***Internal reference**: Reference used by the publishing party (e.g. ticket number)
***Targeting data**: Targeting information, including recipient email addresses, infected machines, departments and/or locations.
***Antivirus detection**: List of anti-virus vendors detecting the malware, or information on detection performance (e.g. 13/43 or 67%). An attachment with the list of detections, or a link to VirusTotal, can be placed here as well.
***Payload delivery**: Information about the way the malware payload is initially delivered, for example the email or website used, the vulnerability exploited, the originating IP, etc. The malware sample itself should be attached here.
***Artifacts dropped**: Any artifact (files, registry keys, etc.) dropped by the malware, or other modifications made to the system.
***Payload installation**: Location where the payload was placed on the system and the way it was installed. For example, a filename|md5 attribute can be added here like this: c:\windows\system32\malicious.exe|d41d8cd98f00b204e9800998ecf8427e (the hash part must be a full 32-character hex digest).
***Persistence mechanism**: Mechanisms used by the malware to start at boot. This could be a registry key, a modification of a legitimate driver, or an LNK file in the Startup folder.
***Network activity**: Information about network traffic generated by the malware
***Payload type**: Information about the final payload(s). Can contain a function of the payload, e.g. keylogger, RAT, or a name if identified, such as Poison Ivy.
***Attribution**: Identification of the group, organisation, or country behind the attack
***External analysis**: Any other result from additional analysis of the malware, such as tool output. Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.
***Financial fraud**: Financial fraud indicators, for example IBAN numbers, BIC codes, credit card numbers, etc.
***Other**: Attributes that are not part of any other category
***filename|md5**: A filename and an md5 hash separated by a | (no spaces)
***filename|sha1**: A filename and a sha1 hash separated by a | (no spaces)
***filename|sha256**: A filename and a sha256 hash separated by a | (no spaces)
***ip-src**: A source IP address of the attacker
***ip-dst**: A destination IP address of the attacker or C&C server. Also set the IDS flag when this IP is hardcoded in the malware.
***hostname**: A full host/DNS name of an attacker. Also set the IDS flag when this hostname is hardcoded in the malware.
***domain**: A domain name used in the malware. Use this instead of hostname when the upper domain is important or can be used to create links between events.
***authentihash**: You are encouraged to use filename|authentihash instead. An Authenticode executable signature hash; only use this if you don't know the correct filename.
***ssdeep**: You are encouraged to use filename|ssdeep instead. A checksum in the ssdeep format; only use this if you don't know the correct filename.
***imphash**: You are encouraged to use filename|imphash instead. A hash created from the imports in the sample; only use this if you don't know the correct filename.
***sha-224**: You are encouraged to use filename|sha-224 instead. A checksum in sha-224 format; only use this if you don't know the correct filename.
***sha-384**: You are encouraged to use filename|sha-384 instead. A checksum in sha-384 format; only use this if you don't know the correct filename.
***sha-512**: You are encouraged to use filename|sha-512 instead. A checksum in sha-512 format; only use this if you don't know the correct filename.
***sha-512/224**: You are encouraged to use filename|sha-512/224 instead. A checksum in sha-512/224 format; only use this if you don't know the correct filename.
***sha-512/256**: You are encouraged to use filename|sha-512/256 instead. A checksum in sha-512/256 format; only use this if you don't know the correct filename.
***tlsh**: You are encouraged to use filename|tlsh instead. A checksum in the Trend Micro Locality Sensitive Hash format; only use this if you don't know the correct filename.
***filename|authentihash**: A filename and an Authenticode executable signature hash separated by a |
***filename|ssdeep**: A filename and an ssdeep checksum separated by a |
***filename|imphash**: A filename and an import hash (a hash created from the imports in the sample) separated by a |
***filename|sha-224**: A filename and a sha-224 hash separated by a |
***filename|sha-384**: A filename and a sha-384 hash separated by a |
***filename|sha-512**: A filename and a sha-512 hash separated by a |
***filename|sha-512/224**: A filename and a sha-512/224 hash separated by a |
***filename|sha-512/256**: A filename and a sha-512/256 hash separated by a |
***filename|tlsh**: A filename and a Trend Micro Locality Sensitive Hash separated by a |
***windows-scheduled-task**: A scheduled task in Windows
***windows-service-name**: A Windows service name. This is the name used internally by Windows; not to be confused with the windows-service-displayname.
***windows-service-displayname**: A Windows service's display name; not to be confused with the windows-service-name. This is the name that applications generally show as the service's name.
***whois-registrant-email**: The e-mail of a domain's registrant, obtained from the WHOIS information.
***whois-registrant-phone**: The phone number of a domain's registrant, obtained from the WHOIS information.
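The composite filename|hash types above share one value format: a filename, a single `|` with no spaces around it, then the digest. Ingesting feeds by hand makes it easy to drop a character from a hash (a 31-character "MD5", for instance), so a sharing pipeline should validate the value before it becomes an attribute. The validator below is an added example, not MISP's own code or part of PyMISP; the digest formats it checks against are assumptions taken from the algorithms themselves (hex digest lengths, ssdeep's `blocksize:hash:hash` shape, TLSH as 70 hex digits with an optional `T1` version prefix), and all sample attribute values are constructed rather than real indicators.

```python
import re

# Expected digest formats for each hash named in a filename|<hash> type.
# Assumptions of this example: hex digest lengths follow from the algorithm
# (imphash is an MD5 of the import table, authentihash a SHA-256 of the
# Authenticode-hashed PE regions); ssdeep and TLSH get a shape check only.
HASH_FORMATS = {
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "sha1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "sha-224": re.compile(r"^[0-9a-f]{56}$", re.I),
    "sha-384": re.compile(r"^[0-9a-f]{96}$", re.I),
    "sha-512": re.compile(r"^[0-9a-f]{128}$", re.I),
    "sha-512/224": re.compile(r"^[0-9a-f]{56}$", re.I),
    "sha-512/256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "imphash": re.compile(r"^[0-9a-f]{32}$", re.I),
    "authentihash": re.compile(r"^[0-9a-f]{64}$", re.I),
    "ssdeep": re.compile(r"^\d+:[A-Za-z0-9+/]*:[A-Za-z0-9+/]*$"),
    "tlsh": re.compile(r"^(?:T1)?[0-9a-f]{70}$", re.I),
}


def split_composite(attr_type, value):
    """Split a 'filename|<hash>' attribute value into (filename, digest).

    Raises ValueError when the type is not a supported composite, the '|'
    separator is missing, either side is empty, or the digest does not match
    the format expected for the hash named in the type. Hex digests are
    returned lowercased so that equal hashes compare equal.
    """
    if "|" not in attr_type:
        raise ValueError(f"{attr_type} is not a composite type")
    left_type, hash_type = attr_type.split("|", 1)
    if left_type != "filename" or hash_type not in HASH_FORMATS:
        raise ValueError(f"unsupported composite type {attr_type}")
    if "|" not in value:
        raise ValueError("missing '|' separator between filename and hash")
    # Split on the LAST '|': a digest never contains one, but a Unix filename can.
    filename, digest = value.rsplit("|", 1)
    if not filename or not digest:
        raise ValueError("filename and hash must both be non-empty")
    if not HASH_FORMATS[hash_type].fullmatch(digest):
        raise ValueError(f"{digest!r} is not a valid {hash_type} value")
    if hash_type not in ("ssdeep", "tlsh"):
        digest = digest.lower()
    return filename, digest


def is_valid(attr_type, value):
    """Boolean wrapper around split_composite for filtering a feed."""
    try:
        split_composite(attr_type, value)
        return True
    except ValueError:
        return False


def validate_attributes(attributes):
    """Return [(type, value, error_or_None), ...] for a list of (type, value)."""
    results = []
    for attr_type, value in attributes:
        try:
            split_composite(attr_type, value)
            results.append((attr_type, value, None))
        except ValueError as exc:
            results.append((attr_type, value, str(exc)))
    return results


# Constructed sample attributes (not real indicators). The second entry
# reproduces the hand-written 31-character "MD5" that must be rejected.
SAMPLE_ATTRIBUTES = [
    ("filename|md5", r"c:\windows\system32\malicious.exe|d41d8cd98f00b204e9800998ecf8427e"),
    ("filename|md5", r"c:\windows\system32\malicious.exe|41d8cd98f00b204e9800998ecf8427e"),
    ("filename|sha256", "dropper.exe|" + "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("filename|ssdeep", "dropper.exe|3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C"),
    ("filename|tlsh", "dropper.exe|T1" + "0" * 70),
    ("filename|imphash", "dropper.exe|0123456789abcdef0123456789abcdef"),
    ("filename|sha1", "dropper.exe|not-a-hash"),
    ("filename|sha1", "dropper.exe 0123456789abcdef0123456789abcdef01234567"),
]

if __name__ == "__main__":
    for attr_type, value, error in validate_attributes(SAMPLE_ATTRIBUTES):
        status = "ok" if error is None else f"rejected: {error}"
        print(f"{attr_type:<18} {status}")
```

Splitting on the last `|` rather than the first matters on Unix-derived samples, where a filename may legitimately contain `|`; the digest never does. The hex formats are matched case-insensitively and then lowercased, which is this example's normalisation choice so that the same file reported by two sources correlates on the hash.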