From d82a50efb70bd5bb9d30691b83a6fccf061a439c Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Fri, 20 Aug 2021 08:42:00 +0200
Subject: [PATCH] chg: [types] updated types/categories mapping
---
 pymisp/data/describeTypes.json | 1106 ++++++++++++++++----------------
 1 file changed, 553 insertions(+), 553 deletions(-)
diff --git a/pymisp/data/describeTypes.json b/pymisp/data/describeTypes.json
index f5c3a6a..fac8fd0 100644
--- a/pymisp/data/describeTypes.json
+++ b/pymisp/data/describeTypes.json
@@ -1,134 +1,138 @@ { "result": { "categories": [ - "Internal reference", - "Targeting data", "Antivirus detection", - "Payload delivery", "Artifacts dropped", - "Payload installation", - "Persistence mechanism", - "Network activity", - "Payload type", "Attribution", "External analysis", "Financial fraud", - "Support Tool", - "Social network", + "Internal reference", + "Network activity", + "Other", + "Payload delivery", + "Payload installation", + "Payload type", + "Persistence mechanism", "Person", - "Other" + "Social network", + "Support Tool", + "Targeting data" ], "category_type_mappings": { "Antivirus detection": [ - "link", - "comment", - "text", - "hex", + "anonymised", "attachment", + "comment", + "hex", + "link", "other", - "anonymised" + "text" ], "Artifacts dropped": [ - "md5", - "sha1", - "sha224", - "sha256", - "sha384", - "sha512", - "sha512/224", - "sha512/256", - "sha3-224", - "sha3-256", - "sha3-384", - "sha3-512", - "ssdeep", - "imphash", - "telfhash", - "impfuzzy", + "anonymised", + "attachment", "authentihash", - "vhash", "cdhash", + "comment", + "cookie", "filename", + "filename-pattern", + "filename|authentihash", + "filename|impfuzzy", + "filename|imphash", "filename|md5", + "filename|pehash", "filename|sha1", "filename|sha224", "filename|sha256", - "filename|sha384", - "filename|sha512", - "filename|sha512/224", - "filename|sha512/256", "filename|sha3-224", "filename|sha3-256", "filename|sha3-384", "filename|sha3-512", - "filename|authentihash", - "filename|vhash", + "filename|sha384", + "filename|sha512", + "filename|sha512/224", + "filename|sha512/256", "filename|ssdeep", "filename|tlsh", - "filename|imphash", - "filename|impfuzzy", - "filename|pehash", - "regkey", - "regkey|value", + "filename|vhash", + "gene", + "hex", + "impfuzzy", + "imphash", + "kusto-query", + "malware-sample", + "md5", + "mime-type", + "mutex", + "named pipe", + "other", "pattern-in-file", "pattern-in-memory", - "filename-pattern", "pdb", - "stix2-pattern", - 
"yara", - "sigma", - "attachment", - "malware-sample", - "named pipe", - "mutex", - "process-state", - "windows-scheduled-task", - "windows-service-name", - "windows-service-displayname", - "comment", - "text", - "hex", - "x509-fingerprint-sha1", - "x509-fingerprint-md5", - "x509-fingerprint-sha256", - "other", - "cookie", - "gene", - "kusto-query", - "mime-type", - "anonymised", + "pgp-private-key", "pgp-public-key", - "pgp-private-key" + "process-state", + "regkey", + "regkey|value", + "sha1", + "sha224", + "sha256", + "sha3-224", + "sha3-256", + "sha3-384", + "sha3-512", + "sha384", + "sha512", + "sha512/224", + "sha512/256", + "sigma", + "ssdeep", + "stix2-pattern", + "telfhash", + "text", + "vhash", + "windows-scheduled-task", + "windows-service-displayname", + "windows-service-name", + "x509-fingerprint-md5", + "x509-fingerprint-sha1", + "x509-fingerprint-sha256", + "yara" ], "Attribution": [ - "threat-actor", - "campaign-name", + "anonymised", "campaign-id", - "whois-registrant-phone", + "campaign-name", + "comment", + "dns-soa-email", + "email", + "other", + "text", + "threat-actor", + "whois-creation-date", "whois-registrant-email", "whois-registrant-name", "whois-registrant-org", + "whois-registrant-phone", "whois-registrar", - "whois-creation-date", - "comment", - "text", - "x509-fingerprint-sha1", "x509-fingerprint-md5", - "x509-fingerprint-sha256", - "other", - "dns-soa-email", - "anonymised", - "email" + "x509-fingerprint-sha1", + "x509-fingerprint-sha256" ], "External analysis": [ - "md5", - "sha1", - "sha256", - "sha3-224", - "sha3-256", - "sha3-384", - "sha3-512", + "AS", + "anonymised", + "attachment", + "bro", + "comment", + "community-id", + "cortex", + "cpe", + "domain", + "domain|ip", "filename", + "filename-pattern", "filename|md5", "filename|sha1", "filename|sha256", 
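Review bot: The category lists name the type `"filename-pattern"` (here under "Artifacts dropped" and "External analysis", and in the second hunk under "Network activity", "Payload delivery" and "Payload installation"), but the `types` array in the last hunk carries `"pattern-filename"` and has no `"filename-pattern"` entry. A consumer that validates attribute types against `types` would presumably reject or mishandle filename-pattern indicators that the category mapping allows, so shared detection content could be dropped at ingestion. If the mappings hold the canonical spelling, the `types` entry should read `"filename-pattern",` and sit between `"filename",` and `"filename|authentihash",`; otherwise the mappings need the other name. The removed lines show the same mismatch, so it predates this commit, but the re-sort leaves it in place and it is worth confirming against the upstream type definitions.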
@@ -136,392 +140,388 @@ "filename|sha3-256", "filename|sha3-384", "filename|sha3-512", - "ip-src", - "ip-dst", - "ip-dst|port", - "ip-src|port", - "mac-address", - "mac-eui-64", - "hostname", - "domain", - "domain|ip", - "url", - "user-agent", - "regkey", - "regkey|value", - "AS", - "snort", - "bro", - "zeek", - "pattern-in-file", - "pattern-in-traffic", - "pattern-in-memory", - "filename-pattern", - "vulnerability", - "cpe", - "weakness", - "attachment", - "malware-sample", - "link", - "comment", - "text", - "x509-fingerprint-sha1", - "x509-fingerprint-md5", - "x509-fingerprint-sha256", - "ja3-fingerprint-md5", - "jarm-fingerprint", + "github-repository", "hassh-md5", "hasshserver-md5", - "github-repository", + "hostname", + "ip-dst", + "ip-dst|port", + "ip-src", + "ip-src|port", + "ja3-fingerprint-md5", + "jarm-fingerprint", + "link", + "mac-address", + "mac-eui-64", + "malware-sample", + "md5", "other", - "cortex", - "anonymised", - "community-id" + "pattern-in-file", + "pattern-in-memory", + "pattern-in-traffic", + "regkey", + "regkey|value", + "sha1", + "sha256", + "sha3-224", + "sha3-256", + "sha3-384", + "sha3-512", + "snort", + "text", + "url", + "user-agent", + "vulnerability", + "weakness", + "x509-fingerprint-md5", + "x509-fingerprint-sha1", + "x509-fingerprint-sha256", + "zeek" ], "Financial fraud": [ - "btc", - "dash", - "xmr", - "iban", - "bic", - "bank-account-nr", "aba-rtn", + "anonymised", + "bank-account-nr", + "bic", "bin", + "btc", "cc-number", - "prtn", - "phone-number", "comment", - "text", - "other", + "dash", "hex", - "anonymised" + "iban", + "other", + "phone-number", + "prtn", + "text", + "xmr" ], "Internal reference": [ - "text", - "link", - "comment", - "other", - "hex", "anonymised", - "git-commit-id" + "comment", + "git-commit-id", + "hex", + "link", + "other", + "text" ], "Network activity": [ - "ip-src", - "ip-dst", - "ip-dst|port", - "ip-src|port", - "port", - "hostname", + "AS", + "anonymised", + "attachment", + "bro", + "comment", 
+ "community-id", + "cookie", + "dkim", + "dkim-signature", "domain", "domain|ip", - "mac-address", - "mac-eui-64", "email", "email-dst", "email-src", + "email-subject", "eppn", - "url", - "uri", - "user-agent", - "http-method", - "AS", - "snort", - "pattern-in-file", + "favicon-mmh3", "filename-pattern", - "stix2-pattern", - "pattern-in-traffic", - "attachment", - "comment", - "text", - "x509-fingerprint-md5", - "x509-fingerprint-sha1", - "x509-fingerprint-sha256", - "ja3-fingerprint-md5", - "jarm-fingerprint", "hassh-md5", "hasshserver-md5", - "other", "hex", - "cookie", + "hostname", "hostname|port", - "bro", - "zeek", - "anonymised", - "community-id", - "email-subject", - "favicon-mmh3", - "dkim", - "dkim-signature" - ], - "Other": [ - "comment", - "text", - "other", - "size-in-bytes", - "counter", - "datetime", - "cpe", - "port", - "float", - "hex", - "phone-number", - "boolean", - "anonymised", - "pgp-public-key", - "pgp-private-key" - ], - "Payload delivery": [ - "md5", - "sha1", - "sha224", - "sha256", - "sha384", - "sha512", - "sha512/224", - "sha512/256", - "sha3-224", - "sha3-256", - "sha3-384", - "sha3-512", - "ssdeep", - "imphash", - "telfhash", - "impfuzzy", - "authentihash", - "vhash", - "pehash", - "tlsh", - "cdhash", - "filename", - "filename|md5", - "filename|sha1", - "filename|sha224", - "filename|sha256", - "filename|sha384", - "filename|sha512", - "filename|sha512/224", - "filename|sha512/256", - "filename|sha3-224", - "filename|sha3-256", - "filename|sha3-384", - "filename|sha3-512", - "filename|authentihash", - "filename|vhash", - "filename|ssdeep", - "filename|tlsh", - "filename|imphash", - "filename|impfuzzy", - "filename|pehash", - "mac-address", - "mac-eui-64", - "ip-src", + "http-method", "ip-dst", "ip-dst|port", + "ip-src", "ip-src|port", - "hostname", - "domain", - "email", - "email-src", - "email-dst", - "email-subject", - "email-attachment", - "email-body", - "url", - "user-agent", - "AS", - "pattern-in-file", - "pattern-in-traffic", 
- "filename-pattern", - "stix2-pattern", - "yara", - "sigma", - "mime-type", - "attachment", - "malware-sample", - "link", - "malware-type", - "comment", - "text", - "hex", - "vulnerability", - "cpe", - "weakness", - "x509-fingerprint-sha1", - "x509-fingerprint-md5", - "x509-fingerprint-sha256", "ja3-fingerprint-md5", "jarm-fingerprint", - "hassh-md5", - "hasshserver-md5", + "mac-address", + "mac-eui-64", "other", - "hostname|port", - "email-dst-display-name", - "email-src-display-name", - "email-header", - "email-reply-to", - "email-x-mailer", - "email-mime-boundary", - "email-thread-index", - "email-message-id", - "mobile-application-id", - "chrome-extension-id", - "whois-registrant-email", - "anonymised" + "pattern-in-file", + "pattern-in-traffic", + "port", + "snort", + "stix2-pattern", + "text", + "uri", + "url", + "user-agent", + "x509-fingerprint-md5", + "x509-fingerprint-sha1", + "x509-fingerprint-sha256", + "zeek" ], - "Payload installation": [ - "md5", - "sha1", - "sha224", - "sha256", - "sha384", - "sha512", - "sha512/224", - "sha512/256", - "sha3-224", - "sha3-256", - "sha3-384", - "sha3-512", - "ssdeep", - "imphash", - "telfhash", - "impfuzzy", + "Other": [ + "anonymised", + "boolean", + "comment", + "counter", + "cpe", + "datetime", + "float", + "hex", + "other", + "pgp-private-key", + "pgp-public-key", + "phone-number", + "port", + "size-in-bytes", + "text" + ], + "Payload delivery": [ + "AS", + "anonymised", + "attachment", "authentihash", - "vhash", - "pehash", - "tlsh", "cdhash", + "chrome-extension-id", + "comment", + "cpe", + "domain", + "email", + "email-attachment", + "email-body", + "email-dst", + "email-dst-display-name", + "email-header", + "email-message-id", + "email-mime-boundary", + "email-reply-to", + "email-src", + "email-src-display-name", + "email-subject", + "email-thread-index", + "email-x-mailer", "filename", + "filename-pattern", + "filename|authentihash", + "filename|impfuzzy", + "filename|imphash", "filename|md5", + 
"filename|pehash", "filename|sha1", "filename|sha224", "filename|sha256", - "filename|sha384", - "filename|sha512", - "filename|sha512/224", - "filename|sha512/256", "filename|sha3-224", "filename|sha3-256", "filename|sha3-384", "filename|sha3-512", - "filename|authentihash", - "filename|vhash", + "filename|sha384", + "filename|sha512", + "filename|sha512/224", + "filename|sha512/256", "filename|ssdeep", "filename|tlsh", - "filename|imphash", - "filename|impfuzzy", - "filename|pehash", - "pattern-in-file", - "pattern-in-traffic", - "pattern-in-memory", - "filename-pattern", - "stix2-pattern", - "yara", - "sigma", - "vulnerability", - "cpe", - "weakness", - "attachment", + "filename|vhash", + "hassh-md5", + "hasshserver-md5", + "hex", + "hostname", + "hostname|port", + "impfuzzy", + "imphash", + "ip-dst", + "ip-dst|port", + "ip-src", + "ip-src|port", + "ja3-fingerprint-md5", + "jarm-fingerprint", + "link", + "mac-address", + "mac-eui-64", "malware-sample", "malware-type", - "comment", - "text", - "hex", - "x509-fingerprint-sha1", - "x509-fingerprint-md5", - "x509-fingerprint-sha256", - "mobile-application-id", - "chrome-extension-id", - "other", + "md5", "mime-type", - "anonymised" + "mobile-application-id", + "other", + "pattern-in-file", + "pattern-in-traffic", + "pehash", + "sha1", + "sha224", + "sha256", + "sha3-224", + "sha3-256", + "sha3-384", + "sha3-512", + "sha384", + "sha512", + "sha512/224", + "sha512/256", + "sigma", + "ssdeep", + "stix2-pattern", + "telfhash", + "text", + "tlsh", + "url", + "user-agent", + "vhash", + "vulnerability", + "weakness", + "whois-registrant-email", + "x509-fingerprint-md5", + "x509-fingerprint-sha1", + "x509-fingerprint-sha256", + "yara" + ], + "Payload installation": [ + "anonymised", + "attachment", + "authentihash", + "cdhash", + "chrome-extension-id", + "comment", + "cpe", + "filename", + "filename-pattern", + "filename|authentihash", + "filename|impfuzzy", + "filename|imphash", + "filename|md5", + "filename|pehash", + 
"filename|sha1", + "filename|sha224", + "filename|sha256", + "filename|sha3-224", + "filename|sha3-256", + "filename|sha3-384", + "filename|sha3-512", + "filename|sha384", + "filename|sha512", + "filename|sha512/224", + "filename|sha512/256", + "filename|ssdeep", + "filename|tlsh", + "filename|vhash", + "hex", + "impfuzzy", + "imphash", + "malware-sample", + "malware-type", + "md5", + "mime-type", + "mobile-application-id", + "other", + "pattern-in-file", + "pattern-in-memory", + "pattern-in-traffic", + "pehash", + "sha1", + "sha224", + "sha256", + "sha3-224", + "sha3-256", + "sha3-384", + "sha3-512", + "sha384", + "sha512", + "sha512/224", + "sha512/256", + "sigma", + "ssdeep", + "stix2-pattern", + "telfhash", + "text", + "tlsh", + "vhash", + "vulnerability", + "weakness", + "x509-fingerprint-md5", + "x509-fingerprint-sha1", + "x509-fingerprint-sha256", + "yara" ], "Payload type": [ + "anonymised", "comment", - "text", "other", - "anonymised" + "text" ], "Persistence mechanism": [ + "anonymised", + "comment", "filename", + "hex", + "other", "regkey", "regkey|value", - "comment", - "text", - "other", - "hex", - "anonymised" + "text" ], "Person": [ - "first-name", - "middle-name", - "last-name", - "full-name", + "anonymised", + "comment", + "country-of-residence", "date-of-birth", - "place-of-birth", + "email", + "first-name", + "frequent-flyer-number", + "full-name", "gender", - "passport-number", + "identity-card-number", + "issue-date-of-the-visa", + "last-name", + "middle-name", + "nationality", + "other", + "passenger-name-record-locator-number", "passport-country", "passport-expiration", - "redress-number", - "nationality", - "visa-number", - "issue-date-of-the-visa", - "primary-residence", - "country-of-residence", - "special-service-request", - "frequent-flyer-number", - "travel-details", + "passport-number", "payment-details", - "place-port-of-original-embarkation", + "pgp-private-key", + "pgp-public-key", + "phone-number", + "place-of-birth", 
"place-port-of-clearance", "place-port-of-onward-foreign-destination", - "passenger-name-record-locator-number", - "comment", + "place-port-of-original-embarkation", + "primary-residence", + "redress-number", + "special-service-request", "text", - "other", - "phone-number", - "identity-card-number", - "anonymised", - "email", - "pgp-public-key", - "pgp-private-key" + "travel-details", + "visa-number" ], "Social network": [ - "github-username", - "github-repository", - "github-organisation", - "jabber-id", - "twitter-id", - "email", - "email-src", - "email-dst", - "eppn", - "comment", - "text", - "other", - "whois-registrant-email", "anonymised", + "comment", + "email", + "email-dst", + "email-src", + "eppn", + "github-organisation", + "github-repository", + "github-username", + "jabber-id", + "other", + "pgp-private-key", "pgp-public-key", - "pgp-private-key" + "text", + "twitter-id", + "whois-registrant-email" ], "Support Tool": [ - "link", - "text", + "anonymised", "attachment", "comment", - "other", "hex", - "anonymised" + "link", + "other", + "text" ], "Targeting data": [ - "target-user", + "anonymised", + "comment", "target-email", + "target-external", + "target-location", "target-machine", "target-org", - "target-location", - "target-external", - "comment", - "anonymised" + "target-user" ] }, "sane_defaults": { 
@@ -1271,192 +1271,192 @@ } }, "types": [ - "md5", - "sha1", - "sha256", - "filename", - "pdb", - "filename|md5", - "filename|sha1", - "filename|sha256", - "ip-src", - "ip-dst", - "hostname", + "AS", + "aba-rtn", + "anonymised", + "attachment", + "authentihash", + "bank-account-nr", + "bic", + "bin", + "boolean", + "bro", + "btc", + "campaign-id", + "campaign-name", + "cc-number", + "cdhash", + "chrome-extension-id", + "comment", + "community-id", + "cookie", + "cortex", + "counter", + "country-of-residence", + "cpe", + "dash", + "date-of-birth", + "datetime", + "dkim", + "dkim-signature", + "dns-soa-email", "domain", "domain|ip", "email", - "email-src", - "eppn", - "email-dst", - "email-subject", "email-attachment", "email-body", - "float", - "git-commit-id", - "url", - "http-method", - "user-agent", - "ja3-fingerprint-md5", - "jarm-fingerprint", + "email-dst", + "email-dst-display-name", + "email-header", + "email-message-id", + "email-mime-boundary", + "email-reply-to", + "email-src", + "email-src-display-name", + "email-subject", + "email-thread-index", + "email-x-mailer", + "eppn", "favicon-mmh3", - "hassh-md5", - "hasshserver-md5", - "regkey", - "regkey|value", - "AS", - "snort", - "bro", - "zeek", - "community-id", - "pattern-in-file", - "pattern-in-traffic", - "pattern-in-memory", - "pattern-filename", - "pgp-public-key", - "pgp-private-key", - "yara", - "stix2-pattern", - "sigma", - "gene", - "kusto-query", - "mime-type", - "identity-card-number", - "cookie", - "vulnerability", - "cpe", - "weakness", - "attachment", - "malware-sample", - "link", - "comment", - "text", - "hex", - "other", - "named pipe", - "mutex", - "process-state", - "target-user", - "target-email", - "target-machine", - "target-org", - "target-location", - "target-external", - "btc", - "dash", - "xmr", - "iban", - "bic", - "bank-account-nr", - "aba-rtn", - "bin", - "cc-number", - "prtn", - "phone-number", - "threat-actor", - "campaign-name", - "campaign-id", - "malware-type", - "uri", - 
"authentihash", - "vhash", - "ssdeep", - "imphash", - "telfhash", - "pehash", - "impfuzzy", - "sha224", - "sha384", - "sha512", - "sha512/224", - "sha512/256", - "sha3-224", - "sha3-256", - "sha3-384", - "sha3-512", - "tlsh", - "cdhash", + "filename", "filename|authentihash", - "filename|vhash", - "filename|ssdeep", - "filename|imphash", "filename|impfuzzy", + "filename|imphash", + "filename|md5", "filename|pehash", + "filename|sha1", "filename|sha224", - "filename|sha384", - "filename|sha512", - "filename|sha512/224", - "filename|sha512/256", + "filename|sha256", "filename|sha3-224", "filename|sha3-256", "filename|sha3-384", "filename|sha3-512", + "filename|sha384", + "filename|sha512", + "filename|sha512/224", + "filename|sha512/256", + "filename|ssdeep", "filename|tlsh", - "windows-scheduled-task", - "windows-service-name", - "windows-service-displayname", - "whois-registrant-email", - "whois-registrant-phone", - "whois-registrant-name", - "whois-registrant-org", - "whois-registrar", - "whois-creation-date", - "x509-fingerprint-sha1", - "x509-fingerprint-md5", - "x509-fingerprint-sha256", - "dns-soa-email", - "size-in-bytes", - "counter", - "datetime", - "port", - "ip-dst|port", - "ip-src|port", + "filename|vhash", + "first-name", + "float", + "frequent-flyer-number", + "full-name", + "gender", + "gene", + "git-commit-id", + "github-organisation", + "github-repository", + "github-username", + "hassh-md5", + "hasshserver-md5", + "hex", + "hostname", "hostname|port", + "http-method", + "iban", + "identity-card-number", + "impfuzzy", + "imphash", + "ip-dst", + "ip-dst|port", + "ip-src", + "ip-src|port", + "issue-date-of-the-visa", + "ja3-fingerprint-md5", + "jabber-id", + "jarm-fingerprint", + "kusto-query", + "last-name", + "link", "mac-address", "mac-eui-64", - "email-dst-display-name", - "email-src-display-name", - "email-header", - "email-reply-to", - "email-x-mailer", - "email-mime-boundary", - "email-thread-index", - "email-message-id", - "github-username", - 
"github-repository", - "github-organisation", - "jabber-id", - "twitter-id", - "dkim", - "dkim-signature", - "first-name", + "malware-sample", + "malware-type", + "md5", "middle-name", - "last-name", - "full-name", - "date-of-birth", - "place-of-birth", - "gender", - "passport-number", + "mime-type", + "mobile-application-id", + "mutex", + "named pipe", + "nationality", + "other", + "passenger-name-record-locator-number", "passport-country", "passport-expiration", - "redress-number", - "nationality", - "visa-number", - "issue-date-of-the-visa", - "primary-residence", - "country-of-residence", - "special-service-request", - "frequent-flyer-number", - "travel-details", + "passport-number", + "pattern-filename", + "pattern-in-file", + "pattern-in-memory", + "pattern-in-traffic", "payment-details", - "place-port-of-original-embarkation", + "pdb", + "pehash", + "pgp-private-key", + "pgp-public-key", + "phone-number", + "place-of-birth", "place-port-of-clearance", "place-port-of-onward-foreign-destination", - "passenger-name-record-locator-number", - "mobile-application-id", - "chrome-extension-id", - "cortex", - "boolean", - "anonymised" + "place-port-of-original-embarkation", + "port", + "primary-residence", + "process-state", + "prtn", + "redress-number", + "regkey", + "regkey|value", + "sha1", + "sha224", + "sha256", + "sha3-224", + "sha3-256", + "sha3-384", + "sha3-512", + "sha384", + "sha512", + "sha512/224", + "sha512/256", + "sigma", + "size-in-bytes", + "snort", + "special-service-request", + "ssdeep", + "stix2-pattern", + "target-email", + "target-external", + "target-location", + "target-machine", + "target-org", + "target-user", + "telfhash", + "text", + "threat-actor", + "tlsh", + "travel-details", + "twitter-id", + "uri", + "url", + "user-agent", + "vhash", + "visa-number", + "vulnerability", + "weakness", + "whois-creation-date", + "whois-registrant-email", + "whois-registrant-name", + "whois-registrant-org", + "whois-registrant-phone", + 
"whois-registrar", + "windows-scheduled-task", + "windows-service-displayname", + "windows-service-name", + "x509-fingerprint-md5", + "x509-fingerprint-sha1", + "x509-fingerprint-sha256", + "xmr", + "yara", + "zeek" ] } }