From 9f83f2140b9cbe7744c52cf0827cf2f46c1a6d99 Mon Sep 17 00:00:00 2001 From: Michael Chisholm Date: Tue, 6 Nov 2018 15:10:40 -0500 Subject: [PATCH] Ran trailing-whitespace pre-commit hook. It changed a bunch of files, in ways we don't completely understand... --- docs/Makefile | 2 +- .../datastore/stix2.datastore.filesystem.rst | 2 +- .../api/datastore/stix2.datastore.filters.rst | 2 +- docs/api/datastore/stix2.datastore.memory.rst | 2 +- docs/api/datastore/stix2.datastore.taxii.rst | 2 +- .../stix2.markings.granular_markings.rst | 2 +- .../stix2.markings.object_markings.rst | 2 +- docs/api/markings/stix2.markings.utils.rst | 2 +- docs/api/stix2.core.rst | 2 +- docs/api/stix2.datastore.rst | 2 +- docs/api/stix2.environment.rst | 2 +- docs/api/stix2.exceptions.rst | 2 +- docs/api/stix2.markings.rst | 2 +- docs/api/stix2.patterns.rst | 2 +- docs/api/stix2.properties.rst | 2 +- docs/api/stix2.utils.rst | 2 +- docs/api/stix2.v20.common.rst | 2 +- docs/api/stix2.v20.observables.rst | 2 +- docs/api/stix2.v20.sdo.rst | 2 +- docs/api/stix2.v20.sro.rst | 2 +- docs/api/stix2.workbench.rst | 2 +- .../20170531213019735010.json | 44 ++++++------- .../20170531213026496201.json | 38 +++++------ .../20170531213029458940.json | 32 +++++----- .../20170531213045139269.json | 32 +++++----- .../20170531213041022897.json | 32 +++++----- .../20170531213032662702.json | 32 +++++----- .../20170531213026495974.json | 20 +++--- .../20170531213041022744.json | 14 ++-- .../20170601000000000000.json | 18 +++--- .../20181101232448446000.json | 2 +- .../20170531213149412497.json | 64 +++++++++---------- .../20170531213153197755.json | 48 +++++++------- .../20170531213258226477.json | 36 +++++------ .../20181101232448456000.json | 2 +- .../20181101232448457000.json | 2 +- .../20170531213326565056.json | 36 +++++------ .../20170531213248482655.json | 36 +++++------ .../20170531213215263882.json | 36 +++++------ ...-fa42a846-8d90-4e51-bc29-71d5b4802168.json | 16 ++--- .../20170531213327182784.json | 24 +++---- .../20170531213327082801.json | 24 +++---- .../20170531213327018782.json | 24 +++---- .../20170531213327100701.json | 24 +++---- .../20170531213327143973.json | 24 +++---- .../20170531213327021562.json | 24 +++---- .../20170531213327044387.json | 24 +++---- .../20170531213327051532.json | 24 +++---- .../20170531213231601148.json | 42 ++++++------ .../20170531213212684914.json | 36 +++++------ 50 files changed, 426 insertions(+), 426 deletions(-) diff --git a/docs/Makefile b/docs/Makefile index 0c4ce84..e1582e8 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -17,4 +17,4 @@ help: # Catch-all target: route all unknown targets to Sphinx using the new # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). %: Makefile - @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) \ No newline at end of file + @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) diff --git a/docs/api/datastore/stix2.datastore.filesystem.rst b/docs/api/datastore/stix2.datastore.filesystem.rst index 665df66..2b0d2ee 100644 --- a/docs/api/datastore/stix2.datastore.filesystem.rst +++ b/docs/api/datastore/stix2.datastore.filesystem.rst @@ -2,4 +2,4 @@ filesystem ========================== .. automodule:: stix2.datastore.filesystem - :members: \ No newline at end of file + :members: diff --git a/docs/api/datastore/stix2.datastore.filters.rst b/docs/api/datastore/stix2.datastore.filters.rst index b556754..3c9f0b1 100644 --- a/docs/api/datastore/stix2.datastore.filters.rst +++ b/docs/api/datastore/stix2.datastore.filters.rst @@ -2,4 +2,4 @@ filters ======================= .. automodule:: stix2.datastore.filters - :members: \ No newline at end of file + :members: diff --git a/docs/api/datastore/stix2.datastore.memory.rst b/docs/api/datastore/stix2.datastore.memory.rst index b0521c7..eda42cb 100644 --- a/docs/api/datastore/stix2.datastore.memory.rst +++ b/docs/api/datastore/stix2.datastore.memory.rst @@ -2,4 +2,4 @@ memory ====================== .. automodule:: stix2.datastore.memory - :members: \ No newline at end of file + :members: diff --git a/docs/api/datastore/stix2.datastore.taxii.rst b/docs/api/datastore/stix2.datastore.taxii.rst index 68389a0..f1c43bf 100644 --- a/docs/api/datastore/stix2.datastore.taxii.rst +++ b/docs/api/datastore/stix2.datastore.taxii.rst @@ -2,4 +2,4 @@ taxii ===================== .. automodule:: stix2.datastore.taxii - :members: \ No newline at end of file + :members: diff --git a/docs/api/markings/stix2.markings.granular_markings.rst b/docs/api/markings/stix2.markings.granular_markings.rst index b4a7160..d64ebc9 100644 --- a/docs/api/markings/stix2.markings.granular_markings.rst +++ b/docs/api/markings/stix2.markings.granular_markings.rst @@ -2,4 +2,4 @@ granular_markings ================================ .. automodule:: stix2.markings.granular_markings - :members: \ No newline at end of file + :members: diff --git a/docs/api/markings/stix2.markings.object_markings.rst b/docs/api/markings/stix2.markings.object_markings.rst index d861c87..8e8de67 100644 --- a/docs/api/markings/stix2.markings.object_markings.rst +++ b/docs/api/markings/stix2.markings.object_markings.rst @@ -2,4 +2,4 @@ object_markings ============================== .. automodule:: stix2.markings.object_markings - :members: \ No newline at end of file + :members: diff --git a/docs/api/markings/stix2.markings.utils.rst b/docs/api/markings/stix2.markings.utils.rst index ee59b6c..66793aa 100644 --- a/docs/api/markings/stix2.markings.utils.rst +++ b/docs/api/markings/stix2.markings.utils.rst @@ -2,4 +2,4 @@ utils ==================== .. automodule:: stix2.markings.utils - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.core.rst b/docs/api/stix2.core.rst index f0e98d4..dbd5256 100644 --- a/docs/api/stix2.core.rst +++ b/docs/api/stix2.core.rst @@ -2,4 +2,4 @@ core ========== .. automodule:: stix2.core - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.datastore.rst b/docs/api/stix2.datastore.rst index 4af05a9..0d90987 100644 --- a/docs/api/stix2.datastore.rst +++ b/docs/api/stix2.datastore.rst @@ -2,4 +2,4 @@ datastore =============== .. automodule:: stix2.datastore - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.environment.rst b/docs/api/stix2.environment.rst index fb5c7b7..6b44ba5 100644 --- a/docs/api/stix2.environment.rst +++ b/docs/api/stix2.environment.rst @@ -2,4 +2,4 @@ environment ================= .. automodule:: stix2.environment - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.exceptions.rst b/docs/api/stix2.exceptions.rst index a8d498e..ad8ddf3 100644 --- a/docs/api/stix2.exceptions.rst +++ b/docs/api/stix2.exceptions.rst @@ -2,4 +2,4 @@ exceptions ================ .. automodule:: stix2.exceptions - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.markings.rst b/docs/api/stix2.markings.rst index 9819fe7..881fda1 100644 --- a/docs/api/stix2.markings.rst +++ b/docs/api/stix2.markings.rst @@ -2,4 +2,4 @@ markings ============== .. automodule:: stix2.markings - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.patterns.rst