From 48c64c52fcc5e3f43b7a29af94c78bcf14bc5cc6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 1 Jun 2019 10:04:46 +0200
Subject: [PATCH] new: [shell-commands] Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
---
objects/shell-commands/definition.json | 62 ++++++++++++++++++++++++++
1 file changed, 62 insertions(+)
create mode 100644 objects/shell-commands/definition.json
diff --git a/objects/shell-commands/definition.json b/objects/shell-commands/definition.json
new file mode 100644
index 0000000..37160ea
--- /dev/null
+++ b/objects/shell-commands/definition.json
@@ -0,0 +1,62 @@
+{
+ "requiredOneOf": [
+ "shell-command"
+ ],
+ "attributes": {
+ "script": {
+ "description": "Free text of the script if available which executed the shell commands.",
+ "ui-priority": 10,
+ "misp-attribute": "text"
+ },
+ "comment": {
+ "description": "Comment associated to the shell commands executed.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "language": {
+ "description": "Scripting language used for the shell commands executed.",
+ "ui-priority": 9,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "PowerShell",
+ "VBScript",
+ "Bash",
+ "Lua",
+ "JavaScript",
+ "AppleScript",
+ "AWK",
+ "Python",
+ "Perl",
+ "Ruby",
+ "Winbatch",
+ "AutoIt",
+ "PHP"
+ ]
+ },
+ "shell-command": {
+ "description": "",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "state": {
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "description": "Known state of the script.",
+ "multiple": true,
+ "disable_correlation": true,
+ "values_list": [
+ "Malicious",
+ "Unknown",
+ "Harmless",
+ "Trusted"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.",
+ "meta-category": "misc",
+ "uuid": "fee65efa-eb64-4516-8611-1db76c589f79",
+ "name": "script"
+}
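Review bot: The `shell-command` attribute, the only member of `requiredOneOf`, has an empty `"description": ""`, so the one field every instance of this object must carry is the only one left undocumented; something like `"description": "Shell command executed. Add one attribute per command."` would do. The template is also named `"name": "script"` while it lives under `objects/shell-commands/` and the subject tags it `[shell-commands]`; if the template name is expected to match the directory, one of the two should change. Unlike `language` and `state`, `shell-command` and `script` do not set `disable_correlation`, so short, generic commands are likely to correlate across unrelated events and produce noise — worth confirming that correlation on these values is intended.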