mirror of https://github.com/MISP/misp-book
chg: MISP types updated to the latest version of MISP 2.4.92
parent
1a04ae8de5
commit
11392bb9d3
|
@ -1,6 +1,6 @@
|
||||||
<!-- toc -->
|
<!-- toc -->
|
||||||
|
|
||||||
## MISP Attribute Categories vs Types
|
### Attribute Categories vs. Types
|
||||||
|
|
||||||
|Category| Internal reference | Targeting data | Antivirus detection | Payload delivery | Artifacts dropped | Payload installation |
|
|Category| Internal reference | Targeting data | Antivirus detection | Payload delivery | Artifacts dropped | Payload installation |
|
||||||
| --- |:---:|:---:|:---:|:---:|:---:|:---:|
|
| --- |:---:|:---:|:---:|:---:|:---:|:---:|
|
||||||
|
@ -21,6 +21,8 @@
|
||||||
|email-dst| | | | X | | |
|
|email-dst| | | | X | | |
|
||||||
|email-subject| | | | X | | |
|
|email-subject| | | | X | | |
|
||||||
|email-attachment| | | | X | | |
|
|email-attachment| | | | X | | |
|
||||||
|
|email-body| | | | X | | |
|
||||||
|
|float| | | | | | |
|
||||||
|url| | | | X | | |
|
|url| | | | X | | |
|
||||||
|http-method| | | | | | |
|
|http-method| | | | | | |
|
||||||
|user-agent| | | | X | | |
|
|user-agent| | | | X | | |
|
||||||
|
@ -32,12 +34,19 @@
|
||||||
|pattern-in-traffic| | | | X | | X |
|
|pattern-in-traffic| | | | X | | X |
|
||||||
|pattern-in-memory| | | | | X | X |
|
|pattern-in-memory| | | | | X | X |
|
||||||
|yara| | | | X | X | X |
|
|yara| | | | X | X | X |
|
||||||
|
|stix2-pattern| | | | X | X | X |
|
||||||
|
|sigma| | | | X | X | X |
|
||||||
|
|gene| | | | | X | |
|
||||||
|
|mime-type| | | | X | X | X |
|
||||||
|
|identity-card-number| | | | | | |
|
||||||
|
|cookie| | | | | X | |
|
||||||
|vulnerability| | | | X | | X |
|
|vulnerability| | | | X | | X |
|
||||||
|attachment| | | X | X | X | X |
|
|attachment| | | X | X | X | X |
|
||||||
|malware-sample| | | | X | X | X |
|
|malware-sample| | | | X | X | X |
|
||||||
|link| X | | X | X | | |
|
|link| X | | X | X | | |
|
||||||
|comment| X | X | X | X | X | X |
|
|comment| X | X | X | X | X | X |
|
||||||
|text| X | | X | X | X | X |
|
|text| X | | X | X | X | X |
|
||||||
|
|hex| X | | X | X | X | X |
|
||||||
|other| X | | X | X | X | X |
|
|other| X | | X | X | X | X |
|
||||||
|named pipe| | | | | X | |
|
|named pipe| | | | | X | |
|
||||||
|mutex| | | | | X | |
|
|mutex| | | | | X | |
|
||||||
|
@ -55,6 +64,7 @@
|
||||||
|bin| | | | | | |
|
|bin| | | | | | |
|
||||||
|cc-number| | | | | | |
|
|cc-number| | | | | | |
|
||||||
|prtn| | | | | | |
|
|prtn| | | | | | |
|
||||||
|
|phone-number| | | | | | |
|
||||||
|threat-actor| | | | | | |
|
|threat-actor| | | | | | |
|
||||||
|campaign-name| | | | | | |
|
|campaign-name| | | | | | |
|
||||||
|campaign-id| | | | | | |
|
|campaign-id| | | | | | |
|
||||||
|
@ -64,6 +74,7 @@
|
||||||
|ssdeep| | | | X | X | X |
|
|ssdeep| | | | X | X | X |
|
||||||
|imphash| | | | X | X | X |
|
|imphash| | | | X | X | X |
|
||||||
|pehash| | | | X | | X |
|
|pehash| | | | X | | X |
|
||||||
|
|impfuzzy| | | | X | X | X |
|
||||||
|sha224| | | | X | X | X |
|
|sha224| | | | X | X | X |
|
||||||
|sha384| | | | X | X | X |
|
|sha384| | | | X | X | X |
|
||||||
|sha512| | | | X | X | X |
|
|sha512| | | | X | X | X |
|
||||||
|
@ -73,6 +84,7 @@
|
||||||
|filename|authentihash| | | | X | X | X |
