From 5af0d31c49092e67354b92a18432bc9dffe1b6f1 Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Fri, 20 Jul 2018 07:03:22 +0200 Subject: [PATCH 001/113] Allow multiple "pattern-in-file" in file object, fixes #109
---
 objects/file/definition.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index 4c65a73..5c268db 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -98,7 +98,8 @@
 "External analysis"
 ],
 "ui-priority": 1,
- "misp-attribute": "pattern-in-file"
+ "misp-attribute": "pattern-in-file",
+ "multiple": true
 },
 "text": {
 "description": "Free text value to attach to the file",
@@ -164,7 +165,7 @@
 ]
 }
 },
- "version": 11,
+ "version": 12,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
From 9a72b539235f24577a7a597ff76ceeabd543fafc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 20 Jul 2018 10:12:09 +0200 Subject: [PATCH 002/113] chg: allow multiple domains too fix #108
---
 objects/domain-ip/definition.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json
index 7cd4d8a..8e56f07 100644
--- a/objects/domain-ip/definition.json
+++ b/objects/domain-ip/definition.json
@@ -30,7 +30,8 @@
 "External analysis"
 ],
 "ui-priority": 1,
- "misp-attribute": "domain"
+ "misp-attribute": "domain",
+ "multiple": true
 },
 "ip": {
 "description": "IP Address",
@@ -43,7 +44,7 @@
 "multiple": true
 }
 },
- "version": 5,
+ "version": 6,
 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 "meta-category": "network",
 "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
From aae03a3db2ef70790a4ee369bb380c69dcc53083 Mon Sep 17 00:00:00 2001
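Review bot: With `"multiple": true` now on `domain` as well as on `ip` (already multiple in this file's second hunk), one instance of this template can carry several domains and several IPs without recording which domain resolved to which IP, while the description kept in the second hunk still reads "A domain and IP address seen as a tuple in a specific time frame." If a many-to-many set is the intended meaning, the description should say so, e.g. `"description": "One or more domains and IP addresses seen together in a specific time frame; individual domain/IP pairings are not recorded."`; if the pairing matters for correlation, one object instance per pair keeps the tuple semantics and the description accurate.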
From: Alexandre Dulaunoy Date: Sun, 22 Jul 2018 08:04:26 +0200 Subject: [PATCH 003/113] chg: [misp-objects] multiple flag is now visible in asciidoctor output
---
 tools/adoc_objects.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/adoc_objects.py b/tools/adoc_objects.py
index de43cd2..c75e282 100755
--- a/tools/adoc_objects.py
+++ b/tools/adoc_objects.py
@@ -3,7 +3,7 @@
 #
 #
 # A simple converter of MISP objects to asciidoctor format
-# Copyright (C) 2017 Alexandre Dulaunoy
+# Copyright (C) 2017-2018 Alexandre Dulaunoy
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as
@@ -84,14 +84,18 @@ def asciidoc(content=False, adoc=None, t='title',title=''):
 #output = '\n{}\n'.format
 #output = '[cols=\",a\"]\n'
 output = output + '|===\n'
- output = output + '|Object attribute | MISP attribute type | Description | Disable correlation\n'
+ output = output + '|Object attribute | MISP attribute type | Description | Disable correlation | Multiple\n'
 adoc = adoc + output
 for v in content['attributes']:
 disableCorrelation = 'icon:minus[] '
 description = 'icon:minus[] '
+ multiple = 'icon:minus[] '
 if 'disable_correlation' in content['attributes'][v]:
 if content['attributes'][v]['disable_correlation']:
 disableCorrelation = 'icon:check[] '
+ if 'multiple' in content['attributes'][v]:
+ if content['attributes'][v]['multiple']:
+ multiple = 'icon:check[] '
 if 'description' in content['attributes'][v]:
 if content['attributes'][v]['description']:
 description = '{}'.format(content['attributes'][v]['description'])
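Review bot: The added `multiple` block repeats the two-level `if 'multiple' in content['attributes'][v]: if content['attributes'][v]['multiple']:` shape and performs the `content['attributes'][v]` lookup yet again inside the loop body; binding the attribute once at the top of the loop, `attr = content['attributes'][v]`, and writing `multiple = 'icon:check[] ' if attr.get('multiple') else 'icon:minus[] '` says the same thing in one line and would let `disableCorrelation` follow the same form. The enclosing `asciidoc` function begins before this hunk and continues after it, so the rest of the loop is not visible here.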
@@ -101,7 +105,7 @@ def asciidoc(content=False, adoc=None, t='title',title=''):
 if 'sane_default' in content['attributes'][v]:
 values = content['attributes'][v]['sane_default']
 description = '{} {}'.format(content['attributes'][v]['description'],values)
- output = '\n| {} | {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation)
+ output = '\n| {} | {} a| {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation, multiple)
 adoc = adoc + output
 output = '\n|===\n'
 adoc = adoc + output
From 3aa3247b09f76e235fa4b94e216d5c879285c9d1 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 26 Jul 2018 14:06:39 +0200 Subject: [PATCH 004/113] chg: [paste object] add a link attribute when the paste reference is not malicious
---
 objects/paste/definition.json | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/objects/paste/definition.json b/objects/paste/definition.json
index a7c31b0..09c5adf 100644
--- a/objects/paste/definition.json
+++ b/objects/paste/definition.json
@@ -19,7 +19,9 @@
 "codepad.org",
 "safebin.net",
 "hastebin.com",
- "ghostbin.com"
+ "ghostbin.com",
+ "paste.ee",
+ "0bin.net"
 ],
 "description": "Original source of the paste or post.",
 "ui-priority": 0,
@@ -39,7 +41,12 @@
 "url": {
 "misp-attribute": "url",
 "ui-priority": 0,
- "description": "Link to the original source of the paste or post."
+ "description": "Link to the original source of the paste or post (when used maliciously)."
+ },
+ "link": {
+ "misp-attribute": "link,",
+ "ui-priority": 0,
+ "description": "Link to the original source of the source or post (when used legitimately for OSINT source or alike)."
 },
 "last-seen": {
 "description": "When the paste has been accessible or seen for the last time.",
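Review bot: The changed row line interpolates `description` (which now also carries the `sane_default` values joined in two lines above) and the raw `misp-attribute` value straight into the asciidoc table, so if any template's description text ever contains a `|`, asciidoctor reads it as a cell separator and the new `Multiple` column shifts by one. Since these strings come from the object definition files rather than from this script, escaping the separator before formatting, `description = description.replace('|', '\\|')`, keeps the row intact. `asciidoc` begins before the hunk; the loop variables used here are bound earlier in the function.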
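Review bot: The new `link` attribute sets `"misp-attribute": "link,"` with a trailing comma inside the string, so the template declares an attribute type that does not exist in MISP and is unlikely to be accepted when the template is validated or loaded; it should read `"misp-attribute": "link",`. The same entry's description says "source of the source or post" where "paste or post" is evidently meant. Because `url` and `link` now both point at the paste origin and the malicious/legitimate distinction lives only in the two descriptions, those sentences are what users will rely on to pick the right attribute, so they are worth getting exact.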
@@ -54,7 +61,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Paste or similar post from a website allowing to share privately or publicly posts.",
 "meta-category": "misc",
 "uuid": "cedc055c-78aa-49a4-bfd7-4cc30cecef12",
From c1f5e7342bd7cc4257226f27c7191be6c23eb7c9 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 26 Jul 2018 15:49:44 +0200 Subject: [PATCH 005/113] url is not a field of email object, then not one of the requiredOneOf
---
 objects/email/definition.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 84c1465..a5099a6 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -3,7 +3,7 @@
 "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
 "meta-category": "network",
 "description": "Email object describing an email with meta-information",
- "version": 11,
+ "version": 12,
 "attributes": {
 "reply-to": {
 "description": "Email address the reply will be sent to",
@@ -179,7 +179,6 @@
 "message-id",
 "reply-to",
 "send-date",
- "url",
 "mime-boundary",
 "thread-index",
 "header",
From 4e23159cb0c7c46e84b5ff2ac0e59a377112ff03 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 27 Jul 2018 15:15:47 +0200 Subject: [PATCH 006/113] fix RequiredOneOf list in fle object
---
 objects/file/definition.json | 2 --
 1 file changed, 2 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index 5c268db..972cf1a 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -4,8 +4,6 @@
 "size-in-bytes",
 "authentihash",
 "ssdeep",
- "imphash",
- "pehash",
 "md5",
 "sha1",
 "sha224",
From 60010ce556e580201e6302fd32188f7a170fa1e9 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 27 Jul 2018 15:19:15 +0200 Subject: [PATCH 007/113] fix file object version
---
 objects/file/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json index 972cf1a..49bbc28 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -163,7 +163,7 @@ ] } }, - "version": 12, + "version": 13, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From 0b164141af255dd8b8e0c71c9a73b0a0dae2b6d7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 4 Aug 2018 15:39:38 +0200 Subject: [PATCH 008/113] chg: [vehicle] Vehicle object template to describe a vehicle information and registration --- README.md | 3 +- objects/vehicle/definition.json | 52 +++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 objects/vehicle/definition.json diff --git a/README.md b/README.md index 963e2f3..dd87bb5 100644 --- a/README.md +++ b/README.md 
@@ -118,7 +118,7 @@ for a specific attribute. * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. -* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. +* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system. * [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object. * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. 
@@ -127,6 +127,7 @@ for a specific attribute. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata. +* [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration. * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused. * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name. * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate. diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json new file mode 100644 index 0000000..cc302f0 --- /dev/null +++ b/objects/vehicle/definition.json 
@@ -0,0 +1,52 @@ +{ + "requiredOneOf": [ + "description", + "year", + "make", + "model", + "license-plate-number", + "vin" + ], + "attributes": { + "description": { + "description": "Description of the vehicle", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true + }, + "year": { + "description": "Year of manufacturing of the vehicle", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "make": { + "description": "Manufacturer of the vehicle", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "model": { + "description": "Model of the vehicle", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "vin": { + "description": "Vehicle identification number (VIN)", + "ui-priority": 0, + "misp-attribute": "text" + }, + "license-plate-number": { + "description": "License plate number", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + } + }, + "version": 1, + "description": "Vehicle object template to describe a vehicle information and registration", + "meta-category": "misc", + "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4", + "name": "vehicle" +} From 487ff53afee98ffc3360424312bc7c82588de879 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 15 Aug 2018 18:26:10 +0200 Subject: [PATCH 009/113] fix: [geolocation] to include accuracy-radius as described by maxmind geoip2 API --- objects/geolocation/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index 9a129c3..b2c0393 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json 
@@ -63,6 +63,12 @@ "misp-attribute": "text", "ui-priority": 1 }, + "accuracy-radius": { + "description": "The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city or postal code) associated with the related object. (based on geoip2 accuracy of maxmind)", + "misp-attribute": "float", + "ui-priority": 1, + "disable_correlation": true + }, "country": { "description": "Country.", "misp-attribute": "text", @@ -84,7 +90,7 @@ ] } }, - "version": 3, + "version": 4, "description": "An object to describe a geographic location.", "meta-category": "misc", "uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3", From ab58f01666ba7c2325ab7092db3d5e4aaee8e0ba Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 15 Aug 2018 18:34:35 +0200 Subject: [PATCH 010/113] chg: [geolocation] disable correlation on specific attributes --- objects/geolocation/definition.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index b2c0393..1189994 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json @@ -41,7 +41,8 @@ "altitude": { "description": "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.", "ui-priority": 0, - "misp-attribute": "float" + "misp-attribute": "float", + "disable_correlation": true }, "address": { "description": "Address.", @@ -77,7 +78,8 @@ "epsg": { "description": "EPSG Geodetic Parameter value. This is an integer value of the EPSG.", "misp-attribute": "text", - "ui-priority": 70 + "ui-priority": 70, + "disable_correlation": true }, "spacial-reference": { "description": "Default spacial or projection refence for this object.", 
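Review bot: The template `uuid` that appears as context in this file's second hunk, `fdd30d5f-6752-45ed-bef2-25e8ce4d8a3`, has an 11-character final group, so it is not a well-formed UUID (36 characters, 12 in the last group); the next commit on this file (the version 4 to 5 bump) carries the same value unchanged. The uuid is what MISP uses to identify a template across instances, so a malformed one should be corrected deliberately, and since changing it is itself a breaking change for objects already created from this template it deserves its own commit and a note in the description rather than riding along with an attribute addition. The added `accuracy-radius` entry is consistent on its own: the unit (kilometers) is stated in the description and correlation is disabled, which is appropriate for a float that is not an indicator.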
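Review bot: `epsg` keeps `"ui-priority": 70` while every other attribute visible in these geolocation hunks uses 0 or 1; the value looks like a stray digit and, if unintended, presumably changes where the field is ordered relative to the others, so it is worth confirming while the entry is being edited (`"ui-priority": 0,`). The adjacent `spacial-reference` context line carries two typos in its description string ("spacial", "refence") that could be fixed in the same pass, with the version bump this commit already makes covering both.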
@@ -90,7 +92,7 @@ ] } }, - "version": 4, + "version": 5, "description": "An object to describe a geographic location.", "meta-category": "misc", "uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3", From a2384e90324958d7c5b37dbd531eea01c644404a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 21 Aug 2018 10:22:42 +0200 Subject: [PATCH 011/113] added "signed-by" relationship fix #87 --- relationships/definition.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index e67c836..0010098 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1,5 +1,5 @@ { - "version": 12, + "version": 13, "values": [ { "name": "derived-from", @@ -615,6 +615,13 @@ "format": [ "misp" ] + }, + { + "name": "signed-by", + "description": "This relationship describes an object signed by another object.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From e90b1ce4575c122d410f143d5205771614004d9f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 28 Aug 2018 14:30:29 +0200 Subject: [PATCH 012/113] chg: [ja3] categories removed (default attributes categories will be used) Fix MISP/MISP/issues/3593 --- objects/ja3/definition.json | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json index fb60f1c..6dcee9f 100644 --- a/objects/ja3/definition.json +++ b/objects/ja3/definition.json 
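Review bot: The `signed-by` description, "This relationship describes an object signed by another object.", does not say which side is the signer, whereas neighbouring entries in this file name source and target explicitly (the `indicates` entry reads "the source object indicates the target object"); a relationship whose direction is left implicit ends up applied both ways by different users and loses its meaning for correlation. Suggest `"description": "This relationship describes that the source object is signed by the target object (the signer)."`.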
@@ -2,43 +2,27 @@ "name": "ja3", "meta-category": "network", "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3", - "version": 2, + "version": 3, "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac", "attributes": { "ja3-fingerprint-md5": { "description": "Hash identifying source", "misp-attribute": "md5", - "ui-priority": 1, - "categories": [ - "Network activity", - "External analysis" - ] + "ui-priority": 1 }, "description": { "description": "Type of detected software ie software, malware", "misp-attribute": "text", - "ui-priority": 1, - "categories": [ - "Network activity", - "External analysis" - ] + "ui-priority": 1 }, "ip-src": { "description": "Source IP Address", "misp-attribute": "ip-src", - "categories": [ - "Network activity", - "External analysis" - ], "ui-priority": 1 }, "ip-dst": { "description": "Destination IP address", "misp-attribute": "ip-dst", - "categories": [ - "Network activity", - "External analysis" - ], "ui-priority": 1 }, "first-seen": { From b83e98bbd4cf891f1a486aba71ee6b81a2bc9f81 Mon Sep 17 00:00:00 2001 From: aksha Date: Mon, 3 Sep 2018 11:28:40 +0100 Subject: [PATCH 013/113] Add: Misp object for Digital Forensic - Case metadata --- .../definition.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 objects/digital-forensics-case-metadata/definition.json diff --git a/objects/digital-forensics-case-metadata/definition.json b/objects/digital-forensics-case-metadata/definition.json new file mode 100644 index 0000000..c1ab823 --- /dev/null +++ b/objects/digital-forensics-case-metadata/definition.json 
@@ -0,0 +1,68 @@ +{ + "requiredOneOf": [ + "case-number", + "name-of-the-analyst", + "crime-date", + "analysis-start-date" + ], + "attributes": { + "case-number": { + "description": "Any unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "case-name": { + "description": "Name to address the case.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "name-of-the-analyst": { + "description": "Name(s) of the analyst assigned to the case.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "location-of-the-crime": { + "description": "Location where the crime took place.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "crime-date": { + "description": "Date and time when the crime occurred.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "describe-the-crime-scene": { + "description": "Description of the crime scene", + "ui-priority": 0, + "misp-attribute": "text" + }, + "objects-acquired": { + "description": "Digital evidence acquired from the crime scene.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "analysis-start-date": { + "description": "Date when the analysis began.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Describes details of the case under analysis.", + "meta-category": "misc", + "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac", + "name": "Digital forensic - Case info" + } + \ No newline at end of file From 0c98a925f3db3184a9f44fdce7adcb3d3150806e Mon Sep 17 00:00:00 2001 
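Review bot: `"name": "Digital forensic - Case info"` does not match the directory `objects/digital-forensics-case-metadata/`, while every other template on this page (`vehicle`, `forensic-case`, `forensic-evidence`, `ja3`) uses the directory name as `name`; it also contains spaces and capitals, which presumably is what template tooling and users key on, so `"name": "digital-forensics-case-metadata"` would be the consistent choice. The last two added lines are the closing `}` followed by an indentation-only line with no trailing newline, which is stray whitespace at end of file. `analysis-start-date` and `additional-comments` are left correlating, unlike the equivalent entries in the `forensic-case` template that follows, which disable correlation on them.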
From: Alexandre Dulaunoy Date: Mon, 3 Sep 2018 13:54:59 +0200 Subject: [PATCH 014/113] chg: [forensic-case] object added based on the original one from @Aks6193 The idea is to separate the evidences from the case itself as you can have multiple acquisitions for a specific case. Another object template is required such as [forensic-evidence] to be able to link between the forensic-case object and one or more evidences. --- objects/forensic-case/definition.json | 47 +++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 objects/forensic-case/definition.json diff --git a/objects/forensic-case/definition.json b/objects/forensic-case/definition.json new file mode 100644 index 0000000..a15b7c2 --- /dev/null +++ b/objects/forensic-case/definition.json @@ -0,0 +1,47 @@ +{ + "requiredOneOf": [ + "case-number" + ], + "attributes": { + "case-number": { + "description": "Any unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "case-name": { + "description": "Name to address the case.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "name-of-the-analyst": { + "description": "Name(s) of the analyst assigned to the case.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "analysis-start-date": { + "description": "Date when the analysis began.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "An object template to describe a digital forensic case.", + "meta-category": "misc", + "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac", + "name": "forensic-case" +} 
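Review bot: `"uuid": "3ea36022-ae93-455e-88b1-d43aca789cac"` is the same value as the `digital-forensics-case-metadata` template added by the previous commit, so at this point in the series two different templates share one uuid; the uuid is what distinguishes templates when they are loaded, so one presumably shadows the other until the older file is deleted two commits later. A fresh uuid for `forensic-case` (or deleting the superseded template in this same commit) keeps every commit in the series consistent. The commit message states that the case is meant to be linked to evidence through a relationship, which is worth carrying into the template's `description` so users do not copy case data into the evidence object instead.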
From 7ee2ff1901ddea4b1464a4e39b4dc93dc5c943e6 Mon Sep 17 00:00:00 2001 From: aksha Date: Tue, 4 Sep 2018 12:31:13 +0100 Subject: [PATCH 015/113] Add: Object template for digital evidence --- .../definition.json | 68 ---------------- objects/forensic-evidence/definition.json | 78 +++++++++++++++++++ 2 files changed, 78 insertions(+), 68 deletions(-) delete mode 100644 objects/digital-forensics-case-metadata/definition.json create mode 100644 objects/forensic-evidence/definition.json diff --git a/objects/digital-forensics-case-metadata/definition.json b/objects/digital-forensics-case-metadata/definition.json deleted file mode 100644 index c1ab823..0000000 --- a/objects/digital-forensics-case-metadata/definition.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "requiredOneOf": [ - "case-number", - "name-of-the-analyst", - "crime-date", - "analysis-start-date" - ], - "attributes": { - "case-number": { - "description": "Any unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "case-name": { - "description": "Name to address the case.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "name-of-the-analyst": { - "description": "Name(s) of the analyst assigned to the case.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text" - }, - "location-of-the-crime": { - "description": "Location where the crime took place.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "crime-date": { - "description": "Date and time when the crime occurred.", - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "describe-the-crime-scene": { - "description": "Description of the crime scene", - "ui-priority": 0, - "misp-attribute": "text" - }, - "objects-acquired": { - "description": "Digital evidence acquired from the crime scene.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "analysis-start-date": { - "description": "Date when the analysis began.", - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" - } - }, - "version": 1, - "description": "Describes details of the case under analysis.", - "meta-category": "misc", - "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac", - "name": "Digital forensic - Case info" - } - \ No newline at end of file diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json new file mode 100644 index 0000000..eddb50e --- /dev/null +++ b/objects/forensic-evidence/definition.json 
@@ -0,0 +1,78 @@ +{ + "required": [ + "case-number", + "evidence-number" + ], + "attributes": { + "case-number": { + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Computer", + "Network", + "Mobile Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ], + "disable_correlation": true + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-hash-type": { + "description": "Hashing algorithm used on the evidence", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "MD5", + "SHA-1", + "Other" + ], + "disable_correlation": true + }, + "acquisition-hash": { + "description": "Acquisition hash of the evidence", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "file-upload": { + "description": "Upload any file pertaining to the evidence.", + "ui-priority": 0, + "misp-attribute": "attachment", + "multiple": true + } + }, + "version": 1, + "description": "An object template to describe a digital forensic evidence.", + "meta-category": "misc", + "uuid": "fe44c648-63ef-43fc-b3de-af71a2e023e4", + "name": "forensic-evidence" +} From 4e66e692d4d09a26ce25b216ccf20c76529fe44a Mon Sep 17 00:00:00 2001 
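Review bot: `file-upload` is typed `attachment`, which MISP serves back as the raw file; where the artefact attached to an evidence object can itself be malicious content, the `malware-sample` type (stored as a password-protected archive) is the safer choice, so the template should either use that type or say in the description that only benign artefacts such as reports and logs are expected here. `"required"` is used here while the sibling templates on this page use `"requiredOneOf"`; both keys exist, but making both `case-number` and `evidence-number` mandatory is a stricter contract than the rest of the series and deserves a sentence in the commit message. `case-number` duplicates the attribute of `forensic-case`, and with the relationship-based linking the previous commit's message describes, this copy can drift from the case object it refers to.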
From: aksha Date: Tue, 4 Sep 2018 12:46:00 +0100 Subject: [PATCH 016/113] fixed intendation --- objects/forensic-evidence/definition.json | 130 +++++++++++----------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json index eddb50e..a572b43 100644 --- a/objects/forensic-evidence/definition.json +++ b/objects/forensic-evidence/definition.json 
@@ -1,74 +1,74 @@ { "required": [ - "case-number", - "evidence-number" + "case-number", + "evidence-number" ], "attributes": { "case-number": { - "description": "A unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "evidence-number": { - "description": "A unique number assigned to the evidence for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Evidence type.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Computer", - "Network", - "Mobile Device", - "Multimedia", - "Cloud", - "IoT", - "Other" - ], - "disable_correlation": true - }, - "name": { - "description": "Name", - "ui-priority": 0, - "misp-attribute": "text" - }, - "acquisition-hash-type": { - "description": "Hashing algorithm used on the evidence", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "MD5", - "SHA-1", - "Other" - ], - "disable_correlation": true - }, - "acquisition-hash": { - "description": "Acquisition hash of the evidence", - "ui-priority": 0, - "misp-attribute": "text" - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" }, - "file-upload": { - "description": "Upload any file pertaining to the evidence.", - "ui-priority": 0, - "misp-attribute": "attachment", - "multiple": true - } + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ 
+ "Computer", + "Network", + "Mobile Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ], + "disable_correlation": true + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-hash-type": { + "description": "Hashing algorithm used on the evidence", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "MD5", + "SHA-1", + "Other" + ], + "disable_correlation": true + }, + "acquisition-hash": { + "description": "Acquisition hash of the evidence", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "file-upload": { + "description": "Upload any file pertaining to the evidence.", + "ui-priority": 0, + "misp-attribute": "attachment", + "multiple": true + } }, "version": 1, "description": "An object template to describe a digital forensic evidence.", From d2550dffb63b46a7c15f143485d1575af8c8c4f2 Mon Sep 17 00:00:00 2001 From: aksha Date: Tue, 4 Sep 2018 14:18:30 +0100 Subject: [PATCH 017/113] update: Forensic-evidence object --- objects/forensic-evidence/definition.json | 136 +++++++++++----------- 1 file changed, 71 insertions(+), 65 deletions(-) diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json index a572b43..068a15e 100644 --- a/objects/forensic-evidence/definition.json +++ b/objects/forensic-evidence/definition.json 
@@ -4,71 +4,77 @@ "evidence-number" ], "attributes": { - "case-number": { - "description": "A unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "evidence-number": { - "description": "A unique number assigned to the evidence for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Evidence type.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Computer", - "Network", - "Mobile Device", - "Multimedia", - "Cloud", - "IoT", - "Other" - ], - "disable_correlation": true - }, - "name": { - "description": "Name", - "ui-priority": 0, - "misp-attribute": "text" - }, - "acquisition-hash-type": { - "description": "Hashing algorithm used on the evidence", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "MD5", - "SHA-1", - "Other" - ], - "disable_correlation": true - }, - "acquisition-hash": { - "description": "Acquisition hash of the evidence", - "ui-priority": 0, - "misp-attribute": "text" - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "file-upload": { - "description": "Upload any file pertaining to the evidence.", - "ui-priority": 0, - "misp-attribute": "attachment", - "multiple": true - } + "case-number": { + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Computer", + "Network", + "Mobile 
Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ] + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-method": { + "description": "Method used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Live acquisition", + "Dead/Offline acquisition", + "Physical collection", + "Logical collection", + "File system extraction", + "Chip-off", + "Other" + ] + }, + "acquisition-tools": { + "description": "Tools used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple" : true, + "sane_default": [ + "DCFldd", + "EnCase", + "FTK Imager", + "FDAS", + "TrueBack", + "Guymager", + "IXimager", + "Other" + ] + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + } }, "version": 1, "description": "An object template to describe a digital forensic evidence.", From d84b499d3ab866d0a4cca1cfb392fbc0f23a4fc9 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 4 Sep 2018 16:15:08 +0200 Subject: [PATCH 018/113] fix: Some relationships typo fixed --- relationships/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index e67c836..2e35d42 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -187,7 +187,7 @@ }, { "name": "indicates", - "description": "This relationships describes that the source object indicates the target object.", + "description": "This relationship describes that the source object indicates the target object.", "format": [ "misp", "stix-2.0" 
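Review bot: After this change the template has no attribute that records the acquisition hash: `acquisition-hash` and `acquisition-hash-type` are removed together with `file-upload`, and nothing replaces them, so an evidence object can no longer carry the value that ties it to the acquired image and supports its integrity. If the intent is to hold the digest elsewhere (for example in a related `file` object), the template `description` should say so; otherwise keep a hash attribute, ideally typed as a real hash type (`md5`, `sha1`, `sha256`) so it correlates, rather than free text. Separately, `"multiple" : true` under `acquisition-tools` has a space before the colon unlike every other key in the file (the later jq reformat commit normalises it).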
@@ -611,7 +611,7 @@ }, { "name": "exploits", - "description": "This relationships describes an object (like a PoC/exploit) which exploits another object (such as a vulnerability object).", + "description": "This relationship describes an object (like a PoC/exploit) which exploits another object (such as a vulnerability object).", "format": [ "misp" ] From 3a81765d8fdcb8e10a67fd407b09ca33fe7f868d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 4 Sep 2018 20:40:16 +0200 Subject: [PATCH 019/113] jq all the things (tm) --- objects/forensic-evidence/definition.json | 146 +++++++++++----------- 1 file changed, 73 insertions(+), 73 deletions(-) diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json index 068a15e..b0effd8 100644 --- a/objects/forensic-evidence/definition.json +++ b/objects/forensic-evidence/definition.json 
@@ -1,80 +1,80 @@ { "required": [ - "case-number", - "evidence-number" + "case-number", + "evidence-number" ], "attributes": { - "case-number": { - "description": "A unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "evidence-number": { - "description": "A unique number assigned to the evidence for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Evidence type.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Computer", - "Network", - "Mobile Device", - "Multimedia", - "Cloud", - "IoT", - "Other" - ] - }, - "name": { - "description": "Name", - "ui-priority": 0, - "misp-attribute": "text" - }, - "acquisition-method": { - "description": "Method used for acquisition of the evidence.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Live acquisition", - "Dead/Offline acquisition", - "Physical collection", - "Logical collection", - "File system extraction", - "Chip-off", - "Other" - ] - }, - "acquisition-tools": { - "description": "Tools used for acquisition of the evidence.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple" : true, - "sane_default": [ - "DCFldd", - "EnCase", - "FTK Imager", - "FDAS", - "TrueBack", - "Guymager", - "IXimager", - "Other" - ] - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" - } + "case-number": { + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": 
true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Computer", + "Network", + "Mobile Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ] + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-method": { + "description": "Method used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Live acquisition", + "Dead/Offline acquisition", + "Physical collection", + "Logical collection", + "File system extraction", + "Chip-off", + "Other" + ] + }, + "acquisition-tools": { + "description": "Tools used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "DCFldd", + "EnCase", + "FTK Imager", + "FDAS", + "TrueBack", + "Guymager", + "IXimager", + "Other" + ] + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + } }, "version": 1, "description": "An object template to describe a digital forensic evidence.", From 38071f4bd9e3de1138a096cbbf66089f5105d798 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 4 Sep 2018 20:48:51 +0200 Subject: [PATCH 020/113] chg: [forensic-evidence] updated to include other tools and correlation disabled for some fields --- objects/forensic-evidence/definition.json | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json index b0effd8..95e5398 100644 --- a/objects/forensic-evidence/definition.json +++ b/objects/forensic-evidence/definition.json 
@@ -27,10 +27,11 @@ "Cloud", "IoT", "Other" - ] + ], + "disable_correlation": true }, "name": { - "description": "Name", + "description": "Name of the evidence acquired.", "ui-priority": 0, "misp-attribute": "text" }, @@ -46,7 +47,8 @@ "File system extraction", "Chip-off", "Other" - ] + ], + "disable_correlation": true }, "acquisition-tools": { "description": "Tools used for acquisition of the evidence.", @@ -54,7 +56,9 @@ "misp-attribute": "text", "multiple": true, "sane_default": [ - "DCFldd", + "dd", + "dc3dd", + "dcfldd", "EnCase", "FTK Imager", "FDAS", @@ -62,7 +66,8 @@ "Guymager", "IXimager", "Other" - ] + ], + "disable_correlation": true }, "references": { "description": "External references", @@ -73,10 +78,11 @@ "additional-comments": { "description": "Comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, - "version": 1, + "version": 2, "description": "An object template to describe a digital forensic evidence.", "meta-category": "misc", "uuid": "fe44c648-63ef-43fc-b3de-af71a2e023e4", From 089042085661bbfc36700fbd4d451996c10d3777 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 6 Sep 2018 11:20:26 +0200 Subject: [PATCH 021/113] new: New Object describing original files usedd to import data in MISP --- README.md | 1 + .../original-imported-file/definition.json | 34 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 objects/original-imported-file/definition.json diff --git a/README.md b/README.md index dd87bb5..472d106 100644 --- a/README.md +++ b/README.md 
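Review bot: `name` receives a new description in the `@@ -27,10 +27,11 @@` hunk but keeps correlation enabled, while every other text field this commit touches (`type`, `acquisition-method`, `acquisition-tools`, `additional-comments`) gets `"disable_correlation": true`; a free-form "Name of the evidence acquired." will match across unrelated events on generic values. Adding `"disable_correlation": true` to `name` would keep the template consistent. `case-number` and `evidence-number` (outside these hunks) also stay correlatable, which may be intended if they are meant to link evidence items to their case, but it is worth confirming since they are described as assigned identifiers rather than observables.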
@@ -100,6 +100,7 @@ for a specific attribute. * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. +* [objects/original-imported-file](pbjects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json new file mode 100644 index 0000000..2a2c0d9 --- /dev/null +++ b/objects/original-imported-file/definition.json 
@@ -0,0 +1,34 @@ +{ + "requiredOneOf": [ + "filename", + "imported-sample", + "type" + ], + "attributes": { + "filename": { + "description": "Original name of the file imported.", + "ui-priority": 1, + "misp-attribute": "filename" + }, + "imported-sample": { + "description": "The original imported file itself (binary).", + "ui-priority": 1, + "misp-attribute": "attachment" + }, + "type": { + "description": "Type of data imported.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "uri": { + "description": "URI related to the imported file.", + "ui-priority": 0, + "misp-attribute": "uri" + } + }, + "version": 1, + "description": "Object describing the original file used to import data in MISP.", + "meta-category": "file", + "uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5", + "name": "original-imported-file" +} From 1a02c6879eaf23bcfa78587cd6961ad2d41cf1a2 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 6 Sep 2018 14:54:39 +0200 Subject: [PATCH 022/113] chg: Deleted filename attribute since it is already contained in attachment --- objects/original-imported-file/definition.json | 6 ------ 1 file changed, 6 deletions(-) diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index 2a2c0d9..2afdc62 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json @@ -1,15 +1,9 @@ { "requiredOneOf": [ - "filename", "imported-sample", "type" ], "attributes": { - "filename": { - "description": "Original name of the file imported.", - "ui-priority": 1, - "misp-attribute": "filename" - }, "imported-sample": { "description": "The original imported file itself (binary).", "ui-priority": 1, From 767b46142937c50881bf0f55b9f7b27b518ad99a Mon Sep 17 00:00:00 2001 
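Review bot: `type` in the `@@ -0,0 +1,34 @@` hunk is a closed category ("Type of data imported.") with correlation left on, so every event importing the same kind of file would correlate with every other one on that value; the `forensic-evidence` template on this page marks its equivalent `type` field `"disable_correlation": true`. The same applies to the `sane_default` list PATCH 028 adds to the renamed `format` attribute (`@@ -12,7 +12,14 @@` hunk) — a `"disable_correlation": true` entry alongside it would stop the noise. `uri` stays correlatable, which is the attribute where a match is actually informative.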
From: Alexandre Dulaunoy Date: Fri, 7 Sep 2018 11:26:37 +0200 Subject: [PATCH 023/113] chg: [file] following some CyBOX import adding a fullpath field which includes filename and path request --- objects/file/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 49bbc28..d58f4db 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -131,6 +131,12 @@ "ui-priority": 0, "misp-attribute": "text" }, + "fullpath": { + "description": "Complete path of the filename including the filename", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, "tlsh": { "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash", "ui-priority": 0, @@ -163,7 +169,7 @@ ] } }, - "version": 13, + "version": 14, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From 344b8f002eeddeebe19436449fc42202ee2c0828 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Fri, 7 Sep 2018 11:32:47 +0200 Subject: [PATCH 024/113] fix: Changed 'type' attribute that is more relevant as being called 'format' --- objects/original-imported-file/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index 2afdc62..3146241 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json @@ -9,8 +9,8 @@ "ui-priority": 1, "misp-attribute": "attachment" }, - "type": { - "description": "Type of data imported.", + "format": { + "description": "Format of data imported.", "ui-priority": 1, "misp-attribute": "text" }, From ac221f8927ff08f9099c19381918c9a0c73058f1 Mon Sep 17 00:00:00 2001 
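Review bot: The description of the new `fullpath` attribute in the `@@ -131,6 +131,12 @@` hunk, "Complete path of the filename including the filename", is circular; `"description": "Complete path of the file, including the filename"` says what is meant. Because the attribute is `text`, `"multiple": true` and correlates by default, identical generic paths (system directories, temp folders) will correlate across unrelated file objects, so whether `disable_correlation` is wanted here should be decided deliberately rather than inherited from the default. The enclosing `attributes` object begins above the hunk.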
From: chrisr3d Date: Fri, 7 Sep 2018 11:37:55 +0200 Subject: [PATCH 025/113] fix: typo in link to an object --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 472d106..7bdfa9d 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ for a specific attribute. * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. -* [objects/original-imported-file](pbjects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. +* [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. From c8ecf75fdcc880a358155286365e09b4e8e56707 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 9 Sep 2018 12:29:58 +0200 Subject: [PATCH 026/113] new: [tracking-id] Analytics and tracking ID such as used in Google Analytics or other analytic platform. --- objects/tracking-id/definition.json | 46 +++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 objects/tracking-id/definition.json 
diff --git a/objects/tracking-id/definition.json b/objects/tracking-id/definition.json new file mode 100644 index 0000000..509dbe7 --- /dev/null +++ b/objects/tracking-id/definition.json @@ -0,0 +1,46 @@ +{ + "requiredOneOf": [ + "id" + ], + "attributes": { + "id": { + "description": "Tracking code", + "ui-priority": 1, + "misp-attribute": "text" + }, + "description": { + "description": "Description of the tracking id", + "ui-priority": 1, + "misp-attribute": "text" + }, + "url": { + "description": "URL where the tracking id was found", + "ui-priority": 1, + "multiple": true, + "misp-attribute": "url" + }, + "hostname": { + "description": "hostname where the tracking id was found", + "ui-priority": 0, + "misp-attribute": "hostname", + "multiple": true + }, + "first-seen": { + "description": "First time the tracking code was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the tracking code was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Analytics and tracking ID such as used in Google Analytics or other analytic platform.", + "meta-category": "network", + "uuid": "3681c62a-2c75-48d8-99f2-6a3444ce2393", + "name": "tracking-id" +} From ddd341d0ed2236e9d42ae742fc9a1e0b8420745b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 9 Sep 2018 12:31:53 +0200 Subject: [PATCH 027/113] chg: [doc] tracking-id added to the list of templates --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7bdfa9d..f41ccdf 100644 --- a/README.md +++ b/README.md 
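Review bot: `description` ("Description of the tracking id") is free text with correlation enabled in the `@@ -0,0 +1,46 @@` hunk, while `first-seen`/`last-seen` in the same file carry `"disable_correlation": true`; a generic description will correlate across unrelated tracking-id objects. Adding `"disable_correlation": true` to `description` keeps the pivots on `id`, `url` and `hostname`, where a match means something. The `tracker` attribute added by PATCH 029 (`@@ -8,6 +8,18 @@` hunk) has the same issue: its `sane_default` values are vendor names most objects will share, so it should also be non-correlating.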
@@ -124,6 +124,7 @@ for a specific attribute. * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. +* [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform. * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. From 37a4a93326dc3189f03e015861b00a962edf626f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 9 Sep 2018 12:34:06 +0200 Subject: [PATCH 028/113] chg: [original-import-file] list of "sane" default format. --- objects/original-imported-file/definition.json | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index 3146241..c2a5af5 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json @@ -12,7 +12,14 @@ "format": { "description": "Format of data imported.", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "sane_default": [ + "STIX 1.0", + "STIX 1.1", + "STIX 1.2", + "STIX 2.0", + "OpenIOC" + ] }, "uri": { "description": "URI related to the imported file.", 
@@ -20,7 +27,7 @@ "misp-attribute": "uri" } }, - "version": 1, + "version": 2, "description": "Object describing the original file used to import data in MISP.", "meta-category": "file", "uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5", From bb2b8d810fa2f34f9b32aebe37bcc3bfa750e43a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 9 Sep 2018 12:39:22 +0200 Subject: [PATCH 029/113] chg: [tracking-id] add the tracker origin such as the vendor or software --- objects/tracking-id/definition.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/objects/tracking-id/definition.json b/objects/tracking-id/definition.json index 509dbe7..79c374a 100644 --- a/objects/tracking-id/definition.json +++ b/objects/tracking-id/definition.json @@ -8,6 +8,18 @@ "ui-priority": 1, "misp-attribute": "text" }, + "tracker": { + "description": "Name of the tracker - organisation doing the tracking and/or analytics", + "ui-priority": 1, + "misp-attribute": "text", + "sane_default": [ + "Google Analytics", + "Piwik", + "Kissmetrics", + "Woopra", + "Chartbeat" + ] + }, "description": { "description": "Description of the tracking id", "ui-priority": 1, @@ -38,7 +50,7 @@ "misp-attribute": "datetime" } }, - "version": 1, + "version": 2, "description": "Analytics and tracking ID such as used in Google Analytics or other analytic platform.", "meta-category": "network", "uuid": "3681c62a-2c75-48d8-99f2-6a3444ce2393", From 76b3086356f2e6683199baacef97a0bcef6f568c Mon Sep 17 00:00:00 2001 From: Terrtia Date: Wed, 12 Sep 2018 16:49:28 +0200 Subject: [PATCH 030/113] fix: [ail-leak] disable correlation --- objects/ail-leak/definition.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json index 93f9073..7a4f9d5 100644 --- a/objects/ail-leak/definition.json +++ b/objects/ail-leak/definition.json 
@@ -12,6 +12,7 @@ "attributes": { "sensor": { "description": "The AIL sensor uuid where the leak was processed and analysed.", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" }, @@ -23,6 +24,7 @@ }, "duplicate_number": { "description": "Number of known duplicates.", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "counter" }, From 243396a34d11351803add157166d1a3ad73d92f5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 12 Sep 2018 22:11:46 +0200 Subject: [PATCH 031/113] chg: [ail] version of the template updated --- objects/ail-leak/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json index 7a4f9d5..feae522 100644 --- a/objects/ail-leak/definition.json +++ b/objects/ail-leak/definition.json @@ -64,7 +64,7 @@ "misp-attribute": "attachment" } }, - "version": 8, + "version": 9, "description": "An information leak as defined by the AIL Analysis Information Leak framework.", "meta-category": "misc", "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e", From 8b5b5df77c8105152799dc6faf4d36fce6fbc158 Mon Sep 17 00:00:00 2001 From: Stefan Kelm Date: Thu, 13 Sep 2018 14:05:45 +0200 Subject: [PATCH 032/113] bgp-hijack --- objects/bgp-hijack/definition.json | 53 ++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 objects/bgp-hijack/definition.json diff --git a/objects/bgp-hijack/definition.json b/objects/bgp-hijack/definition.json new file mode 100644 index 0000000..952ade7 --- /dev/null +++ b/objects/bgp-hijack/definition.json 
@@ -0,0 +1,53 @@ +{ + "required": [ + "expected-asn", + "detected-asn", + "start", + "subnet-announced" + ], + "attributes": { + "expected-asn": { + "description": "Expected Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "detected-asn": { + "description": "Detected Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "description": { + "description": "BGP Hijack details", + "ui-priority": 1, + "misp-attribute": "text" + }, + "country": { + "description": "Country code of the main location of the attacking autonomous system", + "ui-priority": 1, + "misp-attribute": "text" + }, + "subnet-announced": { + "description": "Subnet announced", + "ui-priority": 0, + "misp-attribute": "ip-src", + "multiple": true + }, + "start": { + "description": "First time the Prefix hijack was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "end": { + "description": "Last time the Prefix hijack was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com", + "meta-category": "network", + "uuid": "42355673-1fab-4908-8045-00bebd91c389", + "name": "bgp-hijack" +} From 76553f176c0421fe2d783e411bafb444fbef275e Mon Sep 17 00:00:00 2001 From: Stefan Kelm Date: Thu, 13 Sep 2018 14:10:52 +0200 Subject: [PATCH 033/113] bgp-hijack --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f41ccdf..fe29188 100644 --- a/README.md +++ b/README.md 
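Review bot: `description` ("BGP Hijack details") in the `@@ -0,0 +1,53 @@` hunk is free text that correlates, unlike `start`/`end` in the same file which are marked `"disable_correlation": true`; `"disable_correlation": true` on `description`, and probably on `country` (a code shared by many hijacks), would avoid meaningless matches. `subnet-announced` is typed `ip-src`, yet an announced prefix is neither a source nor a destination; if `ip-src` is chosen only because it accepts CIDR notation, a note in the description string saying so would help the next reader, and whether the CIDR then correlates against plain `ip-src` host attributes inside the prefix is worth confirming against the correlation engine. The `detected-asn` description could also state that it is the AS observed announcing the hijacked prefix, which is what distinguishes it from `expected-asn`.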
@@ -71,6 +71,7 @@ for a specific attribute. * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. * [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0. +* [objects/bgp-hijack](objects/bgp-hijack/definition.json) - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com * [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object. * [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object. * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. From 00184b6fc0b06f8c78d37e2fc7f9e8084c37209b Mon Sep 17 00:00:00 2001 From: Stefan Kelm Date: Thu, 13 Sep 2018 14:13:33 +0200 Subject: [PATCH 034/113] bgp-hijack --- objects/bgp-hijack/definition.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/objects/bgp-hijack/definition.json b/objects/bgp-hijack/definition.json index 952ade7..1955f9a 100644 --- a/objects/bgp-hijack/definition.json +++ b/objects/bgp-hijack/definition.json @@ -1,9 +1,9 @@ { "required": [ - "expected-asn", - "detected-asn", - "start", - "subnet-announced" + "expected-asn", + "detected-asn", + "start", + "subnet-announced" ], "attributes": { "expected-asn": { @@ -42,7 +42,7 @@ "description": "Last time the Prefix hijack was seen", "disable_correlation": true, "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime" } }, "version": 1, From d2b33810c567ceb0701f5511f4f77f17bec35a61 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Fri, 14 Sep 2018 18:39:20 +0200 Subject: [PATCH 035/113] chg: [relationships] updated with new relationships --- relationships/definition.json | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index f91926f..5279345 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1,5 +1,5 @@ { - "version": 13, + "version": 14, "values": [ { "name": "derived-from", @@ -622,6 +622,20 @@ "format": [ "misp" ] + }, + { + "name": "delivered-by", + "description": "This relationship describes an object by another object (such as exploit kit, dropper).", + "format": [ + "misp" + ] + }, + { + "name": "controls", + "description": "This relationship describes an object which controls another object.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From 4d6e0d7580b6239e33ed268031b7a1297a6ad686 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 16 Sep 2018 17:13:30 +0200 Subject: [PATCH 036/113] chg: [file] fullpath can be part of a single file object --- objects/file/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index d58f4db..6083298 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -16,7 +16,8 @@ "pattern-in-file", "x509-fingerprint-sha1", "malware-sample", - "path" + "path", + "fullpath" ], "attributes": { "md5": { @@ -169,7 +170,7 @@ ] } }, - "version": 14, + "version": 15, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From 01ea4c30979d7bbaf07071ea502d1f492815b4d8 Mon Sep 17 00:00:00 2001 
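Review bot: The `delivered-by` description in the `@@ -622,6 +622,20 @@` hunk is missing its verb — "This relationship describes an object by another object (such as exploit kit, dropper)." does not say what the relationship is. `"description": "This relationship describes an object delivered by another object (such as an exploit kit or dropper)."` matches the wording of the neighbouring entries.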
From: Alexandre Dulaunoy Date: Fri, 21 Sep 2018 07:11:38 +0200 Subject: [PATCH 037/113] chg: [malware-config] new object to describe malware configuration in clear-text or encrypted/encoded ref: fix https://github.com/MISP/MISP/issues/3679 --- objects/malware-config/definition.json | 51 ++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 objects/malware-config/definition.json diff --git a/objects/malware-config/definition.json b/objects/malware-config/definition.json new file mode 100644 index 0000000..435fc95 --- /dev/null +++ b/objects/malware-config/definition.json @@ -0,0 +1,51 @@ +{ + "requiredOneOf": [ + "config" + ], + "attributes": { + "config": { + "description": "Raw (decrypted, decoded) text of the malware configuration.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "format": { + "sane_default": [ + "JSON", + "yaml", + "INI", + "other" + ], + "description": "Original format of the malware configuration.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "encrypted": { + "description": "Encrypted or encoded text of the malware configuration in base64.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "password": { + "description": "Password or encryption key used to encrypt the malware configuration.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "last-seen": { + "description": "When the malware configuration has been seen for the last time.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "first-seen": { + "description": "When the malware configuration has been seen for the first time.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Malware configuration recovered or extracted from a malicious binary.", + "meta-category": "file", + "uuid": "8200b79b-1d8c-49a8-9a63-7710e613c059", + "name": "malware-config" +} 
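Review bot: In the `@@ -0,0 +1,51 @@` hunk the `format` `sane_default` list mixes casing ("JSON", "yaml", "INI", "other"); since these values are what analysts will pick and later filter on, `"YAML"` and `"Other"` (the spelling `forensic-evidence` uses on this page) would avoid two spellings of the same format. `encrypted` is described as a base64 blob but typed `text` with correlation on; a large per-sample blob is unlikely to ever match and only adds correlation load, so `"disable_correlation": true` there seems appropriate, whereas keeping `password` correlatable is useful because a key shared across samples is a real family pivot. `config` holds the decrypted configuration in clear text; it may embed network indicators that are better extracted into their own attributes for correlation rather than left inside one text blob, which the object description could point out.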
From 231fdaf92b2507f7dca38ce82e88c604d5ce19dc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 21 Sep 2018 07:13:23 +0200 Subject: [PATCH 038/113] chg: [README] malware-config object added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index fe29188..b7b03f0 100644 --- a/README.md +++ b/README.md @@ -97,6 +97,7 @@ for a specific attribute. * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation. * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format. * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format. +* [objects/malware-config](objects/malware-config/definition.json) - Object describing a malware configuration recovered or extracted from a malicious binary. * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook. * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. From 89e869c57790d6726cfbaf6c980fb2f135f7d292 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 21 Sep 2018 15:40:32 +0200 Subject: [PATCH 039/113] add docs - time related objects --- docs/time-related-objects.ods | Bin 0 -> 19977 bytes docs/time-related-objects.pdf | Bin 0 -> 23583 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 docs/time-related-objects.ods create mode 100644 docs/time-related-objects.pdf 
diff --git a/docs/time-related-objects.ods b/docs/time-related-objects.ods new file mode 100644 index 0000000000000000000000000000000000000000..637e8901aa3f4d350af3a33d9bc3f6125dd24d6a GIT binary patch literal 19977 zcmb5V1CTGl(;zsu-gxE>-q^Nn+qU%^+qP}nwrv}4YXK!L_Y-i+bV`2-Sb+UIfF)(&AH!%Uo|1V?uZ(S0%Pyzw{2QdGQ zsci0SV`yt&VeLc*_@7l;dt0+`d08=d7;Kn-ufR))3oHJ+kN<-oDA0dbYc7ybARv%0 zd1+-45MU5+2xv%XcvuK9C`dSXC@0VWO+?jK?tLP{Jm1_BHOqTgr~gufZcaESUm>F3)S=hNaSQvTOnK?PRs9E`G*#%j+g*gQ! zc*GR=S*eA&m;`va#Ce(dc?E^}c_al`r35(@#d(EaTHB^w& z4OR6mb@YujjjVOd9E>z%jkT4G^>r-uRjrLQ9n5r%jEoFSEsf2sElmup%}uPVt&Odn zOzl0a9GtBHUQSkq4z`wVwk803YfpRAe{ClxCr1|#fV;P+i=(%jlc%SrwX46QXONS3 zn1_$Qi(iD7f3Rm@ly_*nzpG84r&EBBXP6Hl*xxI{&owH@Gd|QiC@3f}G$Jr8Dk3Bx zIy@*UDk?B4F*G4HG%h_dE-5lGGchVCE;c?RAtEs`F+L?DDJ?5KIUzeeDJwHGDkU!| zt0=ReET^nKKQ+2AGpQguy(~MaC@-rrKeeJTv!N`zu&|(@q@uW@y1b;IvaGnWva+bE zskW}Bq^_f?zNwzs=cnXv$3+Vv9Y10y{Wycy``b6y{W6KtGczn zrF)>IZ@jyIsB>_tXLP>5wW`0PvA?@xth;HjuX}o+b#kzCZnV3vuWw*vd}w@fd}Ls1 zd}Lx`VqkJtJ>7YG9#& z>G9Ro)#=s!_3hQ={p;P;+2h^S-QC^&^V`$w$LsUs`|H#9_cw(=NH-7=89+iqB?9n%MPu(rwO@nYY$`W_ICPh@lZ&>^mZVmt1Vao=v1w%<y5#Y%w)*tF@TZgFez^Scub~l!q$B&JEmf0{tn9bK7w{0|Kk(bR`Mw4I z?oe`d+{VzN3LST(I4EZ@! 
zkQa|mC+`A!e3#@vm;%0t)a#J%RW=3SEz6_ETTD;uU3a9g^jI>|tM)?XNImW&@p>dm zd|qxN4nFN-I!GV=b9x5He8ba`#sTMRD{3C}OLNR3h=#IaoS!&H}eD4>hw+|>2D9K!I$eGyc)T|IJHrjup-)DD=hJD*CjmjR` zc69#r7you!AWs1AA!7{5-+7v}3x9MDPX~SrUkEB6O@uYcXsGCS;$ilF;r14(xTalB zN|ZcLbEvo*T6VR$zb)#!O1rCLN}CY7zv#7=hx1U}|Jc2yLVys%F=QM(R6e z#o3<9+A7vt4IEBQNCb*tPT$NDBO~RP7SG;y#BgY>09FR3K>^9LRA^P!>m*M&tAql8 zhqCz@8-!Z52PaHr@u!Qoy4|Ea01=;%29tiQ%Fub(o@BtC7<&`L{>I(f5|U8;>=HVt zxq4Wo%8lH}$V~Da)w+ee1)Sw+ZK@5UVtCQ*@iW zs5#*?%bkr7rLNzLWC#QDAGlkPK3&r3=adb!M=1$n&(ciJSn>3d^56nWHlv)~+Rm3- zWh*Ii{X=fm@XP=kNke1g%7y;J(Qwc00ORAp(TK&pzBkhME^;+J=>eM&Aiu42KFs{fd-hA`4Q8g$72>oDV~q)R3l6 zkk*1!R~0@$v(~IJ1=i7kr30t4=)XLmjFzW|wv%iPQd1;ZZaB+w2y$B`8E)95ftaLS z6d;bu5~NvYN0f{Vz#{P^ilMnxyyesVuft0{aU+@+fes( zo3jd(84yqh*c4a6-fUlr7hpT!YaJU{SS4(VY@N01sG}d2>hy|sv=OF6TS-RyH6!nM z*!;RzgA%V`(|# zfAUaO_SMK)I!pHzeNa!E>l;qxwOe@h^BfmG)2sPQiNWT(|LiW-CT%4{`PaiTBz~{Q z@%F%Ibba`Z*s`45!|V9d$p!ip`8REqxb@Vm+f${UsYN#g-aD5_qmiaC6(My;Q}5m^=?>#M%$8u*gE?_b3G68g&0VPk2%o%d%+ z8reI6uAi&HiU*risx+I@ix|ErH>>fjpTnB70yzmsPy1qtD|Cr6Op+Mg>SOW^2Os18 zCB@ot@3aC5nbGWmsG~E7doKWLfeq8T3;m-o3uf=K55cJhc zdtdz@(vJ4_aUmyb4fK%n)1gOma9n~5``D}mRW}OqQb@~S3Z60icN_&RH7OE(-7(V@ zCNXK!rf!R?!4&GHEgeAkh~s!%I`UWM@R zaR7|s0?-n;3LD0eIkCw`+EWk?4wXEp+l=OL6f1oWX;@-@wfF+qec`SgPBkg8oVp+U zb5jl9s~W^(l!FXW%6a2Nz=ZI}0Ivrd@$QFMZG{P!cLbuODr(JIm(@eAkleJT|49fh zB~#t)Y@DECk8>z;2QXS68{|V26gAj%2Yi(#QDpTqRLbF`(cCZwW7owU&)(+2d7}jE zEX5#=CGi(O$4NG_~( z${xjGSY2H#TnVwJyqZnY^rQ2OvK;~BqP@35vrv;!*%zZN09R|_CvfYe1 z9cXtG2vtQJPJ~T{wq35EEO6$%9+Q2aV-3pb0el6kLQE!Pa~pGI`h1Y$b?UTrKgPdP zGp6GTSRCu(1KirWGuF|LEyM)(ze13LMM_|iX0ZRBlBr|!tQZ;-$hzXV}a~_Ift$@l>TDdst ztn~W4m0IQor6!}CDVn4*(y-XUTM3DYu7lgXZV$P`?^wJH*-2b(3$M@jNl!V;fSzod zsY!QpZiV(hvNsBqa>$lTV2eOAD?Dtuq-!_1t?$jJIk$nnwU59Th9>7pSp;_7@pMks zCymEQj4<=8gm}y>|uk(EZGICBVEv=^30w!nc!~N4%tp%&#bLlL?plg?r zA^Isk-AifQO-uzsZ<+?c@3916`#+45%@u5PkBC^w%u`aS~e|N0TCsLH#|u zHo2YOph=+n*lgMX$HN@GpIWn>oq;_+nXc~co$%LtEXCY}e+>g5+YV7tlj;kI6TLC& 
z!|QYIvh21R%24pofVQ;ak*V*_!!>%W7s>2^axZs#t~7WX$?eY~v1WaDyV-r-Z1iDK zXo#F4t>3IY7Z`1OfeW8$BXPZB+DVo=AFsTx_+fjo9xa>rArW%65**|ZJN!%3DsPsY zU7ydMy7zKKWAn)%s=6SOFHkSl5L;Z=y#QGCc^Yokd!DH*NA#y|&c9@vm%kkOtPFG) zDXa9*KR({{I(^`H;7Kbj-A+fvlO)u86ENGzI0Xd|UO_&o`itA+7qY(HxyI#m%AGeW>{o6EX{vK`x;;zjs#& z(0gtb!=AZjmy>9)yFk2L-sRI)t>Ic&q_Em_@ML^Aim$^6;f_ZFlR$#ESEBE$kKaBD z!oeE=ea^zMbrdAPHw$j*jSkY@pNqH|IFlhD$YfYx1br02)x2(CO))i&G-U;%hQyi@ zTCy=Rf)~3Bj>J}iA*${o)rAXo_#zNZkm%_a2`wg5(&Mh&XL1^-2~H%K)*p()Jo&th z6Emwh^U;f^c;a6ym~RCPtzumCO5ya?-H(+pEdQ@2>^Cq^%s?LCqi z<>2EPPHHD63X$hWg_A=^YIZ&bsBKuUH!Zmj1BvIxyj&vbVd%|Dr@0<)kL?jEJQX0w zIwyy%t^WR{yKY3=EJ6H8{^ zxLw-K?V{}=we&E_wVMtnR7m!XjYe29yuvW@j;}L>U0frGv=9xsd*+6MH5=@9ik9vr zS$@%S&_sPOUAkiW+CLX9@x6*j6ke^}w0GB;t&j#(&E-&MELKo)37;jyUT-`#5$Vj^_}96nx^k4i8Z|qSiv9UhGPK8Se)L2( zI0U#oSM$TLpVm(!xjN+%g6YqAUq}1^V;zy*6D2Ppk_?E!qur35>fx?_ezMWDQOsY; zMPdW@##41Oi~*v*^T>8^@oVOUNF)kq2e*18KS}NlLw2BQWA_a$T~Ja(#_c38k;jJj z${euFv3~c((_vNZcDY)MScj2TPxqN(*01IVwja4cIA@7V==i50iMnCAW2HBLw;%$A zkimVLkV{Ce;Y~czi{T{)H_J3bvAAU++cYt^h(dyNntw15c_6DBd2~JRoIxy8$i0p0 z0x7GpNG@_@7aZ=CQ)VwurTa!5TCVIr;0lH=Px%ZnZ+2?G5*mDLF5~Wi2I=Jo{SAtB z;GX8Z*B{1W0|hR^4^Ru9OI!9rRJ+}H5eX3KEw+T1VBi`Gg6h#RM9&hW8qX0sGld|( zeDY(7F>4T`9hg3(lFfkm7HPe$%x59Ce1P^YsH8>=d&p}_+Khuk0T3jC)m@YqZ!)&OVKtdAEMehEA9!R zx}mNmw1j!d53i4)+YfpZUK(NxE8WfSJm2H7DTkvJ98nfqxkDg;_@!2pS}X2&mqs#s za_^;@&Z~pf#^K`tx1Z)=@v{c<>rha2ha^@uOrp$=47#nHPaM^lu2Eh8znsSY!w^5 za1kj&$bzC>b0G=rX=YV)r*srr1w9O}JXK>~>1W;)?=(~3En>s-um>_dzDWkF!iVkx zrL{RuYylVD1U4`e*uR#>&3tG6>kt-)0uNKhKTN3wa_*YWZE6+du`J550!pP{Rfk?T zl4XiH3Z_A?N-!K2&F@|B74>j9B4XJL**`9&NrUYi28vR=%$Oh#o6=eYR#X$?;NS6(NNJ=PGHMT%cyEX7-+T#HrsT7wj{?>uK5g!;0v!Tu|x^;tg$m81^HbX2*)k`uuV zYdvRZrQZGvWzTGOo3SG%UC3h#NJdMB=3}Ii7L><*xoCc;8^-n=*t~tKd?n!uo8Phq zz|^a&CO#)d>90CJ5Oc>2{G7l#$W0&|gn^`PYroQSnfQBw0z7w7y;j<^53${(SN=An zd#g=71rInDNkQ<@ig}%rlzzXzalpTEU=kL>2oZQf^=E+ecK|#o0dflv-nkZ#nFi2W zF1S{q!4OO26_5>Vo%;hm#m_)$h`wlq%XI7Q-~y*Mb_K)NvTvL%wHFj}(FCrdx2wP} 
zXOhmSf}(Xb-=`8uv}S-#i$}yAn8cHT2_#Hcl0+vH8`ZyGt1TzWq@S_99yJCq_rhM8 zJ-1vPjFgvL6Qu?jxmAq&zi+PW&P&kc;#_P^Wbg6tHKtD7=k?yLy1vg`+4pDcDidOZ+%@ms@vR)~^v0=V6cFM}sHYb-UHS2t>Qj0;*SZC2;* zR8Tovleu(XG}{-|1~= zu3XfY8k-Y`8X&j$Ky0zI|Di!Y4es|x=zMHbbLY&huy+PF0vRx5Jp`Cg5w`mi?m{c8|u9f)yOxZ=Ng_5`( zdHh@*=mp_t@HGphzrvD|ro^Wa|d>RLf<*nT*t! z|M|86u%Pt6EjaKO%d(q3@-Po2y=JN5q^&=c1{Gz&=FsT!&=ftM@uzEgpC7G6@!}hb zim5cWv5-5<&SFICYUZx|(a1arwFAyw`Bq5I1hXR67r8#PT818t>JfY1bvAStR?;1+ zsCT#NyHvY2T zfS|okF!l59Z{WIhrklb@6~|4i7#7#WXenY_&fgacu^*>lMrzQ&6D%;0Vo^13P2R0l z^6S@eU$oZDnfV5E`d=_YWCNr}XBh1$Ay#}bZMDOyW<#bc<8}UqK3y8AgMzWcq%f_P z4d}QOU|`S8a8%eDdLz~>oq`Bo1@)z4?Q|DvnAk9f`?YJW^fN=>zUz!z^6Dg7v*(VO zGl0RE4wG#}qS-;p7UGzY5M(dt7Wz$ITiZ{hHw@CyNgY&s+$ZTaSu0`ahW07vC8m8& z8sg>MaJif6*xmdeBJaHXtHn#5Wwa*d9@BtgkC)d59w$LYsnq7T;mKJNuLRz1)sC}( z-jP--!(xxt*9Np*yjS3Y-KtmbN;RY%P+tl5JAjM8D(cZVmtE~QU}tBz0Uyt5I;-%h zgbKyyE^!E6S|Df67}kcAg}J!oDdU6YvD-zH?j}3pCVX@LMyL@(bS4?#Wba( zoQKg?npiH^ zA`QiyiHS6pq^9L1wu>k?Sh)#=`G~eOP;-ttH;;qbtisBgM|~{9qk57XMk!*Vaa}#8m`!7-MT}s z;A}sFO!h=f%Jv67M?no&V?`@I9Q({|k>M(Xu*AXlbgl7Fh^Z<2M$N-4F znLzn>r0$%$ypx>for%~au!b2H`zoM5PxITzzavlbY%V%ogQi7iWYcSdlc*AF&E|c& z7#uG}G@y$$Ci=2<*QEMuz7^UtsX@zDVtQgO8I;9a(@q&WmYv(hSXC=|uBy0%v&y|#Nkek5d#3K!_lzAxtL(3wtgtY7 zTIPlE_zSz9TbH#bwAREziVh~if;M7yPXqhKueGx1Tsin0X_)A8EjPh@3ug!e;e0Fr zMBbo*E%jKRchW^zt6qZR03ZEdh@S!KcQoOwUW4bh6#=_m@GWZ|giCN*PL`0LyQrbU zP$8pcp2OI{W;&Oh-nxgFXbtEFUa*6mhvyk2X5Gs!UxO1bSWwy7GRbj|@|!_E2p?Zc zli2Ukq$aCE%MiT0T78hVqR(M&=&CWT`zI;B8QLe+-o#&-P8BXe<54*G=+ZzJrwW~x zj(91T_axj0$t#q#FA)iwR2&~c5C@5!xbM*t6KB~d)+!L98_99 zV^``uL1K6!;oZ60jxkXCq5ohjHVGwEEK&i9cUWZ-)$Y8zpwE5JKd{1PuKN?X-fIvVZRF z@;SKnrVr+65d3GGy~CkqE5jPoF@nPuF!ih!L)mUiSLG4Zv&{4{eER!LXhyrfS;huW z-syQR``2N!#~Fcq0P&dT-(&(04)5Z}4V}Lf&Q2`b-ooYZ?^|9~$3DrDVvB52wL4i_ zM_Nv;NkuowlQ&aXRS>qll~UJn=X&E3K4*eu6g?Z2jx%OV#By1=zK+3DC+3$uM+c*e z&Q0z{%@}7I=kBBrM_VP}!&W46C*3FCH^jEsG@b-Uq4HnnKWP*?miLTR)ERjAt_v?G zWQBUWRE*-?5vrx(wI8QBrxKD+6c3CGuH4)|*WaCvPgK9&TkgH?d_u^~Kxbt6{77|p 
z&d7cW4$CvtB4gR4nHB)uzT1GmC}ufjIRq~>&(#vNZtsG9ew%l>T5gVJWCR}~qTZxj z-ltj>Nu0~`DLSILJWJlUNKaT!lP`#BSvBR<9}QIvW%aMBEz)|T_*S_9)s{pv7hG5K zdJ>_Zb?jH)u8{p7zi6W`Bi^of=IDPbvz4}4cB$MYcBDy$mH6k;gw^4*0;PI|hk3j9 z+YWfHB7J=i=KYc10WIXVWJ6&Ebw2HwMzgcXNn^0Yw`X#YEAQjEFI<5u=@f3XT zg@xe)!&DkgGRK;;o|q4N=<@Lrs$y)@>+c{9LH%&9@KgA2gbCep=*rjJ^zK36uc9Jh zK(){K_w*l%?MAZ8&d;Gw-^>@q%XzsS5Z+Oql%9K)HCI>D$7dt+T9RtUgJ_ zhnm*cgiu~wO%8TlzoLzRAfm87)?9J4l0ugs?TO|YPEp-7jSO;S3Tw>k!FjiD`xHOe zq@e+-vDsjtNdbqf?;K=mr5pKb2A3L`8K^|+Q;(3aj#rbM$Stc004BI-ulhs%QzG^0jAz4AS>o}H_l75XduY;# z%P06Ly41XGI@?~2VpFm+1&5F^mmtdUjODKi3rQY8+-3F-bW-OQi9m+P$d>{SYpG;M zj9#v#OI$>oTebS(@4UiJz1YgOU#NW?7Ot(TrvLWNexB~wB%LP=_>+V^sCK!isU zUP_?kPCGp`Wa+43-jglqN-7ku=7O5)U^hcbziuf5nLjH*(FgG^*8d#0l5LFYDV~S5MJ86RPdHZeaLt7J-hvJ@ zZXCHb)a~dgjaigSoH3|RsC}`<%`p}xo`EtEJcHAM!KF9OOANKs>X7}HrCF937Bv+5 zhlXxomC*S{?E2WYtpkv%RC>QX^>zx`YYib|IDH`s-PJ8IHMls-d8o^m?Z4eJu>YwJ zrNIM%XYn|*OcR<3Rz`7z0>%KtIgrT`8{T0wOQe=jRXj|W?0L2OZ~Atr>N7xK?^I~< zNAvu>%O^?yuxchg2+10xtng6t+xV>UZ1tIT%jKz$hRJ|XTyW-gKT2-5MEPQ;ZaKL` z*N4SQ!jWOB`~4huJP!pCU1Su)u6OpUKmkDFem-;n3%D1fEJ z`FcK069Ya&S!|baztF^LTV{Mk8`I?)jAXTRuWk3ejZMYwLTRi`C%#(C$<8_|Y1>_i zUvp%DoKm0WoyqT;7t_^-KMrh`Vm-;E93GjcRJarj3$(TH+h?Pp)woIl_?jtqaxV}1sw@N-Lc z%hNcy1;j4`2kIh@WCY;kWZfp0wNU70CSogc-TQN8E7Ak*jdlG`&;Kmg|0+Uuwx$+l&W`^h za@L8F4q#_zZEs*}VomqI$NNu=?Ee?O)0nOK|rBX0NKVg6U& z=>#wUI6M8HQ?z%qGjlX?`v1ZFuPEBv**n|+XPW=b9RDlMm|EKz08IY7`QiT;oUyPm zFf(zY6SM%>7}z`gACml!5dUA+KtVzMkI?CVRQ{g=`>$qXXAAgGT(p~w^_7m6-C+x| z4`1(qy+5IQo}GjX3Y&xiGx=Q3Hf`Nz&T}&QC?gwcxsYN{mY#1&hlUIFC`SJ@>68$1 z;^6*mCaf8`M#q-}Uib=X)4t?R^GCLBCpe>g)Z}f=*9m@a+{JV3%TI^OAp@fRm~x!( z9~$VSrq|Zs!eT7bZr3Z}$^3$l%>1HXY5DLWln@$G*sA5BXWAN(^|191w@GcB8v|R{ zoNMznQN@MZX0qXxh3O@YI*?qNV9lIfRW7*PYynYd1$e_t_be300h6Ph&qEt-YgaR- zjWd@8g@CoI-K{Oa;*R28UQr|pjUpvFK)^3^3h>?wCg&q>6!nLI_$!%GgcI~>vvA@EI$dZiZz5Ci{ zXy$Qs6j7>kVZO$RV*{-WWcn~WHC;h%l&V-#VcTzNUC9Bmd&h+BLpwjmh9uX*RzPhm zu=)rXO(482g4I6+@I|YLl*XAzmpuk-UE+nHqx`=#61Y;12lOf$P&ASy@ 
zt95fwhK;0RWU(6by}PE6LI-)d8}6Hv`lYm9l6Z1}9|B^^Xl~0{As*p(jeVJBojhdS z)JqdgXfpq-0P2n&tp(BVVsYa+%(+t)?y4x=Z8iY&Zge&iV0h#LXElqL{&>K4;R-*u zvnIC928Auet3u?cy44!fD29K88ED`S((yNI)g+dPcsgd6Vd?6&NcqIl(w6un<_L!;vcap)CkZ`BLSFrT30a z5l_F`N4{~FdP?TbuqJx+0wd%1JkqTeJbg(Lcn4`7U8^9n_-j`al?aiGlily__j{)c zrl9b=4%LYc;An}>>c;V|Y*N*I)=AKWdx~h5ukMBx{-??DdzK;wxJHP0;Rc8I2L)a#$cx*V{2BEKczXVP; zWO{V=hJY06|NcTN;@mg~dyelMkwZxQI6l{JA5~7{0c!;??THu#1*4iHFCvN8dq!Ij zUT#!SQcYB7j>u4-5<)Vb95>iiX-E`dIwEJR&EvViI`e`HqVg~-U$YZ@)sfoE#vdmy zfA4x;kj8%IRD?NTQ-+(zg4L@>NRmuCCwrrJuD)wm2$k*S6N{2;;95zSi~FsKXd@du z!#8n*Q#7S%0>R@6T{()JL`ZV+JLpZWq$^G_M=L4WV082pSgj(gU9l_B@=D8S;h%rQe1w2^IcxQ zIJ!=4M4U0d>uzMtn35*7A3TI(mT}INQ&RB}$+Je_H?nIZ3d*g2N2QrAmXcU?``qBtR~z`~%;%SbobPIoTpbsFf>-_&0MudH}#AFvIU(jB+^ zBO{l0UqREjJ|(GUp4Usd%<2<}`wIWO=Q>Z{Tk^M)`qgBW!bwqxaTMHT)z)LA(#-7g z<$ZNlR&%JVIlMW;CT$sarV2XjlQldv`Tbq-oP3w279>gKPG?g+dS=BIEmev2k-&Eq zWf$_awLH>L7P@u2>#3!a_iG$10`+ig&jh-dd9*C{Y+ve^`BZbiI^rL_0OkNZ!l@e3 zo!w!r-BPZ#jNh!+siPnw?R`uBysQOHW`U+Wea(TitXCm2X=A&g)b5^c->j(DHTbbA z7pU01oWh5@2uTSR!&v>FoCg++rvf%W%IUe0IAF&QSeubyL?7p$2hJB;StCvef_ElZ zGgR`=Ntk$&mMHMNx_Iy>VH0A4f&3&39_+E9Oi|-OzQz58kPoklIU_+Zb362z{R<~o z(E{ZJTxl=%c!;G34Q;B2i*2n5BjA!e_olLVyKOJT8`~djBgEHx6{|uWFlW+E`0Kxc z6hT2PIMDE>MEj0X+Aaq0rVHndrQeJXr-^?@5mC7wayCCJ7r(I%_d+$-z}{7C>xiIM z!r}cKR=n`~5+(;?qJZ*}*}}=h9^8=|qTaXLgR;*U<9rPM_>cWO=XGprPO%@beny&K!e$sh)?4Hx3b( zMe%jYihssb7$U$z=>~RjXMHIE%k4Od+ZWa=x&&3nz!DNhxQj6l1&CCpWyW-Miz z=uagr7wvm0`Su0j97%fD$6wPk0HLJ&sIrpEVuF-LaYD-fHz= zd!OabJ6$K{C|EdtULiXWu`kQo3b>UZ!48$<)YVkB)F*YjUsm?+QR*@?>f{{q2@Yy4 zhBZtsb_K1bT4okFZ%==yJ%z}1U7S|Gb4DgU>&|emHRMi8zi%}%^lGvR_~P@kGDhmv ztGbRqzpQ z<-f9g|3}iG3Bce#W^Z(&Kk z?C%dlF4@Ly9FNDtOm{m7?cH3>#IAswrbex#VpJ0SVxj6VSGUm6HA^Sv}N|)yn+~+HPGKi| zb3b~ye6>h@r9iXEfAVMVr*wDBF$^PV&C{hl%%36Z0NwBoH|FRhm`?Ne_f;KV>^}uc z!oo5;Tff?$_`>-9BT|RZSjlW)ARw848J7Qhk^Uzk(+S{iZQ}GFp>Atx*=@3-`s~&s zDeJHKjd!ri7|}V@HDB1;&_6ctphpRhTT>|Hk#n8Z;@37@$7ge%9fQe;_?+Bk-DnF- z^7eK~)HnM#@e_B}eWjae(ZfmvH5?82{9G41nd;T_aF97f3AROvtC!Fl$@beaP*c-p 
zp-Hj08>BL8AQm_yv%b=z1bub6ASy$Bcu^RV3JtmX1 z(c&u9Wm8huWi58NNteLvqOOI9qa-jx!Zla5^^<=93~I3^Q)@c6ZOt~{qUMI4Fd~Dg z%%}nfVNz33rIb-Skc8^h_urXzS=LY)>6dx^t22|5&sd5Q%Yoql1sO`}_E4^BM}L_` zoYO^pY!b%Tn!qAPXSp1fo#DH2gY75`<5u?e$+^MUt1!td@GWpoI&t>< zqQ%_ z>$1-L3?%1y{9vQq@~G)oAn!e1XVA!0YzjzEP%E00j`^{16p2d%QxB)W!#_p!9|0x5 z<0&rAnO8v>D%m7Ubz4F?EDQ)>$uTC-SuI3Q&_!@uzz%n^)ucHM=>)&Xbjx0uVy{s- zokT(RT8;b(k_8jeu9{I9tqh@YritpR(<9j7Eq++hin}BJYctNT6l6ztX(u2Xfv?5R zVy*?h401zEf2jL#K+#f0jva`+pC^7C!ezSw`}*rsCni&6P@3VaMW4PqR;G3g zo8ba{%MXrN+cd2f{Z^o=lQ2r0w(7+9)1uqkw%cDK92mFBQG72_;{xGt5uREm*P#lS zk-TB|U#5)a{)TLJf}u6mTO9c~`MBEbtX0$^xI6EHj05wU;3L@}7zoCCldRlhYq31? zqM9^jr#yPYhM_-Fl5w{hY2*HJtq7v+&NsUoHfRVpYk#at>xVFTAnx65Oq&Fm?mjCj zRWGsVyRg)>{a4DWJ2KwCBt^?Y-2egv4 z%g4&1L|=o@CGk9OYuJks!zU9p&r3McIL=}-ScXszPpLgI;+*HSENV1^;IH|)z(By) zAVnkB2HUge^a}hz@F2Qtswk+D^_FGA2qC0}{e|KK<909}TP0)R>d)&0-VaUpwVlQZ zYU;%Yb8G7ctI%-Fwrdqo*!}g6tJ=AJa=7ZyW_kk&{3>_rk5-n*=&X6BU!fg${Es^<~v}IArcn{r+OtrvJSsdb(5BXB$?5(s@jJhNEDFodT7ei()-NF*cqmRG zRPi+hSQUM=;#Lnj9ATk)nzLwRP=4h#N%663aWTioV@k0rfTXY!)ty`saF{7LVR*M! 
z^a+Q@Ed_>)0u4R5(|OGR{RTOAIhSpmnN&MbuSZVuxX%^v=pe${Fb+OF1p0TN=Wl(X&0bl)1=nSf1LDT>+Ac4p&4a?mF`|qX zG2bGtdoIHeeG~#!q^!`|pdvY6OL5M(9T@9TX>P1Zzr0svYmv&UXRhP~vf&P zMv54HVtm)=NC}TE84OAR#%FGUnlC%jlq`B@C}?x19RlH#4wBvT5}P0o7rNZ1^5qf| z`Cn;g{xvOU)`macVLXW^)*$q^NyX9D>am$>}h2p$<(jK0pay>5vYy~Ego z!MZxSx;dR!0z3(=;^rc{!u9SqU3Er&kt47i{W8t(dIK2V1XHSXJgPk!wX7=){biPM zyp{o*`**aKyQg$mQS`q7X)0={q+w-KJE_(zdo?{uKZ!37*vdM-y97n`hDPG5ijxsg z^oNz7$AaD%_QPzUXk+U@+7YdwIljkkuw;AfNACYzblf(aAN?M>jW_YgopmgN7PriA;aDQygFElf?E0JM(ArqhYjwt@6WK{wpNCNpdNbl~8Q zfm(u8OS?5F^Q@QMHT0{ONTY0OuI2nnO6olW04JI{mRTn6eJVk=FMkR zoSn4o#haWPYb{jx8Mt?rfyKF$9j>;N9C|6iG;DCzvyBDhZW#~Ua$SV|%j^!~a3f7I zP|$eMf)-ClUf3Kn2hgT!3V@5eIQN%7JdxX+<#`P-1}%!+p)G&n{rRJzr6+;_fjAwq zQo~Fs4+E|#R57z_J7I7oe|7h|>#nr}cfFF$J+6&BoEL}hc8QYo zvly@C&O5o>e@?z>XMeB`YMWeyt@&pP&EDfqn(pyc#A^S;zNQ!R1@M1{M&N&IX#9tL z|5qPZ9u8%@#>WyuXvi5c6D=Z3ePj8oF_Vd`Gc}QAEQzsY7s@V7ma=9`N_`3$%Dy`Y zeHF(#G#uMu>|?SkKgaQpZj{R`?;U{_g=S`owv86EA~I7#)6r- z*B2#fsbQ5snd5mMA1SR5Z{w47h8?kw**PAs zP{#!rkp%Je((0b&0ND#K2xenR_$(%$w3wNBGvSrYs^HS|eGT{l?`ZJr%1?*YoM9_fPGM#l)TP(;K@UM+;mu_=~enS$D<7*j5ynki5}yQr)xIp|C_Z}ZYM zzwHMU(|V+A>hfIIFgmJB@+nx#Np7o5qIJL*))f{9b+$oZcAks`5IV|r>!Ajyg2nk_ zV$iCSl=X5#GqAQ@5ld`Ka3W*?O--#i8q5t;OBWY1!~_S#t=%;Pr<`kGRbTr=bFUW6 zntWRq)i@Nuel7jTSB@IbAdYIJN`rJZ_XwL><_YwVT5k_i6+sP>m_}3{m!A8&9n5bd zx!+l!VPh5)CsymT-YbwO#p%$8+EPSEpTZVj}|e05{1mO-|?9iuw)vowbQ2b>IVMpwU)V zXm@RK(P}4P#Qn5oe^^&S@!Eb~}Hij(*gmf~}SzmYR4-Pe(Pjgbq zXd!SY&(XtcsNes2$;gRCKD@nWo3AdJZz!Xr_&uebze4C#$ZO*iwUGO%;VOTojjq{9 zo-Z9wF0y5i0W z=#k!!Bj7;|$^`B=-Iw8c5Wn7AHp1}*(J%Gy-|zzDi5Rg>SB#6r=NGd&PY%X%aIG~5 zo`d%%yA|9D(>fgC`S{53Z(TPoX1RZKjX)%fV8wyJHPe*HkR!!kdUAmu^}`Os6Qt@p zBrL_feYcj_W8$uj6*k_XFvlc+eCazHm13lub)@!fOOsjNr~7izR^z6d*jMVr#GNHp zrmq|Ljwx6pswFqukt}gaue7v(Ch2fbvwyoCoS)yW2M>R2m5$NwWlDruXmNpD@7nT~ z8m6^3frp~q8uP?1|5Qw9iMhBF>>l( zn#eoVT={!T@RkFpbtw8GX4T%`&ZRtK^M#%CTxsrF&~u~K3cC^|Zt;nt?TP$;FEwCg z;aL7+O5XE3a+m#WPa;d z6kx^MTqAsGNO(I5V<9VIG+1%_o$HRV$vdn0{$eGe2s;Icp;;2?gWtG@Ap0a?8S_ZZ 
zVDs*cvt>^Qr=@e`!XlM@&Ewqc?}5(6cJg-qjf*G@3O7zNj0B&kh2;^*LYEi%r)MTR zo^^@D`gkchNN2vVuj(Ouo-(-MTse`E7E1!xI3z}$ZBV5^ii~nF+JO%wdCWCKZAmVw z%PWg6Ngl#Avi~3x)>bSRz&Ry=Ix_0^Izaxptqtt72Ahxd8J8h3yv2A>eKq29aBV%C zoIV-7m#=;8#VNshJ#|J>^Xt@k159k%DttPFC%R`IiV@JGv5BYs z`?QyYd*qduH%Gq>iop8S!!@eDci<%{G5O<}3&D;ulZ|qD5pwe!3Tnbb;xC|rTdZ{@ z3;wsvE^Uv1H*l*BFV&M!TVi!QFqf{Z;Pr{2utZ){FYI&NW zCn34SavSBGm2-oqQLFK%%evV$7l=bFiQkFmwOZn3vv9RinME#y}}vVId@UE1~$+<1#L`)qpP0wsP9!t7AsRL$y;#`*Wb zJFLL7y#b#>I<-lXT1XWz6Yjwoi74B}V5Dg(tAQS*_+H4(dwrpx*%*s8NZf*_2v*0L z@~>yqUp%)yQ6xON8ckYUlLjJQe(ucm2`@*bx$d;Kl6{J;wvVn zHPPEEB}>8-a+_N)6D{h;l$i?UsE4C8D=q3w%mRRe=P^-3&tN~NGwns~ow!7YpsCA) z<}dAKp`!o*nqo^gO{rfMYDQ&y_a5lDzve&D-~IOCp)1`7v(U6|y5aX>*{ysZ%(Q!7 z)B7+nD&Yt7?Dj}h`q%jER>luz+U=3qeoPEX`N2Fit(d#qJOEX^-SMMupDLEM|y+t%CAn*~9SM~i2rYYM^1Nh5AxX=HDV$MDr7OCxAv zZf{^qBWSK;Z@_P$XQgkz#RXw!Z)>1q0pXlpt|k#h)Ck=^Sy@!;bAF`uOPlu3}M+*o^H>JgHew^6+gk(OSwCSJ43R0acKtUWe|= z#zzM$Az|lC8lOA2FW(T#(idG+G{`JX`O;ssGg4l( z9g<(P9hvUCfw}Lympo4VhKuQLc?#u?E-q@d3%QIjzuIp(vF*$s(O6!uX2WrDwr(pQ zV-Hbj8=h2ERsEdN9XVqo|=sz5yjSbM=miQYvb!NI2B!6%Fa zCB%5P^t-RmkN2zi{cTh49#z2nlqNpkqw2>)W>vucVq@P|X!H9n1h{(sZxr5Atghgq z1q>Nc4Srx{AObd&Ms4t5_0RoJW9jI2Gcr2llV|qNz%_1vU-;g`ceajd&yD zzk@;vxD9=aMF|)a#kj}zuh{_-~b3? 
z2mob@t0C4W&%9M(xZmDgN8W_hpwqMPLb~866@-y}KPmZzuvAZ5RD%J;n&iYkKbJ-JE;UzHnJ0liTR)!3v3hRO3O-#^e zP{h>ULIO;LV)O{ae|z@0$OtsG(QC@9@CCEPhFWh6YzY4{1G|=GJ`k%Zng$qG1&od} z&~26vJDsq)5b=ehIR~2&z;dA~F2hf6EEP_28dy~T20Ii$-tL)nmN9@nZW}|)7MM~_ z!8HS@mSs*X@KyHX$W!?TGEvaK>85QphUg0)Ix!V>NQ_C@+xqL-4V-8crey$qA#c24 zz-%#I&|761e5NI|8x;h9f|GU{8Fl+c=JCf>`GS+^r|096@_N|$zq!n77jOHu$p?UZ z6UY|n`zEm6Rz$#0Dn;w zOe9J9VuhIW%?dja!)!>*;U8A;sW#!L3jZwgC<>0AKm;-Xn+mh2MCZgvjf^)Oje(vC zQfPe>Uuu2eKMM5-#Uy+3KeTj<@k83=!~Tm_$nbw?aiRZ*7Wuzu5$6A-xRDivfZNFr zXCxUa-Ta;=J53mEcEYN%ihDU=Ix>_00nIy()qn{{@I+25GlK zP0;8MtjwKoOT2iBsvYR{%P1>Brs2cmHe3C9h^i#- z;e`sz%g{(G72U`VZ5_Eqzrs$>gBb8#!@k_%o-mc8g^mL>eeuD`G~R07^-q8CFcH0% z_$zxQy@F*G)oV%tkj_q@+AG&J8X6tre1E?rGw$jbK_S zRri76wH6%Unh*YzT`%>>kt%B1i{1X9UTXJ}d2`|RL9bl{)D#`d?oOi}7{z`GqGvYd zNc82%^WbwI1ZO#~=L;*HQ$}4`*>+xDOE;_D3cWN-NQCtZPlkoXDj;?-38~8D`-w$mf`>WQH1Dw7e!l1fB$s3NO6mM^lJSZ%20DW9N481_ zg*6W#&mLe)h%9#^*55{NArT;a(ATn0jOP&yC@@)Sh3_ECisW|2Fc*8N>;8Rq;*c98 zN`5}o&##4c&7BtaF`PatDUDB1cVAS^1c|ViaXbo7du z7FrZRs6znS#!QVCYEUU;tiPJ}4>)V1#a8+A1NrJr+)|E6^pH|)wsM;+|4sM8=V0*p z2T<*_UW~RInl4J0&|XPixTd`LTDN!C;kV*+ulOTdjnn z`imK1Xw%uPTXB4Iu6KNM6kb+ zg6iQQ#uUUagF^cj^ABkC9s1wi-rK4SXL@gC<&{Awy4vudF91M4OCD`NcR?Rcm*|`A zCW>c29Em^`&~_hf5p$p2pEVkAYFBMe(esF6^Ddd{o|-LizTC}N+sMZr=B?NY`25fa@8KZ&UjMseo z6!)Dg8az35rUFX@L`kHc&4ow8pF-iMtbv7P>lY2~a(~8TC7Y{Nu}o`w{2)tboQs!j zCUAfE9ce^mAi3Ew>VSqidTN8aUXa3wkQUf@wa)ACknKGRlk7hdf}vS~^%{m?4_(Tr z);I1x7)F(+$nk+yUl>P;+W?cmsH9gaR+G$CJD{QUIXD9V`pr3UGCB9T|2_R-KN3D{ zxdjnpH+jdE7#VdjVuJhl!w=LuZ57_=1^0qFH3q`KQvY8Ezc1O@5k{PNJQLBPb?XOBlSa>JylVHkd%1(}U`f)s7baP~B+L(=oqa07zz*-UNw^+u8fdgX-5nv%iZkBbKW_JD6ZNhT13+;v zLt$x$6~{E3m9BnpHX1&_W7RrN;#=LYmZ#v9ad*0(^J@* z51n7_^Kty-Hpdksj`F-zc3`-~zAgS}u^UUJyTA%Fcoa@|Bn;lT6oivlj=)1|#N-Kf zVe#EMPkx9@i6Bg_*78b;V@ah=*cPhihIV{n&z*^mt90@DEuh4(SmqV9NxQxp%!&$* z-z5v@*@55>AjZ?A%nc5h=C2%t)2U9lk2PlmSma9N+!<&+YBMxp65aZD&B@hzh=^7ygR)!!Tis7k4 
z0=9?a_0Gpj5AG?Zo1^Y?2vfv`FCfbi6yy2BLilYZ@ekTj=rxaN7e4R$u;{uQJ_6cOGT5UUASEJTR33yA6G!;XQtAl6-uK;8mhF;Ng_c{CYLtZ|z+}7a#RG;N^(SO+ePU>X9K^P~nIK_JS($=A-D1By zz;12B=17Eg#>-}cXlW`3*eyyhpr^`kyjlB2(+lO8E^UFSG5lSAmy#h;UArnC^ATO< zKSh zlbqyM)c}d7dC?8Qe-kU}bcv@dk_)OWxuf)e(I@ie;jN#~Cb66Wwjm(kLrb%G*_JEA zu?S?M_%$D0@qlA7Ie4}5FBB#5hLMR7=VnL>xM8thBbH*{3tZy{n!55?lTIKCH!a55M~n0kX;*i&JyVpj}oa~F4-ZZ!)&t%6EYe{Bi+0s;#CPQ+0ob=FO^jOBc7G!K|w$TuWc=T8m#A zBn`a!>s|CE0uhuNmm*s0)$=j*)*UuCk*&})+G}(}jGAYruOIKHTxvQh5s@lr39McsJA zrt|`Jal8;-o2Xb3ZJplGRIr!_sVza|;S)h1`uuS}^9%q$oCFI$Hc_=pWTM_ z|JrTX{vURmfBmjOheyXq%f|e_|BA8h>gFy#Uw@@}nC@~g#*o4w@{`_(e$PNN8kFV- z8!&?JUlCyfbXp=lLtY>e!yza=Y(te10SG9TwKZOvfss$l#f!)$MTdJpu zd%$yn)ljx(v&$5J?}gV_kIu`=%dvF31x>f}`UOq1^ZLb1qLofMVSf5Q&N=pXFTJoE zw!Odoqm{q_-3AMa+MF^f5w>^ztykH5&D^{kw_@e|!8H7ja8y=n^X*Rh7qRg9(|Ltg zBs6%uv^~%4;qg@-@uN~Sf{zp`7j!TO<4iQ#r^RS!X*T`{H+Y|yy76Lvgx*JK_?}xV zRh-{zVR-s}dJjH;HSBYFSzV1kA1>;=65)$%TazLD=AFPK%*)Go2zvF?p?}%JGKc*u z$pHuYl${j(H?e_DbIRDk)sIeuF@;Jo?KfLLKAYU^jD}o+VUvLr$@AyyOk0jifO>Xw zDC-c)1LrBiK`c^DN_6$4$?2G!2Hiu{XOimCGU5zgn7aU1+T1mzOB^SU?q2=yT=Wl@ zIX7)m+*rB20Ixyh=Vl%BA5k%j!?%0WUVMWwuR8H>@H4a%uz377343I9Ib5)KmW0bN zn>{F3(Z96~+8Lr7(fu#CnP3NoZ00OU*(4o%2yE36w`Z$%qtIbOf(P zHqqJow*k#&r}7UG?j?ou0PkC5jluW6Z7^aZG(v4iwe9^1M%L;OHJu>?bS`=Y1jClX z^ooly8h@`w$wR$8sf^^csZoUCnd3QsYig%tXOmFz0#jFJ)3-D7odw;n#VI;ZW^_r( z#&D(7f4mRBjZe?`%*BCX<(~GLL-o@_SPrF9_1MhB(o}szTFYrVU^G#)D$mhI;yx!p z0WyB%`S#aD7KhP8S;{^`0V*mo%HDy#k;JW`>sm26b7{Z1C_Tmf#A58E@ypISrO_-RbyOIOa;z_X#I6iS1p z%ns0sjk%Fk+`~;%t+d9Jlz6WZB48x=NTc_Gk9-&I+5kyvzn!>+?nr*27^$Aa_MKp= zmY_Cs;%Mn~$0jeg20O$Agd2#r(iZ4Z?pv0yH_L2jSsPy!=uoK4X43p@1Nn7^%ipga5HI5L&IXc>93fjhnz$UeYIeIv_ ziWty_Y28!A$5IzYc!k3pou=8?Tm9%RcHQb8TR)c|MXsV4(7LU7T!dhcOdP28+7!N@ z;sUJ~wwK2?FW@qBE9YRCIa!vem4n+(YcT~f`jGL_%9}GDV|`z|02tYa|6s|Z6wLtq zhoimnBf-I#ay1K<*tMdBb5e=I`ub8&AW>kyEXshen~<)2SyO5`MYC&_hm1PN$mr_S z4J$b|M@Of)<9k7TJp3ksC?!=N*=PlhIk^46+Ia;)MXO|U|9%KL*Im`*D#G1#6(8h2 zwo~=iRkgB-smjWc#!6LGpGTnzCu>-!0JwDZ8t#paqXQg-%0q}}Wc$&HHg>CF@8 
zb!nA%uO%Bkn$S_PjM-o-t%Obx&aRyf6`zb+!OY(zwKks0$yMUP_!ks*7E>Is2J&q`<&zSSTUML~8B)1;Ol57zB@L1`If#eRj+XkG{{~DD{?3pPj z=>ZbAPn)rOJfFLkA)z)s~%T~%IHW3ZOKYn-6j+;PkIN#(u|9+ z#l>LMir=?)2@ynL8nTzT9x@|hRkR-Kua9kWrCHUw5GrQO6w^}xn)6|9THCD*d^s9} ztDizOkri^klB~M{R%O03b|9IscQ5GF<2~J9_^OhAKQUR!&vvt^7m)jS*tn6u_qn|C z7qp6m#L6r;{6cG?BBLhGkt|0{ZQeyAz5PKJj>!yzil!79bibGNZi!Yo8+v)K?kWu4 zbjB4n&FAB@93ir5dP3%+JgCPIs0oVmL{k!XXfY@`t*oz(O;qJFCXMG*MMT{ojCSN? z!K&wh85x;*6A>hX=xJ;o^2E#Ste?6`+4s?k@bq!D z9uo{OCgczy#5c&EHLe#C5#h9AxT&xwH))o-QMRZ@0UyJVmo1ghyx?n1!E{$E*Ur}> zICtb30p z$o-c!*ALb#b6HW>gb@=qHuj8ObMh^hFh3fa*@K)9)g1<>v}Rt0E0o&RF?8VC^~|}g zTD93w5t|IF)F5Hd(d-H=)#(jlVoEY)<1NY+Rkd^0tlC3_ED1-K9l6+EB&M6PM?FHF1+h?C8};g3q{B+zE*ZWC9f6~ z)tl-ZPjxZWO!TyD8;uQjmrvadOl!z6BwXY0geBtyOS`)kPwrJm`MYw%M8hod?Hw6Q z%=7clFteh@)il{l=VVTg23 zsE9*nBRp=CM^|izC8V@T3IX$2O(_F|MhoIni;Ii=3`WMaWEm-El#8;ut3J??Xv%~-ilxG*n1ay!F5VB= zpIynVH#2m${Ulq>Q1@CVtJ2cb_B?}h| z3kp@_WS?BMLKW(cLiD8A&xC{Gj^V_DSg|C75Ra`5Ux*VDc41P5g>ljns2nC!fZ?K8 zJ(p`Ul!~&5=)2NES-4rp>bvJWSi-sb7c0P!i9QQoZ?4oT!YJzHArB9Grq!M4Q5_># z!t8wP4uOUPcAIHq!wyN7G9Z66Pffh2sv%ylG~jR7c^#i9nC&T~N>-VkbQd)2y*Qq~}c;hoNoz+3Rs)Lz0&%G2`l{09J+H)nF%FK`LPLypb?MH~0$`J#N@O54C<5Z)9J1(sx`;?sZ}0M-S!*cBzibR00b4k*X}^ z`jlfBFM6x}AZ4V@@!^Bw{>w&sO&p7}eyGwg+jb*?zONN_Iu+3{M*J>XFL^3rlb;4A zA~g-+a_Ay1xsfux^;!PELi^4sJ>j== z>kT2`lizRCiZb}f-rzCGX0#iK=_)XT=;++7~&VSN^s z?!~$QV}7DCeZNnml+OBcW+eAXTyX&fOs!sj|2!U+y>r;P?5Va8AQ~XcJSnqgJ%6GB zyY6Y{I`2CZx})-Nr!vYsXhCkyuSOE15*p?$V?~P=7i-^!m&`wPOodUFf!$AHY!DJ_ zB9>dkFY4?!$DXay+uovrXOg?SP z!gAoqY)xoQqXhkf3j@tz+QFv1g%=G0BN$OhFo2*C;Z@!bKZMAI0Xtdd9Hw+x*Z$fz zLn;gtb+njrYw{N`q8sYq2vj21$c_lex-O{M8hJi(&lCsE-KJL2d`Z?(cfmBcMPU|> zOq8y@UbtP#$>y9ByDGzl^m~uirFml|g`12AYUyg`X8!|r_^Louhcf9Hv7oX1z|o|h z>JP;ktSq7nB%MG0OuC&zOd-<5yeVMI1WN*N{H(-1g9L5(Kv)Rdn%D3#m~c+P>VLvR z(+L*Bun^SH_f?6o;iJOV2zM^|Eu+8|35+T<`~`I5hK339g0B*vvWMC!dthv$hBPR6 zThUOO`9JMr_(J2rbCSX22PCgGWu*C&NfJY_;B`N&rd>vG`L=1CWw1v9^6F zPUC`UH*`Q0?t*pB1!Ub@DkOCoR!71I;+^+hdlPys$0`W4)sgZ;=4o81$%8UerZJm8 
z!uy(2!K^wty^p^wg&b|N0jV^Fi0vcEIkNDIpR;f)+uI~BEXb~nH+b+iCW+t?+4g6I zD{qto-oR~k@5yu~^m`i11MV*83HiOScKsv0+UcZ!<2+L}eE4By5H8o#kY5nVO&y%J zn_j!Dd82ZfYlgyMym?=V9jh}}@y4LqBdbmjq9i;1fj?{b{x0|-5ywE|$jnGBw9A6z zg*G^u0O(^)sQ5c1#mv;-Hw?uHszb$EjB}H5ij$WO>bl(}8wZfJ$p<(J7n$XPT?rC` zQ07)+_`7?qZe*GQ*kydfAP+~hD!z7XB=vJgwCY|Mjyi@haE?9`N7~dYB6{7RWj#k$ z!=S~psvu}qP7)y5S#kNlL34vCQare1{4SU8N0;*zLBuS1b&f(lhmYv zV4kFX%K9t|eju~r9>RB0K?lAO!@V_u9&ks|M^P+Oh{=iRYaDUwgyap{(Q(lSW6qNpPywrD&HLaN)G2OrNjCrpFB3{-fI2JJ|31)@LU_*$Ig ztJ5XrZ9tm|ezLv%8bx;=Lg7qZ9Y&&;vMEHI&J)XwH7DR5kjJhL&6zh1ekx;+#ktjw3F6)rQM`ye=#UhCdK7n7h z$nqs+Xw|nxr*t>Xkm^xs2JY@6jLnqOO}6b8hKx&(C9K+ND2r%g&Ac^9MWPZKL~+ zg@W#u*ii+E4(BaZ)CC-Qv*L^7Er9DV>%o$K$d(wThAine02kv&emmD)2KDEU2@SKh zHF?ekX|Ve?-p$4bj0Xhe6ET3inJ?$Vuyb;fL)PsGP*$y$llB_Wqm@H}nS!8fjTqxv-i&&WuQI5NjUsVY?akE`< zs##%W(;GptvmrN}3@Hi$g|;+4V`*0@bI*N-9s{V@s=4tEZ5hF$e7nUN%1CO^hSe{X zK;^Eepl#2av^+)$Rgk!Jv&iaRIzA_KQ?@keUW*Mpgh6DJ5}`A#Q;m)1r&Oj55rNMt zn%Cw{k*}GSWBVOz7Lnd7ml$a~`kPmE^<9ZtCQ7sBF?U+vt+wZPV<~PaZjsdnsvq$b z)F_vZ?XPOVv@qL(=-`^E%=8m+5&U6x3sd?EL2?xe@o`~Eslj|>5vRh&{97EZ-x*RO zHi91HsvBt63MYZ~gZ6LW*ktU<%BH(!7CWe$O*x3CVI^U(EhE8BJI)h|NfU8rHqOqj z!AJ)sSs#yTdgx94foZLkOLdmJASX!-Pc75QwYL+SpU@jz6(74>xf2Pam96x5y9(|r zrzaW|o!QToKA9nOjYROM!wRypj0Drs#d1)r(0-AF?mY8v7ndICN(~9iy8*<%J5sx2 zc#+d!eP2r}=g3btR$j-o=AvrTPSTY0_ZeB{Du=c+6`YDWni_?8n)%u_+RvN0D=ax~ z)@m=yE}jris?qL;cz&n%iD4wi~uPy%>NJV>ZDp9KL)VSzlE z-{GFb2&@(cgw zPEeQHbXKy4jb^ljK}X=~dH~&XHJ^2gv;5`Pj%4@_FB|q4eW0s5$edlbw6N<&;m3`~ zx0YVLyTYcoiMJ8{sLPJB*{>|r7%e*U$H}^_MkF4}59+b&Rh?w9AKH%4o%s{slUNaz zgGrF{Q!6kF{#^3>wPm^G^iI%ky=u+6aXasNCeJ5Ns1M2};t41%BPm`+jV??@W`fxN z3iU>UU%MTBibcmSjPwk!&zDL#96^{C@RlgUo>Uv~@x~0H>gQ=@7Kt{M2+3!Px5FMi zeY*F(GGP*t_76Hf2_R-(7DnPNBKiO~*PYIV&?YB@s*w2G7GQIdV|Nf!AYVW=*c((* zZ9H_KByYC5=5%itS&}^xZJ#}eF9hfm0`)ZSdLp%@xG&`RD_)?5IQ4Nv@TETm#v4*y zf)~&csorrz=I_ElD8s}*J%E^F90LCUF~`yOmWH(~ItsPYK>pnG<~~W{;N7NrUpH&b zv9%P+RHyeCuy?T`t7{-7qk*~);(Pxvb}FhIYPwRdL2zNKDY_Se+#~kD78q?=1m3N) 
z&F!R-MLq$i47LY;1?u)}mgXvaOfL{Grh$17BFo7$e!0tuWk8Dm8;u~2F^3)VZdSxwUIIYc1(E7S}kTXEgynze-AYkC7^~W+5O?h#7c^zJVC{o*N zE~+ov7}d1RQqRkYXlk7&Um%o(gnpPHVtT9KuX{E(2DBirhr$Qg2=6$`ozr6=#NN2Z zI=04*p%*_4FyXq{Yn9zN%JUf={lkk5wTDNx#E`9A6~O()8LVJS%j?1jylIkfRc9+h zH*cilbFTeCd$+NdQ&4B25#&n+OE}-+-&$rTq1GaMugM<*HdIrT8OCzWtt@M}D}8em z;r4f+eja3lxL1|O7srtVQPf_Yoj)Q1P);v`Y4!d>?^ShHR=MhVkzw%@D^Y4X2ExsU zV$vg=EF*=}o^)u_!evK-Z6Uc?!$Dkt2Q17M+XueLwEw9qwT|t`$nGG6fgb+&18^7~ z2;pFUmQT$KDKwaH>vR`XMYFaWMUb>1EThDTk*TKM=5l*L;MGHceH2fyr~bz0F-^6t z-GlrdFJ?7Kf9H;Szan^`${sR6Ji6CHyHfZwAr283`AEn;h9*|ee+8xwZIdFGD`%=Gy z-lR_vHzfL(`Qz3Q2$&O|0&Y*dB1wSr=hYJKMFOd_)|fE?A`)@Yy!{&z{+$Qs02`8| z^^>Q_x;R9=bNs#ZxZCx*)B+(jKfBiyHT?`o3M%0eqJBBRuBZzOp#WiSi4kG3L5{d8 zZm#JIPKX0pHR7NXZB(S3Bkcww{Z2X`m=m#iTco+ZX9ONGHVaoHnCM4^PzSdlMv7xv z@)#s~W&>eaCB$k>U)v6|TG!saZrF-0gDLO6Bi+*E8M=0^N!dNIU`6*)oR@TDI@+n! zQ$8#=eqMx`$RHBY+4^uMJV_(0!4O!~pqT%7ZQ8R%4GMj2a@I2U#jWO91pNw3-{Y2% znC|+0j>nGdB9Y>PVS{8V$wA~@rue}!Lqo8Tm=S@bK_E0CmTpUwT4l70{|THZyR@dI52mGG5mDfqCC zVY7U~YS~Z(cGOR;s9e{86cEzN&<}78SD8VB5T;F*>IG&=)%x8`Crt5b26gdpGfZiP+aLgtbzK0MTO*a_ z!m&e-n4mqG4l22I?0h=btZBI0K8jSF10!V_bHKA#zxGulrbcncuj6{KPQHI!V?DYJ z9yUjfyEQ&f-aZ-LT--S|JNZ~qYeoa3-zky0k2q5}-|7Y7@eNC)$=+(cC8uEpaDyXX zG;SpCc-}^sJH4KAXma1NOKH&oM|M`A<8a)iEzTA!Y`w-TMigL-(h7%yz;MN#D`t+V zN#}B=q{uNq;Sj%8yI68+1_bInc~48g0I=cVO2gFQg5ge0Ek^zz1eL^@+5!}(nbk zv;{T>#>|?#TtllRhq5KmegTnK#Qx7m=rsrKhNe|dD2B?4=G0aH8kQaGehyzJO*D0# ztzPS2P+nkOSO+aVTadk1OCtNBw5bepN~ag4$aN<$ddc zm-7^6>q&EaO-ki$bL};TfgH_!8)ZC~5XA0w!Jv>@!;9DWo)ncPX2AJ$jeiAA#)kTY zY)!{s_PJF(cWpbeEkj#zF6&y_*e8@0H3p&mG|0<_ZE1={>=qZC*TQUOKFfFryW&-q zYUOu~8+`JYRdr1c00oPDnK>#*I*pWnJA;rT870OB$TQ?{8&4C zy?!{)Gd-D67SR(c^C+=0q4f6V^#KGflY11)8$k^b%)z`xMCH%96F8#q{X@jt>YYO( zjK+=-BA83WMHGvR|9lsM?Jb3%<1fq?LSEU2dK4#ZBMwD7A{>uU-Hmx1S5KBmuZt=g zEFNr>zFRr>3D};st@uCW>U<~ReCO)0(b6;jCs&7#_P>*L57X(o1lWN_^7+<2m`vKnnn1Al0sQiK>%psZ8Z+_S98Nl?KOTv z&>ZFJFhNyt8E{SB6N(GpSWIJlEzgFGdsJC4#h%a(!wpvrD?Tn6j#*S6ohHI%v{WC& zv$#5e(w)ZL9(sS&&|aqpKZ#cieq3j$_y@%6Z9nd0KdKiejnSDy##b7?Z) 
z2mL~9XU}Kvu$G|Ijnb1B>$BJy;gD92AD&l8rtjN6m*$!+pK}1K9(Qi{-TEsniVfT@ z=N6GYil@;$G)(EvEi`XoOYi>>nRNeKrQ3gkkVeiy*Zw;q>j6^MCCB(f{T5?elHN@?W<9;D7gh+x)BjXGEKR;k`|$pW>;E&-|DEIg--Us6jNfkmL$LpMh8-;n)BllSx6kJ0 zF1P4%*!p;~AEYTPh*wn+Juc>nuLI=21=)Zs7pFXcMv2%}L##&7kSDy8kjE3QZ^KU} zDI{Vt(?h@Vled>CdW%S6SARVfwcjkwL2Y4&WPHI;$518CGJomyqIt1rit+Wm;k}V! z-L3Psee#j@a7dE0F-Qb(7%mY^!=u~3O1n4+?uHp(`(h>LV0pmlfPhmJY<4r_==gQz zxz&>o3>BZ>uA2ddx%N#FH8wLNRMwk`t<)TCy1fKy@dN3A@fPL_j-)|QxQjEak zSfiA26UEvcYw+tGYxR{HN2lqgJ0XI6^=(D?U6zL5H?f->1@hV>g&4x^l!rt`0~6>aL+?9gYa z*nPu^#f`wcrY>>o@oiw3nk1z@DLx{uNbc$6b;M_*rt$tF+YLRNMCAIP6H?f%+d1ea zr6H|YBeFYSwktMMEj&`>BRDo*oR3`h)gi7qJFIi9PIkD~G@h$Z)poV) z4zZ0VbA>BNXFvB8&WLm^lEdp~V8;QEvBAC3F?Iw!&yfpaFJ7E(Hk<%5w%|AHJyvr9 zH8=__HR0qwE7?@yAA4zgnrA(0`70dPmw8u@M$@-K(vvy}#E;q}(491yPsx-AA0bGQ zpZ;w<>{E|M!*=remw9CcKI;RVleCK;P@qvUIBkAck4J}qj`N57w_YB_k2@{e+Z(Z_ z#yf+%Zc~p=bbK_rjMNZ~R;I9Z^%Yhsi)U6Xw~_S`TFSH5t(6@Wj`zQ^4fic5EHygJ zkEz5;P!$vuBH5d?WtK_ z%ABsGDfsjD27XLPIQ>!-s^=}?51^sv`wdT^F(h#<>+FlR@EuFz{Ni%P#2=Ss44KQ4 zTq0R9h0qgK89s#@nPG>TEL=*=2`+Yhq73W{-)IV?wo(awKe9A~)7s@AfjBkwtrA4k zwO29B2~Nty=93eF#=LqPjS0zJhd8_v(Fkg;SMcuRCTcHxLXslwx%>gCVBk>kaREdUB==h zU(pHVTYeDC;>!e*k}oKR#HQr!^>L^tuMQ+Olno_RfH$Ae?Y#Qw79f_IrNyHq$;^3~ zILS8BMn&i~6S9&4S#>x*()+u)Ov zr@WGvbGWLmqtu1GEzrG5GA;oD8&QJ*g<(gmbZUhr0ge(F!WzTL7VS&^vi4Bijcir8 zyH>SLa+4}TpEcitp;i-Xo0Jp%_t1==Afc*iPQTF1XKspG-OYutfzjgV>@S}1IF<@E zxlK8^fd-WY1sO{PsaD-4#WH=Ips{*qOB+;D!@M8$krfWo-_HE@a}dJJ{g=hY3?1*{ zb7gEaN*>i!NKSm9etHB&UeO<#7{aLw+keEK&uPH?^~n-)!PqY_fOu_IM6jYO@C66Z z4fyPe@qK88xAjA5hsW_HDR$|RgerLm0>p>pz*Tujk!SZDu(EHkgjij)nYeA&J z9(dwag{JwU(dWP&QwaUAe9v^eP90{;&n=7~!9u4=F;uBEl&KrQNH7}{T)BvlN8Wve z8wl~3Fv)x7wov)4%ljCc6>|trfaoTXHK`6-6~&$~z_kc>=Mgmhh#>^LchJY$wSbF( znCsc9iJw!fmTCt^Web3siu5CJ<8$p$uZVWK?Fhvf`|y$IO_56t9aND=@kK~oluJNDkTS$&~w@>KoSR_ zh;?-T-EAT$)y!9T{_*@18>xz&$4q0K*F4ffyR8jX8DvEzEXc|Pe2c6 zShIMAsc>blIY0$%>CH*Yy~=g*w9?H?^rWsqDjE0u^=a2*QT4KH zTFjHyIg`K|Gc!Mrt>6ErVlF;b;e0VvIq(Tpo6stXfHdQgS9*;IyRC0R@dIi 
z)(FxJ9X8a_-;h}5O+u~VHR4vSxLXW9`Sbc3v~r<|435Gbsf?F(vc|U)Ej{y>>$|<3 z3nIuZK%JfjZ@9vV;k0^o%|lJr(mC8@gSwR9`H|-zih4fX#e@sdm>BEQyFVK-u`Fqu zwzbx*hoNbjx6xV7oO(ShgIl*1MaP|bnTa|Dh6~AEqA;18vxlJ_S=1eR(U2$Tux$Oz zyCl$AS>6VqFC|L^ms{7Xl4GZ?YD(h+V+V`$Q%fwmRef6uoi{jYkz2wNEq`&ilA4dm;Mh(_h*Ta=YYU z4byPF%iPsstHrO@!@WIQbP5@)z}8mN97xq#h&R1#YpvWJQ(OE+JaWw4>FB+%GY}HR zig~auZWx{6Yn3Wep5oJ~3CT#Zz$I5sat5^ni!=cM$)XoHp-pxJ3MGhr3VRePct&d; zr1$;*^8gGuhy7BwRnRYvy&XJMyo~a4gfw9v>xEg9$q^4o*d&sf{kWYc7*R#~Ji50WHLTh?Pog{8nF2m+4G zDz7cwoj{(a_X|y$Ck}$7Xy|`6bLHVscW?iBC^FWvWH$MGj^4ov1FH> ztjR9?RJIg~WGRyDTZ51_OHU?Sl1lcS_dBZRk*D{4uj~Emo$ETj-|POKbDwkW`#$%K z>+|{EM_Q(DIZL$U(*{2|a@NW3+^~B=MNkDgb(f`UShb)vHH>~M7^Ea(~wz2Ey=)Kqc_^Jf|< zd3eA1-Hj4JkuEYeYrY!emDtdz6d{OTlmfNk2huACqEq|NAWwOB%00yw1iffAcAd&N z{W|x$PiBe>7hx%80C$MA7CoW3xkO^Fx=LKAGx?LTcDpIOqRZpWJKm8T{lP5fxeep@ z#Vel|uau|DZY{|my=Ft(JimyX@Ue5LZX^||v){k5>BsA|>#KRqvOu}>3eSRZjrq9X zRk}qz%!dT}#(TqO+kZYz%$Q*;QKb}4IPs?%jaG6!frc*i zT6(NlK#7)7LQ1~I+elsq9$J!^=eiumIIrsDUE{AHp9RPA>9p0$-mJAABv;0!bbOWt za&X6duu1L7FmcmMk;{&ncIcMymyD{hfk%DX641Qk%H!K}yOX^-ra>y1lqfFu^y^Ov zOzm2q{O^hMT``vT{7XP4u!D+Hx^)O_9?HPAcICWvsOGbaAKaK*Qxw@bS{&fw#b^6X zomS>{mKTWM8iM@S7F0}kUj}cR`q(St<#t}pGd9qOZXLhxd})hVw>=ZdO`;Yi zL2CO-DNwW(ERU8pl)1!&gmX_aTb7UHZs#RT8gV=*6OGP2j|WlaCY(5|CZ?6#ND!k- zJ$a$)inm6NGaZ~g1J`NT&pCM0UaXySfUW!UtE0O+t$uUW;jWo$V{2GzQ`Aio=)rsrev9H@xD$MfU%@8gsO&>%Qy7PK+Sm!6m!0oXp=J>$;ooeYTT%7U z5j!Ae5hCpu)u)_QZbLO{&&njELsc5-7~t#=vA35%dZ%aw-I9%YG8?yuY;mW8N~)$x zG}PY*Z0ic~LA2N$U;7O7$>Y-bWGWm6c`{R$HK!J_n~8-^buaiE1Mmt-V;fDiH_Bx~ zJ!qG6x?$%Y_h^Y**^b2aZU1@QI)3Wz)XngxhB4U78Ru>L1wUOVk9rvUi9wbd8-^to z4EXpw7n@?0`MlKq9}_eC>XftxMG}K3uH2c9-qC{WDtfKipd8EMF`wCw`K!dDn84Y0 zMp7S>dO|sDx=67YU)oInqudaBt@r5V=d}TESFLtavv*&+$6E2z(1;^G$-FUIQC9w} zkDQhiPj4D=WRN>O9OKB#_J@g;1SO8jpxvyDF5=bQ`*bkt^LVOA0}F|P5(7{H%Ag75 zl;SZ}mCHU^o_*{j`$eH*okn}Hh?y3N%`L_F>h+?!7&C+slV>u+~L;AW`^VaoDZ?n4Gu{bG&exaeEvD@3@ zA-H&jb4OPBGaD8oZxk|lhia%AFfAe|E0AW8hX~GX{q&6X4jsxZrb@X`-iiv|` 
z^Rb`VU)~mFoqWjTrad^r&3&3=Wx?a9Hzm=uBo{pzGOZhZVQz(bNfi?+PEBpkupnb` zyx>}KNVFbUzu}K?b=Ea0y#^OngkD4G$yQw@YgYDx_ZqA*=dWdMB}b9&E&Y)>%9LKX z*|xkD!L8n>3u{g*xP*VzQRUrs>av_L`*4d!Q3;Cy1s=9`e|)-QHT-VEeCF_aXzJ+m z1lbD>gi70fTdtLIE50GulI4bo`PfZ3oGWeYjjiB??hu~n9u|5wzFrBL_02j?)ApU^ z(Bd#tzU_5~>{P-fg&Q*P?)1vTv=6LrZBeii&F>R}&&Zx})JT1QJI`&wmY$cPAVWmY zGkwUqO$ear5WwwV5Nfu9V?`@CPC^=+YK{9nUIM~i~ ze%R8jFZ>f0-EpTZ+wp6&!{w_ge7=ti3PilFt`i)3Ca?^g56X#~z;DV<#PXbWK(0&c z!rQ^o^}F-kq@0cD+nRpQvI0KuY;K}*;HK3?kMU*HWy95eyl92o*QD10xD2K|%T&8Z z<}IQzDm!VrvyDN4R~F`)dO?q`=I12cl3rD_Oztb>u1o6IZu!gQ9G=-N*a*x0jdCG! zLuh6iXC>%<)3LFN&(+8-W|e9xkSP!{uM!82ORz4WpR}WiUpPe4(Ky=dAUTZf8Y?E< z?l>mW7+F}a&~kZ9+QmROaKOP{ds`^*@*s=Ys9~#sos&ld7N`DI`8~SnXdEt@|38a9 zmR&($D(+x`T>f{U4&XmBonV- z{4^^%tHYvedWTlOVaqU>RvmeIodlJ?-6pA|bFFXeqtTn<`ZH0(u7_w z>6*o{xSOyTs@k}&k`))9EQ#2PIQ^jB7-qU$MlsteF%U^H4OPSi0trPHId3zyR%%{3?KGk=I(}0^`Aa@Rkh;bb6Z^lc(Gx*=AfIFujv( zSeDatx^auA!9zAZil|SGC(z29q{OVWyjsghBp8H|IJD-oT~3ZLt5{4s?O-{0^Oe#y zCD=&8C%wX6bAS|#bxS8asmDq6a8}%*zTS?_#u=+J@u9a>TugyuN3K%i2WELjW)R%ZzqSpzg0vsfzcj7vp!cAlBBQy~q89k!}PESloo7r(HT0yoi z8a-xabZZ!h{^dG(4xO-`w%Cf|nyyHvwqUImKd&%+@@Y1P>o}Z%GP>n5i*i%V{Mx%- z-4_$;9#YA1$vX2Dr+GE+6Ve$Yl+m_yy44PTS;+!1F222$W(KghGK@1M)_4QQn&=^0 zTK&Xrx+{ZKNm%^Stz=OD#dV*urLP!6byZw%?_d=hoG@Nud83kum{lv%HGTTK+#yGWm&jqmRoO6Eax58YmGbV!LLXUVR zqSX`L38_~KL{7E&H%r!6PzRMtHl~SI2pVwD)SP%dAMX-Zv06KK|U)|FV$xByC?uZo;v= z`%D8TXPi{y*xIKa+{Cf;_8Z5zJ>I2@K1V3!nyMnOiON(xbjs(n>U0eg)R3z%FHGtW zWlBj)Hvyg6HD6M!k~Dtkb^2lF=@XYZADp;?jKjBAPu_ZbZ)L+psKr9mS712yJo@Ye z$Gu*hXA4W4b|GrV{mZu~$MbEPbc(K%DK*Jf?aAI=eYQ~}vDx&z<}yUNW!;6MO%W+? 
z&Qfq}UHYOzPM(#FXd0teOikels8sFG=xtW$lw6 z!yi6dP&`I*;!G>EKx)f_#?-o=UcBI%{7(C+h*#pprWwV^iwQ4LMXkagWs~*&XYOA* zn(dhiel<^LbYoOK3uGLC_si9sNd~n{x9^swPa1?^UF;2n+-sMz;~i2m4^;B0cSUp_~*YF=dS!Q#G7AFWI(gNd(;R2d8fk3TR*0`q~x=Jl$5W7 z*SOg;DIbqHb`F<5b;NQraa`bLQ^P!4@aVMrFyz%d2WcX4tTW(!3O=y7FLAId$hh6K zlXd-e2=5~hIG)1HEc#qD>xAoC*0nWr?`~zN5-*e3-OwaMXnd{z#HBG zZ__&rcn|9%wQDHtOy+A}RkW7o*EICR&Drs~KLRy1`3$|e%mx}_{cQX!wI)k17O8V2 z+XhQ0y8Maxj^^~HOh?qEu*<F$-8jmFEJrOF3=dbCL`ysd_)dz=#*Xa12fu2v5O8&SrjY{ zr>FFnrV-h}ryd^Rvm3^o40jXjPr`K!KTFu9caUtu~iR_v!v)7J&>b}8=eb*@AJF9igu9}K|obLGSu@oB1W&h}pkFIx#+Vwwsg=p%2 z9w-qd6cAl$#}IAE)9D>iB@{qI72xFOdB@Gm8@9Ac~#@7L`Zf=GOEtt&KgDCD|&S(eLWRV{hxHd?cs340*n0Q z&2tqDc$irS|^~k@@nh0Wjon>p)_@$gc{dJaTlU>Y@iMGq1JoUn!XY1>`cwRk^ z+CR;1rsn-FrcnRj=YL1f{{X`NcR}=9{1plWz&`wyjFG}%0EiFZtYj>djIoj%S@shf z{dwJ!0l|j^8i2d*;io^a*uB2L!BENP00-KSq3)Ht`X$cx6)C|2^+(8?2k=uEcn^#I z6>j}WoB%?S3_pXR-?;};=iQtw@zx$DQb6feDP3!Ck4wMIaKN1B&26ov&YQcDX%63K z!&$pKd%9U#yMv+M3#6R0wz4xP(v@{d}MZsY( zG#q(JO3lsL(*;-+9>B-}HiipXxuuVk3LfB7T(z^b#;GYwse?TL{9HjnN(ERtFt^&uC zOJIlJ$3diYfiGrjIjkxc3xS{z5Qwx4&@ey)!VCsnQLyj#(kj3e`lAot2kIb%TL3plN62ZUWw$6ud_UAPc|m7PjAp2dNe+<^U_l*%nwCFyr^Y1WD<* zSUV|Ml370Aw*i(S@59N{(ee8q2%uZX)5Fou2^jNzGrt&oA3;F{C`$|wiGG+G0hozw z&ONh|O$D4GD^E-7zn_!MO?Cxf+Mg~!kWDT9qmiGHb&%Zzfk5DZ9Ht6fA%L#Esem7|4fwkZ z29=Qp&L;T-cKRU$?#bu%R~bwi4p{aV84L!61DWC%89=>40>=4OhJc|C_JhHYFd%0g z>?d<@UML(vW{mvO50JruI5;4a2GZ*R83F?EvkuDOsDpFB0QMFTpTFn>WXON_gCT(< zd!XOH=Y>JhsDtYR>`bPx{5lo}hx}_^7+m_`K45_D|D_KGB*}mDdAOMaq%k*g0>In( zS_3YZ!Z|wwd1EgZf~3@)Y@ER`a?}D}8|oOa30MxTB8^a1LBOTaSS%8PgkhzXFjyE0 zhCxfKBBde93ZVbJ3;76QoGn!d)|L+Lo>#z9NGMW883l*Jp;#0`8ii3t!-1Tks)|G? fA(2Wb1o;rTdzia Date: Thu, 27 Sep 2018 07:40:30 +0200 Subject: [PATCH 040/113] chg: [relationship] annotates relationship added (useful for the annotation object) --- relationships/definition.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 5279345..422834e 100644 
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -636,6 +636,13 @@
 "format": [
 "misp"
 ]
+ },
+ {
+ "name": "annotates",
+ "description": "This relationships describes an object which annotates another object.",
+ "format": [
+ "misp"
+ ]
 }
 ],
 "description": "Default type of relationships in MISP objects.", From 10acf6289eb5a5644708e66c8796cbe594052669 Mon Sep 17 00:00:00 2001 From: aksha Date: Thu, 27 Sep 2018 11:46:32 +0100 Subject: [PATCH 041/113] add: Misp object for Mactime-timeline-analysis --- .../mactime-timeline-analysis/definition.json | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 objects/mactime-timeline-analysis/definition.json
diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json new file mode 100644
index 0000000..b09ea49
--- /dev/null
+++ b/objects/mactime-timeline-analysis/definition.json
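Review bot: The description string on the added `annotates` entry has a number-agreement typo, `This relationships describes`; it should read `"description": "This relationship describes an object which annotates another object.",`. This text is what analysts see when picking a relationship type, and it is likely carried into the generated documentation, so it is worth fixing before it propagates. The enclosing relationships array begins outside this hunk.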
@@ -0,0 +1,51 @@
+{
+ "requiredOneOf": [
+ "filepath",
+ "file_activity",
+ "datetime"
+ ],
+ "attributes": {
+ "file-path": {
+ "description": "Location of the file on the disc",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "datetime": {
+ "description": "Date and time when the operation was conducted on the file",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "file_size": {
+ "description": "Determines the file size in bytes",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "activityType": {
+ "description": "Determines the type of activity conducted on the file at a given time",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Accessed",
+ "Created",
+ "Changed",
+ "Modified",
+ "Other"
+ ]
+ },
+ "filePermissions": {
+ "description": "Describes permissions assigned the file",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "file": {
+ "description": "Mactime output file",
+ "ui-priority": 0,
+ "misp-attribute": "attachment"
+ }
+ },
+ "version": 1,
+ "description": "Mactime template, used in forensic investigations to describe the timeline of a file activity",
+ "meta-category": "file",
+ "uuid": "9297982e-be62-4772-a665-c91f5a8d639",
+ "name": "mactime-timeline-analysis"
+} From 5acaa3498f193abec14a54b1af80236be5b9f12f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 27 Sep 2018 13:19:33 +0200 Subject: [PATCH 042/113] chg: jq all the things ;-) --- .../mactime-timeline-analysis/definition.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json
index b09ea49..55d86e0 100644
--- a/objects/mactime-timeline-analysis/definition.json
+++ b/objects/mactime-timeline-analysis/definition.json
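Review bot: `requiredOneOf` names `filepath` and `file_activity`, but the keys actually defined under `attributes` are `file-path` and `activityType`, so only `datetime` can ever satisfy the constraint and an instance built from this template without a datetime would be rejected for a reason the author did not intend; it should presumably read `"requiredOneOf": ["file-path", "activityType", "datetime"]`. The `uuid` value `9297982e-be62-4772-a665-c91f5a8d639` has only 11 hex digits in its last group, so it is not a well-formed UUID; since the template is identified by this value, regenerate it with a properly formed random UUID before the template is published rather than hand-editing the string. The attribute names also mix three conventions (`file-path`, `file_size`, `activityType`, `filePermissions`) while the other templates listed on this page use hyphenated lower-case names; settling on the hyphenated form would keep this template consistent with the rest of the repository. Minor: `"Describes permissions assigned the file"` is missing "to".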
@@ -24,20 +24,20 @@
 "description": "Determines the type of activity conducted on the file at a given time",
 "ui-priority": 0,
 "misp-attribute": "text",
- "sane_default": [
- "Accessed",
- "Created",
- "Changed",
- "Modified",
- "Other"
- ]
+ "sane_default": [
+ "Accessed",
+ "Created",
+ "Changed",
+ "Modified",
+ "Other"
+ ]
 },
 "filePermissions": {
 "description": "Describes permissions assigned the file",
 "ui-priority": 0,
 "misp-attribute": "text"
 },
- "file": {
+ "file": {
 "description": "Mactime output file",
 "ui-priority": 0,
 "misp-attribute": "attachment"
From 0877fc80c5a20f0041bb3db2b38ef81887e4f6da Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 27 Sep 2018 13:30:44 +0200
Subject: [PATCH 043/113] chg: [doc] mactime template added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index b7b03f0..a8aad33 100644
--- a/README.md
+++ b/README.md
@@ -97,6 +97,7 @@ for a specific attribute.
 * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation.
 * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
 * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
+* [objects/mactime-timeline-analysis](objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
 * [objects/malware-config](objects/malware-config/definition.json) - Object describing a malware configuration recovered or extracted from a malicious binary.
 * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook.
 * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
From 98459432a2009a9d7de5176dfdbda4af2263e604 Mon Sep 17 00:00:00 2001
From: aksha
Date: Fri, 28 Sep 2018 12:13:31 +0100
Subject: [PATCH 044/113] Add: Regripper 3 object templates including SAM hive and NTUSer.dat.
---
 objects/regripper-NTUser/definition.json | 95 +++++++++++++++++++
 .../definition.json | 59 ++++++++++++
 .../definition.json | 53 +++++++++++
 3 files changed, 207 insertions(+)
 create mode 100644 objects/regripper-NTUser/definition.json
 create mode 100644 objects/regripper-sam-hive-single-user/definition.json
 create mode 100644 objects/regripper-sam-hive-user-group/definition.json
diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json
new file mode 100644
index 0000000..cb0a4a7
--- /dev/null
+++ b/objects/regripper-NTUser/definition.json
@@ -0,0 +1,95 @@
+{
+ "required": [
+ "key"
+ ],
+ "requiredOneOf": [
+ "group-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Registry key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "logon-user-name": {
+ "description": "Name assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "recent-folders-accessed": {
+ "description": "List of recent folders accessed by the user.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":"true"
+ },
+ "recent-files-accessed": {
+ "description": "List of recent files accessed by the user.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":"true"
+ },
+ "typed-urls": {
+ "description": "Urls typed by the user in internet explorer",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":"true"
+ },
+ "applications-installed": {
+ "description": "List of applications installed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":"true"
+ },
+ "applications-run": {
+ "description": "List of applications set to run on the system.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": "true"
+ },
+ "external-devices": {
+ "description": "List of external devices connected to the system by the user.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": "true"
+ },
+ "user-init": {
+ "description": "Applications or processes set to run when the user logs onto the windows system.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": "true"
+ },
+ "nukeOnDelete": {
+ "description": "Determines if the Recycle bin option has been disabled.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "network-connected-to": {
+ "description": "List of networks the user connected the system to.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": "true"
+ },
+ "mount-points": {
+ "description": "Details of the mount points created on the system.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": "true"
+ },
+ "comments": {
+ "description": "Additional information related to the user profile",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.",
+ "meta-category": "misc",
+ "uuid": "f9dc7b7e-8ab1-4dde-95d9-67e41b461c65",
+ "name": "regripper-NTUser"
+}
diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json
new file mode 100644
index 0000000..eb32b5b
--- /dev/null
+++ b/objects/regripper-sam-hive-single-user/definition.json
@@ -0,0 +1,59 @@
+{
+ "required": [
+ "key"
+ ],
+ "requiredOneOf": [
+ "user-name",
+ "last-login-time",
+ "login-count"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Registry key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "user-name": {
+ "description": "User name assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "full-user-name": {
+ "description": "Full name assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-login-time": {
+ "description": "Date and time when the user last logged onto the system.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "pwd-reset-time": {
+ "description": "Date and time when the password was last reset.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "pwd-fail-date": {
+ "description": "Date and time when a password last failed for this user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "login-count": {
+ "description": "Number of times the user logged-in onto the system.",
+ "ui-priority": 0,
+ "misp-attribute": "number"
+ }
+
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.",
+ "meta-category": "misc",
+ "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
+ "name": "regripper-sam-hive-single-user"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-sam-hive-user-group/definition.json b/objects/regripper-sam-hive-user-group/definition.json
new file mode 100644
index 0000000..1e41a1c
--- /dev/null
+++ b/objects/regripper-sam-hive-user-group/definition.json
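Review bot: `login-count` is declared with `"misp-attribute": "number"`, which as far as I know is not a MISP attribute type — `counter` is the type MISP provides for integer counts — so the template would fail type validation; confirm against the attribute-type list before merging. The same `number` type is used on `interface-MediaSubType` in the regripper-system-hive-network-information hunk and on `CurrentBuild` in the regripper-software-hive-general-windows-info hunk. The file also ends with an indented `}` followed by a whitespace-only line and no trailing newline, which the jq pass applied to the mactime template earlier in this series would normalise.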
@@ -0,0 +1,53 @@
+{
+ "required": [
+ "key"
+ ],
+ "requiredOneOf": [
+ "group-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Registry key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "group-name": {
+ "description": "Name assigned to the profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "full-name": {
+ "description": "Full name assigned to the profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-date-time": {
+ "description": "Date and time when the group key was updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "group-comment": {
+ "description": "Name assigned to the profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "group-users": {
+ "description": "Users belonging to the group",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": "true"
+ }
+
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.",
+ "meta-category": "misc",
+ "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c",
+ "name": "regripper-sam-hive-user-group"
+ }
+
\ No newline at end of file
From 58ab539825af9a5844af90a435cdc4d671c8214b Mon Sep 17 00:00:00 2001
From: aksha
Date: Fri, 28 Sep 2018 12:15:21 +0100
Subject: [PATCH 045/113] Fix: NTUser template
---
 objects/regripper-NTUser/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json
index cb0a4a7..264aae9 100644
--- a/objects/regripper-NTUser/definition.json
+++ b/objects/regripper-NTUser/definition.json
@@ -3,7 +3,7 @@
 "key"
 ],
 "requiredOneOf": [
- "group-name"
+ "logon-user-name"
 ],
 "attributes": {
 "key": {
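Review bot: `group-comment` carries the description `Name assigned to the profile.`, copied from `group-name` just above it; it should describe the field it actually holds, e.g. `Comment stored with the group.`. `last-write-date-time` (`Date and time when the group key was updated.`) reads as the same thing as `key-last-write-time` (`Date and time when the key was last updated.`); if they refer to two different keys the descriptions should say which, otherwise one of them is redundant.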
From 25e9f5d51a5e276c99c4ec2c9cef535a70b4ba0e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 28 Sep 2018 15:14:51 +0200
Subject: [PATCH 046/113] chg: [phishing] new template object (first draft) based on the phishtank format
---
 objects/phishing/definition.json | 69 ++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 objects/phishing/definition.json
diff --git a/objects/phishing/definition.json b/objects/phishing/definition.json
new file mode 100644
index 0000000..3fc7948
--- /dev/null
+++ b/objects/phishing/definition.json
@@ -0,0 +1,69 @@
+{
+ "requiredOneOf": [
+ "url"
+ ],
+ "attributes": {
+ "url": {
+ "description": "Original url of the phishing website",
+ "ui-priority": 1,
+ "misp-attribute": "url"
+ },
+ "phishtank-id": {
+ "description": "Phishtank ID of the reported phishing",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "phishtank-detail-url": {
+ "description": "Phishtank detail URL to the reported phishing",
+ "misp-attribute": "link",
+ "ui-priority": 1
+ },
+ "submission-time": {
+ "description": "When the phishing was submitted and/or reported",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "verified": {
+ "description": "The phishing has been verified by the team handling the phishing",
+ "ui-priority": 0,
+ "values_list": [
+ "No",
+ "Yes"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "verification-time": {
+ "description": "When the phishing was verified",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "online": {
+ "description": "If the phishing is online and operational, by default is yes",
+ "ui-priority": 0,
+ "values_list": [
+ "Yes",
+ "No"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "takedown-time": {
+ "description": "When the phishing was taken down",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "target": {
+ "description": "Targeted organisation by the phishing",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Phishing template to describe a phishing website and its analysis.",
+ "meta-category": "network",
+ "uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307",
+ "name": "phishing"
+}
From 58f39ff62dd3aa1f80ea2b4b02dbf10478a474b9 Mon Sep 17 00:00:00 2001
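Review bot: `verified` and `online` are modelled as `text` attributes with a `No`/`Yes` `values_list` although MISP has a `boolean` attribute type; as free text they only match on exact spelling, so `yes` from a feed import and `Yes` from the UI become two distinct values. If the intent is to mirror the phishtank export verbatim the text form is defensible, but then the description of `online` (`by default is yes`) should state the expected spelling, and `values_list` — unlike `sane_default` used by the other templates in this series — is presumably meant to restrict input to those two values, which is worth confirming.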
From: aksha
Date: Sun, 30 Sep 2018 21:35:38 +0100
Subject: [PATCH 047/113] Add: regripper objects for system hive
---
 .../definition.json | 42 +++++++++
 .../definition.json | 73 ++++++++++++++
 .../definition.json | 93 ++++++++++++++++++
 .../definition.json | 94 +++++++++++++++++++
 4 files changed, 302 insertions(+)
 create mode 100644 objects/regripper-system-hive-firewall-configuration/definition.json
 create mode 100644 objects/regripper-system-hive-general-configuration/definition.json
 create mode 100644 objects/regripper-system-hive-network-information/definition.json
 create mode 100644 objects/regripper-system-hive-service-drivers/definition.json
diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json
new file mode 100644
index 0000000..7f361d8
--- /dev/null
+++ b/objects/regripper-system-hive-firewall-configuration/definition.json
@@ -0,0 +1,42 @@
+{
+ "required": [
+ "profile"
+ ],
+ "attributes": {
+ "profile": {
+ "description": "Firewall Profile type",
+ "ui-priority": 0,
+ "sane-default":[
+ "Domain Profile",
+ "Standard Profile"
+ ],
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the firewall profile policy was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "enbled-firewall": {
+ "description": "Boolean flag to determine if the firewall is enabled.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "disable-notification": {
+ "description": "Boolean flag to determine if firewall notifications are enabled.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "comment": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": ""
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.",
+ "meta-category": "misc",
+ "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07",
+ "name": "regripper-system-hive-firewall-configuration"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json
new file mode 100644
index 0000000..df2a4fe
--- /dev/null
+++ b/objects/regripper-system-hive-general-configuration/definition.json
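Review bot: `comment` is declared with `"misp-attribute": ""`; an empty type is not valid, and `text` is what the `comments` attribute uses in the other regripper templates of this series. `profile` uses the key `sane-default` (hyphen) whereas every other template here, and the key the templates are read with, is `sane_default`, so the two profile values will be silently ignored. `enbled-firewall` is misspelled and should be `enabled-firewall` — attribute names become object-relation strings, so a typo here becomes a permanent API name once events reference it. The same empty `misp-attribute` appears on `comment` in the regripper-system-hive-service-drivers hunk.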
@@ -0,0 +1,73 @@
+{
+ "required": [
+ "computer-name"
+ ],
+ "attributes": {
+ "computer-name": {
+ "description": "name of the computer under analysis",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "shutdown-time": {
+ "description": "Date and time when the system was shutdown.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "timezone-last-write-time": {
+ "description": "Date and time when the timezone key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "timezone-bias": {
+ "description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "timezone-standard-name": {
+ "description": "Timezone standard name used during non-daylight saving months.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "timezone-standard-date": {
+ "description": "Standard date - non daylight saving months",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "timezone-standard-bias": {
+ "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "timezone-daylight-name": {
+ "description": "Timezone name used during daylight saving months.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "timezone-daylight-date": {
+ "description": "Daylight date - daylight saving months",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "timezone-daylight-bias": {
+ "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "fDenyTSConnections:": {
+ "description": "Specifies whether remote connections are enabled or disabled on the system.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present general system properties extracted from the system-hive.",
+ "meta-category": "misc",
+ "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4",
+ "name": "regripper-system-hive-general-configuration"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-system-hive-network-information/definition.json b/objects/regripper-system-hive-network-information/definition.json
new file mode 100644
index 0000000..d2b07b5
--- /dev/null
+++ b/objects/regripper-system-hive-network-information/definition.json
@@ -0,0 +1,93 @@
+{
+ "required": [
+ "network-key"
+ ],
+ "attributes": {
+ "network-key": {
+ "description": "Registry key assigned to the network",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "network-key-last-write-time": {
+ "description": "Date and time when the network key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "network-key-path": {
+ "description": "Path of the key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "TCPIP-key": {
+ "description": "TCPIP key",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "TCPIP-key-last-write-time": {
+ "description": "Datetime when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "DHCP-domain": {
+ "description": "Name of the DHCP domain service",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "DHCP-IP-address": {
+ "description": "DHCP service - IP address",
+ "ui-priority": 0,
+ "misp-attribute": "ip-dist"
+ },
+ "DHCP-subnet-mask": {
+ "description": "DHCP subnet mask - IP address.",
+ "ui-priority": 0,
+ "misp-attribute": "ip-dist"
+ },
+ "DHCP-name-server": {
+ "description": "DHCP Name server - IP address.",
+ "ui-priority": 0,
+ "misp-attribute": "ip-dist"
+ },
+ "DHCP-server": {
+ "description": "DHCP server - IP address.",
+ "ui-priority": 0,
+ "misp-attribute": "ip-dist"
+ },
+ "interface-GUID": {
+ "description": "GUID value assigned to the interface.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "interface-last-write-time": {
+ "description": "Last date and time when the interface key was updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "interface-name": {
+ "description": "Name of the interface.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "interface-PnpInstanceID": {
+ "description": "Plug and Play instance ID assigned to the interface.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "interface-MediaSubType": {
+ "description": "",
+ "ui-priority": 0,
+ "misp-attribute": "number"
+ },
+ "interface-IPcheckingEnabled": {
+ "description": "",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ }
+ },
+ "version": 1,
+ "description": "Regripper object template designed to gather network information from the system-hive.",
+ "meta-category": "misc",
+ "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0",
+ "name": "regripper-system-hive-network-information."
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json
new file mode 100644
index 0000000..264cbc6
--- /dev/null
+++ b/objects/regripper-system-hive-service-drivers/definition.json
@@ -0,0 +1,94 @@
+{
+ "required": [
+ "name"
+ ],
+ "attributes": {
+ "name": {
+ "description": "name of the key",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "display": {
+ "description": "Display name/information of the service or the driver.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "image-path": {
+ "description": "Path of the service/drive",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "type": {
+ "description": "Service/driver type.",
+ "ui-priority": 0,
+ "sane_default": [
+ "Kernel driver",
+ "File system driver",
+ "Own process",
+ "Share process",
+ "Interactive",
+ "Other"
+ ],
+ "misp-attribute": "text"
+ },
+ "start": {
+ "description": "When the service/driver starts or executes.",
+ "ui-priority": 0,
+ "sane_default":[
+ "Boot start",
+ "System start",
+ "Auto start",
+ "Manual",
+ "Disabled"
+ ],
+ "misp-attribute": "text"
+ },
+ "group": {
+ "description": "Group to which the system/driver belong to.",
+ "ui-priority": 0,
+ "sane_default":[
+ "Base",
+ "Boot Bus Extender",
+ "Boot File System",
+ "Cryptography",
+ "Extended base",
+ "Event Log",
+ "Filter",
+ "FSFilter Bottom",
+ "FSFilter Infrastructure",
+ "File System",
+ "FSFilter Virtualization",
+ "Keyboard Port",
+ "Network",
+ "NDIS",
+ "Parallel arbitrator",
+ "Pointer Port",
+ "PnP Filter",
+ "ProfSvc_Group",
+ "PNP_TDI",
+ "SCSI Miniport",
+ "SCSI CDROM Class",
+ "System Bus Extender",
+ "Video Save",
+ "other"
+ ],
+ "misp-attribute": "text"
+ },
+ "comment": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": ""
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.",
+ "meta-category": "misc",
+ "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73",
+ "name": "regripper-system-hive-services-drivers"
+ }
+
\ No newline at end of file
From 44d92e95be12dbff8d078ed2ddff966b1a9808ef Mon Sep 17 00:00:00 2001
From: aksha
Date: Mon, 1 Oct 2018 12:18:55 +0100
Subject: [PATCH 048/113] Add: Regripper objects (System + Software Hive)
---
 .../definition.json | 55 +++++++
 .../definition.json | 51 +++++++
 .../definition.json | 48 ++++++
 .../definition.json | 55 +++++++
 .../definition.json | 53 +++++++
 .../definition.json | 114 +++++++++++++++
 .../definition.json | 60 ++++++++
 .../definition.json | 138 ++++++++++++++++++
 .../definition.json | 3 +-
 9 files changed, 576 insertions(+), 1 deletion(-)
 create mode 100644 objects/regripper-software-hive-BHO/definition.json
 create mode 100644 objects/regripper-software-hive-appInit-DLLS/definition.json
 create mode 100644 objects/regripper-software-hive-application-paths/definition.json
 create mode 100644 objects/regripper-software-hive-applications-installed/definition.json
 create mode 100644 objects/regripper-software-hive-command-shell/definition.json
 create mode 100644 objects/regripper-software-hive-general-windows-info/definition.json
 create mode 100644 objects/regripper-software-hive-software-run/definition.json
 create mode 100644 objects/regripper-software-hive-userprofile-winlogon/definition.json
diff --git a/objects/regripper-software-hive-BHO/definition.json b/objects/regripper-software-hive-BHO/definition.json
new file mode 100644
index 0000000..4b70d4a
--- /dev/null
+++ b/objects/regripper-software-hive-BHO/definition.json
@@ -0,0 +1,55 @@
+{
+ "required": [
+ "key",
+ "BHO-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "BHO-name": {
+ "description": "Name of the browser helper object.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BHO-key-last-write-time": {
+ "description": "Date and time when the BHO key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "class": {
+ "description": "Class to which the BHO belongs to.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "module": {
+ "description": "DLL module the BHO belongs to.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the BHO.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.",
+ "meta-category": "misc",
+ "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2",
+ "name": "regripper-software-hive-BHO"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-appInit-DLLS/definition.json b/objects/regripper-software-hive-appInit-DLLS/definition.json
new file mode 100644
index 0000000..9aa9753
--- /dev/null
+++ b/objects/regripper-software-hive-appInit-DLLS/definition.json
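Review bot: `references` is declared with `"misp-attribute": "links"`; the MISP type is `link`, as `phishtank-detail-url` uses it in the phishing template earlier in this series, so as written the template will not validate. The same `links` value is on `references` in the appInit-DLLS, application-paths and applications-installed hunks that follow.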
@@ -0,0 +1,51 @@
+{
+ "required": [
+ "key",
+ "DLL-name",
+ "DLL-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "DLL-name": {
+ "description": "Name of the DLL file.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "DLL-path": {
+ "description": "Path where the DLL file is stored.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "DLL-last-write-time": {
+ "description": "Date and time when the DLL file was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the DLL file.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the DLL files installed on the system.",
+ "meta-category": "misc",
+ "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859",
+ "name": "regripper-software-hive-appInit-DLLS"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-application-paths/definition.json b/objects/regripper-software-hive-application-paths/definition.json
new file mode 100644
index 0000000..80787f8
--- /dev/null
+++ b/objects/regripper-software-hive-application-paths/definition.json
@@ -0,0 +1,48 @@
+{
+ "required": [
+ "key",
+ "executable-file-name",
+ "path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "executable-file-name": {
+ "description": "Name of the executable file.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":true
+ },
+ "path": {
+ "description": "Path of the executable file.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":true
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the application installed.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the application paths.",
+ "meta-category": "misc",
+ "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8",
+ "name": "regripper-software-hive-application-paths"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-applications-installed/definition.json b/objects/regripper-software-hive-applications-installed/definition.json
new file mode 100644
index 0000000..f3bcddb
--- /dev/null
+++ b/objects/regripper-software-hive-applications-installed/definition.json
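Review bot: Both `executable-file-name` and `path` are marked `multiple`, so one object can carry several names and several paths with no way to tell which path belongs to which executable — and that pairing is exactly what an App Paths entry records. If one object is meant to describe one entry, only `references` needs `multiple`; if it is meant to aggregate a whole hive, one object per entry keeps the name/path link intact.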
@@ -0,0 +1,55 @@
+{
+ "required": [
+ "key",
+ "app-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-path": {
+ "description": "Path of the key.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "app-name": {
+ "description": "Name of the application.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "app-last-write-time": {
+ "description": "Date and time when the application key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "version": {
+ "description": "Version of the application.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the application installed.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the applications installed on the system.",
+ "meta-category": "misc",
+ "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
+ "name": "regripper-software-hive-applications-installed"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-command-shell/definition.json b/objects/regripper-software-hive-command-shell/definition.json
new file mode 100644
index 0000000..fc98778
--- /dev/null
+++ b/objects/regripper-software-hive-command-shell/definition.json
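Review bot: The attribute named `version` sits in the same document as the template-level `"version": 1` key; it is legal JSON since it is nested under `attributes`, but it reads as a collision when skimming and breaks the naming pattern of its siblings (`app-name`, `app-last-write-time`). `app-version` would be unambiguous and consistent.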
@@ -0,0 +1,53 @@
+{
+ "required": [
+ "key",
+ "shell",
+ "shell-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "shell": {
+ "description": "Type of shell used to execute the command.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default":[
+ "exe",
+ "cmd",
+ "bat",
+ "hta",
+ "pif",
+ "Other"
+ ]
+ },
+ "shell-path": {
+ "description": "Path of the shell.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "command": {
+ "description": "Command executed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
+ "meta-category": "misc",
+ "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
+ "name": "regripper-software-hive-command-shell"
+ }
+
\ No newline at end of file
diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json
new file mode 100644
index 0000000..01dff3e
--- /dev/null
+++ b/objects/regripper-software-hive-general-windows-info/definition.json
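Review bot: `shell` is described as `Type of shell used to execute the command.` but its `sane_default` values (`exe`, `cmd`, `bat`, `hta`, `pif`) are file extensions, which suggests the template records the registered open handler for each file class rather than a shell program; if so, the description should say that, e.g. `File type (extension) whose registered open command is recorded.`. In the same reading, `command` (`Command executed.`) and the template description (`shell commands executed on the system`) describe handler command lines that are configured, not commands that were run, and an analyst reading the object would draw the wrong conclusion from the current wording — worth confirming what the source data actually is before the names are fixed.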
@@ -0,0 +1,114 @@ +{ + "required": [ + "win-cv-path", + "CurrentVersion" + ], + "attributes": { + "win-cv-path": { + "description": "key where the windows information is retrieved from", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "RegisteredOrganization": { + "description": "Name of the registered organization.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "RegisteredOwner": { + "description": "Name of the registered owner.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "CurrentVersion": { + "description": "Current version of windows", + "ui-priority": 0, + "misp-attribute": "text" + }, + "CurrentBuild": { + "description": "Build number of the windows OS.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "SoftwareType": { + "description": "Software type of windows.", + "ui-priority": 0, + "sane_default":[ + "System", + "Application", + "other" + ], + "misp-attribute": "text" + }, + "InstallationType": { + "description": "Type of windows installation.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "InstallDate": { + "description": "Date when windows was installed.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "SystemRoot": { + "description": "Root directory.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "PathName": { + "description": "Path to the root directory.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "EditionID": { + "description": "Windows edition.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ProductName": { + "description": "Name of the windows version.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ProductID": { + "description": "ID of the product version.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "CSDVersion": { + "description": "Version of the service pack installed.", + "ui-priority": 0, + 
"misp-attribute": "text" + }, + "CurrentType": { + "description": "Current build type of the OS.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildLab": { + "description": "Windows BuildLab string.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildGUID": { + "description": "Build ID.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildLabEx": { + "description": "Windows BuildLabEx string.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.", + "meta-category": "misc", + "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1", + "name": "regripper-software-hive-windows-general-info" + } + \ No newline at end of file diff --git a/objects/regripper-software-hive-software-run/definition.json b/objects/regripper-software-hive-software-run/definition.json new file mode 100644 index 0000000..83b968c --- /dev/null +++ b/objects/regripper-software-hive-software-run/definition.json 
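Review bot: The template's `"name"` is `regripper-software-hive-windows-general-info`, but the file is added at `objects/regripper-software-hive-general-windows-info/definition.json`; every other template on this page keeps the two identical, and a mismatch is likely to fail template validation, so `"name": "regripper-software-hive-general-windows-info"` should match the path (or the directory be renamed). `CurrentBuild` is typed `number` while `CurrentVersion` and the other version fields are `text`; `"misp-attribute": "text"` keeps the build fields consistent, which is in fact what a later commit in this series does. This template is also the only new one without a `comments` attribute. The hunk begins on the previous physical line.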
@@ -0,0 +1,60 @@
+{
+ "required": [
+ "key",
+ "application-name",
+ "application-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "sane_default": [
+ "Run",
+ "RunOnce",
+ "Runservices",
+ "Terminal",
+ "Other"
+ ],
+ "misp-attribute": "text"
+ },
+ "key-path": {
+ "description": "Path of the key.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "application-name": {
+ "description": "Name of the application run.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":true
+ },
+ "application-path": {
+ "description": "Path where the application is installed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple":true
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "references": {
+ "description": "References to the applications.",
+ "ui-priority": 0,
+ "misp-attribute": "links",
+ "multiple":true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the applications set to run on the system.",
+ "meta-category": "misc",
+ "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
+ "name": "regripper-software-hive-software-run"
+ }
+ 
\ No newline at end of file
diff --git a/objects/regripper-software-hive-userprofile-winlogon/definition.json b/objects/regripper-software-hive-userprofile-winlogon/definition.json
new file mode 100644
index 0000000..0dd3289
--- /dev/null
+++ b/objects/regripper-software-hive-userprofile-winlogon/definition.json
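Review bot: `application-name` and `application-path` are both `"multiple":true`, so an object carrying several Run entries loses the pairing between a name and its path, which is exactly the relation an analyst reviewing autostart entries needs. Either keep both single-valued and emit one object per Run entry, or keep only one of them multiple. `references` uses `"misp-attribute": "links"`, the same issue noted on the applications-installed template above; `"misp-attribute": "link"` is the type used elsewhere in this series.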
@@ -0,0 +1,138 @@ +{ + "required": [ + "user-profile-key-path", + "SID" + ], + "attributes": { + "user-profile-key-path": { + "description": "key where the user-profile information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "user-profile-key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "user-profile-path": { + "description": "Path of the user profile on the system", + "ui-priority": 0, + "misp-attribute": "text" + }, + "SID": { + "description": "Security identifier assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "user-profile-last-write-time": { + "description": "Date and time when the user profile was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "winlogon-key-path": { + "description": "winlogon key referred in order to retrieve default user information", + "ui-priority": 0, + "misp-attribute": "text" + }, + "winlogon-key-last-write-time": { + "description": "Date and time when the winlogon key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "DefaultUserName": { + "description": "user-name of the default user.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "Shell": { + "description": "Shell set to run when the user logs onto the system.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "UserInit": { + "description": "Applications and files set to run when the user logs onto the system (User logon activity).", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "Legal-notice-caption": { + "description": "Message title set to display when the user logs-in.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "Legal-notice-text": { + "description": "Message set to display when the user logs-in.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, 
+ "PreCreateKnownFolders": { + "description": "create known folders key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ReportBootOk": { + "description": "Flag to check if the reboot was successful.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "AutoRestartShell": { + "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "PasswordExpiryWarining": { + "description": "Number of times the password expiry warning appeared.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "PowerdownAfterShutDown": { + "description": "Flag value- if the system is set to power down after it is shutdown.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "ShutdownWithoutLogon": { + "description": "Value of the flag set to enable shutdown without requiring a user to login.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "WinStationsDisabled": { + "description": "Flag value set to enable/disable logons to the system.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "DisableCAD": { + "description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "AutoAdminLogon": { + "description": "Flag value to determine if autologon is enabled for a user without entering the password.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "CachedLogonCount": { + "description": "Number of times the user has logged into the system.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "ShutdownFlags": { + "description": "Number of times shutdown is initiated from a process when the user is logged-in.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "Comments": + { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Regripper Object template designed to gather 
user profile information when the user logs onto the system, gathered from the software hive.", + "meta-category": "misc", + "uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59", + "name": "regripper-software-hive-userprofile-winlogon" +} diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json index 7f361d8..cd44858 100644 --- a/objects/regripper-system-hive-firewall-configuration/definition.json +++ b/objects/regripper-system-hive-firewall-configuration/definition.json @@ -8,7 +8,8 @@ "ui-priority": 0, "sane-default":[ "Domain Profile", - "Standard Profile" + "Standard Profile", + "other" ], "misp-attribute": "text" }, From 12166166f2186863ec7c8ba80b9f154f231be1e9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 2 Oct 2018 07:43:07 +0200 Subject: [PATCH 049/113] chg: [phishing] new object added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a8aad33..7eee687 100644 --- a/README.md +++ b/README.md @@ -109,6 +109,7 @@ for a specific attribute. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. * [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description. * [objects/person](objects/person/definition.json) - A person object which describes a person or an identity. +* [objects/phishing](objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis. * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object. * [objects/process](objects/process/definition.json) - A process object. * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object. From f8226fc2004dc4e9f4a5eb18cec12135404a3be5 Mon Sep 17 00:00:00 2001 
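Review bot: The attribute key `PasswordExpiryWarining` looks like a misspelling of the Winlogon value name `PasswordExpiryWarning`, and since the key is what RegRipper output would be mapped onto, it should be corrected before the template is published. `CachedLogonCount` is described as "Number of times the user has logged into the system", but if this is the Winlogon value of that name it is the number of logon credentials cached for offline logon, not a login counter — please confirm and adjust the description. `"Comments": + {` puts the opening brace on its own line unlike every other attribute in the file. The timestamps and boolean flags (`ReportBootOk`, `AutoAdminLogon`, …) would benefit from `"disable_correlation": true`, whereas leaving correlation on for `Shell` and `UserInit` is the right call since those values are what link the same logon-time tampering across events. This hunk starts two physical lines earlier.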
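Review bot: This hunk extends a list stored under the key `"sane-default"`, but the other templates on this page (command-shell, general-windows-info, software-run) spell it `"sane_default"`; the hyphenated key would presumably be ignored as an unknown field, so the newly added `"other"` entry will never be offered to users. Renaming the key to `"sane_default":[` is the actual fix; the later hunk touching this file in this series still leaves the hyphenated spelling in place. The enclosing attribute begins outside the hunk.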
From: aksha Date: Tue, 2 Oct 2018 10:14:19 +0100 Subject: [PATCH 050/113] Fix: Regripper object templates fixed --- objects/regripper-NTUser/definition.json | 28 ++++---- .../definition.json | 21 ++++-- .../definition.json | 11 +-- .../definition.json | 17 +++-- .../definition.json | 11 +-- .../definition.json | 8 ++- .../definition.json | 11 +-- .../definition.json | 9 ++- .../definition.json | 26 +++++-- .../definition.json | 14 ++-- .../definition.json | 67 +++++++++++++------ .../definition.json | 15 +++-- .../definition.json | 39 ++++++++--- .../definition.json | 38 +++++++---- .../definition.json | 15 +++-- 15 files changed, 222 insertions(+), 108 deletions(-) diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json index 264aae9..6eb7193 100644 --- a/objects/regripper-NTUser/definition.json +++ b/objects/regripper-NTUser/definition.json @@ -14,7 +14,8 @@ "key-last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "logon-user-name": { "description": "Name assigned to the user profile.", 
@@ -25,65 +26,68 @@ "description": "List of recent folders accessed by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple":"true" + "multiple":true }, "recent-files-accessed": { "description": "List of recent files accessed by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple":"true" + "multiple":true }, "typed-urls": { "description": "Urls typed by the user in internet explorer", "ui-priority": 0, "misp-attribute": "text", - "multiple":"true" + "multiple":true }, "applications-installed": { "description": "List of applications installed.", "ui-priority": 0, "misp-attribute": "text", - "multiple":"true" + "multiple":true }, "applications-run": { "description": "List of applications set to run on the system.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true }, "external-devices": { "description": "List of external devices connected to the system by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true }, "user-init": { "description": "Applications or processes set to run when the user logs onto the windows system.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true }, "nukeOnDelete": { "description": "Determines if the Recycle bin option has been disabled.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "network-connected-to": { "description": "List of networks the user connected the system to.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true }, "mount-points": { "description": "Details of the mount points created on the system.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true, + "disable_correlation": true }, "comments": { "description": "Additional information related to the user profile", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + 
"disable_correlation": true } }, diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json index eb32b5b..2cf93d9 100644 --- a/objects/regripper-sam-hive-single-user/definition.json +++ b/objects/regripper-sam-hive-single-user/definition.json @@ -16,7 +16,8 @@ "key-last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "user-name": { "description": "User name assigned to the user profile.", @@ -31,22 +32,32 @@ "last-login-time": { "description": "Date and time when the user last logged onto the system.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "pwd-reset-time": { "description": "Date and time when the password was last reset.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "pwd-fail-date": { "description": "Date and time when a password last failed for this user profile.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "login-count": { "description": "Number of times the user logged-in onto the system.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "counter", + "disable_correlation": true + }, + "comments": { + "description": "Full name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true } }, diff --git a/objects/regripper-sam-hive-user-group/definition.json b/objects/regripper-sam-hive-user-group/definition.json index 1e41a1c..bcd2996 100644 --- a/objects/regripper-sam-hive-user-group/definition.json +++ b/objects/regripper-sam-hive-user-group/definition.json 
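Review bot: The new `comments` attribute in regripper-sam-hive-single-user carries `"description": "Full name assigned to the user profile."`, which looks copied from a neighbouring attribute; the other `comments` attributes in this commit use `"description": "Additional comments."`. The `login-count` switch to `counter` is fine, but since this changes an existing attribute's type it seems worth bumping the template `version` so instances that already imported the previous definition pick it up — please confirm the convention. The hunk's closing lines run into the next physical line.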
@@ -14,7 +14,8 @@ "key-last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "group-name": { "description": "Name assigned to the profile.", @@ -29,18 +30,20 @@ "last-write-date-time": { "description": "Date and time when the group key was updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "group-comment": { "description": "Name assigned to the profile.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "group-users": { "description": "Users belonging to the group", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true } }, diff --git a/objects/regripper-software-hive-BHO/definition.json b/objects/regripper-software-hive-BHO/definition.json index 4b70d4a..7c64241 100644 --- a/objects/regripper-software-hive-BHO/definition.json +++ b/objects/regripper-software-hive-BHO/definition.json @@ -12,7 +12,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "BHO-name": { "description": "Name of the browser helper object.", 
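Review bot: In the second hunk of regripper-sam-hive-user-group, `group-comment` keeps `"description": "Name assigned to the profile."`, identical to the description of `group-name` just above it; the line is context rather than changed, but since the attribute is being given `disable_correlation` anyway, a description such as `"description": "Comment stored with the group."` would fix the copy-paste. `group-users` becoming `"multiple": true` while still correlating is useful for spotting the same account across group dumps, so that part looks right.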
@@ -22,27 +23,31 @@ "BHO-key-last-write-time": { "description": "Date and time when the BHO key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "class": { "description": "Class to which the BHO belongs to.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "module": { "description": "DLL module the BHO belongs to.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the BHO.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, diff --git a/objects/regripper-software-hive-appInit-DLLS/definition.json b/objects/regripper-software-hive-appInit-DLLS/definition.json index 9aa9753..3923e35 100644 --- a/objects/regripper-software-hive-appInit-DLLS/definition.json +++ b/objects/regripper-software-hive-appInit-DLLS/definition.json @@ -13,7 +13,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "DLL-name": { "description": "Name of the DLL file.", @@ -28,17 +29,19 @@ "DLL-last-write-time": { "description": "Date and time when the DLL file was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the DLL file.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, 
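Review bot: `class` (presumably the BHO's CLSID) and `module` (the DLL it belongs to) both receive `"disable_correlation": true`, yet those two values are what let an analyst link the same browser helper object across events; disabling correlation on `comments` and on the timestamps is sound, but for `class` and `module` the default correlation seems worth keeping unless there is a reason not to. If the intent is to avoid noise from very common classes, a comment in the description explaining that would help the next maintainer.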
diff --git a/objects/regripper-software-hive-application-paths/definition.json b/objects/regripper-software-hive-application-paths/definition.json index 80787f8..939e39a 100644 --- a/objects/regripper-software-hive-application-paths/definition.json +++ b/objects/regripper-software-hive-application-paths/definition.json @@ -13,7 +13,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "executable-file-name": { "description": "Name of the executable file.", @@ -30,12 +31,13 @@ "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the application installed.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, diff --git a/objects/regripper-software-hive-applications-installed/definition.json b/objects/regripper-software-hive-applications-installed/definition.json index f3bcddb..55c58ea 100644 --- a/objects/regripper-software-hive-applications-installed/definition.json +++ b/objects/regripper-software-hive-applications-installed/definition.json @@ -17,7 +17,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "app-name": { "description": "Name of the application.", @@ -27,7 +28,8 @@ "app-last-write-time": { "description": "Date and time when the application key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "version": { "description": "Version of the application.", 
@@ -37,12 +39,13 @@ "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the application installed.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, diff --git a/objects/regripper-software-hive-command-shell/definition.json b/objects/regripper-software-hive-command-shell/definition.json index fc98778..593308d 100644 --- a/objects/regripper-software-hive-command-shell/definition.json +++ b/objects/regripper-software-hive-command-shell/definition.json @@ -13,7 +13,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "shell": { "description": "Type of shell used to execute the command.", @@ -26,7 +27,8 @@ "hta", "pif", "Other" - ] + ], + "disable_correlation": true }, "shell-path": { "description": "Path of the shell.", @@ -41,7 +43,8 @@ "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json index 01dff3e..a05492f 100644 --- a/objects/regripper-software-hive-general-windows-info/definition.json +++ b/objects/regripper-software-hive-general-windows-info/definition.json @@ -12,7 +12,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "RegisteredOrganization": { "description": "Name of the registered organization.", 
@@ -32,7 +33,7 @@ "CurrentBuild": { "description": "Build number of the windows OS.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "text" }, "SoftwareType": { "description": "Software type of windows.", @@ -42,27 +43,32 @@ "Application", "other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "InstallationType": { "description": "Type of windows installation.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "InstallDate": { "description": "Date when windows was installed.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "SystemRoot": { "description": "Root directory.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "PathName": { "description": "Path to the root directory.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "EditionID": { "description": "Windows edition.", @@ -103,6 +109,12 @@ "description": "Windows BuildLabEx string.", "ui-priority": 0, "misp-attribute": "text" + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-software-hive-software-run/definition.json b/objects/regripper-software-hive-software-run/definition.json index 83b968c..95e93cc 100644 --- a/objects/regripper-software-hive-software-run/definition.json +++ b/objects/regripper-software-hive-software-run/definition.json 
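Review bot: The added `comment` attribute in regripper-software-hive-general-windows-info has `"misp-attribute": ""`, an empty type that no attribute type matches; it should be `"misp-attribute": "text"` like the other comment attributes in this commit. The same empty type is added to the system-hive-general-configuration template further down, while the firewall-configuration hunk in this very commit fixes that exact mistake from `""` to `"text"`. The key is `comment` here but `comments` in most sibling templates; aligning the name helps anything that maps fields across the RegRipper templates. `CurrentBuild` changing from `number` to `text` is reasonable, but the template `version` stays at 1, so instances that already loaded the earlier definition may not notice the changed type.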
@@ -15,17 +15,20 @@ "Terminal", "Other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "key-path": { "description": "Path of the key.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "application-name": { "description": "Name of the application run.", @@ -42,12 +45,13 @@ "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the applications.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, diff --git a/objects/regripper-software-hive-userprofile-winlogon/definition.json b/objects/regripper-software-hive-userprofile-winlogon/definition.json index 0dd3289..6dcbef9 100644 --- a/objects/regripper-software-hive-userprofile-winlogon/definition.json +++ b/objects/regripper-software-hive-userprofile-winlogon/definition.json 
@@ -7,47 +7,56 @@ "user-profile-key-path": { "description": "key where the user-profile information is retrieved from.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "user-profile-key-last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "user-profile-path": { "description": "Path of the user profile on the system", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "SID": { "description": "Security identifier assigned to the user profile.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "user-profile-last-write-time": { "description": "Date and time when the user profile was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "winlogon-key-path": { "description": "winlogon key referred in order to retrieve default user information", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "winlogon-key-last-write-time": { "description": "Date and time when the winlogon key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "DefaultUserName": { "description": "user-name of the default user.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "Shell": { "description": "Shell set to run when the user logs onto the system.", "ui-priority": 0, "misp-attribute": "text", + "disable_correlation": true, "multiple": true }, "UserInit": { 
@@ -60,74 +69,88 @@ "description": "Message title set to display when the user logs-in.", "ui-priority": 0, "misp-attribute": "text", - "multiple": true + "multiple": true, + "disable_correlation": true }, "Legal-notice-text": { "description": "Message set to display when the user logs-in.", "ui-priority": 0, "misp-attribute": "text", - "multiple": true + "multiple": true, + "disable_correlation": true }, "PreCreateKnownFolders": { "description": "create known folders key", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "ReportBootOk": { "description": "Flag to check if the reboot was successful.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "AutoRestartShell": { "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "PasswordExpiryWarining": { "description": "Number of times the password expiry warning appeared.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "counter", + "disable_correlation": true }, "PowerdownAfterShutDown": { "description": "Flag value- if the system is set to power down after it is shutdown.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "ShutdownWithoutLogon": { "description": "Value of the flag set to enable shutdown without requiring a user to login.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "WinStationsDisabled": { "description": "Flag value set to enable/disable logons to the system.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "DisableCAD": { "description": "Flag to determine if user login is enabled by pressing 
Ctrl+ALT+Delete.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "AutoAdminLogon": { "description": "Flag value to determine if autologon is enabled for a user without entering the password.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "CachedLogonCount": { "description": "Number of times the user has logged into the system.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "counter", + "disable_correlation": true }, "ShutdownFlags": { "description": "Number of times shutdown is initiated from a process when the user is logged-in.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "counter", + "disable_correlation": true }, "Comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json index cd44858..94ffeb8 100644 --- a/objects/regripper-system-hive-firewall-configuration/definition.json +++ b/objects/regripper-system-hive-firewall-configuration/definition.json 
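Review bot: `CachedLogonCount` becomes a `counter` but its description still says "Number of times the user has logged into the system"; if this is the Winlogon value of that name it is the number of cached logon credentials, so both the type and the description should be revisited — please confirm. The key `PasswordExpiryWarining` (likely a typo for `PasswordExpiryWarning`) is carried over unchanged in this hunk. In the first hunk of this file `SID` receives `"disable_correlation": true`; a SID is a natural pivot for the same account appearing in several events, so that is worth a second look. The enclosing object runs past the hunk on both sides.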
@@ -11,27 +11,32 @@ "Standard Profile", "other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "last-write-time": { "description": "Date and time when the firewall profile policy was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "enbled-firewall": { "description": "Boolean flag to determine if the firewall is enabled.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "disable-notification": { "description": "Boolean flag to determine if firewall notifications are enabled.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "" + "misp-attribute": "text", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json index df2a4fe..c007e4a 100644 --- a/objects/regripper-system-hive-general-configuration/definition.json +++ b/objects/regripper-system-hive-general-configuration/definition.json 
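Review bot: `enbled-firewall` looks like a typo for `enabled-firewall`; it is a context line, but it is the attribute key analysts will query, so it is cheapest to fix while the template is still at version 1. The list header `"sane-default"` just above the hunk is also untouched, while the other templates on this page spell it `"sane_default"`, so the defaults list is probably not being applied. The `comment` fix from `""` to `"text"` is correct here; the same empty type is introduced in two other templates in this commit.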
@@ -11,57 +11,74 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "shutdown-time": { "description": "Date and time when the system was shutdown.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "timezone-last-write-time": { "description": "Date and time when the timezone key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "timezone-bias": { "description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "timezone-standard-name": { "description": "Timezone standard name used during non-daylight saving months.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "timezone-standard-date": { "description": "Standard date - non daylight saving months", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "timezone-standard-bias": { "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "timezone-daylight-name": { "description": "Timezone name used during daylight saving months.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "timezone-daylight-date": { "description": "Daylight date - daylight saving months", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "timezone-daylight-bias": { "description": "value in minutes to be 
added to the value of timezone-bias to generate the bias used during daylight time.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "fDenyTSConnections:": { "description": "Specifies whether remote connections are enabled or disabled on the system.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-system-hive-network-information/definition.json b/objects/regripper-system-hive-network-information/definition.json index d2b07b5..3a872e1 100644 --- a/objects/regripper-system-hive-network-information/definition.json +++ b/objects/regripper-system-hive-network-information/definition.json @@ -11,12 +11,14 @@ "network-key-last-write-time": { "description": "Date and time when the network key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "network-key-path": { "description": "Path of the key where the information is retrieved from.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "TCPIP-key": { "description": "TCPIP key", @@ -26,7 +28,8 @@ "TCPIP-key-last-write-time": { "description": "Datetime when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "DHCP-domain": { "description": "Name of the DHCP domain service", 
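Review bot: The newly added `comment` attribute is declared with `"misp-attribute": ""`, which is not a valid MISP attribute type; the same field in the firewall-configuration template of this change uses `"text"`, so this one should read `"misp-attribute": "text",`. The key `fDenyTSConnections:` carries a trailing colon that becomes part of the attribute name; as the flag that records whether remote connections are enabled on the host it is one of the more security-relevant values in this hive, so it deserves the clean name `"fDenyTSConnections": {`. The `version` field stays at 1 despite the new attribute and the type changes; if this template was previously distributed, a bump is needed for instances to pick up the update. The enclosing `attributes` object starts outside this hunk.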
@@ -36,32 +39,34 @@ "DHCP-IP-address": { "description": "DHCP service - IP address", "ui-priority": 0, - "misp-attribute": "ip-dist" + "misp-attribute": "ip-dst" }, "DHCP-subnet-mask": { "description": "DHCP subnet mask - IP address.", "ui-priority": 0, - "misp-attribute": "ip-dist" + "misp-attribute": "ip-dst" }, "DHCP-name-server": { "description": "DHCP Name server - IP address.", "ui-priority": 0, - "misp-attribute": "ip-dist" + "misp-attribute": "ip-dst" }, "DHCP-server": { "description": "DHCP server - IP address.", "ui-priority": 0, - "misp-attribute": "ip-dist" + "misp-attribute": "ip-dst" }, "interface-GUID": { "description": "GUID value assigned to the interface.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "interface-last-write-time": { "description": "Last date and time when the interface key was updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "interface-name": { "description": "Name of the interface.", @@ -71,17 +76,26 @@ "interface-PnpInstanceID": { "description": "Plug and Play instance ID assigned to the interface.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "interface-MediaSubType": { "description": "", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "text", + "disable_correlation": true }, "interface-IPcheckingEnabled": { "description": "", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index 264cbc6..ff7984c 100644 
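Review bot: `DHCP-subnet-mask` is typed `ip-dst` with correlation left enabled; a mask such as 255.255.255.0 is shared by a large fraction of all hosts, so every object carrying it will correlate with every other and create false links between unrelated events. Either add `"disable_correlation": true` to it or type it `text`, since a mask is not a destination address. The `ip-dist` to `ip-dst` correction is right, as `ip-dist` is not a MISP attribute type and would have broken the template. `DHCP-name-server` raises the same concern when public resolvers are in use, though correlation there can occasionally be useful, so that one is a judgment call.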
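Review bot: The free-text field is named `additional-comments` here while the sibling regripper templates in this change call it `comment`; consumers filter and map attributes by object-relation name, so the consistent `"comment": {` would be preferable. `interface-MediaSubType` and `interface-IPcheckingEnabled` still ship with empty `"description": ""` strings, and a one-line note on what each registry value means would help analysts unfamiliar with RegRipper output. The enclosing `attributes` object starts outside this hunk.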
--- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json @@ -11,7 +11,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "display": { "description": "Display name/information of the service or the driver.", @@ -34,7 +35,8 @@ "Interactive", "Other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "start": { "description": "When the service/driver starts or executes.", @@ -46,7 +48,8 @@ "Manual", "Disabled" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "group": { "description": "Group to which the system/driver belong to.", @@ -77,12 +80,14 @@ "Video Save", "other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "" + "misp-attribute": "", + "disable_correlation": true } }, "version": 1, From 60f559f6da565764a4e3bcfd66fc09078b059074 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Tue, 2 Oct 2018 13:01:29 -0700 Subject: [PATCH 051/113] Create IP_API.JSON --- objects/IP_API.JSON | 90 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 objects/IP_API.JSON diff --git a/objects/IP_API.JSON b/objects/IP_API.JSON new file mode 100644 index 0000000..41b88d0 --- /dev/null +++ b/objects/IP_API.JSON 
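Review bot: The `comment` attribute keeps `"misp-attribute": ""` after this change; an empty type is not a valid MISP attribute type, and the firewall-configuration template in this same change fixes the identical field to `"misp-attribute": "text",`, so this one should match. `"version": 1` is unchanged although every attribute gained `disable_correlation`; if the template has already been distributed, instances will presumably not reload it without a version bump. The enclosing `attributes` object starts outside this hunk.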
@@ -0,0 +1,90 @@ +{ + "name": "IP Address", + "meta-category": "network", + "description": "IP Address informtion. Useful if you pull your ip information from ip-api.com", + "version": 1, + "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", + + "attributes": { + "ip-src": { + "description": "Source IP address of the nework connection.", + "ui-priority": 1, + "misp-attribute": "ip-src" + }, + "asn": { + "description": "Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "description": { + "description": "Description of the autonomous system", + "ui-priority": 1, + "misp-attribute": "text" + }, + "ISP": { + "description": "ISP.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "city": { + "description": "City.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "state": { + "description": "State.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "country": { + "description": "Country name", + "ui-priority": 1, + "misp-attribute": "text" + }, + "country code": { + "description": "Country code ", + "ui-priority": 1, + "misp-attribute": "text" + }, + "region": { + "description": "Region. example: California.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "region code": { + "description": "Region code. 
example: CA", + "misp-attribute": "text", + "ui-priority": 1 + }, + "latitude": { + "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", + "disable_correlation": true, + "ui-priority": 90, + "misp-attribute": "float" + }, + "longitude": { + "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", + "disable_correlation": true, + "ui-priority": 89, + "misp-attribute": "float" + }, + "first-seen": { + "description": "First time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "requiredOneOf": [ "ip-src"] + } From ec75268f5c93ebbcec64b051e30172f5e8415013 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Tue, 2 Oct 2018 13:02:49 -0700 Subject: [PATCH 052/113] Created for data from ip-api.com --- objects/{IP_API.JSON => IP_API.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename objects/{IP_API.JSON => IP_API.json} (100%) diff --git a/objects/IP_API.JSON b/objects/IP_API.json similarity index 100% rename from objects/IP_API.JSON rename to objects/IP_API.json From 59b1dda754a68928051c0fe8b27c881d943cf551 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 12:41:52 -0700 Subject: [PATCH 053/113] Updated to match more of ip-api.com --- objects/IP_API.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/IP_API.json b/objects/IP_API.json index 41b88d0..449c74b 100644 --- a/objects/IP_API.json +++ b/objects/IP_API.json 
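Review bot: The attribute keys `country code` and `region code` contain spaces, unlike every other object-relation name visible in this repository, which uses hyphens (`ip-src`, `first-seen`); these names end up in export formats and search filters, so `"country-code"` and `"region-code"` would avoid quoting problems downstream. The file is also placed at `objects/IP_API.JSON` rather than in the `objects/<name>/definition.json` layout that the README links further down use, so tooling that walks that layout will presumably not find it. `state` and `region` look like the same thing (the example given for region is California); one should be dropped or the descriptions should explain how they differ.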
@@ -1,7 +1,7 @@ { "name": "IP Address", "meta-category": "network", - "description": "IP Address informtion. Useful if you pull your ip information from ip-api.com", + "description": "IP Address informtion. Useful if you are pulling your ip information from ip-api.com", "version": 1, "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", @@ -16,10 +16,10 @@ "ui-priority": 1, "misp-attribute": "AS" }, - "description": { - "description": "Description of the autonomous system", + "organization": { + "description": "Organization", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "AS" }, "ISP": { "description": "ISP.", From 04aea7b5961795b61a49e725addde2064c200fbe Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 13:14:42 -0700 Subject: [PATCH 054/113] Uploaded IP_API Object in folder --- .../IP_API_IP_Address/IP_API_IP_Address.json | 90 +++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 objects/IP_API_IP_Address/IP_API_IP_Address.json diff --git a/objects/IP_API_IP_Address/IP_API_IP_Address.json b/objects/IP_API_IP_Address/IP_API_IP_Address.json new file mode 100644 index 0000000..aaf8a3e --- /dev/null +++ b/objects/IP_API_IP_Address/IP_API_IP_Address.json 
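Review bot: `organization` is changed to `"misp-attribute": "AS"`, but an organization name is a free-text string, not an autonomous-system number; the `AS` type is intended for ASN values, as the `asn` attribute just above already uses, so this should be `"misp-attribute": "text"`. A wrong type here either rejects legitimate values at object creation or makes organization names correlate against genuine ASN attributes. The rest of the change is a description rewording.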
@@ -0,0 +1,90 @@ +{ + "name": "IP Address", + "meta-category": "network", + "description": "IP Address informtion. Useful if you are pulling your ip information from ip-api.com", + "version": 1, + "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", + + "attributes": { + "ip-src": { + "description": "Source IP address of the nework connection.", + "ui-priority": 1, + "misp-attribute": "ip-src" + }, + "asn": { + "description": "Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "organization": { + "description": "Organization", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "ISP": { + "description": "ISP.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "city": { + "description": "City.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "state": { + "description": "State.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "country": { + "description": "Country name", + "ui-priority": 1, + "misp-attribute": "text" + }, + "country code": { + "description": "Country code ", + "ui-priority": 1, + "misp-attribute": "text" + }, + "region": { + "description": "Region. example: California.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "region code": { + "description": "Region code. 
example: CA", + "misp-attribute": "text", + "ui-priority": 1 + }, + "latitude": { + "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", + "disable_correlation": true, + "ui-priority": 90, + "misp-attribute": "float" + }, + "longitude": { + "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", + "disable_correlation": true, + "ui-priority": 89, + "misp-attribute": "float" + }, + "first-seen": { + "description": "First time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "requiredOneOf": [ "ip-src"] + } \ No newline at end of file From c39ff94f415913f2b086f1ed545c56c39fda2e10 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 13:15:55 -0700 Subject: [PATCH 055/113] Deleted IP_API single file --- objects/IP_API.json | 90 --------------------------------------------- 1 file changed, 90 deletions(-) delete mode 100644 objects/IP_API.json diff --git a/objects/IP_API.json b/objects/IP_API.json deleted file mode 100644 index 449c74b..0000000 --- a/objects/IP_API.json +++ /dev/null 
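Review bot: The template is added as `objects/IP_API_IP_Address/IP_API_IP_Address.json`, while the convention visible in the README is `objects/<name>/definition.json` with a lowercase hyphenated name, and the inner `"name": "IP Address"` matches neither the directory nor that convention. At this point `objects/IP_API.json` with the identical uuid `4336f124-6264-4f72-943e-cc3797e4122b` still exists, so two templates share one uuid until the follow-up deletion; a single rename commit would have avoided the intermediate state. The file also lacks a trailing newline.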
@@ -1,90 +0,0 @@ -{ - "name": "IP Address", - "meta-category": "network", - "description": "IP Address informtion. Useful if you are pulling your ip information from ip-api.com", - "version": 1, - "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", - - "attributes": { - "ip-src": { - "description": "Source IP address of the nework connection.", - "ui-priority": 1, - "misp-attribute": "ip-src" - }, - "asn": { - "description": "Autonomous System Number", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "organization": { - "description": "Organization", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "ISP": { - "description": "ISP.", - "ui-priority": 1, - "misp-attribute": "text" - }, - "zipcode": { - "description": "Zip Code.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "city": { - "description": "City.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "state": { - "description": "State.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "country": { - "description": "Country name", - "ui-priority": 1, - "misp-attribute": "text" - }, - "country code": { - "description": "Country code ", - "ui-priority": 1, - "misp-attribute": "text" - }, - "region": { - "description": "Region. example: California.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "region code": { - "description": "Region code. 
example: CA", - "misp-attribute": "text", - "ui-priority": 1 - }, - "latitude": { - "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", - "disable_correlation": true, - "ui-priority": 90, - "misp-attribute": "float" - }, - "longitude": { - "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", - "disable_correlation": true, - "ui-priority": 89, - "misp-attribute": "float" - }, - "first-seen": { - "description": "First time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "last-seen": { - "description": "Last time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - } - }, - "requiredOneOf": [ "ip-src"] - } From 237b5a364bef8357478be6775ca2d55c0594fe68 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 13:42:07 -0700 Subject: [PATCH 056/113] Delete IP_API_IP_Address.json --- .../IP_API_IP_Address/IP_API_IP_Address.json | 90 ------------------- 1 file changed, 90 deletions(-) delete mode 100644 objects/IP_API_IP_Address/IP_API_IP_Address.json diff --git a/objects/IP_API_IP_Address/IP_API_IP_Address.json b/objects/IP_API_IP_Address/IP_API_IP_Address.json deleted file mode 100644 index aaf8a3e..0000000 --- a/objects/IP_API_IP_Address/IP_API_IP_Address.json +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - "name": "IP Address", - "meta-category": "network", - "description": "IP Address informtion. Useful if you are pulling your ip information from ip-api.com", - "version": 1, - "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", - - "attributes": { - "ip-src": { - "description": "Source IP address of the nework connection.", - "ui-priority": 1, - "misp-attribute": "ip-src" - }, - "asn": { - "description": "Autonomous System Number", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "organization": { - "description": "Organization", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "ISP": { - "description": "ISP.", - "ui-priority": 1, - "misp-attribute": "text" - }, - "zipcode": { - "description": "Zip Code.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "city": { - "description": "City.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "state": { - "description": "State.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "country": { - "description": "Country name", - "ui-priority": 1, - "misp-attribute": "text" - }, - "country code": { - "description": "Country code ", - "ui-priority": 1, - "misp-attribute": "text" - }, - "region": { - "description": "Region. example: California.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "region code": { - "description": "Region code. 
example: CA", - "misp-attribute": "text", - "ui-priority": 1 - }, - "latitude": { - "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", - "disable_correlation": true, - "ui-priority": 90, - "misp-attribute": "float" - }, - "longitude": { - "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", - "disable_correlation": true, - "ui-priority": 89, - "misp-attribute": "float" - }, - "first-seen": { - "description": "First time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "last-seen": { - "description": "Last time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - } - }, - "requiredOneOf": [ "ip-src"] - } \ No newline at end of file From afb1d28b2bf8b9e48d471d7e3dc2a68e14d38fe1 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 13:45:22 -0700 Subject: [PATCH 057/113] Added ip-api-address object Object useful for IP data from http://ip-api.com. --- objects/ip-api-address/ip-api-address.json | 90 ++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 objects/ip-api-address/ip-api-address.json diff --git a/objects/ip-api-address/ip-api-address.json b/objects/ip-api-address/ip-api-address.json new file mode 100644 index 0000000..ab2a557 --- /dev/null +++ b/objects/ip-api-address/ip-api-address.json 
@@ -0,0 +1,90 @@ +{ + "name": "ip-api-address", + "meta-category": "network", + "description": "IP Address information. Useful if you are pulling your ip information from ip-api.com", + "version": 1, + "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", + + "attributes": { + "ip-src": { + "description": "Source IP address of the network connection.", + "ui-priority": 1, + "misp-attribute": "ip-src" + }, + "asn": { + "description": "Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "organization": { + "description": "organization", + "ui-priority": 1, + "misp-attribute": "text" + }, + "ISP": { + "description": "ISP.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "city": { + "description": "City.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "state": { + "description": "State.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "country": { + "description": "Country name", + "ui-priority": 1, + "misp-attribute": "text" + }, + "country code": { + "description": "Country code ", + "ui-priority": 1, + "misp-attribute": "text" + }, + "region": { + "description": "Region. example: California.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "region code": { + "description": "Region code. 
example: CA", + "misp-attribute": "text", + "ui-priority": 1 + }, + "latitude": { + "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", + "disable_correlation": true, + "ui-priority": 90, + "misp-attribute": "float" + }, + "longitude": { + "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", + "disable_correlation": true, + "ui-priority": 89, + "misp-attribute": "float" + }, + "first-seen": { + "description": "First time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "requiredOneOf": [ "ip-src"] + } \ No newline at end of file From 9735995ba1deae580d8ba46e4f5a8187b25938da Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 6 Oct 2018 07:42:34 +0200 Subject: [PATCH 058/113] chg: [process] disable correlation where it's not required --- objects/process/definition.json | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/objects/process/definition.json b/objects/process/definition.json index 5fdcc2b..220d4e5 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -3,7 +3,7 @@ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "meta-category": "misc", "description": "Object describing a system process.", - "version": 1, + "version": 2, "attributes": { "creation-time": { "description": "Local date/time at which the process was created.", 
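Review bot: The geographic fields (`city`, `zipcode`, `state`, `region`, `country`, `country code`, `region code`) are typed `text` with correlation left enabled, so every object describing an IP in the same city or country will correlate with every other; for low-confidence enrichment data from a third-party geolocation service that is pure noise, and these should carry `"disable_correlation": true` as `latitude` and `longitude` already do. `first-seen` and `last-seen` are described as the first and last time "the ASN was seen" although the object describes an IP address, so the descriptions should say what observation they record. `requiredOneOf` forces the looked-up address into `ip-src`, yet a geolocation lookup is just as often run on a destination or an arbitrary address; offering an `ip-dst` attribute alongside it would keep direction from being mislabeled. The file is saved as `objects/ip-api-address/ip-api-address.json` while the README entry added below links to `objects/ip-api-address/definition.json`, so one of the two must change.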
@@ -25,24 +25,28 @@ "pid": { "description": "Process ID of the process.", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "parent-pid": { "description": "Process ID of the parent process.", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "child-pid": { "description": "Process ID of the child(ren) process.", "ui-priority": 1, "misp-attribute": "text", - "multiple": true + "multiple": true, + "disable_correlation": true }, "port": { "description": "Port(s) owned by the process.", "ui-priority": 1, "misp-attribute": "src-port", - "multiple": true + "multiple": true, + "disable_correlation": true } }, "requiredOneOf": [ From 09495c3f2a81d2da08fb83b7644c0ebc44e3fbba Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 6 Oct 2018 20:27:51 +0200 Subject: [PATCH 059/113] chg: [network-connection] disable correlation --- objects/network-connection/definition.json | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json index 0aa9cba..a9f4c01 100644 --- a/objects/network-connection/definition.json +++ b/objects/network-connection/definition.json @@ -3,7 +3,7 @@ "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b", "meta-category": "network", "description": "A local or remote network connection.", - "version": 1, + "version": 2, "attributes": { "ip-src": { "description": "Source IP address of the nework connection.", @@ -59,7 +59,8 @@ "ICMP", "ARP" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "layer4-protocol": { "description": "Layer 4 protocol of the network connection.", @@ -68,7 +69,8 @@ "TCP", "UDP" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "layer7-protocol": { "description": "Layer 7 protocol of the network connection.", 
@@ -78,7 +80,8 @@ "HTTPS", "FTP" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "first-packet-seen": { "misp-attribute": "datetime", From 5e468beb801b66bfc417ab21e8ed70c5abf46cd4 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 7 Oct 2018 11:13:17 +0200 Subject: [PATCH 060/113] chg: [relationships] references added (useful for *INT collection referencing something which needs further analysis) - Example: a tweet referencing a hash which needs further analysis: --- relationships/definition.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 422834e..c444212 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -643,6 +643,13 @@ "format": [ "misp" ] + }, + { + "name": "references", + "description": "This relationships describes an object which references another object or attribute.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From 03f8622269dcc3697c57b9bf5ac8e2e7fdcb0d2b Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 11 Oct 2018 07:10:26 +0200 Subject: [PATCH 061/113] Updated list of objects in README --- README.md | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7eee687..13cdafc 100644 --- a/README.md +++ b/README.md 
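Review bot: The description of the new relationship has a grammar slip; `"description": "This relationship describes an object which references another object or attribute."` reads correctly. It would also help to state which side is the referrer, because relationship direction matters when object graphs are walked: the commit message's example (a tweet referencing a hash) implies the source object is the one doing the referencing, and a short clause saying so in the description would remove the ambiguity. The enclosing array starts outside this hunk.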
@@ -66,7 +66,8 @@ for a specific attribute. ## Existing MISP objects -* [objects/ail-leak](objects/ail-leak/definition.json) - information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework). +* [objects/ail-leak](objects/ail-leak/definition.json) - Information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework). +* [objects/ais-info](objects/ais-info/definition.json) - Object describing Automated Indicator Sharing (AIS) information source markings. * [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file). * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. 
@@ -89,9 +90,12 @@ for a specific attribute. * [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object. * [objects/file](objects/file/definition.json) - File object describing a file with meta-information. +* [objects/forensic-case](objects/forensic-case/definition.json) - An object template to describe a digital forensic case. +* [objects/forensic-evidence](objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence. * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location. * [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network. * [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object. +* [objects/ip-api-address](objects/ip-api-address/definition.json) - Object describing IP Address information, as defined in [ip-api.com](http://ip-api.com). * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way. * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation. 
@@ -103,6 +107,7 @@ for a specific attribute. * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. +* [objects/network-socket](objects/network-socket/definition.json) - Object to describe a local or remote network connections based on the socket data structure. * [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. 
@@ -112,31 +117,35 @@ for a specific attribute.
 * [objects/phishing](objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis.
 * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object.
 * [objects/process](objects/process/definition.json) - A process object.
+* [objects/regexp](objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
+* [objects/report](objects/report/definition.json) - Object to describe metadata used to generate an executive level report.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
 * [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
-* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s).
 * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target.
+* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s).
 * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
 * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
 * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
 * [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system.
 * [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object.
 * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
+* [objects/timesketch-timeline](objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.
 * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
 * [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform.
 * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
-* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
-* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
 * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
 * [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
 * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
+* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
+* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
 * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
+* [objects/yabin](objects/yabin/definition.json) - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: [yabin](https://github.com/AlienVault-OTX/yabin).
 * [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported and context (such as memory, network, disk).
 ## MISP objects relationships
From 8137a58f48ea40b1c18275b0022a9cf04c371b03 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 11 Oct 2018 07:11:28 +0200 Subject: [PATCH 062/113] fix: Fixed ip-api-address object template filename
--- objects/ip-api-address/{ip-api-address.json => definition.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename objects/ip-api-address/{ip-api-address.json => definition.json} (100%)
diff --git a/objects/ip-api-address/ip-api-address.json b/objects/ip-api-address/definition.json similarity index 100% rename from objects/ip-api-address/ip-api-address.json rename to objects/ip-api-address/definition.json
From 141a0c8d4152c1be5d9872ee70d888cd63c737d5 Mon Sep 17 00:00:00 2001
From: chrisr3d Date: Thu, 11 Oct 2018 09:14:08 +0200 Subject: [PATCH 063/113] fix: JQed ip-api-address template --- objects/ip-api-address/definition.json | 181 +++++++++++++------------ 1 file changed, 91 insertions(+), 90 deletions(-) diff --git a/objects/ip-api-address/definition.json b/objects/ip-api-address/definition.json index ab2a557..fc326a9 100644 --- a/objects/ip-api-address/definition.json +++ b/objects/ip-api-address/definition.json 
@@ -1,90 +1,91 @@ -{ - "name": "ip-api-address", - "meta-category": "network", - "description": "IP Address information. Useful if you are pulling your ip information from ip-api.com", - "version": 1, - "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", - - "attributes": { - "ip-src": { - "description": "Source IP address of the network connection.", - "ui-priority": 1, - "misp-attribute": "ip-src" - }, - "asn": { - "description": "Autonomous System Number", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "organization": { - "description": "organization", - "ui-priority": 1, - "misp-attribute": "text" - }, - "ISP": { - "description": "ISP.", - "ui-priority": 1, - "misp-attribute": "text" - }, - "zipcode": { - "description": "Zip Code.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "city": { - "description": "City.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "state": { - "description": "State.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "country": { - "description": "Country name", - "ui-priority": 1, - "misp-attribute": "text" - }, - "country code": { - "description": "Country code ", - "ui-priority": 1, - "misp-attribute": "text" - }, - "region": { - "description": "Region. example: California.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "region code": { - "description": "Region code. 
example: CA", - "misp-attribute": "text", - "ui-priority": 1 - }, - "latitude": { - "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", - "disable_correlation": true, - "ui-priority": 90, - "misp-attribute": "float" - }, - "longitude": { - "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", - "disable_correlation": true, - "ui-priority": 89, - "misp-attribute": "float" - }, - "first-seen": { - "description": "First time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "last-seen": { - "description": "Last time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - } - }, - "requiredOneOf": [ "ip-src"] - } \ No newline at end of file +{ + "name": "ip-api-address", + "meta-category": "network", + "description": "IP Address information. Useful if you are pulling your ip information from ip-api.com", + "version": 1, + "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", + "attributes": { + "ip-src": { + "description": "Source IP address of the network connection.", + "ui-priority": 1, + "misp-attribute": "ip-src" + }, + "asn": { + "description": "Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "organization": { + "description": "organization", + "ui-priority": 1, + "misp-attribute": "text" + }, + "ISP": { + "description": "ISP.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "city": { + "description": "City.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "state": { + "description": "State.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "country": { + "description": "Country name", + "ui-priority": 1, + "misp-attribute": "text" + }, + "country code": { + "description": "Country code ", 
+ "ui-priority": 1, + "misp-attribute": "text" + }, + "region": { + "description": "Region. example: California.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "region code": { + "description": "Region code. example: CA", + "misp-attribute": "text", + "ui-priority": 1 + }, + "latitude": { + "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", + "disable_correlation": true, + "ui-priority": 90, + "misp-attribute": "float" + }, + "longitude": { + "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", + "disable_correlation": true, + "ui-priority": 89, + "misp-attribute": "float" + }, + "first-seen": { + "description": "First time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "requiredOneOf": [ + "ip-src" + ] +} From 711abb094a667e8907e378bd13d9385e3167b45a Mon Sep 17 00:00:00 2001 From: aksha Date: Mon, 15 Oct 2018 11:08:09 +0100 Subject: [PATCH 064/113] Add: python-etvx object --- objects/python-etvx-event-log/definition.json | 177 ++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 objects/python-etvx-event-log/definition.json diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json new file mode 100644 index 0000000..e0fb273 --- /dev/null +++ b/objects/python-etvx-event-log/definition.json 
@@ -0,0 +1,177 @@ +{ + "required": [ + "source", + "type", + "name" + ], + "attributes": { + "event-id": { + "description": "A unique number which identifies the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "name": { + "description": "Name of the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "event-channel": + { + "description":" Channel through which the event occurred", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default":[ + "Application", + "System", + "Security", + "Setup", + "other" + ] + }, + "event-type": + { + "description": "Event-type assigned to the event", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default":[ + "Admin", + "Operational", + "Audit", + "Analytic", + "Debug", + "other" + ] + }, + "source": { + "description": "The source of the event log - application/software that logged the event.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "event-date-time": + { + "description": "Date and time when the event was logged.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "level": { + "description": "Determines the event severity.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default":[ + "Information", + "Warning", + "Error", + "Critical", + "Success Audit", + "Failure Audit" + ] + }, + "Computer": { + "description": "Computer name on which the event occurred", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "User": { + "description": "Name or the User ID the event is associated with.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Operational-code": { + "description": "The opcode (numeric value or name) associated with the activity carried out by the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true 
+ }, + "log": { + "description": "Log file where the event was recorded.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "task-category":{ + "description": "Activity by the event publisher", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Keywords":{ + "description" : "Tags used for the event for the purpose of filtering or searching.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default":[ + "Network", + "Security", + "Resource not found", + "other" + ] + }, + "Processor-ID": { + "description": "ID of the processor that processed the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Thread-ID": { + "description": "Thread id that generated the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Session-ID": { + "description": "Terminal server session ID.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Correlation-ID": { + "description": "Unique activity identity which relates the event to a process. 
", + "ui-priority": 0, + "misp-attribute": "text" + }, + "Relative-Correlation-ID": { + "description": "Related activity ID which identity similar activities which occurred as a part of the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "kernel-time": + { + "description": "Execution time of the kernel mode instruction.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "user-time": + { + "description": "Date and time when the user instruction was executed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Event-data": + { + "description": "Event data description.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Event log object template to share information of the activities conducted on a system. ", + "meta-category": "misc", + "uuid": "94e3aee9-cb99-4503-9bf6-7da3db5de55e", + "name": "python-etvx-event-log" +} From de3acf865ddad44a3511a23fa7740f4c8ed9eec3 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 22 Oct 2018 10:13:48 +0200 Subject: [PATCH 065/113] fix: Disabled correlation of imported files format attribute --- objects/original-imported-file/definition.json | 1 + 1 file changed, 1 insertion(+) diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index c2a5af5..c9d4762 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json @@ -12,6 +12,7 @@ "format": { "description": "Format of data imported.", "ui-priority": 1, + "disable_correlation": true, "misp-attribute": "text", "sane_default": [ "STIX 1.0", From 478dc899f2d0888e33187acb73c005bf09c4b4d1 Mon Sep 17 00:00:00 2001 
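Review bot: `required` lists `type`, but no attribute with that key exists in this template (the nearest is `event-type`), so the requirement can never be satisfied as written; either rename the attribute or change the entry to `"event-type"`. The default-list key is also spelled two ways in the same file — `sane-default` under `event-channel` and `event-type`, `sane_default` under `level` and `Keywords` — and every other template in this series uses `sane_default`, so the hyphenated variant is presumably ignored by consumers and the four should agree. Attribute keys mix cases too (`Computer`, `User`, `Keywords`, `Processor-ID` next to `event-id`, `task-category`); normalising them to lower-case-hyphenated before the template is published would avoid a breaking rename later. `kernel-time` is described as an execution time but typed `datetime`, which looks like a duration/timestamp mismatch worth confirming.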
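Review bot: The template's `version` is not incremented alongside the new `"disable_correlation": true` on `format` (the diffstat shows a single insertion), whereas the file and domain-ip changes earlier in this series bump `version` with every attribute change; instances that track template versions will presumably keep the old correlation behaviour until the number changes. Increment the object's `version` field in the same commit. The report hunk further down, which adds `"multiple": true` to the summary attribute, has the same omission.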
From: aksha Date: Mon, 22 Oct 2018 09:35:21 +0100 Subject: [PATCH 066/113] Add: Web artefacts objects --- objects/TSK-Chats/definition.json | 84 ++++++++++++++++++++ objects/TSK-Web-Bookmark/definition.json | 67 ++++++++++++++++ objects/TSK-Web-Cookie/definition.json | 67 ++++++++++++++++ objects/TSK-Web-Downloads/definition.json | 55 +++++++++++++ objects/TSK-Web-History/definition.json | 68 ++++++++++++++++ objects/TSK-Web-Search-Query/definition.json | 66 +++++++++++++++ 6 files changed, 407 insertions(+) create mode 100644 objects/TSK-Chats/definition.json create mode 100644 objects/TSK-Web-Bookmark/definition.json create mode 100644 objects/TSK-Web-Cookie/definition.json create mode 100644 objects/TSK-Web-Downloads/definition.json create mode 100644 objects/TSK-Web-History/definition.json create mode 100644 objects/TSK-Web-Search-Query/definition.json diff --git a/objects/TSK-Chats/definition.json b/objects/TSK-Chats/definition.json new file mode 100644 index 0000000..bcda96a --- /dev/null +++ b/objects/TSK-Chats/definition.json 
@@ -0,0 +1,84 @@ +{ + "required": [ + "message-type", + "message" + ], + "attributes": { + "message-type": { + "description": "the type of message extracted from the forensic-evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default":[ + "SMS", + "MMS", + "Instant Message (IM)", + "Voice Message" + ], + "disable_correlation": true + }, + "datetime-sent": { + "description": "date and the time when the message was sent.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "datetime-received": { + "description": "date and time when the message was received.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Source": { + "description": "Source of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "destination": { + "description": "Destination of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "app-used": { + "description": "Application used to send the message.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "subject": { + "description": "Subject of the message if any.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "message": { + "description": "Message exchanged.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "attachments": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "categories": [ + "External analysis" + ], + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.", + "meta-category": 
"misc", + "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", + "name": "TSK-Chats" +} diff --git a/objects/TSK-Web-Bookmark/definition.json b/objects/TSK-Web-Bookmark/definition.json new file mode 100644 index 0000000..f5bd4b9 --- /dev/null +++ b/objects/TSK-Web-Bookmark/definition.json @@ -0,0 +1,67 @@ +{ + "required": [ + "URL" + ], + "attributes": { + "URL": { + "description": "The URL saved as bookmark.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-bookmarked": { + "description": "date and time when the URL was added to favorites.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Book mark name. ", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": { + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", + "name": "TSK-Web-Bookmark" +} diff --git a/objects/TSK-Web-Cookie/definition.json b/objects/TSK-Web-Cookie/definition.json new file mode 100644 index 0000000..db4ded0 --- /dev/null +++ b/objects/TSK-Web-Cookie/definition.json 
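Review bot: Attribute keys are inconsistently cased in this template: `Source` is capitalised while its counterpart `destination` and every other key are lower-case, which matters because tools that build these objects match attribute names literally. `datetime-received` is also the only timestamp flagged `"multiple": true`; if a single chat message can legitimately carry several receive times that deserves a word in its description, otherwise the flag looks accidental. Minor: the `Source` and `destination` descriptions run the sentence into the parenthesis (`message.(Contact details)`).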
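Review bot: `URL` is typed `link`, the type this series uses for external references (see `attachments` in TSK-Chats), rather than `url`, so a bookmarked address will neither correlate with `url` attributes elsewhere nor be exported as an indicator. The same applies to `domain-name` typed `text` instead of `domain`, and to `domain-ip` typed `ip-src` for what is a resolved address; the existing domain-ip template is the reference to follow for those two. The TSK-Web-Cookie, TSK-Web-Downloads, TSK-Web-History (where `referrer` is likewise `text`) and TSK-Web-Search-Query hunks below carry the same typing, so one decision should be applied across all five.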
@@ -0,0 +1,67 @@ +{ + "required": [ + "URL", + "name", + "value" + ], + "attributes": { + "URL": { + "description": "The website URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-created": { + "description": "date and time when the cookie was created.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the cookie ", + "ui-priority": 0, + "misp-attribute": "text" + }, + "value": { + "description": "Value assigned to the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser on which the cookie was created.", + "ui-priority": 0, + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the domain that created the URL.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", + "meta-category": "misc", + "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", + "name": "TSK-Web-Cookie" +} diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json new file mode 100644 index 0000000..55ddf05 --- /dev/null +++ b/objects/TSK-Web-Downloads/definition.json 
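Review bot: `value` is required and left correlatable, yet a cookie value recovered from a browser profile is frequently a live session or authentication token. The description should say so, and because such tokens are per-session they rarely correlate meaningfully, so `"disable_correlation": true` (as already set on `datetime-created`) is worth considering, with the sharing party redacting or hashing the value where the community does not need it. The `domain-ip` description reads `IP of the domain that created the URL` where the rest of the template talks about the domain that created the cookie, and `An TSK-Autopsy Object Template` should be `A TSK-Autopsy Object Template`.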
@@ -0,0 +1,55 @@ +{ + "required": [ + "URL", + "name" + ], + "attributes": { + "URL": { + "description": "The URL used to download the file.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and time when the file was downloaded.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the file downloaded.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "path-downloadedTo": { + "description": "Location the file was downloaded to.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "pathID": { + "description": "Id of the attribute file where the information is gathered from.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "attachment": { + "description": "The downloaded file itself.", + "ui-priority": 1, + "misp-attribute": "attachment", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add web-downloads", + "meta-category": "File", + "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", + "name": "TSK-Web-Downloads" +} diff --git a/objects/TSK-Web-History/definition.json b/objects/TSK-Web-History/definition.json new file mode 100644 index 0000000..84be3b9 --- /dev/null +++ b/objects/TSK-Web-History/definition.json 
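Review bot: `meta-category` is `"File"` while the file template earlier in this series and every other template here use lower-case values (`file`, `misc`, `network`); a capitalised category will presumably be grouped separately by anything keyed on that field, so `"meta-category": "file"` is the intended value. The keys `path-downloadedTo` and `pathID` also break the lower-case-hyphenated convention of their siblings (`datetime-accessed`, `additional-comments`), and the `pathID` description (`Id of the attribute file where the information is gathered from`) does not say what identifier an analyst is expected to put there.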
@@ -0,0 +1,68 @@ +{ + "required": [ + "URL", + "datetime-accessed" + ], + "attributes": { + "URL": { + "description": "The URL accessed.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and the time when the URL was accessed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "referrer": { + "description": "where the URL was referred from ", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": { + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web history information", + "meta-category": "misc", + "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698", + "name": "TSK-Web-History" +} diff --git a/objects/TSK-Web-Search-Query/definition.json b/objects/TSK-Web-Search-Query/definition.json new file mode 100644 index 0000000..8e66b0d --- /dev/null +++ b/objects/TSK-Web-Search-Query/definition.json 
@@ -0,0 +1,66 @@ +{ + "required": [ + "domain", + "text" + ], + "attributes": { + "domain": { + "description": "The domain of the search engine.", + "ui-priority": 0, + "misp-attribute": "link", + "sane_default": [ + "Google", + "Yahoo", + "Bing", + "Alta Vista", + "MSN" + ], + "disable_correlation": true + }, + "text": { + "description": "the search word or sentence.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "datetime-searched": { + "description": "date and time when the search was conducted.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "browser": { + "description": "Browser used.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "username": { + "description": "User name or ID associated with the search.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web search query information", + "meta-category": "misc", + "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e", + "name": "TSK-Web-Search-Query" +} From 332cf5475c1afd090c2995603b09b86f72042c15 Mon Sep 17 00:00:00 2001 From: Tobias Mainka Date: Mon, 22 Oct 2018 14:55:27 +0200 Subject: [PATCH 067/113] enable multiple summary attribute in report object --- objects/report/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/report/definition.json b/objects/report/definition.json index a0908ad..cce9d89 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json 
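Review bot: `domain` is typed `link` and its `sane_default` entries are vendor names (`Google`, `Yahoo`, `Alta Vista`) rather than domains, so the attribute is neither a domain nor a link as declared; either type it `domain` with host names as defaults, or rename it to something like `search-engine` and keep the names under `text`. The attribute key `text` is also easy to confuse with the `text` MISP type it maps to; `query` or `search-terms` would read more clearly in exports.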
@@ -10,7 +10,8 @@
 "categories": [
 "Other",
 "Internal reference"
- ]
+ ],
+ "multiple": true
 },
 "case-number": {
 "description": "Case number",
From 0db808ab6a09a420ac4523d986ad154d91ba00ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 22 Oct 2018 12:19:47 -0400 Subject: [PATCH 068/113] new: Add Alfred relationships (CCCS)
--- relationships/definition.json | 301 ++++++++++++++++++++- tools/alfred_links_to_relarelationships.py | 48 ++++ 2 files changed, 337 insertions(+), 12 deletions(-) create mode 100644 tools/alfred_links_to_relarelationships.py
diff --git a/relationships/definition.json b/relationships/definition.json
index c444212..e27168b 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -6,7 +6,8 @@
 "description": "The information in the target object is based on information from the source object.",
 "format": [
 "misp",
- "stix-2.0"
+ "stix-2.0",
+ "alfred"
 ]
 },
 {
@@ -22,7 +23,8 @@
 "description": "The referenced source is related to the target object.",
 "format": [
 "misp",
- "stix-2.0"
+ "stix-2.0",
+ "alfred"
 ]
 },
 {
@@ -46,7 +48,8 @@
 "description": "The referenced source is containing the target object.",
 "format": [
 "misp",
- "stix-1.1"
+ "stix-1.1",
+ "alfred"
 ]
 },
 {
@@ -182,7 +185,8 @@
 "description": "This relationship describes the use by the source object of the target object.",
 "format": [
 "misp",
- "stix-2.0"
+ "stix-2.0",
+ "alfred"
 ]
 },
 {
@@ -206,7 +210,8 @@
 "description": "This relationship describes a source object which is a variant of the target object",
 "format": [
 "misp",
- "stix-2.0"
+ "stix-2.0",
+ "alfred"
 ]
 },
 {
@@ -284,14 +289,16 @@
 "name": "affects",
 "description": "This relationship describes an object affected by another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
 "name": "beacons-to",
 "description": "This relationship describes an object beaconing to another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
@@ -305,21 +312,24 @@
 "name": "exfiltrates-to",
 "description": "This relationship describes an object exfiltrating to another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
 "name": "identifies",
 "description": "This relationship describes an object which identifies another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
 "name": "intercepts",
 "description": "This relationship describes an object which intercepts another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
@@ -578,7 +588,8 @@
 "name": "owner-of",
 "description": "This relationship describes an object which owns another object.",
 "format": [
- "cert-eu"
+ "cert-eu",
+ "alfred"
 ]
 },
 {
@@ -650,9 +661,275 @@ "format": [ "misp" ] + }, + { + "name": "child-of", + "description": "A child semantic link to a parent.", + "format": [ + "alfred" + ] + }, + { + "name": "compromised", + "description": "Represents the semantic link of having compromised something.", + "format": [ + "alfred" + ] + }, + { + "name": "connects", + "description": "The initiator of a connection.", + "format": [ + "alfred" + ] + }, + { + "name": "connects-to", + "description": "The destination or target of a connection.", + "format": [ + "alfred" + ] + }, + { + "name": "cover-term-for", + "description": "Represents the semantic link of one thing being the cover term for another.", + "format": [ + "alfred" + ] + }, + { + "name": "disclosed-to", + "description": "Semantic link indicating where information is disclosed to.", + "format": [ + "alfred" + ] + }, + { + "name": "downloads", + "description": "Represents the semantic link of one thing downloading another.", + "format": [ + "alfred" + ] + }, + { + "name": "downloads-from", + "description": "Represents the semantic link of malware being downloaded from a location.", + "format": [ + "alfred" + ] + }, + { + "name": "generated", + "description": "Represents the semantic link of an alert generated from a signature.", + "format": [ + "alfred" + ] + }, + { + "name": "implements", + "description": "One data object implements another.", + "format": [ + "alfred" + ] + }, + { + "name": "initiates", + "description": "Represents the semantic link of a communication initiating an event.", + "format": [ + "alfred" + ] + }, + { + "name": "instance-of", + "description": "Represents the semantic link between a FILE and FILE_BINARY.", + "format": [ + "alfred" + ] + }, + { + "name": "issuer-of", + "description": "Represents the semantic link of being the issuer of something.", + "format": [ + "alfred" + ] + }, + { + "name": "linked-to", + "description": "Represents the semantic link of being associated with something.", + "format": [ + "alfred" + 
] + }, + { + "name": "not-relevant-to", + "description": "Represents the semantic link of a comm that is not relevant to an EVENT.", + "format": [ + "alfred" + ] + }, + { + "name": "part-of", + "description": "Represents the semantic link that defines one thing to be part of another in a hierachial structure from the child to the parent.", + "format": [ + "alfred" + ] + }, + { + "name": "processed-by", + "description": "Represents the semantic link of something has been processed by another program.", + "format": [ + "alfred" + ] + }, + { + "name": "produced", + "description": "Represents the semantic link of something having produced something else.", + "format": [ + "alfred" + ] + }, + { + "name": "queried-for", + "description": "The IP Address or domain being queried for.", + "format": [ + "alfred" + ] + }, + { + "name": "query-returned", + "description": "The IP Address or domain returned as the result of a query.", + "format": [ + "alfred" + ] + }, + { + "name": "registered", + "description": "Represents the semantic link of someone registered some thing.", + "format": [ + "alfred" + ] + }, + { + "name": "registered-to", + "description": "Represents the semantic link of something being registered to.", + "format": [ + "alfred" + ] + }, + { + "name": "relates", + "description": "Represents the semantic link between HBS Comms and communication addresses.", + "format": [ + "alfred" + ] + }, + { + "name": "relevant-to", + "description": "Represents the semantic link of a comm that is relevant to an EVENT.", + "format": [ + "alfred" + ] + }, + { + "name": "resolves-to", + "description": "Represents the semantic link of resolving to something.", + "format": [ + "alfred" + ] + }, + { + "name": "responsible-for", + "description": "Represents the semantic link of some entity being responsible for something.", + "format": [ + "alfred" + ] + }, + { + "name": "seeded", + "description": "Represents the semantic link of a seeded domain redirecting to another site.", + 
"format": [ + "alfred" + ] + }, + { + "name": "sends", + "description": "A sends semantic link meaning 'who sends what'.", + "format": [ + "alfred" + ] + }, + { + "name": "sends-as-bcc-to", + "description": "A sends to as BCC semantic link meaning 'what sends to who as BCC'.", + "format": [ + "alfred" + ] + }, + { + "name": "sends-as-cc-to", + "description": "A sends to as CC semantic link meaning 'what sends to who as CC'.", + "format": [ + "alfred" + ] + }, + { + "name": "sends-to", + "description": "A sends to semantic link meaning 'what sends to who'.", + "format": [ + "alfred" + ] + }, + { + "name": "spoofer-of", + "description": "The represents the semantic link of having spoofed something.", + "format": [ + "alfred" + ] + }, + { + "name": "subdomain-of", + "description": "Represents a domain being a subdomain of another.", + "format": [ + "alfred" + ] + }, + { + "name": "supersedes", + "description": "One data object supersedes another.", + "format": [ + "alfred" + ] + }, + { + "name": "triggered-on", + "description": "Represents the semantic link of an alert triggered on an event.", + "format": [ + "alfred" + ] + }, + { + "name": "uploads", + "description": "Represents the semantic link of one thing uploading another.", + "format": [ + "alfred" + ] + }, + { + "name": "user-of", + "description": "The represents the semantic link of being the user of something.", + "format": [ + "alfred" + ] + }, + { + "name": "works-for", + "description": "Represents the semantic link of working for something.", + "format": [ + "alfred" + ] } ], "description": "Default type of relationships in MISP objects.", "uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c", "name": "relationships" -} +} \ No newline at end of file diff --git a/tools/alfred_links_to_relarelationships.py b/tools/alfred_links_to_relarelationships.py new file mode 100644 index 0000000..bab18a2 --- /dev/null +++ b/tools/alfred_links_to_relarelationships.py 
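Review bot: Several of the new descriptions carry wording defects that will surface verbatim in the generated asciidoctor output: `hierachial` in `part-of`, `The represents the semantic link` in both `spoofer-of` and `user-of`, and `Represents the semantic link of something has been processed by another program` in `processed-by`. `part-of` and `child-of` also describe the same child-to-parent direction and nothing beyond the name distinguishes them; a sentence in each saying when to prefer one over the other (for instance `"description": "A child semantic link to a parent; prefer part-of when the source is a component of the target rather than a descendant."` on `child-of`) would help curators choose consistently. Since these descriptions are the only contract an analyst sees when picking a relationship type, the typos are worth fixing before the vocabulary spreads to other instances.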
@@ -0,0 +1,48 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +from pathlib import Path +import json + +name_ontology = 'alfred' + +relationships_path = Path('..', 'relationships', 'definition.json') + +with open(relationships_path) as f: + relationships = json.load(f) + +rel_fast_lookup = {entry['name']: entry for entry in relationships['values']} + +ontology_path = Path('alfred-ontology.json') + +with open(ontology_path) as f: + ontology = json.load(f) + +links = ontology['data']['linkTypes'] + + +for linktype in links: + link_name = linktype['name'].lower().replace('_', '-') + link_description = linktype['description'] + if link_name in rel_fast_lookup: + if rel_fast_lookup[link_name]['description'] != link_description: + print(link_name) + print('\t MISP:', rel_fast_lookup[link_name]['description']) + print('\t Alfred:', link_description) + for entry in relationships['values']: + if entry['name'] == link_name: + if name_ontology not in entry['format']: + entry['format'].append(name_ontology) + break + # Update the fast lookup to avoid duplicates. + rel_fast_lookup = {entry['name']: entry for entry in relationships['values']} + else: + if link_name not in rel_fast_lookup: + linktype['name'] = link_name + linktype['format'] = [name_ontology] + relationships['values'].append(linktype) + else: + print("Duplicate", link_name) + +with open(relationships_path, 'w') as f: + json.dump(relationships, f, indent=2) From ae103f60809567d507414bbae68a70a3c6065e0d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 23 Oct 2018 08:43:35 +0200 Subject: [PATCH 069/113] chg: [person] add attributes to whois-related information which can be associated to a person --- objects/person/definition.json | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index a041ede..d8950f0 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json 
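Review bot: The `print("Duplicate", link_name)` branch at the end of the loop is unreachable and the duplicate guard it was meant to provide does not exist: `rel_fast_lookup` is only rebuilt inside the `if link_name in rel_fast_lookup:` branch, never after `relationships['values'].append(linktype)`, so inside the outer `else:` the test `link_name not in rel_fast_lookup` is always true and two ontology link types that normalise to the same name (say, one spelled with `_` and one with `-`) are both appended. Registering the new entry with `rel_fast_lookup[link_name] = ...` right after the append fixes that, and both the per-iteration dict rebuild and the inner `for entry in relationships['values']` scan can go, because the comprehension stores the same dict objects as the list, so mutating `rel_fast_lookup[link_name]['format']` already updates the list entry. The file is written without a trailing newline — the `\ No newline at end of file` marker on relationships/definition.json in this commit and the follow-up commit that restores it show the effect — so `f.write('\n')` after `json.dump` belongs in the script. `Path('..', 'relationships', 'definition.json')` and `Path('alfred-ontology.json')` only resolve when the script is run from `tools/`; anchoring them on `Path(__file__).resolve().parent` removes that dependency. Presumably an ontology entry carries keys beyond `name` and `description`; if so, the verbatim `append(linktype)` copies them into definition.json, and building the new entry from just `name`, `description` and `format` keeps the schema uniform.
```python
# … unchanged: loading definition.json and alfred-ontology.json, rel_fast_lookup, links …

for linktype in links:
    link_name = linktype['name'].lower().replace('_', '-')
    link_description = linktype['description']
    if link_name in rel_fast_lookup:
        # the lookup holds the same dict objects as relationships['values'],
        # so editing through it updates the list entry in place
        entry = rel_fast_lookup[link_name]
        if entry['description'] != link_description:
            print(link_name)
            print('\t MISP:', entry['description'])
            print('\t Alfred:', link_description)
        if name_ontology not in entry['format']:
            entry['format'].append(name_ontology)
    else:
        # only the fields the relationships schema uses, not the whole ontology record
        new_entry = {
            'name': link_name,
            'description': link_description,
            'format': [name_ontology],
        }
        relationships['values'].append(new_entry)
        # register it so a later ontology link normalising to the same name
        # is merged above instead of being appended a second time
        rel_fast_lookup[link_name] = new_entry

with open(relationships_path, 'w') as f:
    json.dump(relationships, f, indent=2)
    f.write('\n')
```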
@@ -94,7 +94,7 @@ "misp-attribute": "redress-number" }, "social-security-number": { - "description": "Social security number", + "description": "Social security number.", "ui-priority": 0, "misp-attribute": "text" }, @@ -104,9 +104,39 @@ "misp-attribute": "nationality", "multiple": true, "disable_correlation": true + }, + "nic-hdl": { + "description": "NIC Handle (Network Information Centre handle) of the person.", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "phone-number": { + "description": "Phone number of the person.", + "ui-priority": 10, + "misp-attribute": "phone-number", + "multiple": true + }, + "fax-number": { + "description": "Fax number of the person.", + "ui-priority": 10, + "misp-attribute": "phone-number", + "multiple": true + }, + "address": { + "description": "Postal address of the person.", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "e-mail": { + "description": "Email address of the person.", + "ui-priority": 10, + "misp-attribute": "email-src", + "multiple": true } }, - "version": 3, + "version": 4, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From 49dee77a7fecf3120198f01cad1e712e93ebc1ef Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 23 Oct 2018 09:04:57 +0200 Subject: [PATCH 070/113] chg: [relationships] newline and relationship file ;-) --- relationships/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index e27168b..c6c94bb 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -932,4 +932,4 @@ "description": "Default type of relationships in MISP objects.", "uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c", "name": "relationships" -} \ No newline at end of file +} From 1a1972003d63a28b884791e596dad1f782168b8a Mon Sep 17 00:00:00 2001 
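Review bot: The new `e-mail` attribute is typed `email-src`, which in MISP carries sender semantics, while a person's address is an identity that can appear as sender or recipient elsewhere; the choice is defensible for correlating with sender addresses in e-mail objects, but nothing in the template records that reasoning. Spelling it out in the description, e.g. `"description": "Email address of the person (typed email-src so it correlates with sender addresses seen in e-mail objects)."`, stops a later editor from switching it to `email-dst` and silently breaking existing correlations. The other new attributes (`phone-number`, `fax-number`, `address`) correlate by default, unlike `nationality` just above them, which is reasonable for contact identifiers but is worth a conscious decision for the free-text `address` field, where formatting differences make matches unreliable.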
From: Alexandre Dulaunoy Date: Tue, 23 Oct 2018 16:35:08 +0200 Subject: [PATCH 071/113] add: [pcap-metadata] new object template for pcap file metadata (WiP) --- objects/pcap-metadata/definition.json | 54 +++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 objects/pcap-metadata/definition.json diff --git a/objects/pcap-metadata/definition.json b/objects/pcap-metadata/definition.json new file mode 100644 index 0000000..3ede7ee --- /dev/null +++ b/objects/pcap-metadata/definition.json @@ -0,0 +1,54 @@ +{ + "requiredOneOf": [ + "text", + "first-packet-seen", + "last-packet-seen" + ], + "attributes": { + "capture-length": { + "description": "Capture length set on the captured interface.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "capture-interface": { + "description": "Interface name where the packet capture was running.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "protocol": { + "description": "Capture protocol (linktype name).", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "sane_default": [ + "LINKTYPE_NULL", + "LINKTYPE_ETHERNET" + ] + }, + "text": { + "description": "A description of the packet capture.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "first-packet-seen": { + "description": "When the first packet has been seen.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-packet-seen": { + "description": "When the last packet has been seen.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Network packet capture metadata", + "meta-category": "network", + "uuid": "0784aefa-ec3a-4eca-a431-c31ed7058bd3", + "name": "pcap-metadata" +} From 3bf8c938aadf7363d1f59a1258a20fa446d1a806 Mon Sep 17 00:00:00 2001 
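Review bot: `capture-length` is described as "Capture length set on the captured interface" with no unit or meaning given, and it is typed `text`, so a consumer cannot tell whether it is a byte count (a snapshot length) or something else. If it is the snapshot length, say so with the unit, e.g. `"description": "Snapshot length (snaplen) configured for the capture, in bytes."`, and consider the numeric MISP type `size-in-bytes` so values can be compared rather than string-matched. The `requiredOneOf` list also accepts an object holding only `text`, which is acceptable for a WiP template but means a `pcap-metadata` object may carry no capture facts at all; if that is not intended, `capture-interface` or `protocol` belongs in the list too.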
From: Alexandre Dulaunoy Date: Tue, 23 Oct 2018 20:03:58 +0200 Subject: [PATCH 072/113] fix the required part of the url --- objects/url/definition.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/objects/url/definition.json b/objects/url/definition.json index 10729f9..8248ed6 100644 --- a/objects/url/definition.json +++ b/objects/url/definition.json @@ -1,6 +1,7 @@ { - "required": [ - "url" + "requiredOneOf": [ + "url", + "resource_path" ], "attributes": { "fragment": { @@ -95,7 +96,7 @@ "misp-attribute": "hostname" } }, - "version": 6, + "version": 7, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", From a2ce46ecad9796f28055191e53a6a55bf21f7a28 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 24 Oct 2018 07:35:31 +0200 Subject: [PATCH 073/113] chg: [pcap-metadata] linktype added in the sane default --- objects/pcap-metadata/definition.json | 205 +++++++++++++++++++++++++- 1 file changed, 202 insertions(+), 3 deletions(-) diff --git a/objects/pcap-metadata/definition.json b/objects/pcap-metadata/definition.json index 3ede7ee..c454f26 100644 --- a/objects/pcap-metadata/definition.json +++ b/objects/pcap-metadata/definition.json 
@@ -23,8 +23,207 @@ "ui-priority": 1, "misp-attribute": "text", "sane_default": [ - "LINKTYPE_NULL", - "LINKTYPE_ETHERNET" + "PER_PACKET", + "UNKNOWN", + "ETHERNET", + "TOKEN_RING", + "SLIP", + "PPP", + "FDDI", + "FDDI_BITSWAPPED", + "RAW_IP", + "ARCNET", + "ARCNET_LINUX", + "ATM_RFC1483", + "LINUX_ATM_CLIP", + "LAPB", + "ATM_PDUS", + "ATM_PDUS_UNTRUNCATED", + "NULL", + "ASCEND", + "ISDN", + "IP_OVER_FC", + "PPP_WITH_PHDR", + "IEEE_802_11", + "IEEE_802_11_PRISM", + "IEEE_802_11_WITH_RADIO", + "IEEE_802_11_RADIOTAP", + "IEEE_802_11_AVS", + "SLL", + "FRELAY", + "FRELAY_WITH_PHDR", + "CHDLC", + "CISCO_IOS", + "LOCALTALK", + "OLD_PFLOG", + "HHDLC", + "DOCSIS", + "COSINE", + "WFLEET_HDLC", + "SDLC", + "TZSP", + "ENC", + "PFLOG", + "CHDLC_WITH_PHDR", + "BLUETOOTH_H4", + "MTP2", + "MTP3", + "IRDA", + "USER0", + "USER1", + "USER2", + "USER3", + "USER4", + "USER5", + "USER6", + "USER7", + "USER8", + "USER9", + "USER10", + "USER11", + "USER12", + "USER13", + "USER14", + "USER15", + "SYMANTEC", + "APPLE_IP_OVER_IEEE1394", + "BACNET_MS_TP", + "NETTL_RAW_ICMP", + "NETTL_RAW_ICMPV6", + "GPRS_LLC", + "JUNIPER_ATM1", + "JUNIPER_ATM2", + "REDBACK", + "NETTL_RAW_IP", + "NETTL_ETHERNET", + "NETTL_TOKEN_RING", + "NETTL_FDDI", + "NETTL_UNKNOWN", + "MTP2_WITH_PHDR", + "JUNIPER_PPPOE", + "GCOM_TIE1", + "GCOM_SERIAL", + "NETTL_X25", + "K12", + "JUNIPER_MLPPP", + "JUNIPER_MLFR", + "JUNIPER_ETHER", + "JUNIPER_PPP", + "JUNIPER_FRELAY", + "JUNIPER_CHDLC", + "JUNIPER_GGSN", + "LINUX_LAPD", + "CATAPULT_DCT2000", + "BER", + "JUNIPER_VP", + "USB_FREEBSD", + "IEEE802_16_MAC_CPS", + "NETTL_RAW_TELNET", + "USB_LINUX", + "MPEG", + "PPI", + "ERF", + "BLUETOOTH_H4_WITH_PHDR", + "SITA", + "SCCP", + "BLUETOOTH_HCI", + "IPMB", + "IEEE802_15_4", + "X2E_XORAYA", + "FLEXRAY", + "LIN", + "MOST", + "CAN20B", + "LAYER1_EVENT", + "X2E_SERIAL", + "I2C", + "IEEE802_15_4_NONASK_PHY", + "TNEF", + "USB_LINUX_MMAPPED", + "GSM_UM", + "DPNSS", + "PACKETLOGGER", + "NSTRACE_1_0", + "NSTRACE_2_0", + "FIBRE_CHANNEL_FC2", + 
"FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS", + "JPEG_JFIF", + "IPNET", + "SOCKETCAN", + "IEEE_802_11_NETMON", + "IEEE802_15_4_NOFCS", + "RAW_IPFIX", + "RAW_IP4", + "RAW_IP6", + "LAPD", + "DVBCI", + "MUX27010", + "MIME", + "NETANALYZER", + "NETANALYZER_TRANSPARENT", + "IP_OVER_IB_SNOOP", + "MPEG_2_TS", + "PPP_ETHER", + "NFC_LLCP", + "NFLOG", + "V5_EF", + "BACNET_MS_TP_WITH_PHDR", + "IXVERIWAVE", + "SDH", + "DBUS", + "AX25_KISS", + "AX25", + "SCTP", + "INFINIBAND", + "JUNIPER_SVCS", + "USBPCAP", + "RTAC_SERIAL", + "BLUETOOTH_LE_LL", + "WIRESHARK_UPPER_PDU", + "STANAG_4607", + "STANAG_5066_D_PDU", + "NETLINK", + "BLUETOOTH_LINUX_MONITOR", + "BLUETOOTH_BREDR_BB", + "BLUETOOTH_LE_LL_WITH_PHDR", + "NSTRACE_3_0", + "LOGCAT", + "LOGCAT_BRIEF", + "LOGCAT_PROCESS", + "LOGCAT_TAG", + "LOGCAT_THREAD", + "LOGCAT_TIME", + "LOGCAT_THREADTIME", + "LOGCAT_LONG", + "PKTAP", + "EPON", + "IPMI_TRACE", + "LOOP", + "JSON", + "NSTRACE_3_5", + "ISO14443", + "GFP_T", + "GFP_F", + "IP_OVER_IB_PCAP", + "JUNIPER_VN", + "USB_DARWIN", + "LORATAP", + "3MB_ETHERNET", + "VSOCK", + "NORDIC_BLE", + "NETMON_NET_NETEVENT", + "NETMON_HEADER", + "NETMON_NET_FILTER", + "NETMON_NETWORK_INFO_EX", + "MA_WFP_CAPTURE_V4", + "MA_WFP_CAPTURE_V6", + "MA_WFP_CAPTURE_2V4", + "MA_WFP_CAPTURE_2V6", + "MA_WFP_CAPTURE_AUTH_V4", + "MA_WFP_CAPTURE_AUTH_V6", + "JUNIPER_ST", + "ETHERNET_MPACKET", + "DOCSIS31_XRA31" ] }, "text": { @@ -46,7 +245,7 @@ "misp-attribute": "datetime" } }, - "version": 1, + "version": 2, "description": "Network packet capture metadata", "meta-category": "network", "uuid": "0784aefa-ec3a-4eca-a431-c31ed7058bd3", From 675b60703b3571874949c3fe2c90ba4d735aedde Mon Sep 17 00:00:00 2001 From: Tobias Mainka Date: Wed, 24 Oct 2018 13:58:38 +0200 Subject: [PATCH 074/113] added sandbox-file type as attribute for storing e.g. sandbox results file in sandbox-report object --- objects/sandbox-report/definition.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
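Review bot: The new `sane_default` values drop the `LINKTYPE_` prefix and appear to be Wireshark wiretap encapsulation names (`ETHERNET`, `SLL`, `IEEE_802_11_RADIOTAP`, `USER0`…`USER15`) rather than the pcap link-layer header type names that the attribute's description ("Capture protocol (linktype name)", just above this hunk) still announces. Either keep the `LINKTYPE_` vocabulary or update the description to name the one actually used, e.g. `"description": "Capture encapsulation, using Wireshark wiretap encapsulation names."`, so tooling that fills this field from `tshark` or `capinfos` output knows which form to emit. Because these are sane defaults only, free text still passes validation, which makes the description the only contract and the mismatch worth closing.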
diff --git a/objects/sandbox-report/definition.json b/objects/sandbox-report/definition.json index b294575..6b4a403 100644 --- a/objects/sandbox-report/definition.json +++ b/objects/sandbox-report/definition.json @@ -44,6 +44,16 @@ "ui-priority": 0, "misp-attribute": "text" }, + "sandbox-file": { + "description": "File related to sandbox run", + "misp-attribute": "attachment", + "disable_correlation": true, + "ui-priority": 1, + "categories": [ + "External analysis" + ], + "multiple": true + }, "sandbox-type": { "description": "The type of sandbox used", "misp-attribute": "text", @@ -92,7 +102,7 @@ ] } }, - "version": 1, + "version": 2, "description": "Sandbox report", "meta-category": "misc", "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", From 8b861df87648e83589345ad1e283f215fc48f2cc Mon Sep 17 00:00:00 2001 From: Tobias Mainka Date: Wed, 24 Oct 2018 14:14:32 +0200 Subject: [PATCH 075/113] fix failing check via running .jq_all_the_things.sh --- objects/sandbox-report/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/sandbox-report/definition.json b/objects/sandbox-report/definition.json index 6b4a403..eeb637d 100644 --- a/objects/sandbox-report/definition.json +++ b/objects/sandbox-report/definition.json @@ -50,10 +50,10 @@ "disable_correlation": true, "ui-priority": 1, "categories": [ - "External analysis" + "External analysis" ], "multiple": true - }, + }, "sandbox-type": { "description": "The type of sandbox used", "misp-attribute": "text", From 1cedea6506a3dba87dfd5fdaea963d7e3cbe2863 Mon Sep 17 00:00:00 2001 
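Review bot: `sandbox-file` is typed `attachment`, yet its description ("File related to sandbox run") does not rule out the analysed sample or the files the sandbox dropped; in MISP an `attachment` is served as a plain download, whereas `malware-sample` is the type that is stored and exported inside a password-protected archive. If the intended payload is reports, screenshots and pcaps only, say so, e.g. `"description": "Report, screenshot or other non-executable artefact produced by the sandbox run; use malware-sample for dropped binaries."`; if dropped binaries are expected here, the attribute should be `malware-sample` instead. `disable_correlation: true` is the right setting for either type, since binary blobs do not correlate meaningfully.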
From: aksha Date: Thu, 25 Oct 2018 12:39:48 +0100 Subject: [PATCH 076/113] Chg: Jq'ed all the objects --- objects/TSK-Chats/definition.json | 168 ++++----- objects/TSK-Web-Bookmark/definition.json | 134 ++++---- objects/TSK-Web-Cookie/definition.json | 134 ++++---- objects/TSK-Web-Downloads/definition.json | 110 +++--- objects/TSK-Web-History/definition.json | 136 ++++---- objects/TSK-Web-Search-Query/definition.json | 132 ++++---- objects/python-etvx-event-log/definition.json | 320 +++++++++--------- objects/regripper-NTUser/definition.json | 11 +- .../definition.json | 134 ++++---- .../definition.json | 106 +++--- .../definition.json | 115 ++++--- .../definition.json | 103 +++--- .../definition.json | 95 +++--- .../definition.json | 111 +++--- .../definition.json | 107 +++--- .../definition.json | 247 +++++++------- .../definition.json | 123 ++++--- .../definition.json | 3 +- .../definition.json | 94 ++--- .../definition.json | 175 +++++----- .../definition.json | 209 ++++++------ .../definition.json | 193 ++++++----- 22 files changed, 1470 insertions(+), 1490 deletions(-) diff --git a/objects/TSK-Chats/definition.json b/objects/TSK-Chats/definition.json index bcda96a..ed5f00a 100644 --- a/objects/TSK-Chats/definition.json +++ b/objects/TSK-Chats/definition.json 
@@ -1,84 +1,84 @@ -{ - "required": [ - "message-type", - "message" - ], - "attributes": { - "message-type": { - "description": "the type of message extracted from the forensic-evidence.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default":[ - "SMS", - "MMS", - "Instant Message (IM)", - "Voice Message" - ], - "disable_correlation": true - }, - "datetime-sent": { - "description": "date and the time when the message was sent.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "datetime-received": { - "description": "date and time when the message was received.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "Source": { - "description": "Source of the message.(Contact details)", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "destination": { - "description": "Destination of the message.(Contact details)", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "app-used": { - "description": "Application used to send the message.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "subject": { - "description": "Subject of the message if any.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "message": { - "description": "Message exchanged.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "attachments": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "categories": [ - "External analysis" - ], - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.", - "meta-category": 
"misc", - "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", - "name": "TSK-Chats" -} +{ + "required": [ + "message-type", + "message" + ], + "attributes": { + "message-type": { + "description": "the type of message extracted from the forensic-evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "SMS", + "MMS", + "Instant Message (IM)", + "Voice Message" + ], + "disable_correlation": true + }, + "datetime-sent": { + "description": "date and the time when the message was sent.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "datetime-received": { + "description": "date and time when the message was received.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Source": { + "description": "Source of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "destination": { + "description": "Destination of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "app-used": { + "description": "Application used to send the message.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "subject": { + "description": "Subject of the message if any.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "message": { + "description": "Message exchanged.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "attachments": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "categories": [ + "External analysis" + ], + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to gather information from evidential or interesting exchange of messages 
identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", + "name": "TSK-Chats" +} diff --git a/objects/TSK-Web-Bookmark/definition.json b/objects/TSK-Web-Bookmark/definition.json index f5bd4b9..485577e 100644 --- a/objects/TSK-Web-Bookmark/definition.json +++ b/objects/TSK-Web-Bookmark/definition.json 
@@ -1,67 +1,67 @@ -{ - "required": [ - "URL" - ], - "attributes": { - "URL": { - "description": "The URL saved as bookmark.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-bookmarked": { - "description": "date and time when the URL was added to favorites.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Book mark name. ", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "title": { - "description": "Title of the web page", - "ui-priority": 0, - "misp-attribute": "text" - }, - "browser": { - "description": "Browser used to access the URL.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "domain-name": { - "description": "Domain of the URL.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the URL domain.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", - "meta-category": "misc", - "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", - "name": "TSK-Web-Bookmark" -} +{ + "required": [ + "URL" + ], + "attributes": { + "URL": { + "description": "The URL saved as bookmark.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-bookmarked": { + "description": "date and time when the URL was added to favorites.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Book mark name. 
", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": { + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", + "name": "TSK-Web-Bookmark" +} diff --git a/objects/TSK-Web-Cookie/definition.json b/objects/TSK-Web-Cookie/definition.json index db4ded0..03cf240 100644 --- a/objects/TSK-Web-Cookie/definition.json +++ b/objects/TSK-Web-Cookie/definition.json 
@@ -1,67 +1,67 @@ -{ - "required": [ - "URL", - "name", - "value" - ], - "attributes": { - "URL": { - "description": "The website URL that created the cookie.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-created": { - "description": "date and time when the cookie was created.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Name of the cookie ", - "ui-priority": 0, - "misp-attribute": "text" - }, - "value": { - "description": "Value assigned to the cookie.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "browser": { - "description": "Browser on which the cookie was created.", - "ui-priority": 0, - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "misp-attribute": "text" - }, - "domain-name": { - "description": "Domain of the URL that created the cookie.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the domain that created the URL.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", - "meta-category": "misc", - "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", - "name": "TSK-Web-Cookie" -} +{ + "required": [ + "URL", + "name", + "value" + ], + "attributes": { + "URL": { + "description": "The website URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-created": { + "description": "date and time when the cookie was created.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the cookie ", + "ui-priority": 0, + "misp-attribute": "text" + }, + 
"value": { + "description": "Value assigned to the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser on which the cookie was created.", + "ui-priority": 0, + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the domain that created the URL.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", + "meta-category": "misc", + "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", + "name": "TSK-Web-Cookie" +} diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json index 55ddf05..061fa64 100644 --- a/objects/TSK-Web-Downloads/definition.json +++ b/objects/TSK-Web-Downloads/definition.json 
@@ -1,55 +1,55 @@ -{ - "required": [ - "URL", - "name" - ], - "attributes": { - "URL": { - "description": "The URL used to download the file.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-accessed": { - "description": "date and time when the file was downloaded.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Name of the file downloaded.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "path-downloadedTo": { - "description": "Location the file was downloaded to.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "pathID": { - "description": "Id of the attribute file where the information is gathered from.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "attachment": { - "description": "The downloaded file itself.", - "ui-priority": 1, - "misp-attribute": "attachment", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to add web-downloads", - "meta-category": "File", - "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", - "name": "TSK-Web-Downloads" -} +{ + "required": [ + "URL", + "name" + ], + "attributes": { + "URL": { + "description": "The URL used to download the file.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and time when the file was downloaded.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the file downloaded.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "path-downloadedTo": { + "description": "Location the file was downloaded to.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "pathID": { + "description": "Id of the attribute file where the 
information is gathered from.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "attachment": { + "description": "The downloaded file itself.", + "ui-priority": 1, + "misp-attribute": "attachment", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add web-downloads", + "meta-category": "File", + "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", + "name": "TSK-Web-Downloads" +} diff --git a/objects/TSK-Web-History/definition.json b/objects/TSK-Web-History/definition.json index 84be3b9..897e13b 100644 --- a/objects/TSK-Web-History/definition.json +++ b/objects/TSK-Web-History/definition.json 
@@ -1,68 +1,68 @@ -{ - "required": [ - "URL", - "datetime-accessed" - ], - "attributes": { - "URL": { - "description": "The URL accessed.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-accessed": { - "description": "date and the time when the URL was accessed.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "referrer": { - "description": "where the URL was referred from ", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "title": { - "description": "Title of the web page", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-name": { - "description": "Domain of the URL.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the URL domain.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "browser": { - "description": "Browser used to access the URL.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to share web history information", - "meta-category": "misc", - "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698", - "name": "TSK-Web-History" -} +{ + "required": [ + "URL", + "datetime-accessed" + ], + "attributes": { + "URL": { + "description": "The URL accessed.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and the time when the URL was accessed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "referrer": { + "description": "where the URL was referred from ", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": 
{ + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web history information", + "meta-category": "misc", + "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698", + "name": "TSK-Web-History" +} diff --git a/objects/TSK-Web-Search-Query/definition.json b/objects/TSK-Web-Search-Query/definition.json index 8e66b0d..046c266 100644 --- a/objects/TSK-Web-Search-Query/definition.json +++ b/objects/TSK-Web-Search-Query/definition.json 
@@ -1,66 +1,66 @@ -{ - "required": [ - "domain", - "text" - ], - "attributes": { - "domain": { - "description": "The domain of the search engine.", - "ui-priority": 0, - "misp-attribute": "link", - "sane_default": [ - "Google", - "Yahoo", - "Bing", - "Alta Vista", - "MSN" - ], - "disable_correlation": true - }, - "text": { - "description": "the search word or sentence.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "datetime-searched": { - "description": "date and time when the search was conducted.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "browser": { - "description": "Browser used.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "username": { - "description": "User name or ID associated with the search.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to share web search query information", - "meta-category": "misc", - "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e", - "name": "TSK-Web-Search-Query" -} +{ + "required": [ + "domain", + "text" + ], + "attributes": { + "domain": { + "description": "The domain of the search engine.", + "ui-priority": 0, + "misp-attribute": "link", + "sane_default": [ + "Google", + "Yahoo", + "Bing", + "Alta Vista", + "MSN" + ], + "disable_correlation": true + }, + "text": { + "description": "the search word or sentence.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "datetime-searched": { + "description": "date and time when the search was conducted.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "browser": { + 
"description": "Browser used.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "username": { + "description": "User name or ID associated with the search.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web search query information", + "meta-category": "misc", + "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e", + "name": "TSK-Web-Search-Query" +} diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json index e0fb273..79a2d13 100644 --- a/objects/python-etvx-event-log/definition.json +++ b/objects/python-etvx-event-log/definition.json 
@@ -5,169 +5,163 @@ "name" ], "attributes": { - "event-id": { - "description": "A unique number which identifies the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "name": { - "description": "Name of the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "event-channel": - { - "description":" Channel through which the event occurred", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true, - "sane-default":[ - "Application", - "System", - "Security", - "Setup", - "other" - ] - }, - "event-type": - { - "description": "Event-type assigned to the event", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true, - "sane-default":[ - "Admin", - "Operational", - "Audit", - "Analytic", - "Debug", - "other" - ] - }, - "source": { - "description": "The source of the event log - application/software that logged the event.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "event-date-time": - { - "description": "Date and time when the event was logged.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "level": { - "description": "Determines the event severity.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default":[ - "Information", - "Warning", - "Error", - "Critical", - "Success Audit", - "Failure Audit" - ] - }, - "Computer": { - "description": "Computer name on which the event occurred", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "User": { - "description": "Name or the User ID the event is associated with.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Operational-code": { - "description": "The opcode (numeric value or name) associated with the activity carried out by the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "log": { - "description": "Log file 
where the event was recorded.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "task-category":{ - "description": "Activity by the event publisher", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Keywords":{ - "description" : "Tags used for the event for the purpose of filtering or searching.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default":[ - "Network", - "Security", - "Resource not found", - "other" - ] - }, - "Processor-ID": { - "description": "ID of the processor that processed the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Thread-ID": { - "description": "Thread id that generated the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Session-ID": { - "description": "Terminal server session ID.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Correlation-ID": { - "description": "Unique activity identity which relates the event to a process. 
", - "ui-priority": 0, - "misp-attribute": "text" - }, - "Relative-Correlation-ID": { - "description": "Related activity ID which identity similar activities which occurred as a part of the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "kernel-time": - { - "description": "Execution time of the kernel mode instruction.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "user-time": - { - "description": "Date and time when the user instruction was executed.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "Event-data": - { - "description": "Event data description.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } + "event-id": { + "description": "A unique number which identifies the event.", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true + }, + "name": { + "description": "Name of the event.", + "ui-priority": 2, + "misp-attribute": "text", + "disable_correlation": true + }, + "event-channel": { + "description": " Channel through which the event occurred", + "ui-priority": 3, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default": [ + "Application", + "System", + "Security", + "Setup", + "other" + ] + }, + "event-type": { + "description": "Event-type assigned to the event", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default": [ + "Admin", + "Operational", + "Audit", + "Analytic", + "Debug", + "other" + ] + }, + "source": { + "description": "The source of the event log - application/software that logged the event.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "event-date-time": { + "description": "Date and time when the event was logged.", + "ui-priority": 0, + 
"misp-attribute": "datetime", + "disable_correlation": true + }, + "level": { + "description": "Determines the event severity.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Information", + "Warning", + "Error", + "Critical", + "Success Audit", + "Failure Audit" + ] + }, + "Computer": { + "description": "Computer name on which the event occurred", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "User": { + "description": "Name or the User ID the event is associated with.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Operational-code": { + "description": "The opcode (numeric value or name) associated with the activity carried out by the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "log": { + "description": "Log file where the event was recorded.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "task-category": { + "description": "Activity by the event publisher", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Keywords": { + "description": "Tags used for the event for the purpose of filtering or searching.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Network", + "Security", + "Resource not found", + "other" + ] + }, + "Processor-ID": { + "description": "ID of the processor that processed the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Thread-ID": { + "description": "Thread id that generated the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Session-ID": { + "description": "Terminal server session ID.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Correlation-ID": { + "description": "Unique activity identity which relates the event to a process. 
", + "ui-priority": 0, + "misp-attribute": "text" + }, + "Relative-Correlation-ID": { + "description": "Related activity ID which identity similar activities which occurred as a part of the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "kernel-time": { + "description": "Execution time of the kernel mode instruction.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "user-time": { + "description": "Date and time when the user instruction was executed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Event-data": { + "description": "Event data description.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } }, "version": 1, "description": "Event log object template to share information of the activities conducted on a system. ", diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json index 6eb7193..9ec80c5 100644 --- a/objects/regripper-NTUser/definition.json +++ b/objects/regripper-NTUser/definition.json 
@@ -26,25 +26,25 @@ "description": "List of recent folders accessed by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple":true + "multiple": true }, "recent-files-accessed": { "description": "List of recent files accessed by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple":true + "multiple": true }, "typed-urls": { "description": "Urls typed by the user in internet explorer", "ui-priority": 0, "misp-attribute": "text", - "multiple":true + "multiple": true }, "applications-installed": { "description": "List of applications installed.", "ui-priority": 0, "misp-attribute": "text", - "multiple":true + "multiple": true }, "applications-run": { "description": "List of applications set to run on the system.", @@ -58,7 +58,7 @@ "misp-attribute": "text", "multiple": true }, - "user-init": { + "user-init": { "description": "Applications or processes set to run when the user logs onto the windows system.", "ui-priority": 0, "misp-attribute": "text", @@ -89,7 +89,6 @@ "misp-attribute": "text", "disable_correlation": true } - }, "version": 1, "description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.", diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json index 2cf93d9..11632e3 100644 --- a/objects/regripper-sam-hive-single-user/definition.json +++ b/objects/regripper-sam-hive-single-user/definition.json 
@@ -1,70 +1,68 @@ { - "required": [ - "key" - ], - "requiredOneOf": [ - "user-name", - "last-login-time", - "login-count" - ], - "attributes": { - "key": { - "description": "Registry key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "key-last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "user-name": { - "description": "User name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "full-user-name": { - "description": "Full name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-login-time": { - "description": "Date and time when the user last logged onto the system.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "pwd-reset-time": { - "description": "Date and time when the password was last reset.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "pwd-fail-date": { - "description": "Date and time when a password last failed for this user profile.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "login-count": { - "description": "Number of times the user logged-in onto the system.", - "ui-priority": 0, - "misp-attribute": "counter", - "disable_correlation": true - }, - "comments": { - "description": "Full name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } - + "required": [ + "key" + ], + "requiredOneOf": [ + "user-name", + "last-login-time", + "login-count" + ], + "attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to present user profile details extracted from the 
SAM hive.", - "meta-category": "misc", - "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", - "name": "regripper-sam-hive-single-user" - } - \ No newline at end of file + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "user-name": { + "description": "User name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "full-user-name": { + "description": "Full name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-login-time": { + "description": "Date and time when the user last logged onto the system.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "pwd-reset-time": { + "description": "Date and time when the password was last reset.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "pwd-fail-date": { + "description": "Date and time when a password last failed for this user profile.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "login-count": { + "description": "Number of times the user logged-in onto the system.", + "ui-priority": 0, + "misp-attribute": "counter", + "disable_correlation": true + }, + "comments": { + "description": "Full name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.", + "meta-category": "misc", + "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", + "name": "regripper-sam-hive-single-user" +} diff --git a/objects/regripper-sam-hive-user-group/definition.json b/objects/regripper-sam-hive-user-group/definition.json index bcd2996..64119d0 100644 --- a/objects/regripper-sam-hive-user-group/definition.json 
+++ b/objects/regripper-sam-hive-user-group/definition.json 
@@ -1,56 +1,54 @@ { - "required": [ - "key" - ], - "requiredOneOf": [ - "group-name" - ], - "attributes": { - "key": { - "description": "Registry key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "key-last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "group-name": { - "description": "Name assigned to the profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "full-name": { - "description": "Full name assigned to the profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-date-time": { - "description": "Date and time when the group key was updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "group-comment": { - "description": "Name assigned to the profile.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "group-users": { - "description": "Users belonging to the group", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - } - + "required": [ + "key" + ], + "requiredOneOf": [ + "group-name" + ], + "attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.", - "meta-category": "misc", - "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c", - "name": "regripper-sam-hive-user-group" - } - \ No newline at end of file + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "group-name": { + "description": "Name assigned to the profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "full-name": { + "description": "Full name 
assigned to the profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-date-time": { + "description": "Date and time when the group key was updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "group-comment": { + "description": "Any group comment added.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "group-users": { + "description": "Users belonging to the group", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.", + "meta-category": "misc", + "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c", + "name": "regripper-sam-hive-user-group" +} diff --git a/objects/regripper-software-hive-BHO/definition.json b/objects/regripper-software-hive-BHO/definition.json index 7c64241..0b43791 100644 --- a/objects/regripper-software-hive-BHO/definition.json +++ b/objects/regripper-software-hive-BHO/definition.json 
@@ -1,60 +1,59 @@ { - "required": [ - "key", - "BHO-name" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "BHO-name": { - "description": "Name of the browser helper object.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "BHO-key-last-write-time": { - "description": "Date and time when the BHO key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "class": { - "description": "Class to which the BHO belongs to.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "module": { - "description": "DLL module the BHO belongs to.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the BHO.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "BHO-name" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.", - "meta-category": "misc", - "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2", - "name": "regripper-software-hive-BHO" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "BHO-name": { + "description": "Name of the 
browser helper object.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BHO-key-last-write-time": { + "description": "Date and time when the BHO key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "class": { + "description": "Class to which the BHO belongs to.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "module": { + "description": "DLL module the BHO belongs to.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the BHO.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.", + "meta-category": "misc", + "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2", + "name": "regripper-software-hive-BHO" +} diff --git a/objects/regripper-software-hive-appInit-DLLS/definition.json b/objects/regripper-software-hive-appInit-DLLS/definition.json index 3923e35..d089224 100644 --- a/objects/regripper-software-hive-appInit-DLLS/definition.json +++ b/objects/regripper-software-hive-appInit-DLLS/definition.json 
@@ -1,54 +1,53 @@ { - "required": [ - "key", - "DLL-name", - "DLL-path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "DLL-name": { - "description": "Name of the DLL file.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DLL-path": { - "description": "Path where the DLL file is stored.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DLL-last-write-time": { - "description": "Date and time when the DLL file was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the DLL file.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "DLL-name", + "DLL-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the DLL files installed on the system.", - "meta-category": "misc", - "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859", - "name": "regripper-software-hive-appInit-DLLS" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "DLL-name": { + "description": "Name of the DLL file.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DLL-path": { + "description": "Path where the DLL file is stored.", + "ui-priority": 0, + 
"misp-attribute": "text" + }, + "DLL-last-write-time": { + "description": "Date and time when the DLL file was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the DLL file.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the DLL files installed on the system.", + "meta-category": "misc", + "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859", + "name": "regripper-software-hive-appInit-DLLS" +} diff --git a/objects/regripper-software-hive-application-paths/definition.json b/objects/regripper-software-hive-application-paths/definition.json index 939e39a..3929d42 100644 --- a/objects/regripper-software-hive-application-paths/definition.json +++ b/objects/regripper-software-hive-application-paths/definition.json 
@@ -1,50 +1,49 @@ { - "required": [ - "key", - "executable-file-name", - "path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "executable-file-name": { - "description": "Name of the executable file.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple":true - }, - "path": { - "description": "Path of the executable file.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple":true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the application installed.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "executable-file-name", + "path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the application paths.", - "meta-category": "misc", - "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8", - "name": "regripper-software-hive-application-paths" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "executable-file-name": { + "description": "Name of the executable file.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "path": { + "description": "Path of the executable file.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "comments": { + "description": "Additional 
comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the application installed.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the application paths.", + "meta-category": "misc", + "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8", + "name": "regripper-software-hive-application-paths" +} diff --git a/objects/regripper-software-hive-applications-installed/definition.json b/objects/regripper-software-hive-applications-installed/definition.json index 55c58ea..c8229c7 100644 --- a/objects/regripper-software-hive-applications-installed/definition.json +++ b/objects/regripper-software-hive-applications-installed/definition.json 
@@ -1,58 +1,57 @@ { - "required": [ - "key", - "app-name" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "key-path": { - "description": "Path of the key.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "app-name": { - "description": "Name of the application.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "app-last-write-time": { - "description": "Date and time when the application key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "version": { - "description": "Version of the application.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the application installed.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "app-name" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the applications installed on the system.", - "meta-category": "misc", - "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd", - "name": "regripper-software-hive-applications-installed" - } - \ No newline at end of file + "key-path": { + "description": "Path of the key.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, 
+ "app-name": { + "description": "Name of the application.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "app-last-write-time": { + "description": "Date and time when the application key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "version": { + "description": "Version of the application.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the application installed.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the applications installed on the system.", + "meta-category": "misc", + "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd", + "name": "regripper-software-hive-applications-installed" +} diff --git a/objects/regripper-software-hive-command-shell/definition.json b/objects/regripper-software-hive-command-shell/definition.json index 593308d..0d060d6 100644 --- a/objects/regripper-software-hive-command-shell/definition.json +++ b/objects/regripper-software-hive-command-shell/definition.json 
@@ -1,56 +1,55 @@ { - "required": [ - "key", - "shell", - "shell-path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "shell": { - "description": "Type of shell used to execute the command.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default":[ - "exe", - "cmd", - "bat", - "hta", - "pif", - "Other" - ], - "disable_correlation": true - }, - "shell-path": { - "description": "Path of the shell.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "command": { - "description": "Command executed.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } + "required": [ + "key", + "shell", + "shell-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the shell commands executed on the system.", - "meta-category": "misc", - "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978", - "name": "regripper-software-hive-command-shell" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "shell": { + "description": "Type of shell used to execute the command.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "exe", + "cmd", + "bat", + "hta", + "pif", + "Other" + ], + "disable_correlation": true + }, + "shell-path": { + "description": "Path of the shell.", + 
"ui-priority": 0, + "misp-attribute": "text" + }, + "command": { + "description": "Command executed.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the shell commands executed on the system.", + "meta-category": "misc", + "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978", + "name": "regripper-software-hive-command-shell" +} diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json index a05492f..85b5538 100644 --- a/objects/regripper-software-hive-general-windows-info/definition.json +++ b/objects/regripper-software-hive-general-windows-info/definition.json 
@@ -1,126 +1,125 @@
 {
- "required": [
- "win-cv-path",
- "CurrentVersion"
- ],
- "attributes": {
- "win-cv-path": {
- "description": "key where the windows information is retrieved from",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "RegisteredOrganization": {
- "description": "Name of the registered organization.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "RegisteredOwner": {
- "description": "Name of the registered owner.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CurrentVersion": {
- "description": "Current version of windows",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CurrentBuild": {
- "description": "Build number of the windows OS.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "SoftwareType": {
- "description": "Software type of windows.",
- "ui-priority": 0,
- "sane_default":[
- "System",
- "Application",
- "other"
- ],
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "InstallationType": {
- "description": "Type of windows installation.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "InstallDate": {
- "description": "Date when windows was installed.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "SystemRoot": {
- "description": "Root directory.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "PathName": {
- "description": "Path to the root directory.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "EditionID": {
- "description": "Windows edition.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "ProductName": {
- "description": "Name of the windows version.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "ProductID": {
- "description": "ID of the product version.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CSDVersion": {
- "description": "Version of the service pack installed.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CurrentType": {
- "description": "Current build type of the OS.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BuildLab": {
- "description": "Windows BuildLab string.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BuildGUID": {
- "description": "Build ID.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BuildLabEx": {
- "description": "Windows BuildLabEx string.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "comment": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "",
- "disable_correlation": true
- }
+ "required": [
+ "win-cv-path",
+ "CurrentVersion"
+ ],
+ "attributes": {
+ "win-cv-path": {
+ "description": "key where the windows information is retrieved from",
+ "ui-priority": 0,
+ "misp-attribute": "text"
 },
- "version": 1,
- "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
- "meta-category": "misc",
- "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
- "name": "regripper-software-hive-windows-general-info"
- }
- 
\ No newline at end of file
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "RegisteredOrganization": {
+ "description": "Name of the registered organization.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "RegisteredOwner": {
+ "description": "Name of the registered owner.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CurrentVersion": {
+ "description": "Current version of windows",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "CurrentBuild": {
+ "description": "Build number of the windows OS.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "SoftwareType": {
+ "description": "Software type of windows.",
+ "ui-priority": 0,
+ "sane_default": [
+ "System",
+ "Application",
+ "other"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "InstallationType": {
+ "description": "Type of windows installation.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "InstallDate": {
+ "description": "Date when windows was installed.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "SystemRoot": {
+ "description": "Root directory.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "PathName": {
+ "description": "Path to the root directory.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "EditionID": {
+ "description": "Windows edition.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ProductName": {
+ "description": "Name of the windows version.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ProductID": {
+ "description": "ID of the product version.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CSDVersion": {
+ "description": "Version of the service pack installed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CurrentBuildType": {
+ "description": "Current build type of the OS.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BuildLab": {
+ "description": "Windows BuildLab string.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BuildGUID": {
+ "description": "Build ID.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BuildLabEx": {
+ "description": "Windows BuildLabEx string.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comment": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
+ "meta-category": "misc",
+ "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
+ "name": "regripper-software-hive-windows-general-info"
+}
diff --git a/objects/regripper-software-hive-software-run/definition.json b/objects/regripper-software-hive-software-run/definition.json
index 95e93cc..35cb1f5 100644
--- a/objects/regripper-software-hive-software-run/definition.json
+++ b/objects/regripper-software-hive-software-run/definition.json
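Review bot: On the new side, `CurrentVersion` has lost its `"misp-attribute": "text"` line and gained `"disable_correlation": true` in its place, while it remains listed under `required`; a required attribute with no MISP attribute type cannot be filled in by whatever consumes this template, so the type should be restored next to the new flag: `"misp-attribute": "text",` before `"disable_correlation": true`. The `comment` attribute on the same side still carries an empty type, `"misp-attribute": ""`, which looks like the same kind of omission given that sibling templates in this diff use `"text"` for their comment fields. `CurrentType` is renamed to `CurrentBuildType` and the object's `name` still reads `regripper-software-hive-windows-general-info` although the file lives under `regripper-software-hive-general-windows-info`, yet `version` stays at 1; if consumers key on name and version to refresh templates (inferred, not visible here), neither the rename nor the attribute change will be picked up without a bump.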
@@ -1,64 +1,63 @@ { - "required": [ - "key", - "application-name", - "application-path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "sane_default": [ - "Run", - "RunOnce", - "Runservices", - "Terminal", - "Other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "key-path": { - "description": "Path of the key.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "application-name": { - "description": "Name of the application run.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple":true - }, - "application-path": { - "description": "Path where the application is installed.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple":true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the applications.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "application-name", + "application-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "sane_default": [ + "Run", + "RunOnce", + "Runservices", + "Terminal", + "Other" + ], + "misp-attribute": "text", + "disable_correlation": true }, - "version": 1, - "description": "Regripper Object template designed to gather information of the applications set to run on the system.", - "meta-category": "misc", - "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94", - "name": "regripper-software-hive-software-run" - } - \ No newline at end of file + "key-path": { + "description": "Path of the key.", + "ui-priority": 0, + 
"misp-attribute": "text", + "disable_correlation": true + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "application-name": { + "description": "Name of the application run.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "application-path": { + "description": "Path where the application is installed.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the applications.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the applications set to run on the system.", + "meta-category": "misc", + "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94", + "name": "regripper-software-hive-software-run" +} diff --git a/objects/regripper-software-hive-userprofile-winlogon/definition.json b/objects/regripper-software-hive-userprofile-winlogon/definition.json index 6dcbef9..e38ebd0 100644 --- a/objects/regripper-software-hive-userprofile-winlogon/definition.json +++ b/objects/regripper-software-hive-userprofile-winlogon/definition.json @@ -145,8 +145,7 @@ "misp-attribute": "counter", "disable_correlation": true }, - "Comments": - { + "Comments": { "description": "Additional comments.", "ui-priority": 0, "misp-attribute": "text", diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json index 94ffeb8..fdd0663 100644 --- a/objects/regripper-system-hive-firewall-configuration/definition.json +++ b/objects/regripper-system-hive-firewall-configuration/definition.json 
@@ -1,48 +1,50 @@
 {
- "required": [
- "profile"
- ],
- "attributes": {
- "profile": {
- "description": "Firewall Profile type",
- "ui-priority": 0,
- "sane-default":[
- "Domain Profile",
- "Standard Profile",
- "other"
- ],
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "last-write-time": {
- "description": "Date and time when the firewall profile policy was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "enbled-firewall": {
- "description": "Boolean flag to determine if the firewall is enabled.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "disable-notification": {
- "description": "Boolean flag to determine if firewall notifications are enabled.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "comment": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- }
+ "required": [
+ "profile"
+ ],
+ "attributes": {
+ "profile": {
+ "description": "Firewall Profile type",
+ "ui-priority": 0,
+ "sane-default": [
+ "Domain Profile",
+ "Standard Profile",
+ "Network Profile",
+ "Public Profile",
+ "Private Profile",
+ "other"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
- "version": 1,
- "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.",
- "meta-category": "misc",
- "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07",
- "name": "regripper-system-hive-firewall-configuration"
- }
- 
\ No newline at end of file
+ "last-write-time": {
+ "description": "Date and time when the firewall profile policy was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "enbled-firewall": {
+ "description": "Boolean flag to determine if the firewall is enabled.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "disable-notification": {
+ "description": "Boolean flag to determine if firewall notifications are enabled.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "comment": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.",
+ "meta-category": "misc",
+ "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07",
+ "name": "regripper-system-hive-firewall-configuration"
+}
diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json
index c007e4a..04a67fc 100644
--- a/objects/regripper-system-hive-general-configuration/definition.json
+++ b/objects/regripper-system-hive-general-configuration/definition.json
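Review bot: The three new profile values are added under the key `"sane-default"` (hyphen), whereas every other template in this diff that offers a value list spells it `"sane_default"` (underscore) — the `shell`, `key`, `SoftwareType`, `type`, `start` and `group` attributes in the neighbouring hunks; if the consumer reads `sane_default`, the expanded list is never presented and the `profile` attribute falls back to free text. Rename the key on the new side: `"sane_default": [`. The attribute name `enbled-firewall` is also carried over unchanged; since fixing it is a rename rather than a value change it belongs with a `version` bump, which this hunk does not do despite changing the profile list (the mechanism by which consumers detect a changed template is inferred, not visible here).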
@@ -1,90 +1,89 @@ { - "required": [ - "computer-name" - ], - "attributes": { - "computer-name": { - "description": "name of the computer under analysis", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "shutdown-time": { - "description": "Date and time when the system was shutdown.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-last-write-time": { - "description": "Date and time when the timezone key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-bias": { - "description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-standard-name": { - "description": "Timezone standard name used during non-daylight saving months.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-standard-date": { - "description": "Standard date - non daylight saving months", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-standard-bias": { - "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-daylight-name": { - "description": "Timezone name used during daylight saving months.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-daylight-date": { - "description": "Daylight date - daylight saving months", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-daylight-bias": { - "description": "value in minutes to be 
added to the value of timezone-bias to generate the bias used during daylight time.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "fDenyTSConnections:": { - "description": "Specifies whether remote connections are enabled or disabled on the system.", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "", - "disable_correlation": true - } + "required": [ + "computer-name" + ], + "attributes": { + "computer-name": { + "description": "name of the computer under analysis", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", - "meta-category": "misc", - "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", - "name": "regripper-system-hive-general-configuration" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "shutdown-time": { + "description": "Date and time when the system was shutdown.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-last-write-time": { + "description": "Date and time when the timezone key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-bias": { + "description": "Offset in minutes from UTC. 
Offset added to the local time to get a UTC value.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-standard-name": { + "description": "Timezone standard name used during non-daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-standard-date": { + "description": "Standard date - non daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-standard-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-daylight-name": { + "description": "Timezone name used during daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-daylight-date": { + "description": "Daylight date - daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-daylight-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "fDenyTSConnections:": { + "description": "Specifies whether remote connections are enabled or disabled on the system.", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", + "meta-category": "misc", + "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", + "name": "regripper-system-hive-general-configuration" +} 
diff --git a/objects/regripper-system-hive-network-information/definition.json b/objects/regripper-system-hive-network-information/definition.json index 3a872e1..dfd3e85 100644 --- a/objects/regripper-system-hive-network-information/definition.json +++ b/objects/regripper-system-hive-network-information/definition.json 
@@ -1,107 +1,106 @@ { - "required": [ - "network-key" - ], - "attributes": { - "network-key": { - "description": "Registry key assigned to the network", - "ui-priority": 0, - "misp-attribute": "text" - }, - "network-key-last-write-time": { - "description": "Date and time when the network key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "network-key-path": { - "description": "Path of the key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "TCPIP-key": { - "description": "TCPIP key", - "ui-priority": 0, - "misp-attribute": "text" - }, - "TCPIP-key-last-write-time": { - "description": "Datetime when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "DHCP-domain": { - "description": "Name of the DHCP domain service", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DHCP-IP-address": { - "description": "DHCP service - IP address", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-subnet-mask": { - "description": "DHCP subnet mask - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-name-server": { - "description": "DHCP Name server - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-server": { - "description": "DHCP server - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "interface-GUID": { - "description": "GUID value assigned to the interface.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-last-write-time": { - "description": "Last date and time when the interface key was updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "interface-name": { - "description": "Name of the interface.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "interface-PnpInstanceID": { - 
"description": "Plug and Play instance ID assigned to the interface.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-MediaSubType": { - "description": "", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-IPcheckingEnabled": { - "description": "", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } + "required": [ + "network-key" + ], + "attributes": { + "network-key": { + "description": "Registry key assigned to the network", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper object template designed to gather network information from the system-hive.", - "meta-category": "misc", - "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0", - "name": "regripper-system-hive-network-information." 
- } - \ No newline at end of file + "network-key-last-write-time": { + "description": "Date and time when the network key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "network-key-path": { + "description": "Path of the key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "TCPIP-key": { + "description": "TCPIP key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "TCPIP-key-last-write-time": { + "description": "Datetime when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "DHCP-domain": { + "description": "Name of the DHCP domain service", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DHCP-IP-address": { + "description": "DHCP service - IP address", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-subnet-mask": { + "description": "DHCP subnet mask - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-name-server": { + "description": "DHCP Name server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-server": { + "description": "DHCP server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "interface-GUID": { + "description": "GUID value assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-last-write-time": { + "description": "Last date and time when the interface key was updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "interface-name": { + "description": "Name of the interface.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "interface-PnpInstanceID": { + "description": "Plug and Play instance ID assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + 
"interface-MediaSubType": { + "description": "", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-IPcheckingEnabled": { + "description": "", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper object template designed to gather network information from the system-hive.", + "meta-category": "misc", + "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0", + "name": "regripper-system-hive-network-information." +} diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index ff7984c..35054ab 100644 --- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json 
@@ -1,99 +1,98 @@ { - "required": [ - "name" - ], - "attributes": { - "name": { - "description": "name of the key", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "display": { - "description": "Display name/information of the service or the driver.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "image-path": { - "description": "Path of the service/drive", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Service/driver type.", - "ui-priority": 0, - "sane_default": [ - "Kernel driver", - "File system driver", - "Own process", - "Share process", - "Interactive", - "Other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "start": { - "description": "When the service/driver starts or executes.", - "ui-priority": 0, - "sane_default":[ - "Boot start", - "System start", - "Auto start", - "Manual", - "Disabled" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "group": { - "description": "Group to which the system/driver belong to.", - "ui-priority": 0, - "sane_default":[ - "Base", - "Boot Bus Extender", - "Boot File System", - "Cryptography", - "Extended base", - "Event Log", - "Filter", - "FSFilter Bottom", - "FSFilter Infrastructure", - "File System", - "FSFilter Virtualization", - "Keyboard Port", - "Network", - "NDIS", - "Parallel arbitrator", - "Pointer Port", - "PnP Filter", - "ProfSvc_Group", - "PNP_TDI", - "SCSI Miniport", - "SCSI CDROM Class", - "System Bus Extender", - "Video Save", - "other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "", - "disable_correlation": true - } + "required": [ + "name" + ], + "attributes": { + "name": { + "description": "name of the key", + "ui-priority": 
0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.", - "meta-category": "misc", - "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", - "name": "regripper-system-hive-services-drivers" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "display": { + "description": "Display name/information of the service or the driver.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "image-path": { + "description": "Path of the service/drive", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Service/driver type.", + "ui-priority": 0, + "sane_default": [ + "Kernel driver", + "File system driver", + "Own process", + "Share process", + "Interactive", + "Other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "start": { + "description": "When the service/driver starts or executes.", + "ui-priority": 0, + "sane_default": [ + "Boot start", + "System start", + "Auto start", + "Manual", + "Disabled" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "group": { + "description": "Group to which the system/driver belong to.", + "ui-priority": 0, + "sane_default": [ + "Base", + "Boot Bus Extender", + "Boot File System", + "Cryptography", + "Extended base", + "Event Log", + "Filter", + "FSFilter Bottom", + "FSFilter Infrastructure", + "File System", + "FSFilter Virtualization", + "Keyboard Port", + "Network", + "NDIS", + "Parallel arbitrator", + "Pointer Port", + "PnP Filter", + "ProfSvc_Group", + "PNP_TDI", + "SCSI Miniport", + "SCSI CDROM Class", + "System Bus Extender", + "Video Save", + "other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 
0, + "misp-attribute": "", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.", + "meta-category": "misc", + "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", + "name": "regripper-system-hive-services-drivers" +} From bb119724bad7e255763e8c44aa98782d036c9895 Mon Sep 17 00:00:00 2001 From: aksha Date: Thu, 25 Oct 2018 13:21:08 +0100 Subject: [PATCH 077/113] fix: Changed TSK object names to lower case --- objects/TSK-Chats/definition.json | 2 +- objects/TSK-Web-Bookmark/definition.json | 2 +- objects/TSK-Web-Cookie/definition.json | 2 +- objects/TSK-Web-Downloads/definition.json | 2 +- objects/TSK-Web-History/definition.json | 2 +- objects/TSK-Web-Search-Query/definition.json | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/objects/TSK-Chats/definition.json b/objects/TSK-Chats/definition.json index ed5f00a..9ffffe0 100644 --- a/objects/TSK-Chats/definition.json +++ b/objects/TSK-Chats/definition.json @@ -80,5 +80,5 @@ "description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.", "meta-category": "misc", "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", - "name": "TSK-Chats" + "name": "tsk-chats" } diff --git a/objects/TSK-Web-Bookmark/definition.json b/objects/TSK-Web-Bookmark/definition.json index 485577e..99475d3 100644 --- a/objects/TSK-Web-Bookmark/definition.json +++ b/objects/TSK-Web-Bookmark/definition.json @@ -63,5 +63,5 @@ "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", "meta-category": "misc", "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", - "name": "TSK-Web-Bookmark" + "name": "tsk-web-bookmark" } diff --git a/objects/TSK-Web-Cookie/definition.json b/objects/TSK-Web-Cookie/definition.json index 03cf240..edf2e40 100644 
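Review bot: The `comment` attribute on the new side still carries `"misp-attribute": ""`, an empty MISP attribute type, so the template cannot map that field to any attribute when an object is built from it, and any loader that validates the type against the known list would presumably reject the whole template; the reindent in this hunk leaves it untouched. Every other free-text field in the template uses `text`, so the line should read `"misp-attribute": "text"`. Since that alters an attribute definition rather than whitespace, the template's `"version": 1` should presumably be incremented as well so consumers pick up the corrected definition. Separately, the template `name` `regripper-system-hive-services-drivers` does not match the directory `regripper-system-hive-service-drivers` in the file header, which may matter if tooling keys templates by directory name — worth confirming.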
--- a/objects/TSK-Web-Cookie/definition.json +++ b/objects/TSK-Web-Cookie/definition.json @@ -63,5 +63,5 @@ "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", "meta-category": "misc", "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", - "name": "TSK-Web-Cookie" + "name": "tsk-web-cookie" } diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json index 061fa64..d7c8f69 100644 --- a/objects/TSK-Web-Downloads/definition.json +++ b/objects/TSK-Web-Downloads/definition.json @@ -51,5 +51,5 @@ "description": "An Object Template to add web-downloads", "meta-category": "File", "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", - "name": "TSK-Web-Downloads" + "name": "tsk-web-downloads" } diff --git a/objects/TSK-Web-History/definition.json b/objects/TSK-Web-History/definition.json index 897e13b..4c9bd86 100644 --- a/objects/TSK-Web-History/definition.json +++ b/objects/TSK-Web-History/definition.json @@ -64,5 +64,5 @@ "description": "An Object Template to share web history information", "meta-category": "misc", "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698", - "name": "TSK-Web-History" + "name": "tsk-web-history" } diff --git a/objects/TSK-Web-Search-Query/definition.json b/objects/TSK-Web-Search-Query/definition.json index 046c266..43d94c5 100644 --- a/objects/TSK-Web-Search-Query/definition.json +++ b/objects/TSK-Web-Search-Query/definition.json @@ -62,5 +62,5 @@ "description": "An Object Template to share web search query information", "meta-category": "misc", "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e", - "name": "TSK-Web-Search-Query" + "name": "tsk-web-search-query" } From b93ad7969f3ecc5fa8b0d105ad5512523fd7c54d Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Thu, 25 Oct 2018 17:31:36 +0200 Subject: [PATCH 078/113] fix: jq all the things(tm) --- objects/TSK-Chats/definition.json | 168 ++++----- objects/TSK-Web-Bookmark/definition.json | 134 +++---- objects/TSK-Web-Cookie/definition.json | 134 +++---- objects/TSK-Web-Downloads/definition.json | 110 +++--- objects/TSK-Web-History/definition.json | 136 +++---- objects/TSK-Web-Search-Query/definition.json | 132 +++---- objects/python-etvx-event-log/definition.json | 342 +++++++++--------- objects/regripper-NTUser/definition.json | 196 +++++----- .../definition.json | 136 +++---- .../definition.json | 108 +++--- .../definition.json | 118 +++--- .../definition.json | 106 +++--- .../definition.json | 98 ++--- .../definition.json | 114 +++--- .../definition.json | 110 +++--- .../definition.json | 250 ++++++------- .../definition.json | 126 +++---- .../definition.json | 320 ++++++++-------- .../definition.json | 100 ++--- .../definition.json | 178 ++++----- .../definition.json | 212 +++++------ .../definition.json | 196 +++++----- 22 files changed, 1762 insertions(+), 1762 deletions(-) diff --git a/objects/TSK-Chats/definition.json b/objects/TSK-Chats/definition.json index 9ffffe0..05b18a2 100644 --- a/objects/TSK-Chats/definition.json +++ b/objects/TSK-Chats/definition.json 
@@ -1,84 +1,84 @@ -{ - "required": [ - "message-type", - "message" - ], - "attributes": { - "message-type": { - "description": "the type of message extracted from the forensic-evidence.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "SMS", - "MMS", - "Instant Message (IM)", - "Voice Message" - ], - "disable_correlation": true - }, - "datetime-sent": { - "description": "date and the time when the message was sent.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "datetime-received": { - "description": "date and time when the message was received.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "Source": { - "description": "Source of the message.(Contact details)", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "destination": { - "description": "Destination of the message.(Contact details)", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "app-used": { - "description": "Application used to send the message.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "subject": { - "description": "Subject of the message if any.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "message": { - "description": "Message exchanged.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "attachments": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "categories": [ - "External analysis" - ], - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.", - "meta-category": 
"misc", - "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", - "name": "tsk-chats" -} +{ + "required": [ + "message-type", + "message" + ], + "attributes": { + "message-type": { + "description": "the type of message extracted from the forensic-evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "SMS", + "MMS", + "Instant Message (IM)", + "Voice Message" + ], + "disable_correlation": true + }, + "datetime-sent": { + "description": "date and the time when the message was sent.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "datetime-received": { + "description": "date and time when the message was received.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Source": { + "description": "Source of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "destination": { + "description": "Destination of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "app-used": { + "description": "Application used to send the message.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "subject": { + "description": "Subject of the message if any.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "message": { + "description": "Message exchanged.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "attachments": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "categories": [ + "External analysis" + ], + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to gather information from evidential or interesting exchange of messages 
identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", + "name": "tsk-chats" +} diff --git a/objects/TSK-Web-Bookmark/definition.json b/objects/TSK-Web-Bookmark/definition.json index 99475d3..28fca9e 100644 --- a/objects/TSK-Web-Bookmark/definition.json +++ b/objects/TSK-Web-Bookmark/definition.json 
@@ -1,67 +1,67 @@ -{ - "required": [ - "URL" - ], - "attributes": { - "URL": { - "description": "The URL saved as bookmark.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-bookmarked": { - "description": "date and time when the URL was added to favorites.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Book mark name. ", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "title": { - "description": "Title of the web page", - "ui-priority": 0, - "misp-attribute": "text" - }, - "browser": { - "description": "Browser used to access the URL.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "domain-name": { - "description": "Domain of the URL.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the URL domain.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", - "meta-category": "misc", - "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", - "name": "tsk-web-bookmark" -} +{ + "required": [ + "URL" + ], + "attributes": { + "URL": { + "description": "The URL saved as bookmark.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-bookmarked": { + "description": "date and time when the URL was added to favorites.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Book mark name. 
", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": { + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", + "name": "tsk-web-bookmark" +} diff --git a/objects/TSK-Web-Cookie/definition.json b/objects/TSK-Web-Cookie/definition.json index edf2e40..03e841e 100644 --- a/objects/TSK-Web-Cookie/definition.json +++ b/objects/TSK-Web-Cookie/definition.json 
@@ -1,67 +1,67 @@ -{ - "required": [ - "URL", - "name", - "value" - ], - "attributes": { - "URL": { - "description": "The website URL that created the cookie.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-created": { - "description": "date and time when the cookie was created.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Name of the cookie ", - "ui-priority": 0, - "misp-attribute": "text" - }, - "value": { - "description": "Value assigned to the cookie.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "browser": { - "description": "Browser on which the cookie was created.", - "ui-priority": 0, - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "misp-attribute": "text" - }, - "domain-name": { - "description": "Domain of the URL that created the cookie.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the domain that created the URL.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", - "meta-category": "misc", - "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", - "name": "tsk-web-cookie" -} +{ + "required": [ + "URL", + "name", + "value" + ], + "attributes": { + "URL": { + "description": "The website URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-created": { + "description": "date and time when the cookie was created.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the cookie ", + "ui-priority": 0, + "misp-attribute": "text" + }, + 
"value": { + "description": "Value assigned to the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser on which the cookie was created.", + "ui-priority": 0, + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the domain that created the URL.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", + "meta-category": "misc", + "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", + "name": "tsk-web-cookie" +} diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json index d7c8f69..6659d0e 100644 --- a/objects/TSK-Web-Downloads/definition.json +++ b/objects/TSK-Web-Downloads/definition.json 
@@ -1,55 +1,55 @@ -{ - "required": [ - "URL", - "name" - ], - "attributes": { - "URL": { - "description": "The URL used to download the file.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-accessed": { - "description": "date and time when the file was downloaded.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Name of the file downloaded.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "path-downloadedTo": { - "description": "Location the file was downloaded to.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "pathID": { - "description": "Id of the attribute file where the information is gathered from.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "attachment": { - "description": "The downloaded file itself.", - "ui-priority": 1, - "misp-attribute": "attachment", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to add web-downloads", - "meta-category": "File", - "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", - "name": "tsk-web-downloads" -} +{ + "required": [ + "URL", + "name" + ], + "attributes": { + "URL": { + "description": "The URL used to download the file.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and time when the file was downloaded.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the file downloaded.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "path-downloadedTo": { + "description": "Location the file was downloaded to.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "pathID": { + "description": "Id of the attribute file where the 
information is gathered from.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "attachment": { + "description": "The downloaded file itself.", + "ui-priority": 1, + "misp-attribute": "attachment", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add web-downloads", + "meta-category": "File", + "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", + "name": "tsk-web-downloads" +} diff --git a/objects/TSK-Web-History/definition.json b/objects/TSK-Web-History/definition.json index 4c9bd86..b38fd8d 100644 --- a/objects/TSK-Web-History/definition.json +++ b/objects/TSK-Web-History/definition.json 
@@ -1,68 +1,68 @@ -{ - "required": [ - "URL", - "datetime-accessed" - ], - "attributes": { - "URL": { - "description": "The URL accessed.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-accessed": { - "description": "date and the time when the URL was accessed.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "referrer": { - "description": "where the URL was referred from ", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "title": { - "description": "Title of the web page", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-name": { - "description": "Domain of the URL.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the URL domain.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "browser": { - "description": "Browser used to access the URL.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to share web history information", - "meta-category": "misc", - "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698", - "name": "tsk-web-history" -} +{ + "required": [ + "URL", + "datetime-accessed" + ], + "attributes": { + "URL": { + "description": "The URL accessed.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and the time when the URL was accessed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "referrer": { + "description": "where the URL was referred from ", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": 
{ + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web history information", + "meta-category": "misc", + "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698", + "name": "tsk-web-history" +} diff --git a/objects/TSK-Web-Search-Query/definition.json b/objects/TSK-Web-Search-Query/definition.json index 43d94c5..0b0afdd 100644 --- a/objects/TSK-Web-Search-Query/definition.json +++ b/objects/TSK-Web-Search-Query/definition.json 
@@ -1,66 +1,66 @@ -{ - "required": [ - "domain", - "text" - ], - "attributes": { - "domain": { - "description": "The domain of the search engine.", - "ui-priority": 0, - "misp-attribute": "link", - "sane_default": [ - "Google", - "Yahoo", - "Bing", - "Alta Vista", - "MSN" - ], - "disable_correlation": true - }, - "text": { - "description": "the search word or sentence.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "datetime-searched": { - "description": "date and time when the search was conducted.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "browser": { - "description": "Browser used.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "username": { - "description": "User name or ID associated with the search.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to share web search query information", - "meta-category": "misc", - "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e", - "name": "tsk-web-search-query" -} +{ + "required": [ + "domain", + "text" + ], + "attributes": { + "domain": { + "description": "The domain of the search engine.", + "ui-priority": 0, + "misp-attribute": "link", + "sane_default": [ + "Google", + "Yahoo", + "Bing", + "Alta Vista", + "MSN" + ], + "disable_correlation": true + }, + "text": { + "description": "the search word or sentence.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "datetime-searched": { + "description": "date and time when the search was conducted.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "browser": { + 
"description": "Browser used.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "username": { + "description": "User name or ID associated with the search.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web search query information", + "meta-category": "misc", + "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e", + "name": "tsk-web-search-query" +} diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json index 79a2d13..62566f4 100644 --- a/objects/python-etvx-event-log/definition.json +++ b/objects/python-etvx-event-log/definition.json 
@@ -1,171 +1,171 @@ -{ - "required": [ - "source", - "type", - "name" - ], - "attributes": { - "event-id": { - "description": "A unique number which identifies the event.", - "ui-priority": 1, - "misp-attribute": "text", - "disable_correlation": true - }, - "name": { - "description": "Name of the event.", - "ui-priority": 2, - "misp-attribute": "text", - "disable_correlation": true - }, - "event-channel": { - "description": " Channel through which the event occurred", - "ui-priority": 3, - "misp-attribute": "text", - "disable_correlation": true, - "sane-default": [ - "Application", - "System", - "Security", - "Setup", - "other" - ] - }, - "event-type": { - "description": "Event-type assigned to the event", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true, - "sane-default": [ - "Admin", - "Operational", - "Audit", - "Analytic", - "Debug", - "other" - ] - }, - "source": { - "description": "The source of the event log - application/software that logged the event.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "event-date-time": { - "description": "Date and time when the event was logged.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "level": { - "description": "Determines the event severity.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Information", - "Warning", - "Error", - "Critical", - "Success Audit", - "Failure Audit" - ] - }, - "Computer": { - "description": "Computer name on which the event occurred", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "User": { - "description": "Name or the User ID the event is associated with.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Operational-code": { - "description": "The opcode (numeric value or name) associated with the activity carried out by the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true 
- }, - "log": { - "description": "Log file where the event was recorded.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "task-category": { - "description": "Activity by the event publisher", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Keywords": { - "description": "Tags used for the event for the purpose of filtering or searching.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Network", - "Security", - "Resource not found", - "other" - ] - }, - "Processor-ID": { - "description": "ID of the processor that processed the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Thread-ID": { - "description": "Thread id that generated the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Session-ID": { - "description": "Terminal server session ID.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Correlation-ID": { - "description": "Unique activity identity which relates the event to a process. 
", - "ui-priority": 0, - "misp-attribute": "text" - }, - "Relative-Correlation-ID": { - "description": "Related activity ID which identity similar activities which occurred as a part of the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "kernel-time": { - "description": "Execution time of the kernel mode instruction.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "user-time": { - "description": "Date and time when the user instruction was executed.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "Event-data": { - "description": "Event data description.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } - }, - "version": 1, - "description": "Event log object template to share information of the activities conducted on a system. 
", - "meta-category": "misc", - "uuid": "94e3aee9-cb99-4503-9bf6-7da3db5de55e", - "name": "python-etvx-event-log" -} +{ + "required": [ + "source", + "type", + "name" + ], + "attributes": { + "event-id": { + "description": "A unique number which identifies the event.", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true + }, + "name": { + "description": "Name of the event.", + "ui-priority": 2, + "misp-attribute": "text", + "disable_correlation": true + }, + "event-channel": { + "description": " Channel through which the event occurred", + "ui-priority": 3, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default": [ + "Application", + "System", + "Security", + "Setup", + "other" + ] + }, + "event-type": { + "description": "Event-type assigned to the event", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default": [ + "Admin", + "Operational", + "Audit", + "Analytic", + "Debug", + "other" + ] + }, + "source": { + "description": "The source of the event log - application/software that logged the event.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "event-date-time": { + "description": "Date and time when the event was logged.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "level": { + "description": "Determines the event severity.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Information", + "Warning", + "Error", + "Critical", + "Success Audit", + "Failure Audit" + ] + }, + "Computer": { + "description": "Computer name on which the event occurred", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "User": { + "description": "Name or the User ID the event is associated with.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Operational-code": { + "description": "The opcode (numeric value or name) associated with the activity carried 
out by the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "log": { + "description": "Log file where the event was recorded.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "task-category": { + "description": "Activity by the event publisher", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Keywords": { + "description": "Tags used for the event for the purpose of filtering or searching.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Network", + "Security", + "Resource not found", + "other" + ] + }, + "Processor-ID": { + "description": "ID of the processor that processed the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Thread-ID": { + "description": "Thread id that generated the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Session-ID": { + "description": "Terminal server session ID.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Correlation-ID": { + "description": "Unique activity identity which relates the event to a process. 
", + "ui-priority": 0, + "misp-attribute": "text" + }, + "Relative-Correlation-ID": { + "description": "Related activity ID which identity similar activities which occurred as a part of the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "kernel-time": { + "description": "Execution time of the kernel mode instruction.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "user-time": { + "description": "Date and time when the user instruction was executed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Event-data": { + "description": "Event data description.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Event log object template to share information of the activities conducted on a system. ", + "meta-category": "misc", + "uuid": "94e3aee9-cb99-4503-9bf6-7da3db5de55e", + "name": "python-etvx-event-log" +} diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json index 9ec80c5..b9ed227 100644 --- a/objects/regripper-NTUser/definition.json +++ b/objects/regripper-NTUser/definition.json 
@@ -1,98 +1,98 @@ -{ - "required": [ - "key" - ], - "requiredOneOf": [ - "logon-user-name" - ], - "attributes": { - "key": { - "description": "Registry key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "key-last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "logon-user-name": { - "description": "Name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "recent-folders-accessed": { - "description": "List of recent folders accessed by the user.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "recent-files-accessed": { - "description": "List of recent files accessed by the user.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "typed-urls": { - "description": "Urls typed by the user in internet explorer", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "applications-installed": { - "description": "List of applications installed.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "applications-run": { - "description": "List of applications set to run on the system.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "external-devices": { - "description": "List of external devices connected to the system by the user.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "user-init": { - "description": "Applications or processes set to run when the user logs onto the windows system.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "nukeOnDelete": { - "description": "Determines if the Recycle bin option has been disabled.", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "network-connected-to": { - "description": "List of networks the user connected the 
system to.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "mount-points": { - "description": "Details of the mount points created on the system.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true, - "disable_correlation": true - }, - "comments": { - "description": "Additional information related to the user profile", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } - }, - "version": 1, - "description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.", - "meta-category": "misc", - "uuid": "f9dc7b7e-8ab1-4dde-95d9-67e41b461c65", - "name": "regripper-NTUser" -} +{ + "required": [ + "key" + ], + "requiredOneOf": [ + "logon-user-name" + ], + "attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "logon-user-name": { + "description": "Name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "recent-folders-accessed": { + "description": "List of recent folders accessed by the user.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "recent-files-accessed": { + "description": "List of recent files accessed by the user.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "typed-urls": { + "description": "Urls typed by the user in internet explorer", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "applications-installed": { + "description": "List of applications installed.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "applications-run": { + "description": "List of applications set to run on the system.", + 
"ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "external-devices": { + "description": "List of external devices connected to the system by the user.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "user-init": { + "description": "Applications or processes set to run when the user logs onto the windows system.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "nukeOnDelete": { + "description": "Determines if the Recycle bin option has been disabled.", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "network-connected-to": { + "description": "List of networks the user connected the system to.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "mount-points": { + "description": "Details of the mount points created on the system.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "disable_correlation": true + }, + "comments": { + "description": "Additional information related to the user profile", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.", + "meta-category": "misc", + "uuid": "f9dc7b7e-8ab1-4dde-95d9-67e41b461c65", + "name": "regripper-NTUser" +} diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json index 11632e3..598144b 100644 --- a/objects/regripper-sam-hive-single-user/definition.json +++ b/objects/regripper-sam-hive-single-user/definition.json 
@@ -1,68 +1,68 @@ -{ - "required": [ - "key" - ], - "requiredOneOf": [ - "user-name", - "last-login-time", - "login-count" - ], - "attributes": { - "key": { - "description": "Registry key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "key-last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "user-name": { - "description": "User name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "full-user-name": { - "description": "Full name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-login-time": { - "description": "Date and time when the user last logged onto the system.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "pwd-reset-time": { - "description": "Date and time when the password was last reset.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "pwd-fail-date": { - "description": "Date and time when a password last failed for this user profile.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "login-count": { - "description": "Number of times the user logged-in onto the system.", - "ui-priority": 0, - "misp-attribute": "counter", - "disable_correlation": true - }, - "comments": { - "description": "Full name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } - }, - "version": 1, - "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.", - "meta-category": "misc", - "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", - "name": "regripper-sam-hive-single-user" -} +{ + "required": [ + "key" + ], + "requiredOneOf": [ + "user-name", + "last-login-time", + "login-count" + ], + 
"attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "user-name": { + "description": "User name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "full-user-name": { + "description": "Full name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-login-time": { + "description": "Date and time when the user last logged onto the system.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "pwd-reset-time": { + "description": "Date and time when the password was last reset.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "pwd-fail-date": { + "description": "Date and time when a password last failed for this user profile.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "login-count": { + "description": "Number of times the user logged-in onto the system.", + "ui-priority": 0, + "misp-attribute": "counter", + "disable_correlation": true + }, + "comments": { + "description": "Full name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.", + "meta-category": "misc", + "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", + "name": "regripper-sam-hive-single-user" +} diff --git a/objects/regripper-sam-hive-user-group/definition.json b/objects/regripper-sam-hive-user-group/definition.json index 64119d0..55df836 100644 --- a/objects/regripper-sam-hive-user-group/definition.json 
+++ b/objects/regripper-sam-hive-user-group/definition.json 
@@ -1,54 +1,54 @@ -{ - "required": [ - "key" - ], - "requiredOneOf": [ - "group-name" - ], - "attributes": { - "key": { - "description": "Registry key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "key-last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "group-name": { - "description": "Name assigned to the profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "full-name": { - "description": "Full name assigned to the profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-date-time": { - "description": "Date and time when the group key was updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "group-comment": { - "description": "Any group comment added.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "group-users": { - "description": "Users belonging to the group", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - } - }, - "version": 1, - "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.", - "meta-category": "misc", - "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c", - "name": "regripper-sam-hive-user-group" -} +{ + "required": [ + "key" + ], + "requiredOneOf": [ + "group-name" + ], + "attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "group-name": { + "description": "Name assigned to the profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "full-name": { + "description": "Full name assigned to the profile.", + 
"ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-date-time": { + "description": "Date and time when the group key was updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "group-comment": { + "description": "Any group comment added.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "group-users": { + "description": "Users belonging to the group", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.", + "meta-category": "misc", + "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c", + "name": "regripper-sam-hive-user-group" +} diff --git a/objects/regripper-software-hive-BHO/definition.json b/objects/regripper-software-hive-BHO/definition.json index 0b43791..3c392f6 100644 --- a/objects/regripper-software-hive-BHO/definition.json +++ b/objects/regripper-software-hive-BHO/definition.json 
@@ -1,59 +1,59 @@ -{ - "required": [ - "key", - "BHO-name" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "BHO-name": { - "description": "Name of the browser helper object.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "BHO-key-last-write-time": { - "description": "Date and time when the BHO key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "class": { - "description": "Class to which the BHO belongs to.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "module": { - "description": "DLL module the BHO belongs to.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the BHO.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple": true - } - }, - "version": 1, - "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.", - "meta-category": "misc", - "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2", - "name": "regripper-software-hive-BHO" -} +{ + "required": [ + "key", + "BHO-name" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "BHO-name": { + "description": "Name of the browser helper 
object.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BHO-key-last-write-time": { + "description": "Date and time when the BHO key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "class": { + "description": "Class to which the BHO belongs to.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "module": { + "description": "DLL module the BHO belongs to.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the BHO.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.", + "meta-category": "misc", + "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2", + "name": "regripper-software-hive-BHO" +} diff --git a/objects/regripper-software-hive-appInit-DLLS/definition.json b/objects/regripper-software-hive-appInit-DLLS/definition.json index d089224..7bd9395 100644 --- a/objects/regripper-software-hive-appInit-DLLS/definition.json +++ b/objects/regripper-software-hive-appInit-DLLS/definition.json 
@@ -1,53 +1,53 @@ -{ - "required": [ - "key", - "DLL-name", - "DLL-path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "DLL-name": { - "description": "Name of the DLL file.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DLL-path": { - "description": "Path where the DLL file is stored.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DLL-last-write-time": { - "description": "Date and time when the DLL file was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the DLL file.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple": true - } - }, - "version": 1, - "description": "Regripper Object template designed to gather information of the DLL files installed on the system.", - "meta-category": "misc", - "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859", - "name": "regripper-software-hive-appInit-DLLS" -} +{ + "required": [ + "key", + "DLL-name", + "DLL-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "DLL-name": { + "description": "Name of the DLL file.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DLL-path": { + "description": "Path where the DLL file is stored.", + "ui-priority": 0, + "misp-attribute": "text" 
+ }, + "DLL-last-write-time": { + "description": "Date and time when the DLL file was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the DLL file.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the DLL files installed on the system.", + "meta-category": "misc", + "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859", + "name": "regripper-software-hive-appInit-DLLS" +} diff --git a/objects/regripper-software-hive-application-paths/definition.json b/objects/regripper-software-hive-application-paths/definition.json index 3929d42..62aacc5 100644 --- a/objects/regripper-software-hive-application-paths/definition.json +++ b/objects/regripper-software-hive-application-paths/definition.json 
@@ -1,49 +1,49 @@ -{ - "required": [ - "key", - "executable-file-name", - "path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "executable-file-name": { - "description": "Name of the executable file.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "path": { - "description": "Path of the executable file.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the application installed.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple": true - } - }, - "version": 1, - "description": "Regripper Object template designed to gather information of the application paths.", - "meta-category": "misc", - "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8", - "name": "regripper-software-hive-application-paths" -} +{ + "required": [ + "key", + "executable-file-name", + "path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "executable-file-name": { + "description": "Name of the executable file.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "path": { + "description": "Path of the executable file.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "comments": { + "description": "Additional comments.", + 
"ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the application installed.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the application paths.", + "meta-category": "misc", + "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8", + "name": "regripper-software-hive-application-paths" +} diff --git a/objects/regripper-software-hive-applications-installed/definition.json b/objects/regripper-software-hive-applications-installed/definition.json index c8229c7..2b7d153 100644 --- a/objects/regripper-software-hive-applications-installed/definition.json +++ b/objects/regripper-software-hive-applications-installed/definition.json 
@@ -1,57 +1,57 @@
-{
- "required": [
- "key",
- "app-name"
- ],
- "attributes": {
- "key": {
- "description": "Software hive key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "key-path": {
- "description": "Path of the key.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "app-name": {
- "description": "Name of the application.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "app-last-write-time": {
- "description": "Date and time when the application key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "version": {
- "description": "Version of the application.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "references": {
- "description": "References to the application installed.",
- "ui-priority": 0,
- "misp-attribute": "link",
- "multiple": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather information of the applications installed on the system.",
- "meta-category": "misc",
- "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
- "name": "regripper-software-hive-applications-installed"
-}
+{
+ "required": [
+ "key",
+ "app-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-path": {
+ "description": "Path of the key.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "app-name": {
+ "description": "Name of the application.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "app-last-write-time": {
+ "description": "Date and time when the application key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "version": {
+ "description": "Version of the application.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "References to the application installed.",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the applications installed on the system.",
+ "meta-category": "misc",
+ "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
+ "name": "regripper-software-hive-applications-installed"
+}
diff --git a/objects/regripper-software-hive-command-shell/definition.json b/objects/regripper-software-hive-command-shell/definition.json
index 0d060d6..0245221 100644
--- a/objects/regripper-software-hive-command-shell/definition.json
+++ b/objects/regripper-software-hive-command-shell/definition.json
@@ -1,55 +1,55 @@
-{
- "required": [
- "key",
- "shell",
- "shell-path"
- ],
- "attributes": {
- "key": {
- "description": "Software hive key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "shell": {
- "description": "Type of shell used to execute the command.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "sane_default": [
- "exe",
- "cmd",
- "bat",
- "hta",
- "pif",
- "Other"
- ],
- "disable_correlation": true
- },
- "shell-path": {
- "description": "Path of the shell.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "command": {
- "description": "Command executed.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
- "meta-category": "misc",
- "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
- "name": "regripper-software-hive-command-shell"
-}
+{
+ "required": [
+ "key",
+ "shell",
+ "shell-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "shell": {
+ "description": "Type of shell used to execute the command.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "exe",
+ "cmd",
+ "bat",
+ "hta",
+ "pif",
+ "Other"
+ ],
+ "disable_correlation": true
+ },
+ "shell-path": {
+ "description": "Path of the shell.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "command": {
+ "description": "Command executed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
+ "meta-category": "misc",
+ "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
+ "name": "regripper-software-hive-command-shell"
+}
diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json
index 85b5538..ca14989 100644
--- a/objects/regripper-software-hive-general-windows-info/definition.json
+++ b/objects/regripper-software-hive-general-windows-info/definition.json
@@ -1,125 +1,125 @@
-{
- "required": [
- "win-cv-path",
- "CurrentVersion"
- ],
- "attributes": {
- "win-cv-path": {
- "description": "key where the windows information is retrieved from",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "RegisteredOrganization": {
- "description": "Name of the registered organization.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "RegisteredOwner": {
- "description": "Name of the registered owner.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CurrentVersion": {
- "description": "Current version of windows",
- "ui-priority": 0,
- "disable_correlation": true
- },
- "CurrentBuild": {
- "description": "Build number of the windows OS.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "SoftwareType": {
- "description": "Software type of windows.",
- "ui-priority": 0,
- "sane_default": [
- "System",
- "Application",
- "other"
- ],
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "InstallationType": {
- "description": "Type of windows installation.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "InstallDate": {
- "description": "Date when windows was installed.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "SystemRoot": {
- "description": "Root directory.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "PathName": {
- "description": "Path to the root directory.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "EditionID": {
- "description": "Windows edition.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "ProductName": {
- "description": "Name of the windows version.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "ProductID": {
- "description": "ID of the product version.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CSDVersion": {
- "description": "Version of the service pack installed.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CurrentBuildType": {
- "description": "Current build type of the OS.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BuildLab": {
- "description": "Windows BuildLab string.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BuildGUID": {
- "description": "Build ID.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BuildLabEx": {
- "description": "Windows BuildLabEx string.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "comment": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
- "meta-category": "misc",
- "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
- "name": "regripper-software-hive-windows-general-info"
-}
+{
+ "required": [
+ "win-cv-path",
+ "CurrentVersion"
+ ],
+ "attributes": {
+ "win-cv-path": {
+ "description": "key where the windows information is retrieved from",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "RegisteredOrganization": {
+ "description": "Name of the registered organization.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "RegisteredOwner": {
+ "description": "Name of the registered owner.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CurrentVersion": {
+ "description": "Current version of windows",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "CurrentBuild": {
+ "description": "Build number of the windows OS.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "SoftwareType": {
+ "description": "Software type of windows.",
+ "ui-priority": 0,
+ "sane_default": [
+ "System",
+ "Application",
+ "other"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "InstallationType": {
+ "description": "Type of windows installation.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "InstallDate": {
+ "description": "Date when windows was installed.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "SystemRoot": {
+ "description": "Root directory.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "PathName": {
+ "description": "Path to the root directory.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "EditionID": {
+ "description": "Windows edition.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ProductName": {
+ "description": "Name of the windows version.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ProductID": {
+ "description": "ID of the product version.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CSDVersion": {
+ "description": "Version of the service pack installed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CurrentBuildType": {
+ "description": "Current build type of the OS.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BuildLab": {
+ "description": "Windows BuildLab string.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BuildGUID": {
+ "description": "Build ID.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BuildLabEx": {
+ "description": "Windows BuildLabEx string.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comment": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
+ "meta-category": "misc",
+ "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
+ "name": "regripper-software-hive-windows-general-info"
+}
diff --git a/objects/regripper-software-hive-software-run/definition.json b/objects/regripper-software-hive-software-run/definition.json
index 35cb1f5..5e26a8a 100644
--- a/objects/regripper-software-hive-software-run/definition.json
+++ b/objects/regripper-software-hive-software-run/definition.json
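Review bot: `CurrentVersion` is listed in `required` but its attribute block on the new side carries no `misp-attribute` at all, and `comment` has `"misp-attribute": ""`; neither gives MISP a usable attribute type, and since `CurrentVersion` is mandatory every object built from this template runs into it. Add `"misp-attribute": "text"` to `CurrentVersion` and replace the empty string on `comment` with `"misp-attribute": "text"`, which is what the sibling regripper templates use for their comment fields. The `name` value (`regripper-software-hive-windows-general-info`) also does not match the directory `regripper-software-hive-general-windows-info`, worth aligning if anything resolves templates by name. Both problems are present on the removed side too; the hunk appears to re-add the file with no textual change (presumably a line-ending normalisation), so the fix belongs in a follow-up with a `version` bump rather than in this commit.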
@@ -1,63 +1,63 @@
-{
- "required": [
- "key",
- "application-name",
- "application-path"
- ],
- "attributes": {
- "key": {
- "description": "Software hive key where the information is retrieved from.",
- "ui-priority": 0,
- "sane_default": [
- "Run",
- "RunOnce",
- "Runservices",
- "Terminal",
- "Other"
- ],
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "key-path": {
- "description": "Path of the key.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "application-name": {
- "description": "Name of the application run.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "application-path": {
- "description": "Path where the application is installed.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "references": {
- "description": "References to the applications.",
- "ui-priority": 0,
- "misp-attribute": "link",
- "multiple": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather information of the applications set to run on the system.",
- "meta-category": "misc",
- "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
- "name": "regripper-software-hive-software-run"
-}
+{
+ "required": [
+ "key",
+ "application-name",
+ "application-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "sane_default": [
+ "Run",
+ "RunOnce",
+ "Runservices",
+ "Terminal",
+ "Other"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "key-path": {
+ "description": "Path of the key.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "application-name": {
+ "description": "Name of the application run.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "application-path": {
+ "description": "Path where the application is installed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "References to the applications.",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the applications set to run on the system.",
+ "meta-category": "misc",
+ "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
+ "name": "regripper-software-hive-software-run"
+}
diff --git a/objects/regripper-software-hive-userprofile-winlogon/definition.json b/objects/regripper-software-hive-userprofile-winlogon/definition.json
index e38ebd0..15a3efc 100644
--- a/objects/regripper-software-hive-userprofile-winlogon/definition.json
+++ b/objects/regripper-software-hive-userprofile-winlogon/definition.json
@@ -1,160 +1,160 @@
-{
- "required": [
- "user-profile-key-path",
- "SID"
- ],
- "attributes": {
- "user-profile-key-path": {
- "description": "key where the user-profile information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "user-profile-key-last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "user-profile-path": {
- "description": "Path of the user profile on the system",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "SID": {
- "description": "Security identifier assigned to the user profile.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "user-profile-last-write-time": {
- "description": "Date and time when the user profile was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "winlogon-key-path": {
- "description": "winlogon key referred in order to retrieve default user information",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "winlogon-key-last-write-time": {
- "description": "Date and time when the winlogon key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "DefaultUserName": {
- "description": "user-name of the default user.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "Shell": {
- "description": "Shell set to run when the user logs onto the system.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true,
- "multiple": true
- },
- "UserInit": {
- "description": "Applications and files set to run when the user logs onto the system (User logon activity).",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "Legal-notice-caption": {
- "description": "Message title set to display when the user logs-in.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true,
- "disable_correlation": true
- },
- "Legal-notice-text": {
- "description": "Message set to display when the user logs-in.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true,
- "disable_correlation": true
- },
- "PreCreateKnownFolders": {
- "description": "create known folders key",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "ReportBootOk": {
- "description": "Flag to check if the reboot was successful.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "AutoRestartShell": {
- "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "PasswordExpiryWarining": {
- "description": "Number of times the password expiry warning appeared.",
- "ui-priority": 0,
- "misp-attribute": "counter",
- "disable_correlation": true
- },
- "PowerdownAfterShutDown": {
- "description": "Flag value- if the system is set to power down after it is shutdown.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "ShutdownWithoutLogon": {
- "description": "Value of the flag set to enable shutdown without requiring a user to login.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "WinStationsDisabled": {
- "description": "Flag value set to enable/disable logons to the system.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "DisableCAD": {
- "description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "AutoAdminLogon": {
- "description": "Flag value to determine if autologon is enabled for a user without entering the password.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "CachedLogonCount": {
- "description": "Number of times the user has logged into the system.",
- "ui-priority": 0,
- "misp-attribute": "counter",
- "disable_correlation": true
- },
- "ShutdownFlags": {
- "description": "Number of times shutdown is initiated from a process when the user is logged-in.",
- "ui-priority": 0,
- "misp-attribute": "counter",
- "disable_correlation": true
- },
- "Comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.",
- "meta-category": "misc",
- "uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59",
- "name": "regripper-software-hive-userprofile-winlogon"
-}
+{
+ "required": [
+ "user-profile-key-path",
+ "SID"
+ ],
+ "attributes": {
+ "user-profile-key-path": {
+ "description": "key where the user-profile information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "user-profile-key-last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "user-profile-path": {
+ "description": "Path of the user profile on the system",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "SID": {
+ "description": "Security identifier assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "user-profile-last-write-time": {
+ "description": "Date and time when the user profile was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "winlogon-key-path": {
+ "description": "winlogon key referred in order to retrieve default user information",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "winlogon-key-last-write-time": {
+ "description": "Date and time when the winlogon key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "DefaultUserName": {
+ "description": "user-name of the default user.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "Shell": {
+ "description": "Shell set to run when the user logs onto the system.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "multiple": true
+ },
+ "UserInit": {
+ "description": "Applications and files set to run when the user logs onto the system (User logon activity).",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "Legal-notice-caption": {
+ "description": "Message title set to display when the user logs-in.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true,
+ "disable_correlation": true
+ },
+ "Legal-notice-text": {
+ "description": "Message set to display when the user logs-in.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true,
+ "disable_correlation": true
+ },
+ "PreCreateKnownFolders": {
+ "description": "create known folders key",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "ReportBootOk": {
+ "description": "Flag to check if the reboot was successful.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "AutoRestartShell": {
+ "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "PasswordExpiryWarining": {
+ "description": "Number of times the password expiry warning appeared.",
+ "ui-priority": 0,
+ "misp-attribute": "counter",
+ "disable_correlation": true
+ },
+ "PowerdownAfterShutDown": {
+ "description": "Flag value- if the system is set to power down after it is shutdown.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "ShutdownWithoutLogon": {
+ "description": "Value of the flag set to enable shutdown without requiring a user to login.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "WinStationsDisabled": {
+ "description": "Flag value set to enable/disable logons to the system.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "DisableCAD": {
+ "description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "AutoAdminLogon": {
+ "description": "Flag value to determine if autologon is enabled for a user without entering the password.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "CachedLogonCount": {
+ "description": "Number of times the user has logged into the system.",
+ "ui-priority": 0,
+ "misp-attribute": "counter",
+ "disable_correlation": true
+ },
+ "ShutdownFlags": {
+ "description": "Number of times shutdown is initiated from a process when the user is logged-in.",
+ "ui-priority": 0,
+ "misp-attribute": "counter",
+ "disable_correlation": true
+ },
+ "Comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.",
+ "meta-category": "misc",
+ "uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59",
+ "name": "regripper-software-hive-userprofile-winlogon"
+}
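Review bot: The attribute key `PasswordExpiryWarining` on the new side looks like a typo for the Winlogon value name `PasswordExpiryWarning`; the key is what analysts will search and filter on, so the line to change is `"PasswordExpiryWarning": {`, together with a `version` bump because renaming an attribute breaks objects already created from version 1. The descriptions given for that value ("Number of times the password expiry warning appeared") and for `CachedLogonCount` ("Number of times the user has logged into the system") do not match what those Winlogon values hold as far as I recall (a number of days before expiry, and the number of cached domain logons kept, respectively), so please verify them against the registry documentation before readers rely on the `counter` semantics. The hunk appears to re-add the file with no textual change apart from whitespace, so both points predate this commit and are best handled in a follow-up.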
diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json
index fdd0663..abac192 100644
--- a/objects/regripper-system-hive-firewall-configuration/definition.json
+++ b/objects/regripper-system-hive-firewall-configuration/definition.json
@@ -1,50 +1,50 @@
-{
- "required": [
- "profile"
- ],
- "attributes": {
- "profile": {
- "description": "Firewall Profile type",
- "ui-priority": 0,
- "sane-default": [
- "Domain Profile",
- "Standard Profile",
- "Network Profile",
- "Public Profile",
- "Private Profile",
- "other"
- ],
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "last-write-time": {
- "description": "Date and time when the firewall profile policy was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "enbled-firewall": {
- "description": "Boolean flag to determine if the firewall is enabled.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "disable-notification": {
- "description": "Boolean flag to determine if firewall notifications are enabled.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "comment": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.",
- "meta-category": "misc",
- "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07",
- "name": "regripper-system-hive-firewall-configuration"
-}
+{
+ "required": [
+ "profile"
+ ],
+ "attributes": {
+ "profile": {
+ "description": "Firewall Profile type",
+ "ui-priority": 0,
+ "sane-default": [
+ "Domain Profile",
+ "Standard Profile",
+ "Network Profile",
+ "Public Profile",
+ "Private Profile",
+ "other"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "last-write-time": {
+ "description": "Date and time when the firewall profile policy was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "enbled-firewall": {
+ "description": "Boolean flag to determine if the firewall is enabled.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "disable-notification": {
+ "description": "Boolean flag to determine if firewall notifications are enabled.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "comment": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.",
+ "meta-category": "misc",
+ "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07",
+ "name": "regripper-system-hive-firewall-configuration"
+}
diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json
index 04a67fc..b2fe81b 100644
--- a/objects/regripper-system-hive-general-configuration/definition.json
+++ b/objects/regripper-system-hive-general-configuration/definition.json
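Review bot: The `profile` attribute on the new side spells its default list `sane-default`, while every other template in this series uses `sane_default` (the `shell`, `SoftwareType` and `key` attributes in the preceding hunks), so a consumer keying on the underscore form will silently ignore the profile dropdown; change the line to `"sane_default": [`. The attribute name `enbled-firewall` also reads as a typo for `enabled-firewall`, but renaming it changes the object's public attribute set, so if it is corrected the template `version` must be bumped for objects already created from version 1. Both are present on the removed side as well; the hunk appears to re-add the file unchanged apart from whitespace, so this is a follow-up rather than a blocker for the commit.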
@@ -1,89 +1,89 @@ -{ - "required": [ - "computer-name" - ], - "attributes": { - "computer-name": { - "description": "name of the computer under analysis", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "shutdown-time": { - "description": "Date and time when the system was shutdown.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-last-write-time": { - "description": "Date and time when the timezone key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-bias": { - "description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-standard-name": { - "description": "Timezone standard name used during non-daylight saving months.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-standard-date": { - "description": "Standard date - non daylight saving months", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-standard-bias": { - "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-daylight-name": { - "description": "Timezone name used during daylight saving months.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-daylight-date": { - "description": "Daylight date - daylight saving months", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-daylight-bias": { - "description": "value in minutes to be 
added to the value of timezone-bias to generate the bias used during daylight time.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "fDenyTSConnections:": { - "description": "Specifies whether remote connections are enabled or disabled on the system.", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "", - "disable_correlation": true - } - }, - "version": 1, - "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", - "meta-category": "misc", - "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", - "name": "regripper-system-hive-general-configuration" -} +{ + "required": [ + "computer-name" + ], + "attributes": { + "computer-name": { + "description": "name of the computer under analysis", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "shutdown-time": { + "description": "Date and time when the system was shutdown.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-last-write-time": { + "description": "Date and time when the timezone key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-bias": { + "description": "Offset in minutes from UTC. 
Offset added to the local time to get a UTC value.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-standard-name": { + "description": "Timezone standard name used during non-daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-standard-date": { + "description": "Standard date - non daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-standard-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-daylight-name": { + "description": "Timezone name used during daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-daylight-date": { + "description": "Daylight date - daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-daylight-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "fDenyTSConnections:": { + "description": "Specifies whether remote connections are enabled or disabled on the system.", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", + "meta-category": "misc", + "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", + "name": "regripper-system-hive-general-configuration" +} 
diff --git a/objects/regripper-system-hive-network-information/definition.json b/objects/regripper-system-hive-network-information/definition.json index dfd3e85..7676c59 100644 --- a/objects/regripper-system-hive-network-information/definition.json +++ b/objects/regripper-system-hive-network-information/definition.json 
@@ -1,106 +1,106 @@ -{ - "required": [ - "network-key" - ], - "attributes": { - "network-key": { - "description": "Registry key assigned to the network", - "ui-priority": 0, - "misp-attribute": "text" - }, - "network-key-last-write-time": { - "description": "Date and time when the network key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "network-key-path": { - "description": "Path of the key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "TCPIP-key": { - "description": "TCPIP key", - "ui-priority": 0, - "misp-attribute": "text" - }, - "TCPIP-key-last-write-time": { - "description": "Datetime when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "DHCP-domain": { - "description": "Name of the DHCP domain service", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DHCP-IP-address": { - "description": "DHCP service - IP address", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-subnet-mask": { - "description": "DHCP subnet mask - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-name-server": { - "description": "DHCP Name server - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-server": { - "description": "DHCP server - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "interface-GUID": { - "description": "GUID value assigned to the interface.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-last-write-time": { - "description": "Last date and time when the interface key was updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "interface-name": { - "description": "Name of the interface.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "interface-PnpInstanceID": { - 
"description": "Plug and Play instance ID assigned to the interface.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-MediaSubType": { - "description": "", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-IPcheckingEnabled": { - "description": "", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } - }, - "version": 1, - "description": "Regripper object template designed to gather network information from the system-hive.", - "meta-category": "misc", - "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0", - "name": "regripper-system-hive-network-information." -} +{ + "required": [ + "network-key" + ], + "attributes": { + "network-key": { + "description": "Registry key assigned to the network", + "ui-priority": 0, + "misp-attribute": "text" + }, + "network-key-last-write-time": { + "description": "Date and time when the network key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "network-key-path": { + "description": "Path of the key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "TCPIP-key": { + "description": "TCPIP key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "TCPIP-key-last-write-time": { + "description": "Datetime when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "DHCP-domain": { + "description": "Name of the DHCP domain service", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DHCP-IP-address": { + "description": "DHCP service - IP address", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-subnet-mask": { + "description": "DHCP subnet mask - IP address.", + 
"ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-name-server": { + "description": "DHCP Name server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-server": { + "description": "DHCP server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "interface-GUID": { + "description": "GUID value assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-last-write-time": { + "description": "Last date and time when the interface key was updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "interface-name": { + "description": "Name of the interface.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "interface-PnpInstanceID": { + "description": "Plug and Play instance ID assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-MediaSubType": { + "description": "", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-IPcheckingEnabled": { + "description": "", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper object template designed to gather network information from the system-hive.", + "meta-category": "misc", + "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0", + "name": "regripper-system-hive-network-information." +} diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index 35054ab..b5dcaf5 100644 --- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json 
@@ -1,98 +1,98 @@ -{ - "required": [ - "name" - ], - "attributes": { - "name": { - "description": "name of the key", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "display": { - "description": "Display name/information of the service or the driver.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "image-path": { - "description": "Path of the service/drive", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Service/driver type.", - "ui-priority": 0, - "sane_default": [ - "Kernel driver", - "File system driver", - "Own process", - "Share process", - "Interactive", - "Other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "start": { - "description": "When the service/driver starts or executes.", - "ui-priority": 0, - "sane_default": [ - "Boot start", - "System start", - "Auto start", - "Manual", - "Disabled" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "group": { - "description": "Group to which the system/driver belong to.", - "ui-priority": 0, - "sane_default": [ - "Base", - "Boot Bus Extender", - "Boot File System", - "Cryptography", - "Extended base", - "Event Log", - "Filter", - "FSFilter Bottom", - "FSFilter Infrastructure", - "File System", - "FSFilter Virtualization", - "Keyboard Port", - "Network", - "NDIS", - "Parallel arbitrator", - "Pointer Port", - "PnP Filter", - "ProfSvc_Group", - "PNP_TDI", - "SCSI Miniport", - "SCSI CDROM Class", - "System Bus Extender", - "Video Save", - "other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "", - "disable_correlation": true - } - }, - "version": 1, - "description": "Regripper Object template designed to gather information regarding the 
services/drivers from the system-hive.", - "meta-category": "misc", - "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", - "name": "regripper-system-hive-services-drivers" -} +{ + "required": [ + "name" + ], + "attributes": { + "name": { + "description": "name of the key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "display": { + "description": "Display name/information of the service or the driver.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "image-path": { + "description": "Path of the service/drive", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Service/driver type.", + "ui-priority": 0, + "sane_default": [ + "Kernel driver", + "File system driver", + "Own process", + "Share process", + "Interactive", + "Other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "start": { + "description": "When the service/driver starts or executes.", + "ui-priority": 0, + "sane_default": [ + "Boot start", + "System start", + "Auto start", + "Manual", + "Disabled" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "group": { + "description": "Group to which the system/driver belong to.", + "ui-priority": 0, + "sane_default": [ + "Base", + "Boot Bus Extender", + "Boot File System", + "Cryptography", + "Extended base", + "Event Log", + "Filter", + "FSFilter Bottom", + "FSFilter Infrastructure", + "File System", + "FSFilter Virtualization", + "Keyboard Port", + "Network", + "NDIS", + "Parallel arbitrator", + "Pointer Port", + "PnP Filter", + "ProfSvc_Group", + "PNP_TDI", + "SCSI Miniport", + "SCSI CDROM Class", + "System Bus Extender", + "Video Save", + "other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + 
"misp-attribute": "", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.", + "meta-category": "misc", + "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", + "name": "regripper-system-hive-services-drivers" +} From 26fcbcd3bf29475cbce3e56684407404d3075f25 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 25 Oct 2018 17:35:50 +0200 Subject: [PATCH 079/113] fix typo --- objects/python-etvx-event-log/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json index 62566f4..2c50d9a 100644 --- a/objects/python-etvx-event-log/definition.json +++ b/objects/python-etvx-event-log/definition.json @@ -22,7 +22,7 @@ "ui-priority": 3, "misp-attribute": "text", "disable_correlation": true, - "sane-default": [ + "sane_default": [ "Application", "System", "Security", @@ -35,7 +35,7 @@ "ui-priority": 0, "misp-attribute": "text", "disable_correlation": true, - "sane-default": [ + "sane_default": [ "Admin", "Operational", "Audit", From 7a70a1ece3743de6103bac5c8d5a6337d2e673a5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 25 Oct 2018 17:38:26 +0200 Subject: [PATCH 080/113] fix: various typos --- .../definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json index ca14989..e1ed4d5 100644 --- a/objects/regripper-software-hive-general-windows-info/definition.json +++ b/objects/regripper-software-hive-general-windows-info/definition.json 
@@ -28,7 +28,8 @@ "CurrentVersion": { "description": "Current version of windows", "ui-priority": 0, - "disable_correlation": true + "disable_correlation": true, + "misp-attribute": "text" }, "CurrentBuild": { "description": "Build number of the windows OS.", @@ -113,7 +114,7 @@ "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "", + "misp-attribute": "comment", "disable_correlation": true } }, From 38a37186934db5b1ab45c242cdadf146ca2f332b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 25 Oct 2018 17:42:57 +0200 Subject: [PATCH 081/113] typo fixed --- .../definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json index abac192..b7e5fb6 100644 --- a/objects/regripper-system-hive-firewall-configuration/definition.json +++ b/objects/regripper-system-hive-firewall-configuration/definition.json @@ -6,7 +6,7 @@ "profile": { "description": "Firewall Profile type", "ui-priority": 0, - "sane-default": [ + "sane_default": [ "Domain Profile", "Standard Profile", "Network Profile", From 5e952a4bf7349f9ef955ec1b9448f2b31aaac63b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 25 Oct 2018 17:45:58 +0200 Subject: [PATCH 082/113] chg: [tsk-web-downloads] including link versus url (we assume it's malicious link by default) --- objects/TSK-Web-Downloads/definition.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json index 6659d0e..ba60ce2 100644 --- a/objects/TSK-Web-Downloads/definition.json +++ b/objects/TSK-Web-Downloads/definition.json 
@@ -1,13 +1,13 @@ { "required": [ - "URL", + "url", "name" ], "attributes": { - "URL": { + "url": { "description": "The URL used to download the file.", "ui-priority": 0, - "misp-attribute": "link" + "misp-attribute": "url" }, "datetime-accessed": { "description": "date and time when the file was downloaded.", @@ -49,7 +49,7 @@ }, "version": 1, "description": "An Object Template to add web-downloads", - "meta-category": "File", + "meta-category": "file", "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", "name": "tsk-web-downloads" } From 2f1ed1ee0c772508208506646d55da72e95cd582 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 25 Oct 2018 17:49:20 +0200 Subject: [PATCH 083/113] chg: [regripper-sam-hive-single-user] uuid fixed --- objects/regripper-sam-hive-single-user/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json index 598144b..0bef376 100644 --- a/objects/regripper-sam-hive-single-user/definition.json +++ b/objects/regripper-sam-hive-single-user/definition.json @@ -63,6 +63,6 @@ "version": 1, "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.", "meta-category": "misc", - "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", + "uuid": "112efd9a-2137-4198-92ed-7c91043e2cd4", "name": "regripper-sam-hive-single-user" } From 1a0d055caa67aa2e3fe0024815df8d9dbc63703f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 25 Oct 2018 13:47:20 -0400 Subject: [PATCH 084/113] new: Internal reference object --- objects/internal-reference/definition.json | 36 ++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 objects/internal-reference/definition.json diff --git a/objects/internal-reference/definition.json b/objects/internal-reference/definition.json new file mode 100644 index 0000000..ea2ed12 --- /dev/null 
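Review bot: Renaming the required attribute `URL` to `url` and switching its type from `link` to `url` is an interface change, not a typo fix: object attributes record the relation name, so objects already created from this template reference a key that no longer exists, and the `required` list now rejects them. The subject speaks of "including link versus url", but the new side keeps only `url`; if benign downloads should remain expressible, keep a separate `link` attribute and move both under `requiredOneOf` as patch 091 does for the process object.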
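Review bot: Replacing the template `uuid` in place gives the regripper-sam-hive-single-user template a new identity while every object already created under `4d3fffd2-cd07-4357-96e0-a51c988faaef` keeps pointing at a uuid that no longer exists in this repository. The subject only says "uuid fixed"; if the old value collided with another template, naming that template in the commit message would make the reason auditable, and a description line such as `"description": "… (template uuid changed in v2, previously 4d3fffd2-…)"` would let consumers find the old objects.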
+++ b/objects/internal-reference/definition.json @@ -0,0 +1,36 @@ +{ + "required": [ + "identifier" + ], + "attributes": { + "identifier": { + "description": "Identifier of the reference. Should be unique in your system.", + "ui-priority": 1, + "misp-attribute": "text", + "categories": [ + "Internal reference" + ] + }, + "comment": { + "description": "Comment associated to the identifier.", + "ui-priority": 0, + "misp-attribute": "comment", + "categories": [ + "Internal reference" + ] + }, + "link": { + "description": "Link associated to the identifier.", + "ui-priority": 1, + "misp-attribute": "link", + "categories": [ + "Internal reference" + ] + } + }, + "version": 1, + "description": "Internal reference.", + "meta-category": "misc", + "uuid": "a3984dc5-5f70-4776-9262-c19641c0ff6a", + "name": "internal-reference" +} From e3d5d636e49b5da243b567ce1a7a27dec55f0b97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 25 Oct 2018 15:47:04 -0400 Subject: [PATCH 085/113] chg: Add type of internal reference --- objects/internal-reference/definition.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/objects/internal-reference/definition.json b/objects/internal-reference/definition.json index ea2ed12..b657cec 100644 --- a/objects/internal-reference/definition.json +++ b/objects/internal-reference/definition.json @@ -19,6 +19,14 @@ "Internal reference" ] }, + "type": { + "description": "Type of internal reference.", + "ui-priority": 1, + "misp-attribute": "text", + "categories": [ + "Internal reference" + ] + }, "link": { "description": "Link associated to the identifier.", "ui-priority": 1, @@ -28,7 +36,7 @@ ] } }, - "version": 1, + "version": 2, "description": "Internal reference.", "meta-category": "misc", "uuid": "a3984dc5-5f70-4776-9262-c19641c0ff6a", From decd49b6fcf9a02d9093b1c7d263c42f44bef185 Mon Sep 17 00:00:00 2001 
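Review bot: `identifier` is described as unique only "in your system" yet keeps correlation enabled, so on a shared instance two organisations that both use short ticket-style identifiers (constructed example: `INC-1042`) would correlate on unrelated events. Either add `"disable_correlation": true` to it, or extend the description to state that cross-event correlation on the identifier is intended.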
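Review bot: The new `type` attribute is free text with correlation left enabled, but it holds a low-entropy label repeated across every object of this kind, which is exactly the situation patches 087 and 088 in this series address by disabling correlation. Add `"disable_correlation": true` to `type`, and consider a `sane_default` list of the expected values so authors do not drift in spelling.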
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 25 Oct 2018 17:45:47 -0400 Subject: [PATCH 086/113] fix: JQ things --- objects/internal-reference/definition.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/internal-reference/definition.json b/objects/internal-reference/definition.json index b657cec..f5ff0e3 100644 --- a/objects/internal-reference/definition.json +++ b/objects/internal-reference/definition.json @@ -8,7 +8,7 @@ "ui-priority": 1, "misp-attribute": "text", "categories": [ - "Internal reference" + "Internal reference" ] }, "comment": { @@ -16,7 +16,7 @@ "ui-priority": 0, "misp-attribute": "comment", "categories": [ - "Internal reference" + "Internal reference" ] }, "type": { @@ -24,7 +24,7 @@ "ui-priority": 1, "misp-attribute": "text", "categories": [ - "Internal reference" + "Internal reference" ] }, "link": { @@ -32,7 +32,7 @@ "ui-priority": 1, "misp-attribute": "link", "categories": [ - "Internal reference" + "Internal reference" ] } }, From ccab94e1b75303b8712b28f76e10cb2459255944 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 28 Oct 2018 15:07:35 +0100 Subject: [PATCH 087/113] chg: [ip-api-adress] updated to ensure correlation disabled --- objects/ip-api-address/definition.json | 32 +++++++++++++++++--------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/objects/ip-api-address/definition.json b/objects/ip-api-address/definition.json index fc326a9..88030d3 100644 --- a/objects/ip-api-address/definition.json +++ b/objects/ip-api-address/definition.json @@ -2,7 +2,7 @@ "name": "ip-api-address", "meta-category": "network", "description": "IP Address information. Useful if you are pulling your ip information from ip-api.com", - "version": 1, + "version": 2, "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", "attributes": { "ip-src": { 
@@ -13,52 +13,62 @@ "asn": { "description": "Autonomous System Number", "ui-priority": 1, - "misp-attribute": "AS" + "misp-attribute": "AS", + "disable_correlation": true }, "organization": { "description": "organization", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "ISP": { "description": "ISP.", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "zipcode": { "description": "Zip Code.", "misp-attribute": "text", - "ui-priority": 1 + "ui-priority": 1, + "disable_correlation": true }, "city": { "description": "City.", "misp-attribute": "text", - "ui-priority": 1 + "ui-priority": 1, + "disable_correlation": true }, "state": { "description": "State.", "misp-attribute": "text", - "ui-priority": 1 + "ui-priority": 1, + "disable_correlation": true }, "country": { "description": "Country name", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "country code": { "description": "Country code ", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "region": { "description": "Region. example: California.", "misp-attribute": "text", - "ui-priority": 1 + "ui-priority": 1, + "disable_correlation": true }, "region code": { "description": "Region code. example: CA", "misp-attribute": "text", - "ui-priority": 1 + "ui-priority": 1, + "disable_correlation": true }, "latitude": { "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", From a4207d1f3636ec8a2132b5112062ac21822262ff Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 29 Oct 2018 20:43:36 +0100 Subject: [PATCH 088/113] chg: [mactime-timeline-analysis] disable some correlations --- .../mactime-timeline-analysis/definition.json | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) 
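Review bot: The context lines show two attribute names containing spaces, `"country code"` and `"region code"`, while every other attribute in this template and in the rest of the series uses hyphenated names. Since this commit already bumps `version`, renaming them to `country-code` and `region-code` would cost nothing extra now if no objects depend on them yet; doing it later is a breaking rename of its own. The hunk ends before latitude/longitude, so whether those also received `disable_correlation` is not visible here.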
diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json index 55d86e0..a8f32e9 100644 --- a/objects/mactime-timeline-analysis/definition.json +++ b/objects/mactime-timeline-analysis/definition.json @@ -13,12 +13,14 @@ "datetime": { "description": "Date and time when the operation was conducted on the file", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "file_size": { "description": "Determines the file size in bytes", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "activityType": { "description": "Determines the type of activity conducted on the file at a given time", @@ -30,20 +32,23 @@ "Changed", "Modified", "Other" - ] + ], + "disable_correlation": true }, "filePermissions": { "description": "Describes permissions assigned the file", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "file": { "description": "Mactime output file", "ui-priority": 0, - "misp-attribute": "attachment" + "misp-attribute": "attachment", + "disable_correlation": true } }, - "version": 1, + "version": 3, "description": "Mactime template, used in forensic investigations to describe the timeline of a file activity", "meta-category": "file", "uuid": "9297982e-be62-4772-a665-c91f5a8d639", From 6560a53b800ee175cc4b80b66411bcd7806e4a34 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Tue, 30 Oct 2018 21:30:09 +0900 Subject: [PATCH 089/113] chg: [definition] Extended crypto coin object to be able to enrich with interesting data --- objects/coin-address/definition.json | 34 ++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json index 51876e7..803f4a7 100644 --- a/objects/coin-address/definition.json +++ b/objects/coin-address/definition.json 
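Review bot: The context line `"uuid": "9297982e-be62-4772-a665-c91f5a8d639"` is not a valid UUID: its last group has 11 hex digits instead of 12, so any strict UUID validation on import may reject this template, and the commit touches the file without fixing it. Replace it with a freshly generated UUID (placeholder: `<NEW-UUID>`) as part of this version change. `version` also jumps from 1 to 3; harmless if 2 was never published, otherwise worth a glance.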
@@ -60,6 +60,40 @@ "ui-priority": 0, "misp-attribute": "datetime" }, + "last-updated": { + "description": "Last time the balances and totals have been updated", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "current-balance": { + "description": "Current balance of address", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "total-transactions": { + "description": "Total transactions performed", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "total-received": { + "description": "Total balance received", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "float", + "recommended": false + }, + "total-sent": { + "description": "Total balance sent", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "float", + "recommended": false + }, "text": { "description": "Free text value", "disable_correlation": true, From e132ea8e03fe1b855d9f862c5d65014fda445b36 Mon Sep 17 00:00:00 2001 From: Steve Clement Date: Tue, 30 Oct 2018 22:58:54 +0900 Subject: [PATCH 090/113] fix: [definition] Fixed current balance type, is float. --- objects/coin-address/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json index 803f4a7..47b1805 100644 --- a/objects/coin-address/definition.json +++ b/objects/coin-address/definition.json @@ -70,7 +70,7 @@ "description": "Current balance of address", "disable_correlation": true, "ui-priority": 1, - "misp-attribute": "text", + "misp-attribute": "float", "recommended": false }, "total-transactions": { From d41b642bc4344db7b538e5824117403192f3ee2f Mon Sep 17 00:00:00 2001 
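Review bot: `total-transactions` is a count but is stored as `text`, so it will neither sort nor compare numerically; if the `counter` attribute type is available on the target MISP version, `"misp-attribute": "counter"` fits it better. `"recommended": false` is not a key used by any other template visible in this series, so confirm the template loader recognises it rather than silently ignoring it. The `float` for balances can lose precision for amounts expressed in smallest units; `last-updated` gives the reader a way to judge staleness, which is good.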
From: Thomas Patzke Date: Fri, 2 Nov 2018 00:35:28 +0100 Subject: [PATCH 091/113] Extension of process object --- objects/process/definition.json | 44 +++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/objects/process/definition.json b/objects/process/definition.json index 220d4e5..e0420ee 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -3,7 +3,7 @@ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "meta-category": "misc", "description": "Object describing a system process.", - "version": 2, + "version": 3, "attributes": { "creation-time": { "description": "Local date/time at which the process was created.", @@ -47,10 +47,50 @@ "misp-attribute": "src-port", "multiple": true, "disable_correlation": true + }, + "command-line": { + "description": "Command line of the process", + "ui-priority": 1, + "misp-attribute": "text" + }, + "current-directory": { + "description": "Current working directory of the process", + "ui-priority": 2, + "misp-attribute": "filename", + "disable_correlation": true + }, + "image": { + "description": "Path of process image", + "ui-priority": 1, + "misp-attribute": "filename" + }, + "parent-command-line": { + "description": "Command line of the parent process", + "ui-priority": 1, + "misp-attribute": "text" + }, + "parent-image": { + "description": "Path of parent process image", + "ui-priority": 1, + "misp-attribute": "filename" + }, + "user": { + "description": "User context of the process", + "ui-priority": 2, + "misp-attribute": "text", + "disable_correlation": true + }, + "integrity-level": { + "description": "Integrity level of the process", + "ui-priority": 2, + "misp-attribute": "text", + "disable_correlation": true } }, "requiredOneOf": [ "name", - "pid" + "pid", + "image", + "command-line" ] } From e12f15d5daae3f4c53293bb2a2b6483bcd97a366 Mon Sep 17 00:00:00 2001 
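Review bot: `integrity-level` is a closed set on the platforms that expose it (for example Low, Medium, High, System on Windows), so a `sane_default` list like the one the service-drivers template uses would keep values consistent across authors; the same applies to `user` only loosely, so leaving it free text is reasonable. `command-line` and `parent-command-line` correlate on the exact string, which is useful for distinctive launches but noisy for common ones; the description should say that the value is expected verbatim from the sensor so authors know what will be correlated and shared.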
From: Thomas Patzke Date: Fri, 2 Nov 2018 00:40:55 +0100 Subject: [PATCH 092/113] Fixed misp-attribute in link attribute of paste object --- objects/paste/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/paste/definition.json b/objects/paste/definition.json index 09c5adf..7eace76 100644 --- a/objects/paste/definition.json +++ b/objects/paste/definition.json @@ -44,7 +44,7 @@ "description": "Link to the original source of the paste or post (when used maliciously)." }, "link": { - "misp-attribute": "link,", + "misp-attribute": "link", "ui-priority": 0, "description": "Link to the original source of the source or post (when used legitimately for OSINT source or alike)." }, From d61a1f33909f8f8d996ef526ee0db75a8a1052f6 Mon Sep 17 00:00:00 2001 From: Hendrik Date: Fri, 9 Nov 2018 12:37:34 +0100 Subject: [PATCH 093/113] Added cortex taxonomy object definition --- objects/cortex-taxonomy/definition.json | 59 +++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 objects/cortex-taxonomy/definition.json diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json new file mode 100644 index 0000000..6ece6f9 --- /dev/null +++ b/objects/cortex-taxonomy/definition.json 
@@ -0,0 +1,59 @@
+{
+ "required": [
+ "level",
+ "predicate",
+ "value",
+ "namespace"
+ ],
+ "attributes": {
+ "namespace": {
+ "categories": ["External analysis"],
+ "description": "Cortex Taxonomy Namespace",
+ "disable_correlation": true,
+ "multiple": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "predicate": {
+ "categories": ["External analysis"],
+ "description": "Cortex Taxonomy Predicate",
+ "disable_correlation": true,
+ "multiple": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "value": {
+ "categories": ["External analysis"],
+ "description": "Cortex Taxonomy Value",
+ "disable_correlation": true,
+ "multiple": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "level": {
+ "categories": ["External analysis"],
+ "description": "Cortex Taxonomy Level",
+ "disable_correlation": true,
+ "multiple": false,
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "values_list": [
+ "info",
+ "safe",
+ "suspicious",
+ "malicious"
+ ]
+ },
+ "cortex_url": {
+ "description": "URL to the Cortex job",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ }
+ },
+ "version": 3,
+ "description": "Cortex object describing an Cortex Taxonomy",
+ "meta-category": "misc",
+ "uuid": "bef7d23b-e796-4d46-803a-32e317896894",
+ "name": "cortex-taxonomy"
+}
From 0f1f23fbb546870e383daac28784d91e9568b137 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 9 Nov 2018 14:21:10 +0100
Subject: [PATCH 094/113] fix: [cortex-taxonomy] jq all the things(tm)
---
 objects/cortex-taxonomy/definition.json | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json
index 6ece6f9..f368967 100644
--- a/objects/cortex-taxonomy/definition.json
+++ b/objects/cortex-taxonomy/definition.json
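Review bot: A brand-new template starts at `"version": 3`, while the other objects created in this series (cortex, timesketch_message, facial-composite) start at 1; unless this number carries history from somewhere outside the repository, `"version": 1` is what a reader would expect. The description `"Cortex object describing an Cortex Taxonomy"` has a grammar slip (`a Cortex`) that patch 095 carries over into the `(or mini report)` wording. `cortex_url` is the only underscored key in the file; the template's own keys (`ui-priority`, `misp-attribute`) and the object name `cortex-taxonomy` are hyphenated, so `cortex-url` would match before the name is published. `"multiple": false` on four of the five attributes is presumably the default and could be dropped, as `cortex_url` already does.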
@@ -7,7 +7,9 @@
 ],
 "attributes": {
 "namespace": {
- "categories": ["External analysis"],
+ "categories": [
+ "External analysis"
+ ],
 "description": "Cortex Taxonomy Namespace",
 "disable_correlation": true,
 "multiple": false,
@@ -15,7 +17,9 @@
 "misp-attribute": "text"
 },
 "predicate": {
- "categories": ["External analysis"],
+ "categories": [
+ "External analysis"
+ ],
 "description": "Cortex Taxonomy Predicate",
 "disable_correlation": true,
 "multiple": false,
@@ -23,7 +27,9 @@
 "misp-attribute": "text"
 },
 "value": {
- "categories": ["External analysis"],
+ "categories": [
+ "External analysis"
+ ],
 "description": "Cortex Taxonomy Value",
 "disable_correlation": true,
 "multiple": false,
@@ -31,7 +37,9 @@
 "misp-attribute": "text"
 },
 "level": {
- "categories": ["External analysis"],
+ "categories": [
+ "External analysis"
+ ],
 "description": "Cortex Taxonomy Level",
 "disable_correlation": true,
 "multiple": false,
From 3ec98a8a6590276e46ae3a47c50971397d9a18bc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Nov 2018 10:11:25 +0100
Subject: [PATCH 095/113] chg: [cortex-taxonomy] aka mini-report
---
 objects/cortex-taxonomy/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json
index f368967..edb3580 100644
--- a/objects/cortex-taxonomy/definition.json
+++ b/objects/cortex-taxonomy/definition.json
@@ -59,8 +59,8 @@
 "misp-attribute": "link"
 }
 },
- "version": 3,
- "description": "Cortex object describing an Cortex Taxonomy",
+ "version": 4,
+ "description": "Cortex object describing an Cortex Taxonomy (or mini report)",
 "meta-category": "misc",
 "uuid": "bef7d23b-e796-4d46-803a-32e317896894",
 "name": "cortex-taxonomy"
From 39dd150e2a85b2b5a041a202343ecefa4d34b43a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Nov 2018 10:28:18 +0100
Subject: [PATCH 096/113] add: [cortex] new object based on a discussion with Jerome L. from TheHive (thanks to SNCF)
---
 objects/cortex/definition.json | 48 ++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 objects/cortex/definition.json
diff --git a/objects/cortex/definition.json b/objects/cortex/definition.json
new file mode 100644
index 0000000..1d6679c
--- /dev/null
+++ b/objects/cortex/definition.json
@@ -0,0 +1,48 @@
+{
+ "requiredOneOf": [
+ "full"
+ ],
+ "attributes": {
+ "summary": {
+ "description": "Cortex summary object (summary) in JSON",
+ "disable_correlation": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "full": {
+ "description": "Cortex report object (full report) in JSON",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "start-date": {
+ "description": "When the Cortex analyser was started",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "name": {
+ "description": "Cortex analyser/worker name",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "server-name": {
+ "description": "Name of the cortex server",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "success": {
+ "description": "Result of the cortex job",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ }
+ },
+ "version": 1,
+ "description": "Cortex object describing a complete cortex analysis",
+ "meta-category": "misc",
+ "uuid": "144988f3-fa00-4374-8015-c1a32092f451",
+ "name": "cortex"
+}
From 7808850ce246b901e485552b45fbdc295982455e Mon Sep 17 00:00:00 2001
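Review bot: `summary` is the only attribute in this object with `"disable_correlation": false`, and its value is a JSON blob of analyser output; two events that received the same summary from the same analyser would correlate on the whole string, which reads as noise rather than a deliberate link, so either set it to `true` like its siblings or say in the description why the summary should correlate. `"requiredOneOf": ["full"]` with a single entry is equivalent to `"required": ["full"]`, which states the intent more directly. The `full` report holds whatever the analyser returned, which may be considerably more than the observable it was run on; a sentence in the object description reminding contributors to check the report's content before sharing the event more widely would help.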
From: Alexandre Dulaunoy
Date: Sun, 18 Nov 2018 10:29:42 +0100
Subject: [PATCH 097/113] chg: [cortex] description updated as TheHive/Cortex observables will be attributes with relationships from this object
---
 objects/cortex/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/cortex/definition.json b/objects/cortex/definition.json
index 1d6679c..a45a0a3 100644
--- a/objects/cortex/definition.json
+++ b/objects/cortex/definition.json
@@ -41,7 +41,7 @@
 }
 },
 "version": 1,
- "description": "Cortex object describing a complete cortex analysis",
+ "description": "Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.",
 "meta-category": "misc",
 "uuid": "144988f3-fa00-4374-8015-c1a32092f451",
 "name": "cortex"
From e44dd16b1841035df0f4a2e8e98a753952eff9cc Mon Sep 17 00:00:00 2001
From: Alexander J
Date: Fri, 23 Nov 2018 15:40:57 +0100
Subject: [PATCH 098/113] new misp object for a timesketch message to be able to push timesketch messages (timesketch.org) to a misp event it is handy to have a specific type of object for it.
---
 objects/timesketch_message/definition.json | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 objects/timesketch_message/definition.json
diff --git a/objects/timesketch_message/definition.json b/objects/timesketch_message/definition.json
new file mode 100644
index 0000000..9185646
--- /dev/null
+++ b/objects/timesketch_message/definition.json
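Review bot: The new description reads `Observables would be attribute with a relationship from this object.`; `Observables would be attributes with a relationship from this object.` is the grammatical form, and naming the relationship type users are expected to pick (the relationships file in this series defines the vocabulary) would make the sentence actionable rather than a statement of intent.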
@@ -0,0 +1,26 @@
+{
+ "required": [
+ "datetime",
+ "message"
+ ],
+ "attributes": {
+ "datetime": {
+ "description": "datetime of the message",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "datetime",
+ "recommended": true
+ },
+ "message": {
+ "description": "message",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "A timesketch message entry.",
+ "meta-category": "misc",
+ "uuid": "ef27fb19-7e71-43e0-b6f6-6f03ab67666f",
+ "name": "timesketch_message"
+}
From 6cc29aad3dda895de95fe9f0d86bb9a7007af7c2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Nov 2018 22:21:51 +0100
Subject: [PATCH 099/113] chg: [microblog] a small clarification about the username to avoid the @
---
 objects/microblog/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json
index 906a03c..847fceb 100644
--- a/objects/microblog/definition.json
+++ b/objects/microblog/definition.json
@@ -30,7 +30,7 @@
 ]
 },
 "username": {
- "description": "Username who posted the microblog post",
+ "description": "Username who posted the microblog post (without the @ prefix)",
 "ui-priority": 0,
 "misp-attribute": "text"
 },
@@ -62,7 +62,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 4,
+ "version": 5,
 "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
 "meta-category": "misc",
 "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
From 11a462e79b02428a08b11698d45aa8aa5ab6887d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 4 Dec 2018 15:39:51 +0100
Subject: [PATCH 100/113] chg: [person] OFAC fields - Office of Foreign Assets Control
---
 objects/person/definition.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index d8950f0..d2ad496 100644
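Review bot: The object name `timesketch_message` uses an underscore, whereas every other object name in this series is hyphenated (`cortex-taxonomy`, `facial-composite`, `research-scanner`); a template name is awkward to change once instances have stored objects under it, so `timesketch-message` is worth settling before merge. The `message` attribute's description is just `"message"`, which tells a user nothing they could not read from the key; something like `"Message text of the timesketch timeline entry"` would. `"recommended": true` on `datetime` is the only use of that key in this series, so I assume it is a supported template key — worth confirming against the object schema rather than relying on it being ignored.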
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -98,6 +98,16 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "birth-certificate-number": {
+ "description": "Birth Certificate Number",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ofac-identification-number": {
+ "description": "ofac-identification Number",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "nationality": {
 "description": "The nationality of a natural person.",
 "ui-priority": 0,
@@ -136,7 +146,7 @@
 "multiple": true
 }
 },
- "version": 4,
+ "version": 5,
 "description": "An object which describes a person or an identity.",
 "meta-category": "misc",
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
From 7dfa69a743078d8bdddb664604aaff3e40054b3f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 21 Dec 2018 12:27:11 +0100
Subject: [PATCH 101/113] Object Victim - Extended requiredOneof
---
 objects/victim/definition.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/objects/victim/definition.json b/objects/victim/definition.json
index 346dc70..2ef946c 100644
--- a/objects/victim/definition.json
+++ b/objects/victim/definition.json
@@ -1,6 +1,8 @@
 {
 "requiredOneOf": [
- "name"
+ "name",
+ "regions",
+ "sectors"
 ],
 "attributes": {
 "description": {
From 5a9800ab6aba54fe1019fabd167b6dc13e4e2fd7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 21 Dec 2018 20:28:24 +0100
Subject: [PATCH 102/113] chg: [person] portrait added #133
---
 objects/person/definition.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index d2ad496..6dd31b5 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
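Review bot: `"description": "ofac-identification Number"` is the attribute key pasted in as prose; `"OFAC identification number (Office of Foreign Assets Control)"` would match the sibling `"Birth Certificate Number"` and expand the acronym that only the commit message spells out. Both new fields are identity numbers left correlation-enabled, which is consistent with the other identifiers in this object, but a birth certificate number is only meaningful together with its issuing authority; saying in the description that the value is the number as printed on the document would stop two numbering schemes from landing under the same key.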
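Review bot: `regions` and `sectors` are added to `requiredOneOf`, but their attribute definitions lie outside this hunk and I could not confirm from here that both exist as keys under `attributes`; a `requiredOneOf` entry with no matching attribute makes the object impossible to satisfy through that entry, so that is worth a glance before merge. The rest of the victim template is outside the hunk.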
@@ -144,9 +144,15 @@
 "ui-priority": 10,
 "misp-attribute": "email-src",
 "multiple": true
+ },
+ "portrait": {
+ "description": "Portrait of the person.",
+ "ui-priority": 10,
+ "misp-attribute": "attachment",
+ "multiple": true
 }
 },
- "version": 5,
+ "version": 6,
 "description": "An object which describes a person or an identity.",
 "meta-category": "misc",
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
From 9b84576442c82259104814404f21264f1f94a790 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 21 Dec 2018 20:41:45 +0100
Subject: [PATCH 103/113] add: [facial-composite] new facial composite object
---
 objects/facial-composite/definition.json | 39 ++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 objects/facial-composite/definition.json
diff --git a/objects/facial-composite/definition.json b/objects/facial-composite/definition.json
new file mode 100644
index 0000000..585f4ee
--- /dev/null
+++ b/objects/facial-composite/definition.json
@@ -0,0 +1,39 @@
+{
+ "requiredOneOf": [
+ "facial-composite",
+ "text"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the facial composite.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "technique": {
+ "description": "Construction technique of the facial composite.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "values_list": [
+ "E-FIT",
+ "PROfit",
+ "Sketch",
+ "Photofit",
+ "EvoFIT",
+ "PortraitPad"
+ ],
+ "disable_correlation": true
+ },
+ "facial-composite": {
+ "description": "Facial composite image.",
+ "ui-priority": 10,
+ "misp-attribute": "attachment",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "An object which describes a facial composite.",
+ "meta-category": "misc",
+ "uuid": "d727bc27-d1b9-4754-972c-dea305bd5976",
+ "name": "facial-composite"
+}
From e634e50e898e27a2cc0ad1a84a225d64ce8e30c3 Mon Sep 17 00:00:00 2001
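Review bot: The `facial-composite` attachment attribute (like `portrait` in the person hunk above) is the only attribute in its object that keeps correlation enabled, and the stored value of an attachment is its filename; if correlation for that type compares filenames, generic names such as `composite.png` will link unrelated cases, so `"disable_correlation": true` — which the sibling `text` attribute already sets — seems the safer default unless filename correlation is wanted. I am inferring how attachment correlation works from the attribute type, so worth confirming against the instance behaviour before changing it.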
From: Alexandre Dulaunoy
Date: Fri, 21 Dec 2018 20:44:01 +0100
Subject: [PATCH 104/113] chg: [doc] facial-composite object added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 13cdafc..5bf98d9 100644
--- a/README.md
+++ b/README.md
@@ -88,6 +88,7 @@ for a specific attribute.
 * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
 * [objects/email](objects/email/definition.json) - An email object.
 * [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
+* [objects/facial-composite](objects/facial-composite/definition.json) A facial composite object.
 * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
 * [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
 * [objects/forensic-case](objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
From 39bd2641aa33ce733151bbf74fdbd3da6118a20e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 21 Dec 2018 20:50:12 +0100
Subject: [PATCH 105/113] chg: [relationships] witness-of added
---
 relationships/definition.json | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/relationships/definition.json b/relationships/definition.json
index c6c94bb..0242365 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -927,6 +927,13 @@
 "format": [
 "alfred"
 ]
+ },
+ {
+ "name": "witness-of",
+ "description": "Represents an object being a witness of something.",
+ "format": [
+ "misp"
+ ]
 }
 ],
 "description": "Default type of relationships in MISP objects.",
From 25dc125a307648ff3d48d148ca57328cecf625d9 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Sat, 22 Dec 2018 07:23:17 +0100
Subject: [PATCH 106/113] fix: [relationships] removed duplicate
---
 relationships/definition.json | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 0242365..6b12f4a 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -264,13 +264,6 @@
 "misp"
 ]
 },
- {
- "name": "dropped-by",
- "description": "This relationship describes an object dropped by another object.",
- "format": [
- "misp"
- ]
- },
 {
 "name": "drops",
 "description": "This relationship describes an object which drops another object",
From 68ca8b0a92cfc145d74a11703785718c8d35af62 Mon Sep 17 00:00:00 2001
From: eCrimeLabs
Date: Sun, 30 Dec 2018 12:31:17 +0100
Subject: [PATCH 107/113] Updated JA3 to have own data type ja3-fingerprint-md5 and bumped the version
---
 objects/ja3/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json
index 6dcee9f..39b539d 100644
--- a/objects/ja3/definition.json
+++ b/objects/ja3/definition.json
@@ -2,12 +2,12 @@
 "name": "ja3",
 "meta-category": "network",
 "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
- "version": 3,
+ "version": 4,
 "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
 "attributes": {
 "ja3-fingerprint-md5": {
 "description": "Hash identifying source",
- "misp-attribute": "md5",
+ "misp-attribute": "ja3-fingerprint-md5",
 "ui-priority": 1
 },
 "description": {
From d98cfd6d1601fabe6a6260f3765fbf0c5b4cd804 Mon Sep 17 00:00:00 2001
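Review bot: Switching `misp-attribute` from `md5` to `ja3-fingerprint-md5` makes the template depend on the consuming instance already knowing that attribute type; an instance whose type list predates it will refuse the template rather than fall back to `md5`, and nothing in the hunk records that requirement. A short sentence in the object description, or in the README entry for ja3, stating the minimum MISP release that understands the type would spare users a confusing load failure. The attribute description `"Hash identifying source"` predates the change and still says nothing JA3-specific; `"MD5 of the JA3 fingerprint string of the client hello"` would describe the value users are expected to enter.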
From: Stefan Kelm
Date: Wed, 2 Jan 2019 16:19:08 +0100
Subject: [PATCH 108/113] New object: Information related to known scanning activity (e.g. from research projects)
---
 README.md | 1 +
 objects/research-scanner/definition.json | 80 ++++++++++++++++++++++++
 2 files changed, 81 insertions(+)
 create mode 100644 objects/research-scanner/definition.json
diff --git a/README.md b/README.md
index 5bf98d9..2be07a3 100644
--- a/README.md
+++ b/README.md
@@ -122,6 +122,7 @@ for a specific attribute.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
 * [objects/report](objects/report/definition.json) - Object to describe metadata used to generate an executive level report.
+* [objects/research-scanner](objects/research-scanner/definition.json) - Information related to known scanning activity (e.g. from research projects)
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
diff --git a/objects/research-scanner/definition.json b/objects/research-scanner/definition.json
new file mode 100644
index 0000000..8822c4e
--- /dev/null
+++ b/objects/research-scanner/definition.json
@@ -0,0 +1,80 @@
+{
+ "required": [
+ "project",
+ "scanning_ip"
+ ],
+ "attributes": {
+ "project": {
+ "description": "Description of scanning project",
+ "ui-priority": 1,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "scanning_ip": {
+ "description": "IP address used by project",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "ip-src",
+ "multiple": true
+ },
+ "domain": {
+ "description": "Domain related to project",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "domain"
+ },
+ "asn": {
+ "description": "Autonomous System Number related to project",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "AS"
+ },
+ "scheduled_start": {
+ "description": "Scheduled start of scanning activity",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "datetime"
+ },
+ "scheduled_end": {
+ "description": "Scheduled end of scanning activity",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "multiple": true,
+ "misp-attribute": "datetime"
+ },
+ "contact_email": {
+ "description": "Project contact information",
+ "disable_correlation": true,
+ "categories": [
+ "Network activity",
+ "Social network"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "email-dst",
+ "multiple": true
+ },
+ "contact_phone": {
+ "description": "Phone number related to project",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "project_url": {
+ "description": "URL related to project",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 20190102,
+ "description": "Information related to known scanning activity (e.g. from research projects)",
+ "meta-category": "network",
+ "uuid": "d690e956-fc8a-11e8-8eb2-f2801f1b9fd1",
+ "name": "research-scanner"
+}
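Review bot: `"version": 20190102` is a date stamp, while every other template in this series carries a small integer that is bumped by one per change; the next maintainer who edits this object and writes `"version": 2` will move the number backwards and, if template updates are decided by version comparison, the edit will never be picked up — `"version": 1` keeps the repository convention. The attribute keys use underscores (`scanning_ip`, `scheduled_start`, `contact_email`, `project_url`), unlike the hyphenated keys of existing objects (`creation-time`, `ja3-fingerprint-md5`, `first-name`), and renaming before publication is much cheaper than afterwards. Keeping correlation on for `scanning_ip` and `domain` is the useful part of this object, since sightings of the same address in incident events will link back to the known research project; the description could say so explicitly, as that is the reason the other fields have correlation disabled. `contact_email` is typed `email-dst` although it is a contact address rather than a destination seen in traffic; if a direction-neutral email type is available on the target MISP release it would be the better fit.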
From 12f51e2ad5378fe7615b7b1a4fb929540f7ccc33 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 2 Jan 2019 22:05:02 +0100
Subject: [PATCH 109/113] chg: [doc] copyright date fixed
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 2be07a3..48aab48 100644
--- a/README.md
+++ b/README.md
@@ -187,9 +187,9 @@ The MISP objects model allows to add new combined indicators format based on the
 ~~~~
-Copyright (C) 2016-2018 Andras Iklody
-Copyright (C) 2016-2018 Alexandre Dulaunoy
-Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg
+Copyright (C) 2016-2019 Andras Iklody
+Copyright (C) 2016-2019 Alexandre Dulaunoy
+Copyright (C) 2016-2019 CIRCL - Computer Incident Response Center Luxembourg
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as published by
From ae32e23fbf79d106caa0d3341e2a403171d9799c Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Thu, 3 Jan 2019 15:07:08 +0100
Subject: [PATCH 110/113] chg: [http-request] IP as allowed type
---
 objects/http-request/definition.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/objects/http-request/definition.json b/objects/http-request/definition.json
index 76bb081..04c4e6e 100644
--- a/objects/http-request/definition.json
+++ b/objects/http-request/definition.json
@@ -51,6 +51,15 @@
 "ui-priority": 1,
 "misp-attribute": "hostname"
 },
+ "ip": {
+ "categories": [
+ "Network activity",
+ "Payload delivery"
+ ],
+ "description": "The IP address of the server",
+ "ui-priority": 1,
+ "misp-attribute": "ip-dst"
+ },
 "method": {
 "categories": [
 "Network activity"
@@ -111,7 +120,7 @@
 "misp-attribute": "user-agent"
 }
 },
- "version": 2,
+ "version": 3,
 "description": "A single HTTP request header",
 "meta-category": "network",
 "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",
From b0d8e91f0faff0b83904e2dac68346f20ee5ff98 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 11 Jan 2019 15:02:06 +0100
Subject: [PATCH 111/113] add alias as a requiredOneof attribute
---
 objects/person/definition.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index 6dd31b5..d6c2c2f 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -1,7 +1,8 @@
 {
 "requiredOneOf": [
 "first-name",
- "last-name"
+ "last-name",
+ "alias"
 ],
 "attributes": {
 "text": {
From d6299e65425b781a8ea9fdd51f60f0ebc3835b16 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 11 Jan 2019 15:03:11 +0100
Subject: [PATCH 112/113] update person object version
---
 objects/person/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index d6c2c2f..2c0b080 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -153,7 +153,7 @@
 "multiple": true
 }
 },
- "version": 6,
+ "version": 7,
 "description": "An object which describes a person or an identity.",
 "meta-category": "misc",
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
From cf8c50b72e76483c4175b9cd798e262eba3234b2 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 11 Jan 2019 16:50:29 +0100
Subject: [PATCH 113/113] fix: Disabled correlation for original imported samples
---
 objects/original-imported-file/definition.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json
index c9d4762..5bd93ff 100644
--- a/objects/original-imported-file/definition.json
+++ b/objects/original-imported-file/definition.json
@@ -7,6 +7,7 @@
 "imported-sample": {
 "description": "The original imported file itself (binary).",
 "ui-priority": 1,
+ "disable_correlation": true,
 "misp-attribute": "attachment"
 },
 "format": {