add: [malware] New object template to describe a malware

2023-07-25 16:30:00 +02:00 · 2023-07-25 16:30:00 +02:00 · 9486bbbab1
parent 5c830087a0
commit 9486bbbab1
1 changed files with 168 additions and 0 deletions
--- a/objects/malware/definition.json
+++ b/objects/malware/definition.json
@ -0,0 +1,168 @@
+{
+  "attributes": {
+    "alias": {
+      "description": "Alternative name used to identify this malware or malware family.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "architecture_execution_env": {
+      "description": "The processor architecture that the malware instance or family is executable on.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "alpha",
+        "arm",
+        "ia-64",
+        "mips",
+        "powerpc",
+        "sparc",
+        "x86",
+        "x86-64"
+      ],
+      "ui-priority": 0
+    },
+    "capability": {
+      "description": "Any of the capabilities identified for the malware instance or family.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "accesses-remote-machines",
+        "anti-debugging",
+        "anti-disassembly",
+        "anti-emulation",
+        "anti-memory-forensics",
+        "anti-sandbox",
+        "anti-vm",
+        "captures-input-peripherals",
+        "captures-output-peripherals",
+        "captures-system-state-data",
+        "cleans-traces-of-infection",
+        "commits-fraud",
+        "communicates-with-c2",
+        "compromises-data-availability",
+        "compromises-data-integrity",
+        "compromises-system-availability",
+        "controls-local-machine",
+        "degrades-security-software",
+        "degrades-system-updates",
+        "determines-c2-server",
+        "emails-spam",
+        "escalates-privileges",
+        "evades-av",
+        "exfiltrates-data",
+        "fingerprints-host",
+        "hides-artifacts",
+        "hides-executing-code",
+        "infects-files",
+        "infects-remote-machines",
+        "installs-other-components",
+        "persists-after-system-reboot",
+        "prevents-artifact-access",
+        "prevents-artifact-deletion",
+        "probes-network-environment",
+        "self-modifies",
+        "steals-authentication-credentials",
+        "violates-system-operational-integrity"
+      ],
+      "ui-priority": 0
+    },
+    "description": {
+      "description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "first_seen": {
+      "description": "The time that the malware instance or family was first seen.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "implementation_language": {
+      "description": "The programming language used to implement the malware instance or family.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "applescript",
+        "bash",
+        "c",
+        "c++",
+        "c#",
+        "go",
+        "java",
+        "javascript",
+        "lua",
+        "objective-c",
+        "perl",
+        "php",
+        "powershell",
+        "python",
+        "ruby",
+        "scala",
+        "swift",
+        "typescript",
+        "visual-basic",
+        "x86-32",
+        "x86-64"
+      ],
+      "ui-priority": 0
+    },
+    "is_family": {
+      "description": "Defines whether the object represents a malware family or a malware instance.",
+      "disable_correlation": true,
+      "misp-attribute": "bool",
+      "ui-priority": 1
+    },
+    "last_seen": {
+      "description": "The time that the malware family or malware instance was last seen.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "malware_type": {
+      "description": "A set of categorizations for the malware being described.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "adware",
+        "backdoor",
+        "bot",
+        "bootkit",
+        "ddos",
+        "downloader",
+        "dropper",
+        "exploit-kit",
+        "keylogger",
+        "ransomware",
+        "remote-access-trojan",
+        "resource-exploitation",
+        "rogue-security-software",
+        "rootkit",
+        "screen-capture",
+        "spyware",
+        "trojan",
+        "unknown",
+        "virus",
+        "webshell",
+        "wiper",
+        "worm"
+      ],
+      "ui-priority": 0
+    },
+    "name": {
+      "description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "Malware is a type of TTP that represents malicious code.",
+  "meta-category": "misc",
+  "name": "malware",
+  "required": [
+    "is_family"
+  ],
+  "uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
+  "version": 1
+}