mirror of https://github.com/MISP/misp-objects
327 lines
8.0 KiB
JSON
327 lines
8.0 KiB
JSON
|
{
|
||
|
"attributes": {
|
||
|
"architecture": {
|
||
|
"categories": [
|
||
|
"External analysis"
|
||
|
],
|
||
|
"description": "The CPU architecture of the beacon. Either x86 or x64",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"asn": {
|
||
|
"categories": [
|
||
|
"Network activity"
|
||
|
],
|
||
|
"description": "ASN where the IP resides",
|
||
|
"misp-attribute": "AS",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"beacon_host": {
|
||
|
"categories": [
|
||
|
"External analysis"
|
||
|
],
|
||
|
"description": "C2 of the beacon IP/hostname. (often matches the host that was scanned)",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"beacon_http_get": {
|
||
|
"categories": [
|
||
|
"External analysis"
|
||
|
],
|
||
|
"description": "Path that the beacon uses for the GET method",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"beacon_http_post": {
|
||
|
"categories": [
|
||
|
"External analysis"
|
||
|
],
|
||
|
"description": "Path that the beacon uses for the POST method",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"beacon_type": {
|
||
|
"categories": [
|
||
|
"External analysis"
|
||
|
],
|
||
|
"description": "Protocol that the beacon speaks. Usually HTTP",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"binary_md5": {
|
||
|
"categories": [
|
||
|
"Payload delivery"
|
||
|
],
|
||
|
"description": "MD5 of the PE binary",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "md5",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"binary_sha1": {
|
||
|
"categories": [
|
||
|
"Payload delivery"
|
||
|
],
|
||
|
"description": "SHA1 of the PE binary",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "sha1",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"binary_sha256": {
|
||
|
"categories": [
|
||
|
"Payload delivery"
|
||
|
],
|
||
|
"description": "SHA256 of the PE binary",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "sha256",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"city": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "City location of the IP in question",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"config_md5": {
|
||
|
"categories": [
|
||
|
"External analysis"
|
||
|
],
|
||
|
"description": "MD5 of the config file",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "md5",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"config_sha1": {
|
||
|
"categories": [
|
||
|
"External analysis"
|
||
|
],
|
||
|
"description": "SHA1 of the config file",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "sha1",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"config_sha256": {
|
||
|
"categories": [
|
||
|
"External analysis"
|
||
|
],
|
||
|
"description": "SHA256 of the config file",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "sha256",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"content_length": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "The length of the response body in octets",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"content_type": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "The MIME type of the body of the request",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"encoded_data": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "Base64 encoded config file",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"encoded_length": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "Length of the base64 decoded raw config",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"geo": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "Country location of the IP",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"hostname": {
|
||
|
"categories": [
|
||
|
"Network activity"
|
||
|
],
|
||
|
"description": "Reverse DNS name of the device in question",
|
||
|
"misp-attribute": "text",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"hostname_source": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "Source of the hostname field contents",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"http": {
|
||
|
"categories": [
|
||
|
"Network activity"
|
||
|
],
|
||
|
"description": "HTTP version in used in response, e.g HTTP/1.1",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"http_code": {
|
||
|
"categories": [
|
||
|
"Network activity"
|
||
|
],
|
||
|
"description": "HTTP Response code: e.g., 200, 401, 404",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"http_url": {
|
||
|
"categories": [
|
||
|
"Network activity"
|
||
|
],
|
||
|
"description": "URL used to illicit the server response",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"ip": {
|
||
|
"categories": [
|
||
|
"Network activity"
|
||
|
],
|
||
|
"description": "IP of the of the URL",
|
||
|
"misp-attribute": "ip-src",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"license_id": {
|
||
|
"categories": [
|
||
|
"External analysis"
|
||
|
],
|
||
|
"description": "The license number",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"naics": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "North American Industry Classification System Code",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"port": {
|
||
|
"categories": [
|
||
|
"Network activity"
|
||
|
],
|
||
|
"description": "Port that the response came from",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"protocol": {
|
||
|
"categories": [
|
||
|
"Network activity"
|
||
|
],
|
||
|
"description": "Protocol the response came in on",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"region": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "State / Province / Administrative region where the device in question resides",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"sector": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "Sector of the device in question",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"severity": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "Severity of the event",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "text",
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"tag": {
|
||
|
"categories": [
|
||
|
"Other"
|
||
|
],
|
||
|
"description": "Attribute tags",
|
||
|
"misp-attribute": "text",
|
||
|
"multiple": true,
|
||
|
"ui-priority": 0
|
||
|
},
|
||
|
"timestamp": {
|
||
|
"description": "Time that the IP was probed in UTC+0",
|
||
|
"disable_correlation": true,
|
||
|
"misp-attribute": "datetime",
|
||
|
"ui-priority": 0
|
||
|
}
|
||
|
},
|
||
|
"description": "Attacker Infrastructure",
|
||
|
"meta-category": "misc",
|
||
|
"name": "attacker-infra",
|
||
|
"required": [
|
||
|
"ip",
|
||
|
"port"
|
||
|
],
|
||
|
"uuid": "0211496c-dbcf-465b-a147-3d965da016cd",
|
||
|
"version": 2
|
||
|
}
|