{ "result": { "sane_defaults": { "md5": { "default_category": "Payload delivery", "to_ids": 1 }, "sha1": { "default_category": "Payload delivery", "to_ids": 1 }, "sha256": { "default_category": "Payload delivery", "to_ids": 1 }, "filename": { "default_category": "Payload delivery", "to_ids": 1 }, "pdb": { "default_category": "Artifacts dropped", "to_ids": 0 }, "filename|md5": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha1": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha256": { "default_category": "Payload delivery", "to_ids": 1 }, "ip-src": { "default_category": "Network activity", "to_ids": 1 }, "ip-dst": { "default_category": "Network activity", "to_ids": 1 }, "hostname": { "default_category": "Network activity", "to_ids": 1 }, "domain": { "default_category": "Network activity", "to_ids": 1 }, "domain|ip": { "default_category": "Network activity", "to_ids": 1 }, "email-src": { "default_category": "Payload delivery", "to_ids": 1 }, "email-dst": { "default_category": "Network activity", "to_ids": 1 }, "email-subject": { "default_category": "Payload delivery", "to_ids": 0 }, "email-attachment": { "default_category": "Payload delivery", "to_ids": 1 }, "url": { "default_category": "External analysis", "to_ids": 1 }, "http-method": { "default_category": "Network activity", "to_ids": 0 }, "user-agent": { "default_category": "Network activity", "to_ids": 0 }, "regkey": { "default_category": "Persistence mechanism", "to_ids": 1 }, "regkey|value": { "default_category": "Persistence mechanism", "to_ids": 1 }, "AS": { "default_category": "Network activity", "to_ids": 0 }, "snort": { "default_category": "Network activity", "to_ids": 1 }, "pattern-in-file": { "default_category": "Payload installation", "to_ids": 1 }, "pattern-in-traffic": { "default_category": "Network activity", "to_ids": 1 }, "pattern-in-memory": { "default_category": "Payload installation", "to_ids": 1 }, "yara": { "default_category": "Payload installation", "to_ids": 1 }, "vulnerability": { "default_category": "External analysis", "to_ids": 0 }, "attachment": { "default_category": "External analysis", "to_ids": 0 }, "malware-sample": { "default_category": "Payload delivery", "to_ids": 1 }, "link": { "default_category": "External analysis", "to_ids": 0 }, "comment": { "default_category": "Other", "to_ids": 0 }, "text": { "default_category": "Other", "to_ids": 0 }, "other": { "default_category": "Other", "to_ids": 0 }, "named pipe": { "default_category": "Artifacts dropped", "to_ids": 0 }, "mutex": { "default_category": "Artifacts dropped", "to_ids": 1 }, "target-user": { "default_category": "Targeting data", "to_ids": 0 }, "target-email": { "default_category": "Targeting data", "to_ids": 0 }, "target-machine": { "default_category": "Targeting data", "to_ids": 0 }, "target-org": { "default_category": "Targeting data", "to_ids": 0 }, "target-location": { "default_category": "Targeting data", "to_ids": 0 }, "target-external": { "default_category": "Targeting data", "to_ids": 0 }, "btc": { "default_category": "Financial fraud", "to_ids": 1 }, "iban": { "default_category": "Financial fraud", "to_ids": 1 }, "bic": { "default_category": "Financial fraud", "to_ids": 1 }, "bank-account-nr": { "default_category": "Financial fraud", "to_ids": 1 }, "aba-rtn": { "default_category": "Financial fraud", "to_ids": 1 }, "bin": { "default_category": "Financial fraud", "to_ids": 1 }, "cc-number": { "default_category": "Financial fraud", "to_ids": 1 }, "prtn": { "default_category": "Financial fraud", "to_ids": 1 }, "threat-actor": { "default_category": "Attribution", "to_ids": 0 }, "campaign-name": { "default_category": "Attribution", "to_ids": 0 }, "campaign-id": { "default_category": "Attribution", "to_ids": 0 }, "malware-type": { "default_category": "Payload delivery", "to_ids": 0 }, "uri": { "default_category": "Network activity", "to_ids": 1 }, "authentihash": { "default_category": "Payload delivery", "to_ids": 1 }, "ssdeep": { "default_category": "Payload delivery", "to_ids": 1 }, "imphash": { "default_category": "Payload delivery", "to_ids": 1 }, "pehash": { "default_category": "Payload delivery", "to_ids": 1 }, "sha224": { "default_category": "Payload delivery", "to_ids": 1 }, "sha384": { "default_category": "Payload delivery", "to_ids": 1 }, "sha512": { "default_category": "Payload delivery", "to_ids": 1 }, "sha512/224": { "default_category": "Payload delivery", "to_ids": 1 }, "sha512/256": { "default_category": "Payload delivery", "to_ids": 1 }, "tlsh": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|authentihash": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|ssdeep": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|imphash": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|pehash": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha224": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha384": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha512": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha512/224": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|sha512/256": { "default_category": "Payload