mirror of https://github.com/MISP/misp-objects
commit
b41a39e986
@ -271,6 +271,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/macho](https://github.com/MISP/misp-objects/blob/main/objects/macho/definition.json) - Object describing a file in Mach-O format.
- [objects/macho](https://github.com/MISP/misp-objects/blob/main/objects/macho/definition.json) - Object describing a file in Mach-O format.
- [objects/macho-section](https://github.com/MISP/misp-objects/blob/main/objects/macho-section/definition.json) - Object describing a section of a file in Mach-O format.
- [objects/macho-section](https://github.com/MISP/misp-objects/blob/main/objects/macho-section/definition.json) - Object describing a section of a file in Mach-O format.
- [objects/mactime-timeline-analysis](https://github.com/MISP/misp-objects/blob/main/objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
- [objects/mactime-timeline-analysis](https://github.com/MISP/misp-objects/blob/main/objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
- [objects/malware](https://github.com/MISP/misp-objects/blob/main/objects/malware/definition.json) - Malware object to describe a malware instance. From STIX 2.1,
- [objects/malware-analysis](https://github.com/MISP/misp-objects/blob/main/objects/malware-analysis/definition.json) - Malware analysis object to capture the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. From STIX 2.1
- [objects/malware-config](https://github.com/MISP/misp-objects/blob/main/objects/malware-config/definition.json) - Malware configuration recovered or extracted from a malicious binary.
- [objects/malware-config](https://github.com/MISP/misp-objects/blob/main/objects/malware-config/definition.json) - Malware configuration recovered or extracted from a malicious binary.
- [objects/meme-image](https://github.com/MISP/misp-objects/blob/main/objects/meme-image/definition.json) - Object describing a meme (image).
- [objects/meme-image](https://github.com/MISP/misp-objects/blob/main/objects/meme-image/definition.json) - Object describing a meme (image).
- [objects/microblog](https://github.com/MISP/misp-objects/blob/main/objects/microblog/definition.json) - Microblog post like a Twitter tweet or a post on a Facebook wall.
- [objects/microblog](https://github.com/MISP/misp-objects/blob/main/objects/microblog/definition.json) - Microblog post like a Twitter tweet or a post on a Facebook wall.
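--- /dev/null
+++ b/objects/malware-analysis/definition.json
@@ -0,0 +1,79 @@
+{
+"attributes": {
+"analysis_definition_version": {
+"description": "The version of the analysis definitions used by the analysis tool.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"analysis_engine_version": {
+"description": "The version of the analysis engine or product that was used to perform the analysis.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"configuration_version": {
+"description": "The named configuration of additional product configuration parameters for this analysis run.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"end_time": {
+"description": "The date and time that the malware analysis ended.",
+"misp-attribute": "datetime",
+"ui-priority": 0
+},
+"module": {
+"description": "The specific analysis module that was used and configured in the product during this analysis run.",
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 0
+},
+"product": {
+"description": "The name of the analysis engine or product that was used.",
+"misp-attribute": "text",
+"ui-priority": 1
+},
+"result": {
+"description": "The classification result as determined by the scanner or tool analysis process.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"sane_default": [
+"benign",
+"malicious",
+"suspicious",
+"unknown"
+],
+"ui-priority": 0
+},
+"result_name": {
+"description": "The classification result or name assigned to the malware instance by the scanner tool.",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"start_time": {
+"description": "The date and time that the malware analysis was initiated.",
+"misp-attribute": "datetime",
+"ui-priority": 0
+},
+"submitted_time": {
+"description": "The date and time that the malware was first submitted for scanning or analysis.",
+"misp-attribute": "datetime",
+"ui-priority": 0
+},
+"version": {
+"description": "The version of the analysis product that was used to perform the analysis.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"ui-priority": 0
+}
+},
+"description": "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.",
+"meta-category": "misc",
+"name": "malware-analysis",
+"required": [
+"product"
+],
+"uuid": "8229ee82-7218-4ff5-9eac-57961a6f0288",
+"version": 1
+}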
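Review bot: `product` (the only required attribute, ui-priority 1) and `result_name` keep correlation enabled, while `result`, `version`, `analysis_engine_version`, `analysis_definition_version` and `configuration_version` all set `"disable_correlation": true`; an engine or product name is shared by every analysis object produced with that tool, so each such object would correlate with every other one and carry no analytic signal. If that is not intended, add `"disable_correlation": true,` to `product`, and probably also to `result_name`, whose scanner-assigned labels are likewise shared across unrelated samples. Whether correlating on the vendor's detection name is useful is a design choice, so it deserves an explicit decision here rather than the implicit default.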
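--- /dev/null
+++ b/objects/malware/definition.json
@@ -0,0 +1,168 @@
+{
+"attributes": {
+"alias": {
+"description": "Alternative name used to identify this malware or malware family.",
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 0
+},
+"architecture_execution_env": {
+"description": "The processor architecture that the malware instance or family is executable on.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"multiple": true,
+"sane_default": [
+"alpha",
+"arm",
+"ia-64",
+"mips",
+"powerpc",
+"sparc",
+"x86",
+"x86-64"
+],
+"ui-priority": 0
+},
+"capability": {
+"description": "Any of the capabilities identified for the malware instance or family.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"multiple": true,
+"sane_default": [
+"accesses-remote-machines",
+"anti-debugging",
+"anti-disassembly",
+"anti-emulation",
+"anti-memory-forensics",
+"anti-sandbox",
+"anti-vm",
+"captures-input-peripherals",
+"captures-output-peripherals",
+"captures-system-state-data",
+"cleans-traces-of-infection",
+"commits-fraud",
+"communicates-with-c2",
+"compromises-data-availability",
+"compromises-data-integrity",
+"compromises-system-availability",
+"controls-local-machine",
+"degrades-security-software",
+"degrades-system-updates",
+"determines-c2-server",
+"emails-spam",
+"escalates-privileges",
+"evades-av",
+"exfiltrates-data",
+"fingerprints-host",
+"hides-artifacts",
+"hides-executing-code",
+"infects-files",
+"infects-remote-machines",
+"installs-other-components",
+"persists-after-system-reboot",
+"prevents-artifact-access",
+"prevents-artifact-deletion",
+"probes-network-environment",
+"self-modifies",
+"steals-authentication-credentials",
+"violates-system-operational-integrity"
+],
+"ui-priority": 0
+},
+"description": {
+"description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"first_seen": {
+"description": "The time that the malware instance or family was first seen.",
+"misp-attribute": "datetime",
+"ui-priority": 0
+},
+"implementation_language": {
+"description": "The programming language used to implement the malware instance or family.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"multiple": true,
+"sane_default": [
+"applescript",
+"bash",
+"c",
+"c++",
+"c#",
+"go",
+"java",
+"javascript",
+"lua",
+"objective-c",
+"perl",
+"php",
+"powershell",
+"python",
+"ruby",
+"scala",
+"swift",
+"typescript",
+"visual-basic",
+"x86-32",
+"x86-64"
+],
+"ui-priority": 0
+},
+"is_family": {
+"description": "Defines whether the object represents a malware family or a malware instance.",
+"disable_correlation": true,
+"misp-attribute": "boolean",
+"ui-priority": 1
+},
+"last_seen": {
+"description": "The time that the malware family or malware instance was last seen.",
+"misp-attribute": "datetime",
+"ui-priority": 0
+},
+"malware_type": {
+"description": "A set of categorizations for the malware being described.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"multiple": true,
+"sane_default": [
+"adware",
+"backdoor",
+"bot",
+"bootkit",
+"ddos",
+"downloader",
+"dropper",
+"exploit-kit",
+"keylogger",
+"ransomware",
+"remote-access-trojan",
+"resource-exploitation",
+"rogue-security-software",
+"rootkit",
+"screen-capture",
+"spyware",
+"trojan",
+"unknown",
+"virus",
+"webshell",
+"wiper",
+"worm"
+],
+"ui-priority": 0
+},
+"name": {
+"description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
+"misp-attribute": "text",
+"ui-priority": 0
+}
+},
+"description": "Malware is a type of TTP that represents malicious code.",
+"meta-category": "misc",
+"name": "malware",
+"required": [
+"is_family"
+],
+"uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
+"version": 1
+}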
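Review bot: `description` is a free-text attribute with correlation left enabled, unlike `architecture_execution_env`, `capability`, `implementation_language`, `is_family` and `malware_type`, which all set `"disable_correlation": true`; long prose values only match when text is copied between events, so correlating on them mostly adds noise. Consider adding `"disable_correlation": true,` to `description`. Separately, the `name` description states the name MUST be defined for a family, but only `is_family` is listed in `required`, so the template cannot enforce that rule; it is left to producers, and the object's top-level description could say so. The same description allows a SHA-256 or filename to stand in for a name, which puts a hash into a `text` attribute; whether that still correlates with file-typed hash attributes, or whether a relationship to a file object is the better route, is worth confirming before this guidance ships.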