misp-objects/objects/attacker-infra/definition.json

327 lines
8.0 KiB
JSON
Raw Normal View History

{
"attributes": {
"architecture": {
"categories": [
"External analysis"
],
"description": "The CPU architecture of the beacon. Either x86 or x64",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"asn": {
"categories": [
"Network activity"
],
"description": "ASN where the IP resides",
"misp-attribute": "AS",
"ui-priority": 0
},
"beacon_host": {
"categories": [
"External analysis"
],
"description": "C2 of the beacon IP/hostname. (often matches the host that was scanned)",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"beacon_http_get": {
"categories": [
"External analysis"
],
"description": "Path that the beacon uses for the GET method",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"beacon_http_post": {
"categories": [
"External analysis"
],
"description": "Path that the beacon uses for the POST method",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"beacon_type": {
"categories": [
"External analysis"
],
"description": "Protocol that the beacon speaks. Usually HTTP",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"binary_md5": {
"categories": [
"Payload delivery"
],
"description": "MD5 of the PE binary",
"disable_correlation": true,
"misp-attribute": "md5",
"multiple": true,
"ui-priority": 0
},
"binary_sha1": {
"categories": [
"Payload delivery"
],
"description": "SHA1 of the PE binary",
"disable_correlation": true,
"misp-attribute": "sha1",
"multiple": true,
"ui-priority": 0
},
"binary_sha256": {
"categories": [
"Payload delivery"
],
"description": "SHA256 of the PE binary",
"disable_correlation": true,
"misp-attribute": "sha256",
"multiple": true,
"ui-priority": 0
},
"city": {
"categories": [
"Other"
],
"description": "City location of the IP in question",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"config_md5": {
"categories": [
"External analysis"
],
"description": "MD5 of the config file",
"disable_correlation": true,
"misp-attribute": "md5",
"multiple": true,
"ui-priority": 0
},
"config_sha1": {
"categories": [
"External analysis"
],
"description": "SHA1 of the config file",
"disable_correlation": true,
"misp-attribute": "sha1",
"multiple": true,
"ui-priority": 0
},
"config_sha256": {
"categories": [
"External analysis"
],
"description": "SHA256 of the config file",
"disable_correlation": true,
"misp-attribute": "sha256",
"multiple": true,
"ui-priority": 0
},
"content_length": {
"categories": [
"Other"
],
"description": "The length of the response body in octets",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"content_type": {
"categories": [
"Other"
],
"description": "The MIME type of the body of the request",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"encoded_data": {
"categories": [
"Other"
],
"description": "Base64 encoded config file",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"encoded_length": {
"categories": [
"Other"
],
"description": "Length of the base64 decoded raw config",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"geo": {
"categories": [
"Other"
],
"description": "Country location of the IP",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"hostname": {
"categories": [
"Network activity"
],
"description": "Reverse DNS name of the device in question",
"misp-attribute": "text",
"ui-priority": 0
},
"hostname_source": {
"categories": [
"Other"
],
"description": "Source of the hostname field contents",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"http": {
"categories": [
"Network activity"
],
"description": "HTTP version in used in response, e.g HTTP/1.1",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"http_code": {
"categories": [
"Network activity"
],
"description": "HTTP Response code: e.g., 200, 401, 404",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"http_url": {
"categories": [
"Network activity"
],
"description": "URL used to illicit the server response",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"ip": {
"categories": [
"Network activity"
],
"description": "IP of the of the URL",
"misp-attribute": "ip-src",
"multiple": true,
"ui-priority": 0
},
"license_id": {
"categories": [
"External analysis"
],
"description": "The license number",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"naics": {
"categories": [
"Other"
],
"description": "North American Industry Classification System Code",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"port": {
"categories": [
"Network activity"
],
"description": "Port that the response came from",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"protocol": {
"categories": [
"Network activity"
],
"description": "Protocol the response came in on",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"region": {
"categories": [
"Other"
],
"description": "State / Province / Administrative region where the device in question resides",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"sector": {
"categories": [
"Other"
],
"description": "Sector of the device in question",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"severity": {
"categories": [
"Other"
],
"description": "Severity of the event",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"tag": {
"categories": [
"Other"
],
"description": "Attribute tags",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"timestamp": {
"description": "Time that the IP was probed in UTC+0",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
}
},
"description": "Attacker Infrastructure",
"meta-category": "misc",
"name": "attacker-infra",
"required": [
"ip",
"port"
],
"uuid": "0211496c-dbcf-465b-a147-3d965da016cd",
"version": 2
}