delivery", "to_ids": 1 }, "filename|tlsh": { "default_category": "Payload delivery", "to_ids": 1 }, "windows-scheduled-task": { "default_category": "Artifacts dropped", "to_ids": 0 }, "windows-service-name": { "default_category": "Artifacts dropped", "to_ids": 0 }, "windows-service-displayname": { "default_category": "Artifacts dropped", "to_ids": 0 }, "whois-registrant-email": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrant-phone": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrant-name": { "default_category": "Attribution", "to_ids": 0 }, "whois-registrar": { "default_category": "Attribution", "to_ids": 0 }, "whois-creation-date": { "default_category": "Attribution", "to_ids": 0 }, "x509-fingerprint-sha1": { "default_category": "Network activity", "to_ids": 1 } }, "types": [ "md5", "sha1", "sha256", "filename", "pdb", "filename|md5", "filename|sha1", "filename|sha256", "ip-src", "ip-dst", "hostname", "domain", "domain|ip", "email-src", "email-dst", "email-subject", "email-attachment", "url", "http-method", "user-agent", "regkey", "regkey|value", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "yara", "vulnerability", "attachment", "malware-sample", "link", "comment", "text", "other", "named pipe", "mutex", "target-user", "target-email", "target-machine", "target-org", "target-location", "target-external", "btc", "iban", "bic", "bank-account-nr", "aba-rtn", "bin", "cc-number", "prtn", "threat-actor", "campaign-name", "campaign-id", "malware-type", "uri", "authentihash", "ssdeep", "imphash", "pehash", "sha224", "sha384", "sha512", "sha512/224", "sha512/256", "tlsh", "filename|authentihash", "filename|ssdeep", "filename|imphash", "filename|pehash", "filename|sha224", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|tlsh", "windows-scheduled-task", "windows-service-name", "windows-service-displayname", "whois-registrant-email", "whois-registrant-phone", "whois-registrant-name", "whois-registrar", "whois-creation-date", "x509-fingerprint-sha1" ], "categories": [ "Internal reference", "Targeting data", "Antivirus detection", "Payload delivery", "Artifacts dropped", "Payload installation", "Persistence mechanism", "Network activity", "Payload type", "Attribution", "External analysis", "Financial fraud", "Other" ], "category_type_mappings": { "Internal reference": [ "text", "link", "comment", "other" ], "Targeting data": [ "target-user", "target-email", "target-machine", "target-org", "target-location", "target-external", "comment" ], "Antivirus detection": [ "link", "comment", "text", "attachment", "other" ], "Payload delivery": [ "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "authentihash", "pehash", "tlsh", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|pehash", "ip-src", "ip-dst", "hostname", "domain", "email-src", "email-dst", "email-subject", "email-attachment", "url", "user-agent", "AS", "pattern-in-file", "pattern-in-traffic", "yara", "attachment", "malware-sample", "link", "malware-type", "comment", "text", "vulnerability", "x509-fingerprint-sha1", "other" ], "Artifacts dropped": [ "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "authentihash", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|pehash", "regkey", "regkey|value", "pattern-in-file", "pattern-in-memory", "pdb", "yara", "attachment", "malware-sample", "named pipe", "mutex", "windows-scheduled-task", "windows-service-name", "windows-service-displayname", "comment", "text", "x509-fingerprint-sha1", "other" ], "Payload installation": [ "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "authentihash", "pehash", "tlsh", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|pehash", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "yara", "vulnerability", "attachment", "malware-sample", "malware-type", "comment", "text", "x509-fingerprint-sha1", "other" ], "Persistence mechanism": [ "filename", "regkey", "regkey|value", "comment", "text", "other" ], "Network activity": [ "ip-src", "ip-dst", "hostname", "domain", "domain|ip", "email-dst", "url", "uri", "user-agent", "http-method", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "attachment", "comment", "text", "x509-fingerprint-sha1", "other" ], "Payload type": [ "comment", "text", "other" ], "Attribution": [ "threat-actor", "campaign-name", "campaign-id", "whois-registrant-phone", "whois-registrant-email", "whois-registrant-name", "whois-registrar", "whois-creation-date", "comment", "text", "x509-fingerprint-sha1", "other" ], "External analysis": [ "md5", "sha1", "sha256", "filename", "filename|md5", "filename|sha1", "filename|sha256", "ip-src", "ip-dst", "hostname", "domain", "domain|ip", "url", "user-agent", "regkey", "regkey|value", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "vulnerability", "attachment", "malware-sample", "link", "comment", "text", "x509-fingerprint-sha1", "other" ], "Financial fraud": [ "btc", "iban", "bic", "bank-account-nr", "aba-rtn", "bin", "cc-number", "prtn", "comment", "text", "other" ], "Other": [ "comment", "text", "other" ] } } }