misp-objects/objects/malware/definition.json

{
  "attributes": {
    "alias": {
      "description": "Alternative name used to identify this malware or malware family.",
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "architecture_execution_env": {
      "description": "The processor architecture that the malware instance or family is executable on.",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "sane_default": [
        "alpha",
        "arm",
        "ia-64",
        "mips",
        "powerpc",
        "sparc",
        "x86",
        "x86-64"
      ],
      "ui-priority": 0
    },
    "capability": {
      "description": "Any of the capabilities identified for the malware instance or family.",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "sane_default": [
        "accesses-remote-machines",
        "anti-debugging",
        "anti-disassembly",
        "anti-emulation",
        "anti-memory-forensics",
        "anti-sandbox",
        "anti-vm",
        "captures-input-peripherals",
        "captures-output-peripherals",
        "captures-system-state-data",
        "cleans-traces-of-infection",
        "commits-fraud",
        "communicates-with-c2",
        "compromises-data-availability",
        "compromises-data-integrity",
        "compromises-system-availability",
        "controls-local-machine",
        "degrades-security-software",
        "degrades-system-updates",
        "determines-c2-server",
        "emails-spam",
        "escalates-privileges",
        "evades-av",
        "exfiltrates-data",
        "fingerprints-host",
        "hides-artifacts",
        "hides-executing-code",
        "infects-files",
        "infects-remote-machines",
        "installs-other-components",
        "persists-after-system-reboot",
        "prevents-artifact-access",
        "prevents-artifact-deletion",
        "probes-network-environment",
        "self-modifies",
        "steals-authentication-credentials",
        "violates-system-operational-integrity"
      ],
      "ui-priority": 0
    },
    "description": {
      "description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "first_seen": {
      "description": "The time that the malware instance or family was first seen.",
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "implementation_language": {
      "description": "The programming language used to implement the malware instance or family.",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "sane_default": [
        "applescript",
        "bash",
        "c",
        "c++",
        "c#",
        "go",
        "java",
        "javascript",
        "lua",
        "objective-c",
        "perl",
        "php",
        "powershell",
        "python",
        "ruby",
        "scala",
        "swift",
        "typescript",
        "visual-basic",
        "x86-32",
        "x86-64"
      ],
      "ui-priority": 0
    },
    "is_family": {
      "description": "Defines whether the object represents a malware family or a malware instance.",
      "disable_correlation": true,
      "misp-attribute": "boolean",
      "ui-priority": 1
    },
    "last_seen": {
      "description": "The time that the malware family or malware instance was last seen.",
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "malware_type": {
      "description": "A set of categorizations for the malware being described.",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "sane_default": [
        "adware",
        "backdoor",
        "bot",
        "bootkit",
        "ddos",
        "downloader",
        "dropper",
        "exploit-kit",
        "keylogger",
        "ransomware",
        "remote-access-trojan",
        "resource-exploitation",
        "rogue-security-software",
        "rootkit",
        "screen-capture",
        "spyware",
        "trojan",
        "unknown",
        "virus",
        "webshell",
        "wiper",
        "worm"
      ],
      "ui-priority": 0
    },
    "name": {
      "description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
      "misp-attribute": "text",
      "ui-priority": 0
    }
  },
  "description": "Malware is a type of TTP that represents malicious code.",
  "meta-category": "misc",
  "name": "malware",
  "required": [
    "is_family"
  ],
  "uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
  "version": 1
}
add: [malware] New object template to describe a malware 2023-07-25 16:30:00 +02:00			`{`
			`"attributes": {`
			`"alias": {`
