pull/125/head
Alexandre Dulaunoy 2018-10-25 17:30:30 +02:00
commit 38a006b05b
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
22 changed files with 1762 additions and 0 deletions


@ -0,0 +1,84 @@
{
"required": [
"message-type",
"message"
],
"attributes": {
"message-type": {
"description": "the type of message extracted from the forensic-evidence.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"SMS",
"MMS",
"Instant Message (IM)",
"Voice Message"
],
"disable_correlation": true
},
"datetime-sent": {
"description": "date and the time when the message was sent.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"datetime-received": {
"description": "date and time when the message was received.",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"Source": {
"description": "Source of the message.(Contact details)",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"destination": {
"description": "Destination of the message.(Contact details)",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"app-used": {
"description": "Application used to send the message.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"subject": {
"description": "Subject of the message if any.",
"ui-priority": 0,
"misp-attribute": "text"
},
"message": {
"description": "Message exchanged.",
"ui-priority": 0,
"misp-attribute": "text"
},
"attachments": {
"description": "External references",
"multiple": true,
"ui-priority": 0,
"categories": [
"External analysis"
],
"misp-attribute": "link"
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.",
"meta-category": "misc",
"uuid": "6b71f231-c502-467f-bc67-1423cd5bf800",
"name": "tsk-chats"
}
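Review bot: `Source` is the only capitalised attribute key in tsk-chats; every sibling (`destination`, `app-used`, `subject`) is lower-case kebab, and attribute names become the object's relation names, so renaming after release breaks existing objects — change it to `"source": {` before merge. `datetime-received` carries `"multiple": true` while `datetime-sent` does not; presumably a group message can be received at several times, but if so the description should say so, e.g. `"One entry per recipient delivery time."`. The `attachments` description `"External references"` does not match the attribute name; `"Links to message attachments stored outside MISP."` would tell a consumer what to expect.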


@ -0,0 +1,67 @@
{
"required": [
"URL"
],
"attributes": {
"URL": {
"description": "The URL saved as bookmark.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-bookmarked": {
"description": "date and time when the URL was added to favorites.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"name": {
"description": "Book mark name. ",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"title": {
"description": "Title of the web page",
"ui-priority": 0,
"misp-attribute": "text"
},
"browser": {
"description": "Browser used to access the URL.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"disable_correlation": true
},
"domain-name": {
"description": "Domain of the URL.",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-ip": {
"description": "IP of the URL domain.",
"ui-priority": 0,
"misp-attribute": "ip-src"
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.",
"meta-category": "misc",
"uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373",
"name": "tsk-web-bookmark"
}
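Review bot: `domain-name` is typed `text`, so a bookmarked domain will never correlate with `domain`/`hostname` attributes already in the instance, which is the main value of sharing browser artefacts — change it to `"misp-attribute": "domain"`; the same applies to `domain-name` in tsk-web-cookie and tsk-web-history. `domain-ip` is `ip-src` although the address is the one the browser connected to, so `ip-dst` is the better fit in all three templates. The bookmarked `URL` is arguably a `url` indicator rather than a `link` reference, which would let it correlate with URL indicators from other events. The `name` description `"Book mark name. "` has a typo and a trailing space; `"Bookmark name."`.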


@ -0,0 +1,67 @@
{
"required": [
"URL",
"name",
"value"
],
"attributes": {
"URL": {
"description": "The website URL that created the cookie.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-created": {
"description": "date and time when the cookie was created.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"name": {
"description": "Name of the cookie ",
"ui-priority": 0,
"misp-attribute": "text"
},
"value": {
"description": "Value assigned to the cookie.",
"ui-priority": 0,
"misp-attribute": "text"
},
"browser": {
"description": "Browser on which the cookie was created.",
"ui-priority": 0,
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"misp-attribute": "text"
},
"domain-name": {
"description": "Domain of the URL that created the cookie.",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-ip": {
"description": "IP of the domain that created the URL.",
"ui-priority": 0,
"misp-attribute": "ip-src"
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.",
"meta-category": "misc",
"uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d",
"name": "tsk-web-cookie"
}
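Review bot: `value` is shared with correlation enabled and no caveat, yet a cookie value is usually a live session token for the account it was taken from; the description should say so, e.g. `"Value assigned to the cookie. Treat as a credential: share under a restricted distribution or after the session has been invalidated."`, and `"disable_correlation": true` is appropriate since token strings are per-session and only produce noise. The `domain-ip` description `"IP of the domain that created the URL."` inverts the relation its sibling `domain-name` states; `"IP of the domain that set the cookie."`. The template description reads `"An TSK-Autopsy..."`; `"A TSK-Autopsy..."`.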


@ -0,0 +1,55 @@
{
"required": [
"URL",
"name"
],
"attributes": {
"URL": {
"description": "The URL used to download the file.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-accessed": {
"description": "date and time when the file was downloaded.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"name": {
"description": "Name of the file downloaded.",
"ui-priority": 0,
"misp-attribute": "text"
},
"path-downloadedTo": {
"description": "Location the file was downloaded to.",
"ui-priority": 0,
"misp-attribute": "text"
},
"pathID": {
"description": "Id of the attribute file where the information is gathered from.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"attachment": {
"description": "The downloaded file itself.",
"ui-priority": 1,
"misp-attribute": "attachment",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to add web-downloads",
"meta-category": "File",
"uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26",
"name": "tsk-web-downloads"
}
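Review bot: `meta-category` is `"File"` while every other template in this commit uses lower-case `"misc"` and existing MISP templates use `"file"`; the category is presumably matched as a plain string, so use `"meta-category": "file"`. `name` (the downloaded file) is typed `text`, which means it never correlates with `filename` attributes from malware samples elsewhere in the instance — `"misp-attribute": "filename"` is the matching type; the same applies to `DLL-name` in regripper-software-hive-appInit-DLLS, `executable-file-name` in regripper-software-hive-application-paths and `application-name` in regripper-software-hive-software-run. `path-downloadedTo` and `pathID` mix camelCase into an otherwise kebab-case key set; `path-downloaded-to` and `path-id` keep the convention, and the `pathID` description `"Id of the attribute file where the information is gathered from."` does not say what that id refers to.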


@ -0,0 +1,68 @@
{
"required": [
"URL",
"datetime-accessed"
],
"attributes": {
"URL": {
"description": "The URL accessed.",
"ui-priority": 0,
"misp-attribute": "link"
},
"datetime-accessed": {
"description": "date and the time when the URL was accessed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"referrer": {
"description": "where the URL was referred from ",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"title": {
"description": "Title of the web page",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-name": {
"description": "Domain of the URL.",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain-ip": {
"description": "IP of the URL domain.",
"ui-priority": 0,
"misp-attribute": "ip-src"
},
"browser": {
"description": "Browser used to access the URL.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to share web history information",
"meta-category": "misc",
"uuid": "e1325e52-e52e-49b1-89ad-d503c127c698",
"name": "tsk-web-history"
}
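Review bot: `referrer` is typed `text` with correlation disabled, but the referrer is itself a URL and is often the pivot that links a visit back to a phishing page or redirect chain; `"misp-attribute": "url"` with correlation left on would make it usable, and the description `"where the URL was referred from "` has a trailing space. `datetime-accessed` is in `required`, so a history entry whose timestamp could not be recovered (common with partially carved history databases) cannot be represented at all; consider leaving only `URL` required.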


@ -0,0 +1,66 @@
{
"required": [
"domain",
"text"
],
"attributes": {
"domain": {
"description": "The domain of the search engine.",
"ui-priority": 0,
"misp-attribute": "link",
"sane_default": [
"Google",
"Yahoo",
"Bing",
"Alta Vista",
"MSN"
],
"disable_correlation": true
},
"text": {
"description": "the search word or sentence.",
"ui-priority": 0,
"misp-attribute": "text"
},
"datetime-searched": {
"description": "date and time when the search was conducted.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"browser": {
"description": "Browser used.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"IE",
"Safari",
"Chrome",
"Firefox",
"Opera mini",
"Chromium"
],
"disable_correlation": true
},
"username": {
"description": "User name or ID associated with the search.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"categories": [
"External analysis"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An Object Template to share web search query information",
"meta-category": "misc",
"uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e",
"name": "tsk-web-search-query"
}
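Review bot: `domain` is typed `link` but its `sane_default` entries are engine names (`Google`, `Yahoo`, `Bing`, …), none of which is a link, so picking a default presumably yields a value that fails `link` validation; either type it `text` and rename it `search-engine`, or keep `domain` typed `domain` and drop the defaults. `username` with correlation disabled is sensible, since it is an account name on a third-party site. The `text` description `"the search word or sentence."` should start with a capital like its siblings.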


@ -0,0 +1,171 @@
{
"required": [
"source",
"type",
"name"
],
"attributes": {
"event-id": {
"description": "A unique number which identifies the event.",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"name": {
"description": "Name of the event.",
"ui-priority": 2,
"misp-attribute": "text",
"disable_correlation": true
},
"event-channel": {
"description": " Channel through which the event occurred",
"ui-priority": 3,
"misp-attribute": "text",
"disable_correlation": true,
"sane-default": [
"Application",
"System",
"Security",
"Setup",
"other"
]
},
"event-type": {
"description": "Event-type assigned to the event",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane-default": [
"Admin",
"Operational",
"Audit",
"Analytic",
"Debug",
"other"
]
},
"source": {
"description": "The source of the event log - application/software that logged the event.",
"ui-priority": 0,
"misp-attribute": "text"
},
"event-date-time": {
"description": "Date and time when the event was logged.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"level": {
"description": "Determines the event severity.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"Information",
"Warning",
"Error",
"Critical",
"Success Audit",
"Failure Audit"
]
},
"Computer": {
"description": "Computer name on which the event occurred",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"User": {
"description": "Name or the User ID the event is associated with.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Operational-code": {
"description": "The opcode (numeric value or name) associated with the activity carried out by the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"log": {
"description": "Log file where the event was recorded.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"task-category": {
"description": "Activity by the event publisher",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Keywords": {
"description": "Tags used for the event for the purpose of filtering or searching.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"Network",
"Security",
"Resource not found",
"other"
]
},
"Processor-ID": {
"description": "ID of the processor that processed the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Thread-ID": {
"description": "Thread id that generated the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Session-ID": {
"description": "Terminal server session ID.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Correlation-ID": {
"description": "Unique activity identity which relates the event to a process. ",
"ui-priority": 0,
"misp-attribute": "text"
},
"Relative-Correlation-ID": {
"description": "Related activity ID which identity similar activities which occurred as a part of the event.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"kernel-time": {
"description": "Execution time of the kernel mode instruction.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"user-time": {
"description": "Date and time when the user instruction was executed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"Event-data": {
"description": "Event data description.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Event log object template to share information of the activities conducted on a system. ",
"meta-category": "misc",
"uuid": "94e3aee9-cb99-4503-9bf6-7da3db5de55e",
"name": "python-etvx-event-log"
}
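Review bot: `required` lists `type`, but no attribute named `type` exists in python-etvx-event-log — the attribute is `event-type` — so an object built from this template can never satisfy its own required list; change the entry to `"event-type"` or drop it. `event-channel` and `event-type` spell their default list `sane-default` while `level` and `Keywords` in the same file use `sane_default`; only the underscore form is the MISP template key, so the hyphenated lists are silently ignored (the same misspelling is on `profile` in regripper-system-hive-firewall-configuration). Key capitalisation is also mixed (`Computer`, `User`, `Keywords`, `Processor-ID` next to `event-id`, `log`, `task-category`); settle on one convention before release since attribute names are part of the object contract. `kernel-time` is described as `"Execution time of the kernel mode instruction."` but typed `datetime`; if it is a duration it needs `counter` or `text` with the unit named in the description.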


@ -0,0 +1,98 @@
{
"required": [
"key"
],
"requiredOneOf": [
"logon-user-name"
],
"attributes": {
"key": {
"description": "Registry key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"key-last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"logon-user-name": {
"description": "Name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"recent-folders-accessed": {
"description": "List of recent folders accessed by the user.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"recent-files-accessed": {
"description": "List of recent files accessed by the user.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"typed-urls": {
"description": "Urls typed by the user in internet explorer",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"applications-installed": {
"description": "List of applications installed.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"applications-run": {
"description": "List of applications set to run on the system.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"external-devices": {
"description": "List of external devices connected to the system by the user.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"user-init": {
"description": "Applications or processes set to run when the user logs onto the windows system.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"nukeOnDelete": {
"description": "Determines if the Recycle bin option has been disabled.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"network-connected-to": {
"description": "List of networks the user connected the system to.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"mount-points": {
"description": "Details of the mount points created on the system.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true,
"disable_correlation": true
},
"comments": {
"description": "Additional information related to the user profile",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.",
"meta-category": "misc",
"uuid": "f9dc7b7e-8ab1-4dde-95d9-67e41b461c65",
"name": "regripper-NTUser"
}
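Review bot: `key` holds a registry key path but is typed `text`, so it will not correlate with `regkey` / `regkey|value` attributes produced by malware analysis, which is the main reason to share a RegRipper artefact — `"misp-attribute": "regkey"` is the matching type; the same applies to `key` in regripper-sam-hive-single-user, regripper-sam-hive-user-group, regripper-software-hive-BHO, regripper-software-hive-appInit-DLLS, regripper-software-hive-application-paths, regripper-software-hive-applications-installed, regripper-software-hive-command-shell and regripper-software-hive-software-run, and to `win-cv-path` and `user-profile-key-path`/`winlogon-key-path` in the windows-general-info and userprofile-winlogon templates. `typed-urls` is likewise `text` where `url` would correlate with web indicators. `nukeOnDelete` is the only camelCase key in a kebab-case set (`nuke-on-delete` keeps the convention), and its description `"Determines if the Recycle bin option has been disabled."` is ambiguous — if it mirrors the registry value, `"true when deleted files bypass the Recycle Bin."` states what the flag means.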


@ -0,0 +1,68 @@
{
"required": [
"key"
],
"requiredOneOf": [
"user-name",
"last-login-time",
"login-count"
],
"attributes": {
"key": {
"description": "Registry key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"key-last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"user-name": {
"description": "User name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"full-user-name": {
"description": "Full name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-login-time": {
"description": "Date and time when the user last logged onto the system.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"pwd-reset-time": {
"description": "Date and time when the password was last reset.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"pwd-fail-date": {
"description": "Date and time when a password last failed for this user profile.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"login-count": {
"description": "Number of times the user logged-in onto the system.",
"ui-priority": 0,
"misp-attribute": "counter",
"disable_correlation": true
},
"comments": {
"description": "Full name assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to present user profile details extracted from the SAM hive.",
"meta-category": "misc",
"uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
"name": "regripper-sam-hive-single-user"
}
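Review bot: The `comments` description `"Full name assigned to the user profile."` is copy-pasted from `full-user-name`; `"Additional comments."` is what the sibling templates use. `requiredOneOf` lists `user-name`, `last-login-time` and `login-count`, so an object carrying only a login count and no user name is valid — if that is unintended, `user-name` belongs in `required` next to `key`. `pwd-fail-date` and `login-count` are the values an analyst pivots on when looking for password-guessing against a local account; saying so in their descriptions would help consumers of the object.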


@ -0,0 +1,54 @@
{
"required": [
"key"
],
"requiredOneOf": [
"group-name"
],
"attributes": {
"key": {
"description": "Registry key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"key-last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"group-name": {
"description": "Name assigned to the profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"full-name": {
"description": "Full name assigned to the profile.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-date-time": {
"description": "Date and time when the group key was updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"group-comment": {
"description": "Any group comment added.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"group-users": {
"description": "Users belonging to the group",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to present group profile details extracted from the SAM hive.",
"meta-category": "misc",
"uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c",
"name": "regripper-sam-hive-user-group"
}
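Review bot: `key-last-write-time` and `last-write-date-time` are described almost identically (`"...when the key was last updated."` / `"...when the group key was updated."`), so a consumer cannot tell which timestamp belongs to which key; if the first is the parent SAM key and the second the per-group subkey, say so, e.g. `"Last write time of this group's own subkey."`. `group-users` is `text` with `multiple`; membership of privileged groups is what analysts search for, so leaving correlation enabled (as it is) is right, but the description should state that each entry is one account name.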


@ -0,0 +1,59 @@
{
"required": [
"key",
"BHO-name"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"BHO-name": {
"description": "Name of the browser helper object.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BHO-key-last-write-time": {
"description": "Date and time when the BHO key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"class": {
"description": "Class to which the BHO belongs to.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"module": {
"description": "DLL module the BHO belongs to.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the BHO.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.",
"meta-category": "misc",
"uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2",
"name": "regripper-software-hive-BHO"
}
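Review bot: `module` (the BHO's DLL) has `"disable_correlation": true`, but the module path is the one attribute that ties a browser-helper-object persistence entry to a sample seen elsewhere; drop the flag and type it `"misp-attribute": "filename"` so it correlates. `class` presumably holds the CLSID, which also identifies a BHO across systems — if that is what RegRipper emits, `"CLSID of the BHO."` is a clearer description than `"Class to which the BHO belongs to."` and correlation on it is worth keeping. A hash attribute for the module would give far stronger matching than the path alone, but that is a design choice for the template author.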


@ -0,0 +1,53 @@
{
"required": [
"key",
"DLL-name",
"DLL-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"DLL-name": {
"description": "Name of the DLL file.",
"ui-priority": 0,
"misp-attribute": "text"
},
"DLL-path": {
"description": "Path where the DLL file is stored.",
"ui-priority": 0,
"misp-attribute": "text"
},
"DLL-last-write-time": {
"description": "Date and time when the DLL file was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the DLL file.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the DLL files installed on the system.",
"meta-category": "misc",
"uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859",
"name": "regripper-software-hive-appInit-DLLS"
}
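Review bot: The template description `"...information of the DLL files installed on the system."` undersells the artefact: AppInit_DLLs entries are loaded into processes that link user32.dll and are a well-known persistence location, and the description should say `"DLLs registered under the AppInit_DLLs value"` so consumers know why the object matters. `DLL-name`/`DLL-path` are capitalised differently from the rest of the key set (`key`, `last-write-time`, `comments`); `dll-name`/`dll-path` keeps the convention. The template name `regripper-software-hive-appInit-DLLS` likewise mixes camelCase and upper-case; template names are referenced verbatim by tooling, so settle the casing before the first release.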


@ -0,0 +1,49 @@
{
"required": [
"key",
"executable-file-name",
"path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"executable-file-name": {
"description": "Name of the executable file.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"path": {
"description": "Path of the executable file.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the application installed.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the application paths.",
"meta-category": "misc",
"uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8",
"name": "regripper-software-hive-application-paths"
}
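Review bot: `executable-file-name` and `path` are both `"multiple": true`, which makes them two parallel lists with no way to say which path belongs to which executable once there is more than one of each; either make one object per App Paths entry (drop `multiple` on both) or keep a single full-path attribute. The same parallel-list shape appears in `application-name`/`application-path` of regripper-software-hive-software-run. `path` is `text`; `filename` would let the full path correlate with file indicators from other events.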


@ -0,0 +1,57 @@
{
"required": [
"key",
"app-name"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"key-path": {
"description": "Path of the key.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"app-name": {
"description": "Name of the application.",
"ui-priority": 0,
"misp-attribute": "text"
},
"app-last-write-time": {
"description": "Date and time when the application key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"version": {
"description": "Version of the application.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the application installed.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the applications installed on the system.",
"meta-category": "misc",
"uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
"name": "regripper-software-hive-applications-installed"
}
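Review bot: `key` (`"Software hive key where the information is retrieved from."`) and `key-path` (`"Path of the key."`) overlap — it is unclear whether `key` is the per-application subkey name and `key-path` its full path, or something else; the descriptions should distinguish them, e.g. `"key-path": "Full registry path of the per-application subkey."`. The same pair exists in regripper-software-hive-software-run, where `key` additionally carries a `sane_default` of `Run`/`RunOnce`/…, suggesting `key` is really a category selector and `key-path` the actual key. An attribute named `version` inside `attributes` is valid JSON but reads confusingly next to the template-level `"version": 1`; `app-version` avoids that.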


@ -0,0 +1,55 @@
{
"required": [
"key",
"shell",
"shell-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"shell": {
"description": "Type of shell used to execute the command.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"exe",
"cmd",
"bat",
"hta",
"pif",
"Other"
],
"disable_correlation": true
},
"shell-path": {
"description": "Path of the shell.",
"ui-priority": 0,
"misp-attribute": "text"
},
"command": {
"description": "Command executed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
"meta-category": "misc",
"uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
"name": "regripper-software-hive-command-shell"
}
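Review bot: The `shell` attribute's `sane_default` values (`exe`, `cmd`, `bat`, `hta`, `pif`) are file extensions, not shells, so its description `"Type of shell used to execute the command."` is misleading; presumably these come from the per-extension `shell\open\command` handlers RegRipper reports, in which case `"File extension whose open/command handler is recorded."` describes the data. `command` is the attribute with detection value — a modified handler is a persistence technique — so leaving correlation on is right, and the description could note that a handler differing from the stock value for that extension is what analysts should look for.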


@ -0,0 +1,125 @@
{
"required": [
"win-cv-path",
"CurrentVersion"
],
"attributes": {
"win-cv-path": {
"description": "key where the windows information is retrieved from",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"RegisteredOrganization": {
"description": "Name of the registered organization.",
"ui-priority": 0,
"misp-attribute": "text"
},
"RegisteredOwner": {
"description": "Name of the registered owner.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentVersion": {
"description": "Current version of windows",
"ui-priority": 0,
"disable_correlation": true
},
"CurrentBuild": {
"description": "Build number of the windows OS.",
"ui-priority": 0,
"misp-attribute": "text"
},
"SoftwareType": {
"description": "Software type of windows.",
"ui-priority": 0,
"sane_default": [
"System",
"Application",
"other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"InstallationType": {
"description": "Type of windows installation.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"InstallDate": {
"description": "Date when windows was installed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"SystemRoot": {
"description": "Root directory.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"PathName": {
"description": "Path to the root directory.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"EditionID": {
"description": "Windows edition.",
"ui-priority": 0,
"misp-attribute": "text"
},
"ProductName": {
"description": "Name of the windows version.",
"ui-priority": 0,
"misp-attribute": "text"
},
"ProductID": {
"description": "ID of the product version.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CSDVersion": {
"description": "Version of the service pack installed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"CurrentBuildType": {
"description": "Current build type of the OS.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildLab": {
"description": "Windows BuildLab string.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildGUID": {
"description": "Build ID.",
"ui-priority": 0,
"misp-attribute": "text"
},
"BuildLabEx": {
"description": "Windows BuildLabEx string.",
"ui-priority": 0,
"misp-attribute": "text"
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
"meta-category": "misc",
"uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
"name": "regripper-software-hive-windows-general-info"
}
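Review bot: `CurrentVersion` is in `required` but has no `misp-attribute`, so the attribute has no type and an object cannot be created from this template; add `"misp-attribute": "text"`. `comment` has `"misp-attribute": ""`, which is likewise not a valid type — every sibling template uses `"text"` for its comment attribute. `win-cv-path` is lower-case kebab while every other key here is the raw PascalCase registry value name; mirroring the value names is defensible, but then the path key should either follow that pattern or be named `key` like the other regripper templates.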


@ -0,0 +1,63 @@
{
"required": [
"key",
"application-name",
"application-path"
],
"attributes": {
"key": {
"description": "Software hive key where the information is retrieved from.",
"ui-priority": 0,
"sane_default": [
"Run",
"RunOnce",
"Runservices",
"Terminal",
"Other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"key-path": {
"description": "Path of the key.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"application-name": {
"description": "Name of the application run.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"application-path": {
"description": "Path where the application is installed.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "References to the applications.",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information of the applications set to run on the system.",
"meta-category": "misc",
"uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
"name": "regripper-software-hive-software-run"
}


@ -0,0 +1,160 @@
{
"required": [
"user-profile-key-path",
"SID"
],
"attributes": {
"user-profile-key-path": {
"description": "key where the user-profile information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"user-profile-key-last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"user-profile-path": {
"description": "Path of the user profile on the system",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"SID": {
"description": "Security identifier assigned to the user profile.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"user-profile-last-write-time": {
"description": "Date and time when the user profile was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"winlogon-key-path": {
"description": "winlogon key referred in order to retrieve default user information",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"winlogon-key-last-write-time": {
"description": "Date and time when the winlogon key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"DefaultUserName": {
"description": "user-name of the default user.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"Shell": {
"description": "Shell set to run when the user logs onto the system.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"multiple": true
},
"UserInit": {
"description": "Applications and files set to run when the user logs onto the system (User logon activity).",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"Legal-notice-caption": {
"description": "Message title set to display when the user logs-in.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true,
"disable_correlation": true
},
"Legal-notice-text": {
"description": "Message set to display when the user logs-in.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true,
"disable_correlation": true
},
"PreCreateKnownFolders": {
"description": "create known folders key",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"ReportBootOk": {
"description": "Flag to check if the reboot was successful.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"AutoRestartShell": {
"description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"PasswordExpiryWarining": {
"description": "Number of times the password expiry warning appeared.",
"ui-priority": 0,
"misp-attribute": "counter",
"disable_correlation": true
},
"PowerdownAfterShutDown": {
"description": "Flag value- if the system is set to power down after it is shutdown.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"ShutdownWithoutLogon": {
"description": "Value of the flag set to enable shutdown without requiring a user to login.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"WinStationsDisabled": {
"description": "Flag value set to enable/disable logons to the system.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"DisableCAD": {
"description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"AutoAdminLogon": {
"description": "Flag value to determine if autologon is enabled for a user without entering the password.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"CachedLogonCount": {
"description": "Number of times the user has logged into the system.",
"ui-priority": 0,
"misp-attribute": "counter",
"disable_correlation": true
},
"ShutdownFlags": {
"description": "Number of times shutdown is initiated from a process when the user is logged-in.",
"ui-priority": 0,
"misp-attribute": "counter",
"disable_correlation": true
},
"Comments": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.",
"meta-category": "misc",
"uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59",
"name": "regripper-software-hive-userprofile-winlogon"
}
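Review bot: `PasswordExpiryWarining` is misspelled (the Winlogon value is `PasswordExpiryWarning`), and its description `"Number of times the password expiry warning appeared."` is wrong — the value is the number of days before expiry at which the warning is shown; fix the key before release since renaming later breaks existing objects. `CachedLogonCount` is described as `"Number of times the user has logged into the system."`, but the Winlogon value is the number of domain logon credentials cached locally, which matters to responders because cached credentials remain usable when the host is off the domain. `AutoAdminLogon` and `DefaultUserName` are present but the accompanying `DefaultPassword` value (stored in clear text when auto-logon is configured) is not; if RegRipper's winlogon plugin reports it, an attribute with correlation disabled would let analysts flag exposed credentials. `Shell` and `UserInit` are `text`; as autostart entries they would correlate better typed `filename`.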


@ -0,0 +1,50 @@
{
"required": [
"profile"
],
"attributes": {
"profile": {
"description": "Firewall Profile type",
"ui-priority": 0,
"sane-default": [
"Domain Profile",
"Standard Profile",
"Network Profile",
"Public Profile",
"Private Profile",
"other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"last-write-time": {
"description": "Date and time when the firewall profile policy was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"enbled-firewall": {
"description": "Boolean flag to determine if the firewall is enabled.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"disable-notification": {
"description": "Boolean flag to determine if firewall notifications are enabled.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.",
"meta-category": "misc",
"uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07",
"name": "regripper-system-hive-firewall-configuration"
}
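Review bot: The `profile` attribute at the top of this file spells the key `"sane-default"` with a hyphen, while the other templates in this commit use `"sane_default"` (the `type` and `start` attributes of the services/drivers template, for example), so the dropdown values here would presumably be ignored by a consumer that looks for the underscored key; change it to `"sane_default": [`. The attribute key `enbled-firewall` is misspelled, and because attribute names are the template's interface the typo would have to be carried by every consumer once published; rename it `"enabled-firewall": {`. The `disable-notification` description reads as the opposite of its key name — `"Boolean flag to determine if firewall notifications are disabled."` would match it.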


@ -0,0 +1,89 @@
{
"required": [
"computer-name"
],
"attributes": {
"computer-name": {
"description": "name of the computer under analysis",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"shutdown-time": {
"description": "Date and time when the system was shutdown.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-last-write-time": {
"description": "Date and time when the timezone key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-bias": {
"description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-standard-name": {
"description": "Timezone standard name used during non-daylight saving months.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-standard-date": {
"description": "Standard date - non daylight saving months",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-standard-bias": {
"description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-daylight-name": {
"description": "Timezone name used during daylight saving months.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"timezone-daylight-date": {
"description": "Daylight date - daylight saving months",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"timezone-daylight-bias": {
"description": "value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"fDenyTSConnections:": {
"description": "Specifies whether remote connections are enabled or disabled on the system.",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to present general system properties extracted from the system-hive.",
"meta-category": "misc",
"uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4",
"name": "regripper-system-hive-general-configuration"
}
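Review bot: The `comment` attribute declares `"misp-attribute": ""`, which is not a valid attribute type and leaves that field unusable; the same empty value appears in the `comment` attribute of the services/drivers template later in this commit. The other templates use `"misp-attribute": "text"` for their comment fields, so that is the consistent fix in both places. The key `"fDenyTSConnections:"` carries a stray trailing colon that would become part of the attribute name; drop it. Its description could also state the polarity, since the registry value is a deny flag: `"Set when remote desktop (Terminal Services) connections are denied on the system; clear when they are allowed."`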


@ -0,0 +1,106 @@
{
"required": [
"network-key"
],
"attributes": {
"network-key": {
"description": "Registry key assigned to the network",
"ui-priority": 0,
"misp-attribute": "text"
},
"network-key-last-write-time": {
"description": "Date and time when the network key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"network-key-path": {
"description": "Path of the key where the information is retrieved from.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"TCPIP-key": {
"description": "TCPIP key",
"ui-priority": 0,
"misp-attribute": "text"
},
"TCPIP-key-last-write-time": {
"description": "Datetime when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"DHCP-domain": {
"description": "Name of the DHCP domain service",
"ui-priority": 0,
"misp-attribute": "text"
},
"DHCP-IP-address": {
"description": "DHCP service - IP address",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"DHCP-subnet-mask": {
"description": "DHCP subnet mask - IP address.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"DHCP-name-server": {
"description": "DHCP Name server - IP address.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"DHCP-server": {
"description": "DHCP server - IP address.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"interface-GUID": {
"description": "GUID value assigned to the interface.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"interface-last-write-time": {
"description": "Last date and time when the interface key was updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"interface-name": {
"description": "Name of the interface.",
"ui-priority": 0,
"misp-attribute": "text"
},
"interface-PnpInstanceID": {
"description": "Plug and Play instance ID assigned to the interface.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"interface-MediaSubType": {
"description": "",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"interface-IPcheckingEnabled": {
"description": "",
"ui-priority": 0,
"misp-attribute": "boolean",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper object template designed to gather network information from the system-hive.",
"meta-category": "misc",
"uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0",
"name": "regripper-system-hive-network-information."
}
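Review bot: The object `name` at the end of this file, `regripper-system-hive-network-information.`, ends with a period, unlike every other template name in the commit; the name is used as an identifier, so the trailing dot would have to be reproduced by every consumer. Drop it: `"name": "regripper-system-hive-network-information"`. Typing `DHCP-subnet-mask` as `ip-dst` is also questionable — a netmask (a constructed example: `255.255.255.0`) is not a destination address, and with correlation left enabled it would correlate with every other event recording the same common mask; `"misp-attribute": "text"` together with `"disable_correlation": true` seems closer to the intent. The descriptions of `interface-MediaSubType` and `interface-IPcheckingEnabled` are empty strings and should say what those registry values record.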


@ -0,0 +1,98 @@
{
"required": [
"name"
],
"attributes": {
"name": {
"description": "name of the key",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-write-time": {
"description": "Date and time when the key was last updated.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"display": {
"description": "Display name/information of the service or the driver.",
"ui-priority": 0,
"misp-attribute": "text"
},
"image-path": {
"description": "Path of the service/drive",
"ui-priority": 0,
"misp-attribute": "text"
},
"type": {
"description": "Service/driver type.",
"ui-priority": 0,
"sane_default": [
"Kernel driver",
"File system driver",
"Own process",
"Share process",
"Interactive",
"Other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"start": {
"description": "When the service/driver starts or executes.",
"ui-priority": 0,
"sane_default": [
"Boot start",
"System start",
"Auto start",
"Manual",
"Disabled"
],
"misp-attribute": "text",
"disable_correlation": true
},
"group": {
"description": "Group to which the system/driver belong to.",
"ui-priority": 0,
"sane_default": [
"Base",
"Boot Bus Extender",
"Boot File System",
"Cryptography",
"Extended base",
"Event Log",
"Filter",
"FSFilter Bottom",
"FSFilter Infrastructure",
"File System",
"FSFilter Virtualization",
"Keyboard Port",
"Network",
"NDIS",
"Parallel arbitrator",
"Pointer Port",
"PnP Filter",
"ProfSvc_Group",
"PNP_TDI",
"SCSI Miniport",
"SCSI CDROM Class",
"System Bus Extender",
"Video Save",
"other"
],
"misp-attribute": "text",
"disable_correlation": true
},
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"disable_correlation": true
}
},
"version": 1,
"description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.",
"meta-category": "misc",
"uuid": "78cdae45-2061-4b49-b1d6-71f562094a73",
"name": "regripper-system-hive-services-drivers"
}
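Review bot: The `image-path` description, `Path of the service/drive`, drops the last letter of "driver"; since the `display` attribute two entries above uses the full phrase, `"Path of the service/driver image."` keeps the wording consistent. The `group` description, `Group to which the system/driver belong to`, mixes "system" with the "service" used everywhere else in this file and doubles the preposition — `"Group to which the service/driver belongs."`. It may also be worth stating in the `type` and `start` descriptions that the listed sane defaults are human-readable labels rather than the raw numeric registry values, if that is how the data is expected to be entered.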