"description":"SHA256 of associated (potentially malicious) payload, if downloaded from the URL",
"misp-attribute":"sha256",
"ui-priority":0
},
"source":{
"description":"Source of information, if public",
"disable_correlation":true,
"misp-attribute":"text",
"multiple":true,
"ui-priority":0
},
"tag":{
"description":"Array of tags associated with the URL if any. In this report typically it will be a CVE entry, for example CVE-2021-44228. This allows for better understanding of the URL context observed (ie. usage associated with a particular CVE).",
"disable_correlation":true,
"misp-attribute":"text",
"multiple":true,
"ui-priority":0
},
"timestamp":{
"description":"Timestamp of when the URL was seen (in the last 24 hours)",
"misp-attribute":"datetime",
"ui-priority":0
},
"url":{
"description":"URL that was extracted from an observed exploitation attempt, assumed to be carrying a malware payload",
"misp-attribute":"url",
"multiple":true,
"ui-priority":0
}
},
"description":"This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, it’s SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case they will often be IoT related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or in the case of a National CSIRT, your country. Ref: https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/",