			`"description": "Alternative name used to identify this malware or malware family.",`
			`"misp-attribute": "text",`
			`"multiple": true,`
			`"ui-priority": 0`
			`},`
			`"architecture_execution_env": {`
			`"description": "The processor architecture that the malware instance or family is executable on.",`
			`"disable_correlation": true,`
			`"misp-attribute": "text",`
			`"multiple": true,`
			`"sane_default": [`
			`"alpha",`
			`"arm",`
			`"ia-64",`
			`"mips",`
			`"powerpc",`
			`"sparc",`
			`"x86",`
			`"x86-64"`
			`],`
			`"ui-priority": 0`
			`},`
			`"capability": {`
			`"description": "Any of the capabilities identified for the malware instance or family.",`
			`"disable_correlation": true,`
			`"misp-attribute": "text",`
			`"multiple": true,`
			`"sane_default": [`
			`"accesses-remote-machines",`
			`"anti-debugging",`
			`"anti-disassembly",`
			`"anti-emulation",`
			`"anti-memory-forensics",`
			`"anti-sandbox",`
			`"anti-vm",`
			`"captures-input-peripherals",`
			`"captures-output-peripherals",`
			`"captures-system-state-data",`
			`"cleans-traces-of-infection",`
			`"commits-fraud",`
			`"communicates-with-c2",`
			`"compromises-data-availability",`
			`"compromises-data-integrity",`
			`"compromises-system-availability",`
			`"controls-local-machine",`
			`"degrades-security-software",`
			`"degrades-system-updates",`
			`"determines-c2-server",`
			`"emails-spam",`
			`"escalates-privileges",`
			`"evades-av",`
			`"exfiltrates-data",`
			`"fingerprints-host",`
			`"hides-artifacts",`
			`"hides-executing-code",`
			`"infects-files",`
			`"infects-remote-machines",`
			`"installs-other-components",`
			`"persists-after-system-reboot",`
			`"prevents-artifact-access",`
			`"prevents-artifact-deletion",`
			`"probes-network-environment",`
			`"self-modifies",`
			`"steals-authentication-credentials",`
			`"violates-system-operational-integrity"`
			`],`
			`"ui-priority": 0`
			`},`
			`"description": {`
			`"description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",`
			`"misp-attribute": "text",`
			`"ui-priority": 0`
			`},`
			`"first_seen": {`
			`"description": "The time that the malware instance or family was first seen.",`
			`"misp-attribute": "datetime",`
			`"ui-priority": 0`
			`},`
			`"implementation_language": {`
			`"description": "The programming language used to implement the malware instance or family.",`
			`"disable_correlation": true,`
			`"misp-attribute": "text",`
			`"multiple": true,`
			`"sane_default": [`
			`"applescript",`
			`"bash",`
			`"c",`
			`"c++",`
			`"c#",`
			`"go",`
			`"java",`
			`"javascript",`
			`"lua",`
			`"objective-c",`
			`"perl",`
			`"php",`
			`"powershell",`
			`"python",`
			`"ruby",`
			`"scala",`
			`"swift",`
			`"typescript",`
			`"visual-basic",`
			`"x86-32",`
			`"x86-64"`
			`],`
			`"ui-priority": 0`
			`},`
			`"is_family": {`
			`"description": "Defines whether the object represents a malware family or a malware instance.",`
			`"disable_correlation": true,`
fix: [malware] Fixed `is_family` attribute type 2023-08-10 11:39:44 +02:00			`"misp-attribute": "boolean",`
add: [malware] New object template to describe a malware 2023-07-25 16:30:00 +02:00			`"ui-priority": 1`
			`},`
			`"last_seen": {`
			`"description": "The time that the malware family or malware instance was last seen.",`
			`"misp-attribute": "datetime",`
			`"ui-priority": 0`
			`},`
			`"malware_type": {`
			`"description": "A set of categorizations for the malware being described.",`
			`"disable_correlation": true,`
			`"misp-attribute": "text",`
			`"multiple": true,`
			`"sane_default": [`
			`"adware",`
			`"backdoor",`
			`"bot",`
			`"bootkit",`
			`"ddos",`
			`"downloader",`
			`"dropper",`
			`"exploit-kit",`
			`"keylogger",`
			`"ransomware",`
			`"remote-access-trojan",`
			`"resource-exploitation",`
			`"rogue-security-software",`
			`"rootkit",`
			`"screen-capture",`
			`"spyware",`
			`"trojan",`
			`"unknown",`
			`"virus",`
			`"webshell",`
			`"wiper",`
			`"worm"`
			`],`
			`"ui-priority": 0`
			`},`
			`"name": {`
			`"description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",`
			`"misp-attribute": "text",`
			`"ui-priority": 0`
			`}`
			`},`
			`"description": "Malware is a type of TTP that represents malicious code.",`
			`"meta-category": "misc",`
			`"name": "malware",`
			`"required": [`
			`"is_family"`
			`],`
			`"uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",`
			`"version": 1`
			`}`