diff --git a/objects/malware/definition.json b/objects/malware/definition.json
new file mode 100644
index 0000000..89162d0
--- /dev/null
+++ b/objects/malware/definition.json
@@ -0,0 +1,168 @@
+{
+ "attributes": {
+ "alias": {
+ "description": "Alternative name used to identify this malware or malware family.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "architecture_execution_env": {
+ "description": "The processor architecture that the malware instance or family is executable on.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "alpha",
+ "arm",
+ "ia-64",
+ "mips",
+ "powerpc",
+ "sparc",
+ "x86",
+ "x86-64"
+ ],
+ "ui-priority": 0
+ },
+ "capability": {
+ "description": "Any of the capabilities identified for the malware instance or family.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "accesses-remote-machines",
+ "anti-debugging",
+ "anti-disassembly",
+ "anti-emulation",
+ "anti-memory-forensics",
+ "anti-sandbox",
+ "anti-vm",
+ "captures-input-peripherals",
+ "captures-output-peripherals",
+ "captures-system-state-data",
+ "cleans-traces-of-infection",
+ "commits-fraud",
+ "communicates-with-c2",
+ "compromises-data-availability",
+ "compromises-data-integrity",
+ "compromises-system-availability",
+ "controls-local-machine",
+ "degrades-security-software",
+ "degrades-system-updates",
+ "determines-c2-server",
+ "emails-spam",
+ "escalates-privileges",
+ "evades-av",
+ "exfiltrates-data",
+ "fingerprints-host",
+ "hides-artifacts",
+ "hides-executing-code",
+ "infects-files",
+ "infects-remote-machines",
+ "installs-other-components",
+ "persists-after-system-reboot",
+ "prevents-artifact-access",
+ "prevents-artifact-deletion",
+ "probes-network-environment",
+ "self-modifies",
+ "steals-authentication-credentials",
+ "violates-system-operational-integrity"
+ ],
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "first_seen": {
+ "description": "The time that the malware instance or family was first seen.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "implementation_language": {
+ "description": "The programming language used to implement the malware instance or family.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "applescript",
+ "bash",
+ "c",
+ "c++",
+ "c#",
+ "go",
+ "java",
+ "javascript",
+ "lua",
+ "objective-c",
+ "perl",
+ "php",
+ "powershell",
+ "python",
+ "ruby",
+ "scala",
+ "swift",
+ "typescript",
+ "visual-basic",
+ "x86-32",
+ "x86-64"
+ ],
+ "ui-priority": 0
+ },
+ "is_family": {
+ "description": "Defines whether the object represents a malware family or a malware instance.",
+ "disable_correlation": true,
+ "misp-attribute": "bool",
+ "ui-priority": 1
+ },
+ "last_seen": {
+ "description": "The time that the malware family or malware instance was last seen.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "malware_type": {
+ "description": "A set of categorizations for the malware being described.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "adware",
+ "backdoor",
+ "bot",
+ "bootkit",
+ "ddos",
+ "downloader",
+ "dropper",
+ "exploit-kit",
+ "keylogger",
+ "ransomware",
+ "remote-access-trojan",
+ "resource-exploitation",
+ "rogue-security-software",
+ "rootkit",
+ "screen-capture",
+ "spyware",
+ "trojan",
+ "unknown",
+ "virus",
+ "webshell",
+ "wiper",
+ "worm"
+ ],
+ "ui-priority": 0
+ },
+ "name": {
+ "description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "Malware is a type of TTP that represents malicious code.",
+ "meta-category": "misc",
+ "name": "malware",
+ "required": [
+ "is_family"
+ ],
+ "uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
+ "version": 1
+}
\ No newline at end of file
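Review bot: The `is_family` attribute declares `"misp-attribute": "bool"`, but the MISP attribute type for object booleans is `boolean`; unless the target instance accepts `bool` as an alias, the template will fail to load or the attribute will be rejected, so change the line to `"misp-attribute": "boolean",`. The `name` description states that the name MUST be defined for a family, yet `required` lists only `is_family`, so nothing enforces that rule; consider adding `name` to `required` or to a `requiredOneOf` list together with `alias`, and otherwise soften the description so it does not promise validation that does not happen. The free-text `description` and the `first_seen`/`last_seen` datetime attributes do not set `disable_correlation`, so near-identical prose or a shared timestamp will correlate unrelated malware objects across events; the sibling attributes on this page that carry enumerated or descriptive values already set `"disable_correlation": true`, and these three should match. The file is also committed without a trailing newline.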