From 1e14201fc03dd93a78e645a478be5c842be2097c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 19 Jan 2021 15:38:31 +0100
Subject: [PATCH 01/17] chg: Update objects to match lief output for authenticode
---
 .../authenticode-signerinfo/definition.json | 25 ++++++++++++++++---
 objects/pe/definition.json | 7 +++++-
 2 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/objects/authenticode-signerinfo/definition.json b/objects/authenticode-signerinfo/definition.json
index 64d6070..4681592 100644
--- a/objects/authenticode-signerinfo/definition.json
+++ b/objects/authenticode-signerinfo/definition.json
@@ -5,8 +5,20 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "digest-base64": {
+ "description": "Signature created by the signing certificate’s private key",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "digest_algorithm": {
- "description": "Digest algorithm",
+ "description": "Algorithm used to hash the file.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "encryption_algorithm": {
+ "description": "Algorithm used to encrypt the digest",
 "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 0
@@ -22,6 +34,12 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "serial-number": {
+ "description": "Serial number of the certificate",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "signature_algorithm": {
 "description": "Signature algorithm",
 "disable_correlation": true,
@@ -55,8 +73,9 @@
 "name": "authenticode-signerinfo",
 "requiredOneOf": [
 "url",
- "program-name"
+ "program-name",
+ "issuer"
 ],
 "uuid": "965cb0aa-baf1-4cc6-9070-68f5c1698c1e",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
diff --git a/objects/pe/definition.json b/objects/pe/definition.json
index fba3a8d..ae89b65 100644
--- a/objects/pe/definition.json
+++ b/objects/pe/definition.json
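Review bot: `digest-base64` is described as "Signature created by the signing certificate's private key" while its name says digest, and it breaks the naming scheme of its siblings (`digest_algorithm`, `encryption_algorithm`, `signature_algorithm` use underscores, the two new keys `digest-base64` and `serial-number` use hyphens), so a producer mapping LIEF fields onto this template has to guess which value lands where. If the value is LIEF's encrypted digest, i.e. the PKCS#7 signature value rather than the hash itself, say so: `"description": "Base64-encoded encrypted digest, i.e. the PKCS#7 signature value produced with the signing certificate's private key"`. It is also worth settling on one separator for the new keys before this version ships, since renaming later costs another template version.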
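Review bot: `serial-number` is added with `"disable_correlation": true`, yet a code-signing certificate's serial number is one of the main pivots for tracking an abused or stolen signing certificate across samples, so disabling correlation discards the most useful property of the field. Unless the intent was to avoid noise from trivial or reused serials, I would drop that line and keep only `"description": "Serial number of the signing certificate (unique only together with the issuer)"`, `"misp-attribute": "text"`, `"ui-priority": 0`. Serial numbers are only unique per issuer; the `requiredOneOf` change later in this patch refers to an `issuer` attribute, but its definition is not visible in the hunk, so pairing the two for correlation is something to confirm against the rest of the template.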
@@ -1,5 +1,10 @@
 {
 "attributes": {
+ "authentihash": {
+ "description": "Authenticode executable signature hash (sha256)",
+ "misp-attribute": "authentihash",
+ "ui-priority": 1
+ },
 "company-name": {
 "description": "CompanyName in the resources",
 "disable_correlation": true,
@@ -131,5 +136,5 @@
 "impfuzzy"
 ],
 "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
- "version": 6
+ "version": 7
 }
\ No newline at end of file
From ca247d8c2ad6060bef8e10e33145e1019fde6241 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 26 Jan 2021 10:27:35 +0100
Subject: [PATCH 02/17] new: [telegram-user] basic telegram user
Ref: https://core.telegram.org/constructor/user More could be added in the future
---
 objects/telegram-account/definition.json | 43 ++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 objects/telegram-account/definition.json
diff --git a/objects/telegram-account/definition.json b/objects/telegram-account/definition.json
new file mode 100644
index 0000000..30597ad
--- /dev/null
+++ b/objects/telegram-account/definition.json
@@ -0,0 +1,43 @@
+{
+ "attributes": {
+ "phone": {
+ "description": "Phone associated with the telegram user",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "first_name": {
+ "description": "First name",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "last_name": {
+ "description": "Last name",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "id": {
+ "description": "Telegram user identifier",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "verified": {
+ "description": "Verified",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "username": {
+ "description": "Telegram username",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "Information related to a telegram account",
+ "meta-category": "misc",
+ "name": "telegram-account",
+ "requiredOneOf": [
+ "username"
+ ],
+ "uuid": "06f02ecf-5afb-42c5-9cb0-b362e222f52c",
+ "version": 1
+}
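Review bot: The `authentihash` description pins the algorithm to sha256, but an Authenticode hash is computed with whatever digest algorithm the signer used, which is exactly why this same patch adds `digest_algorithm` to `authenticode-signerinfo`; a sha1 authentihash from an older binary stored here would contradict its own description, and the `authentihash` attribute type does not fix the algorithm either. Either document the real contract, e.g. `"description": "Authenticode hash of the executable, computed with the signer's digest algorithm (see digest_algorithm in authenticode-signerinfo; typically sha256)"`, or state explicitly that only the sha256 variant belongs in this attribute if that is what the LIEF-based producer emits. Correlation is left enabled on this attribute, which is right for a hash that pivots across re-signed builds.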
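Review bot: `verified` is typed as free `text` with the one-word description "Verified", but in the Telegram `user` constructor the commit references it is, as far as I recall, a flag, so producers will end up storing `true`, `1` or `yes` inconsistently and the value cannot be filtered on reliably; MISP has a `boolean` attribute type for this, so `"misp-attribute": "boolean"` with `"description": "Whether Telegram marks the account as verified"` would be the right shape. `phone` is likewise stored as `text` although the `phone-number` attribute type exists and would let the value correlate with phone numbers captured by other templates. The `id` attribute as `text` is fine since Telegram user identifiers are opaque, but its description could say that it is the numeric Telegram user id rather than the username to avoid the two being mixed up.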
From eedcc2d5af83e044fac806108d6c70095e5c7343 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 26 Jan 2021 10:30:30 +0100
Subject: [PATCH 03/17] chg: [telegram-account] fixes
---
 objects/telegram-account/definition.json | 28 ++++++++++++------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/objects/telegram-account/definition.json b/objects/telegram-account/definition.json
index 30597ad..cb09482 100644
--- a/objects/telegram-account/definition.json
+++ b/objects/telegram-account/definition.json
@@ -1,35 +1,35 @@
 {
 "attributes": {
- "phone": {
- "description": "Phone associated with the telegram user",
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 1
- },
 "first_name": {
 "description": "First name",
 "misp-attribute": "text",
 "ui-priority": 1
 },
- "last_name": {
- "description": "Last name",
- "misp-attribute": "text",
- "ui-priority": 1
- },
 "id": {
 "description": "Telegram user identifier",
 "misp-attribute": "text",
 "ui-priority": 1
 },
- "verified": {
- "description": "Verified",
+ "last_name": {
+ "description": "Last name",
 "misp-attribute": "text",
 "ui-priority": 1
 },
+ "phone": {
+ "description": "Phone associated with the telegram user",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
 "username": {
 "description": "Telegram username",
 "misp-attribute": "text",
 "ui-priority": 1
+ },
+ "verified": {
+ "description": "Verified",
+ "misp-attribute": "text",
+ "ui-priority": 1
 }
 },
 "description": "Information related to a telegram account",
@@ -40,4 +40,4 @@
 ],
 "uuid": "06f02ecf-5afb-42c5-9cb0-b362e222f52c",
 "version": 1
-}
+}
\ No newline at end of file
From 4f50074ba7957895a29d06e1200322cc32fc84f8 Mon Sep 17 00:00:00 2001
From: Terrtia
Date: Tue, 26 Jan 2021 11:39:22 +0100
Subject: [PATCH 04/17] chg: [telegram-account] required attributes
---
 objects/telegram-account/definition.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/objects/telegram-account/definition.json b/objects/telegram-account/definition.json
index cb09482..b485d46 100644
--- a/objects/telegram-account/definition.json
+++ b/objects/telegram-account/definition.json
@@ -36,8 +36,10 @@
 "meta-category": "misc",
 "name": "telegram-account",
 "requiredOneOf": [
+ "id",
+ "phone",
 "username"
 ],
 "uuid": "06f02ecf-5afb-42c5-9cb0-b362e222f52c",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
From 82c217781f2fe82bc25561440a26b8ea98db8da0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 2 Feb 2021 11:39:37 +0100
Subject: [PATCH 05/17] chg: allow multiple IPs in URL object
---
 objects/url/definition.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/url/definition.json b/objects/url/definition.json
index b456cc0..0276e23 100644
--- a/objects/url/definition.json
+++ b/objects/url/definition.json
@@ -35,6 +35,7 @@
 "ip": {
 "description": "Better type when the host is an IP.",
 "misp-attribute": "ip-dst",
+ "multiple": true,
 "ui-priority": 0
 },
 "last-seen": {
@@ -105,5 +106,5 @@
 "resource_path"
 ],
 "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
- "version": 8
-}
\ No newline at end of file
+ "version": 9
+}
From 160c39d91e304b929227db40dcf32730db34db88 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 2 Feb 2021 11:57:41 +0100
Subject: [PATCH 06/17] chg: [url] jq all the things
---
 objects/url/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/url/definition.json b/objects/url/definition.json
index 0276e23..9795574 100644
--- a/objects/url/definition.json
+++ b/objects/url/definition.json
@@ -107,4 +107,4 @@
 ],
 "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
 "version": 9
-}
+}
\ No newline at end of file
From 0756f2d43f8ac974fbdee5d128a55d431800e1f2 Mon Sep 17 00:00:00 2001
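Review bot: With `"multiple": true` on `ip`, the existing description "Better type when the host is an IP." no longer matches how the attribute will be used: a URL has exactly one host, so several values only make sense if the field now carries the addresses the host resolved to, which is a different fact from "the host is an IP literal" and matters when analysts use the values for blocking or pivoting. State which of the two it is, e.g. `"description": "IP address(es) the host resolves to, or the host itself when the URL uses an IP literal."`. If resolution results are intended, it is worth checking whether correlation on this attribute stays useful once shared-hosting or CDN addresses start appearing in bulk; I cannot tell from the hunk whether `disable_correlation` is set elsewhere in the template.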
From: Alexandre Dulaunoy
Date: Tue, 2 Feb 2021 12:26:08 +0100
Subject: [PATCH 07/17] chg: [relationships] writes added
---
 relationships/definition.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 6a3c49a..ff5e8ed 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1018,6 +1018,13 @@
 ],
 "name": "extends"
 },
+ {
+ "description": "Reprensents an object which writes towards another object or attribute",
+ "format": [
+ "misp"
+ ],
+ "name": "writes"
+ },
 {
 "description": "Represents the semantic link of an asn object being ranked with a bgp-ranking object",
 "format": [
@@ -1117,5 +1124,5 @@
 "name": "doxed-by"
 }
 ],
- "version": 21
-}
\ No newline at end of file
+ "version": 22
+}
From 4b9f12c64467613ff8f8d67209345039b7acdd6e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 2 Feb 2021 12:29:31 +0100
Subject: [PATCH 08/17] chg: [relationships] updated
---
 relationships/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index ff5e8ed..8613d03 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1125,4 +1125,4 @@
 }
 ],
 "version": 22
-}
+}
\ No newline at end of file
From 625684684ab482ad98f9807cc67f33fb6f8bdeff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 2 Feb 2021 15:25:13 +0100
Subject: [PATCH 09/17] chg: Disable correlation in VT objects
---
 objects/virustotal-report/definition.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/objects/virustotal-report/definition.json b/objects/virustotal-report/definition.json
index 0a85f4c..d7b0e09 100644
--- a/objects/virustotal-report/definition.json
+++ b/objects/virustotal-report/definition.json
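Review bot: The description of the new `writes` relationship carries a typo, `Reprensents`, which will be shown verbatim in the MISP relationship picker and in every export of this list; change it to `"description": "Represents an object which writes towards another object or attribute"`. While touching it, "writes to" reads more naturally than "writes towards" and, as the neighbouring `bgp-ranking` entry does, it helps to name the direction explicitly (the source object is the writer, the referenced object or attribute is what gets written).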
@@ -6,6 +6,7 @@
 ],
 "description": "Comment related to this hash",
 "misp-attribute": "text",
+ "disable_correlation": true,
 "multiple": true,
 "ui-priority": 2
 },
@@ -33,6 +34,7 @@
 ],
 "description": "First Submission",
 "misp-attribute": "datetime",
+ "disable_correlation": true,
 "ui-priority": 0
 },
 "last-submission": {
@@ -41,6 +43,7 @@
 ],
 "description": "Last Submission",
 "misp-attribute": "datetime",
+ "disable_correlation": true,
 "ui-priority": 0
 },
 "permalink": {
@@ -49,6 +52,7 @@
 ],
 "description": "Permalink Reference",
 "misp-attribute": "link",
+ "disable_correlation": true,
 "ui-priority": 2
 }
 },
@@ -59,5 +63,5 @@
 "permalink"
 ],
 "uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
- "version": 3
-}
\ No newline at end of file
+ "version": 4
+}
From 3d3d40e6c05c066b8be847198d9b22e31948782a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 2 Feb 2021 15:31:00 +0100
Subject: [PATCH 10/17] fix: keys order in VT object
---
 objects/virustotal-report/definition.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/objects/virustotal-report/definition.json b/objects/virustotal-report/definition.json
index d7b0e09..b69e256 100644
--- a/objects/virustotal-report/definition.json
+++ b/objects/virustotal-report/definition.json
@@ -5,8 +5,8 @@
 "External analysis"
 ],
 "description": "Comment related to this hash",
- "misp-attribute": "text",
 "disable_correlation": true,
+ "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 2
 },
@@ -33,8 +33,8 @@
 "Other"
 ],
 "description": "First Submission",
- "misp-attribute": "datetime",
 "disable_correlation": true,
+ "misp-attribute": "datetime",
 "ui-priority": 0
 },
 "last-submission": {
@@ -42,8 +42,8 @@
 "Other"
 ],
 "description": "Last Submission",
- "misp-attribute": "datetime",
 "disable_correlation": true,
+ "misp-attribute": "datetime",
 "ui-priority": 0
 },
 "permalink": {
@@ -51,8 +51,8 @@
 "External analysis"
 ],
 "description": "Permalink Reference",
- "misp-attribute": "link",
 "disable_correlation": true,
+ "misp-attribute": "link",
 "ui-priority": 2
 }
 },
@@ -64,4 +64,4 @@
 ],
 "uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
 "version": 4
-}
+}
\ No newline at end of file
From 2b1c3532dccad651f960ff71defdbc422c40ef0c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 4 Feb 2021 11:03:01 +0100
Subject: [PATCH 11/17] chg: [report] add a link field to the report object template
---
 objects/report/definition.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/objects/report/definition.json b/objects/report/definition.json
index 316823f..ff9920b 100644
--- a/objects/report/definition.json
+++ b/objects/report/definition.json
@@ -9,6 +9,12 @@
 "misp-attribute": "text",
 "ui-priority": 1
 },
+ "link": {
+ "description": "Link to the report mentioned",
+ "misp-attribute": "link",
+ "multiple": true,
+ "ui-priority": 100
+ },
 "report-file(s)": {
 "description": "Attachment(s) that is related to the report",
 "misp-attribute": "attachment",
@@ -30,8 +36,9 @@
 "meta-category": "misc",
 "name": "report",
 "required": [
- "summary"
+ "summary",
+ "link"
 ],
 "uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
From 84df20e51f6c3ecbb47a370d25cd356a952589a2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 13 Feb 2021 17:01:44 +0100
Subject: [PATCH 12/17] new: [windows-service] windows-service object added
---
 objects/windows-service/definition.json | 92 +++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 objects/windows-service/definition.json
diff --git a/objects/windows-service/definition.json b/objects/windows-service/definition.json
new file mode 100644
index 0000000..f3e2cee
--- /dev/null
+++ b/objects/windows-service/definition.json
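Review bot: Adding `link` to `required` rather than `requiredOneOf` makes every report object invalid unless it carries both a `summary` and a `link`, so reports that only exist as an attachment in `report-file(s)` or that are internal can no longer be created, and producers still emitting version-1 objects with just a `summary` will fail validation against version 2. If the intent is "a report must point at something", keep `"required": ["summary"]` and list the link as an alternative, e.g. `"requiredOneOf": ["link", "report-file(s)"]` (whether this template already has a `requiredOneOf` block is not visible in the hunk). The `"ui-priority": 100` on the new attribute is also far outside the scale of 1 used by the attributes shown; if it is meant to sort the link first, a consistent scale or a note in the commit would help the next editor.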
@@ -0,0 +1,92 @@
+{
+ "attributes": {
+ "comment": {
+ "description": "Additional comments.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "display": {
+ "description": "Display name/information of the service.",
+ "misp-attribute": "windows-service-displayname",
+ "ui-priority": 0
+ },
+ "group": {
+ "description": "Group to which the system/driver belong to.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Base",
+ "Boot Bus Extender",
+ "Boot File System",
+ "Cryptography",
+ "Extended base",
+ "Event Log",
+ "Filter",
+ "FSFilter Bottom",
+ "FSFilter Infrastructure",
+ "File System",
+ "FSFilter Virtualization",
+ "Keyboard Port",
+ "Network",
+ "NDIS",
+ "Parallel arbitrator",
+ "Pointer Port",
+ "PnP Filter",
+ "ProfSvc_Group",
+ "PNP_TDI",
+ "SCSI Miniport",
+ "SCSI CDROM Class",
+ "System Bus Extender",
+ "Video Save",
+ "other"
+ ],
+ "ui-priority": 0
+ },
+ "image-path": {
+ "description": "Path of the service/drive",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "name": {
+ "description": "name of the service",
+ "misp-attribute": "windows-service-name",
+ "ui-priority": 0
+ },
+ "start": {
+ "description": "When the service/driver starts or executes.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Boot start",
+ "System start",
+ "Auto start",
+ "Manual",
+ "Disabled"
+ ],
+ "ui-priority": 0
+ },
+ "type": {
+ "description": "Service/driver type.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Kernel driver",
+ "File system driver",
+ "Own process",
+ "Share process",
+ "Interactive",
+ "Other"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "Windows service and detailed about a service running a Windows operating system",
+ "meta-category": "misc",
+ "name": "windows-service",
+ "required": [
+ "name"
+ ],
+ "uuid": "7598cc63-7ba3-4d0a-91c0-b875c6013035",
+ "version": 1
+}
\ No newline at end of file
From f3830e044a0b5555a36ec55eddcacdc004976af3 Mon Sep 17 00:00:00 2001
From: marcnil815 <33084026+marcnil815@users.noreply.github.com>
Date: Mon, 15 Feb 2021 14:13:17 +0100
Subject: [PATCH 13/17] Update definition.json
Added possibility for multiple searches in same object to accomodate using raw searches and datamodel searches.
---
 objects/splunk/definition.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/objects/splunk/definition.json b/objects/splunk/definition.json
index fb0c9cd..37f16b5 100644
--- a/objects/splunk/definition.json
+++ b/objects/splunk/definition.json
@@ -46,6 +46,7 @@
 "description": "Search / Correlation search",
 "disable_correlation": true,
 "misp-attribute": "text",
+ "multiple": true,
 "ui-priority": 0
 }
 },
@@ -57,4 +58,4 @@
 ],
 "uuid": "fd9b7bf8-df7b-4df9-bcd8-28591edcaab8",
 "version": 1
-}
\ No newline at end of file
+}
From cb73cfaf49272523daff700233196ce9f1e23ed8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 15 Feb 2021 14:43:44 +0100
Subject: [PATCH 14/17] chg: [splunk] object updated
---
 objects/splunk/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/splunk/definition.json b/objects/splunk/definition.json
index 37f16b5..e5a8e81 100644
--- a/objects/splunk/definition.json
+++ b/objects/splunk/definition.json
@@ -57,5 +57,5 @@
 "search"
 ],
 "uuid": "fd9b7bf8-df7b-4df9-bcd8-28591edcaab8",
- "version": 1
+ "version": 2
 }
From 36994fda1ef423e6141d2a3582fed3e6219dbf59 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 15 Feb 2021 15:10:20 +0100
Subject: [PATCH 15/17] fix: [splunk] fixed
---
 objects/splunk/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/splunk/definition.json b/objects/splunk/definition.json
index e5a8e81..db96a6b 100644
--- a/objects/splunk/definition.json
+++ b/objects/splunk/definition.json
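Review bot: The object-level description `Windows service and detailed about a service running a Windows operating system` is not a sentence, and it is the text users see when choosing this template; something like `"description": "A Windows service or kernel driver and its Service Control Manager configuration (image path, start type, load-order group, service type)"` says what the attributes actually model. Two attribute descriptions in the same hunk need the same care: `image-path` reads "Path of the service/drive" (driver) and `group` reads "Group to which the system/driver belong to" (presumably service/driver, belongs). `image-path` is a plain `text` attribute with correlation left on, which is the right call since a service image path is a common persistence indicator, but ImagePath values frequently carry arguments, so the description should say whether the full registry value including arguments or only the binary path is expected — I cannot tell from this hunk what the producers emit.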
@@ -58,4 +58,4 @@
 ],
 "uuid": "fd9b7bf8-df7b-4df9-bcd8-28591edcaab8",
 "version": 2
-}
+}
\ No newline at end of file
From 016f9e58afe936c51702fda259ae5f248391fe03 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 19 Feb 2021 18:03:23 +0100
Subject: [PATCH 16/17] chg: [regexp] added Farsight Compatible Regular Expressions (FCRE) added
Ref: https://docs.dnsdb.info/dnsdb-fcre-reference-guide/#farsight-compatible-regular-expressions-fcre
---
 objects/regexp/definition.json | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/objects/regexp/definition.json b/objects/regexp/definition.json
index fc77bb0..741674a 100644
--- a/objects/regexp/definition.json
+++ b/objects/regexp/definition.json
@@ -19,7 +19,8 @@
 "PCRE",
 "PCRE2",
 "POSIX BRE",
- "POSIX ERE"
+ "POSIX ERE",
+ "FCRE (Farsight Compatible Regular Expressions)"
 ]
 },
 "type": {
@@ -51,5 +52,5 @@
 "regexp"
 ],
 "uuid": "ceffad66-71e5-4e20-9370-1b3fb694c648",
- "version": 4
-}
\ No newline at end of file
+ "version": 5
+}
From 4e011f24785f22ca3b98cb9a7248753ea0a02b7a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 19 Feb 2021 21:56:35 +0100
Subject: [PATCH 17/17] chg: [regexp] fixed
---
 objects/regexp/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/regexp/definition.json b/objects/regexp/definition.json
index 741674a..e566357 100644
--- a/objects/regexp/definition.json
+++ b/objects/regexp/definition.json
@@ -53,4 +53,4 @@
 ],
 "uuid": "ceffad66-71e5-4e20-9370-1b3fb694c648",
 "version": 5
-}
+}
\ No newline at end of file