b/docs/api/stix2.patterns.rst index ec7b42c..f95ec34 100644 --- a/docs/api/stix2.patterns.rst +++ b/docs/api/stix2.patterns.rst @@ -2,4 +2,4 @@ patterns ============== .. automodule:: stix2.patterns - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.properties.rst b/docs/api/stix2.properties.rst index c3db9ff..e357ef4 100644 --- a/docs/api/stix2.properties.rst +++ b/docs/api/stix2.properties.rst @@ -2,4 +2,4 @@ properties ================ .. automodule:: stix2.properties - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.utils.rst b/docs/api/stix2.utils.rst index 4091fb5..49a1e16 100644 --- a/docs/api/stix2.utils.rst +++ b/docs/api/stix2.utils.rst @@ -2,4 +2,4 @@ utils =========== .. automodule:: stix2.utils - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.v20.common.rst b/docs/api/stix2.v20.common.rst index 0c7a296..8cec059 100644 --- a/docs/api/stix2.v20.common.rst +++ b/docs/api/stix2.v20.common.rst @@ -2,4 +2,4 @@ common ================ .. automodule:: stix2.v20.common - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.v20.observables.rst b/docs/api/stix2.v20.observables.rst index d31f75f..4d9803a 100644 --- a/docs/api/stix2.v20.observables.rst +++ b/docs/api/stix2.v20.observables.rst @@ -2,4 +2,4 @@ observables ===================== .. automodule:: stix2.v20.observables - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.v20.sdo.rst b/docs/api/stix2.v20.sdo.rst index c4c97f8..a115d5b 100644 --- a/docs/api/stix2.v20.sdo.rst +++ b/docs/api/stix2.v20.sdo.rst @@ -2,4 +2,4 @@ sdo ============= .. automodule:: stix2.v20.sdo - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.v20.sro.rst b/docs/api/stix2.v20.sro.rst index 379ed18..397cf29 100644 --- a/docs/api/stix2.v20.sro.rst +++ b/docs/api/stix2.v20.sro.rst @@ -2,4 +2,4 @@ sro ============= .. automodule:: stix2.v20.sro - :members: \ No newline at end of file + :members: diff --git a/docs/api/stix2.workbench.rst b/docs/api/stix2.workbench.rst index 19345f0..8fa2544 100644 --- a/docs/api/stix2.workbench.rst +++ b/docs/api/stix2.workbench.rst @@ -2,4 +2,4 @@ workbench =============== .. automodule:: stix2.workbench - :members: \ No newline at end of file + :members: diff --git a/stix2/test/stix2_data/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22/20170531213019735010.json b/stix2/test/stix2_data/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22/20170531213019735010.json index 4da65a1..47dd5f8 100644 --- a/stix2/test/stix2_data/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22/20170531213019735010.json +++ b/stix2/test/stix2_data/attack-pattern/attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22/20170531213019735010.json @@ -1,42 +1,42 @@ { - "id": "bundle--f68640b4-0cdc-42ae-b176-def1754a1ea0", + "id": "bundle--f68640b4-0cdc-42ae-b176-def1754a1ea0", "objects": [ { - "created": "2017-05-31T21:30:19.73501Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.\n\nPlaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective DLL Injection to reduce potential indicators of malicious activity.\n\nNTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Legitimate Credentials in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[[Citation: Powersploit]] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs", + "created": "2017-05-31T21:30:19.73501Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Credential dumping is the process of obtaining account login and password information from the operating system and software. Credentials can be used to perform Windows Credential Editor, Mimikatz, and gsecdump. These tools are in use by both professional security testers and adversaries.\n\nPlaintext passwords can be obtained using tools such as Mimikatz to extract passwords stored by the Local Security Authority (LSA). If smart cards are used to authenticate to a domain using a personal identification number (PIN), then that PIN is also cached as a result and may be dumped.Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective DLL Injection to reduce potential indicators of malicious activity.\n\nNTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Legitimate Credentials in-use by adversaries may help as well. \n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[[Citation: Powersploit]] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs", "external_references": [ { - "external_id": "T1003", - "source_name": "mitre-attack", + "external_id": "T1003", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Technique/T1003" - }, + }, { - "description": "Delpy, B. (2014, September 14). Mimikatz module ~ sekurlsa. Retrieved January 10, 2016.", - "source_name": "Github Mimikatz Module sekurlsa", + "description": "Delpy, B. (2014, September 14). Mimikatz module ~ sekurlsa. Retrieved January 10, 2016.", + "source_name": "Github Mimikatz Module sekurlsa", "url": "https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa" - }, + }, { - "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", - "source_name": "Powersploit", + "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.", + "source_name": "Powersploit", "url": "https://github.com/mattifestation/PowerSploit" } - ], - "id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + ], + "id": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "kill_chain_phases": [ { - "kill_chain_name": "mitre-attack", + "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } - ], - "modified": "2017-05-31T21:30:19.73501Z", - "name": "Credential Dumping", + ], + "modified": "2017-05-31T21:30:19.73501Z", + "name": "Credential Dumping", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "attack-pattern" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b/20170531213026496201.json b/stix2/test/stix2_data/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b/20170531213026496201.json index ca50fc4..13f900f 100644 --- a/stix2/test/stix2_data/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b/20170531213026496201.json +++ b/stix2/test/stix2_data/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b/20170531213026496201.json @@ -1,37 +1,37 @@ { - "id": "bundle--b07d6fd6-7cc5-492d-a1eb-9ba956b329d5", + "id": "bundle--b07d6fd6-7cc5-492d-a1eb-9ba956b329d5", "objects": [ { - "created": "2017-05-31T21:30:26.496201Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the Basic Input/Output System.[[Citation: Wikipedia Rootkit]]\n\nAdversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.\n\nDetection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[Citation: Wikipedia Rootkit]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: BIOS, MBR, System calls", + "created": "2017-05-31T21:30:26.496201Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Rootkits are programs that hide the existence of malware by intercepting and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the Basic Input/Output System.[[Citation: Wikipedia Rootkit]]\n\nAdversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.\n\nDetection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.