Chg: Jq'ed all the objects

pull/118/head
aksha 2018-10-25 12:39:48 +01:00
parent 478dc899f2
commit 1cedea6506
22 changed files with 1470 additions and 1490 deletions


@ -1,84 +1,84 @@
{
"required": [
"message-type",
"message"
],
"attributes": {
"message-type": {
"description": "the type of message extracted from the forensic-evidence.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default":[
"SMS",
"MMS",
"Instant Message (IM)",
"Voice Message"
],
"disable_correlation": true
},
"datetime-sent": {
"description": "date and the time when the message was sent.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"datetime-received": {
"description": "date and time when the message was received.",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"Source": {
"description": "Source of the message.(Contact details)",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"destination": {
"description": "Destination of the message.(Contact details)",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"app-used": {
"description": "Application used to send the message.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"subject": {
"description": "Subject of the message if any.",
"ui-priority": 0,
"misp-attribute": "text"
},
"message": {
"description": "Message exchanged.",
"ui-priority": 0,
"misp-attribute": "text"
},
"attachments": {
"description": "External references",
"multiple": true,
"ui-priority": 0,
"categories": [
"External analysis"
],
"misp-attribute": "link"
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.",
"meta-category": "misc",
"uuid": "6b71f231-c502-467f-bc67-1423cd5bf800",
"name": "TSK-Chats"
}
{
"required": [
"message-type",
"message"
],
"attributes": {
"message-type": {
"description": "the type of message extracted from the forensic-evidence.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"SMS",
"MMS",
"Instant Message (IM)",
"Voice Message"
],
"disable_correlation": true
},
"datetime-sent": {
"description": "date and the time when the message was sent.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"datetime-received": {
"description": "date and time when the message was received.",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"Source": {
"description": "Source of the message.(Contact details)",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"destination": {
"description": "Destination of the message.(Contact details)",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"app-used": {
"description": "Application used to send the message.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"subject": {
"description": "Subject of the message if any.",
"ui-priority": 0,
"misp-attribute": "text"
},
"message": {
"description": "Message exchanged.",
"ui-priority": 0,
"misp-attribute": "text"
},
"attachments": {
"description": "External references",
"multiple": true,
"ui-priority": 0,
"categories": [
"External analysis"
],
"misp-attribute": "link"
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.",
"meta-category": "misc",
"uuid": "6b71f231-c502-467f-bc67-1423cd5bf800",
"name": "TSK-Chats"
}


@ -1,67 +1,67 @@
{
"required": [
"URL"
],
"attributes": {
"URL": {
"description": "The URL saved as bookmark.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-bookmarked": {
"description": "date and time when the URL was added to favorites.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"name": {
"description": "Book mark name. ",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"title": {
"description": "Title of the web page",
"ui-priority": 0,
"misp-attribute": "text"
},
"browser": {
"description": "Browser used to access the URL.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"disable_correlation": true
},
"domain-name": {
"description": "Domain of the URL.",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-ip": {
"description": "IP of the URL domain.",
"ui-priority": 0,
"misp-attribute": "ip-src"
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.",
"meta-category": "misc",
"uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373",
"name": "TSK-Web-Bookmark"
}
{
"required": [
"URL"
],
"attributes": {
"URL": {
"description": "The URL saved as bookmark.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-bookmarked": {
"description": "date and time when the URL was added to favorites.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"name": {
"description": "Book mark name. ",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"title": {
"description": "Title of the web page",
"ui-priority": 0,
"misp-attribute": "text"
},
"browser": {
"description": "Browser used to access the URL.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"disable_correlation": true
},
"domain-name": {
"description": "Domain of the URL.",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-ip": {
"description": "IP of the URL domain.",
"ui-priority": 0,
"misp-attribute": "ip-src"
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.",
"meta-category": "misc",
"uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373",
"name": "TSK-Web-Bookmark"
}


@ -1,67 +1,67 @@
{
"required": [
"URL",
"name",
"value"
],
"attributes": {
"URL": {
"description": "The website URL that created the cookie.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-created": {
"description": "date and time when the cookie was created.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"name": {
"description": "Name of the cookie ",
"ui-priority": 0,
"misp-attribute": "text"
},
"value": {
"description": "Value assigned to the cookie.",
"ui-priority": 0,
"misp-attribute": "text"
},
"browser": {
"description": "Browser on which the cookie was created.",
"ui-priority": 0,
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"misp-attribute": "text"
},
"domain-name": {
"description": "Domain of the URL that created the cookie.",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-ip": {
"description": "IP of the domain that created the URL.",
"ui-priority": 0,
"misp-attribute": "ip-src"
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.",
"meta-category": "misc",
"uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d",
"name": "TSK-Web-Cookie"
}
{
"required": [
"URL",
"name",
"value"
],
"attributes": {
"URL": {
"description": "The website URL that created the cookie.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-created": {
"description": "date and time when the cookie was created.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"name": {
"description": "Name of the cookie ",
"ui-priority": 0,
"misp-attribute": "text"
},
"value": {
"description": "Value assigned to the cookie.",
"ui-priority": 0,
"misp-attribute": "text"
},
"browser": {
"description": "Browser on which the cookie was created.",
"ui-priority": 0,
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"misp-attribute": "text"
},
"domain-name": {
"description": "Domain of the URL that created the cookie.",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-ip": {
"description": "IP of the domain that created the URL.",
"ui-priority": 0,
"misp-attribute": "ip-src"
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.",
"meta-category": "misc",
"uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d",
"name": "TSK-Web-Cookie"
}


@ -1,55 +1,55 @@
{
"required": [
"URL",
"name"
],
"attributes": {
"URL": {
"description": "The URL used to download the file.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-accessed": {
"description": "date and time when the file was downloaded.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"name": {
"description": "Name of the file downloaded.",
"ui-priority": 0,
"misp-attribute": "text"
},
"path-downloadedTo": {
"description": "Location the file was downloaded to.",
"ui-priority": 0,
"misp-attribute": "text"
},
"pathID": {
"description": "Id of the attribute file where the information is gathered from.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"attachment": {
"description": "The downloaded file itself.",
"ui-priority": 1,
"misp-attribute": "attachment",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to add web-downloads",
"meta-category": "File",
"uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26",
"name": "TSK-Web-Downloads"
}
{
"required": [
"URL",
"name"
],
"attributes": {
"URL": {
"description": "The URL used to download the file.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-accessed": {
"description": "date and time when the file was downloaded.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"name": {
"description": "Name of the file downloaded.",
"ui-priority": 0,
"misp-attribute": "text"
},
"path-downloadedTo": {
"description": "Location the file was downloaded to.",
"ui-priority": 0,
"misp-attribute": "text"
},
"pathID": {
"description": "Id of the attribute file where the information is gathered from.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"attachment": {
"description": "The downloaded file itself.",
"ui-priority": 1,
"misp-attribute": "attachment",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to add web-downloads",
"meta-category": "File",
"uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26",
"name": "TSK-Web-Downloads"
}


@ -1,68 +1,68 @@
{
"required": [
"URL",
"datetime-accessed"
],
"attributes": {
"URL": {
"description": "The URL accessed.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-accessed": {
"description": "date and the time when the URL was accessed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"referrer": {
"description": "where the URL was referred from ",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"title": {
"description": "Title of the web page",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-name": {
"description": "Domain of the URL.",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-ip": {
"description": "IP of the URL domain.",
"ui-priority": 0,
"misp-attribute": "ip-src"
},
"browser": {
"description": "Browser used to access the URL.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to share web history information",
"meta-category": "misc",
"uuid": "e1325e52-e52e-49b1-89ad-d503c127c698",
"name": "TSK-Web-History"
}
{
"required": [
"URL",
"datetime-accessed"
],
"attributes": {
"URL": {
"description": "The URL accessed.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-accessed": {
"description": "date and the time when the URL was accessed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"referrer": {
"description": "where the URL was referred from ",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"title": {
"description": "Title of the web page",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-name": {
"description": "Domain of the URL.",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-ip": {
"description": "IP of the URL domain.",
"ui-priority": 0,
"misp-attribute": "ip-src"
},
"browser": {
"description": "Browser used to access the URL.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to share web history information",
"meta-category": "misc",
"uuid": "e1325e52-e52e-49b1-89ad-d503c127c698",
"name": "TSK-Web-History"
}


@ -1,66 +1,66 @@
{
"required": [
"domain",
"text"
],
"attributes": {
"domain": {
"description": "The domain of the search engine.",
"ui-priority": 0,
"misp-attribute": "link",
"sane_default": [
"Google",
"Yahoo",
"Bing",
"Alta Vista",
"MSN"
],
"disable_correlation": true
},
"text": {
"description": "the search word or sentence.",
"ui-priority": 0,
"misp-attribute": "text"
},
"datetime-searched": {
"description": "date and time when the search was conducted.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"browser": {
"description": "Browser used.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"disable_correlation": true
},
"username": {
"description": "User name or ID associated with the search.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to share web search query information",
"meta-category": "misc",
"uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e",
"name": "TSK-Web-Search-Query"
}
{
"required": [
"domain",
"text"
],
"attributes": {
"domain": {
"description": "The domain of the search engine.",
"ui-priority": 0,
"misp-attribute": "link",
"sane_default": [
"Google",
"Yahoo",
"Bing",
"Alta Vista",
"MSN"
],
"disable_correlation": true
},
"text": {
"description": "the search word or sentence.",
"ui-priority": 0,
"misp-attribute": "text"
},
"datetime-searched": {
"description": "date and time when the search was conducted.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"browser": {
"description": "Browser used.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"disable_correlation": true
},
"username": {
"description": "User name or ID associated with the search.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to share web search query information",
"meta-category": "misc",
"uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e",
"name": "TSK-Web-Search-Query"
}


@ -5,169 +5,163 @@
"name"
],
"attributes": {
"event-id": {
"description": "A unique number which identifies the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"name": {
"description": "Name of the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"event-channel":
{
"description":" Channel through which the event occurred",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane-default":[
"Application",
"System",
"Security",
"Setup",
"other"
]
},
"event-type":
{
"description": "Event-type assigned to the event",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane-default":[
"Admin",
"Operational",
"Audit",
"Analytic",
"Debug",
"other"
]
},
"source": {
"description": "The source of the event log - application/software that logged the event.",
"ui-priority": 0,
"misp-attribute": "text"
},
"event-date-time":
{
"description": "Date and time when the event was logged.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"level": {
"description": "Determines the event severity.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default":[
"Information",
"Warning",
"Error",
"Critical",
"Success Audit",
"Failure Audit"
]
},
"Computer": {
"description": "Computer name on which the event occurred",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"User": {
"description": "Name or the User ID the event is associated with.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Operational-code": {
"description": "The opcode (numeric value or name) associated with the activity carried out by the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"log": {
"description": "Log file where the event was recorded.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"task-category":{
"description": "Activity by the event publisher",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Keywords":{
"description" : "Tags used for the event for the purpose of filtering or searching.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default":[
"Network",
"Security",
"Resource not found",
"other"
]
},
"Processor-ID": {
"description": "ID of the processor that processed the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Thread-ID": {
"description": "Thread id that generated the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Session-ID": {
"description": "Terminal server session ID.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Correlation-ID": {
"description": "Unique activity identity which relates the event to a process. ",
"ui-priority": 0,
"misp-attribute": "text"
},
"Relative-Correlation-ID": {
"description": "Related activity ID which identity similar activities which occurred as a part of the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"kernel-time":
{
"description": "Execution time of the kernel mode instruction.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"user-time":
{
"description": "Date and time when the user instruction was executed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"Event-data":
{
"description": "Event data description.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
"event-id": {
"description": "A unique number which identifies the event.",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"name": {
"description": "Name of the event.",
"ui-priority": 2,
"misp-attribute": "text",
"disable_correlation": true
},
"event-channel": {
"description": " Channel through which the event occurred",
"ui-priority": 3,
"misp-attribute": "text",
"disable_correlation": true,
"sane-default": [
"Application",
"System",
"Security",
"Setup",
"other"
]
},
"event-type": {
"description": "Event-type assigned to the event",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane-default": [
"Admin",
"Operational",
"Audit",
"Analytic",
"Debug",
"other"
]
},
"source": {
"description": "The source of the event log - application/software that logged the event.",
"ui-priority": 0,
"misp-attribute": "text"
},
"event-date-time": {
"description": "Date and time when the event was logged.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"level": {
"description": "Determines the event severity.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"Information",
"Warning",
"Error",
"Critical",
"Success Audit",
"Failure Audit"
]
},
"Computer": {
"description": "Computer name on which the event occurred",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"User": {
"description": "Name or the User ID the event is associated with.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Operational-code": {
"description": "The opcode (numeric value or name) associated with the activity carried out by the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"log": {
"description": "Log file where the event was recorded.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"task-category": {
"description": "Activity by the event publisher",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Keywords": {
"description": "Tags used for the event for the purpose of filtering or searching.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"Network",
"Security",
"Resource not found",
"other"
]
},
"Processor-ID": {
"description": "ID of the processor that processed the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Thread-ID": {
"description": "Thread id that generated the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Session-ID": {
"description": "Terminal server session ID.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Correlation-ID": {
"description": "Unique activity identity which relates the event to a process. ",
"ui-priority": 0,
"misp-attribute": "text"
},
"Relative-Correlation-ID": {
"description": "Related activity ID which identity similar activities which occurred as a part of the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"kernel-time": {
"description": "Execution time of the kernel mode instruction.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"user-time": {
"description": "Date and time when the user instruction was executed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"Event-data": {
"description": "Event data description.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Event log object template to share information of the activities conducted on a system. ",
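Review bot: The `event-channel` and `event-type` attributes keep the key `"sane-default"` (hyphen) while `level` and `Keywords` in the same object, and every other template on this page, use `"sane_default"`; a consumer that reads `sane_default` would presumably ignore the hyphenated key, so the default choices for those two attributes never surface. Change both occurrences to `"sane_default": [`. The new side also raises `ui-priority` to 1, 2 and 3 on `event-id`, `name` and `event-channel` while every other attribute stays at 0; if that ordering is intentional it deserves a line in the commit message, since nothing on the page documents what the value controls. The enclosing object starts before the hunk (line 5) and its `meta-category`, `uuid` and `name` lie past its end.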


@ -26,25 +26,25 @@
"description": "List of recent folders accessed by the user.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
"multiple": true
},
"recent-files-accessed": {
"description": "List of recent files accessed by the user.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
"multiple": true
},
"typed-urls": {
"description": "Urls typed by the user in internet explorer",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
"multiple": true
},
"applications-installed": {
"description": "List of applications installed.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
"multiple": true
},
"applications-run": {
"description": "List of applications set to run on the system.",
@ -58,7 +58,7 @@
"misp-attribute": "text",
"multiple": true
},
"user-init": {
"user-init": {
"description": "Applications or processes set to run when the user logs onto the windows system.",
"ui-priority": 0,
"misp-attribute": "text",
@ -89,7 +89,6 @@
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.",


@ -1,70 +1,68 @@
{
"required": [
"key"
],
"requiredOneOf": [
"user-name",
"last-login-time",
"login-count"
],
"attributes": {
"key": {
"description": "Registry key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"key-last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"user-name": {
"description": "User name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"full-user-name": {
"description": "Full name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-login-time": {
"description": "Date and time when the user last logged onto the system.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"pwd-reset-time": {
"description": "Date and time when the password was last reset.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"pwd-fail-date": {
"description": "Date and time when a password last failed for this user profile.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"login-count": {
"description": "Number of times the user logged-in onto the system.",
"ui-priority": 0,
"misp-attribute": "counter",
"disable_correlation": true
},
"comments": {
"description": "Full name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
"required": [
"key"
],
"requiredOneOf": [
"user-name",
"last-login-time",
"login-count"
],
"attributes": {
"key": {
"description": "Registry key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to present user profile details extracted from the SAM hive.",
"meta-category": "misc",
"uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
"name": "regripper-sam-hive-single-user"
}
"key-last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"user-name": {
"description": "User name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"full-user-name": {
"description": "Full name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-login-time": {
"description": "Date and time when the user last logged onto the system.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"pwd-reset-time": {
"description": "Date and time when the password was last reset.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"pwd-fail-date": {
"description": "Date and time when a password last failed for this user profile.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"login-count": {
"description": "Number of times the user logged-in onto the system.",
"ui-priority": 0,
"misp-attribute": "counter",
"disable_correlation": true
},
"comments": {
"description": "Full name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to present user profile details extracted from the SAM hive.",
"meta-category": "misc",
"uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
"name": "regripper-sam-hive-single-user"
}


@ -1,56 +1,54 @@
{
"required": [
"key"
],
"requiredOneOf": [
"group-name"
],
"attributes": {
"key": {
"description": "Registry key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"key-last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"group-name": {
"description": "Name assigned to the profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"full-name": {
"description": "Full name assigned to the profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-date-time": {
"description": "Date and time when the group key was updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"group-comment": {
"description": "Name assigned to the profile.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"group-users": {
"description": "Users belonging to the group",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
}
"required": [
"key"
],
"requiredOneOf": [
"group-name"
],
"attributes": {
"key": {
"description": "Registry key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to present group profile details extracted from the SAM hive.",
"meta-category": "misc",
"uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c",
"name": "regripper-sam-hive-user-group"
}
"key-last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"group-name": {
"description": "Name assigned to the profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"full-name": {
"description": "Full name assigned to the profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-date-time": {
"description": "Date and time when the group key was updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"group-comment": {
"description": "Any group comment added.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"group-users": {
"description": "Users belonging to the group",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to present group profile details extracted from the SAM hive.",
"meta-category": "misc",
"uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c",
"name": "regripper-sam-hive-user-group"
}
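Review bot: `"requiredOneOf": ["group-name"]` with a single entry is equivalent to listing `group-name` under `required`; unless further alternatives are planned, `"required": ["key", "group-name"]` with `requiredOneOf` dropped states the constraint more plainly. The new side fixes the copy-pasted description on `group-comment`, but the same copy-paste survives in the sibling single-user template on this page, whose `comments` attribute still reads "Full name assigned to the user profile." and would read better as `"description": "Additional comments."`. `key-last-write-time` and `last-write-date-time` are both described as the time the key was updated; if they are genuinely different timestamps the descriptions should say how they differ, otherwise one of them is presumably redundant.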


@ -1,60 +1,59 @@
{
"required": [
"key",
"BHO-name"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"BHO-name": {
"description": "Name of the browser helper object.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BHO-key-last-write-time": {
"description": "Date and time when the BHO key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"class": {
"description": "Class to which the BHO belongs to.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"module": {
"description": "DLL module the BHO belongs to.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the BHO.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple":true
}
"required": [
"key",
"BHO-name"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.",
"meta-category": "misc",
"uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2",
"name": "regripper-software-hive-BHO"
}
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"BHO-name": {
"description": "Name of the browser helper object.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BHO-key-last-write-time": {
"description": "Date and time when the BHO key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"class": {
"description": "Class to which the BHO belongs to.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"module": {
"description": "DLL module the BHO belongs to.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the BHO.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.",
"meta-category": "misc",
"uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2",
"name": "regripper-software-hive-BHO"
}


@ -1,54 +1,53 @@
{
"required": [
"key",
"DLL-name",
"DLL-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"DLL-name": {
"description": "Name of the DLL file.",
"ui-priority": 0,
"misp-attribute": "text"
},
"DLL-path": {
"description": "Path where the DLL file is stored.",
"ui-priority": 0,
"misp-attribute": "text"
},
"DLL-last-write-time": {
"description": "Date and time when the DLL file was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the DLL file.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple":true
}
"required": [
"key",
"DLL-name",
"DLL-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to gather information of the DLL files installed on the system.",
"meta-category": "misc",
"uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859",
"name": "regripper-software-hive-appInit-DLLS"
}
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"DLL-name": {
"description": "Name of the DLL file.",
"ui-priority": 0,
"misp-attribute": "text"
},
"DLL-path": {
"description": "Path where the DLL file is stored.",
"ui-priority": 0,
"misp-attribute": "text"
},
"DLL-last-write-time": {
"description": "Date and time when the DLL file was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the DLL file.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the DLL files installed on the system.",
"meta-category": "misc",
"uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859",
"name": "regripper-software-hive-appInit-DLLS"
}


@ -1,50 +1,49 @@
{
"required": [
"key",
"executable-file-name",
"path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"executable-file-name": {
"description": "Name of the executable file.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
},
"path": {
"description": "Path of the executable file.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the application installed.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple":true
}
"required": [
"key",
"executable-file-name",
"path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to gather information of the application paths.",
"meta-category": "misc",
"uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8",
"name": "regripper-software-hive-application-paths"
}
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"executable-file-name": {
"description": "Name of the executable file.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"path": {
"description": "Path of the executable file.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the application installed.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the application paths.",
"meta-category": "misc",
"uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8",
"name": "regripper-software-hive-application-paths"
}


@ -1,58 +1,57 @@
{
"required": [
"key",
"app-name"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"key-path": {
"description": "Path of the key.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"app-name": {
"description": "Name of the application.",
"ui-priority": 0,
"misp-attribute": "text"
},
"app-last-write-time": {
"description": "Date and time when the application key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"version": {
"description": "Version of the application.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the application installed.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple":true
}
"required": [
"key",
"app-name"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to gather information of the applications installed on the system.",
"meta-category": "misc",
"uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
"name": "regripper-software-hive-applications-installed"
}
"key-path": {
"description": "Path of the key.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"app-name": {
"description": "Name of the application.",
"ui-priority": 0,
"misp-attribute": "text"
},
"app-last-write-time": {
"description": "Date and time when the application key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"version": {
"description": "Version of the application.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the application installed.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the applications installed on the system.",
"meta-category": "misc",
"uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
"name": "regripper-software-hive-applications-installed"
}


@ -1,56 +1,55 @@
{
"required": [
"key",
"shell",
"shell-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"shell": {
"description": "Type of shell used to execute the command.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default":[
"exe",
"cmd",
"bat",
"hta",
"pif",
"Other"
],
"disable_correlation": true
},
"shell-path": {
"description": "Path of the shell.",
"ui-priority": 0,
"misp-attribute": "text"
},
"command": {
"description": "Command executed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
"required": [
"key",
"shell",
"shell-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
"meta-category": "misc",
"uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
"name": "regripper-software-hive-command-shell"
}
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"shell": {
"description": "Type of shell used to execute the command.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"exe",
"cmd",
"bat",
"hta",
"pif",
"Other"
],
"disable_correlation": true
},
"shell-path": {
"description": "Path of the shell.",
"ui-priority": 0,
"misp-attribute": "text"
},
"command": {
"description": "Command executed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
"meta-category": "misc",
"uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
"name": "regripper-software-hive-command-shell"
}


@ -1,126 +1,125 @@
{
"required": [
"win-cv-path",
"CurrentVersion"
],
"attributes": {
"win-cv-path": {
"description": "key where the windows information is retrieved from",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"RegisteredOrganization": {
"description": "Name of the registered organization.",
"ui-priority": 0,
"misp-attribute": "text"
},
"RegisteredOwner": {
"description": "Name of the registered owner.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentVersion": {
"description": "Current version of windows",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentBuild": {
"description": "Build number of the windows OS.",
"ui-priority": 0,
"misp-attribute": "text"
},
"SoftwareType": {
"description": "Software type of windows.",
"ui-priority": 0,
"sane_default":[
"System",
"Application",
"other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"InstallationType": {
"description": "Type of windows installation.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"InstallDate": {
"description": "Date when windows was installed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"SystemRoot": {
"description": "Root directory.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"PathName": {
"description": "Path to the root directory.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"EditionID": {
"description": "Windows edition.",
"ui-priority": 0,
"misp-attribute": "text"
},
"ProductName": {
"description": "Name of the windows version.",
"ui-priority": 0,
"misp-attribute": "text"
},
"ProductID": {
"description": "ID of the product version.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CSDVersion": {
"description": "Version of the service pack installed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentType": {
"description": "Current build type of the OS.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildLab": {
"description": "Windows BuildLab string.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildGUID": {
"description": "Build ID.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildLabEx": {
"description": "Windows BuildLabEx string.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"disable_correlation": true
}
"required": [
"win-cv-path",
"CurrentVersion"
],
"attributes": {
"win-cv-path": {
"description": "key where the windows information is retrieved from",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
"meta-category": "misc",
"uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
"name": "regripper-software-hive-windows-general-info"
}
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"RegisteredOrganization": {
"description": "Name of the registered organization.",
"ui-priority": 0,
"misp-attribute": "text"
},
"RegisteredOwner": {
"description": "Name of the registered owner.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentVersion": {
"description": "Current version of windows",
"ui-priority": 0,
"disable_correlation": true
},
"CurrentBuild": {
"description": "Build number of the windows OS.",
"ui-priority": 0,
"misp-attribute": "text"
},
"SoftwareType": {
"description": "Software type of windows.",
"ui-priority": 0,
"sane_default": [
"System",
"Application",
"other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"InstallationType": {
"description": "Type of windows installation.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"InstallDate": {
"description": "Date when windows was installed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"SystemRoot": {
"description": "Root directory.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"PathName": {
"description": "Path to the root directory.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"EditionID": {
"description": "Windows edition.",
"ui-priority": 0,
"misp-attribute": "text"
},
"ProductName": {
"description": "Name of the windows version.",
"ui-priority": 0,
"misp-attribute": "text"
},
"ProductID": {
"description": "ID of the product version.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CSDVersion": {
"description": "Version of the service pack installed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentBuildType": {
"description": "Current build type of the OS.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildLab": {
"description": "Windows BuildLab string.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildGUID": {
"description": "Build ID.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildLabEx": {
"description": "Windows BuildLabEx string.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
"meta-category": "misc",
"uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
"name": "regripper-software-hive-windows-general-info"
}
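Review bot: On what appears to be the new (jq'd) side of this section, the `CurrentVersion` attribute block, the one now reading `"ui-priority": 0,` followed directly by `"disable_correlation": true`, has lost its `"misp-attribute"` entry, while the old side declared `"misp-attribute": "text"`; since `CurrentVersion` is also listed under `"required"`, the template will presumably fail validation or produce an attribute with no MISP type. Restore `"misp-attribute": "text",` in that block. The `comment` attribute still carries `"misp-attribute": ""` on both sides, which is equally unusable; the sibling templates' `comments` attributes use `"misp-attribute": "text"` and this one should match. The rename of `CurrentType` to `CurrentBuildType` silently changes an attribute name while `"version": 1` is unchanged; if any existing object data used the old name, bump `"version"` so consumers can tell the two shapes apart.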


@ -1,64 +1,63 @@
{
"required": [
"key",
"application-name",
"application-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"sane_default": [
"Run",
"RunOnce",
"Runservices",
"Terminal",
"Other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"key-path": {
"description": "Path of the key.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"application-name": {
"description": "Name of the application run.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
},
"application-path": {
"description": "Path where the application is installed.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple":true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the applications.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple":true
}
"required": [
"key",
"application-name",
"application-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"sane_default": [
"Run",
"RunOnce",
"Runservices",
"Terminal",
"Other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"version": 1,
"description": "Regripper Object template designed to gather information of the applications set to run on the system.",
"meta-category": "misc",
"uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
"name": "regripper-software-hive-software-run"
}
"key-path": {
"description": "Path of the key.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"application-name": {
"description": "Name of the application run.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"application-path": {
"description": "Path where the application is installed.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the applications.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the applications set to run on the system.",
"meta-category": "misc",
"uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
"name": "regripper-software-hive-software-run"
}


@ -145,8 +145,7 @@
"misp-attribute": "counter",
"disable_correlation": true
},
"Comments":
{
"Comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",


@ -1,48 +1,50 @@
{
"required": [
"profile"
],
"attributes": {
"profile": {
"description": "Firewall Profile type",
"ui-priority": 0,
"sane-default":[
"Domain Profile",
"Standard Profile",
"other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"last-write-time": {
"description": "Date and time when the firewall profile policy was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"enbled-firewall": {
"description": "Boolean flag to determine if the firewall is enabled.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"disable-notification": {
"description": "Boolean flag to determine if firewall notifications are enabled.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
"required": [
"profile"
],
"attributes": {
"profile": {
"description": "Firewall Profile type",
"ui-priority": 0,
"sane-default": [
"Domain Profile",
"Standard Profile",
"Network Profile",
"Public Profile",
"Private Profile",
"other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"version": 1,
"description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.",
"meta-category": "misc",
"uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07",
"name": "regripper-system-hive-firewall-configuration"
}
"last-write-time": {
"description": "Date and time when the firewall profile policy was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"enbled-firewall": {
"description": "Boolean flag to determine if the firewall is enabled.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"disable-notification": {
"description": "Boolean flag to determine if firewall notifications are enabled.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.",
"meta-category": "misc",
"uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07",
"name": "regripper-system-hive-firewall-configuration"
}
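Review bot: The list this section extends with `Network Profile`, `Public Profile` and `Private Profile` sits under the key `"sane-default"` (hyphen), whereas every other template in this commit spells it `"sane_default"` (underscore); a consumer that presumably only reads `sane_default` will ignore the whole list, so the addition has no visible effect until the key becomes `"sane_default": [`. The description of `disable-notification`, `Boolean flag to determine if firewall notifications are enabled.`, reads inverted relative to the attribute name and invites an analyst to mis-read a `true` value; suggest `Boolean flag set when firewall notifications are disabled.`. The attribute key `enbled-firewall` is misspelled; correcting it to `enabled-firewall` changes the name existing data references, so pair such a rename with a `"version"` bump rather than leaving `"version": 1`.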


@ -1,90 +1,89 @@
{
"required": [
"computer-name"
],
"attributes": {
"computer-name": {
"description": "name of the computer under analysis",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"shutdown-time": {
"description": "Date and time when the system was shutdown.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-last-write-time": {
"description": "Date and time when the timezone key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-bias": {
"description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-standard-name": {
"description": "Timezone standard name used during non-daylight saving months.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-standard-date": {
"description": "Standard date - non daylight saving months",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-standard-bias": {
"description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-daylight-name": {
"description": "Timezone name used during daylight saving months.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-daylight-date": {
"description": "Daylight date - daylight saving months",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-daylight-bias": {
"description": "value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"fDenyTSConnections:": {
"description": "Specifies whether remote connections are enabled or disabled on the system.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"disable_correlation": true
}
"required": [
"computer-name"
],
"attributes": {
"computer-name": {
"description": "name of the computer under analysis",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to present general system properties extracted from the system-hive.",
"meta-category": "misc",
"uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4",
"name": "regripper-system-hive-general-configuration"
}
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"shutdown-time": {
"description": "Date and time when the system was shutdown.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-last-write-time": {
"description": "Date and time when the timezone key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-bias": {
"description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-standard-name": {
"description": "Timezone standard name used during non-daylight saving months.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-standard-date": {
"description": "Standard date - non daylight saving months",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-standard-bias": {
"description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-daylight-name": {
"description": "Timezone name used during daylight saving months.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-daylight-date": {
"description": "Daylight date - daylight saving months",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-daylight-bias": {
"description": "value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"fDenyTSConnections:": {
"description": "Specifies whether remote connections are enabled or disabled on the system.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to present general system properties extracted from the system-hive.",
"meta-category": "misc",
"uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4",
"name": "regripper-system-hive-general-configuration"
}


@ -1,107 +1,106 @@
{
"required": [
"network-key"
],
"attributes": {
"network-key": {
"description": "Registry key assigned to the network",
"ui-priority": 0,
"misp-attribute": "text"
},
"network-key-last-write-time": {
"description": "Date and time when the network key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"network-key-path": {
"description": "Path of the key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"TCPIP-key": {
"description": "TCPIP key",
"ui-priority": 0,
"misp-attribute": "text"
},
"TCPIP-key-last-write-time": {
"description": "Datetime when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"DHCP-domain": {
"description": "Name of the DHCP domain service",
"ui-priority": 0,
"misp-attribute": "text"
},
"DHCP-IP-address": {
"description": "DHCP service - IP address",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"DHCP-subnet-mask": {
"description": "DHCP subnet mask - IP address.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"DHCP-name-server": {
"description": "DHCP Name server - IP address.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"DHCP-server": {
"description": "DHCP server - IP address.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"interface-GUID": {
"description": "GUID value assigned to the interface.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"interface-last-write-time": {
"description": "Last date and time when the interface key was updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"interface-name": {
"description": "Name of the interface.",
"ui-priority": 0,
"misp-attribute": "text"
},
"interface-PnpInstanceID": {
"description": "Plug and Play instance ID assigned to the interface.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"interface-MediaSubType": {
"description": "",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"interface-IPcheckingEnabled": {
"description": "",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
"required": [
"network-key"
],
"attributes": {
"network-key": {
"description": "Registry key assigned to the network",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper object template designed to gather network information from the system-hive.",
"meta-category": "misc",
"uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0",
"name": "regripper-system-hive-network-information."
}
"network-key-last-write-time": {
"description": "Date and time when the network key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"network-key-path": {
"description": "Path of the key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"TCPIP-key": {
"description": "TCPIP key",
"ui-priority": 0,
"misp-attribute": "text"
},
"TCPIP-key-last-write-time": {
"description": "Datetime when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"DHCP-domain": {
"description": "Name of the DHCP domain service",
"ui-priority": 0,
"misp-attribute": "text"
},
"DHCP-IP-address": {
"description": "DHCP service - IP address",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"DHCP-subnet-mask": {
"description": "DHCP subnet mask - IP address.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"DHCP-name-server": {
"description": "DHCP Name server - IP address.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"DHCP-server": {
"description": "DHCP server - IP address.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"interface-GUID": {
"description": "GUID value assigned to the interface.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"interface-last-write-time": {
"description": "Last date and time when the interface key was updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"interface-name": {
"description": "Name of the interface.",
"ui-priority": 0,
"misp-attribute": "text"
},
"interface-PnpInstanceID": {
"description": "Plug and Play instance ID assigned to the interface.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"interface-MediaSubType": {
"description": "",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"interface-IPcheckingEnabled": {
"description": "",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper object template designed to gather network information from the system-hive.",
"meta-category": "misc",
"uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0",
"name": "regripper-system-hive-network-information."
}


@ -1,99 +1,98 @@
{
"required": [
"name"
],
"attributes": {
"name": {
"description": "name of the key",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"display": {
"description": "Display name/information of the service or the driver.",
"ui-priority": 0,
"misp-attribute": "text"
},
"image-path": {
"description": "Path of the service/drive",
"ui-priority": 0,
"misp-attribute": "text"
},
"type": {
"description": "Service/driver type.",
"ui-priority": 0,
"sane_default": [
"Kernel driver",
"File system driver",
"Own process",
"Share process",
"Interactive",
"Other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"start": {
"description": "When the service/driver starts or executes.",
"ui-priority": 0,
"sane_default":[
"Boot start",
"System start",
"Auto start",
"Manual",
"Disabled"
],
"misp-attribute": "text",
"disable_correlation": true
},
"group": {
"description": "Group to which the system/driver belong to.",
"ui-priority": 0,
"sane_default":[
"Base",
"Boot Bus Extender",
"Boot File System",
"Cryptography",
"Extended base",
"Event Log",
"Filter",
"FSFilter Bottom",
"FSFilter Infrastructure",
"File System",
"FSFilter Virtualization",
"Keyboard Port",
"Network",
"NDIS",
"Parallel arbitrator",
"Pointer Port",
"PnP Filter",
"ProfSvc_Group",
"PNP_TDI",
"SCSI Miniport",
"SCSI CDROM Class",
"System Bus Extender",
"Video Save",
"other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"disable_correlation": true
}
"required": [
"name"
],
"attributes": {
"name": {
"description": "name of the key",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": 1,
"description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.",
"meta-category": "misc",
"uuid": "78cdae45-2061-4b49-b1d6-71f562094a73",
"name": "regripper-system-hive-services-drivers"
}
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"display": {
"description": "Display name/information of the service or the driver.",
"ui-priority": 0,
"misp-attribute": "text"
},
"image-path": {
"description": "Path of the service/drive",
"ui-priority": 0,
"misp-attribute": "text"
},
"type": {
"description": "Service/driver type.",
"ui-priority": 0,
"sane_default": [
"Kernel driver",
"File system driver",
"Own process",
"Share process",
"Interactive",
"Other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"start": {
"description": "When the service/driver starts or executes.",
"ui-priority": 0,
"sane_default": [
"Boot start",
"System start",
"Auto start",
"Manual",
"Disabled"
],
"misp-attribute": "text",
"disable_correlation": true
},
"group": {
"description": "Group to which the system/driver belong to.",
"ui-priority": 0,
"sane_default": [
"Base",
"Boot Bus Extender",
"Boot File System",
"Cryptography",
"Extended base",
"Event Log",
"Filter",
"FSFilter Bottom",
"FSFilter Infrastructure",
"File System",
"FSFilter Virtualization",
"Keyboard Port",
"Network",
"NDIS",
"Parallel arbitrator",
"Pointer Port",
"PnP Filter",
"ProfSvc_Group",
"PNP_TDI",
"SCSI Miniport",
"SCSI CDROM Class",
"System Bus Extender",
"Video Save",
"other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.",
"meta-category": "misc",
"uuid": "78cdae45-2061-4b49-b1d6-71f562094a73",
"name": "regripper-system-hive-services-drivers"
}
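Review bot: The `comment` attribute at the end of the `attributes` object still has `"misp-attribute": ""`, which leaves that attribute with no MISP type; it appears identically on the old and new side, so the jq reformat carried the defect over unchanged. Every other attribute in this template, and the `additional-comments` attribute of the sibling network-information template, uses `"misp-attribute": "text"`, so the line should read `"misp-attribute": "text",`. Two descriptions are also worth fixing while the file is being touched: `"description": "Path of the service/drive"` reads better as `"description": "Path of the service/driver image."`, and `"description": "Group to which the system/driver belong to."` as `"description": "Group to which the service/driver belongs."`. Because the rendered page shows the old and new lines without side markers, the exact position of these lines in the new file is inferred from the unchanged content rather than from gutter numbers.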