{ "result": { "types": [ "md5", "sha1", "sha256", "filename", "pdb", "filename|md5", "filename|sha1", "filename|sha256", "ip-src", "ip-dst", "hostname", "domain", "domain|ip", "email-src", "email-dst", "email-subject", "email-attachment", "url", "http-method", "user-agent", "regkey", "regkey|value", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "yara", "vulnerability", "attachment", "malware-sample", "link", "comment", "text", "other", "named pipe", "mutex", "target-user", "target-email", "target-machine", "target-org", "target-location", "target-external", "btc", "iban", "bic", "bank-account-nr", "aba-rtn", "bin", "cc-number", "prtn", "threat-actor", "campaign-name", "campaign-id", "malware-type", "uri", "authentihash", "ssdeep", "imphash", "pehash", "sha224", "sha384", "sha512", "sha512/224", "sha512/256", "tlsh", "filename|authentihash", "filename|ssdeep", "filename|imphash", "filename|pehash", "filename|sha224", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|tlsh", "windows-scheduled-task", "windows-service-name", "windows-service-displayname", "whois-registrant-email", "whois-registrant-phone", "whois-registrant-name", "whois-registrar", "whois-creation-date", "targeted-threat-index", "mailslot", "pipe", "ssl-cert-attributes", "x509-fingerprint-sha1" ], "categories": [ "Internal reference", "Targeting data", "Antivirus detection", "Payload delivery", "Artifacts dropped", "Payload installation", "Persistence mechanism", "Network activity", "Payload type", "Attribution", "External analysis", "Financial fraud", "Other" ], "category_type_mappings": { "Internal reference": [ "link", "comment", "text", "other" ], "Targeting data": [ "target-user", "target-email", "target-machine", "target-org", "target-location", "target-external", "comment" ], "Antivirus detection": [ "link", "comment", "text", "attachment", "other" ], "Payload delivery": [ "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "authentihash", "pehash", "tlsh", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|pehash", "ip-src", "ip-dst", "hostname", "domain", "email-src", "email-dst", "email-subject", "email-attachment", "url", "user-agent", "AS", "pattern-in-file", "pattern-in-traffic", "yara", "attachment", "malware-sample", "link", "malware-type", "comment", "text", "vulnerability", "x509-fingerprint-sha1", "other" ], "Artifacts dropped": [ "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "authentihash", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|pehash", "regkey", "regkey|value", "pattern-in-file", "pattern-in-memory", "pdb", "yara", "attachment", "malware-sample", "named pipe", "mutex", "windows-scheduled-task", "windows-service-name", "windows-service-displayname", "comment", "text", "x509-fingerprint-sha1", "other" ], "Payload installation": [ "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256", "ssdeep", "imphash", "authentihash", "pehash", "tlsh", "filename", "filename|md5", "filename|sha1", "filename|sha224", "filename|sha256", "filename|sha384", "filename|sha512", "filename|sha512/224", "filename|sha512/256", "filename|authentihash", "filename|ssdeep", "filename|tlsh", "filename|imphash", "filename|pehash", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "yara", "vulnerability", "attachment", "malware-sample", "malware-type", "comment", "text", "x509-fingerprint-sha1", "other" ], "Persistence mechanism": [ "filename", "regkey", "regkey|value", "comment", "text", "other" ], "Network activity": [ "ip-src", "ip-dst", "hostname", "domain", "domain|ip", "email-dst", "url", "uri", "user-agent", "http-method", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "attachment", "comment", "text", "x509-fingerprint-sha1", "other" ], "Payload type": [ "comment", "text", "other" ], "Attribution": [ "threat-actor", "campaign-name", "campaign-id", "whois-registrant-phone", "whois-registrant-email", "whois-registrant-name", "whois-registrar", "whois-creation-date", "comment", "text", "x509-fingerprint-sha1", "other" ], "External analysis": [ "md5", "sha1", "sha256", "filename", "filename|md5", "filename|sha1", "filename|sha256", "ip-src", "ip-dst", "hostname", "domain", "domain|ip", "url", "user-agent", "regkey", "regkey|value", "AS", "snort", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "vulnerability", "attachment", "malware-sample", "link", "comment", "text", "x509-fingerprint-sha1", "other" ], "Financial fraud": [ "btc", "iban", "bic", "bank-account-nr", "aba-rtn", "bin", "cc-number", "prtn", "comment", "text", "other" ], "Other": [ "comment", "text", "other" ] } } }