[[Citation: Wikipedia Rootkit]]\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: BIOS, MBR, System calls", "external_references": [ { - "external_id": "T1014", - "source_name": "mitre-attack", + "external_id": "T1014", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Technique/T1014" - }, + }, { - "description": "Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.", - "source_name": "Wikipedia Rootkit", + "description": "Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.", + "source_name": "Wikipedia Rootkit", "url": "https://en.wikipedia.org/wiki/Rootkit" } - ], - "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + ], + "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "kill_chain_phases": [ { - "kill_chain_name": "mitre-attack", + "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } - ], - "modified": "2017-05-31T21:30:26.496201Z", - "name": "Rootkit", + ], + "modified": "2017-05-31T21:30:26.496201Z", + "name": "Rootkit", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "attack-pattern" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/attack-pattern/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9/20170531213029458940.json b/stix2/test/stix2_data/attack-pattern/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9/20170531213029458940.json index 99a50cc..db57e2c 100644 --- a/stix2/test/stix2_data/attack-pattern/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9/20170531213029458940.json +++ b/stix2/test/stix2_data/attack-pattern/attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9/20170531213029458940.json @@ -1,32 +1,32 @@ { - "id": "bundle--1a854c96-639e-4771-befb-e7b960a65974", + "id": "bundle--1a854c96-639e-4771-befb-e7b960a65974", "objects": [ { - "created": "2017-05-31T21:30:29.45894Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.\n\nDetection: Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process use of network", + "created": "2017-05-31T21:30:29.45894Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Exfiltration Over Command and Control Channel and Exfiltration Over Alternative Protocol.\n\nDetection: Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process use of network", "external_references": [ { - "external_id": "T1020", - "source_name": "mitre-attack", + "external_id": "T1020", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Technique/T1020" } - ], - "id": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + ], + "id": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "kill_chain_phases": [ { - "kill_chain_name": "mitre-attack", + "kill_chain_name": "mitre-attack", "phase_name": "exfiltration" } - ], - "modified": "2017-05-31T21:30:29.45894Z", - "name": "Automated Exfiltration", + ], + "modified": "2017-05-31T21:30:29.45894Z", + "name": "Automated Exfiltration", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "attack-pattern" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/attack-pattern/attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475/20170531213045139269.json b/stix2/test/stix2_data/attack-pattern/attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475/20170531213045139269.json index 9b3179c..d48092d 100644 --- a/stix2/test/stix2_data/attack-pattern/attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475/20170531213045139269.json +++ b/stix2/test/stix2_data/attack-pattern/attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475/20170531213045139269.json @@ -1,32 +1,32 @@ { - "id": "bundle--33e3e33a-38b8-4a37-9455-5b8c82d3b10a", + "id": "bundle--33e3e33a-38b8-4a37-9455-5b8c82d3b10a", "objects": [ { - "created": "2017-05-31T21:30:45.139269Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system.\nUtilities and commands that acquire this information include netstat, \"net use,\" and \"net session\" with Net.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Process command-line parameters, Process monitoring", + "created": "2017-05-31T21:30:45.139269Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system.\nUtilities and commands that acquire this information include netstat, \"net use,\" and \"net session\" with Net.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Process command-line parameters, Process monitoring", "external_references": [ { - "external_id": "T1049", - "source_name": "mitre-attack", + "external_id": "T1049", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Technique/T1049" } - ], - "id": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475", + ], + "id": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475", "kill_chain_phases": [ { - "kill_chain_name": "mitre-attack", + "kill_chain_name": "mitre-attack", "phase_name": "discovery" } - ], - "modified": "2017-05-31T21:30:45.139269Z", - "name": "Local Network Connections Discovery", + ], + "modified": "2017-05-31T21:30:45.139269Z", + "name": "Local Network Connections Discovery", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "attack-pattern" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/attack-pattern/attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c/20170531213041022897.json b/stix2/test/stix2_data/attack-pattern/attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c/20170531213041022897.json index d80d781..031419e 100644 --- a/stix2/test/stix2_data/attack-pattern/attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c/20170531213041022897.json +++ b/stix2/test/stix2_data/attack-pattern/attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c/20170531213041022897.json @@ -1,32 +1,32 @@ { - "id": "bundle--a87938c5-cc1e-4e06-a8a3-b10243ae397d", + "id": "bundle--a87938c5-cc1e-4e06-a8a3-b10243ae397d", "objects": [ { - "created": "2017-05-31T21:30:41.022897Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to cmd may be used to gather information.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters", + "created": "2017-05-31T21:30:41.022897Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to cmd may be used to gather information.\n\nDetection: Monitor processes and command-line arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: File monitoring, Process monitoring, Process command-line parameters", "external_references": [ { - "external_id": "T1039", - "source_name": "mitre-attack", + "external_id": "T1039", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Technique/T1039" } - ], - "id": "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c", + ], + "id": "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c", "kill_chain_phases": [ { - "kill_chain_name": "mitre-attack", + "kill_chain_name": "mitre-attack", "phase_name": "collection" } - ], - "modified": "2017-05-31T21:30:41.022897Z", - "name": "Data from Network Shared Drive", + ], + "modified": "2017-05-31T21:30:41.022897Z", + "name": "Data from Network Shared Drive", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "attack-pattern" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/attack-pattern/attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a/20170531213032662702.json b/stix2/test/stix2_data/attack-pattern/attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a/20170531213032662702.json index 0e81b3c..67c380c 100644 --- a/stix2/test/stix2_data/attack-pattern/attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a/20170531213032662702.json +++ b/stix2/test/stix2_data/attack-pattern/attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a/20170531213032662702.json @@ -1,32 +1,32 @@ { - "id": "bundle--5ddaeff9-eca7-4094-9e65-4f53da21a444", + "id": "bundle--5ddaeff9-eca7-4094-9e65-4f53da21a444", "objects": [ { - "created": "2017-05-31T21:30:32.662702Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system.