From 93977fe6eff0d4fd48ccd266fbfa947f39af67a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Fri, 26 Jul 2024 15:49:41 +0200
Subject: [PATCH 01/20] fix: address_of_entrypoint -> address-of-entrypoint
---
 objects/pe-optional-header/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/pe-optional-header/definition.json b/objects/pe-optional-header/definition.json
index 6d477d4..0db4a2d 100644
--- a/objects/pe-optional-header/definition.json
+++ b/objects/pe-optional-header/definition.json
@@ -237,8 +237,8 @@
 "meta-category": "file",
 "name": "pe-optional-header",
 "requiredOneOf": [
- "address_of_entrypoint"
+ "address-of-entrypoint"
 ],
 "uuid": "ebde65ab-ce98-413d-a518-8f37bc79bcb9",
 "version": 2
-}
\ No newline at end of file
+}
From b58fd9afafb3eb8443b738343cc1cd584ac806e4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 26 Jul 2024 16:39:28 +0200
Subject: [PATCH 02/20] chg: [pe-optional-header] jq all the things
---
 objects/pe-optional-header/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/pe-optional-header/definition.json b/objects/pe-optional-header/definition.json
index 0db4a2d..c6bbc22 100644
--- a/objects/pe-optional-header/definition.json
+++ b/objects/pe-optional-header/definition.json
@@ -241,4 +241,4 @@
 ],
 "uuid": "ebde65ab-ce98-413d-a518-8f37bc79bcb9",
 "version": 2
-}
+}
\ No newline at end of file
From 14c2bd9b5fdd459fbb537f3420c8980dfc0b42f7 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Mon, 5 Aug 2024 14:14:17 -0400
Subject: [PATCH 03/20] upd: [network-profile] add Yandex in `service-abuse` list.
---
 objects/network-profile/definition.json | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/objects/network-profile/definition.json b/objects/network-profile/definition.json
index 687ac6b..451266f 100644
--- a/objects/network-profile/definition.json
+++ b/objects/network-profile/definition.json
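Review bot: The `requiredOneOf` entry is corrected to `address-of-entrypoint`, but `"version": 2` on the line below is left as it was, so MISP instances that already hold version 2 of this template will not refresh it and keep the stale constraint; bump it, e.g. `"version": 3`, as patch 03 in this series does for a far smaller change to `network-profile`. The fix also only works if an attribute with exactly that key exists in the `attributes` block, which lies outside this hunk, so please confirm the key there is spelled the same way.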
@@ -129,7 +129,8 @@
 "Google",
 "DuckDNS",
 "Cloudflare",
- "AWS"
+ "AWS",
+ "Yandex"
 ]
 },
 "subdomain": {
@@ -214,5 +215,5 @@
 "url"
 ],
 "uuid": "f0f9e287-8067-49a4-b0f8-7a0fed8d4e43",
- "version": 5
-}
\ No newline at end of file
+ "version": 6
+}
From e46ddddb4fd2247f34df24ed1e0b3d37c5c94571 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 6 Aug 2024 17:57:11 +0200
Subject: [PATCH 04/20] chg: [network-profile] new-line
---
 objects/network-profile/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/network-profile/definition.json b/objects/network-profile/definition.json
index 451266f..a44cf8b 100644
--- a/objects/network-profile/definition.json
+++ b/objects/network-profile/definition.json
@@ -216,4 +216,4 @@
 ],
 "uuid": "f0f9e287-8067-49a4-b0f8-7a0fed8d4e43",
 "version": 6
-}
+}
\ No newline at end of file
From 40209922861f5786d6cd9031b257ada9328d7393 Mon Sep 17 00:00:00 2001
From: Daniel Pascual
Date: Tue, 6 Aug 2024 18:10:00 +0200
Subject: [PATCH 05/20] Add Google Threat Intelligence report
---
 .../definition.json | 75 +++++++++++++++++++
 1 file changed, 75 insertions(+)
 create mode 100644 objects/google-threat-intelligence-report/definition.json
diff --git a/objects/google-threat-intelligence-report/definition.json b/objects/google-threat-intelligence-report/definition.json
new file mode 100644
index 0000000..70ad679
--- /dev/null
+++ b/objects/google-threat-intelligence-report/definition.json
@@ -0,0 +1,75 @@
+{
+ "attributes": {
+ "severity": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "GTI Severity",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "verdict": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "GTI Verdict",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "threat-score": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "GTI Threat Score",
+ "disable_correlation": true,
+ "misp-attribute": "integer",
+ "ui-priority": 1
+ },
+ "detection-ratio": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Detection Ratio",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "first-submission": {
+ "categories": [
+ "Other"
+ ],
+ "description": "First Submission",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "last-submission": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Last Submission",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "permalink": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Permalink Reference",
+ "disable_correlation": true,
+ "misp-attribute": "link",
+ "ui-priority": 2
+ }
+ },
+ "description": "Google Threat Intelligence report that provides an assessment (verdict, severity and scoring) and combined information from VirusTotal and Mandiant",
+ "meta-category": "misc",
+ "name": "google-threat-intelligence-report",
+ "required": [
+ "permalink"
+ ],
+ "uuid": "e288e533-2736-438a-8136-26cac06be1e7",
+ "version": 1
+}
From 51165e279a926ed298bc61f14e02581c88fb3e1b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 6 Aug 2024 18:21:05 +0200
Subject: [PATCH 06/20] chg: [google-threat-intelligene-report] JSON clean-up
---
 .../definition.json | 56 +++++++++---------
 1 file changed, 28 insertions(+), 28 deletions(-)
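Review bot: `severity` and `verdict` are free `text` attributes with no `sane_default`, so nothing in the template constrains the labels a producer writes and any downstream filtering or tagging on them depends on every producer spelling the GTI values identically. Adding a `sane_default` list with the labels the GTI API emits (e.g. `"sane_default": ["<GTI verdict labels>"]`, values to be taken from the vendor documentation) would pin the vocabulary the way `user-action` does later in this series. Every attribute, including the `link`-typed `permalink` that is the only required one, carries `disable_correlation: true`, so two events referencing the same report will not correlate; if that is deliberate it deserves a word in the object `description`.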
diff --git a/objects/google-threat-intelligence-report/definition.json b/objects/google-threat-intelligence-report/definition.json
index 70ad679..9dab99c 100644
--- a/objects/google-threat-intelligence-report/definition.json
+++ b/objects/google-threat-intelligence-report/definition.json
@@ -1,32 +1,5 @@
 {
 "attributes": {
- "severity": {
- "categories": [
- "External analysis"
- ],
- "description": "GTI Severity",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 1
- },
- "verdict": {
- "categories": [
- "External analysis"
- ],
- "description": "GTI Verdict",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 1
- },
- "threat-score": {
- "categories": [
- "External analysis"
- ],
- "description": "GTI Threat Score",
- "disable_correlation": true,
- "misp-attribute": "integer",
- "ui-priority": 1
- },
 "detection-ratio": {
 "categories": [
 "External analysis"
@@ -62,6 +35,33 @@
 "disable_correlation": true,
 "misp-attribute": "link",
 "ui-priority": 2
+ },
+ "severity": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "GTI Severity",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "threat-score": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "GTI Threat Score",
+ "disable_correlation": true,
+ "misp-attribute": "integer",
+ "ui-priority": 1
+ },
+ "verdict": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "GTI Verdict",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
 }
 },
 "description": "Google Threat Intelligence report that provides an assessment (verdict, severity and scoring) and combined information from VirusTotal and Mandiant",
@@ -72,4 +72,4 @@
 ],
 "uuid": "e288e533-2736-438a-8136-26cac06be1e7",
 "version": 1
-}
+}
\ No newline at end of file
From 62bc75edd8f1194d8701706b8f54e3f3060d948b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy Date: Wed, 7 Aug 2024 09:15:31 +0200 Subject: [PATCH 07/20] chg: [doc] list of object templates updated --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 1ad9682..8ea653e 100644 --- a/README.md +++ b/README.md @@ -162,6 +162,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern. - [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field. - [objects/ddos-claim](https://github.com/MISP/misp-objects/blob/main/objects/ddos-claim/definition.json) - DDoS-claim object describes a current claim of DDoS activity. +- [objects/ddos-config](https://github.com/MISP/misp-objects/blob/main/objects/ddos-config/definition.json) - DDoS-claim object describes a current claim of DDoS activity. - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device. - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks. - [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes. 
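Review bot: The new `objects/ddos-config` entry reuses the `ddos-claim` text verbatim (`DDoS-claim object describes a current claim of DDoS activity.`), so the list now carries the same description for two different templates and a reader cannot tell what `ddos-config` holds. If this README is generated from each template's `description` field, as the subject `[doc] list of object templates updated` suggests, the wording needs correcting in `objects/ddos-config/definition.json` and the list regenerating rather than editing this line by hand.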
@@ -254,6 +255,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user. - [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance. - [objects/google-safe-browsing](https://github.com/MISP/misp-objects/blob/main/objects/google-safe-browsing/definition.json) - Google Safe checks a URL against Google's constantly updated list of unsafe web resources. +- [objects/google-threat-intelligence-report](https://github.com/MISP/misp-objects/blob/main/objects/google-threat-intelligence-report/definition.json) - Google Threat Intelligence report that provides an assessment (verdict, severity and scoring) and combined information from VirusTotal and Mandiant. - [objects/greynoise-ip](https://github.com/MISP/misp-objects/blob/main/objects/greynoise-ip/definition.json) - GreyNoise IP Information. - [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks. - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup. From c7445733b3385b56f97e7c8d725d66e5c6359e13 Mon Sep 17 00:00:00 2001 From: th3r3d Date: Fri, 16 Aug 2024 15:27:34 +0200 Subject: [PATCH 08/20] Update ADS to v2 Added Categorization Others for more granular view of MITRE Att&ck TTP used --- objects/ADS/definition.json | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/objects/ADS/definition.json b/objects/ADS/definition.json index 2d23077..f3ee2bf 100644 --- a/objects/ADS/definition.json +++ b/objects/ADS/definition.json 
@@ -22,6 +22,12 @@
 "multiple": true,
 "ui-priority": 10
 },
+ "categorization_others": {
+ "description": "Provides a mapping of the ADS to the relevant entry in the Att&CK if 'categorization is not sufficient'.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 13
+ },
 "date": {
 "description": "Enter date, when ADS has been created or edited.",
 "misp-attribute": "datetime",
@@ -76,6 +82,6 @@
 "goal",
 "categorization"
 ],
- "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
- "version": 1
-}
\ No newline at end of file
+ "uuid": "4f2a8d9a-6c3b-4e3b-9076-fc2c0a9246b7",
+ "version": 2
+}
From 1e01268720a48a32c60787f9ae2f4b2aa06cbdb2 Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Sat, 17 Aug 2024 11:02:03 +0200
Subject: [PATCH 09/20] Updated UUID Updated UUID to last version.
---
 objects/ADS/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ADS/definition.json b/objects/ADS/definition.json
index f3ee2bf..ee885f4 100644
--- a/objects/ADS/definition.json
+++ b/objects/ADS/definition.json
@@ -82,6 +82,6 @@
 "goal",
 "categorization"
 ],
- "uuid": "4f2a8d9a-6c3b-4e3b-9076-fc2c0a9246b7",
+ "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
 "version": 2
 }
From ee3318c15b78ec5cc4d02476176370c066a94f1a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 22 Aug 2024 10:56:11 +0200
Subject: [PATCH 10/20] chg: [ADS] updated
---
 objects/ADS/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ADS/definition.json b/objects/ADS/definition.json
index ee885f4..ba1c64f 100644
--- a/objects/ADS/definition.json
+++ b/objects/ADS/definition.json
@@ -84,4 +84,4 @@
 ],
 "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
 "version": 2
-}
+}
\ No newline at end of file
From fa2973b502a9c91ec18c5d0c0321476ef150b3ad Mon Sep 17 00:00:00 2001
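Review bot: The new attribute key `categorization_others` uses an underscore, whereas the keys this series otherwise normalises are hyphenated (patch 01 renames `address_of_entrypoint` to `address-of-entrypoint`, and the `crowdsec-ip-context` additions use `mitre-techniques`); `"categorization-others": {` would follow that convention, and because the key becomes the attribute's object_relation on every stored object it is far cheaper to rename now than after the template ships. The description's quoted clause `'categorization is not sufficient'` reads oddly; `"description": "Maps the ADS to the relevant ATT&CK entry when the categorization attribute is not specific enough."` says the same thing plainly.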
From: Julien Loizelet
Date: Fri, 23 Aug 2024 11:24:15 +0900
Subject: [PATCH 11/20] feat(crowdsec): Add attributes to crowdsec-ip-context object
---
 objects/crowdsec-ip-context/definition.json | 24 +++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/objects/crowdsec-ip-context/definition.json b/objects/crowdsec-ip-context/definition.json
index 2d425c9..6b98e47 100644
--- a/objects/crowdsec-ip-context/definition.json
+++ b/objects/crowdsec-ip-context/definition.json
@@ -29,7 +29,7 @@
 "ui-priority": 1
 },
 "background-noise": {
- "description": "Background noise",
+ "description": "High background noise scores highlight untargeted, mild threat mass-attacks",
 "disable_correlation": true,
 "misp-attribute": "float",
 "ui-priority": 1
@@ -66,6 +66,13 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "cves": {
+ "description": "CVEs exploited by the observed IP",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
 "dst-port": {
 "categories": [
 "Network activity",
@@ -124,6 +131,19 @@
 "misp-attribute": "float",
 "ui-priority": 1
 },
+ "mitre-techniques": {
+ "description": "MITRE ATT&CK techniques used by the observed IP",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "reputation": {
+ "description": "Real-time, actionable IP reputation score derived from trusted reports and consensus-validated data in CrowdSec CTI",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
 "reverse-dns": {
 "categories": [
 "Network activity",
@@ -159,5 +179,5 @@
 "ip"
 ],
 "uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f",
- "version": 3
+ "version": 4
 }
\ No newline at end of file
From 3d07f2ddc6ed9cf87286bdf5f5253939bf0eba4a Mon Sep 17 00:00:00 2001
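Review bot: `cves` in the second hunk is typed `text` with `disable_correlation: true`, so CVE identifiers recorded here will never correlate with `vulnerability` attributes elsewhere in the instance, which is the main reason to capture them; `"misp-attribute": "vulnerability"` without the `disable_correlation` line would give that for free, assuming the CrowdSec feed supplies bare CVE ids. `reputation` in the third hunk is described as a score yet typed `text`, unlike its sibling `background-noise`, which is `float` in the first hunk; if the API returns a categorical label, a `sane_default` listing the labels would make that explicit, and if it is numeric, `float` would keep the two consistent.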
From: Alexandre Dulaunoy
Date: Thu, 19 Sep 2024 09:09:40 +0200
Subject: [PATCH 12/20] new: [user-action] new user-action object added
---
 objects/user-action/definition.json | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 objects/user-action/definition.json
diff --git a/objects/user-action/definition.json b/objects/user-action/definition.json
new file mode 100644
index 0000000..31d5898
--- /dev/null
+++ b/objects/user-action/definition.json
@@ -0,0 +1,29 @@
+{
+ "attributes": {
+ "action": {
+ "description": "Action performed by the user",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "Click",
+ "Install",
+ "Execute",
+ "Plug",
+ "Scan",
+ "Unknown"
+ ],
+ "ui-priority": 1
+ },
+ "description": {
+ "description": "Description of the action performed by the user",
+ "disable_correlation": true,
+ "ui-priority": 1
+ }
+ },
+ "description": "Represent an user action",
+ "meta-category": "misc",
+ "name": "user-action",
+ "uuid": "699dcf9d-2fa2-4200-a5cf-1d1e124e28c1",
+ "version": 1
+}
\ No newline at end of file
From 7bef45c74d48d8cfb44ba6af364bbe2e0bfaacc8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 19 Sep 2024 09:15:54 +0200
Subject: [PATCH 13/20] chg: [user-action] fixed
---
 objects/user-action/definition.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/objects/user-action/definition.json b/objects/user-action/definition.json
index 31d5898..a61bf43 100644
--- a/objects/user-action/definition.json
+++ b/objects/user-action/definition.json
@@ -18,6 +18,7 @@
 "description": {
 "description": "Description of the action performed by the user",
 "disable_correlation": true,
+ "misp-attribute": "text",
 "ui-priority": 1
 }
 },
From 81968ba088dd3e0b6a0988f23485361b92a14bfc Mon Sep 17 00:00:00 2001
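Review bot: The new `user-action` template declares neither `required` nor `requiredOneOf`, so an object of this type can be created with no attributes at all; adding `"requiredOneOf": ["action", "description"]` after `"name"` would prevent empty instances, the way `pe-optional-header` and `network-profile` constrain theirs earlier in this series. The object-level `"description": "Represent an user action"` should read `"Represents a user action"`.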
From: Alexandre Dulaunoy Date: Thu, 19 Sep 2024 15:23:19 +0200 Subject: [PATCH 14/20] chg: [shadowserver-scan-http-proxy] new template for MISP-LEA project --- .../definition.json | 185 ++++++++++++++++++ 1 file changed, 185 insertions(+) create mode 100644 objects/shadowserver-scan-http-proxy/definition.json diff --git a/objects/shadowserver-scan-http-proxy/definition.json b/objects/shadowserver-scan-http-proxy/definition.json new file mode 100644 index 0000000..dd1e354 --- /dev/null +++ b/objects/shadowserver-scan-http-proxy/definition.json 
@@ -0,0 +1,185 @@ +{ + "attributes": { + "asn": { + "description": "ASN where the IP resides", + "misp-attribute": "AS", + "ui-priority": 0 + }, + "city": { + "description": "City location of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "connection": { + "description": "Control options for the current connection and list of hop-by-hop request fields", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "content_length": { + "description": "The length of the response body in octets", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "content_type": { + "description": "The MIME type of the body of the request", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "geo": { + "description": "Country location of the IP", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "hostname": { + "description": "Any of the capabilities identified for the malware instance or family.", + "misp-attribute": "hostname", + "multiple": true, + "ui-priority": 0 + }, + "hostname_source": { + "description": "Hostname source", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "http": { + "description": "Hypertext Transfer Protocol Version", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "http_code": { + "description": "HTTP Response code: e.g., 200, 401, 404", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "http_date": { + "description": "The date and time that the message was sent", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "http_reason": { + "description": "The text reason to go with the HTTP Code", + 
"disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "ip": { + "description": "The IP address of the device in question", + "misp-attribute": "ip-src", + "multiple": true, + "ui-priority": 0 + }, + "naics": { + "description": "North American Industry Classification System Code", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "port": { + "description": "Port the response came from", + "misp-attribute": "port", + "multiple": true, + "ui-priority": 0 + }, + "protocol": { + "description": "Protocol observed in the network traffic", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "proxy_authenticate": { + "description": "The authentication method that should be used to gain access to a resource behind a proxy server", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "region": { + "description": "Regional location of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "sector": { + "description": "Sector of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "server": { + "description": "HTTP Server type", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "severity": { + "description": "Severity leve", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "critical", + "high", + "medium", + "low", + "info" + ], + "ui-priority": 0 + }, + "tag": { + "description": "Array of tags associated with the URL if any. In this report typically it will be a CVE entry, for example CVE-2021-44228. This allows for better understanding of the URL context observed (ie. 
usage associated with a particular CVE).", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "timestamp": { + "description": "Time that the IP was probed in UTC+0", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "transfer_encoding": { + "description": "The form of encoding used to safely transfer the entity to the user", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "via": { + "description": "General header added by proxies", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + } + }, + "description": "This report identifies open HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse. https://www.shadowserver.org/what-we-do/network-reporting/open-http-proxy-report/", + "meta-category": "misc", + "name": "shadowserver-scan-http-proxy", + "required": [ + "timestamp", + "ip", + "port", + "tag" + ], + "uuid": "ad0c83d5-56bf-4300-8743-ed2b4caf6206", + "version": 1 +} \ No newline at end of file From c90bcd9402199caf9d336c57966e15347f9ed981 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 19 Sep 2024 15:32:29 +0200 Subject: [PATCH 15/20] new: [attacker-infra] added for the MISP-LEA project --- objects/attacker-infra/definition.json | 327 +++++++++++++++++++++++++ 1 file changed, 327 insertions(+) create mode 100644 objects/attacker-infra/definition.json diff --git a/objects/attacker-infra/definition.json b/objects/attacker-infra/definition.json new file mode 100644 index 0000000..974b275 --- /dev/null +++ b/objects/attacker-infra/definition.json 
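Review bot: The `hostname` attribute's description, `Any of the capabilities identified for the malware instance or family.`, is copied from a malware template and does not describe a hostname in an open-proxy scan report; the `attacker-infra` template added in the next patch uses `"description": "Reverse DNS name of the device in question"` for the same field, which fits here. `severity` has the typo `Severity leve` (`Severity level`). `timestamp` says `in UTC+0` while the type is `datetime`; stating whether the value carries an explicit timezone suffix helps consumers that normalise it, since an unmarked local time is ambiguous.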
@@ -0,0 +1,327 @@ +{ + "attributes": { + "architecture": { + "categories": [ + "External analysis" + ], + "description": "The CPU architecture of the beacon. Either x86 or x64", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "asn": { + "categories": [ + "Network activity" + ], + "description": "ASN where the IP resides", + "misp-attribute": "AS", + "ui-priority": 0 + }, + "beacon_host": { + "categories": [ + "External analysis" + ], + "description": "C2 of the beacon IP/hostname. (often matches the host that was scanned)", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "beacon_http_get": { + "categories": [ + "External analysis" + ], + "description": "Path that the beacon uses for the GET method", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "beacon_http_post": { + "categories": [ + "External analysis" + ], + "description": "Path that the beacon uses for the POST method", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "beacon_type": { + "categories": [ + "External analysis" + ], + "description": "Protocol that the beacon speaks. 
Usually HTTP", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "binary_md5": { + "categories": [ + "Payload delivery" + ], + "description": "MD5 of the PE binary", + "disable_correlation": true, + "misp-attribute": "md5", + "multiple": true, + "ui-priority": 0 + }, + "binary_sha1": { + "categories": [ + "Payload delivery" + ], + "description": "SHA1 of the PE binary", + "disable_correlation": true, + "misp-attribute": "sha1", + "multiple": true, + "ui-priority": 0 + }, + "binary_sha256": { + "categories": [ + "Payload delivery" + ], + "description": "SHA256 of the PE binary", + "disable_correlation": true, + "misp-attribute": "sha256", + "multiple": true, + "ui-priority": 0 + }, + "city": { + "categories": [ + "Other" + ], + "description": "City location of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "config_md5": { + "categories": [ + "External analysis" + ], + "description": "MD5 of the config file", + "disable_correlation": true, + "misp-attribute": "md5", + "multiple": true, + "ui-priority": 0 + }, + "config_sha1": { + "categories": [ + "External analysis" + ], + "description": "SHA1 of the config file", + "disable_correlation": true, + "misp-attribute": "sha1", + "multiple": true, + "ui-priority": 0 + }, + "config_sha256": { + "categories": [ + "External analysis" + ], + "description": "SHA256 of the config file", + "disable_correlation": true, + "misp-attribute": "sha256", + "multiple": true, + "ui-priority": 0 + }, + "content_length": { + "categories": [ + "Other" + ], + "description": "The length of the response body in octets", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "content_type": { + "categories": [ + "Other" + ], + "description": "The MIME type of the body of the request", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + 
}, + "encoded_data": { + "categories": [ + "Other" + ], + "description": "Base64 encoded config file", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "encoded_length": { + "categories": [ + "Other" + ], + "description": "Length of the base64 decoded raw config", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "geo": { + "categories": [ + "Other" + ], + "description": "Country location of the IP", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "hostname": { + "categories": [ + "Network activity" + ], + "description": "Reverse DNS name of the device in question", + "misp-attribute": "text", + "ui-priority": 0 + }, + "hostname_source": { + "categories": [ + "Other" + ], + "description": "Source of the hostname field contents", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "http": { + "categories": [ + "Network activity" + ], + "description": "HTTP version in used in response, e.g HTTP/1.1", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "http_code": { + "categories": [ + "Network activity" + ], + "description": "HTTP Response code: e.g., 200, 401, 404", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "http_url": { + "categories": [ + "Network activity" + ], + "description": "URL used to illicit the server response", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "ip": { + "categories": [ + "Network activity" + ], + "description": "IP of the of the URL", + "misp-attribute": "ip-src", + "multiple": true, + "ui-priority": 0 + }, + "license_id": { + "categories": [ + "External analysis" + ], + "description": "The license number", + "disable_correlation": true, + "misp-attribute": "text", + 
"multiple": true, + "ui-priority": 0 + }, + "naics": { + "categories": [ + "Other" + ], + "description": "North American Industry Classification System Code", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "port": { + "categories": [ + "Network activity" + ], + "description": "Port that the response came from", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "protocol": { + "categories": [ + "Network activity" + ], + "description": "Protocol the response came in on", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "region": { + "categories": [ + "Other" + ], + "description": "State / Province / Administrative region where the device in question resides", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "sector": { + "categories": [ + "Other" + ], + "description": "Sector of the device in question", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "severity": { + "categories": [ + "Other" + ], + "description": "Severity of the event", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "tag": { + "categories": [ + "Other" + ], + "description": "Attribute tags", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "timestamp": { + "description": "Time that the IP was probed in UTC+0", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + } + }, + "description": "Attacker Infrastructure", + "meta-category": "misc", + "name": "attacker-infra", + "required": [ + "ip", + "port" + ], + "uuid": "0211496c-dbcf-465b-a147-3d965da016cd", + "version": 2 +} \ No newline at end of file From 3549c45e2176016c261ce7918c350427829c2a81 Mon Sep 17 00:00:00 2001 
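Review bot: `binary_md5`, `binary_sha1`, `binary_sha256`, `config_md5`, `config_sha1`, `config_sha256` and `beacon_host` all set `disable_correlation: true`, so the one thing this template is good for — linking the same C2 payload or beacon host across events — is switched off by default; dropping the `disable_correlation` line on the hash attributes (they already use the `md5`/`sha1`/`sha256` types) and on `beacon_host` (which may hold an IP or a hostname, so `text` is defensible) would restore it. The file is created at `"version": 2`; new templates elsewhere in this series (`user-action`, `shadowserver-scan-http-proxy`) start at 1, so this looks like a leftover from a private draft. Several descriptions need a pass: `IP of the of the URL` (doubled words), `URL used to illicit the server response` (`elicit`), `HTTP version in used in response`, and the object-level `"description": "Attacker Infrastructure"` says nothing about what source populates the template or how it differs from the Shadowserver templates next to it.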
From: Alexandre Dulaunoy Date: Thu, 19 Sep 2024 15:36:13 +0200 Subject: [PATCH 16/20] chg: [doc] updated --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 8ea653e..3220f95 100644 --- a/README.md +++ b/README.md @@ -119,6 +119,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. - [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification. - [objects/attack-step](https://github.com/MISP/misp-objects/blob/main/objects/attack-step/definition.json) - An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks. +- [objects/attacker-infra](https://github.com/MISP/misp-objects/blob/main/objects/attacker-infra/definition.json) - Attacker Infrastructure. - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report. - [objects/authenticode-signerinfo](https://github.com/MISP/misp-objects/blob/main/objects/authenticode-signerinfo/definition.json) - Authenticode Signer Info. - [objects/av-signature](https://github.com/MISP/misp-objects/blob/main/objects/av-signature/definition.json) - Antivirus detection signature. 
@@ -384,6 +385,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/script](https://github.com/MISP/misp-objects/blob/main/objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
 - [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.
 - [objects/shadowserver-malware-url-report](https://github.com/MISP/misp-objects/blob/main/objects/shadowserver-malware-url-report/definition.json) - This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, it’s SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case they will often be IoT related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or in the case of a National CSIRT, your country. Ref: https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/.
+- [objects/shadowserver-scan-http-proxy](https://github.com/MISP/misp-objects/blob/main/objects/shadowserver-scan-http-proxy/definition.json) - This report identifies open HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse. https://www.shadowserver.org/what-we-do/network-reporting/open-http-proxy-report/.
 - [objects/shell-commands](https://github.com/MISP/misp-objects/blob/main/objects/shell-commands/definition.json) - Object describing a series of shell commands executed.
This object can be linked with malicious files in order to describe a specific execution of shell commands.
 - [objects/shodan-report](https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json) - Shodan Report for a given IP.
 - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.
@@ -437,6 +439,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/typosquatting-finder-result](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder-result/definition.json) - Typosquatting result.
 - [objects/url](https://github.com/MISP/misp-objects/blob/main/objects/url/definition.json) - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.
 - [objects/user-account](https://github.com/MISP/misp-objects/blob/main/objects/user-account/definition.json) - User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.
+- [objects/user-action](https://github.com/MISP/misp-objects/blob/main/objects/user-action/definition.json) - Represent an user action.
 - [objects/vehicle](https://github.com/MISP/misp-objects/blob/main/objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
 - [objects/victim](https://github.com/MISP/misp-objects/blob/main/objects/victim/definition.json) - Victim object describes the target of an attack or abuse.
 - [objects/virustotal-graph](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-graph/definition.json) - VirusTotal graph.
From 8cbcba4b5dea6c986ad81a657c01e15ed6bfbd02 Mon Sep 17 00:00:00 2001
From: rectifyq <170057705+rectifyq@users.noreply.github.com> Date: Fri, 20 Sep 2024 03:51:10 +0000 Subject: [PATCH 17/20] new: [misp-object] New ctf-challenge object --- objects/ctf-challenge/definition.json | 79 +++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 objects/ctf-challenge/definition.json
diff --git a/objects/ctf-challenge/definition.json b/objects/ctf-challenge/definition.json
new file mode 100644
index 0000000..b2d41d7
--- /dev/null
+++ b/objects/ctf-challenge/definition.json
@@ -0,0 +1,79 @@
+{
+ "description": "Capture-the-flag challenge object as defined by Rectifyq",
+ "meta-category": "misc",
+ "name": "ctf-challenge",
+ "required": [
+ "title"
+ ],
+ "uuid": "f9bb5d47-ff5b-4569-9987-4bb970639a55",
+ "version": 1,
+ "attributes": {
+ "title": {
+ "description": "The name of the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 4
+ },
+ "description": {
+ "description": "A brief explanation of the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 2
+ },
+ "category": {
+ "description": "The type of challenge (e.g., web, binary, forensics)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3,
+ "values_list": [
+ "Web",
+ "Reverse Engineering",
+ "Binary Exploitation",
+ "Forensics",
+ "Networking",
+ "Cryptography",
+ "OSINT",
+ "Misc"
+ ]
+ },
+ "points": {
+ "description": "The rewarded points for completing the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 1
+ },
+ "flag": {
+ "description": "Submitted and accepted CTF Challenge's flag",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "hints": {
+ "description": "Clues to help solve the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "attachment": {
+ "description": "Any relevant supporting files or resources that are attached to the challenge",
+ "disable_correlation": true,
+ "multiple": true,
+ "misp-attribute": "attachment",
+ "ui-priority": 1
+ },
+ "max_attempts": {
+ "description": "Maximum tries allowed",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 1
+ },
+ "solves": {
+ "description": "Number of people who solved the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 1
+ }
+ }
+}
\ No newline at end of file
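Review bot: `max_attempts` is the one attribute name in this new template written with an underscore; the other multi-word attribute names on this page are hyphenated (the `Origin-Host-*` attributes added to diameter-attack later in the series), and since attribute names become part of the template's contract once published, renaming it now to `"max-attempts": {` is cheaper than renaming later. `points` is typed `float` while the two other numeric attributes, `max_attempts` and `solves`, are `counter`; if points are always whole numbers, `counter` keeps the three consistent. The key-sorting hunk in the next patch (`@@ -1,79 +1,79 @@`) carries both over unchanged, so the same applies there.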
From d4a5bcf70c51bbbd641ad808f56b56bd09262406 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 20 Sep 2024 06:31:54 +0200 Subject: [PATCH 18/20] fix: [ctf-challenge] JSON jqed --- objects/ctf-challenge/definition.json | 152 +++++++++++++------------- 1 file changed, 76 insertions(+), 76 deletions(-)
diff --git a/objects/ctf-challenge/definition.json b/objects/ctf-challenge/definition.json
index b2d41d7..bfd60cb 100644
--- a/objects/ctf-challenge/definition.json
+++ b/objects/ctf-challenge/definition.json
@@ -1,79 +1,79 @@
 {
- "description": "Capture-the-flag challenge object as defined by Rectifyq",
- "meta-category": "misc",
- "name": "ctf-challenge",
- "required": [
- "title"
- ],
- "uuid": "f9bb5d47-ff5b-4569-9987-4bb970639a55",
- "version": 1,
- "attributes": {
- "title": {
- "description": "The name of the challenge",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 4
- },
- "description": {
- "description": "A brief explanation of the challenge",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 2
- },
- "category": {
- "description": "The type of challenge (e.g., web, binary, forensics)",
- "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 3,
- "values_list": [
- "Web",
- "Reverse Engineering",
- "Binary Exploitation",
- "Forensics",
- "Networking",
- "Cryptography",
- "OSINT",
- "Misc"
- ]
- },
- "points": {
- "description": "The rewarded points for completing the challenge",
- "disable_correlation": true,
- "misp-attribute": "float",
- "ui-priority": 1
- },
- "flag": {
- "description": "Submitted and accepted CTF Challenge's flag",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 0
- },
- "hints": {
- "description": "Clues to help solve the challenge",
- "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 1
- },
- "attachment": {
- "description": "Any relevant supporting files or resources that are attached to the challenge",
- "disable_correlation": true,
- "multiple": true,
- "misp-attribute": "attachment",
- "ui-priority": 1
- },
- "max_attempts": {
- "description": "Maximum tries allowed",
- "disable_correlation": true,
- "misp-attribute": "counter",
- "ui-priority": 1
- },
- "solves": {
- "description": "Number of people who solved the challenge",
- "disable_correlation": true,
- "misp-attribute": "counter",
- "ui-priority": 1
- }
+ "attributes": {
+ "attachment": {
+ "description": "Any 
relevant supporting files or resources that are attached to the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "category": {
+ "description": "The type of challenge (e.g., web, binary, forensics)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3,
+ "values_list": [
+ "Web",
+ "Reverse Engineering",
+ "Binary Exploitation",
+ "Forensics",
+ "Networking",
+ "Cryptography",
+ "OSINT",
+ "Misc"
+ ]
+ },
+ "description": {
+ "description": "A brief explanation of the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 2
+ },
+ "flag": {
+ "description": "Submitted and accepted CTF Challenge's flag",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "hints": {
+ "description": "Clues to help solve the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "max_attempts": {
+ "description": "Maximum tries allowed",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 1
+ },
+ "points": {
+ "description": "The rewarded points for completing the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 1
+ },
+ "solves": {
+ "description": "Number of people who solved the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 1
+ },
+ "title": {
+ "description": "The name of the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 4
 }
+ },
+ "description": "Capture-the-flag challenge object as defined by Rectifyq",
+ "meta-category": "misc",
+ "name": "ctf-challenge",
+ "required": [
+ "title"
+ ],
+ "uuid": "f9bb5d47-ff5b-4569-9987-4bb970639a55",
+ "version": 1
 }
\ No newline at end of file
From fe0aa7377a6264fe67a92ff09378aed0500600b4 Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira Date: Wed, 2 Oct 2024 13:19:56 +0200 Subject: [PATCH 19/20] Update definition.json - Diameter Object Updating Diameter object with new fields to match SS7 object --- objects/diameter-attack/definition.json | 38 ++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/objects/diameter-attack/definition.json b/objects/diameter-attack/definition.json
index 22a7e00..b0dccf7 100644
--- a/objects/diameter-attack/definition.json
+++ b/objects/diameter-attack/definition.json
@@ -35,12 +35,48 @@
 "multiple": true,
 "ui-priority": 0
 },
+ "Origin-Host-OperatorName": {
+ "description": "Origin-Host Operator Name",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Origin-Host-CountryISO2": {
+ "description": "Origin-Host Country ISO2",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Origin-Host-TADIG": {
+ "description": "Origin-Host Operator TADIG",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
 "Origin-Realm": {
 "description": "Origin-Realm.",
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
 },
+ "Origin-Realm-OperatorName": {
+ "description": "Origin-Realm Operator Name",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Origin-Realm-CountryISO2": {
+ "description": "Origin-Realm Country ISO2",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Origin-Realm-TADIG": {
+ "description": "Origin-Realm Operator TADIG",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
 "SessionId": {
 "description": "Session-ID.",
 "misp-attribute": "text",
@@ -86,4 +122,4 @@
 ],
 "uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12",
 "version": 2
-}
\ No newline at end of file
+}
From 7d8bac33a9887a66fcba7eb12c0b2e65059efa55 Mon Sep 17 00:00:00 2001
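Review bot: The second hunk (`@@ -86,4 +122,4 @@`) leaves `"version": 2` untouched although this commit adds six attributes to the template; as far as I know a MISP instance only refreshes a stored object template when the incoming version is higher than the one it holds, so this should be `"version": 3` in the same change (the re-sort in the following patch keeps 2 as well). `Origin-Host-CountryISO2` and `Origin-Realm-CountryISO2` are added with correlation enabled; a two-letter country code is shared by a large fraction of events, so unless correlating on it is intended, add `"disable_correlation": true,` to both, as the other low-cardinality text attributes on this page (`region`, `sector`, `severity` in attacker-infra) do. The six new descriptions also drop the trailing period used by the neighbouring `"Origin-Realm."` and `"Session-ID."` entries.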
From: Alexandre Dulaunoy Date: Wed, 2 Oct 2024 22:10:03 +0200 Subject: [PATCH 20/20] chg: [diameter-attack] jq all the things --- objects/diameter-attack/definition.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/objects/diameter-attack/definition.json b/objects/diameter-attack/definition.json
index b0dccf7..99b1130 100644
--- a/objects/diameter-attack/definition.json
+++ b/objects/diameter-attack/definition.json
@@ -35,14 +35,14 @@
 "multiple": true,
 "ui-priority": 0
 },
- "Origin-Host-OperatorName": {
- "description": "Origin-Host Operator Name",
+ "Origin-Host-CountryISO2": {
+ "description": "Origin-Host Country ISO2",
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
 },
- "Origin-Host-CountryISO2": {
- "description": "Origin-Host Country ISO2",
+ "Origin-Host-OperatorName": {
+ "description": "Origin-Host Operator Name",
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
@@ -59,14 +59,14 @@
 "multiple": true,
 "ui-priority": 0
 },
- "Origin-Realm-OperatorName": {
- "description": "Origin-Realm Operator Name",
+ "Origin-Realm-CountryISO2": {
+ "description": "Origin-Realm Country ISO2",
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
 },
- "Origin-Realm-CountryISO2": {
- "description": "Origin-Realm Country ISO2",
+ "Origin-Realm-OperatorName": {
+ "description": "Origin-Realm Operator Name",
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
@@ -122,4 +122,4 @@
 ],
 "uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12",
 "version": 2
-}
+}
\ No newline at end of file