Merge pull request #403 from MISP/chrisr3d_patch

Malware & Malware Analysis objects
2023-08-16 22:40:01 +02:00 · 2023-08-16 22:40:01 +02:00 · b41a39e986
parent 0037856e60 c784a4a6e4
commit b41a39e986
3 changed files with 249 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -271,6 +271,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/macho](https://github.com/MISP/misp-objects/blob/main/objects/macho/definition.json) - Object describing a file in Mach-O format.
 - [objects/macho-section](https://github.com/MISP/misp-objects/blob/main/objects/macho-section/definition.json) - Object describing a section of a file in Mach-O format.
 - [objects/mactime-timeline-analysis](https://github.com/MISP/misp-objects/blob/main/objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
+- [objects/malware](https://github.com/MISP/misp-objects/blob/main/objects/malware/definition.json) - Malware object to describe a malware instance. From STIX 2.1, 
+- [objects/malware-analysis](https://github.com/MISP/misp-objects/blob/main/objects/malware-analysis/definition.json) - Malware analysis object to capture the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. From STIX 2.1
 - [objects/malware-config](https://github.com/MISP/misp-objects/blob/main/objects/malware-config/definition.json) - Malware configuration recovered or extracted from a malicious binary.
 - [objects/meme-image](https://github.com/MISP/misp-objects/blob/main/objects/meme-image/definition.json) - Object describing a meme (image).
 - [objects/microblog](https://github.com/MISP/misp-objects/blob/main/objects/microblog/definition.json) - Microblog post like a Twitter tweet or a post on a Facebook wall.
--- a/objects/malware-analysis/definition.json
+++ b/objects/malware-analysis/definition.json
@ -0,0 +1,79 @@
+{
+  "attributes": {
+    "analysis_definition_version": {
+      "description": "The version of the analysis definitions used by the analysis tool.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "analysis_engine_version": {
+      "description": "The version of the analysis engine or product that was used to perform the analysis.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "configuration_version": {
+      "description": "The named configuration of additional product configuration parameters for this analysis run.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "end_time": {
+      "description": "The date and time that the malware analysis ended.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "module": {
+      "description": "The specific analysis module that was used and configured in the product during this analysis run.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "product": {
+      "description": "The name of the analysis engine or product that was used.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "result": {
+      "description": "The classification result as determined by the scanner or tool analysis process.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "benign",
+        "malicious",
+        "suspicious",
+        "unknown"
+      ],
+      "ui-priority": 0
+    },
+    "result_name": {
+      "description": "The classification result or name assigned to the malware instance by the scanner tool.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "start_time": {
+      "description": "The date and time that the malware analysis was initiated.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "submitted_time": {
+      "description": "The date and time that the malware was first submitted for scanning or analysis.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "version": {
+      "description": "The version of the analysis product that was used to perform the analysis.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.",
+  "meta-category": "misc",
+  "name": "malware-analysis",
+  "required": [
+    "product"
+  ],
+  "uuid": "8229ee82-7218-4ff5-9eac-57961a6f0288",
+  "version": 1
+}
--- a/objects/malware/definition.json
+++ b/objects/malware/definition.json
@ -0,0 +1,168 @@
+{
+  "attributes": {
+    "alias": {
+      "description": "Alternative name used to identify this malware or malware family.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "architecture_execution_env": {
+      "description": "The processor architecture that the malware instance or family is executable on.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "alpha",
+        "arm",
+        "ia-64",
+        "mips",
+        "powerpc",
+        "sparc",
+        "x86",
+        "x86-64"
+      ],
+      "ui-priority": 0
+    },
+    "capability": {
+      "description": "Any of the capabilities identified for the malware instance or family.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "accesses-remote-machines",
+        "anti-debugging",
+        "anti-disassembly",
+        "anti-emulation",
+        "anti-memory-forensics",
+        "anti-sandbox",
+        "anti-vm",
+        "captures-input-peripherals",
+        "captures-output-peripherals",
+        "captures-system-state-data",
+        "cleans-traces-of-infection",
+        "commits-fraud",
+        "communicates-with-c2",
+        "compromises-data-availability",
+        "compromises-data-integrity",
+        "compromises-system-availability",
+        "controls-local-machine",
+        "degrades-security-software",
+        "degrades-system-updates",
+        "determines-c2-server",
+        "emails-spam",
+        "escalates-privileges",
+        "evades-av",
+        "exfiltrates-data",
+        "fingerprints-host",
+        "hides-artifacts",
+        "hides-executing-code",
+        "infects-files",
+        "infects-remote-machines",
+        "installs-other-components",
+        "persists-after-system-reboot",
+        "prevents-artifact-access",
+        "prevents-artifact-deletion",
+        "probes-network-environment",
+        "self-modifies",
+        "steals-authentication-credentials",
+        "violates-system-operational-integrity"
+      ],
+      "ui-priority": 0
+    },
+    "description": {
+      "description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "first_seen": {
+      "description": "The time that the malware instance or family was first seen.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "implementation_language": {
+      "description": "The programming language used to implement the malware instance or family.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "applescript",
+        "bash",
+        "c",
+        "c++",
+        "c#",
+        "go",
+        "java",
+        "javascript",
+        "lua",
+        "objective-c",
+        "perl",
+        "php",
+        "powershell",
+        "python",
+        "ruby",
+        "scala",
+        "swift",
+        "typescript",
+        "visual-basic",
+        "x86-32",
+        "x86-64"
+      ],
+      "ui-priority": 0
+    },
+    "is_family": {
+      "description": "Defines whether the object represents a malware family or a malware instance.",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "ui-priority": 1
+    },
+    "last_seen": {
+      "description": "The time that the malware family or malware instance was last seen.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "malware_type": {
+      "description": "A set of categorizations for the malware being described.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "adware",
+        "backdoor",
+        "bot",
+        "bootkit",
+        "ddos",
+        "downloader",
+        "dropper",
+        "exploit-kit",
+        "keylogger",
+        "ransomware",
+        "remote-access-trojan",
+        "resource-exploitation",
+        "rogue-security-software",
+        "rootkit",
+        "screen-capture",
+        "spyware",
+        "trojan",
+        "unknown",
+        "virus",
+        "webshell",
+        "wiper",
+        "worm"
+      ],
+      "ui-priority": 0
+    },
+    "name": {
+      "description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "Malware is a type of TTP that represents malicious code.",
+  "meta-category": "misc",
+  "name": "malware",
+  "required": [
+    "is_family"
+  ],
+  "uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
+  "version": 1
+}