\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering", + "created": "2017-05-31T21:30:32.662702Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system.\n\nDetection: Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Network protocol analysis, Process use of network, Binary file metadata, File monitoring, Malware reverse engineering", "external_references": [ { - "external_id": "T1027", - "source_name": "mitre-attack", + "external_id": "T1027", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Technique/T1027" } - ], - "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + ], + "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "kill_chain_phases": [ { - "kill_chain_name": "mitre-attack", + "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } - ], - "modified": "2017-05-31T21:30:32.662702Z", - "name": "Obfuscated Files or Information", + ], + "modified": "2017-05-31T21:30:32.662702Z", + "name": "Obfuscated Files or Information", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "attack-pattern" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/course-of-action/course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f/20170531213026495974.json b/stix2/test/stix2_data/course-of-action/course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f/20170531213026495974.json index 302d3f5..541ede1 100644 --- a/stix2/test/stix2_data/course-of-action/course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f/20170531213026495974.json +++ b/stix2/test/stix2_data/course-of-action/course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f/20170531213026495974.json @@ -1,16 +1,16 @@ { - "id": "bundle--a42d26fe-c938-4074-a1b3-50d852e6f0bd", + "id": "bundle--a42d26fe-c938-4074-a1b3-50d852e6f0bd", "objects": [ { - "created": "2017-05-31T21:30:26.495974Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]", - "id": "course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f", - "modified": "2017-05-31T21:30:26.495974Z", - "name": "Rootkit Mitigation", + "created": "2017-05-31T21:30:26.495974Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]", + "id": "course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f", + "modified": "2017-05-31T21:30:26.495974Z", + "name": "Rootkit Mitigation", "type": "course-of-action" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/course-of-action/course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd/20170531213041022744.json b/stix2/test/stix2_data/course-of-action/course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd/20170531213041022744.json index 71be78d..669aae5 100644 --- a/stix2/test/stix2_data/course-of-action/course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd/20170531213041022744.json +++ b/stix2/test/stix2_data/course-of-action/course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd/20170531213041022744.json @@ -1,9 +1,9 @@ { - "created": "2017-05-31T21:30:41.022744Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]", - "id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd", - "modified": "2017-05-31T21:30:41.022744Z", - "name": "Data from Network Shared Drive Mitigation", + "created": "2017-05-31T21:30:41.022744Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting[[CiteRef::Beechey 2010]] tools, like AppLocker,[[CiteRef::Windows Commands JPCERT]][[CiteRef::NSA MS AppLocker]] or Software Restriction Policies[[CiteRef::Corio 2008]] where appropriate.[[CiteRef::TechNet Applocker vs SRP]]", + "id": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd", + "modified": "2017-05-31T21:30:41.022744Z", + "name": "Data from Network Shared Drive Mitigation", "type": "course-of-action" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20170601000000000000.json b/stix2/test/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20170601000000000000.json index 25e9361..d110a09 100644 --- a/stix2/test/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20170601000000000000.json +++ b/stix2/test/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20170601000000000000.json @@ -1,15 +1,15 @@ { - "id": "bundle--81884287-2548-47fc-a997-39489ddd5462", + "id": "bundle--81884287-2548-47fc-a997-39489ddd5462", "objects": [ { - "created": "2017-06-01T00:00:00Z", - "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "identity_class": "organization", - "modified": "2017-06-01T00:00:00Z", - "name": "The MITRE Corporation", + "created": "2017-06-01T00:00:00Z", + "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "identity_class": "organization", + "modified": "2017-06-01T00:00:00Z", + "name": "The MITRE Corporation", "type": "identity" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20181101232448446000.json b/stix2/test/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20181101232448446000.json index ff3cc88..7528b44 100644 --- a/stix2/test/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20181101232448446000.json +++ b/stix2/test/stix2_data/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5/20181101232448446000.json @@ -8,4 +8,4 @@ "labels": [ "version two" ] -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/intrusion-set/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064/20170531213149412497.json b/stix2/test/stix2_data/intrusion-set/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064/20170531213149412497.json index 72e435d..648ed94 100644 --- a/stix2/test/stix2_data/intrusion-set/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064/20170531213149412497.json +++ b/stix2/test/stix2_data/intrusion-set/intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064/20170531213149412497.json @@ -1,54 +1,54 @@ { - "id": "bundle--7790ee4c-2d57-419a-bc9d-8805b5bb4118", + "id": "bundle--7790ee4c-2d57-419a-bc9d-8805b5bb4118", "objects": [ { "aliases": [ - "Deep Panda", - "Shell Crew", - "WebMasters", - "KungFu Kittens", - "PinkPanther", + "Deep Panda", + "Shell Crew", + "WebMasters", + "KungFu Kittens", + "PinkPanther", "Black Vine" - ], - "created": "2017-05-31T21:31:49.412497Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]", + ], + "created": "2017-05-31T21:31:49.412497Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]", "external_references": [ { - "external_id": "G0009", - "source_name": "mitre-attack", + "external_id": "G0009", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Group/G0009" - }, + }, { - "description": "Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.", - "source_name": "Alperovitch 2014", + "description": "Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.", + "source_name": "Alperovitch 2014", "url": "http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/" - }, + }, { - "description": "DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.", - "source_name": "Symantec Black Vine", + "description": "DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.", + "source_name": "Symantec Black Vine", "url": "http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-black-vine-cyberespionage-group.pdf" - }, + }, { - "description": "RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.", - "source_name": "RSA Shell Crew", + "description": "RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.", + "source_name": "RSA Shell Crew", "url": "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf" - }, + }, { - "description": "ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.", - "source_name": "ThreatConnect Anthem", + "description": "ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.", + "source_name": "ThreatConnect Anthem", "url": "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" } - ], - "id": "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "modified": "2017-05-31T21:31:49.412497Z", - "name": "Deep Panda", + ], + "id": "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", + "modified": "2017-05-31T21:31:49.412497Z", + "name": "Deep Panda", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "intrusion-set" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/intrusion-set/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a/20170531213153197755.json b/stix2/test/stix2_data/intrusion-set/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a/20170531213153197755.json index 541072e..bf3daa6 100644 --- a/stix2/test/stix2_data/intrusion-set/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a/20170531213153197755.json +++ b/stix2/test/stix2_data/intrusion-set/intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a/20170531213153197755.json @@ -1,44 +1,44 @@ { - "id": "bundle--96a6ea7a-fcff-4aab-925b-a494bcdf0480", + "id": "bundle--96a6ea7a-fcff-4aab-925b-a494bcdf0480", "objects": [ { "aliases": [ "DragonOK" - ], - "created": "2017-05-31T21:31:53.197755Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]", + ], + "created": "2017-05-31T21:31:53.197755Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]", "external_references": [ { - "external_id": "G0017", - "source_name": "mitre-attack", + "external_id": "G0017", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Group/G0017" - }, + }, { - "description": "Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015.", - "source_name": "Operation Quantum Entanglement", + "description": "Haq, T., Moran, N., Vashisht, S., Scott, M. (2014, September). OPERATION QUANTUM ENTANGLEMENT. Retrieved November 4, 2015.", + "source_name": "Operation Quantum Entanglement", "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" - }, + }, { - "description": "Haq, T. (2014, October). An Insight into Symbiotic APT Groups. Retrieved November 4, 2015.", - "source_name": "Symbiotic APT Groups", + "description": "Haq, T. (2014, October). An Insight into Symbiotic APT Groups. Retrieved November 4, 2015.", + "source_name": "Symbiotic APT Groups", "url": "https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon%202014%20R&D%20Track%20Insight%20into%20Symbiotic%20APT.pdf" - }, + }, { - "description": "Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.", - "source_name": "New DragonOK", + "description": "Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.", + "source_name": "New DragonOK", "url": "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" } - ], - "id": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a", - "modified": "2017-05-31T21:31:53.197755Z", - "name": "DragonOK", + ], + "id": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a", + "modified": "2017-05-31T21:31:53.197755Z", + "name": "DragonOK", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "intrusion-set" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20170531213258226477.json b/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20170531213258226477.json index 8ce4c86..c60200b 100644 --- a/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20170531213258226477.json +++ b/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20170531213258226477.json @@ -1,34 +1,34 @@ { - "id": "bundle--f64de948-7067-4534-8018-85f03d470625", + "id": "bundle--f64de948-7067-4534-8018-85f03d470625", "objects": [ { - "created": "2017-05-31T21:32:58.226477Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.[[Citation: Palo Alto Rover]]", + "created": "2017-05-31T21:32:58.226477Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan.[[Citation: Palo Alto Rover]]", "external_references": [ { - "external_id": "S0090", - "source_name": "mitre-attack", + "external_id": "S0090", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Software/S0090" - }, + }, { - "description": "Ray, V., Hayashi, K. (2016, February 29). New Malware \u2018Rover\u2019 Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.", - "source_name": "Palo Alto Rover", + "description": "Ray, V., Hayashi, K. (2016, February 29). New Malware \u2018Rover\u2019 Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.", + "source_name": "Palo Alto Rover", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" } - ], - "id": "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", + ], + "id": "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", "labels": [ "malware" - ], - "modified": "2017-05-31T21:32:58.226477Z", - "name": "Rover", + ], + "modified": "2017-05-31T21:32:58.226477Z", + "name": "Rover", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "malware" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20181101232448456000.json b/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20181101232448456000.json index e025563..af47f27 100644 --- a/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20181101232448456000.json +++ b/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20181101232448456000.json @@ -24,4 +24,4 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20181101232448457000.json b/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20181101232448457000.json index 5f65e74..446fb26 100644 --- a/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20181101232448457000.json +++ b/stix2/test/stix2_data/malware/malware--6b616fc1-1505-48e3-8b2c-0d19337bff38/20181101232448457000.json @@ -24,4 +24,4 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/malware/malware--92ec0cbd-2c30-44a2-b270-73f4ec949841/20170531213326565056.json b/stix2/test/stix2_data/malware/malware--92ec0cbd-2c30-44a2-b270-73f4ec949841/20170531213326565056.json index fda1b6a..50c8a5d 100644 --- a/stix2/test/stix2_data/malware/malware--92ec0cbd-2c30-44a2-b270-73f4ec949841/20170531213326565056.json +++ b/stix2/test/stix2_data/malware/malware--92ec0cbd-2c30-44a2-b270-73f4ec949841/20170531213326565056.json @@ -1,34 +1,34 @@ { - "id": "bundle--c633942b-545c-4c87-91b7-9fe5740365e0", + "id": "bundle--c633942b-545c-4c87-91b7-9fe5740365e0", "objects": [ { - "created": "2017-05-31T21:33:26.565056Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[[Citation: ESET RTM Feb 2017]]", + "created": "2017-05-31T21:33:26.565056Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM).[[Citation: ESET RTM Feb 2017]]", "external_references": [ { - "external_id": "S0148", - "source_name": "mitre-attack", + "external_id": "S0148", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Software/S0148" - }, + }, { - "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.", - "source_name": "ESET RTM Feb 2017", + "description": "Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.", + "source_name": "ESET RTM Feb 2017", "url": "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" } - ], - "id": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", + ], + "id": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "labels": [ "malware" - ], - "modified": "2017-05-31T21:33:26.565056Z", - "name": "RTM", + ], + "modified": "2017-05-31T21:33:26.565056Z", + "name": "RTM", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "malware" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/malware/malware--96b08451-b27a-4ff6-893f-790e26393a8e/20170531213248482655.json b/stix2/test/stix2_data/malware/malware--96b08451-b27a-4ff6-893f-790e26393a8e/20170531213248482655.json index a60341e..224f6a9 100644 --- a/stix2/test/stix2_data/malware/malware--96b08451-b27a-4ff6-893f-790e26393a8e/20170531213248482655.json +++ b/stix2/test/stix2_data/malware/malware--96b08451-b27a-4ff6-893f-790e26393a8e/20170531213248482655.json @@ -1,34 +1,34 @@ { - "id": "bundle--09ce4338-8741-4fcf-9738-d216c8e40974", + "id": "bundle--09ce4338-8741-4fcf-9738-d216c8e40974", "objects": [ { - "created": "2017-05-31T21:32:48.482655Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.[[Citation: Dell Sakula]]\n\nAliases: Sakula, Sakurel, VIPER", + "created": "2017-05-31T21:32:48.482655Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015.[[Citation: Dell Sakula]]\n\nAliases: Sakula, Sakurel, VIPER", "external_references": [ { - "external_id": "S0074", - "source_name": "mitre-attack", + "external_id": "S0074", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Software/S0074" - }, + }, { - "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.", - "source_name": "Dell Sakula", + "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.", + "source_name": "Dell Sakula", "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" } - ], - "id": "malware--96b08451-b27a-4ff6-893f-790e26393a8e", + ], + "id": "malware--96b08451-b27a-4ff6-893f-790e26393a8e", "labels": [ "malware" - ], - "modified": "2017-05-31T21:32:48.482655Z", - "name": "Sakula", + ], + "modified": "2017-05-31T21:32:48.482655Z", + "name": "Sakula", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "malware" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/malware/malware--b42378e0-f147-496f-992a-26a49705395b/20170531213215263882.json b/stix2/test/stix2_data/malware/malware--b42378e0-f147-496f-992a-26a49705395b/20170531213215263882.json index d68624e..3e1c870 100644 --- a/stix2/test/stix2_data/malware/malware--b42378e0-f147-496f-992a-26a49705395b/20170531213215263882.json +++ b/stix2/test/stix2_data/malware/malware--b42378e0-f147-496f-992a-26a49705395b/20170531213215263882.json @@ -1,34 +1,34 @@ { - "id": "bundle--611947ce-ae3b-4fdb-b297-aed8eab22e4f", + "id": "bundle--611947ce-ae3b-4fdb-b297-aed8eab22e4f", "objects": [ { - "created": "2017-05-31T21:32:15.263882Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[[Citation: FireEye Poison Ivy]]\n\nAliases: PoisonIvy, Poison Ivy", + "created": "2017-05-31T21:32:15.263882Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.[[Citation: FireEye Poison Ivy]]\n\nAliases: PoisonIvy, Poison Ivy", "external_references": [ { - "external_id": "S0012", - "source_name": "mitre-attack", + "external_id": "S0012", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Software/S0012" - }, + }, { - "description": "FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.", - "source_name": "FireEye Poison Ivy", + "description": "FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.", + "source_name": "FireEye Poison Ivy", "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf" } - ], - "id": "malware--b42378e0-f147-496f-992a-26a49705395b", + ], + "id": "malware--b42378e0-f147-496f-992a-26a49705395b", "labels": [ "malware" - ], - "modified": "2017-05-31T21:32:15.263882Z", - "name": "PoisonIvy", + ], + "modified": "2017-05-31T21:32:15.263882Z", + "name": "PoisonIvy", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "malware" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/stix2/test/stix2_data/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json index 93f94a7..be93c62 100755 --- a/stix2/test/stix2_data/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json +++ b/stix2/test/stix2_data/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json @@ -1,16 +1,16 @@ { - "id": "bundle--0f4a3025-7788-4f25-a0c7-26171056dfae", + "id": "bundle--0f4a3025-7788-4f25-a0c7-26171056dfae", "objects": [ { - "created": "2017-06-01T00:00:00Z", + "created": "2017-06-01T00:00:00Z", "definition": { "statement": "Copyright 2017, The MITRE Corporation" - }, - "definition_type": "statement", - "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", + }, + "definition_type": "statement", + "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", "type": "marking-definition" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/relationship/relationship--0d4a7788-7f3b-4df8-a498-31a38003c883/20170531213327182784.json b/stix2/test/stix2_data/relationship/relationship--0d4a7788-7f3b-4df8-a498-31a38003c883/20170531213327182784.json index 87d9a7c..0f4a32a 100644 --- a/stix2/test/stix2_data/relationship/relationship--0d4a7788-7f3b-4df8-a498-31a38003c883/20170531213327182784.json +++ b/stix2/test/stix2_data/relationship/relationship--0d4a7788-7f3b-4df8-a498-31a38003c883/20170531213327182784.json @@ -1,20 +1,20 @@ { - "id": "bundle--7e715462-dd9d-40b9-968a-10ef0ecf126d", + "id": "bundle--7e715462-dd9d-40b9-968a-10ef0ecf126d", "objects": [ { - "created": "2017-05-31T21:33:27.182784Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "relationship--0d4a7788-7f3b-4df8-a498-31a38003c883", - "modified": "2017-05-31T21:33:27.182784Z", + "created": "2017-05-31T21:33:27.182784Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--0d4a7788-7f3b-4df8-a498-31a38003c883", + "modified": "2017-05-31T21:33:27.182784Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "relationship_type": "uses", - "source_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "target_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", + ], + "relationship_type": "uses", + "source_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "target_ref": "malware--92ec0cbd-2c30-44a2-b270-73f4ec949841", "type": "relationship" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/relationship/relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227/20170531213327082801.json