|
|filename|authentihash| | | | X | X | X |
|
||||||
|filename|ssdeep| | | | X | X | X |
|
|filename|ssdeep| | | | X | X | X |
|
||||||
|filename|imphash| | | | X | X | X |
|
|filename|imphash| | | | X | X | X |
|
||||||
|
|filename|impfuzzy| | | | X | X | X |
|
||||||
|filename|pehash| | | | X | X | X |
|
|filename|pehash| | | | X | X | X |
|
||||||
|filename|sha224| | | | X | X | X |
|
|filename|sha224| | | | X | X | X |
|
||||||
|filename|sha384| | | | X | X | X |
|
|filename|sha384| | | | X | X | X |
|
||||||
|
@ -83,12 +95,15 @@
|
||||||
|windows-scheduled-task| | | | | X | |
|
|windows-scheduled-task| | | | | X | |
|
||||||
|windows-service-name| | | | | X | |
|
|windows-service-name| | | | | X | |
|
||||||
|windows-service-displayname| | | | | X | |
|
|windows-service-displayname| | | | | X | |
|
||||||
|whois-registrant-email| | | | | | |
|
|whois-registrant-email| | | | X | | |
|
||||||
|whois-registrant-phone| | | | | | |
|
|whois-registrant-phone| | | | | | |
|
||||||
|whois-registrant-name| | | | | | |
|
|whois-registrant-name| | | | | | |
|
||||||
|
|whois-registrant-org| | | | | | |
|
||||||
|whois-registrar| | | | | | |
|
|whois-registrar| | | | | | |
|
||||||
|whois-creation-date| | | | | | |
|
|whois-creation-date| | | | | | |
|
||||||
|x509-fingerprint-sha1| | | | X | X | X |
|
|x509-fingerprint-sha1| | | | X | X | X |
|
||||||
|
|x509-fingerprint-md5| | | | X | X | X |
|
||||||
|
|x509-fingerprint-sha256| | | | X | X | X |
|
||||||
|dns-soa-email| | | | | | |
|
|dns-soa-email| | | | | | |
|
||||||
|size-in-bytes| | | | | | |
|
|size-in-bytes| | | | | | |
|
||||||
|counter| | | | | | |
|
|counter| | | | | | |
|
||||||
|
@ -98,6 +113,8 @@
|
||||||
|ip-dst|port| | | | X | | |
|
|ip-dst|port| | | | X | | |
|
||||||
|ip-src|port| | | | X | | |
|
|ip-src|port| | | | X | | |
|
||||||
|hostname|port| | | | X | | |
|
|hostname|port| | | | X | | |
|
||||||
|
|mac-address| | | | X | | |
|
||||||
|
|mac-eui-64| | | | X | | |
|
||||||
|email-dst-display-name| | | | X | | |
|
|email-dst-display-name| | | | X | | |
|
||||||
|email-src-display-name| | | | X | | |
|
|email-src-display-name| | | | X | | |
|
||||||
|email-header| | | | X | | |
|
|email-header| | | | X | | |
|
||||||
|
@ -135,6 +152,8 @@
|
||||||
|place-port-of-onward-foreign-destination| | | | | | |
|
|place-port-of-onward-foreign-destination| | | | | | |
|
||||||
|passenger-name-record-locator-number| | | | | | |
|
|passenger-name-record-locator-number| | | | | | |
|
||||||
|mobile-application-id| | | | X | | X |
|
|mobile-application-id| | | | X | | X |
|
||||||
|
|cortex| | | | | | |
|
||||||
|
|boolean| | | | | | |
|
||||||
|
|
||||||
|Category| Persistence mechanism | Network activity | Payload type | Attribution | External analysis | Financial fraud |
|
|Category| Persistence mechanism | Network activity | Payload type | Attribution | External analysis | Financial fraud |
|
||||||
| --- |:---:|:---:|:---:|:---:|:---:|:---:|
|
| --- |:---:|:---:|:---:|:---:|:---:|:---:|
|
||||||
|
@ -155,6 +174,8 @@
|
||||||
|email-dst| | X | | | | |
|
|email-dst| | X | | | | |
|
||||||
|email-subject| | | | | | |
|
|email-subject| | | | | | |
|
||||||
|email-attachment| | | | | | |
|
|email-attachment| | | | | | |
|
||||||
|
