From 11392bb9d3a70ecf584ef8635023e423cf598df1 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 18 Jun 2018 14:25:50 +0200 Subject: [PATCH] chg: MISP types updated to the latest version of MISP 2.4.92 --- categories-and-types/README.md | 92 +++++++++++++++++++++++++++++++--- 1 file changed, 84 insertions(+), 8 deletions(-) diff --git a/categories-and-types/README.md b/categories-and-types/README.md index e169fbc..6b03ca4 100644 --- a/categories-and-types/README.md +++ b/categories-and-types/README.md @@ -1,6 +1,6 @@ -## MISP Attribute Categories vs Types +### Attribute Categories vs. Types |Category| Internal reference | Targeting data | Antivirus detection | Payload delivery | Artifacts dropped | Payload installation | | --- |:---:|:---:|:---:|:---:|:---:|:---:| @@ -21,6 +21,8 @@ |email-dst| | | | X | | | |email-subject| | | | X | | | |email-attachment| | | | X | | | +|email-body| | | | X | | | +|float| | | | | | | |url| | | | X | | | |http-method| | | | | | | |user-agent| | | | X | | | @@ -32,12 +34,19 @@ |pattern-in-traffic| | | | X | | X | |pattern-in-memory| | | | | X | X | |yara| | | | X | X | X | +|stix2-pattern| | | | X | X | X | +|sigma| | | | X | X | X | +|gene| | | | | X | | +|mime-type| | | | X | X | X | +|identity-card-number| | | | | | | +|cookie| | | | | X | | |vulnerability| | | | X | | X | |attachment| | | X | X | X | X | |malware-sample| | | | X | X | X | |link| X | | X | X | | | |comment| X | X | X | X | X | X | |text| X | | X | X | X | X | +|hex| X | | X | X | X | X | |other| X | | X | X | X | X | |named pipe| | | | | X | | |mutex| | | | | X | | @@ -55,6 +64,7 @@ |bin| | | | | | | |cc-number| | | | | | | |prtn| | | | | | | +|phone-number| | | | | | | |threat-actor| | | | | | | |campaign-name| | | | | | | |campaign-id| | | | | | | @@ -64,6 +74,7 @@ |ssdeep| | | | X | X | X | |imphash| | | | X | X | X | |pehash| | | | X | | X | +|impfuzzy| | | | X | X | X | |sha224| | | | X | X | X | |sha384| | | | X | X | X | |sha512| | | | X | X | X | 
@@ -73,6 +84,7 @@ |filename|authentihash| | | | X | X | X | |filename|ssdeep| | | | X | X | X | |filename|imphash| | | | X | X | X | +|filename|impfuzzy| | | | X | X | X | |filename|pehash| | | | X | X | X | |filename|sha224| | | | X | X | X | |filename|sha384| | | | X | X | X | @@ -83,12 +95,15 @@ |windows-scheduled-task| | | | | X | | |windows-service-name| | | | | X | | |windows-service-displayname| | | | | X | | -|whois-registrant-email| | | | | | | +|whois-registrant-email| | | | X | | | |whois-registrant-phone| | | | | | | |whois-registrant-name| | | | | | | +|whois-registrant-org| | | | | | | |whois-registrar| | | | | | | |whois-creation-date| | | | | | | |x509-fingerprint-sha1| | | | X | X | X | +|x509-fingerprint-md5| | | | X | X | X | +|x509-fingerprint-sha256| | | | X | X | X | |dns-soa-email| | | | | | | |size-in-bytes| | | | | | | |counter| | | | | | | @@ -98,6 +113,8 @@ |ip-dst|port| | | | X | | | |ip-src|port| | | | X | | | |hostname|port| | | | X | | | +|mac-address| | | | X | | | +|mac-eui-64| | | | X | | | |email-dst-display-name| | | | X | | | |email-src-display-name| | | | X | | | |email-header| | | | X | | | @@ -135,6 +152,8 @@ |place-port-of-onward-foreign-destination| | | | | | | |passenger-name-record-locator-number| | | | | | | |mobile-application-id| | | | X | | X | +|cortex| | | | | | | +|boolean| | | | | | | |Category| Persistence mechanism | Network activity | Payload type | Attribution | External analysis | Financial fraud | | --- |:---:|:---:|:---:|:---:|:---:|:---:| @@ -155,6 +174,8 @@ |email-dst| | X | | | | | |email-subject| | | | | | | |email-attachment| | | | | | | +|email-body| | | | | | | +|float| | | | | | | |url| | X | | | X | | |http-method| | X | | | | | |user-agent| | X | | | X | | 