b/stix2/test/stix2_data/relationship/relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227/20170531213327082801.json index 231b57f..e5e1e87 100644 --- a/stix2/test/stix2_data/relationship/relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227/20170531213327082801.json +++ b/stix2/test/stix2_data/relationship/relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227/20170531213327082801.json @@ -1,20 +1,20 @@ { - "id": "bundle--a53eef35-abfc-4bcd-b84e-a048f7b4a9bf", + "id": "bundle--a53eef35-abfc-4bcd-b84e-a048f7b4a9bf", "objects": [ { - "created": "2017-05-31T21:33:27.082801Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227", - "modified": "2017-05-31T21:33:27.082801Z", + "created": "2017-05-31T21:33:27.082801Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--0e55ee98-0c6d-43d4-b424-b18a0036b227", + "modified": "2017-05-31T21:33:27.082801Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "relationship_type": "uses", - "source_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "target_ref": "tool--242f3da3-4425-4d11-8f5c-b842886da966", + ], + "relationship_type": "uses", + "source_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "target_ref": "tool--242f3da3-4425-4d11-8f5c-b842886da966", "type": "relationship" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/relationship/relationship--1e91cd45-a725-4965-abe3-700694374432/20170531213327018782.json b/stix2/test/stix2_data/relationship/relationship--1e91cd45-a725-4965-abe3-700694374432/20170531213327018782.json index 00af1c7..9651425 100644 --- a/stix2/test/stix2_data/relationship/relationship--1e91cd45-a725-4965-abe3-700694374432/20170531213327018782.json +++ b/stix2/test/stix2_data/relationship/relationship--1e91cd45-a725-4965-abe3-700694374432/20170531213327018782.json @@ -1,20 +1,20 @@ { - "id": "bundle--0b9f6412-314f-44e3-8779-9738c9578ef5", + "id": "bundle--0b9f6412-314f-44e3-8779-9738c9578ef5", "objects": [ { - "created": "2017-05-31T21:33:27.018782Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "relationship--1e91cd45-a725-4965-abe3-700694374432", - "modified": "2017-05-31T21:33:27.018782Z", + "created": "2017-05-31T21:33:27.018782Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--1e91cd45-a725-4965-abe3-700694374432", + "modified": "2017-05-31T21:33:27.018782Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "relationship_type": "mitigates", - "source_ref": "course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f", - "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--95ddb356-7ba0-4bd9-a889-247262b8946f", + "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "relationship" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/relationship/relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e/20170531213327100701.json b/stix2/test/stix2_data/relationship/relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e/20170531213327100701.json index a2ad396..7e355fc 100644 --- a/stix2/test/stix2_data/relationship/relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e/20170531213327100701.json +++ b/stix2/test/stix2_data/relationship/relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e/20170531213327100701.json @@ -1,20 +1,20 @@ { - "id": "bundle--6d5b04a8-efb2-4179-990e-74f1dcc76e0c", + "id": "bundle--6d5b04a8-efb2-4179-990e-74f1dcc76e0c", "objects": [ { - "created": "2017-05-31T21:33:27.100701Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e", - "modified": "2017-05-31T21:33:27.100701Z", + "created": "2017-05-31T21:33:27.100701Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--3a3084f9-0302-4fd5-9b8a-e0db10f5345e", + "modified": "2017-05-31T21:33:27.100701Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "relationship_type": "uses", - "source_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475", - "target_ref": "tool--03342581-f790-4f03-ba41-e82e67392e23", + ], + "relationship_type": "uses", + "source_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475", + "target_ref": "tool--03342581-f790-4f03-ba41-e82e67392e23", "type": "relationship" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/relationship/relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1/20170531213327143973.json b/stix2/test/stix2_data/relationship/relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1/20170531213327143973.json index 453dfef..f537309 100644 --- a/stix2/test/stix2_data/relationship/relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1/20170531213327143973.json +++ b/stix2/test/stix2_data/relationship/relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1/20170531213327143973.json @@ -1,20 +1,20 @@ { - "id": "bundle--a7efc025-040d-49c7-bf97-e5a1120ecacc", + "id": "bundle--a7efc025-040d-49c7-bf97-e5a1120ecacc", "objects": [ { - "created": "2017-05-31T21:33:27.143973Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1", - "modified": "2017-05-31T21:33:27.143973Z", + "created": "2017-05-31T21:33:27.143973Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--3a3ed0b2-0c38-441f-ac40-53b873e545d1", + "modified": "2017-05-31T21:33:27.143973Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "relationship_type": "uses", - "source_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9", - "target_ref": "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", + ], + "relationship_type": "uses", + "source_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "target_ref": "malware--6b616fc1-1505-48e3-8b2c-0d19337bff38", "type": "relationship" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/relationship/relationship--592d0c31-e61f-495e-a60e-70d7be59a719/20170531213327021562.json b/stix2/test/stix2_data/relationship/relationship--592d0c31-e61f-495e-a60e-70d7be59a719/20170531213327021562.json index fd22d63..47008f0 100644 --- a/stix2/test/stix2_data/relationship/relationship--592d0c31-e61f-495e-a60e-70d7be59a719/20170531213327021562.json +++ b/stix2/test/stix2_data/relationship/relationship--592d0c31-e61f-495e-a60e-70d7be59a719/20170531213327021562.json @@ -1,20 +1,20 @@ { - "id": "bundle--9f013d47-7704-41c2-9749-23d0d94af94d", + "id": "bundle--9f013d47-7704-41c2-9749-23d0d94af94d", "objects": [ { - "created": "2017-05-31T21:33:27.021562Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "relationship--592d0c31-e61f-495e-a60e-70d7be59a719", - "modified": "2017-05-31T21:33:27.021562Z", + "created": "2017-05-31T21:33:27.021562Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--592d0c31-e61f-495e-a60e-70d7be59a719", + "modified": "2017-05-31T21:33:27.021562Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "relationship_type": "mitigates", - "source_ref": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd", - "target_ref": "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c", + ], + "relationship_type": "mitigates", + "source_ref": "course-of-action--d9727aee-48b8-4fdb-89e2-4c49746ba4dd", + "target_ref": "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "relationship" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/relationship/relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1/20170531213327044387.json