|email-body| | | | | | |
|
||||||
|
|float| | | | | | |
|
||||||
|url| | X | | | X | |
|
|url| | X | | | X | |
|
||||||
|http-method| | X | | | | |
|
|http-method| | X | | | | |
|
||||||
|user-agent| | X | | | X | |
|
|user-agent| | X | | | X | |
|
||||||
|
@ -166,12 +187,19 @@
|
||||||
|pattern-in-traffic| | X | | | X | |
|
|pattern-in-traffic| | X | | | X | |
|
||||||
|pattern-in-memory| | | | | X | |
|
|pattern-in-memory| | | | | X | |
|
||||||
|yara| | | | | | |
|
|yara| | | | | | |
|
||||||
|
|stix2-pattern| | X | | | | |
|
||||||
|
|sigma| | | | | | |
|
||||||
|
|gene| | | | | | |
|
||||||
|
|mime-type| | | | | | |
|
||||||
|
|identity-card-number| | | | | | |
|
||||||
|
|cookie| | X | | | | |
|
||||||
|vulnerability| | | | | X | |
|
|vulnerability| | | | | X | |
|
||||||
|attachment| | X | | | X | |
|
|attachment| | X | | | X | |
|
||||||
|malware-sample| | | | | X | |
|
|malware-sample| | | | | X | |
|
||||||
|link| | | | | X | |
|
|link| | | | | X | |
|
||||||
|comment| X | X | X | X | X | X |
|
|comment| X | X | X | X | X | X |
|
||||||
|text| X | X | X | X | X | X |
|
|text| X | X | X | X | X | X |
|
||||||
|
|hex| X | X | | | | X |
|
||||||
|other| X | X | X | X | X | X |
|
|other| X | X | X | X | X | X |
|
||||||
|named pipe| | | | | | |
|
|named pipe| | | | | | |
|
||||||
|mutex| | | | | | |
|
|mutex| | | | | | |
|
||||||
|
@ -189,6 +217,7 @@
|
||||||
|bin| | | | | | X |
|
|bin| | | | | | X |
|
||||||
|cc-number| | | | | | X |
|
|cc-number| | | | | | X |
|
||||||
|prtn| | | | | | X |
|
|prtn| | | | | | X |
|
||||||
|
|phone-number| | | | | | X |
|
||||||
|threat-actor| | | | X | | |
|
|threat-actor| | | | X | | |
|
||||||
|campaign-name| | | | X | | |
|
|campaign-name| | | | X | | |
|
||||||
|campaign-id| | | | X | | |
|
|campaign-id| | | | X | | |
|
||||||
|
@ -198,6 +227,7 @@
|
||||||
|ssdeep| | | | | | |
|
|ssdeep| | | | | | |
|
||||||
|imphash| | | | | | |
|
|imphash| | | | | | |
|
||||||
|pehash| | | | | | |
|
|pehash| | | | | | |
|
||||||
|
|impfuzzy| | | | | | |
|
||||||
|sha224| | | | | | |
|
|sha224| | | | | | |
|
||||||
|sha384| | | | | | |
|
|sha384| | | | | | |
|
||||||
|sha512| | | | | | |
|
|sha512| | | | | | |
|
||||||
|
@ -207,6 +237,7 @@
|
||||||
|filename|authentihash| | | | | | |
|
|filename|authentihash| | | | | | |
|
||||||
|filename|ssdeep| | | | | | |
|
|filename|ssdeep| | | | | | |
|
||||||
|filename|imphash| | | | | | |
|
|filename|imphash| | | | | | |
|
||||||
|
|filename|impfuzzy| | | | | | |
|
||||||
|filename|pehash| | | | | | |
|
|filename|pehash| | | | | | |
|
||||||
|filename|sha224| | | | | | |
|
|filename|sha224| | | | | | |
|
||||||
|filename|sha384| | | | | | |
|
|filename|sha384| | | | | | |
|
||||||
|
@ -220,18 +251,23 @@
|
||||||
|whois-registrant-email| | | | X | | |
|
|whois-registrant-email| | | | X | | |
|
||||||
|whois-registrant-phone| | | | X | | |
|
|whois-registrant-phone| | | | X | | |
|
||||||
|whois-registrant-name| | | | X | | |
|
|whois-registrant-name| | | | X | | |
|
||||||
|
|whois-registrant-org| | | | X | | |
|
||||||
|whois-registrar| | | | X | | |
|
|whois-registrar| | | | X | | |
|
||||||
|whois-creation-date| | | | X | | |
|
|whois-creation-date| | | | X | | |
|
||||||
|x509-fingerprint-sha1| | X | | X | X | |
|
