Merge pull request #403 from MISP/chrisr3d_patch

Malware & Malware Analysis objects
pull/404/head
Alexandre Dulaunoy 2023-08-16 22:40:01 +02:00 committed by GitHub
commit b41a39e986
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 249 additions and 0 deletions

View File

@ -271,6 +271,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/macho](https://github.com/MISP/misp-objects/blob/main/objects/macho/definition.json) - Object describing a file in Mach-O format.
- [objects/macho-section](https://github.com/MISP/misp-objects/blob/main/objects/macho-section/definition.json) - Object describing a section of a file in Mach-O format.
- [objects/mactime-timeline-analysis](https://github.com/MISP/misp-objects/blob/main/objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
- [objects/malware](https://github.com/MISP/misp-objects/blob/main/objects/malware/definition.json) - Malware object to describe a malware instance. From STIX 2.1,
- [objects/malware-analysis](https://github.com/MISP/misp-objects/blob/main/objects/malware-analysis/definition.json) - Malware analysis object to capture the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. From STIX 2.1
- [objects/malware-config](https://github.com/MISP/misp-objects/blob/main/objects/malware-config/definition.json) - Malware configuration recovered or extracted from a malicious binary.
- [objects/meme-image](https://github.com/MISP/misp-objects/blob/main/objects/meme-image/definition.json) - Object describing a meme (image).
- [objects/microblog](https://github.com/MISP/misp-objects/blob/main/objects/microblog/definition.json) - Microblog post like a Twitter tweet or a post on a Facebook wall.

View File

@ -0,0 +1,79 @@
{
"attributes": {
"analysis_definition_version": {
"description": "The version of the analysis definitions used by the analysis tool.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"analysis_engine_version": {
"description": "The version of the analysis engine or product that was used to perform the analysis.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"configuration_version": {
"description": "The named configuration of additional product configuration parameters for this analysis run.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time that the malware analysis ended.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"module": {
"description": "The specific analysis module that was used and configured in the product during this analysis run.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"product": {
"description": "The name of the analysis engine or product that was used.",
"misp-attribute": "text",
"ui-priority": 1
},
"result": {
"description": "The classification result as determined by the scanner or tool analysis process.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"benign",
"malicious",
"suspicious",
"unknown"
],
"ui-priority": 0
},
"result_name": {
"description": "The classification result or name assigned to the malware instance by the scanner tool.",
"misp-attribute": "text",
"ui-priority": 0
},
"start_time": {
"description": "The date and time that the malware analysis was initiated.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"submitted_time": {
"description": "The date and time that the malware was first submitted for scanning or analysis.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"version": {
"description": "The version of the analysis product that was used to perform the analysis.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.",
"meta-category": "misc",
"name": "malware-analysis",
"required": [
"product"
],
"uuid": "8229ee82-7218-4ff5-9eac-57961a6f0288",
"version": 1
}

View File

@ -0,0 +1,168 @@
{
"attributes": {
"alias": {
"description": "Alternative name used to identify this malware or malware family.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"architecture_execution_env": {
"description": "The processor architecture that the malware instance or family is executable on.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"alpha",
"arm",
"ia-64",
"mips",
"powerpc",
"sparc",
"x86",
"x86-64"
],
"ui-priority": 0
},
"capability": {
"description": "Any of the capabilities identified for the malware instance or family.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"accesses-remote-machines",
"anti-debugging",
"anti-disassembly",
"anti-emulation",
"anti-memory-forensics",
"anti-sandbox",
"anti-vm",
"captures-input-peripherals",
"captures-output-peripherals",
"captures-system-state-data",
"cleans-traces-of-infection",
"commits-fraud",
"communicates-with-c2",
"compromises-data-availability",
"compromises-data-integrity",
"compromises-system-availability",
"controls-local-machine",
"degrades-security-software",
"degrades-system-updates",
"determines-c2-server",
"emails-spam",
"escalates-privileges",
"evades-av",
"exfiltrates-data",
"fingerprints-host",
"hides-artifacts",
"hides-executing-code",
"infects-files",
"infects-remote-machines",
"installs-other-components",
"persists-after-system-reboot",
"prevents-artifact-access",
"prevents-artifact-deletion",
"probes-network-environment",
"self-modifies",
"steals-authentication-credentials",
"violates-system-operational-integrity"
],
"ui-priority": 0
},
"description": {
"description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
"misp-attribute": "text",
"ui-priority": 0
},
"first_seen": {
"description": "The time that the malware instance or family was first seen.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"implementation_language": {
"description": "The programming language used to implement the malware instance or family.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"applescript",
"bash",
"c",
"c++",
"c#",
"go",
"java",
"javascript",
"lua",
"objective-c",
"perl",
"php",
"powershell",
"python",
"ruby",
"scala",
"swift",
"typescript",
"visual-basic",
"x86-32",
"x86-64"
],
"ui-priority": 0
},
"is_family": {
"description": "Defines whether the object represents a malware family or a malware instance.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"last_seen": {
"description": "The time that the malware family or malware instance was last seen.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"malware_type": {
"description": "A set of categorizations for the malware being described.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"adware",
"backdoor",
"bot",
"bootkit",
"ddos",
"downloader",
"dropper",
"exploit-kit",
"keylogger",
"ransomware",
"remote-access-trojan",
"resource-exploitation",
"rogue-security-software",
"rootkit",
"screen-capture",
"spyware",
"trojan",
"unknown",
"virus",
"webshell",
"wiper",
"worm"
],
"ui-priority": 0
},
"name": {
"description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "Malware is a type of TTP that represents malicious code.",
"meta-category": "misc",
"name": "malware",
"required": [
"is_family"
],
"uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
"version": 1
}