b/stix2/test/stix2_data/relationship/relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1/20170531213327044387.json index 40a50db..d697277 100644 --- a/stix2/test/stix2_data/relationship/relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1/20170531213327044387.json +++ b/stix2/test/stix2_data/relationship/relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1/20170531213327044387.json @@ -1,20 +1,20 @@ { - "id": "bundle--15167b24-4cee-4c96-a140-32a6c37df4b4", + "id": "bundle--15167b24-4cee-4c96-a140-32a6c37df4b4", "objects": [ { - "created": "2017-05-31T21:33:27.044387Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1", - "modified": "2017-05-31T21:33:27.044387Z", + "created": "2017-05-31T21:33:27.044387Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--70dc6b5c-c524-429e-a6ab-0dd40f0482c1", + "modified": "2017-05-31T21:33:27.044387Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "relationship_type": "uses", - "source_ref": "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", - "target_ref": "malware--96b08451-b27a-4ff6-893f-790e26393a8e", + ], + "relationship_type": "uses", + "source_ref": "intrusion-set--a653431d-6a5e-4600-8ad3-609b5af57064", + "target_ref": "malware--96b08451-b27a-4ff6-893f-790e26393a8e", "type": "relationship" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/relationship/relationship--8797579b-e3be-4209-a71b-255a4d08243d/20170531213327051532.json b/stix2/test/stix2_data/relationship/relationship--8797579b-e3be-4209-a71b-255a4d08243d/20170531213327051532.json index edfc864..d7f2ff7 100644 --- a/stix2/test/stix2_data/relationship/relationship--8797579b-e3be-4209-a71b-255a4d08243d/20170531213327051532.json +++ b/stix2/test/stix2_data/relationship/relationship--8797579b-e3be-4209-a71b-255a4d08243d/20170531213327051532.json @@ -1,20 +1,20 @@ { - "id": "bundle--ff845dca-7036-416f-aae0-95030994c49f", + "id": "bundle--ff845dca-7036-416f-aae0-95030994c49f", "objects": [ { - "created": "2017-05-31T21:33:27.051532Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "relationship--8797579b-e3be-4209-a71b-255a4d08243d", - "modified": "2017-05-31T21:33:27.051532Z", + "created": "2017-05-31T21:33:27.051532Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--8797579b-e3be-4209-a71b-255a4d08243d", + "modified": "2017-05-31T21:33:27.051532Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "relationship_type": "uses", - "source_ref": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a", - "target_ref": "malware--b42378e0-f147-496f-992a-26a49705395b", + ], + "relationship_type": "uses", + "source_ref": "intrusion-set--f3bdec95-3d62-42d9-a840-29630f6cdc1a", + "target_ref": "malware--b42378e0-f147-496f-992a-26a49705395b", "type": "relationship" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/tool/tool--03342581-f790-4f03-ba41-e82e67392e23/20170531213231601148.json b/stix2/test/stix2_data/tool/tool--03342581-f790-4f03-ba41-e82e67392e23/20170531213231601148.json index 713e4d0..9d47880 100644 --- a/stix2/test/stix2_data/tool/tool--03342581-f790-4f03-ba41-e82e67392e23/20170531213231601148.json +++ b/stix2/test/stix2_data/tool/tool--03342581-f790-4f03-ba41-e82e67392e23/20170531213231601148.json @@ -1,39 +1,39 @@ { - "id": "bundle--d8826afc-1561-4362-a4e3-05a4c2c3ac3c", + "id": "bundle--d8826afc-1561-4362-a4e3-05a4c2c3ac3c", "objects": [ { - "created": "2017-05-31T21:32:31.601148Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using net use commands, and interacting with services.\n\nAliases: Net, net.exe", + "created": "2017-05-31T21:32:31.601148Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using net use commands, and interacting with services.\n\nAliases: Net, net.exe", "external_references": [ { - "external_id": "S0039", - "source_name": "mitre-attack", + "external_id": "S0039", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Software/S0039" - }, + }, { - "description": "Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.", - "source_name": "Microsoft Net Utility", + "description": "Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.", + "source_name": "Microsoft Net Utility", "url": "https://msdn.microsoft.com/en-us/library/aa939914" - }, + }, { - "description": "Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.", - "source_name": "Savill 1999", + "description": "Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.", + "source_name": "Savill 1999", "url": "http://windowsitpro.com/windows/netexe-reference" } - ], - "id": "tool--03342581-f790-4f03-ba41-e82e67392e23", + ], + "id": "tool--03342581-f790-4f03-ba41-e82e67392e23", "labels": [ "tool" - ], - "modified": "2017-05-31T21:32:31.601148Z", - "name": "Net", + ], + "modified": "2017-05-31T21:32:31.601148Z", + "name": "Net", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "tool" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +} diff --git a/stix2/test/stix2_data/tool/tool--242f3da3-4425-4d11-8f5c-b842886da966/20170531213212684914.json b/stix2/test/stix2_data/tool/tool--242f3da3-4425-4d11-8f5c-b842886da966/20170531213212684914.json index a82da42..281888e 100644 --- a/stix2/test/stix2_data/tool/tool--242f3da3-4425-4d11-8f5c-b842886da966/20170531213212684914.json +++ b/stix2/test/stix2_data/tool/tool--242f3da3-4425-4d11-8f5c-b842886da966/20170531213212684914.json @@ -1,34 +1,34 @@ { - "id": "bundle--7dbde18f-6f14-4bf0-8389-505c89d6d5a6", + "id": "bundle--7dbde18f-6f14-4bf0-8389-505c89d6d5a6", "objects": [ { - "created": "2017-05-31T21:32:12.684914Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE", + "created": "2017-05-31T21:32:12.684914Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE", "external_references": [ { - "external_id": "S0005", - "source_name": "mitre-attack", + "external_id": "S0005", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/wiki/Software/S0005" - }, + }, { - "description": "Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.", - "source_name": "Amplia WCE", + "description": "Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015.", + "source_name": "Amplia WCE", "url": "http://www.ampliasecurity.com/research/wcefaq.html" } - ], - "id": "tool--242f3da3-4425-4d11-8f5c-b842886da966", + ], + "id": "tool--242f3da3-4425-4d11-8f5c-b842886da966", "labels": [ "tool" - ], - "modified": "2017-05-31T21:32:12.684914Z", - "name": "Windows Credential Editor", + ], + "modified": "2017-05-31T21:32:12.684914Z", + "name": "Windows Credential Editor", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + ], "type": "tool" } - ], - "spec_version": "2.0", + ], + "spec_version": "2.0", "type": "bundle" -} \ No newline at end of file +}