|x509-fingerprint-sha1| | X | | X | X | |
|
||||||
|dns-soa-email| | | | | | |
|
|x509-fingerprint-md5| | | | X | X | |
|
||||||
|
|x509-fingerprint-sha256| | | | X | X | |
|
||||||
|
|dns-soa-email| | | | X | | |
|
||||||
|size-in-bytes| | | | | | |
|
|size-in-bytes| | | | | | |
|
||||||
|counter| | | | | | |
|
|counter| | | | | | |
|
||||||
|datetime| | | | | | |
|
|datetime| | | | | | |
|
||||||
|cpe| | | | | | |
|
|cpe| | | | | | |
|
||||||
|port| | | | | | |
|
|port| | X | | | | |
|
||||||
|ip-dst|port| | X | | | X | |
|
|ip-dst|port| | X | | | X | |
|
||||||
|ip-src|port| | X | | | X | |
|
|ip-src|port| | X | | | X | |
|
||||||
|hostname|port| | | | | | |
|
|hostname|port| | | | | | |
|
||||||
|
|mac-address| | X | | | X | |
|
||||||
|
|mac-eui-64| | X | | | X | |
|
||||||
|email-dst-display-name| | | | | | |
|
|email-dst-display-name| | | | | | |
|
||||||
|email-src-display-name| | | | | | |
|
|email-src-display-name| | | | | | |
|
||||||
|email-header| | | | | | |
|
|email-header| | | | | | |
|
||||||
|
@ -269,6 +305,8 @@
|
||||||
|place-port-of-onward-foreign-destination| | | | | | |
|
|place-port-of-onward-foreign-destination| | | | | | |
|
||||||
|passenger-name-record-locator-number| | | | | | |
|
|passenger-name-record-locator-number| | | | | | |
|
||||||
|mobile-application-id| | | | | | |
|
|mobile-application-id| | | | | | |
|
||||||
|
|cortex| | | | | X | |
|
||||||
|
|boolean| | | | | | |
|
||||||
|
|
||||||
|Category| Support Tool | Social network | Person | Other |
|
|Category| Support Tool | Social network | Person | Other |
|
||||||
| --- |:---:|:---:|:---:|:---:|
|
| --- |:---:|:---:|:---:|:---:|
|
||||||
|
@ -289,6 +327,8 @@
|
||||||
|email-dst| | X | | |
|
|email-dst| | X | | |
|
||||||
|email-subject| | | | |
|
|email-subject| | | | |
|
||||||
|email-attachment| | | | |
|
|email-attachment| | | | |
|
||||||
|
|email-body| | | | |
|
||||||
|
|float| | | | X |
|
||||||
|url| | | | |
|
|url| | | | |
|
||||||
|http-method| | | | |
|
|http-method| | | | |
|
||||||
|user-agent| | | | |
|
|user-agent| | | | |
|
||||||
|
@ -300,12 +340,19 @@
|
||||||
|pattern-in-traffic| | | | |
|
|pattern-in-traffic| | | | |
|
||||||
|pattern-in-memory| | | | |
|
|pattern-in-memory| | | | |
|
||||||
|yara| | | | |
|
|yara| | | | |
|
||||||
|
|stix2-pattern| | | | |
|
||||||
|
|sigma| | | | |
|
||||||
|
|gene| | | | |
|
||||||
|
|mime-type| | | | |
|
||||||
|
|identity-card-number| | | X | |
|
||||||
|
|cookie| | | | |
|
||||||
|vulnerability| | | | |
|
|vulnerability| | | | |
|
||||||
|attachment| X | | | |
|
|attachment| X | | | |
|
||||||
|malware-sample| | | | |
|
|malware-sample| | | | |
|
||||||
|link| X | | | |
|
|link| X | | | |
|
||||||
|comment| X | X | X | X |
|
|comment| X | X | X | X |
|
||||||
|text| X | X | X | X |
|
|text| X | X | X | X |
|
||||||
|
|hex| X | | | X |
|
||||||
|other| X | X | X | X |
|
|other| X | X | X | X |
|
||||||
|named pipe| | | | |
|
|named pipe| | | | |
|
||||||
|mutex| | | | |
|
|mutex| | | | |
|
||||||
|
@ -323,6 +370,7 @@
|
||||||
|bin| | | | |
|
|bin| | | | |
|
||||||
|cc-number| | | | |
|
|cc-number| | | | |
|
||||||
|prtn| | | | |
|
|prtn| | | | |
|
||||||
|
|phone-number| | | X | X |
|
||||||
|threat-actor| | | | |
|
|threat-actor| | | | |
|
||||||
|campaign-name| | | | |
|