@@ -166,12 +187,19 @@ |pattern-in-traffic| | X | | | X | | |pattern-in-memory| | | | | X | | |yara| | | | | | | +|stix2-pattern| | X | | | | | +|sigma| | | | | | | +|gene| | | | | | | +|mime-type| | | | | | | +|identity-card-number| | | | | | | +|cookie| | X | | | | | |vulnerability| | | | | X | | |attachment| | X | | | X | | |malware-sample| | | | | X | | |link| | | | | X | | |comment| X | X | X | X | X | X | |text| X | X | X | X | X | X | +|hex| X | X | | | | X | |other| X | X | X | X | X | X | |named pipe| | | | | | | |mutex| | | | | | | @@ -189,6 +217,7 @@ |bin| | | | | | X | |cc-number| | | | | | X | |prtn| | | | | | X | +|phone-number| | | | | | X | |threat-actor| | | | X | | | |campaign-name| | | | X | | | |campaign-id| | | | X | | | @@ -198,6 +227,7 @@ |ssdeep| | | | | | | |imphash| | | | | | | |pehash| | | | | | | +|impfuzzy| | | | | | | |sha224| | | | | | | |sha384| | | | | | | |sha512| | | | | | | @@ -207,6 +237,7 @@ |filename|authentihash| | | | | | | |filename|ssdeep| | | | | | | |filename|imphash| | | | | | | +|filename|impfuzzy| | | | | | | |filename|pehash| | | | | | | |filename|sha224| | | | | | | |filename|sha384| | | | | | | @@ -220,18 +251,23 @@ |whois-registrant-email| | | | X | | | |whois-registrant-phone| | | | X | | | |whois-registrant-name| | | | X | | | +|whois-registrant-org| | | | X | | | |whois-registrar| | | | X | | | |whois-creation-date| | | | X | | | |x509-fingerprint-sha1| | X | | X | X | | -|dns-soa-email| | | | | | | +|x509-fingerprint-md5| | | | X | X | | +|x509-fingerprint-sha256| | | | X | X | | +|dns-soa-email| | | | X | | | |size-in-bytes| | | | | | | |counter| | | | | | | |datetime| | | | | | | |cpe| | | | | | | -|port| | | | | | | +|port| | X | | | | | |ip-dst|port| | X | | | X | | |ip-src|port| | X | | | X | | |hostname|port| | | | | | | +|mac-address| | X | | | X | | +|mac-eui-64| | X | | | X | | |email-dst-display-name| | | | | | | |email-src-display-name| | | | | | | |email-header| | | | | | | 
@@ -269,6 +305,8 @@ |place-port-of-onward-foreign-destination| | | | | | | |passenger-name-record-locator-number| | | | | | | |mobile-application-id| | | | | | | +|cortex| | | | | X | | +|boolean| | | | | | | |Category| Support Tool | Social network | Person | Other | | --- |:---:|:---:|:---:|:---:| @@ -289,6 +327,8 @@ |email-dst| | X | | | |email-subject| | | | | |email-attachment| | | | | +|email-body| | | | | +|float| | | | X | |url| | | | | |http-method| | | | | |user-agent| | | | | @@ -300,12 +340,19 @@ |pattern-in-traffic| | | | | |pattern-in-memory| | | | | |yara| | | | | +|stix2-pattern| | | | | +|sigma| | | | | +|gene| | | | | +|mime-type| | | | | +|identity-card-number| | | X | | +|cookie| | | | | |vulnerability| | | | | |attachment| X | | | | |malware-sample| | | | | |link| X | | | | |comment| X | X | X | X | |text| X | X | X | X | +|hex| X | | | X | |other| X | X | X | X | |named pipe| | | | | |mutex| | | | | @@ -323,6 +370,7 @@ |bin| | | | | |cc-number| | | | | |prtn| | | | | +|phone-number| | | X | X | |threat-actor| | | | | |campaign-name| | | | | |campaign-id| | | | | @@ -332,6 +380,7 @@ |ssdeep| | | | | |imphash| | | | | |pehash| | | | | +|impfuzzy| | | | | |sha224| | | | | |sha384| | | | | |sha512| | | | | @@ -341,6 +390,7 @@ |filename|authentihash| | | | | |filename|ssdeep| | | | | |filename|imphash| | | | | +|filename|impfuzzy| | | | | |filename|pehash| | | | | |filename|sha224| | | | | |filename|sha384| | | | | @@ -351,12 +401,15 @@ |windows-scheduled-task| | | | | |windows-service-name| | | | | |windows-service-displayname| | | | | -|whois-registrant-email| | | | | +|whois-registrant-email| | X | | | |whois-registrant-phone| | | | | |whois-registrant-name| | | | | +|whois-registrant-org| | | | | |whois-registrar| | | | | |whois-creation-date| | | | | |x509-fingerprint-sha1| | | | | +|x509-fingerprint-md5| | | | | +|x509-fingerprint-sha256| | | | | |dns-soa-email| | | | | |size-in-bytes| | | | X | |counter| | | | X | 
@@ -366,6 +419,8 @@ |ip-dst|port| | | | | |ip-src|port| | | | | |hostname|port| | | | | +|mac-address| | | | | +|mac-eui-64| | | | | |email-dst-display-name| | | | | |email-src-display-name| | | | | |email-header| | | | | @@ -403,6 +458,8 @@ |place-port-of-onward-foreign-destination| | | X | | |passenger-name-record-locator-number| | | X | | |mobile-application-id| | | | | +|cortex| | | | | +|boolean| | | | X | ### Categories @@ -438,10 +495,12 @@ * **hostname**: A full host/dnsname of an attacker. Also set the IDS flag on when this hostname is hardcoded in malware * **domain**: A domain name used in the malware. Use this instead of hostname when the upper domain is important or can be used to create links between events. * **domain|ip**: A domain name and its IP address (as found in DNS lookup) separated by a | (no spaces) -* **email-src**: The email address (or domainname) used to send the malware. +* **email-src**: The email address used to send the malware. * **email-dst**: A recipient email address that is not related to your constituency. * **email-subject**: The subject of the email * **email-attachment**: File name of the email attachment. +* **email-body**: Email body +* **float**: A floating point value. * **url**: url * **http-method**: HTTP method used by the malware (e.g. POST, GET, ...). * **user-agent**: The user-agent used by the malware in the HTTP request. 
@@ -453,12 +512,19 @@
 * **pattern-in-traffic**: Pattern in network traffic that identifies the malware
 * **pattern-in-memory**: Pattern in memory dump that identifies the malware
 * **yara**: Yara signature
+* **stix2-pattern**: STIX 2 pattern
+* **sigma**: Sigma - Generic Signature Format for SIEM Systems
+* **gene**: GENE - Go Evtx sigNature Engine
+* **mime-type**: A media type (also MIME type and content type) is a two-part identifier for file formats and format contents transmitted on the Internet
+* **identity-card-number**: Identity card number
+* **cookie**: HTTP cookie as often stored on the user web client. This can include authentication cookie or session cookie.
 * **vulnerability**: A reference to the vulnerability used in the exploit
 * **attachment**: Please upload files using the Upload Attachment button.
 * **malware-sample**: Please upload files using the Upload Attachment button.
