From 9a3974f383e9675e16712e998d7ae1645e7151c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 29 Aug 2017 13:25:58 +0200
Subject: [PATCH] Update definitions of binaries
---
 objects/elf/definition.json | 9 ++-
 objects/file/definition.json | 88 +++++++++++++--------
 objects/macho-section/definition.json | 73 +++++++++++++----
 objects/macho/definition.json | 8 +-
 objects/pe-section/definition.json | 110 ++++++++++++++++++--------
 objects/pe/definition.json | 30 +++++--
 schema_objects.json | 6 +-
 7 files changed, 232 insertions(+), 92 deletions(-)
diff --git a/objects/elf/definition.json b/objects/elf/definition.json
index db7d9b0..4e9a43f 100644
--- a/objects/elf/definition.json
+++ b/objects/elf/definition.json
@@ -5,11 +5,13 @@
 ],
 "attributes": {
 "entrypoint-address": {
+ "description": "Address of the entry point",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "type": {
+ "description": "Type of ELF",
 "sane_default": [
 "CORE",
 "DYNAMIC",
@@ -23,11 +25,13 @@
 "misp-attribute": "text"
 },
 "number-sections": {
+ "description": "Number of sections",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "counter"
 },
 "arch": {
+ "description": "Architecture of the ELF file",
 "sane_default": [
 "None",
 "M32",
@@ -209,6 +213,7 @@
 "misp-attribute": "text"
 },
 "os_abi": {
+ "description": "Header operating system application binary interface (ABI)",
 "sane_default": [
 "AIX",
 "ARM",
@@ -236,9 +241,11 @@
 "misp-attribute": "text"
 },
 "text": {
+ "description": "Free text value to attach to the ELF",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "recommended": false
 }
 },
 "version": 2,
diff --git a/objects/file/definition.json b/objects/file/definition.json
index a43a13f..0ca3530 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
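Review bot: The elf template's last hunk leaves ` "version": 2,` untouched although it adds `recommended` and five `description` keys, while file, macho-section, pe-section and pe all bump their version in the same patch; the macho template's last hunk has the same gap (` "version": 1,` unchanged). If templates are reconciled by version, as the other bumps in this patch suggest, an instance that already holds elf v2 or macho v1 will never pick up the new descriptions or the `recommended` flag. Bump both: `+    "version": 3,` in elf and `+    "version": 2,` in macho.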
@@ -6,65 +6,89 @@
 "ssdeep",
 "imphash",
 "pehash",
+ "md5",
+ "sha1",
 "sha224",
+ "sha256",
 "sha384",
 "sha512",
 "sha512/224",
 "sha512/256",
 "tlsh",
- "md5",
- "sha1",
- "sha256",
 "pattern-in-file"
 ],
 "attributes": {
 "md5": {
+ "description": "[Insecure] MD5 hash (128 bits)",
 "ui-priority": 1,
- "misp-attribute": "md5"
+ "misp-attribute": "md5",
+ "recommended": false
 },
- "sha512/224": {
- "ui-priority": 0,
- "misp-attribute": "sha512/224"
- },
- "sha512": {
- "ui-priority": 0,
- "misp-attribute": "sha512"
- },
- "sha384": {
- "ui-priority": 0,
- "misp-attribute": "sha384"
+ "sha1": {
+ "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha1",
+ "recommended": false
 },
 "sha224": {
+ "description": "Secure Hash Algorithm 2 (224 bits)",
 "ui-priority": 0,
- "misp-attribute": "sha224"
+ "misp-attribute": "sha224",
+ "recommended": false
+ },
+ "sha256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha256"
+ },
+ "sha384": {
+ "description": "Secure Hash Algorithm 2 (384 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha384",
+ "recommended": false
+ },
+ "sha512": {
+ "description": "Secure Hash Algorithm 2 (512 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha512"
+ },
+ "sha512/224": {
+ "description": "Secure Hash Algorithm 2 (224 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha512/224",
+ "recommended": false
+ },
+ "sha512/256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha512/256",
+ "recommended": false
 },
 "ssdeep": {
+ "description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
 "ui-priority": 0,
 "misp-attribute": "ssdeep"
 },
 "authentihash": {
+ "description": "Authenticode executable signature hash",
 "ui-priority": 0,
- "misp-attribute": "authentihash"
+ "misp-attribute": "authentihash",
+ "recommended": false
 },
 "size-in-bytes": {
+ "description": "Size of the file, in bytes",
"disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "size-in-bytes"
 },
- "sha1": {
- "ui-priority": 1,
- "misp-attribute": "sha1"
- },
- "sha256": {
- "ui-priority": 1,
- "misp-attribute": "sha256"
- },
 "entropy": {
+ "description": "Entropy of the whole file",
 "disable_correlation": true,
 "ui-priority": 1,
 "misp-attribute": "float"
 },
 "pattern-in-file": {
+ "description": "Pattern that can be found in the file",
 "categories": [
 "Artifacts dropped",
 "Payload installation",
@@ -74,15 +98,19 @@
 "misp-attribute": "pattern-in-file"
 },
 "text": {
+ "description": "Free text value to attach to the file",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "recommended": false
 },
 "malware-sample": {
+ "description": "The file itself (binary)",
 "ui-priority": 1,
 "misp-attribute": "malware-sample"
 },
 "filename": {
+ "description": "Filename on disk",
 "categories": [
 "Payload delivery",
 "Artifacts dropped",
@@ -92,21 +120,19 @@
 "ui-priority": 1,
 "misp-attribute": "filename"
 },
- "sha512/256": {
- "ui-priority": 0,
- "misp-attribute": "sha512/256"
- },
 "tlsh": {
+ "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
 "ui-priority": 0,
 "misp-attribute": "tlsh"
 },
 "mimetype": {
+ "description": "Mime type",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 }
 },
- "version": 2,
+ "version": 3,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
diff --git a/objects/macho-section/definition.json b/objects/macho-section/definition.json
index fa92060..f2258f5 100644
--- a/objects/macho-section/definition.json
+++ b/objects/macho-section/definition.json
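Review bot: The descriptions added for `sha512/224` and `sha512/256` in the first file hunk (`"Secure Hash Algorithm 2 (224 bits)"`, `"Secure Hash Algorithm 2 (256 bits)"`) are byte-identical to those of `sha224` and `sha256`, so a template reader cannot tell the truncated SHA-512 variants apart from the plain SHA-2 digests even though a given file produces different values for each. The macho-section and pe-section hunks repeat the same four strings. Suggest `"description": "Secure Hash Algorithm 2, SHA-512 truncated to 224 bits (SHA-512/224)"` and the 256-bit counterpart so that the distinction made by the attribute names is carried into the documentation.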
@@ -2,53 +2,94 @@
 "requiredOneOf": [
 "text",
 "name",
+ "md5",
 "sha1",
+ "sha224",
 "sha256",
- "sha512"
+ "sha384",
+ "sha512",
+ "sha512/224",
+ "sha512/256"
 ],
 "attributes": {
- "sha512": {
+ "md5": {
+ "description": "[Insecure] MD5 hash (128 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "md5",
+ "recommended": false
+ },
+ "sha1": {
+ "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha1",
+ "recommended": false
+ },
+ "sha224": {
+ "description": "Secure Hash Algorithm 2 (224 bits)",
 "ui-priority": 0,
+ "misp-attribute": "sha224",
+ "recommended": false
+ },
+ "sha256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha256"
+ },
+ "sha384": {
+ "description": "Secure Hash Algorithm 2 (384 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha384",
+ "recommended": false
+ },
+ "sha512": {
+ "description": "Secure Hash Algorithm 2 (512 bits)",
+ "ui-priority": 1,
 "misp-attribute": "sha512"
 },
+ "sha512/224": {
+ "description": "Secure Hash Algorithm 2 (224 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha512/224",
+ "recommended": false
+ },
+ "sha512/256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha512/256",
+ "recommended": false
+ },
 "ssdeep": {
+ "description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
 "ui-priority": 0,
 "misp-attribute": "ssdeep"
 },
 "entropy": {
+ "description": "Entropy of the whole section",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "float"
 },
 "name": {
+ "description": "Name of the section",
 "disable_correlation": true,
 "ui-priority": 1,
 "misp-attribute": "text"
 },
- "sha256": {
- "ui-priority": 0,
- "misp-attribute": "sha256"
- },
 "size-in-bytes": {
+ "description": "Size of the section, in bytes",
 "disable_correlation": true,
 "ui-priority": 1,
 "misp-attribute": "size-in-bytes"
 },
 "text": {
+ "description": "Free text value to attach to the section",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attribute": "text"
- },
- "sha1": {
- "ui-priority": 0,
- "misp-attribute": "sha1"
- },
- "md5": {
- "ui-priority": 1,
- "misp-attribute": "md5"
+ "misp-attribute": "text",
+ "recommended": false
 }
 },
- "version": 1,
+ "version": 2,
 "description": "Object describing a section of a file in Mach-O format.",
 "meta-category": "file",
 "uuid": "fca3c534-d188-4964-9c6e-9922e1dfe66e",
diff --git a/objects/macho/definition.json b/objects/macho/definition.json
index b263bc3..c15d346 100644
--- a/objects/macho/definition.json
+++ b/objects/macho/definition.json
@@ -6,11 +6,13 @@
 ],
 "attributes": {
 "entrypoint-address": {
+ "description": "Address of the entry point",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "type": {
+ "description": "Type of Mach-O",
 "sane_default": [
 "BUNDLE",
 "CORE",
@@ -28,19 +30,23 @@
 "misp-attribute": "text"
 },
 "number-sections": {
+ "description": "Number of sections",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "counter"
 },
 "name": {
+ "description": "Binary's name",
 "disable_correlation": false,
 "ui-priority": 1,
 "misp-attribute": "text"
 },
 "text": {
+ "description": "Free text value to attach to the ELF",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "recommended": false
 }
 },
 "version": 1,
diff --git a/objects/pe-section/definition.json b/objects/pe-section/definition.json
index 68b2e9e..3d1d792 100644
--- a/objects/pe-section/definition.json
+++ b/objects/pe-section/definition.json
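Review bot: In the macho template's last hunk the new `text` description reads `"Free text value to attach to the ELF"`, which was carried over from the elf template; this is the Mach-O object, so the string misdescribes the attribute in the UI. Change it to `+      "description": "Free text value to attach to the Mach-O",`. The corresponding entries in the file, pe and section templates use the right noun, so only this one needs fixing.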
@@ -2,21 +2,75 @@
 "requiredOneOf": [
 "text",
 "name",
+ "md5",
 "sha1",
+ "sha224",
 "sha256",
- "sha512"
+ "sha384",
+ "sha512",
+ "sha512/224",
+ "sha512/256"
 ],
 "attributes": {
- "characteristics": {
- "sane_default": [
- "read",
- "write",
- "executable"
- ],
+ "md5": {
+ "description": "[Insecure] MD5 hash (128 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "md5",
+ "recommended": false
+ },
+ "sha1": {
+ "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha1",
+ "recommended": false
+ },
+ "sha224": {
+ "description": "Secure Hash Algorithm 2 (224 bits)",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "sha224",
+ "recommended": false
+ },
+ "sha256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha256"
+ },
+ "sha384": {
+ "description": "Secure Hash Algorithm 2 (384 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha384",
+ "recommended": false
+ },
+ "sha512": {
+ "description": "Secure Hash Algorithm 2 (512 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha512"
+ },
+ "sha512/224": {
+ "description": "Secure Hash Algorithm 2 (224 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha512/224",
+ "recommended": false
+ },
+ "sha512/256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha512/256",
+ "recommended": false
+ },
+ "ssdeep": {
+ "description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
+ "ui-priority": 0,
+ "misp-attribute": "ssdeep"
+ },
+ "entropy": {
+ "description": "Entropy of the whole section",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "float"
 },
 "name": {
+ "description": "Name of the section",
 "disable_correlation": true,
 "sane_default": [
 ".rsrc",
@@ -29,42 +83,30 @@
 "misp-attribute": "text"
 },
 "size-in-bytes": {
+ "description": "Size of the section, in bytes",
 "disable_correlation": true,
 "ui-priority": 1,
 "misp-attribute": "size-in-bytes"
 },
 "text": {
+ "description": "Free text value to attach to the section",
 "disable_correlation": true,
 "ui-priority": 1,
+ "misp-attribute": "text",
+ "recommended": false
+ },
+ "characteristic": {
+ "description": "Characteristic of the section",
+ "sane_default": [
+ "read",
+ "write",
+ "executable"
+ ],
+ "ui-priority": 0,
 "misp-attribute": "text"
- },
- "md5": {
- "ui-priority": 1,
- "misp-attribute": "md5"
- },
- "entropy": {
- "disable_correlation": true,
- "ui-priority": 0,
- "misp-attribute": "float"
- },
- "sha256": {
- "ui-priority": 0,
- "misp-attribute": "sha256"
- },
- "sha1": {
- "ui-priority": 0,
- "misp-attribute": "sha1"
- },
- "ssdeep": {
- "ui-priority": 0,
- "misp-attribute": "ssdeep"
- },
- "sha512": {
- "ui-priority": 0,
- "misp-attribute": "sha512"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "Object describing a section of a Portable Executable",
 "meta-category": "file",
 "uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
diff --git a/objects/pe/definition.json b/objects/pe/definition.json
index ea00208..e53d7ea 100644
--- a/objects/pe/definition.json
+++ b/objects/pe/definition.json
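Review bot: The `characteristic` entry added in this hunk replaces the `characteristics` attribute removed in the previous pe-section hunk, so the relation name changes silently; any existing pe-section object created with `characteristics` will no longer line up with the template, and neither the commit subject nor a comment records the rename. The pe template does the same with `entrypoint-section|position` → `entrypoint-section-at-position` and drops `pe-type` outright in its two hunks. If the renames are intended, state them in the commit description and consider carrying the old key for one version (or documenting the migration); otherwise keep `"characteristics"` and add only the `description`.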
@@ -7,37 +7,40 @@
 ],
 "attributes": {
 "pehash": {
+ "description": "Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/",
 "ui-priority": 0,
 "misp-attribute": "pehash"
 },
 "impfuzzy": {
+ "description": "Fuzzy Hash (ssdeep) calculated from the import table",
 "ui-priority": 0,
 "misp-attribute": "impfuzzy"
 },
- "pe-type": {
- "disable_correlation": true,
- "ui-priority": 0,
- "misp-attribute": "text"
- },
 "internal-filename": {
+ "description": "InternalFilename in the resources",
 "ui-priority": 0,
 "misp-attribute": "filename"
 },
 "original-filename": {
+ "description": "OriginalFilename in the resources",
 "ui-priority": 1,
 "misp-attribute": "filename"
 },
 "number-sections": {
+ "description": "Number of sections",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "counter"
 },
 "text": {
+ "description": "Free text value to attach to the PE",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "recommended": false
 },
 "type": {
+ "description": "Type of PE",
 "sane_default": [
 "exe",
 "dll",
@@ -49,60 +52,71 @@
 "misp-attribute": "text"
 },
 "imphash": {
+ "description": "Hash (md5) calculated from the import table",
 "ui-priority": 0,
 "misp-attribute": "imphash"
 },
 "compilation-timestamp": {
+ "description": "Compilation timestamp defined in the PE header",
 "ui-priority": 1,
 "misp-attribute": "datetime"
 },
- "entrypoint-section|position": {
+ "entrypoint-section-at-position": {
+ "description": "Name of the section and position of the section in the PE",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "entrypoint-address": {
+ "description": "Address of the entry point",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "file-description": {
+ "description": "FileDescription in the resources",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "file-version": {
+ "description": "FileVersion in the resources",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "lang-id": {
+ "description": "Lang ID in the resources",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "product-name": {
+ "description": "ProductName in the resources",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "product-version": {
+ "description": "ProductVersion in the resources",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "company-name": {
+ "description": "CompanyName in the resources",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "legal-copyright": {
+ "description": "LegalCopyright in the resources",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "Object describing a Portable Executable",
 "meta-category": "file",
 "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
diff --git a/schema_objects.json b/schema_objects.json
index aa52400..c17250d 100644
--- a/schema_objects.json
+++ b/schema_objects.json
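Review bot: The description added for `entrypoint-section-at-position`, `"Name of the section and position of the section in the PE"`, documents two pieces of information for what is a single `text` attribute with correlation disabled, but not how they are combined in the value; the old key `entrypoint-section|position` at least hinted at a `|` separator, and that hint is lost with the rename. Without the format, a consumer cannot parse the value reliably and producers may emit different layouts. State it in the description, e.g. `"Name of the section and its position in the PE, formatted as <section name>|<position>"`, substituting whichever separator the producing tool actually uses (not visible from this hunk).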
@@ -43,13 +43,17 @@
 "to_ids": {
 "type": "boolean"
 },
+ "recommended": {
+ "type": "boolean"
+ },
 "description": {
 "type": "string"
 }
 },
 "required": [
 "misp-attribute",
- "ui-priority"
+ "ui-priority",
+ "description"
 ]
 }
 },
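Review bot: Adding `"description"` to the attribute `required` list makes every object template in the repository validate only if each attribute carries a description, yet this patch adds descriptions to the six binary-related templates only; any other template that still lacks one will fail schema validation from this commit on (the other templates are not visible in the diff, so this is a check to run before merging). If they do not all comply, keep `description` optional here and make it required in a follow-up once the remaining templates are updated. The new `recommended` property also says nothing about what an absent value means, which matters because most attributes in this patch omit it; a short `"description"` on that schema property, e.g. `"description": "Set to false for attributes that should not be used in new objects, such as weak hashes"`, would keep template authors consistent.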