|campaign-name| | | | |
|
||||||
|campaign-id| | | | |
|
|campaign-id| | | | |
|
||||||
|
@ -332,6 +380,7 @@
|
||||||
|ssdeep| | | | |
|
|ssdeep| | | | |
|
||||||
|imphash| | | | |
|
|imphash| | | | |
|
||||||
|pehash| | | | |
|
|pehash| | | | |
|
||||||
|
|impfuzzy| | | | |
|
||||||
|sha224| | | | |
|
|sha224| | | | |
|
||||||
|sha384| | | | |
|
|sha384| | | | |
|
||||||
|sha512| | | | |
|
|sha512| | | | |
|
||||||
|
@ -341,6 +390,7 @@
|
||||||
|filename|authentihash| | | | |
|
|filename|authentihash| | | | |
|
||||||
|filename|ssdeep| | | | |
|
|filename|ssdeep| | | | |
|
||||||
|filename|imphash| | | | |
|
|filename|imphash| | | | |
|
||||||
|
|filename|impfuzzy| | | | |
|
||||||
|filename|pehash| | | | |
|
|filename|pehash| | | | |
|
||||||
|filename|sha224| | | | |
|
|filename|sha224| | | | |
|
||||||
|filename|sha384| | | | |
|
|filename|sha384| | | | |
|
||||||
|
@ -351,12 +401,15 @@
|
||||||
|windows-scheduled-task| | | | |
|
|windows-scheduled-task| | | | |
|
||||||
|windows-service-name| | | | |
|
|windows-service-name| | | | |
|
||||||
|windows-service-displayname| | | | |
|
|windows-service-displayname| | | | |
|
||||||
|whois-registrant-email| | | | |
|
|whois-registrant-email| | X | | |
|
||||||
|whois-registrant-phone| | | | |
|
|whois-registrant-phone| | | | |
|
||||||
|whois-registrant-name| | | | |
|
|whois-registrant-name| | | | |
|
||||||
|
|whois-registrant-org| | | | |
|
||||||
|whois-registrar| | | | |
|
|whois-registrar| | | | |
|
||||||
|whois-creation-date| | | | |
|
|whois-creation-date| | | | |
|
||||||
|x509-fingerprint-sha1| | | | |
|
|x509-fingerprint-sha1| | | | |
|
||||||
|
|x509-fingerprint-md5| | | | |
|
||||||
|
|x509-fingerprint-sha256| | | | |
|
||||||
|dns-soa-email| | | | |
|
|dns-soa-email| | | | |
|
||||||
|size-in-bytes| | | | X |
|
|size-in-bytes| | | | X |
|
||||||
|counter| | | | X |
|
|counter| | | | X |
|
||||||
|
@ -366,6 +419,8 @@
|
||||||
|ip-dst|port| | | | |
|
|ip-dst|port| | | | |
|
||||||
|ip-src|port| | | | |
|
|ip-src|port| | | | |
|
||||||
|hostname|port| | | | |
|
|hostname|port| | | | |
|
||||||
|
|mac-address| | | | |
|
||||||
|
|mac-eui-64| | | | |
|
||||||
|email-dst-display-name| | | | |
|
|email-dst-display-name| | | | |
|
||||||
|email-src-display-name| | | | |
|
|email-src-display-name| | | | |
|
||||||
|email-header| | | | |
|
|email-header| | | | |
|
||||||
|
@ -403,6 +458,8 @@
|
||||||
|place-port-of-onward-foreign-destination| | | X | |
|
|place-port-of-onward-foreign-destination| | | X | |
|
||||||
|passenger-name-record-locator-number| | | X | |
|
|passenger-name-record-locator-number| | | X | |
|
||||||
|mobile-application-id| | | | |
|
|mobile-application-id| | | | |
|
||||||
|
|cortex| | | | |
|
||||||
|
|boolean| | | | X |
|
||||||
|
|
||||||
### Categories
|
### Categories
|
||||||
|
|
||||||
|
@ -438,10 +495,12 @@
|
||||||
* **hostname**: A full host/dnsname of an attacker. Also set the IDS flag on when this hostname is hardcoded in malware
|
* **hostname**: A full host/dnsname of an attacker. Also set the IDS flag on when this hostname is hardcoded in malware
|
||||||
* **domain**: A domain name used in the malware. Use this instead of hostname when the upper domain is important or can be used to create links between events.
