From 593d80abd1f0f840be6f0317f454144d8938151d Mon Sep 17 00:00:00 2001
From: matthijsvp
Date: Fri, 1 Jul 2022 16:43:22 +0200
Subject: [PATCH 1/3] initial commit
---
 objects/attack-step/definition.json | 83 +++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 objects/attack-step/definition.json
diff --git a/objects/attack-step/definition.json b/objects/attack-step/definition.json
new file mode 100644
index 0000000..b0f5573
--- /dev/null
+++ b/objects/attack-step/definition.json
@@ -0,0 +1,83 @@
+{
+ "attributes": {
+ "source-ip": {
+ "description": "IP source of the attack step, if any.",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1
+ },
+ "source-domain": {
+ "description": "Domain source of the attack step, if any.",
+ "misp-attribute": "domain",
+ "ui-priority": 1
+ },
+ "source-misc": {
+ "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "dst-ip": {
+ "description": "IP destination of the attack step, if any.",
+ "misp-attribute": "ip-dst",
+ "disable-correlation": true,
+ "ui-priority": 1
+ },
+ "dst-domain": {
+ "description": "Domain destination of the attack step, if any.",
+ "misp-attribute": "domain",
+ "disable-correlation": true,
+ "ui-priority": 1
+ },
+ "dst-misc": {
+ "description": "Other type of source of the attack step, if any. This can be e.g. localhost.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "description": {
+ "description": "Description of the attack step",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "command-line": {
+ "description": "Command line used to execute attack step, if any.",
+ "multiple": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "succesful": {
+ "description": "Was this attack step succesful?",
+ "misp-attribute": "boolean",
+ "sane_default": [
+ "True",
+ "False"
+ ],
+ "ui-priority": 1
+ },
+ "key-step": {
+ "description": "Was this attack step object a key step within the context of the incident/event?",
+ "misp-attribute": "boolean",
+ "sane_default": [
+ "True",
+ "False"
+ ],
+ "ui-priority": 1
+ },
+ "detections": {
+ "description": "Detections by the victim's monitoring capabilities.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "expected-response": {
+ "description": "Response or detection expected (in case of purple teaming)",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
+ "meta-category": "misc",
+ "name": "attack-step",
+ "requiredOneOf": [
+ "description"
+ ],
+ "uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
+ "version": 1
+}
\ No newline at end of file
From 896fb727358366b949dfa74b9321d979c6e53e62 Mon Sep 17 00:00:00 2001
From: matthijsvp
Date: Fri, 1 Jul 2022 16:47:23 +0200
Subject: [PATCH 2/3] Merge from master
---
 objects/attack-step/definition.json | 88 ++++++++++++++---------------
 1 file changed, 44 insertions(+), 44 deletions(-)
diff --git a/objects/attack-step/definition.json b/objects/attack-step/definition.json
index b0f5573..0c63e05 100644
--- a/objects/attack-step/definition.json
+++ b/objects/attack-step/definition.json
@@ -1,35 +1,9 @@
 {
 "attributes": {
- "source-ip": {
- "description": "IP source of the attack step, if any.",
- "misp-attribute": "ip-src",
- "ui-priority": 1
- },
- "source-domain": {
- "description": "Domain source of the attack step, if any.",
- "misp-attribute": "domain",
- "ui-priority": 1
- },
- "source-misc": {
- "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.",
- "misp-attribute": "text",
- "ui-priority": 1
- },
- "dst-ip": {
- "description": "IP destination of the attack step, if any.",
- "misp-attribute": "ip-dst",
- "disable-correlation": true,
- "ui-priority": 1
- },
- "dst-domain": {
- "description": "Domain destination of the attack step, if any.",
- "misp-attribute": "domain",
- "disable-correlation": true,
- "ui-priority": 1
- },
- "dst-misc": {
- "description": "Other type of source of the attack step, if any. This can be e.g. localhost.",
+ "command-line": {
+ "description": "Command line used to execute attack step, if any.",
 "misp-attribute": "text",
+ "multiple": true,
 "ui-priority": 1
 },
 "description": {
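Review bot: The attribute key `succesful` (and its description text) is misspelled in the new template; the key is the identifier every object instantiated from this template will carry, so it should be renamed to `"successful": {` with `"description": "Was this attack step successful?"` before the template is published rather than after. The `dst-misc` description is copied from `source-misc` and still says "Other type of source", where the destination counterpart should read `"Other type of destination of the attack step, if any. This can be e.g. localhost."`. The file is also written without a trailing newline. The `uuid` value is uppercase hex; if the repository's other templates and its validation tooling expect lowercase UUIDs (not verifiable from this hunk), normalise it in the same commit.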
@@ -37,19 +11,31 @@
 "misp-attribute": "text",
 "ui-priority": 1
 },
- "command-line": {
- "description": "Command line used to execute attack step, if any.",
- "multiple": true,
+ "detections": {
+ "description": "Detections by the victim's monitoring capabilities.",
 "misp-attribute": "text",
 "ui-priority": 1
 },
- "succesful": {
- "description": "Was this attack step succesful?",
- "misp-attribute": "boolean",
- "sane_default": [
- "True",
- "False"
- ],
+ "dst-domain": {
+ "description": "Domain destination of the attack step, if any.",
+ "disable-correlation": true,
+ "misp-attribute": "domain",
+ "ui-priority": 1
+ },
+ "dst-ip": {
+ "description": "IP destination of the attack step, if any.",
+ "disable-correlation": true,
+ "misp-attribute": "ip-dst",
+ "ui-priority": 1
+ },
+ "dst-misc": {
+ "description": "Other type of source of the attack step, if any. This can be e.g. localhost.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "expected-response": {
+ "description": "Response or detection expected (in case of purple teaming)",
+ "misp-attribute": "text",
 "ui-priority": 1
 },
 "key-step": {
@@ -61,14 +47,28 @@
 ],
 "ui-priority": 1
 },
- "detections": {
- "description": "Detections by the victim's monitoring capabilities.",
+ "source-domain": {
+ "description": "Domain source of the attack step, if any.",
+ "misp-attribute": "domain",
+ "ui-priority": 1
+ },
+ "source-ip": {
+ "description": "IP source of the attack step, if any.",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1
+ },
+ "source-misc": {
+ "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.",
 "misp-attribute": "text",
 "ui-priority": 1
 },
- "expected-response": {
- "description": "Response or detection expected (in case of purple teaming)",
- "misp-attribute": "text",
+ "succesful": {
+ "description": "Was this attack step succesful?",
+ "misp-attribute": "boolean",
+ "sane_default": [
+ "True",
+ "False"
+ ],
 "ui-priority": 1
 }
 },
From 8e024f48636c6091585895df47d7cc1f1a73013f Mon Sep 17 00:00:00 2001
From: matthijsvp
Date: Fri, 1 Jul 2022 16:59:03 +0200
Subject: [PATCH 3/3] chg: Fixed typo in disable_correlation
---
 objects/attack-step/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/attack-step/definition.json b/objects/attack-step/definition.json
index 0c63e05..ec30a13 100644
--- a/objects/attack-step/definition.json
+++ b/objects/attack-step/definition.json
@@ -18,13 +18,13 @@
 },
 "dst-domain": {
 "description": "Domain destination of the attack step, if any.",
- "disable-correlation": true,
+ "disable_correlation": true,
 "misp-attribute": "domain",
 "ui-priority": 1
 },
 "dst-ip": {
 "description": "IP destination of the attack step, if any.",
- "disable-correlation": true,
+ "disable_correlation": true,
 "misp-attribute": "ip-dst",
 "ui-priority": 1
 },