 * **link**: Link to an external information
 * **comment**: Comment or description in a human language. This will not be correlated with other attributes
 * **text**: Name, ID or a reference
+* **hex**: A value in hexadecimal format
 * **other**: Other attribute
 * **named pipe**: Named pipe, use the format \.\pipe\
 * **mutex**: Mutex, use the format \BaseNamedObjects\
@@ -470,12 +536,13 @@
 * **target-external**: External Target Organizations Affected by this Attack
 * **btc**: Bitcoin Address
 * **iban**: International Bank Account Number
-* **bic**: Bank Identifier Code Number
+* **bic**: Bank Identifier Code Number also known as SWIFT-BIC, SWIFT code or ISO 9362 code
 * **bank-account-nr**: Bank account number without any routing number
 * **aba-rtn**: ABA routing transit number
 * **bin**: Bank Identification Number
 * **cc-number**: Credit-Card Number
 * **prtn**: Premium-Rate Telephone Number
+* **phone-number**: Telephone Number
 * **threat-actor**: A string identifying the threat actor
 * **campaign-name**: Associated campaign name
 * **campaign-id**: Associated campaign ID
@@ -485,6 +552,7 @@
 * **ssdeep**: You are encouraged to use filename|ssdeep instead. A checksum in the SSDeep format, only use this if you don't know the correct filename
 * **imphash**: You are encouraged to use filename|imphash instead. A hash created based on the imports in the sample, only use this if you don't know the correct filename
 * **pehash**: PEhash - a hash calculated based of certain pieces of a PE executable file
+* **impfuzzy**: You are encouraged to use filename|impfuzzy instead. A fuzzy hash created based on the imports in the sample, only use this if you don't know the correct filename
 * **sha224**: You are encouraged to use filename|sha224 instead. A checksum in sha224 format, only use this if you don't know the correct filename
 * **sha384**: You are encouraged to use filename|sha384 instead. A checksum in sha384 format, only use this if you don't know the correct filename
 * **sha512**: You are encouraged to use filename|sha512 instead. A checksum in sha512 format, only use this if you don't know the correct filename
@@ -494,6 +562,7 @@
 * **filename|authentihash**: A checksum in md5 format
 * **filename|ssdeep**: A checksum in ssdeep format
 * **filename|imphash**: Import hash - a hash created based on the imports in the sample.
+* **filename|impfuzzy**: Import fuzzy hash - a fuzzy hash created based on the imports in the sample.
 * **filename|pehash**: A filename and a PEhash separated by a |
 * **filename|sha224**: A filename and a sha-224 hash separated by a |
 * **filename|sha384**: A filename and a sha-384 hash separated by a |
@@ -507,9 +576,12 @@
 * **whois-registrant-email**: The e-mail of a domain's registrant, obtained from the WHOIS information.
 * **whois-registrant-phone**: The phone number of a domain's registrant, obtained from the WHOIS information.
 * **whois-registrant-name**: The name of a domain's registrant, obtained from the WHOIS information.
+* **whois-registrant-org**: The org of a domain's registrant, obtained from the WHOIS information.
 * **whois-registrar**: The registrar of the domain, obtained from the WHOIS information.
 * **whois-creation-date**: The date of domain's creation, obtained from the WHOIS information.
 * **x509-fingerprint-sha1**: X509 fingerprint in SHA-1 format
+* **x509-fingerprint-md5**: X509 fingerprint in MD5 format
+* **x509-fingerprint-sha256**: X509 fingerprint in SHA-256 format
 * **dns-soa-email**: RFC1035 mandates that DNS zones should have a SOA (Statement Of Authority) record that contains an email address where a PoC for the domain could be contacted. This can sometimes be used for attribution/linkage between different domains even if protected by whois privacy
 * **size-in-bytes**: Size expressed in bytes
 * **counter**: An integer counter, generally to be used in objects
@@ -519,6 +591,8 @@
 * **ip-dst|port**: IP destination and port number seperated by a |
 * **ip-src|port**: IP source and port number seperated by a |
 * **hostname|port**: Hostname and port number seperated by a |
+* **mac-address**: Mac address
+* **mac-eui-64**: Mac EUI-64 address
 * **email-dst-display-name**: Email destination display name
 * **email-src-display-name**: Email source display name
 * **email-header**: Email header
@@ -526,7 +600,7 @@
 * **email-x-mailer**: Email x-mailer header
 * **email-mime-boundary**: The email mime boundary separating parts in a multipart email
 * **email-thread-index**: The email thread index header
-* **email-message-id**:
+* **email-message-id**: The email message ID
 * **github-username**: A github user name
 * **github-repository**: A github repository
 * **github-organisation**: A github organisation
@@ -556,4 +630,6 @@
 * **place-port-of-onward-foreign-destination**: A Port where the passenger is transiting to
 * **passenger-name-record-locator-number**: The Passenger Name Record Locator is a key under which the reservation for a trip is stored in the system. The PNR contains, among other data, the name, flight segments and address of the passenger. It is defined by a combination of five or six letters and numbers.
 * **mobile-application-id**: The application id of a mobile application
+* **cortex**: Cortex analysis result
+* **boolean**: Boolean value - to be used in objects