|
* **domain**: A domain name used in the malware. Use this instead of hostname when the upper domain is important or can be used to create links between events.
|
||||||
* **domain|ip**: A domain name and its IP address (as found in DNS lookup) separated by a | (no spaces)
|
* **domain|ip**: A domain name and its IP address (as found in DNS lookup) separated by a | (no spaces)
|
||||||
* **email-src**: The email address (or domainname) used to send the malware.
|
* **email-src**: The email address used to send the malware.
|
||||||
* **email-dst**: A recipient email address that is not related to your constituency.
|
* **email-dst**: A recipient email address that is not related to your constituency.
|
||||||
* **email-subject**: The subject of the email
|
* **email-subject**: The subject of the email
|
||||||
* **email-attachment**: File name of the email attachment.
|
* **email-attachment**: File name of the email attachment.
|
||||||
|
* **email-body**: Email body
|
||||||
|
* **float**: A floating point value.
|
||||||
* **url**: url
|
* **url**: url
|
||||||
* **http-method**: HTTP method used by the malware (e.g. POST, GET, ...).
|
* **http-method**: HTTP method used by the malware (e.g. POST, GET, ...).
|
||||||
* **user-agent**: The user-agent used by the malware in the HTTP request.
|
* **user-agent**: The user-agent used by the malware in the HTTP request.
|
||||||
|
@ -453,12 +512,19 @@
|
||||||
* **pattern-in-traffic**: Pattern in network traffic that identifies the malware
|
* **pattern-in-traffic**: Pattern in network traffic that identifies the malware
|
||||||
* **pattern-in-memory**: Pattern in memory dump that identifies the malware
|
* **pattern-in-memory**: Pattern in memory dump that identifies the malware
|
||||||
* **yara**: Yara signature
|
* **yara**: Yara signature
|
||||||
|
* **stix2-pattern**: STIX 2 pattern
|
||||||
|
* **sigma**: Sigma - Generic Signature Format for SIEM Systems
|
||||||
|
* **gene**: GENE - Go Evtx sigNature Engine
|
||||||
|
* **mime-type**: A media type (also MIME type and content type) is a two-part identifier for file formats and format contents transmitted on the Internet
|
||||||
|
* **identity-card-number**: Identity card number
|
||||||
|
* **cookie**: HTTP cookie as often stored on the user web client. This can include authentication cookie or session cookie.
|
||||||
* **vulnerability**: A reference to the vulnerability used in the exploit
|
* **vulnerability**: A reference to the vulnerability used in the exploit
|
||||||
* **attachment**: Please upload files using the <em>Upload Attachment</em> button.
|
* **attachment**: Please upload files using the <em>Upload Attachment</em> button.
|
||||||
* **malware-sample**: Please upload files using the <em>Upload Attachment</em> button.
|
* **malware-sample**: Please upload files using the <em>Upload Attachment</em> button.
|
||||||
* **link**: Link to an external information
|
* **link**: Link to an external information
|
||||||
* **comment**: Comment or description in a human language. This will not be correlated with other attributes
|
* **comment**: Comment or description in a human language. This will not be correlated with other attributes
|
||||||
* **text**: Name, ID or a reference
|
* **text**: Name, ID or a reference
|
||||||
|
* **hex**: A value in hexadecimal format
|
||||||
* **other**: Other attribute
|
* **other**: Other attribute
|
||||||
* **named pipe**: Named pipe, use the format \.\pipe\<PipeName>
|
* **named pipe**: Named pipe, use the format \.\pipe\<PipeName>
|
||||||
* **mutex**: Mutex, use the format \BaseNamedObjects\<Mutex>
|
* **mutex**: Mutex, use the format \BaseNamedObjects\<Mutex>
|
||||||
|
@ -470,12 +536,13 @@
|
||||||
* **target-external**: External Target Organizations Affected by this Attack
|
* **target-external**: External Target Organizations Affected by this Attack
|
||||||
* **btc**: Bitcoin Address
|
* **btc**: Bitcoin Address
|
||||||
* **iban**: International Bank Account Number
|
* **iban**: International Bank Account Number
|
||||||
* **bic**: Bank Identifier Code Number
|
* **bic**: Bank Identifier Code Number also known as SWIFT-BIC, SWIFT code or ISO 9362 code
|
||||||
* **bank-account-nr**: Bank account number without any routing number
|
* **bank-account-nr**: Bank account number without any routing number
|
||||||
* **aba-rtn**: ABA routing transit number
|
* **aba-rtn**: ABA routing transit number
|
||||||
* **bin**: Bank Identification Number
|
* **bin**: Bank Identification Number
|
||||||
* **cc-number**: Credit-Card Number
|
* **cc-number**: Credit-Card Number
|
||||||
* **prtn**: Premium-Rate Telephone Number
|
* **prtn**: Premium-Rate Telephone Number
|
||||||
|
* **phone-number**: Telephone Number
|
||||||
* **threat-actor**: A string identifying the threat actor
|
* **threat-actor**: A string identifying the threat actor
|
||||||
* **campaign-name**: Associated campaign name
|
* **campaign-name**: Associated campaign name
|
||||||
* **campaign-id**: Associated campaign ID
|
* **campaign-id**: Associated campaign ID
|
||||||
|
@ -485,6 +552,7 @@
|
||||||
* **ssdeep**: You are encouraged to use filename|ssdeep instead. A checksum in the SSDeep format, only use this if you don't know the correct filename
|
* **ssdeep**: You are encouraged to use filename|ssdeep instead. A checksum in the SSDeep format, only use this if you don't know the correct filename
|
||||||
* **imphash**: You are encouraged to use filename|imphash instead. A hash created based on the imports in the sample, only use this if you don't know the correct filename
|
* **imphash**: You are encouraged to use filename|imphash instead. A hash created based on the imports in the sample, only use this if you don't know the correct filename
|
||||||
* **pehash**: PEhash - a hash calculated based of certain pieces of a PE executable file
|
* **pehash**: PEhash - a hash calculated based of certain pieces of a PE executable file
|
||||||
|
* **impfuzzy**: You are encouraged to use filename|impfuzzy instead. A fuzzy hash created based on the imports in the sample, only use this if you don't know the correct filename
|
||||||
* **sha224**: You are encouraged to use filename|sha224 instead. A checksum in sha224 format, only use this if you don't know the correct filename
|
* **sha224**: You are encouraged to use filename|sha224 instead. A checksum in sha224 format, only use this if you don't know the correct filename
|
||||||
* **sha384**: You are encouraged to use filename|sha384 instead. A checksum in sha384 format, only use this if you don't know the correct filename
|
* **sha384**: You are encouraged to use filename|sha384 instead. A checksum in sha384 format, only use this if you don't know the correct filename
|
||||||
* **sha512**: You are encouraged to use filename|sha512 instead. A checksum in sha512 format, only use this if you don't know the correct filename
|
* **sha512**: You are encouraged to use filename|sha512 instead. A checksum in sha512 format, only use this if you don't know the correct filename
|
||||||
|
@ -494,6 +562,7 @@
|
||||||
* **filename|authentihash**: A checksum in md5 format
|
* **filename|authentihash**: A checksum in md5 format
|
||||||
* **filename|ssdeep**: A checksum in ssdeep format
|
* **filename|ssdeep**: A checksum in ssdeep format
|
||||||
* **filename|imphash**: Import hash - a hash created based on the imports in the sample.
|
* **filename|imphash**: Import hash - a hash created based on the imports in the sample.
|
||||||
|
* **filename|impfuzzy**: Import fuzzy hash - a fuzzy hash created based on the imports in the sample.
|
||||||
* **filename|pehash**: A filename and a PEhash separated by a |
|
* **filename|pehash**: A filename and a PEhash separated by a |
|
||||||
* **filename|sha224**: A filename and a sha-224 hash separated by a |
|
* **filename|sha224**: A filename and a sha-224 hash separated by a |
|
||||||
* **filename|sha384**: A filename and a sha-384 hash separated by a |
|
* **filename|sha384**: A filename and a sha-384 hash separated by a |
|
||||||
|
@ -507,9 +576,12 @@
|
||||||
* **whois-registrant-email**: The e-mail of a domain's registrant, obtained from the WHOIS information.
|
* **whois-registrant-email**: The e-mail of a domain's registrant, obtained from the WHOIS information.
|
||||||
* **whois-registrant-phone**: The phone number of a domain's registrant, obtained from the WHOIS information.
|
* **whois-registrant-phone**: The phone number of a domain's registrant, obtained from the WHOIS information.
|
||||||
* **whois-registrant-name**: The name of a domain's registrant, obtained from the WHOIS information.
|
* **whois-registrant-name**: The name of a domain's registrant, obtained from the WHOIS information.
|
||||||
|
* **whois-registrant-org**: The org of a domain's registrant, obtained from the WHOIS information.
|
||||||
* **whois-registrar**: The registrar of the domain, obtained from the WHOIS information.
|
* **whois-registrar**: The registrar of the domain, obtained from the WHOIS information.
|
||||||
* **whois-creation-date**: The date of domain's creation, obtained from the WHOIS information.
|
* **whois-creation-date**: The date of domain's creation, obtained from the WHOIS information.
|
||||||
* **x509-fingerprint-sha1**: X509 fingerprint in SHA-1 format
|
* **x509-fingerprint-sha1**: X509 fingerprint in SHA-1 format
|
||||||
|
* **x509-fingerprint-md5**: X509 fingerprint in MD5 format
|
||||||
|
* **x509-fingerprint-sha256**: X509 fingerprint in SHA-256 format
|
||||||
* **dns-soa-email**: RFC1035 mandates that DNS zones should have a SOA (Statement Of Authority) record that contains an email address where a PoC for the domain could be contacted. This can sometimes be used for attribution/linkage between different domains even if protected by whois privacy
|
* **dns-soa-email**: RFC1035 mandates that DNS zones should have a SOA (Statement Of Authority) record that contains an email address where a PoC for the domain could be contacted. This can sometimes be used for attribution/linkage between different domains even if protected by whois privacy
|
||||||
* **size-in-bytes**: Size expressed in bytes
|
* **size-in-bytes**: Size expressed in bytes
|
||||||
* **counter**: An integer counter, generally to be used in objects
|
* **counter**: An integer counter, generally to be used in objects
|
||||||
|
@ -519,6 +591,8 @@
|
||||||
* **ip-dst|port**: IP destination and port number seperated by a |
|
* **ip-dst|port**: IP destination and port number seperated by a |
|
||||||
* **ip-src|port**: IP source and port number seperated by a |
|
* **ip-src|port**: IP source and port number seperated by a |
|
||||||
* **hostname|port**: Hostname and port number seperated by a |
|
* **hostname|port**: Hostname and port number seperated by a |
|
||||||
|
* **mac-address**: Mac address
|
||||||
|
* **mac-eui-64**: Mac EUI-64 address
|
||||||
* **email-dst-display-name**: Email destination display name
|
* **email-dst-display-name**: Email destination display name
|
||||||
* **email-src-display-name**: Email source display name
|
* **email-src-display-name**: Email source display name
|
||||||
* **email-header**: Email header
|
* **email-header**: Email header
|
||||||
|
@ -526,7 +600,7 @@
|
||||||
* **email-x-mailer**: Email x-mailer header
|
* **email-x-mailer**: Email x-mailer header
|
||||||
* **email-mime-boundary**: The email mime boundary separating parts in a multipart email
|
* **email-mime-boundary**: The email mime boundary separating parts in a multipart email
|
||||||
* **email-thread-index**: The email thread index header
|
* **email-thread-index**: The email thread index header
|
||||||
* **email-message-id**:
|
* **email-message-id**: The email message ID
|
||||||
* **github-username**: A github user name
|
* **github-username**: A github user name
|
||||||
* **github-repository**: A github repository
|
* **github-repository**: A github repository
|
||||||
* **github-organisation**: A github organisation
|
* **github-organisation**: A github organisation
|
||||||
|
@ -556,4 +630,6 @@
|
||||||
* **place-port-of-onward-foreign-destination**: A Port where the passenger is transiting to
|
* **place-port-of-onward-foreign-destination**: A Port where the passenger is transiting to
|
||||||
* **passenger-name-record-locator-number**: The Passenger Name Record Locator is a key under which the reservation for a trip is stored in the system. The PNR contains, among other data, the name, flight segments and address of the passenger. It is defined by a combination of five or six letters and numbers.
|
* **passenger-name-record-locator-number**: The Passenger Name Record Locator is a key under which the reservation for a trip is stored in the system. The PNR contains, among other data, the name, flight segments and address of the passenger. It is defined by a combination of five or six letters and numbers.
|
||||||
* **mobile-application-id**: The application id of a mobile application
|
* **mobile-application-id**: The application id of a mobile application
|
||||||
|
* **cortex**: Cortex analysis result
|
||||||
|
* **boolean**: Boolean value - to be used in objects
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue