From 3382e18393781c2802b4fecde9662c87a78e47de Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 30 Apr 2018 16:27:17 +0200
Subject: [PATCH 001/244] add: new timestamp object
---
 objects/timestamp/definition.json | 45 +++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 objects/timestamp/definition.json
diff --git a/objects/timestamp/definition.json b/objects/timestamp/definition.json
new file mode 100644
index 0000000..c1a8da0
--- /dev/null
+++ b/objects/timestamp/definition.json
@@ -0,0 +1,45 @@
+{
+ "requiredOneOf": [
+ "first-seen",
+ "last-seen"
+ ],
+ "attributes": {
+ "text": {
+ "description": "Description of the time object.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "precision": {
+ "description": "Timestamp precision represents the precision given to first_seen and/or last_seen in this object.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "year",
+ "month",
+ "day",
+ "hour",
+ "minute",
+ "full"
+ ],
+ "disable_correlation": true
+ },
+ "first-seen": {
+ "description": "First time that the linked object or attribute has been seen.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "last-seen": {
+ "description": "First time that the linked object or attribute has been seen.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.",
+ "meta-category": "misc",
+ "uuid": "c8c91e23-4221-4533-8bf7-64e12b05f265",
+ "name": "timestamp"
+}
From e9e1bdd56cd1fba09a525b1c27434d6ec2b3b9fd Mon Sep 17 00:00:00 2001
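Review bot: The `last-seen` attribute carries a copy-pasted description, "First time that the linked object or attribute has been seen.", so the template documents two attributes with the same meaning and analysts filling the form get no hint which end of the interval is which; it should read `"description": "Last time that the linked object or attribute has been seen.",`. The `precision` description refers to `first_seen` and `last_seen` with underscores while the attributes are named `first-seen` and `last-seen`, which will confuse anyone searching the template; align it to `"... given to first-seen and/or last-seen in this object."`. Since `precision` is free text with only a `sane_default` hint, a consumer cannot rely on the values being one of year/month/day/hour/minute/full, so the description should say the list is advisory or the attribute should use a closed list if the template format supports one.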
From: Alexandre Dulaunoy
Date: Tue, 1 May 2018 11:21:05 +0200
Subject: [PATCH 002/244] add: Context where the YARA rule can be applied
---
 objects/yara/definition.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/objects/yara/definition.json b/objects/yara/definition.json
index 4b4724d..370bfdb 100644
--- a/objects/yara/definition.json
+++ b/objects/yara/definition.json
@@ -20,9 +20,20 @@
 "description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
 "ui-priority": 0,
 "misp-attribute": "text"
+ },
+ "context": {
+ "description": "Context where the YARA rule can be applied",
+ "sane_default": [
+ "all",
+ "disk",
+ "memory",
+ "network"
+ ],
+ "misp-attribute": "text",
+ "ui-priority": 0
 }
 },
- "version": 2,
+ "version": 3,
 "description": "An object describing a YARA rule along with its version.",
 "meta-category": "misc",
 "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
From e07f2d5c621ef99289b50518e23b01ed27146ab2 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Thu, 3 May 2018 14:11:14 +0200
Subject: [PATCH 003/244] Network connection object
---
 objects/network-connection/definition.json | 86 ++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 objects/network-connection/definition.json
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
new file mode 100644
index 0000000..ba2aa8f
--- /dev/null
+++ b/objects/network-connection/definition.json
@@ -0,0 +1,86 @@
+{
+ "name": "network-connection",
+ "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
+ "meta-category": "network",
+ "description": "",
+ "version": 1,
+ "attributes":{
+ "ip-src": {
+ "description": "Source IP address of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-src"
+ },
+ "ip-dst": {
+ "description": "Destination IP address of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-dst"
+ },
+ "src-port": {
+ "description": "Source port of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "dst-port": {
+ "description": "Destination port of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "layer3-protocol": {
+ "description": "Layer 3 protocol of the network connection.",
+ "ui-priority": 0,
+ "sane_default": [
+ "IP",
+ "ICMP",
+ "ARP"
+ ],
+ "misp-attribute": "text"
+ },
+ "layer4-protocol": {
+ "description": "Layer 4 protocol of the network connection.",
+ "ui-priority": 0,
+ "sane_default": [
+ "TCP",
+ "UDP"
+ ],
+ "misp-attribute": "text"
+ },
+ "layer7-protocol": {
+ "description": "Layer 7 protocol of the network connection.",
+ "ui-priority": 0,
+ "sane_default": [
+ "HTTP",
+ "HTTPS",
+ "FTP"
+ ],
+ "misp-attribute": "text"
+ },
+ "first-packet-seen": {
+ "misp-attribute": "datetime",
+ "ui-priority": 1,
+ "description": "Datetime of the first packet seen."
+ }
+ },
+ "requireOneOf": [
+ "first-packet-seen",
+ "ip-src",
+ "ip-dst",
+ "src-port",
+ "dst-port"
+ ]
+}
From 453fd31797318f3dd48390333cc89ef5be683ff7 Mon Sep 17 00:00:00 2001
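Review bot: The `src-port` attribute is left with correlation enabled, and since source ports of outbound connections are ephemeral and reused across every host, a shared `src-port` value would correlate unrelated events and add noise rather than signal; the series already uses `"disable_correlation": true` for exactly this class of low-entropy field, so add it to `src-port` (and probably to the `layer*-protocol` attributes, whose values repeat across almost every object). The four IP and port descriptions all say "nework connection" and should read `"... of the network connection."`. The `layer3-protocol` hint list includes `ARP`, which is not carried inside IP and is usually treated as link-layer; if the intent is "protocol seen on the wire below transport", the description should say so, otherwise ARP belongs in a separate attribute so it does not get mixed with IP/ICMP values. The `first-packet-seen` datetime has no last-seen counterpart, so a long-lived connection cannot be bounded without linking a separate timestamp object; that is fine if deliberate, but the description should mention it.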
From: Alexandre Dulaunoy
Date: Thu, 3 May 2018 14:18:15 +0200
Subject: [PATCH 004/244] fix: jq all
---
 objects/network-connection/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index ba2aa8f..e81d72e 100644
--- a/objects/network-connection/definition.json
+++ b/objects/network-connection/definition.json
@@ -4,7 +4,7 @@
 "meta-category": "network",
 "description": "",
 "version": 1,
- "attributes":{
+ "attributes": {
 "ip-src": {
 "description": "Source IP address of the nework connection.",
 "ui-priority": 1,
From 554cfe29fe99ab58cb58098325130179dec3dea7 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Thu, 3 May 2018 14:21:36 +0200
Subject: [PATCH 005/244] Added definition
---
 objects/network-connection/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index ba2aa8f..62f72ef 100644
--- a/objects/network-connection/definition.json
+++ b/objects/network-connection/definition.json
@@ -2,7 +2,7 @@
 "name": "network-connection",
 "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
 "meta-category": "network",
- "description": "",
+ "description": "A local or remote network connection.",
 "version": 1,
 "attributes":{
 "ip-src": {
From 4cdfd7b0a019f5cd106d09cc6e63e46b817f4b7d Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Thu, 3 May 2018 14:28:46 +0200
Subject: [PATCH 006/244] fix: RequiredOneOf field
Sorry, ate too much ananas in my pizza
---
 objects/network-connection/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index 26961d3..481c04c 100644
--- a/objects/network-connection/definition.json
+++ b/objects/network-connection/definition.json
@@ -76,7 +76,7 @@
 "description": "Datetime of the first packet seen."
 }
 },
- "requireOneOf": [
+ "requiredOneOf": [
 "first-packet-seen",
 "ip-src",
 "ip-dst",
From 956e6493158565426c228bf1dadb3c60a738288e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Thu, 3 May 2018 20:49:48 +0200
Subject: [PATCH 007/244] chg: Update email template
---
 objects/email/definition.json | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 7551d0c..84c1465 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -3,7 +3,7 @@
 "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
 "meta-category": "network",
 "description": "Email object describing an email with meta-information",
- "version": 10,
+ "version": 11,
 "attributes": {
 "reply-to": {
 "description": "Email address the reply will be sent to",
@@ -16,6 +16,7 @@
 "message-id": {
 "description": "Message ID",
 "misp-attribute": "email-message-id",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -24,6 +25,7 @@
 "to": {
 "description": "Destination email address",
 "misp-attribute": "email-dst",
+ "disable_correlation": true,
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
@@ -33,6 +35,7 @@
 "cc": {
 "description": "Carbon copy",
 "misp-attribute": "email-dst",
+ "disable_correlation": true,
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
@@ -59,6 +62,7 @@
 "screenshot": {
 "description": "Screenshot of email",
 "misp-attribute": "attachment",
+ "disable_correlation": true,
 "ui-priority": 1,
 "categories": [
 "External analysis"
@@ -76,6 +80,7 @@
 "x-mailer": {
 "description": "X-Mailer generally tells the program that was used to draft and send the original email",
 "misp-attribute": "email-x-mailer",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -84,6 +89,7 @@
 "header": {
 "description": "Full headers",
 "misp-attribute": "email-header",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -102,6 +108,7 @@
 "mime-boundary": {
 "description": "MIME Boundary",
 "misp-attribute": "email-mime-boundary",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -110,6 +117,7 @@
 "thread-index": {
 "description": "Identifies a particular conversation thread",
 "misp-attribute": "email-thread-index",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -125,7 +133,7 @@
 },
 "return-path": {
 "description": "Message return path",
- "misp-attribute": "text",
+ "misp-attribute": "email-src",
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
@@ -142,14 +150,22 @@
 "email-body": {
 "description": "Body of the email",
 "misp-attribute": "email-body",
+ "disable_correlation": true,
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
 ]
 },
+ "user-agent": {
+ "description": "User Agent of the sender",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
 "eml": {
 "description": "Full EML",
 "misp-attribute": "attachment",
+ "disable_correlation": true,
 "ui-priority": 1
 }
 },
From 6faf42cbd20b00e722671204d757ef89cc5b2f5c Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 4 May 2018 16:34:35 +0200
Subject: [PATCH 008/244] First version of process object
- Potentially more attributes to come
---
 objects/process/definition.json | 52 +++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 objects/process/definition.json
diff --git a/objects/process/definition.json b/objects/process/definition.json
new file mode 100644
index 0000000..a213e0d
--- /dev/null
+++ b/objects/process/definition.json
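Review bot: The new `user-agent` attribute in the `@@ -142,14 +150,22 @@` hunk is the only attribute in these hunks without a `categories` list, while every sibling shown (`email-body`, `header`, `mime-boundary`, `thread-index`, `x-mailer`) carries `"categories": ["Payload delivery"]`; unless the omission is deliberate, add `"categories": [ "Payload delivery" ]` so it is classified consistently with the header it is extracted from. The description "User Agent of the sender" is ambiguous next to `x-mailer`, which the template already documents as identifying the sending program; say which header this comes from (presumably `User-Agent:`) and how it differs from `x-mailer` so analysts do not populate both with the same value. The enclosing `attributes` object starts and ends outside this hunk.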
@@ -0,0 +1,52 @@
+{
+ "name": "process",
+ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
+ "meta-category": "misc",
+ "description": "Object describing a system process.",
+ "version": 1,
+ "attributes": {
+ "creation-time": {
+ "description": "Local date/time at which the process was created.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "start-time": {
+ "description": "Local date/time at which the process was started.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "name": {
+ "description": "Name of the process",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "pid": {
+ "description": "Process ID of the process.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "parent_pid": {
+ "description": "Process ID of the parent process.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "child-pid": {
+ "description": "Process ID of the child(ren) process.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "port": {
+ "description": "Port(s) owned by the process.",
+ "ui-priority": 1,
+ "misp-attribute": "src-port",
+ "multiple": true
+ }
+ },
+ "requiredOneOf": [
+ "name",
+ "pid"
+ ]
+}
From 13ec6018204e7c224bec31e184b22e2c65365514 Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira
Date: Fri, 4 May 2018 19:09:54 +0200
Subject: [PATCH 009/244] Update definition.json
To avoid having multiple object for each similar attacks coming from the same source, we allow multiple attack source in the same attack.
---
 objects/ss7-attack/definition.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index 6354c5d..e86cb16 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
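Review bot: The `port` attribute uses `"misp-attribute": "src-port"`, whereas the network-connection template added earlier in this series maps ports to the `port` attribute type; if `src-port` is not a registered MISP attribute type the template will fail validation or be rejected at import, and even if it is, "ports owned by the process" are listening ports, not source ports, so `"misp-attribute": "port"` is the consistent choice. The `pid`, `parent_pid` and `child-pid` attributes are `text` with correlation left on, and PIDs are small integers reused on every host, so two unrelated events sharing PID 4 would be correlated; the commit already sets `"disable_correlation": true` on the timestamps and should do the same here. `creation-time` and `start-time` are documented almost identically ("created" vs "started"), so state what distinguishes them or drop one; and the description "Local date/time" without a timezone makes cross-host comparison ambiguous, so say whether UTC or host-local time is expected.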
@@ -34,6 +34,7 @@
 },
 "SccpCgGT": {
 "description": "Signaling Connection Control Part (SCCP) CgGT - Phone number.",
+ "multiple": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
@@ -44,6 +45,7 @@
 },
 "SccpCgPC": {
 "description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.",
+ "multiple": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
From 443cce07bcd6129faa447f0b700e5bea79dd0e20 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 5 May 2018 12:39:22 +0200
Subject: [PATCH 010/244] Missing objects added
---
 README.md | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 7452306..c6b11ce 100644
--- a/README.md
+++ b/README.md
@@ -76,9 +76,11 @@ for a specific attribute.
 * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
 * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
 * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
-* [objects/course-of-action](objects/course-of-action/definition.json) - An object describing a Course of Action.
+* [objects/course-of-action](objects/course-of-action/definition.json) - An object describing a Course of Action such as a specific measure taken to prevent or respond to an attack.
 * [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
+* [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s).
 * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
+* [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
 * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
 * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
 * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
@@ -86,25 +88,34 @@ for a specific attribute.
 * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
 * [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
 * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
+* [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network.
+* [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object.
 * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
 * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way.
 * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation.
 * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
 * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
 * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook.
+* [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
 * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
+* [objects/network](objects/network/definition.json) - Network object describes a local or remote network connection.
 * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
 * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts.
 * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
 * [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
 * [objects/person](objects/person/definition.json) - A person object which describes a person or an identity.
 * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object.
+* [objects/process](objects/process/definition.json) - A process object.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
+* [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
+* [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
 * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
+* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system.
+* [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
 * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
@@ -113,7 +124,7 @@ for a specific attribute.
 * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
 * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
-* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported.
+* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported and context (such as memory, network, disk).
 ## MISP objects relationships
From 8e831d682820bdc9656f4ceb4f132e304972a065 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 7 May 2018 09:11:31 +0200
Subject: [PATCH 011/244] Fixed link
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index c6b11ce..d4cbba3 100644
--- a/README.md
+++ b/README.md
@@ -98,7 +98,7 @@ for a specific attribute.
 * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook.
 * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
 * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
-* [objects/network](objects/network/definition.json) - Network object describes a local or remote network connection.
+* [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection.
 * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
 * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts.
 * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
From 4d47c41f5ef805dcdd8c1a0799de8976e4c3d3a0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 8 May 2018 07:53:58 +0200
Subject: [PATCH 012/244] Network socket connection template object added
---
 objects/network-socket/definition.json | 183 +++++++++++++++++++++++++
 1 file changed, 183 insertions(+)
 create mode 100644 objects/network-socket/definition.json
diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json
new file mode 100644
index 0000000..b702ac7
--- /dev/null
+++ b/objects/network-socket/definition.json
@@ -0,0 +1,183 @@
+{
+ "name": "network-socket",
+ "uuid": "48bbfd72-ef8e-4649-b14d-41b4b5a0eba2",
+ "meta-category": "network",
+ "description": "Network socket object describes a local or remote network connections based on the socket data structure.",
+ "version": 1,
+ "attributes": {
+ "ip-src": {
+ "description": "Source (local) IP address of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-src"
+ },
+ "hostname-src": {
+ "description": "Source (local) hostname of the network socket connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "ip-dst": {
+ "description": "Destination IP address of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-dst"
+ },
+ "hostname-dst": {
+ "description": "Destination hostname of the network socket connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "src-port": {
+ "description": "Source (local) port of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "dst-port": {
+ "description": "Destination port of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "address-family": {
+ "description": "Address family who specifies the address family type (AF_*) of the socket connection.",
+ "ui-priority": 1,
+ "sane_default": [
+ "AF_UNSPEC",
+ "AF_LOCAL",
+ "AF_UNIX",
+ "AF_FILE",
+ "AF_INET",
+ "AF_AX25",
+ "AF_IPX",
+ "AF_APPLETALK",
+ "AF_NETROM",
+ "AF_BRIDGE",
+ "AF_ATMPVC",
+ "AF_X25",
+ "AF_INET6",
+ "AF_ROSE",
+ "AF_DECnet",
+ "AF_NETBEUI",
+ "AF_SECURITY",
+ "AF_KEY",
+ "AF_NETLINK",
+ "AF_ROUTE",
+ "AF_PACKET",
+ "AF_ASH",
+ "AF_ECONET",
+ "AF_ATMSVC",
+ "AF_RDS",
+ "AF_SNA",
+ "AF_IRDA",
+ "AF_PPPOX",
+ "AF_WANPIPE",
+ "AF_LLC",
+ "AF_IB",
+ "AF_MPLS",
+ "AF_CAN",
+ "AF_TIPC",
+ "AF_BLUETOOTH",
+ "AF_IUCV",
+ "AF_RXRPC",
+ "AF_ISDN",
+ "AF_PHONET",
+ "AF_IEEE802154",
+ "AF_CAIF",
+ "AF_ALG",
+ "AF_NFC",
+ "AF_VSOCK",
+ "AF_KCM",
+ "AF_MAX"
+ ],
+ "misp-attribute": "text"
+ },
+ "domain-family": {
+ "description": "Domain family who specifies the communication domain (PF_*) of the socket connection.",
+ "ui-priority": 1,
+ "sane_default": [
+ "PF_UNSPEC",
+ "PF_LOCAL",
+ "PF_UNIX",
+ "PF_FILE",
+ "PF_INET",
+ "PF_AX25",
+ "PF_IPX",
+ "PF_APPLETALK",
+ "PF_NETROM",
+ "PF_BRIDGE",
+ "PF_ATMPVC",
+ "PF_X25",
+ "PF_INET6",
+ "PF_ROSE",
+ "PF_DECnet",
+ "PF_NETBEUI",
+ "PF_SECURITY",
+ "PF_KEY",
+ "PF_NETLINK",
+ "PF_ROUTE",
+ "PF_PACKET",
+ "PF_ASH",
+ "PF_ECONET",
+ "PF_ATMSVC",
+ "PF_RDS",
+ "PF_SNA",
+ "PF_IRDA",
+ "PF_PPPOX",
+ "PF_WANPIPE",
+ "PF_LLC",
+ "PF_IB",
+ "PF_MPLS",
+ "PF_CAN",
+ "PF_TIPC",
+ "PF_BLUETOOTH",
+ "PF_IUCV",
+ "PF_RXRPC",
+ "PF_ISDN",
+ "PF_PHONET",
+ "PF_IEEE802154",
+ "PF_CAIF",
+ "PF_ALG",
+ "PF_NFC",
+ "PF_VSOCK",
+ "PF_KCM",
+ "PF_MAX"
+ ],
+ "misp-attribute": "text"
+ },
+ "state": {
+ "description": "State of the socket connection.",
+ "multiple": true,
+ "sane_default": [
+ "blocking",
+ "listening"
+ ],
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "option": {
+ "description": "Option on the socket connection.",
+ "multiple": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "requiredOneOf": [
+ "ip-src",
+ "ip-dst",
+ "src-port",
+ "dst-port"
+ ]
+}
From 536f6471356da25c917c39ad53da08c143d4b173 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 8 May 2018 09:03:57 +0200
Subject: [PATCH 013/244] add: Added hostname (src & dst) attributes
---
 objects/network-connection/definition.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index 481c04c..0aa9cba 100644
--- a/objects/network-connection/definition.json
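Review bot: `address-family` and `domain-family` are two independent free-text attributes with parallel AF_*/PF_* hint lists, but on Linux and the BSDs the PF_* constants are defined as aliases of the AF_* values, so the second attribute adds no information and allows contradictory pairs such as `AF_INET` with `PF_INET6`; either drop `domain-family` or state in its description that it must mirror `address-family`. The `state` hint list mixes an I/O mode (`blocking`) with a connection state (`listening`); if the field is meant to capture socket state as seen in `ss`/`netstat`, the hints should be the TCP states (`LISTEN`, `ESTABLISHED`, `TIME_WAIT`, …) and blocking/non-blocking belongs under `option`, which currently has no hint list at all. `src-port` is left correlating, and as with the network-connection template earlier in this series, ephemeral local ports shared across unrelated events will generate noisy correlations, so add `"disable_correlation": true` to it. The object description reads "describes a local or remote network connections" and should be `"... describes a local or remote network connection based on the socket data structure."`.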
+++ b/objects/network-connection/definition.json
@@ -41,6 +41,16 @@
 ],
 "misp-attribute": "port"
 },
+ "hostname-src": {
+ "description": "Source hostname of the network connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "hostname-dst": {
+ "description": "Destination hostname of the network connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
 "layer3-protocol": {
 "description": "Layer 3 protocol of the network connection.",
 "ui-priority": 0,
From b5f352e8c219f41557609bd9a1dcccea59a7d89a Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 8 May 2018 09:26:24 +0200
Subject: [PATCH 014/244] add: Added protocol attribute in the network socket object
---
 objects/network-socket/definition.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json
index b702ac7..5bbd1ff 100644
--- a/objects/network-socket/definition.json
+++ b/objects/network-socket/definition.json
@@ -51,6 +51,17 @@
 ],
 "misp-attribute": "port"
 },
+ "protocol": {
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "values_list": [
+ "TCP",
+ "UDP",
+ "ICMP",
+ "IP"
+ ],
+ "description": "Protocol used by the network socket."
+ },
 "address-family": {
 "description": "Address family who specifies the address family type (AF_*) of the socket connection.",
 "ui-priority": 1,
From 52e1316717b9e878c5da1606c256b6307a12bbb5 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 21 May 2018 10:19:54 +0200
Subject: [PATCH 015/244] chg: Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
---
 objects/timecode/definition.json | 52 ++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 objects/timecode/definition.json
diff --git a/objects/timecode/definition.json b/objects/timecode/definition.json
new file mode 100644
index 0000000..8a2c6ff
--- /dev/null
+++ b/objects/timecode/definition.json
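Review bot: The new `protocol` attribute in the `@@ -51,6 +51,17 @@` hunk of network-socket uses `values_list` while every other enumerated attribute in this template and in the sibling network-connection template uses `sane_default`; if `values_list` is enforced as a closed set, a socket using SCTP, a raw socket, or an IPv6-specific protocol cannot be recorded at all, and if it is not enforced the inconsistency is just confusing. Either switch to `"sane_default": [ "TCP", "UDP", "ICMP", "IP" ]` to match the rest of the file, or keep the closed list and document why those four values are exhaustive for this object. The list also mixes transport protocols (`TCP`, `UDP`) with network-layer ones (`ICMP`, `IP`), whereas network-connection splits these into `layer3-protocol` and `layer4-protocol`; aligning the two templates would make objects from both comparable. The enclosing `attributes` object starts and ends outside this hunk.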
@@ -0,0 +1,52 @@
+{
+ "requiredOneOf": [
+ "description",
+ "start-marker-timecode",
+ "end-marker-timecode",
+ "start-timecode",
+ "end-timecode",
+ "recording-date"
+ ],
+ "attributes": {
+ "description": {
+ "description": "Description of the video sequence",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "start-marker-timecode": {
+ "description": "Start marker timecode in the format hh:mm:ss;ff",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "end-marker-timecode": {
+ "description": "End marker timecode in the format hh:mm:ss;ff",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "start-timecode": {
+ "description": "Start marker timecode in the format hh:mm:ss.mms",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "end-timecode": {
+ "description": "End marker timecode in the format hh:mm:ss.mms",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "recording-date": {
+ "description": "Date of recording of the video sequence",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.",
+ "meta-category": "misc",
+ "uuid": "60141eac-71d2-4173-930d-91dba8106c40",
+ "name": "timecode"
+}
From fb3333f629e41ab6c0d67df65866b14c841238dc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 21 May 2018 10:20:49 +0200
Subject: [PATCH 016/244] add: Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index d4cbba3..f5a3099 100644
--- a/README.md
+++ b/README.md
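Review bot: `requiredOneOf` lists `description`, so a timecode object containing only a free-text description and no timecode or date at all satisfies the template, which defeats the point of an object whose description promises a start and end of a video sequence; drop `"description"` from `requiredOneOf` so at least one time value is mandatory. The `start-timecode` and `end-timecode` descriptions still say "marker timecode" (copied from the two marker attributes) and give the format as `hh:mm:ss.mms`, which is presumably meant to be milliseconds; write them as `"Start timecode in the format hh:mm:ss.mmm"` and `"End timecode in the format hh:mm:ss.mmm"` so the non-marker fields are distinguishable and the format is unambiguous. Because all four timecode attributes are plain `text`, nothing enforces the documented `hh:mm:ss;ff` / `hh:mm:ss.mmm` shapes, so a consumer comparing start and end values must validate them itself; a note in the object description saying the format is advisory would set that expectation. `recording-date` being `multiple` is surprising for a single sequence, so if several dates are intended (e.g. per camera) the description should say what each extra value means.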
@@ -115,6 +115,7 @@ for a specific attribute. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. * [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. +* [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. From e754719c000d732724077aaa141a4f313e885a5e Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Fri, 25 May 2018 09:13:14 +0200 Subject: [PATCH 017/244] Attribute typo --- objects/process/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/process/definition.json b/objects/process/definition.json index a213e0d..5fdcc2b 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -27,7 +27,7 @@ "ui-priority": 1, "misp-attribute": "text" }, - "parent_pid": { + "parent-pid": { "description": "Process ID of the parent process.", "ui-priority": 1, "misp-attribute": "text" From fe3a91b8d90476cbcc0854e3cc43b24962037504 Mon Sep 17 00:00:00 2001 
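Review bot: Renaming `parent_pid` to `parent-pid` changes the process object format, but the diffstat shows a single changed line, so the template `version` is not bumped; instances already holding the current version will not pick up the rename. Objects created with the old key will also no longer match the template. A version bump in the same commit, and keeping `parent_pid` for one version if compatibility matters, would address both.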
From: Alexandre Dulaunoy Date: Tue, 29 May 2018 16:07:50 +0200 Subject: [PATCH 018/244] chg: change version of the SS7 template object --- objects/ss7-attack/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index e86cb16..7f9b138 100644 --- a/objects/ss7-attack/definition.json +++ b/objects/ss7-attack/definition.json @@ -169,7 +169,7 @@ "misp-attribute": "datetime" } }, - "version": 1, + "version": 2, "description": "SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.", "meta-category": "network", "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782", From d17d11df1a968ef2d79093268c462ec1c66d7369 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 4 Jun 2018 19:46:58 +0200 Subject: [PATCH 019/244] chg: username of the author added + disable correlation for origin --- objects/paste/definition.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/objects/paste/definition.json b/objects/paste/definition.json index 9d0002b..a7c31b0 100644 --- a/objects/paste/definition.json +++ b/objects/paste/definition.json @@ -23,13 +23,19 @@ ], "description": "Original source of the paste or post.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "title": { "misp-attribute": "text", "ui-priority": 0, "description": "Title of the paste or post." }, + "username": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "User who posted the post." + }, "url": { "misp-attribute": "url", "ui-priority": 0, @@ -48,7 +54,7 @@ "misp-attribute": "datetime" } }, - "version": 2, + "version": 3, "description": "Paste or similar post from a website allowing to share privately or publicly posts.", "meta-category": "misc", "uuid": "cedc055c-78aa-49a4-bfd7-4cc30cecef12", From 19f7c90d1a560233b335494a1aa97f680ca0ff86 Mon Sep 17 00:00:00 2001 
From: Corsin Camichel Date: Tue, 5 Jun 2018 11:04:15 +0200 Subject: [PATCH 020/244] Shortened link and its redirect target --- objects/shortened-link/definition.json | 67 ++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 objects/shortened-link/definition.json diff --git a/objects/shortened-link/definition.json b/objects/shortened-link/definition.json new file mode 100644 index 0000000..18ef819 --- /dev/null +++ b/objects/shortened-link/definition.json @@ -0,0 +1,67 @@ +{ + "required": [ + "url", + "shortened-url" + ], + "attributes": { + "port": { + "description": "Port number", + "ui-priority": 0, + "misp-attribute": "port", + "disable_correlation": true + }, + "scheme": { + "description": "Scheme", + "sane_default": [ + "http", + "https", + "ftp" + ], + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "first-seen": { + "description": "First time this URL has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "query_string": { + "description": "Query (after path, preceded by '?')", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "url": { + "description": "Redirected to URL", + "ui-priority": 1, + "misp-attribute": "url" + }, + "shortened-url": { + "description": "Shortened URL", + "ui-priority": 1, + "misp-attribute": "url" + }, + "domain": { + "description": "Full domain", + "ui-priority": 0, + "misp-attribute": "domain" + }, + "credential": { + "description": "Credential (username, password)", + "ui-priority": 0, + "misp-attribute": "text" + }, + "text": { + "description": "Description and context of the shortened URL ", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Shortened link and its redirect target", + "meta-category": "network", + "uuid": "3ac2857c-689f-11e8-adc0-fa7ae01bbebc", + "name": "shortened-link" +} 
From 69ed89cef07de061b356f8a5f3e0de50600c3e82 Mon Sep 17 00:00:00 2001 From: Corsin Camichel Date: Tue, 5 Jun 2018 14:35:42 +0200 Subject: [PATCH 021/244] updated definition, removed some attributes --- objects/shortened-link/definition.json | 27 ++------------------------ 1 file changed, 2 insertions(+), 25 deletions(-) diff --git a/objects/shortened-link/definition.json b/objects/shortened-link/definition.json index 18ef819..9423750 100644 --- a/objects/shortened-link/definition.json +++ b/objects/shortened-link/definition.json @@ -4,35 +4,12 @@ "shortened-url" ], "attributes": { - "port": { - "description": "Port number", - "ui-priority": 0, - "misp-attribute": "port", - "disable_correlation": true - }, - "scheme": { - "description": "Scheme", - "sane_default": [ - "http", - "https", - "ftp" - ], - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, "first-seen": { - "description": "First time this URL has been seen", + "description": "First time this shortened URL has been seen", "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, - "query_string": { - "description": "Query (after path, preceded by '?')", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - }, "url": { "description": "Redirected to URL", "ui-priority": 1, @@ -62,6 +39,6 @@ "version": 1, "description": "Shortened link and its redirect target", "meta-category": "network", - "uuid": "3ac2857c-689f-11e8-adc0-fa7ae01bbebc", + "uuid": "99c2857c-689f-11e8-adc0-fa7ae01bbebc", "name": "shortened-link" } From 85901f995a3b573017d38facb576b167d68cd4b1 Mon Sep 17 00:00:00 2001 From: Corsin Camichel Date: Tue, 5 Jun 2018 14:39:12 +0200 Subject: [PATCH 022/244] renamed url attributed, versioning date based --- objects/shortened-link/definition.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/shortened-link/definition.json b/objects/shortened-link/definition.json index 9423750..a2a2ff6 100644 
--- a/objects/shortened-link/definition.json +++ b/objects/shortened-link/definition.json @@ -1,6 +1,6 @@ { "required": [ - "url", + "redirect-url", "shortened-url" ], "attributes": { @@ -10,7 +10,7 @@ "ui-priority": 0, "misp-attribute": "datetime" }, - "url": { + "redirect-url": { "description": "Redirected to URL", "ui-priority": 1, "misp-attribute": "url" @@ -36,9 +36,9 @@ "misp-attribute": "text" } }, - "version": 1, + "version": 2018060501, "description": "Shortened link and its redirect target", "meta-category": "network", - "uuid": "99c2857c-689f-11e8-adc0-fa7ae01bbebc", + "uuid": "361c0ae8-68bd-11e8-adc0-fa7ae01bbebc", "name": "shortened-link" } From a5c331038edcbb86557396cf39508f0e3e35a33b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 5 Jun 2018 15:22:17 +0200 Subject: [PATCH 023/244] chg: shortened-link template added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f5a3099..09ce8b5 100644 --- a/README.md +++ b/README.md @@ -111,6 +111,7 @@ for a specific attribute. * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. +* [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target. * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. From 07f41b0444e6ac548053803ab7cb8514e9abc43e Mon Sep 17 00:00:00 2001 
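Review bot: `"version": 2018060501` breaks from the small incremental integers every other template in this series uses (`1`, `2`, `3`, ...); if MISP compares template versions numerically, a later attempt to return to incremental numbering would be treated as a downgrade and ignored, so one scheme should be chosen deliberately. The template `uuid` is also changed here for the second time in three patches; the uuid is what consumers use to match objects to their template, so each change orphans objects created with the previous value. Harmless while the template is unreleased, but once published it must be treated as immutable and only `version` bumped.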
From: Alexandre Dulaunoy Date: Sat, 9 Jun 2018 10:46:12 +0200 Subject: [PATCH 024/244] chg: EPSG and spacial-reference add fix #102 Following feedback during the last ENISA Cyber Europe 2018, we updated the geolocation object to the following: - Fixing ui-priority to ensure lat,long in order - Adding the ability to specify an EPSG value instead of coordinates (handy if you want to quickly express a known location/area) - Set a default spacial-reference to avoid confusion between reported value from GPS versus values projected into a specific spacial projection. default is WGS-84. --- objects/geolocation/definition.json | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index 7a4902b..3fb7544 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json @@ -4,7 +4,8 @@ "longitude", "city", "region", - "country" + "country", + "epsg" ], "attributes": { "first-seen": { @@ -28,13 +29,13 @@ "latitude": { "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", "disable_correlation": true, - "ui-priority": 1, + "ui-priority": 90, "misp-attribute": "float" }, "longitude": { "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", "disable_correlation": true, - "ui-priority": 1, + "ui-priority": 89, "misp-attribute": "float" }, "altitude": { 
@@ -66,9 +67,23 @@ "description": "Country.", "misp-attribute": "text", "ui-priority": 1 + }, + "epsg": { + "description": "EPSG Geodetic Parameter value. This is an integer value of the EPSG.", + "misp-attribute": "text", + "ui-priority": 70 + }, + "spacial-reference": { + "description": "Default spacial or projection refence for this object.", + "misp-attribute": "text", + "disable_correlation": true, + "values_list": [ + "WGS84 EPSG:4326", + "Mercator EPSG:3857" + ] } }, - "version": 2, + "version": 3, "description": "An object to describe a geographic location.", "meta-category": "misc", "uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3", From 1ca25a39ad467439848c65c091cf2738dd22eb77 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 9 Jun 2018 10:59:01 +0200 Subject: [PATCH 025/244] fix: missing ui-priority --- objects/geolocation/definition.json | 1 + 1 file changed, 1 insertion(+) diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index 3fb7544..9a129c3 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json @@ -76,6 +76,7 @@ "spacial-reference": { "description": "Default spacial or projection refence for this object.", "misp-attribute": "text", + "ui-priority": 1, "disable_correlation": true, "values_list": [ "WGS84 EPSG:4326", From b6f12a9f46ddf10743208b964d12b6618e2f0e11 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 9 Jun 2018 11:36:58 +0200 Subject: [PATCH 026/244] chg: new script template object Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. Fix #101 --- README.md | 1 + objects/script/definition.json | 62 ++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 objects/script/definition.json diff --git a/README.md b/README.md index 09ce8b5..feee1c7 100644 --- a/README.md 
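Review bot: The new attribute key `spacial-reference` and its description ("spacial", "refence") carry typos; attribute keys become part of the object format, so renaming later is a breaking change and is worth doing before release: `"spatial-reference": { "description": "Spatial or projection reference for this object (default: WGS84 EPSG:4326).", ...`. The commit message says the default is WGS-84, but nothing in the template expresses that default, so stating it in the description is the minimal fix. `epsg` is described as an integer but typed `text`; if no integer attribute type is available, the description should say the value is a bare code such as `4326`. Unrelated to this change but visible in the context lines: the template uuid `fdd30d5f-6752-45ed-bef2-25e8ce4d8a3` has an 11-character final group and is not a valid UUID, which is worth checking against the released template.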
+++ b/README.md @@ -111,6 +111,7 @@ for a specific attribute. * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. +* [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target. * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. diff --git a/objects/script/definition.json b/objects/script/definition.json new file mode 100644 index 0000000..1824f58 --- /dev/null +++ b/objects/script/definition.json 
@@ -0,0 +1,62 @@ +{ + "required": [ + "script" + ], + "attributes": { + "script": { + "description": "Free text of the script.", + "ui-priority": 10, + "misp-attribute": "text" + }, + "comment": { + "description": "Comment associated to the script.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "language": { + "description": "Scripting language used for the script.", + "ui-priority": 9, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "PowerShell", + "VBScript", + "Bash", + "Lua", + "JavaScript", + "AppleScript", + "AWK", + "Python", + "Perl", + "Ruby", + "Winbatch", + "AutoIt" + ] + }, + "filename": { + "description": "Filename used for the script.", + "ui-priority": 8, + "misp-attribute": "filename", + "multiple": true, + "disable_correlation": true + }, + "state": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "Known state of the script.", + "multiple": true, + "disable_correlation": true, + "values_list": [ + "Malicious", + "Unknown", + "Harmless", + "Trusted" + ] + } + }, + "version": 1, + "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", + "meta-category": "misc", + "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", + "name": "script" +} From d2c9ae007a970491c9c611d496707ccea9d019ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thirion=20Aur=C3=A9lien?= Date: Tue, 12 Jun 2018 11:47:44 +0200 Subject: [PATCH 027/244] modify ail-leak object for the tagging system --- objects/ail-leak/definition.json | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json index 1243073..93f9073 100644 --- a/objects/ail-leak/definition.json +++ b/objects/ail-leak/definition.json 
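Review bot: `state` is declared `"multiple": true`, but its `values_list` (`Malicious`, `Unknown`, `Harmless`, `Trusted`) is a set of mutually exclusive verdicts, so one object can end up carrying both Malicious and Harmless. Unless the intent is to record diverging verdicts from several sources, drop `"multiple": true` or document the intent in the description. The `script` attribute holds the full text of a possibly malicious program as a correlating `text` value; an exact match on an entire script body is rare and bloats the correlation table, so `"disable_correlation": true` with `filename` (or a hash elsewhere) as the pivot looks more useful.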
@@ -3,10 +3,11 @@ "text", "first-seen", "last-seen", - "origin" + "origin", + "raw-data" ], "required": [ - "type" + "sensor" ], "attributes": { "sensor": { @@ -42,19 +43,6 @@ "ui-priority": 0, "misp-attribute": "datetime" }, - "type": { - "sane_default": [ - "Credential", - "CreditCards", - "Mail", - "Onion", - "Phone", - "Keys" - ], - "description": "Type of information leak as discovered and classified by an AIL module.", - "ui-priority": 0, - "misp-attribute": "text" - }, "last-seen": { "description": "When the leak has been accessible or seen for the last time.", "disable_correlation": true, @@ -74,7 +62,7 @@ "misp-attribute": "attachment" } }, - "version": 7, + "version": 8, "description": "An information leak as defined by the AIL Analysis Information Leak framework.", "meta-category": "misc", "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e", From 7d1e3747d004a5289e05a76963b7057ec79e1d50 Mon Sep 17 00:00:00 2001 From: AH Date: Mon, 18 Jun 2018 19:12:27 -0400 Subject: [PATCH 028/244] STIX AIS Information source --- objects/ais-info/definition.json | 55 ++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 objects/ais-info/definition.json diff --git a/objects/ais-info/definition.json b/objects/ais-info/definition.json new file mode 100644 index 0000000..abb2cc7 --- /dev/null +++ b/objects/ais-info/definition.json 
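Review bot: Dropping the `type` attribute outright and moving the hard requirement from `type` to `sensor` leaves objects created with template versions up to 7 holding a `type` value that no longer exists in version 8; if attributes are validated against the current template on import or edit, those objects become invalid. A softer path is to keep `type` for one version with a deprecation note while the tagging system takes over. Since the commit title is the only place that explains the replacement, a sentence in the object description would help, e.g. `"description": "An information leak as defined by the AIL Analysis Information Leak framework. The leak type is expressed via tags."`.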
@@ -0,0 +1,55 @@ +{ + "requiredOneOf": [ + "organisation", + "administrative-area", + "industry", + "country" + ], + "attributes": { + "organisation": { + "description": "AIS Organisation Name.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "administrative-area": { + "description": "AIS Administrative Area represented using ISO-3166-2.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "industry": { + "description": "AIS IndustryType.", + "misp-attribute": "text", + "ui-priority": 1, + "multiple": true, + "sane_default": [ + "Chemical Sector", + "Commercial Facilities Sector", + "Communications Sector", + "Critical Manufacturing Sector", + "Dams Sector", + "Defense Industrial Base Sector", + "Emergency Services Sector", + "Energy Sector", + "Financial Services Sector", + "Food and Agriculture Sector", + "Government Facilities Sector", + "Healthcare and Public Health Sector", + "Information Technology Sector", + "Nuclear Reactors, Materials, and Waste Sector", + "Transportation Systems Sector", + "Water and Wastewater Systems Sector", + "Other" + ] + }, + "country": { + "description": "AIS Country represented using ISO-3166-1_alpha-2.", + "misp-attribute": "text", + "ui-priority": 1 + } + }, + "version": 1, + "description": "Automated Indicator Sharing (AIS) Information Source Markings.", + "meta-category": "misc", + "uuid": "1f3f466d-465f-4c3a-8cce-933642c9ea83", + "name": "ais-info" +} \ No newline at end of file From d9a616095a3549a9730ee0421f6910dac1c3307a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 19 Jun 2018 21:11:24 +0200 Subject: [PATCH 029/244] Chg: jq all the things --- objects/ais-info/definition.json | 110 +++++++++++++++---------------- 1 file changed, 55 insertions(+), 55 deletions(-) diff --git a/objects/ais-info/definition.json b/objects/ais-info/definition.json index abb2cc7..05e9629 100644 --- a/objects/ais-info/definition.json +++ b/objects/ais-info/definition.json 
@@ -1,55 +1,55 @@ -{ - "requiredOneOf": [ - "organisation", - "administrative-area", - "industry", - "country" - ], - "attributes": { - "organisation": { - "description": "AIS Organisation Name.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "administrative-area": { - "description": "AIS Administrative Area represented using ISO-3166-2.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "industry": { - "description": "AIS IndustryType.", - "misp-attribute": "text", - "ui-priority": 1, - "multiple": true, - "sane_default": [ - "Chemical Sector", - "Commercial Facilities Sector", - "Communications Sector", - "Critical Manufacturing Sector", - "Dams Sector", - "Defense Industrial Base Sector", - "Emergency Services Sector", - "Energy Sector", - "Financial Services Sector", - "Food and Agriculture Sector", - "Government Facilities Sector", - "Healthcare and Public Health Sector", - "Information Technology Sector", - "Nuclear Reactors, Materials, and Waste Sector", - "Transportation Systems Sector", - "Water and Wastewater Systems Sector", - "Other" - ] - }, - "country": { - "description": "AIS Country represented using ISO-3166-1_alpha-2.", - "misp-attribute": "text", - "ui-priority": 1 - } - }, - "version": 1, - "description": "Automated Indicator Sharing (AIS) Information Source Markings.", - "meta-category": "misc", - "uuid": "1f3f466d-465f-4c3a-8cce-933642c9ea83", - "name": "ais-info" -} \ No newline at end of file +{ + "requiredOneOf": [ + "organisation", + "administrative-area", + "industry", + "country" + ], + "attributes": { + "organisation": { + "description": "AIS Organisation Name.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "administrative-area": { + "description": "AIS Administrative Area represented using ISO-3166-2.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "industry": { + "description": "AIS IndustryType.", + "misp-attribute": "text", + "ui-priority": 1, + "multiple": true, + "sane_default": [ + "Chemical Sector", 
+ "Commercial Facilities Sector", + "Communications Sector", + "Critical Manufacturing Sector", + "Dams Sector", + "Defense Industrial Base Sector", + "Emergency Services Sector", + "Energy Sector", + "Financial Services Sector", + "Food and Agriculture Sector", + "Government Facilities Sector", + "Healthcare and Public Health Sector", + "Information Technology Sector", + "Nuclear Reactors, Materials, and Waste Sector", + "Transportation Systems Sector", + "Water and Wastewater Systems Sector", + "Other" + ] + }, + "country": { + "description": "AIS Country represented using ISO-3166-1_alpha-2.", + "misp-attribute": "text", + "ui-priority": 1 + } + }, + "version": 1, + "description": "Automated Indicator Sharing (AIS) Information Source Markings.", + "meta-category": "misc", + "uuid": "1f3f466d-465f-4c3a-8cce-933642c9ea83", + "name": "ais-info" +} From 3b21125acdc7bcddd5ab3a230d9460d5138c2cc2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 22 Jun 2018 07:44:20 +0200 Subject: [PATCH 030/244] add: missing timesketch-timeline object template --- objects/timesketch-timeline/definition.json | 33 +++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 objects/timesketch-timeline/definition.json diff --git a/objects/timesketch-timeline/definition.json b/objects/timesketch-timeline/definition.json new file mode 100644 index 0000000..994015f --- /dev/null +++ b/objects/timesketch-timeline/definition.json 
@@ -0,0 +1,33 @@ +{ + "requiredOneOf": [ + "message", + "datetime" + ], + "attributes": { + "message": { + "description": "Informative message of the event", + "ui-priority": 0, + "misp-attribute": "text" + }, + "timestamp": { + "description": "When the log entry was seen in microseconds since Unix epoch", + "ui-priority": 0, + "misp-attribute": "timestamp-microsec" + }, + "timestamp_desc": { + "description": "Text explaining what type of timestamp is it", + "ui-priority": 0, + "misp-attribute": "text" + }, + "datetime": { + "description": "When the log entry was seen", + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 2, + "description": "A timesketch timeline object based on mandatory field in timesketch to describe a log entry.", + "meta-category": "misc", + "uuid": "06db0221-cbc0-4ffc-ad98-7f34549310f1", + "name": "timesketch-timeline" +} From 99b4a20ebb6bd24b553bd386dabae4ef428b488e Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Fri, 22 Jun 2018 17:27:21 +0200 Subject: [PATCH 031/244] add: Added some relations seen on stix --- relationships/definition.json | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index d238116..79c9217 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -33,9 +33,25 @@ "stix-1.1" ] }, + { + "name": "connected-from", + "description": "The referenced source is connected from the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, { "name": "contains", - "description": "The references source is containing the target object.", + "description": "The referenced source is containing the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "contained-within", + "description": "The referenced source is contained within the target object.", "format": [ "misp", "stix-1.1" 
@@ -99,7 +115,7 @@ }, { "name": "impersonates", - "description": "This relationship describe a source object which impersonates the target object", + "description": "This relationship describes a source object which impersonates the target object", "format": [ "misp", "stix-2.0" From 6c36a1df69e4ac46d650022b17bc2fa9997e3ef0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 4 Jul 2018 11:10:50 +0200 Subject: [PATCH 032/244] chg: [coin-address] XMR type address added in addition to the default Bitcoin address format --- objects/coin-address/definition.json | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json index e87b884..343f337 100644 --- a/objects/coin-address/definition.json +++ b/objects/coin-address/definition.json @@ -1,13 +1,19 @@ { "requiredOneOf": [ - "address" + "address", + "address-xmr" ], "attributes": { "address": { - "description": "Address used as a payment destination in a cryptocurrency", + "description": "Bitcoin address used as a payment destination in a cryptocurrency", "ui-priority": 1, "misp-attribute": "btc" }, + "address-xmr": { + "description": "Monero address used as a payment destination in a cryptocurrency", + "ui-priority": 1, + "misp-attribute": "xmr" + }, "symbol": { "description": "The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/", "misp-attribute": "text", @@ -61,7 +67,7 @@ "recommended": false } }, - "version": 2, + "version": 3, "description": "An address used in a cryptocurrency", "meta-category": "financial", "uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46", From 2b5592cfa6bdf8f00ecf7528bea669e0e233b9d7 Mon Sep 17 00:00:00 2001 
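Review bot: `address-xmr` references an `xmr` misp-attribute type that must exist in the MISP core for the template to load; an instance whose core predates that type will presumably reject the whole template rather than the single attribute, so the minimum MISP version should be stated in the commit or the description. The currency is now implied by the attribute name while `symbol` remains a free-form attribute, which allows an `address-xmr` with `"symbol": "BTC"`; a short description such as `"description": "Monero address used as a payment destination; symbol should be XMR."` makes the expected pairing explicit.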
From: Alexandre Dulaunoy Date: Mon, 9 Jul 2018 21:50:44 +0200 Subject: [PATCH 033/244] fix: [suricata] allow multiple Suricata rules in the object (similar context) and fix the rule to be in Snort format Fix #106 --- objects/suricata/definition.json | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/objects/suricata/definition.json b/objects/suricata/definition.json index ddbe458..dce6dea 100644 --- a/objects/suricata/definition.json +++ b/objects/suricata/definition.json @@ -4,14 +4,15 @@ ], "attributes": { "comment": { - "description": "A description of the Suricata rule.", + "description": "A description of the Suricata rule(s).", "ui-priority": 0, "misp-attribute": "comment" }, "suricata": { "description": "Suricata rule.", "ui-priority": 0, - "misp-attribute": "suricata" + "misp-attribute": "snort", + "multiple": true }, "version": { "description": "Version of the Suricata rule depending where the suricata rule is known to work as expected.", @@ -24,8 +25,8 @@ "ui-priority": 0 } }, - "version": 1, - "description": "An object describing a Suricata rule along with its version and context", + "version": 2, + "description": "An object describing one or more Suricata rule(s) along with version and contextual information.", "meta-category": "network", "uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a", "name": "suricata" From 9eb578d7475c136cc702e85b9c6477e00709bfc4 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 10 Jul 2018 07:21:36 +0200 Subject: [PATCH 034/244] chg: [vulnerability] updated following NATO and CIRCL feedback - CVSS score added - CVSS string added - credit attribute added - text -> description - vulnerability attribute can now be any format (not only the CVE format) --- objects/vulnerability/definition.json | 31 +++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json index 88f0604..5d41971 100644 
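Review bot: The `suricata` attribute now has `"misp-attribute": "snort"` while its description still reads "Suricata rule." and the object keeps the suricata name, so a reader of the template cannot tell the type change is deliberate. A description that records the reason avoids a future "fix" back to `suricata`: `"description": "Suricata rule, stored with the snort attribute type as Suricata and Snort share the rule syntax."`. The `"multiple": true` addition is consistent with the new "one or more Suricata rule(s)" wording in the object description.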
--- a/objects/vulnerability/definition.json +++ b/objects/vulnerability/definition.json @@ -5,17 +5,17 @@ "references", "vulnerable_configuration", "summary", - "text", + "description", "id" ], "attributes": { "id": { - "description": "Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.", + "description": "Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can be update or assigned later.", "ui-priority": 0, - "misp-attribute": "vulnerability", + "misp-attribute": "text", "multiple": true }, - "text": { + "description": { "description": "Description of the vulnerability", "ui-priority": 0, "misp-attribute": "text" @@ -69,10 +69,29 @@ ], "disable_correlation": true, "misp-attribute": "text" + }, + "cvss-score": { + "description": "Score of the Common Vulnerability Scoring System (version 3).", + "ui-priority": 1, + "disable_correlation": true, + "misp-attribute": "float" + }, + "cvss-string": { + "description": "String of the Common Vulnerability Scoring System (version 3).", + "ui-priority": 1, + "disable_correlation": true, + "misp-attribute": "text" + }, + "credit": { + "description": "Who reported/found the vulnerability such as an organisation, person or nickname.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true } }, - "version": 4, - "description": "Vulnerability object describing a common vulnerability enumeration which can describe unpublished, under review or embargo vulnerability for software, equipments or hardware.", + "version": 5, + "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "meta-category": "network", "uuid": "81650945-f186-437b-8945-9f31715d32da", "name": "vulnerability" 
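Review bot: Renaming `text` to `description` and changing `id` from the `vulnerability` type to `text` are both breaking for objects built from template version 4, and an existing `text` attribute no longer satisfies `requiredOneOf`; if compatibility matters, keep `text` as a deprecated alias for one version. Moving `id` to `text` also gives up whatever core handling (correlation, enrichment hooks) the `vulnerability` attribute type receives, which the commit message mentions only as "any format"; keeping `vulnerability` and adding a separate free-form id would preserve that. `cvss-score` and `cvss-string` hard-code "version 3" in their descriptions while many feeds still carry CVSSv2; naming the vector format instead keeps the attribute usable for both, e.g. `"description": "CVSS vector string, e.g. CVSS:3.0/AV:N/AC:L/...; the version is given by the prefix."`. The `id` description also carries typos ("necessarely", "can be update or assigned later").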
From 856cec8d0945c2715fe381da83d1ae080cd002be Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 10 Jul 2018 07:38:28 +0200 Subject: [PATCH 035/244] chg: [vulnerability] is now in its own vulnerability meta-category --- objects/vulnerability/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json index 5d41971..bc5513e 100644 --- a/objects/vulnerability/definition.json +++ b/objects/vulnerability/definition.json @@ -92,7 +92,7 @@ }, "version": 5, "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", - "meta-category": "network", + "meta-category": "vulnerability", "uuid": "81650945-f186-437b-8945-9f31715d32da", "name": "vulnerability" } From 1a491dfd23014f2459e96418f9157d73df7b9c58 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 10 Jul 2018 07:39:58 +0200 Subject: [PATCH 036/244] chg: [JSON schema] vulnerability added as meta-category --- schema_objects.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/schema_objects.json b/schema_objects.json index fa4635e..0d80fa0 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -67,7 +67,8 @@ "network", "financial", "misc", - "internal" + "internal", + "vulnerability" ] }, "name": { From 021b06bacd8eaa4dd93a2aebac6f50df0a11b807 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 10 Jul 2018 07:41:09 +0200 Subject: [PATCH 037/244] new: exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. --- objects/exploit-poc/definition.json | 44 +++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 objects/exploit-poc/definition.json 
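Review bot: The `vulnerability` meta-category is used by `objects/vulnerability/definition.json` in the preceding patch (035) but only added to the `meta-category` enum of `schema_objects.json` here in 036, so anything validating the definitions against the schema at commit 035 would reject the vulnerability object. Ordering the schema change first, or squashing the two, keeps every commit in the series valid.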
diff --git a/objects/exploit-poc/definition.json b/objects/exploit-poc/definition.json new file mode 100644 index 0000000..21d2ce4 --- /dev/null +++ b/objects/exploit-poc/definition.json @@ -0,0 +1,44 @@ +{ + "requiredOneOf": [ + "vulnerable_configuration", + "description", + "poc" + ], + "attributes": { + "description": { + "description": "Description of the exploit - proof of concept", + "ui-priority": 0, + "misp-attribute": "text" + }, + "vulnerable_configuration": { + "description": "The vulnerable configuration described in CPE format where the exploit/proof of concept is valid", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "author": { + "description": "Author of the exploit - proof of concept", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "poc": { + "description": "Proof of Concept or exploit (as a script, binary or described process)", + "ui-priority": 0, + "misp-attribute": "attachment", + "disable_correlation": true + } + }, + "version": 1, + "description": "Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.", + "meta-category": "vulnerability", + "uuid": "e3bdeef8-78c3-48d8-9c2f-1be5e5bde93b", + "name": "exploit-poc" +} From 26d142d37f605a3f9fb6c1b38455e300186b3a54 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 10 Jul 2018 07:42:47 +0200 Subject: [PATCH 038/244] chg: [exploit-poc] added to the list of objects --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index feee1c7..7e5424b 100644 --- a/README.md +++ b/README.md 
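Review bot: `poc` is declared as a plain `attachment` holding a working exploit, which (if the usual MISP handling applies, not visible here) is stored and downloaded as-is, whereas the `malware-sample` type is the one wrapped in a password-protected archive so the file is neither executed by accident nor quarantined by endpoint protection on the analyst side. Either switch the type, or at least state the hazard in the description: `"description": "Proof of Concept or exploit (script, binary or described process). Treat as live code; use malware-sample for binaries."`. `vulnerable_configuration` keeps the snake_case of the vulnerability object, which is consistent with the object it is meant to relate to.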
@@ -85,6 +85,7 @@ for a specific attribute. * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF). * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF). * [objects/email](objects/email/definition.json) - An email object. +* [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object. * [objects/file](objects/file/definition.json) - File object describing a file with meta-information. * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location. From 88819d6fa3fb75897f866bc787174b0678bfcbb6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 10 Jul 2018 09:32:12 +0200 Subject: [PATCH 039/244] chg: [exploit-poc] a same context can contains multiple PoC samples --- objects/exploit-poc/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/exploit-poc/definition.json b/objects/exploit-poc/definition.json index 21d2ce4..55d9bc7 100644 --- a/objects/exploit-poc/definition.json +++ b/objects/exploit-poc/definition.json @@ -33,10 +33,11 @@ "description": "Proof of Concept or exploit (as a script, binary or described process)", "ui-priority": 0, "misp-attribute": "attachment", - "disable_correlation": true + "disable_correlation": true, + "multiple": true } }, - "version": 1, + "version": 2, "description": "Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.", "meta-category": "vulnerability", "uuid": "e3bdeef8-78c3-48d8-9c2f-1be5e5bde93b", From b92ab93c80b8f9e8ede7cf572f58bf2629db4c55 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Tue, 10 Jul 2018 09:41:27 +0200 Subject: [PATCH 040/244] chg: [relationship] exploits added --- relationships/definition.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 79c9217..65f0e33 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -512,6 +512,10 @@ "format": [ "cert-eu" ] + }, + { + "name": "exploits", + "descriptipn": "This relationships describes an object (like a PoC/exploit) which exploits another object (such as a vulnerability object)." } ], "description": "Default type of relationships in MISP objects.", From 6585ec3329c0dfaa1bf227116447e0781ccd1193 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 10 Jul 2018 10:40:03 +0200 Subject: [PATCH 041/244] add: Updated relationships list with Cybox relationships best practices --- relationships/definition.json | 96 +++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 65f0e33..e66f470 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -49,6 +49,14 @@ "stix-1.1" ] }, + { + "name": "contained-by", + "description": "The referenced source is contained by the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, { "name": "contained-within", "description": "The referenced source is contained within the target object.", 
@@ -57,6 +65,94 @@ "stix-1.1" ] }, + { + "name": "characterized-by", + "description": "The referenced source is characterized by the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "characterizes", + "description": "The referenced source is characterizing the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "properties-queried", + "description": "The referenced source has queried the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "properties-queried-by", + "description": "The referenced source is queried by the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "extracted-from", + "description": "The referenced source is extracted from the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "supra-domain-of", + "description": "The referenced source is a supra domain of the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "sub-domain-of", + "description": "The referenced source is a sub domain of the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "dropped", + "description": "The referenced source has dropped the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "dropped-by", + "description": "The referenced source is dropped by the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "downloaded", + "description": "The referenced source has downloaded the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "downloaded-from", + "description": "The referenced source has been downloaded from the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, { "name": "resolved-to", "description": "The referenced source is resolved to the target object.", From 498c6f114bea7030090aee17cf864fd1f314a393 Mon Sep 17 00:00:00 2001 
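Review bot: Eleven relationship types are added without touching the file's `version` (the diffstat shows 96 insertions and no deletions, and the top-of-file version is still 12 when `signed-by` bumps it to 13 later in this series), so MISP instances that already loaded the relationship list will not pick these up until a later unrelated change bumps it; `"version": 13,` belongs with this hunk. The new `contained-by` sits next to the existing `contained-within` with an identical description, so either one should be dropped or the description should state which direction each is meant for, otherwise STIX export gets two MISP names for one CybOX relationship. `properties-queried` is also described as "has queried", which inverts the CybOX meaning of a source whose properties were queried by the target; worth checking against the CybOX vocabulary before shipping.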
From: chrisr3d Date: Tue, 10 Jul 2018 10:47:31 +0200 Subject: [PATCH 042/244] fix: Fixed exploits relationship properties --- relationships/definition.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index e66f470..e67c836 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -611,7 +611,10 @@ }, { "name": "exploits", - "descriptipn": "This relationships describes an object (like a PoC/exploit) which exploits another object (such as a vulnerability object)." + "description": "This relationships describes an object (like a PoC/exploit) which exploits another object (such as a vulnerability object).", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From 9918cc393dfcdc56fcef7405f0c916e1bba78adc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 13 Jul 2018 17:07:35 +0200 Subject: [PATCH 043/244] chg: [coin-address] ETN symbol added --- objects/coin-address/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json index 343f337..51876e7 100644 --- a/objects/coin-address/definition.json +++ b/objects/coin-address/definition.json @@ -44,7 +44,8 @@ "HSR", "STRAT", "WAVES", - "PPT" + "PPT", + "ETN" ] }, "last-seen": { @@ -67,7 +68,7 @@ "recommended": false } }, - "version": 3, + "version": 4, "description": "An address used in a cryptocurrency", "meta-category": "financial", "uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46", From 0244bce6ef96c333e6e34bd0c1d3bf4e0920b7b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 16 Jul 2018 13:48:56 +0200 Subject: [PATCH 044/244] new: threatgrid-report object template --- objects/threatgrid-report/definition.json | 79 +++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 objects/threatgrid-report/definition.json 
diff --git a/objects/threatgrid-report/definition.json b/objects/threatgrid-report/definition.json new file mode 100644 index 0000000..e98da6b --- /dev/null +++ b/objects/threatgrid-report/definition.json @@ -0,0 +1,79 @@ +{ + "required": [ + "threat_score" + ], + "attributes": { + "threat_score": { + "description": "threat_score", + "disable_correlation": true, + "categories": [ + "External analysis" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "heuristic_raw_score": { + "description": "heuristic_raw_score", + "disable_correlation": true, + "categories": [ + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "text" + }, + "heuristic_score": { + "description": "heuristic_score", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "analysis_submitted_at": { + "description": "Submission date", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "original_filename": { + "description": "Original filename", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "permalink": { + "description": "permalink", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "id": { + "description": "ThreatGrid ID", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "iocs": { + "description": "iocs", + "categories": [ + "Other" + ], + "ui-priority": 0, + "multiple": true, + "misp-attribute": "text" + } + }, + "version": 6, + "description": "ThreatGrid report", + "meta-category": "misc", + "uuid": "23b3576b-2e68-4a86-a103-68820daef1d5", + "name": "threatgrid-report" +} From 319c2a3e9667544d3861496495ea1d9cf9ea15ed Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 17 Jul 2018 08:29:14 +0200 Subject: [PATCH 045/244] chg: [threadgrid-report] added in the list of objects --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7e5424b..afb1b89 100644 
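Review bot: `permalink` and `analysis_submitted_at` are typed `text`, which loses the portal link's clickability and the date's ordering; `"misp-attribute": "link",` for the permalink (not `url`, which would turn the sandbox portal address into an indicator) and `"misp-attribute": "datetime",` for the submission time match how other report objects in this repository model the same fields. `heuristic_score` and the other scores are numeric values stored as text and, apart from `threat_score` and `heuristic_raw_score`, are left correlating, so every report scoring "95" will correlate with every other; `"disable_correlation": true` on all score attributes avoids polluting the correlation graph, with the ThreatGrid `id` the natural attribute to keep correlating. A brand-new template also starts at `"version": 6`; `1` is the convention elsewhere in this repository.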
--- a/README.md +++ b/README.md @@ -118,6 +118,7 @@ for a specific attribute. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. * [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. +* [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object. * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. From 6bfa2797011a8d9888dc871c076a672619986a44 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 18 Jul 2018 09:52:31 +0200 Subject: [PATCH 046/244] new: [short-message-service] Short Message Service (SMS) object template describing one or more SMS message added --- README.md | 1 + objects/short-message-service/definition.json | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 objects/short-message-service/definition.json diff --git a/README.md b/README.md index afb1b89..963e2f3 100644 --- a/README.md +++ b/README.md 
@@ -113,6 +113,7 @@ for a specific attribute. * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. * [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. +* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s). * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target. * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. diff --git a/objects/short-message-service/definition.json b/objects/short-message-service/definition.json new file mode 100644 index 0000000..6ad1a92 --- /dev/null +++ b/objects/short-message-service/definition.json 
@@ -0,0 +1,47 @@ +{ + "requiredOneOf": [ + "body", + "from" + ], + "attributes": { + "body": { + "description": "Message body of the SMS", + "ui-priority": 1, + "misp-attribute": "text" + }, + "url-rfc5724": { + "description": "url representing SMS using RFC 5724 (not url contained in the SMS which should use an url object)", + "ui-priority": 6, + "misp-attribute": "url" + }, + "from": { + "description": "Phone number used to send the SMS", + "ui-priority": 1, + "misp-attribute": "phone-number", + "multiple": true + }, + "to": { + "description": "Phone number receiving the SMS", + "ui-priority": 1, + "misp-attribute": "phone-number", + "multiple": true + }, + "sent-date": { + "description": "Initial sent date of the SMS", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "received-date": { + "description": "Received date of the SMS", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + } + }, + "version": 1, + "description": "Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.", + "meta-category": "misc", + "uuid": "4851a3dc-e1a6-43ac-9d97-f0d13a099fd2", + "name": "short-message-service" +} From 5af0d31c49092e67354b92a18432bc9dffe1b6f1 Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Fri, 20 Jul 2018 07:03:22 +0200 Subject: [PATCH 047/244] Allow multiple "pattern-in-file" in file object, fixes #109 --- objects/file/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 4c65a73..5c268db 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -98,7 +98,8 @@ "External analysis" ], "ui-priority": 1, - "misp-attribute": "pattern-in-file" + "misp-attribute": "pattern-in-file", + "multiple": true }, "text": { "description": "Free text value to attach to the file", 
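Review bot: `url-rfc5724` uses the `url` attribute type for an `sms:` URI that describes the message itself rather than an address the phone contacts, and in MISP the `url` type is IDS-flagged by default, so this field would be exported to network sensors as an indicator; `"disable_correlation": true` plus documenting that `to_ids` should be off, or modelling it as `text`, keeps the URI out of IoC feeds. Smishing senders are frequently alphanumeric sender IDs rather than numbers, and if MISP's `phone-number` validation rejects those (worth confirming), a `text`-typed `sender-id` attribute is needed so such campaigns can be recorded at all. The object's description says "one or more SMS message" while `body` is single-valued and only `from`/`to` are `multiple`; either make `body` multiple or reword the description to one message with several recipients.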
@@ -164,7 +165,7 @@ ] } }, - "version": 11, + "version": 12, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From 9a72b539235f24577a7a597ff76ceeabd543fafc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 20 Jul 2018 10:12:09 +0200 Subject: [PATCH 048/244] chg: allow multiple domains too fix #108 --- objects/domain-ip/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json index 7cd4d8a..8e56f07 100644 --- a/objects/domain-ip/definition.json +++ b/objects/domain-ip/definition.json @@ -30,7 +30,8 @@ "External analysis" ], "ui-priority": 1, - "misp-attribute": "domain" + "misp-attribute": "domain", + "multiple": true }, "ip": { "description": "IP Address", @@ -43,7 +44,7 @@ "multiple": true } }, - "version": 5, + "version": 6, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", From aae03a3db2ef70790a4ee369bb380c69dcc53083 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 22 Jul 2018 08:04:26 +0200 Subject: [PATCH 049/244] chg: [misp-objects] multiple flag is now visible in asciidoctor output --- tools/adoc_objects.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tools/adoc_objects.py b/tools/adoc_objects.py index de43cd2..c75e282 100755 --- a/tools/adoc_objects.py +++ b/tools/adoc_objects.py @@ -3,7 +3,7 @@ # # # A simple converter of MISP objects to asciidoctor format -# Copyright (C) 2017 Alexandre Dulaunoy +# Copyright (C) 2017-2018 Alexandre Dulaunoy # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as 
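Review bot: Making `domain` multiple while `ip` is already multiple means an object with several of each no longer records which domain resolved to which address, yet the description still promises "A domain and IP address seen as a tuple in a specific time frame"; an analyst pivoting on a sinkholed IP can no longer tell which hostname actually pointed at it. If the goal is one object per resolution set, the description should say that explicitly, e.g. `"description": "One or more domains and the IP addresses they were seen resolving to in a specific time frame; pairing between individual domains and addresses is not preserved."`, otherwise keeping one domain per object and linking objects with `resolved-to` preserves the tuple semantics.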
@@ -84,14 +84,18 @@ def asciidoc(content=False, adoc=None, t='title',title=''): #output = '\n{}\n'.format #output = '[cols=\",a\"]\n' output = output + '|===\n' - output = output + '|Object attribute | MISP attribute type | Description | Disable correlation\n' + output = output + '|Object attribute | MISP attribute type | Description | Disable correlation | Multiple\n' adoc = adoc + output for v in content['attributes']: disableCorrelation = 'icon:minus[] ' description = 'icon:minus[] ' + multiple = 'icon:minus[] ' if 'disable_correlation' in content['attributes'][v]: if content['attributes'][v]['disable_correlation']: disableCorrelation = 'icon:check[] ' + if 'multiple' in content['attributes'][v]: + if content['attributes'][v]['multiple']: + multiple = 'icon:check[] ' if 'description' in content['attributes'][v]: if content['attributes'][v]['description']: description = '{}'.format(content['attributes'][v]['description']) @@ -101,7 +105,7 @@ def asciidoc(content=False, adoc=None, t='title',title=''): if 'sane_default' in content['attributes'][v]: values = content['attributes'][v]['sane_default'] description = '{} {}'.format(content['attributes'][v]['description'],values) - output = '\n| {} | {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation) + output = '\n| {} | {} a| {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation, multiple) adoc = adoc + output output = '\n|===\n' adoc = adoc + output From 3aa3247b09f76e235fa4b94e216d5c879285c9d1 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 26 Jul 2018 14:06:39 +0200 Subject: [PATCH 050/244] chg: [paste object] add a link attribute when the paste reference is not malicious --- objects/paste/definition.json | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/objects/paste/definition.json b/objects/paste/definition.json index a7c31b0..09c5adf 100644 
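Review bot: The new `multiple` column copies the nested `if 'multiple' in …: if …['multiple']:` shape used for `disable_correlation`, where a single lookup reads better and avoids the double index: `multiple = 'icon:check[] ' if content['attributes'][v].get('multiple') else 'icon:minus[] '`. The same one-liner would tidy the `disableCorrelation` branch above it, and a `#` comment on the header row noting that the `Multiple` column reflects the template's `multiple` flag helps readers of the generated table. The enclosing `asciidoc()` function starts before this hunk, so its parameters are not visible here.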
--- a/objects/paste/definition.json +++ b/objects/paste/definition.json @@ -19,7 +19,9 @@ "codepad.org", "safebin.net", "hastebin.com", - "ghostbin.com" + "ghostbin.com", + "paste.ee", + "0bin.net" ], "description": "Original source of the paste or post.", "ui-priority": 0, @@ -39,7 +41,12 @@ "url": { "misp-attribute": "url", "ui-priority": 0, - "description": "Link to the original source of the paste or post." + "description": "Link to the original source of the paste or post (when used maliciously)." + }, + "link": { + "misp-attribute": "link,", + "ui-priority": 0, + "description": "Link to the original source of the source or post (when used legitimately for OSINT source or alike)." }, "last-seen": { "description": "When the paste has been accessible or seen for the last time.", @@ -54,7 +61,7 @@ "misp-attribute": "datetime" } }, - "version": 3, + "version": 4, "description": "Paste or similar post from a website allowing to share privately or publicly posts.", "meta-category": "misc", "uuid": "cedc055c-78aa-49a4-bfd7-4cc30cecef12", From c1f5e7342bd7cc4257226f27c7191be6c23eb7c9 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 26 Jul 2018 15:49:44 +0200 Subject: [PATCH 051/244] url is not a field of email object, then not one of the requiredOneOf --- objects/email/definition.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/objects/email/definition.json b/objects/email/definition.json index 84c1465..a5099a6 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json @@ -3,7 +3,7 @@ "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "meta-category": "network", "description": "Email object describing an email with meta-information", - "version": 11, + "version": 12, "attributes": { "reply-to": { "description": "Email address the reply will be sent to", @@ -179,7 +179,6 @@ "message-id", "reply-to", "send-date", - "url", "mime-boundary", "thread-index", "header", 
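Review bot: The new `link` attribute declares `"misp-attribute": "link,"`, with a stray comma inside the string, which is not a MISP attribute type; the template will fail type validation and the attribute cannot be created. It should read `"misp-attribute": "link",`. The split between `url` (IDS-flagged, for malicious pastes) and `link` (plain reference, for OSINT sources) is the right one and is worth stating in the object description so users pick correctly; the `link` description also reads "source of the source or post" and presumably means "source of the paste or post".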
From 4e23159cb0c7c46e84b5ff2ac0e59a377112ff03 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 27 Jul 2018 15:15:47 +0200 Subject: [PATCH 052/244] fix RequiredOneOf list in fle object --- objects/file/definition.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 5c268db..972cf1a 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -4,8 +4,6 @@ "size-in-bytes", "authentihash", "ssdeep", - "imphash", - "pehash", "md5", "sha1", "sha224", From 60010ce556e580201e6302fd32188f7a170fa1e9 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 27 Jul 2018 15:19:15 +0200 Subject: [PATCH 053/244] fix file object version --- objects/file/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 972cf1a..49bbc28 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -163,7 +163,7 @@ ] } }, - "version": 12, + "version": 13, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From 0b164141af255dd8b8e0c71c9a73b0a0dae2b6d7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 4 Aug 2018 15:39:38 +0200 Subject: [PATCH 054/244] chg: [vehicle] Vehicle object template to describe a vehicle information and registration --- README.md | 3 +- objects/vehicle/definition.json | 52 +++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 objects/vehicle/definition.json diff --git a/README.md b/README.md index 963e2f3..dd87bb5 100644 --- a/README.md +++ b/README.md 
@@ -118,7 +118,7 @@ for a specific attribute. * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. -* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. +* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system. * [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object. * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. 
@@ -127,6 +127,7 @@ for a specific attribute. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata. +* [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration. * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused. * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name. * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate. diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json new file mode 100644 index 0000000..cc302f0 --- /dev/null +++ b/objects/vehicle/definition.json 
@@ -0,0 +1,52 @@ +{ + "requiredOneOf": [ + "description", + "year", + "make", + "model", + "license-plate-number", + "vin" + ], + "attributes": { + "description": { + "description": "Description of the vehicle", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true + }, + "year": { + "description": "Year of manufacturing of the vehicle", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "make": { + "description": "Manufacturer of the vehicle", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "model": { + "description": "Model of the vehicle", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "vin": { + "description": "Vehicle identification number (VIN)", + "ui-priority": 0, + "misp-attribute": "text" + }, + "license-plate-number": { + "description": "License plate number", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + } + }, + "version": 1, + "description": "Vehicle object template to describe a vehicle information and registration", + "meta-category": "misc", + "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4", + "name": "vehicle" +} From 487ff53afee98ffc3360424312bc7c82588de879 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 15 Aug 2018 18:26:10 +0200 Subject: [PATCH 055/244] fix: [geolocation] to include accuracy-radius as described by maxmind geoip2 API --- objects/geolocation/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index 9a129c3..b2c0393 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json 
@@ -63,6 +63,12 @@ "misp-attribute": "text", "ui-priority": 1 }, + "accuracy-radius": { + "description": "The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city or postal code) associated with the related object. (based on geoip2 accuracy of maxmind)", + "misp-attribute": "float", + "ui-priority": 1, + "disable_correlation": true + }, "country": { "description": "Country.", "misp-attribute": "text", @@ -84,7 +90,7 @@ ] } }, - "version": 3, + "version": 4, "description": "An object to describe a geographic location.", "meta-category": "misc", "uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3", From ab58f01666ba7c2325ab7092db3d5e4aaee8e0ba Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 15 Aug 2018 18:34:35 +0200 Subject: [PATCH 056/244] chg: [geolocation] disable correlation on specific attributes --- objects/geolocation/definition.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index b2c0393..1189994 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json @@ -41,7 +41,8 @@ "altitude": { "description": "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.", "ui-priority": 0, - "misp-attribute": "float" + "misp-attribute": "float", + "disable_correlation": true }, "address": { "description": "Address.", @@ -77,7 +78,8 @@ "epsg": { "description": "EPSG Geodetic Parameter value. This is an integer value of the EPSG.", "misp-attribute": "text", - "ui-priority": 70 + "ui-priority": 70, + "disable_correlation": true }, "spacial-reference": { "description": "Default spacial or projection refence for this object.", 
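Review bot: The context line `"uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3"` that both hunks touch appears to be one hex digit short of a valid UUID (its last group is 11 characters rather than 12); if so, MISP's template loader may reject or silently skip this object regardless of the `accuracy-radius` addition, so this is worth checking against an instance that validates template UUIDs before relying on the new attribute. Typing `accuracy-radius` as `float` with `disable_correlation` is correct for a measurement, and the description already names the unit (kilometers), which avoids the usual ambiguity.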
@@ -90,7 +92,7 @@ ] } }, - "version": 4, + "version": 5, "description": "An object to describe a geographic location.", "meta-category": "misc", "uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3", From a2384e90324958d7c5b37dbd531eea01c644404a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 21 Aug 2018 10:22:42 +0200 Subject: [PATCH 057/244] added "signed-by" relationship fix #87 --- relationships/definition.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index e67c836..0010098 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1,5 +1,5 @@ { - "version": 12, + "version": 13, "values": [ { "name": "derived-from", @@ -615,6 +615,13 @@ "format": [ "misp" ] + }, + { + "name": "signed-by", + "description": "This relationship describes an object signed by another object.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From e90b1ce4575c122d410f143d5205771614004d9f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 28 Aug 2018 14:30:29 +0200 Subject: [PATCH 058/244] chg: [ja3] categories removed (default attributes categories will be used) Fix MISP/MISP/issues/3593 --- objects/ja3/definition.json | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json index fb60f1c..6dcee9f 100644 --- a/objects/ja3/definition.json +++ b/objects/ja3/definition.json 
@@ -2,43 +2,27 @@ "name": "ja3", "meta-category": "network", "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3", - "version": 2, + "version": 3, "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac", "attributes": { "ja3-fingerprint-md5": { "description": "Hash identifying source", "misp-attribute": "md5", - "ui-priority": 1, - "categories": [ - "Network activity", - "External analysis" - ] + "ui-priority": 1 }, "description": { "description": "Type of detected software ie software, malware", "misp-attribute": "text", - "ui-priority": 1, - "categories": [ - "Network activity", - "External analysis" - ] + "ui-priority": 1 }, "ip-src": { "description": "Source IP Address", "misp-attribute": "ip-src", - "categories": [ - "Network activity", - "External analysis" - ], "ui-priority": 1 }, "ip-dst": { "description": "Destination IP address", "misp-attribute": "ip-dst", - "categories": [ - "Network activity", - "External analysis" - ], "ui-priority": 1 }, "first-seen": { From b83e98bbd4cf891f1a486aba71ee6b81a2bc9f81 Mon Sep 17 00:00:00 2001 From: aksha Date: Mon, 3 Sep 2018 11:28:40 +0100 Subject: [PATCH 059/244] Add: Misp object for Digital Forensic - Case metadata --- .../definition.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 objects/digital-forensics-case-metadata/definition.json diff --git a/objects/digital-forensics-case-metadata/definition.json b/objects/digital-forensics-case-metadata/definition.json new file mode 100644 index 0000000..c1ab823 --- /dev/null +++ b/objects/digital-forensics-case-metadata/definition.json 
@@ -0,0 +1,68 @@ +{ + "requiredOneOf": [ + "case-number", + "name-of-the-analyst", + "crime-date", + "analysis-start-date" + ], + "attributes": { + "case-number": { + "description": "Any unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "case-name": { + "description": "Name to address the case.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "name-of-the-analyst": { + "description": "Name(s) of the analyst assigned to the case.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "location-of-the-crime": { + "description": "Location where the crime took place.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "crime-date": { + "description": "Date and time when the crime occurred.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "describe-the-crime-scene": { + "description": "Description of the crime scene", + "ui-priority": 0, + "misp-attribute": "text" + }, + "objects-acquired": { + "description": "Digital evidence acquired from the crime scene.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "analysis-start-date": { + "description": "Date when the analysis began.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Describes details of the case under analysis.", + "meta-category": "misc", + "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac", + "name": "Digital forensic - Case info" + } + \ No newline at end of file From 0c98a925f3db3184a9f44fdce7adcb3d3150806e Mon Sep 17 00:00:00 2001 
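Review bot: `"name": "Digital forensic - Case info"` breaks the convention visible in every other template on this page, where `name` equals the kebab-case directory name (`timestamp`, `yara`, `forensic-case`), so the name cannot serve as a stable identifier for the template; use `"name": "digital-forensics-case-metadata"`. `name-of-the-analyst` is a `text` attribute with correlation enabled, so analysts' names will correlate across events and, once the event is shared, the correlation list reveals which cases the same person handled; add `"disable_correlation": true` to it and to the other free-text fields (`describe-the-crime-scene`, `objects-acquired`, `additional-comments`). The file is also committed without a trailing newline.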
From: Alexandre Dulaunoy Date: Mon, 3 Sep 2018 13:54:59 +0200 Subject: [PATCH 060/244] chg: [forensic-case] object added based on the original one from @Aks6193 The idea is to separate the evidences from the case itself as you can have multiple acquisitions for a specific case. Another object template is required such as [forensic-evidence] to be able to link between the forensic-case object and one or more evidences. --- objects/forensic-case/definition.json | 47 +++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 objects/forensic-case/definition.json diff --git a/objects/forensic-case/definition.json b/objects/forensic-case/definition.json new file mode 100644 index 0000000..a15b7c2 --- /dev/null +++ b/objects/forensic-case/definition.json @@ -0,0 +1,47 @@ +{ + "requiredOneOf": [ + "case-number" + ], + "attributes": { + "case-number": { + "description": "Any unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "case-name": { + "description": "Name to address the case.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "name-of-the-analyst": { + "description": "Name(s) of the analyst assigned to the case.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "analysis-start-date": { + "description": "Date when the analysis began.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "An object template to describe a digital forensic case.", + "meta-category": "misc", + "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac", + "name": "forensic-case" +} 
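Review bot: The template reuses `"uuid": "3ea36022-ae93-455e-88b1-d43aca789cac"`, the same value as `objects/digital-forensics-case-metadata/definition.json` added two commits earlier on this page, and at this commit both files exist side by side; MISP identifies object templates by uuid, so loading both definitions will make them collide, with one silently replacing the other or the later load being refused depending on version handling. Generate a fresh v4 UUID for `forensic-case`, unless the intent is for this file to take over the old identity, in which case the old file should be deleted in the same commit and `version` set above 1 so the replacement is picked up.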
From 7ee2ff1901ddea4b1464a4e39b4dc93dc5c943e6 Mon Sep 17 00:00:00 2001 From: aksha Date: Tue, 4 Sep 2018 12:31:13 +0100 Subject: [PATCH 061/244] Add: Object template for digital evidence --- .../definition.json | 68 ---------------- objects/forensic-evidence/definition.json | 78 +++++++++++++++++++ 2 files changed, 78 insertions(+), 68 deletions(-) delete mode 100644 objects/digital-forensics-case-metadata/definition.json create mode 100644 objects/forensic-evidence/definition.json diff --git a/objects/digital-forensics-case-metadata/definition.json b/objects/digital-forensics-case-metadata/definition.json deleted file mode 100644 index c1ab823..0000000 --- a/objects/digital-forensics-case-metadata/definition.json +++ /dev/null 
@@ -1,68 +0,0 @@ -{ - "requiredOneOf": [ - "case-number", - "name-of-the-analyst", - "crime-date", - "analysis-start-date" - ], - "attributes": { - "case-number": { - "description": "Any unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "case-name": { - "description": "Name to address the case.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "name-of-the-analyst": { - "description": "Name(s) of the analyst assigned to the case.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text" - }, - "location-of-the-crime": { - "description": "Location where the crime took place.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "crime-date": { - "description": "Date and time when the crime occurred.", - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "describe-the-crime-scene": { - "description": "Description of the crime scene", - "ui-priority": 0, - "misp-attribute": "text" - }, - "objects-acquired": { - "description": "Digital evidence acquired from the crime scene.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "analysis-start-date": { - "description": "Date when the analysis began.", - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" - } - }, - "version": 1, - "description": "Describes details of the case under analysis.", - "meta-category": "misc", - "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac", - "name": "Digital forensic - Case info" - } - \ No newline at end of file diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json new file mode 100644 index 0000000..eddb50e --- /dev/null +++ b/objects/forensic-evidence/definition.json 
@@ -0,0 +1,78 @@ +{ + "required": [ + "case-number", + "evidence-number" + ], + "attributes": { + "case-number": { + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Computer", + "Network", + "Mobile Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ], + "disable_correlation": true + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-hash-type": { + "description": "Hashing algorithm used on the evidence", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "MD5", + "SHA-1", + "Other" + ], + "disable_correlation": true + }, + "acquisition-hash": { + "description": "Acquisition hash of the evidence", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "file-upload": { + "description": "Upload any file pertaining to the evidence.", + "ui-priority": 0, + "misp-attribute": "attachment", + "multiple": true + } + }, + "version": 1, + "description": "An object template to describe a digital forensic evidence.", + "meta-category": "misc", + "uuid": "fe44c648-63ef-43fc-b3de-af71a2e023e4", + "name": "forensic-evidence" +} From 4e66e692d4d09a26ce25b216ccf20c76529fe44a Mon Sep 17 00:00:00 2001 
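Review bot: `acquisition-hash` is typed `text` and its algorithm lives in a separate `multiple: true` attribute `acquisition-hash-type` whose `sane_default` offers only MD5, SHA-1 and Other, so the integrity hash of the image cannot correlate with `md5`/`sha1`/`sha256` attributes elsewhere in MISP, a multi-valued algorithm field cannot be paired unambiguously with a single hash value, and SHA-256, which current imaging tools record, is missing. Replace the pair with one attribute per algorithm using MISP's hash attribute types so the algorithm is implicit and correlation with file hashes works. `file-upload` attaches arbitrary files to the evidence record; its description should note that the attachment is shared at the event's distribution level.

```json
"acquisition-md5": {
  "description": "MD5 of the acquired image as recorded by the acquisition tool.",
  "ui-priority": 0,
  "misp-attribute": "md5"
},
"acquisition-sha1": {
  "description": "SHA-1 of the acquired image as recorded by the acquisition tool.",
  "ui-priority": 0,
  "misp-attribute": "sha1"
},
"acquisition-sha256": {
  "description": "SHA-256 of the acquired image as recorded by the acquisition tool.",
  "ui-priority": 0,
  "misp-attribute": "sha256"
}
```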
From: aksha Date: Tue, 4 Sep 2018 12:46:00 +0100 Subject: [PATCH 062/244] fixed intendation --- objects/forensic-evidence/definition.json | 130 +++++++++++----------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json index eddb50e..a572b43 100644 --- a/objects/forensic-evidence/definition.json +++ b/objects/forensic-evidence/definition.json 
@@ -1,74 +1,74 @@ { "required": [ - "case-number", - "evidence-number" + "case-number", + "evidence-number" ], "attributes": { "case-number": { - "description": "A unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "evidence-number": { - "description": "A unique number assigned to the evidence for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Evidence type.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Computer", - "Network", - "Mobile Device", - "Multimedia", - "Cloud", - "IoT", - "Other" - ], - "disable_correlation": true - }, - "name": { - "description": "Name", - "ui-priority": 0, - "misp-attribute": "text" - }, - "acquisition-hash-type": { - "description": "Hashing algorithm used on the evidence", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "MD5", - "SHA-1", - "Other" - ], - "disable_correlation": true - }, - "acquisition-hash": { - "description": "Acquisition hash of the evidence", - "ui-priority": 0, - "misp-attribute": "text" - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" }, - "file-upload": { - "description": "Upload any file pertaining to the evidence.", - "ui-priority": 0, - "misp-attribute": "attachment", - "multiple": true - } + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ 
+ "Computer", + "Network", + "Mobile Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ], + "disable_correlation": true + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-hash-type": { + "description": "Hashing algorithm used on the evidence", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "MD5", + "SHA-1", + "Other" + ], + "disable_correlation": true + }, + "acquisition-hash": { + "description": "Acquisition hash of the evidence", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "file-upload": { + "description": "Upload any file pertaining to the evidence.", + "ui-priority": 0, + "misp-attribute": "attachment", + "multiple": true + } }, "version": 1, "description": "An object template to describe a digital forensic evidence.", From d2550dffb63b46a7c15f143485d1575af8c8c4f2 Mon Sep 17 00:00:00 2001 From: aksha Date: Tue, 4 Sep 2018 14:18:30 +0100 Subject: [PATCH 063/244] update: Forensic-evidence object --- objects/forensic-evidence/definition.json | 136 +++++++++++----------- 1 file changed, 71 insertions(+), 65 deletions(-) diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json index a572b43..068a15e 100644 --- a/objects/forensic-evidence/definition.json +++ b/objects/forensic-evidence/definition.json 
@@ -4,71 +4,77 @@ "evidence-number" ], "attributes": { - "case-number": { - "description": "A unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "evidence-number": { - "description": "A unique number assigned to the evidence for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Evidence type.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Computer", - "Network", - "Mobile Device", - "Multimedia", - "Cloud", - "IoT", - "Other" - ], - "disable_correlation": true - }, - "name": { - "description": "Name", - "ui-priority": 0, - "misp-attribute": "text" - }, - "acquisition-hash-type": { - "description": "Hashing algorithm used on the evidence", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "MD5", - "SHA-1", - "Other" - ], - "disable_correlation": true - }, - "acquisition-hash": { - "description": "Acquisition hash of the evidence", - "ui-priority": 0, - "misp-attribute": "text" - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "file-upload": { - "description": "Upload any file pertaining to the evidence.", - "ui-priority": 0, - "misp-attribute": "attachment", - "multiple": true - } + "case-number": { + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Computer", + "Network", + "Mobile 
Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ] + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-method": { + "description": "Method used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Live acquisition", + "Dead/Offline acquisition", + "Physical collection", + "Logical collection", + "File system extraction", + "Chip-off", + "Other" + ] + }, + "acquisition-tools": { + "description": "Tools used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple" : true, + "sane_default": [ + "DCFldd", + "EnCase", + "FTK Imager", + "FDAS", + "TrueBack", + "Guymager", + "IXimager", + "Other" + ] + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + } }, "version": 1, "description": "An object template to describe a digital forensic evidence.", From d84b499d3ab866d0a4cca1cfb392fbc0f23a4fc9 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 4 Sep 2018 16:15:08 +0200 Subject: [PATCH 064/244] fix: Some relationships typo fixed --- relationships/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index e67c836..2e35d42 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -187,7 +187,7 @@ }, { "name": "indicates", - "description": "This relationships describes that the source object indicates the target object.", + "description": "This relationship describes that the source object indicates the target object.", "format": [ "misp", "stix-2.0" 
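Review bot: This rewrite removes `acquisition-hash`, `acquisition-hash-type` and `file-upload` and adds `acquisition-method`/`acquisition-tools`, yet `"version": 1` at the end of the hunk is unchanged; MISP decides whether to refresh a stored template by comparing `version`, so instances that already loaded v1 may keep the old attribute set and reject objects built from this one. Bump to `"version": 2`. Dropping the hash also leaves the evidence object with no integrity anchor: a record that names the imaging tool but not the image hash cannot support chain of custody, so keep a hash attribute (using the `md5`/`sha1`/`sha256` attribute types) next to the new method and tool fields. The `required` list at the top of the file is outside the hunk.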
@@ -611,7 +611,7 @@
 },
 {
 "name": "exploits",
- "description": "This relationships describes an object (like a PoC/exploit) which exploits another object (such as a vulnerability object).",
+ "description": "This relationship describes an object (like a PoC/exploit) which exploits another object (such as a vulnerability object).",
 "format": [
 "misp"
 ]
From 3a81765d8fdcb8e10a67fd407b09ca33fe7f868d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 4 Sep 2018 20:40:16 +0200
Subject: [PATCH 065/244] jq all the things (tm)
---
 objects/forensic-evidence/definition.json | 146 +++++++++++-----------
 1 file changed, 73 insertions(+), 73 deletions(-)
diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json
index 068a15e..b0effd8 100644
--- a/objects/forensic-evidence/definition.json
+++ b/objects/forensic-evidence/definition.json 
@@ -1,80 +1,80 @@ { "required": [ - "case-number", - "evidence-number" + "case-number", + "evidence-number" ], "attributes": { - "case-number": { - "description": "A unique number assigned to the case for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "evidence-number": { - "description": "A unique number assigned to the evidence for unique identification.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Evidence type.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Computer", - "Network", - "Mobile Device", - "Multimedia", - "Cloud", - "IoT", - "Other" - ] - }, - "name": { - "description": "Name", - "ui-priority": 0, - "misp-attribute": "text" - }, - "acquisition-method": { - "description": "Method used for acquisition of the evidence.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "Live acquisition", - "Dead/Offline acquisition", - "Physical collection", - "Logical collection", - "File system extraction", - "Chip-off", - "Other" - ] - }, - "acquisition-tools": { - "description": "Tools used for acquisition of the evidence.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple" : true, - "sane_default": [ - "DCFldd", - "EnCase", - "FTK Imager", - "FDAS", - "TrueBack", - "Guymager", - "IXimager", - "Other" - ] - }, - "references": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text" - } + "case-number": { + "description": "A unique number assigned to the case for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "evidence-number": { + "description": "A unique number assigned to the evidence for unique identification.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Evidence type.", + "multiple": 
true, + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Computer", + "Network", + "Mobile Device", + "Multimedia", + "Cloud", + "IoT", + "Other" + ] + }, + "name": { + "description": "Name", + "ui-priority": 0, + "misp-attribute": "text" + }, + "acquisition-method": { + "description": "Method used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Live acquisition", + "Dead/Offline acquisition", + "Physical collection", + "Logical collection", + "File system extraction", + "Chip-off", + "Other" + ] + }, + "acquisition-tools": { + "description": "Tools used for acquisition of the evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "DCFldd", + "EnCase", + "FTK Imager", + "FDAS", + "TrueBack", + "Guymager", + "IXimager", + "Other" + ] + }, + "references": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text" + } }, "version": 1, "description": "An object template to describe a digital forensic evidence.", From 38071f4bd9e3de1138a096cbbf66089f5105d798 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 4 Sep 2018 20:48:51 +0200 Subject: [PATCH 066/244] chg: [forensic-evidence] updated to include other tools and correlation disabled for some fields --- objects/forensic-evidence/definition.json | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/objects/forensic-evidence/definition.json b/objects/forensic-evidence/definition.json index b0effd8..95e5398 100644 --- a/objects/forensic-evidence/definition.json +++ b/objects/forensic-evidence/definition.json 
@@ -27,10 +27,11 @@ "Cloud", "IoT", "Other" - ] + ], + "disable_correlation": true }, "name": { - "description": "Name", + "description": "Name of the evidence acquired.", "ui-priority": 0, "misp-attribute": "text" }, @@ -46,7 +47,8 @@ "File system extraction", "Chip-off", "Other" - ] + ], + "disable_correlation": true }, "acquisition-tools": { "description": "Tools used for acquisition of the evidence.", @@ -54,7 +56,9 @@ "misp-attribute": "text", "multiple": true, "sane_default": [ - "DCFldd", + "dd", + "dc3dd", + "dcfldd", "EnCase", "FTK Imager", "FDAS", @@ -62,7 +66,8 @@ "Guymager", "IXimager", "Other" - ] + ], + "disable_correlation": true }, "references": { "description": "External references", @@ -73,10 +78,11 @@ "additional-comments": { "description": "Comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, - "version": 1, + "version": 2, "description": "An object template to describe a digital forensic evidence.", "meta-category": "misc", "uuid": "fe44c648-63ef-43fc-b3de-af71a2e023e4", From 089042085661bbfc36700fbd4d451996c10d3777 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 6 Sep 2018 11:20:26 +0200 Subject: [PATCH 067/244] new: New Object describing original files usedd to import data in MISP --- README.md | 1 + .../original-imported-file/definition.json | 34 +++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 objects/original-imported-file/definition.json diff --git a/README.md b/README.md index dd87bb5..472d106 100644 --- a/README.md +++ b/README.md 
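Review bot: `name` (now `"Name of the evidence acquired."`) is left with correlation enabled while this commit disables it for the enumerated fields in the same hunks; an evidence label such as a device model or "laptop HDD" is free text that will correlate across unrelated cases, so add `"disable_correlation": true` to `name` as done for `type` and `acquisition-method`. Separately, as of this `"version": 2` the template still has no hash attribute for the acquired image (the earlier `acquisition-hash` was dropped two commits back on this page), so consider reintroducing one with the `sha256` attribute type before this version is published. `case-number` and `evidence-number` are outside these hunks.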
@@ -100,6 +100,7 @@ for a specific attribute. * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. +* [objects/original-imported-file](pbjects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json new file mode 100644 index 0000000..2a2c0d9 --- /dev/null +++ b/objects/original-imported-file/definition.json 
@@ -0,0 +1,34 @@ +{ + "requiredOneOf": [ + "filename", + "imported-sample", + "type" + ], + "attributes": { + "filename": { + "description": "Original name of the file imported.", + "ui-priority": 1, + "misp-attribute": "filename" + }, + "imported-sample": { + "description": "The original imported file itself (binary).", + "ui-priority": 1, + "misp-attribute": "attachment" + }, + "type": { + "description": "Type of data imported.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "uri": { + "description": "URI related to the imported file.", + "ui-priority": 0, + "misp-attribute": "uri" + } + }, + "version": 1, + "description": "Object describing the original file used to import data in MISP.", + "meta-category": "file", + "uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5", + "name": "original-imported-file" +} From 1a02c6879eaf23bcfa78587cd6961ad2d41cf1a2 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 6 Sep 2018 14:54:39 +0200 Subject: [PATCH 068/244] chg: Deleted filename attribute since it is already contained in attachment --- objects/original-imported-file/definition.json | 6 ------ 1 file changed, 6 deletions(-) diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index 2a2c0d9..2afdc62 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json @@ -1,15 +1,9 @@ { "requiredOneOf": [ - "filename", "imported-sample", "type" ], "attributes": { - "filename": { - "description": "Original name of the file imported.", - "ui-priority": 1, - "misp-attribute": "filename" - }, "imported-sample": { "description": "The original imported file itself (binary).", "ui-priority": 1, From 767b46142937c50881bf0f55b9f7b27b518ad99a Mon Sep 17 00:00:00 2001 
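Review bot: `imported-sample` stores the entire original import document as an attachment, and its description does not warn that the whole document is redistributed with the event: STIX and OpenIOC packages frequently carry handling markings, source identifiers or indicators the analyst deliberately did not import, all of which will be synced at the event's distribution level. Suggest `"description": "The original imported file itself (binary). The whole document is stored and shared at the event's distribution level; strip handling markings or data that must not be redistributed before attaching."`. The template also has no hash attribute for the imported document, so there is nothing to pin the attachment against if the file is later re-imported or questioned.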
From: Alexandre Dulaunoy
Date: Fri, 7 Sep 2018 11:26:37 +0200
Subject: [PATCH 069/244] chg: [file] following some CyBOX import adding a fullpath field which includes filename and path request
---
 objects/file/definition.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index 49bbc28..d58f4db 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -131,6 +131,12 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "fullpath": {
+ "description": "Complete path of the filename including the filename",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "tlsh": {
 "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
 "ui-priority": 0,
@@ -163,7 +169,7 @@
 ]
 }
 },
- "version": 13,
+ "version": 14,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
From 344b8f002eeddeebe19436449fc42202ee2c0828 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 7 Sep 2018 11:32:47 +0200
Subject: [PATCH 070/244] fix: Changed 'type' attribute that is more relevant as being called 'format'
---
 objects/original-imported-file/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json
index 2afdc62..3146241 100644
--- a/objects/original-imported-file/definition.json
+++ b/objects/original-imported-file/definition.json
@@ -9,8 +9,8 @@
 "ui-priority": 1,
 "misp-attribute": "attachment"
 },
- "type": {
- "description": "Type of data imported.",
+ "format": {
+ "description": "Format of data imported.",
 "ui-priority": 1,
 "misp-attribute": "text"
 },
From ac221f8927ff08f9099c19381918c9a0c73058f1 Mon Sep 17 00:00:00 2001 
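Review bot: `fullpath` is added with `"misp-attribute": "text"` although MISP has a `filename` attribute type (used by `original-imported-file` earlier on this page) that is intended for names and paths; typed as `text` the value will not correlate with `filename` attributes in other events and does not inherit that type's category defaults. Suggest `"misp-attribute": "filename"` and a clearer description, `"Complete path of the file, including the filename"`. The other attributes of the file template are outside the hunk.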
From: chrisr3d Date: Fri, 7 Sep 2018 11:37:55 +0200 Subject: [PATCH 071/244] fix: typo in link to an object --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 472d106..7bdfa9d 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ for a specific attribute. * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. -* [objects/original-imported-file](pbjects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. +* [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. From c8ecf75fdcc880a358155286365e09b4e8e56707 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 9 Sep 2018 12:29:58 +0200 Subject: [PATCH 072/244] new: [tracking-id] Analytics and tracking ID such as used in Google Analytics or other analytic platform. --- objects/tracking-id/definition.json | 46 +++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 objects/tracking-id/definition.json 
diff --git a/objects/tracking-id/definition.json b/objects/tracking-id/definition.json new file mode 100644 index 0000000..509dbe7 --- /dev/null +++ b/objects/tracking-id/definition.json @@ -0,0 +1,46 @@ +{ + "requiredOneOf": [ + "id" + ], + "attributes": { + "id": { + "description": "Tracking code", + "ui-priority": 1, + "misp-attribute": "text" + }, + "description": { + "description": "Description of the tracking id", + "ui-priority": 1, + "misp-attribute": "text" + }, + "url": { + "description": "URL where the tracking id was found", + "ui-priority": 1, + "multiple": true, + "misp-attribute": "url" + }, + "hostname": { + "description": "hostname where the tracking id was found", + "ui-priority": 0, + "misp-attribute": "hostname", + "multiple": true + }, + "first-seen": { + "description": "First time the tracking code was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the tracking code was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Analytics and tracking ID such as used in Google Analytics or other analytic platform.", + "meta-category": "network", + "uuid": "3681c62a-2c75-48d8-99f2-6a3444ce2393", + "name": "tracking-id" +} From ddd341d0ed2236e9d42ae742fc9a1e0b8420745b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 9 Sep 2018 12:31:53 +0200 Subject: [PATCH 073/244] chg: [doc] tracking-id added to the list of templates --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7bdfa9d..f41ccdf 100644 --- a/README.md +++ b/README.md 
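Review bot: The free-text `description` attribute (`"Description of the tracking id"`) has correlation enabled, unlike `first-seen`/`last-seen` in the same object which carry `"disable_correlation": true`; free text such as "analytics ID seen on the phishing kit" will correlate spuriously across events. Add `"disable_correlation": true` to `description`. Since `id` is the attribute meant to correlate and pivot on, its description `"Tracking code"` could say what is expected, e.g. `"Tracking or analytics identifier as embedded in the page or script (e.g. a Google Analytics property ID)"`.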
@@ -124,6 +124,7 @@ for a specific attribute. * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. +* [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform. * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. From 37a4a93326dc3189f03e015861b00a962edf626f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 9 Sep 2018 12:34:06 +0200 Subject: [PATCH 074/244] chg: [original-import-file] list of "sane" default format. --- objects/original-imported-file/definition.json | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index 3146241..c2a5af5 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json @@ -12,7 +12,14 @@ "format": { "description": "Format of data imported.", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "sane_default": [ + "STIX 1.0", + "STIX 1.1", + "STIX 1.2", + "STIX 2.0", + "OpenIOC" + ] }, "uri": { "description": "URI related to the imported file.", 
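Review bot: `format` becomes an enumerated label (`STIX 1.0` through `OpenIOC`) but keeps correlation enabled, so every event imported from the same format will correlate with every other event imported from that format, which is pure noise. Add `"disable_correlation": true` after the `sane_default` list, as the enumerated `type`/`acquisition-method` fields of `forensic-evidence` on this page do. The `uri` attribute that follows is outside the hunk.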
@@ -20,7 +27,7 @@
 "misp-attribute": "uri"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "Object describing the original file used to import data in MISP.",
 "meta-category": "file",
 "uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5",
From bb2b8d810fa2f34f9b32aebe37bcc3bfa750e43a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 9 Sep 2018 12:39:22 +0200 Subject: [PATCH 075/244] chg: [tracking-id] add the tracker origin such as the vendor or software --- objects/tracking-id/definition.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/objects/tracking-id/definition.json b/objects/tracking-id/definition.json
index 509dbe7..79c374a 100644
--- a/objects/tracking-id/definition.json
+++ b/objects/tracking-id/definition.json
@@ -8,6 +8,18 @@
 "ui-priority": 1,
 "misp-attribute": "text"
 },
+ "tracker": {
+ "description": "Name of the tracker - organisation doing the tracking and/or analytics",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Google Analytics",
+ "Piwik",
+ "Kissmetrics",
+ "Woopra",
+ "Chartbeat"
+ ]
+ },
 "description": {
 "description": "Description of the tracking id",
 "ui-priority": 1,
@@ -38,7 +50,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "Analytics and tracking ID such as used in Google Analytics or other analytic platform.",
 "meta-category": "network",
 "uuid": "3681c62a-2c75-48d8-99f2-6a3444ce2393",
From 76b3086356f2e6683199baacef97a0bcef6f568c Mon Sep 17 00:00:00 2001 From: Terrtia Date: Wed, 12 Sep 2018 16:49:28 +0200 Subject: [PATCH 076/244] fix: [ail-leak] disable correlation --- objects/ail-leak/definition.json | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index 93f9073..7a4f9d5 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
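Review bot: The new `tracker` attribute is a vendor name stored as a correlating `text` attribute, so every tracking-id object recording `Google Analytics` will correlate with every other one that does, which is noise rather than a pivot; add `"disable_correlation": true,` next to `"misp-attribute": "text",` under `"tracker"`, the way `first-seen`/`last-seen` in this template already do. Separately, Piwik was renamed Matomo in early 2018, so the `sane_default` list should offer `"Matomo"` (keeping `"Piwik"` alongside it costs nothing, since sane_default is only a suggestion list and not a constraint). The enclosing `attributes` object starts and ends outside this hunk.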
@@ -12,6 +12,7 @@
 "attributes": {
 "sensor": {
 "description": "The AIL sensor uuid where the leak was processed and analysed.",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
@@ -23,6 +24,7 @@
 },
 "duplicate_number": {
 "description": "Number of known duplicates.",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "counter"
 },
From 243396a34d11351803add157166d1a3ad73d92f5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 12 Sep 2018 22:11:46 +0200 Subject: [PATCH 077/244] chg: [ail] version of the template updated --- objects/ail-leak/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index 7a4f9d5..feae522 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
@@ -64,7 +64,7 @@
 "misp-attribute": "attachment"
 }
 },
- "version": 8,
+ "version": 9,
 "description": "An information leak as defined by the AIL Analysis Information Leak framework.",
 "meta-category": "misc",
 "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
From 8b5b5df77c8105152799dc6faf4d36fce6fbc158 Mon Sep 17 00:00:00 2001 From: Stefan Kelm Date: Thu, 13 Sep 2018 14:05:45 +0200 Subject: [PATCH 078/244] bgp-hijack --- objects/bgp-hijack/definition.json | 53 ++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 objects/bgp-hijack/definition.json
diff --git a/objects/bgp-hijack/definition.json b/objects/bgp-hijack/definition.json
new file mode 100644
index 0000000..952ade7
--- /dev/null
+++ b/objects/bgp-hijack/definition.json
@@ -0,0 +1,53 @@
+{
+ "required": [
+ "expected-asn",
+ "detected-asn",
+ "start",
+ "subnet-announced"
+ ],
+ "attributes": {
+ "expected-asn": {
+ "description": "Expected Autonomous System Number",
+ "ui-priority": 1,
+ "misp-attribute": "AS"
+ },
+ "detected-asn": {
+ "description": "Detected Autonomous System Number",
+ "ui-priority": 1,
+ "misp-attribute": "AS"
+ },
+ "description": {
+ "description": "BGP Hijack details",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "country": {
+ "description": "Country code of the main location of the attacking autonomous system",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "subnet-announced": {
+ "description": "Subnet announced",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src",
+ "multiple": true
+ },
+ "start": {
+ "description": "First time the Prefix hijack was seen",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "end": {
+ "description": "Last time the Prefix hijack was seen",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com",
+ "meta-category": "network",
+ "uuid": "42355673-1fab-4908-8045-00bebd91c389",
+ "name": "bgp-hijack"
+}
From 76553f176c0421fe2d783e411bafb444fbef275e Mon Sep 17 00:00:00 2001 From: Stefan Kelm Date: Thu, 13 Sep 2018 14:10:52 +0200 Subject: [PATCH 079/244] bgp-hijack --- README.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index f41ccdf..fe29188 100644
--- a/README.md
+++ b/README.md
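Review bot: `subnet-announced` is typed `ip-src` although a hijacked prefix is neither the source nor the destination of any traffic, so it will correlate with ordinary source-IP attributes in unrelated events (and, where the instance does CIDR matching, with any single address inside the prefix), which reads as a false "attacker IP" link; if no dedicated prefix type is available, at least spell out the convention, e.g. `"description": "Prefix (CIDR notation) announced by the detected AS; stored as ip-src"`. `country` and `description` are free-text attributes with correlation left on, so every hijack tagged `US` correlates with every other one — add `"disable_correlation": true` to both, as `start`/`end` already do. The `country` description also presumes the detected AS is "attacking", while a route leak or misconfiguration yields the same expected/detected pair; "announcing autonomous system" would be neutral.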
@@ -71,6 +71,7 @@ for a specific attribute.
 * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
 * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
 * [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
+* [objects/bgp-hijack](objects/bgp-hijack/definition.json) - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com
 * [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
 * [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
 * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
From 00184b6fc0b06f8c78d37e2fc7f9e8084c37209b Mon Sep 17 00:00:00 2001 From: Stefan Kelm Date: Thu, 13 Sep 2018 14:13:33 +0200 Subject: [PATCH 080/244] bgp-hijack --- objects/bgp-hijack/definition.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/objects/bgp-hijack/definition.json b/objects/bgp-hijack/definition.json
index 952ade7..1955f9a 100644
--- a/objects/bgp-hijack/definition.json
+++ b/objects/bgp-hijack/definition.json
@@ -1,9 +1,9 @@
 {
 "required": [
- "expected-asn",
- "detected-asn",
- "start",
- "subnet-announced"
+ "expected-asn",
+ "detected-asn",
+ "start",
+ "subnet-announced"
 ],
 "attributes": {
 "expected-asn": {
@@ -42,7 +42,7 @@
 "description": "Last time the Prefix hijack was seen",
 "disable_correlation": true,
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime"
 }
 },
 "version": 1,
From d2b33810c567ceb0701f5511f4f77f17bec35a61 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy Date: Fri, 14 Sep 2018 18:39:20 +0200 Subject: [PATCH 081/244] chg: [relationships] updated with new relationships --- relationships/definition.json | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index f91926f..5279345 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1,5 +1,5 @@
 {
- "version": 13,
+ "version": 14,
 "values": [
 {
 "name": "derived-from",
@@ -622,6 +622,20 @@
 "format": [
 "misp"
 ]
+ },
+ {
+ "name": "delivered-by",
+ "description": "This relationship describes an object by another object (such as exploit kit, dropper).",
+ "format": [
+ "misp"
+ ]
+ },
+ {
+ "name": "controls",
+ "description": "This relationship describes an object which controls another object.",
+ "format": [
+ "misp"
+ ]
 }
 ],
 "description": "Default type of relationships in MISP objects.",
From 4d6e0d7580b6239e33ed268031b7a1297a6ad686 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 16 Sep 2018 17:13:30 +0200 Subject: [PATCH 082/244] chg: [file] fullpath can be part of a single file object --- objects/file/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index d58f4db..6083298 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -16,7 +16,8 @@
 "pattern-in-file",
 "x509-fingerprint-sha1",
 "malware-sample",
- "path"
+ "path",
+ "fullpath"
 ],
 "attributes": {
 "md5": {
@@ -169,7 +170,7 @@
 ]
 }
 },
- "version": 14,
+ "version": 15,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
From 01ea4c30979d7bbaf07071ea502d1f492815b4d8 Mon Sep 17 00:00:00 2001
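Review bot: The `delivered-by` description in the second relationships hunk is missing its verb — "describes an object by another object" never says what the relation is — so it should read `"description": "This relationship describes an object delivered by another object (such as an exploit kit or dropper)."`. The `controls` entry reads fine. These descriptions are presumably what an analyst sees when picking a relationship, so the wording is the contract.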
From: Alexandre Dulaunoy Date: Fri, 21 Sep 2018 07:11:38 +0200 Subject: [PATCH 083/244] chg: [malware-config] new object to describe malware configuration in clear-text or encrypted/encoded ref: fix https://github.com/MISP/MISP/issues/3679 --- objects/malware-config/definition.json | 51 ++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 objects/malware-config/definition.json
diff --git a/objects/malware-config/definition.json b/objects/malware-config/definition.json
new file mode 100644
index 0000000..435fc95
--- /dev/null
+++ b/objects/malware-config/definition.json
@@ -0,0 +1,51 @@
+{
+ "requiredOneOf": [
+ "config"
+ ],
+ "attributes": {
+ "config": {
+ "description": "Raw (decrypted, decoded) text of the malware configuration.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "format": {
+ "sane_default": [
+ "JSON",
+ "yaml",
+ "INI",
+ "other"
+ ],
+ "description": "Original format of the malware configuration.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "encrypted": {
+ "description": "Encrypted or encoded text of the malware configuration in base64.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "password": {
+ "description": "Password or encryption key used to encrypt the malware configuration.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "last-seen": {
+ "description": "When the malware configuration has been seen for the last time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "first-seen": {
+ "description": "When the malware configuration has been seen for the first time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "Malware configuration recovered or extracted from a malicious binary.",
+ "meta-category": "file",
+ "uuid": "8200b79b-1d8c-49a8-9a63-7710e613c059",
+ "name": "malware-config"
+}
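Review bot: `requiredOneOf` lists only `config`, so an analyst holding an extracted but not-yet-decrypted blob cannot create the object at all, even though the `encrypted` attribute exists precisely for that case; suggest `"requiredOneOf": ["config", "encrypted"]`. `password` is described as "Password or encryption key", but a binary key (a raw AES key, say) cannot go into a `text` attribute as-is and, unlike `encrypted` ("in base64"), the description fixes no encoding — state one, e.g. `"description": "Password or encryption key used to encrypt the malware configuration (binary keys hex-encoded)."`. Correlation on `password` is worth keeping as is: a key reused across samples is a strong family pivot. Minor: the `format` sane_default mixes `"JSON"`, `"yaml"` and `"INI"` casing; `"YAML"` would match the rest.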
From 231fdaf92b2507f7dca38ce82e88c604d5ce19dc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 21 Sep 2018 07:13:23 +0200 Subject: [PATCH 084/244] chg: [README] malware-config object added --- README.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index fe29188..b7b03f0 100644
--- a/README.md
+++ b/README.md
@@ -97,6 +97,7 @@ for a specific attribute.
 * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation.
 * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
 * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
+* [objects/malware-config](objects/malware-config/definition.json) - Object describing a malware configuration recovered or extracted from a malicious binary.
 * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook.
 * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
 * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
From 89e869c57790d6726cfbaf6c980fb2f135f7d292 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 21 Sep 2018 15:40:32 +0200 Subject: [PATCH 085/244] add docs - time related objects --- docs/time-related-objects.ods | Bin 0 -> 19977 bytes docs/time-related-objects.pdf | Bin 0 -> 23583 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 docs/time-related-objects.ods create mode 100644 docs/time-related-objects.pdf
diff --git a/docs/time-related-objects.ods b/docs/time-related-objects.ods new file mode 100644 index 0000000000000000000000000000000000000000..637e8901aa3f4d350af3a33d9bc3f6125dd24d6a GIT binary patch literal 19977 zcmb5V1CTGl(;zsu-gxE>-q^Nn+qU%^+qP}nwrv}4YXK!L_Y-i+bV`2-Sb+UIfF)(&AH!%Uo|1V?uZ(S0%Pyzw{2QdGQ zsci0SV`yt&VeLc*_@7l;dt0+`d08=d7;Kn-ufR))3oHJ+kN<-oDA0dbYc7ybARv%0 zd1+-45MU5+2xv%XcvuK9C`dSXC@0VWO+?jK?tLP{Jm1_BHOqTgr~gufZcaESUm>F3)S=hNaSQvTOnK?PRs9E`G*#%j+g*gQ! zc*GR=S*eA&m;`va#Ce(dc?E^}c_al`r35(@#d(EaTHB^w& z4OR6mb@YujjjVOd9E>z%jkT4G^>r-uRjrLQ9n5r%jEoFSEsf2sElmup%}uPVt&Odn zOzl0a9GtBHUQSkq4z`wVwk803YfpRAe{ClxCr1|#fV;P+i=(%jlc%SrwX46QXONS3 zn1_$Qi(iD7f3Rm@ly_*nzpG84r&EBBXP6Hl*xxI{&owH@Gd|QiC@3f}G$Jr8Dk3Bx zIy@*UDk?B4F*G4HG%h_dE-5lGGchVCE;c?RAtEs`F+L?DDJ?5KIUzeeDJwHGDkU!| zt0=ReET^nKKQ+2AGpQguy(~MaC@-rrKeeJTv!N`zu&|(@q@uW@y1b;IvaGnWva+bE zskW}Bq^_f?zNwzs=cnXv$3+Vv9Y10y{Wycy``b6y{W6KtGczn zrF)>IZ@jyIsB>_tXLP>5wW`0PvA?@xth;HjuX}o+b#kzCZnV3vuWw*vd}w@fd}Ls1 zd}Lx`VqkJtJ>7YG9#& z>G9Ro)#=s!_3hQ={p;P;+2h^S-QC^&^V`$w$LsUs`|H#9_cw(=NH-7=89+iqB?9n%MPu(rwO@nYY$`W_ICPh@lZ&>^mZVmt1Vao=v1w%<y5#Y%w)*tF@TZgFez^Scub~l!q$B&JEmf0{tn9bK7w{0|Kk(bR`Mw4I z?oe`d+{VzN3LST(I4EZ@! 
zkQa|mC+`A!e3#@vm;%0t)a#J%RW=3SEz6_ETTD;uU3a9g^jI>|tM)?XNImW&@p>dm zd|qxN4nFN-I!GV=b9x5He8ba`#sTMRD{3C}OLNR3h=#IaoS!&H}eD4>hw+|>2D9K!I$eGyc)T|IJHrjup-)DD=hJD*CjmjR` zc69#r7you!AWs1AA!7{5-+7v}3x9MDPX~SrUkEB6O@uYcXsGCS;$ilF;r14(xTalB zN|ZcLbEvo*T6VR$zb)#!O1rCLN}CY7zv#7=hx1U}|Jc2yLVys%F=QM(R6e z#o3<9+A7vt4IEBQNCb*tPT$NDBO~RP7SG;y#BgY>09FR3K>^9LRA^P!>m*M&tAql8 zhqCz@8-!Z52PaHr@u!Qoy4|Ea01=;%29tiQ%Fub(o@BtC7<&`L{>I(f5|U8;>=HVt zxq4Wo%8lH}$V~Da)w+ee1)Sw+ZK@5UVtCQ*@iW zs5#*?%bkr7rLNzLWC#QDAGlkPK3&r3=adb!M=1$n&(ciJSn>3d^56nWHlv)~+Rm3- zWh*Ii{X=fm@XP=kNke1g%7y;J(Qwc00ORAp(TK&pzBkhME^;+J=>eM&Aiu42KFs{fd-hA`4Q8g$72>oDV~q)R3l6 zkk*1!R~0@$v(~IJ1=i7kr30t4=)XLmjFzW|wv%iPQd1;ZZaB+w2y$B`8E)95ftaLS z6d;bu5~NvYN0f{Vz#{P^ilMnxyyesVuft0{aU+@+fes( zo3jd(84yqh*c4a6-fUlr7hpT!YaJU{SS4(VY@N01sG}d2>hy|sv=OF6TS-RyH6!nM z*!;RzgA%V`(|# zfAUaO_SMK)I!pHzeNa!E>l;qxwOe@h^BfmG)2sPQiNWT(|LiW-CT%4{`PaiTBz~{Q z@%F%Ibba`Z*s`45!|V9d$p!ip`8REqxb@Vm+f${UsYN#g-aD5_qmiaC6(My;Q}5m^=?>#M%$8u*gE?_b3G68g&0VPk2%o%d%+ z8reI6uAi&HiU*risx+I@ix|ErH>>fjpTnB70yzmsPy1qtD|Cr6Op+Mg>SOW^2Os18 zCB@ot@3aC5nbGWmsG~E7doKWLfeq8T3;m-o3uf=K55cJhc zdtdz@(vJ4_aUmyb4fK%n)1gOma9n~5``D}mRW}OqQb@~S3Z60icN_&RH7OE(-7(V@ zCNXK!rf!R?!4&GHEgeAkh~s!%I`UWM@R zaR7|s0?-n;3LD0eIkCw`+EWk?4wXEp+l=OL6f1oWX;@-@wfF+qec`SgPBkg8oVp+U zb5jl9s~W^(l!FXW%6a2Nz=ZI}0Ivrd@$QFMZG{P!cLbuODr(JIm(@eAkleJT|49fh zB~#t)Y@DECk8>z;2QXS68{|V26gAj%2Yi(#QDpTqRLbF`(cCZwW7owU&)(+2d7}jE zEX5#=CGi(O$4NG_~( z${xjGSY2H#TnVwJyqZnY^rQ2OvK;~BqP@35vrv;!*%zZN09R|_CvfYe1 z9cXtG2vtQJPJ~T{wq35EEO6$%9+Q2aV-3pb0el6kLQE!Pa~pGI`h1Y$b?UTrKgPdP zGp6GTSRCu(1KirWGuF|LEyM)(ze13LMM_|iX0ZRBlBr|!tQZ;-$hzXV}a~_Ift$@l>TDdst ztn~W4m0IQor6!}CDVn4*(y-XUTM3DYu7lgXZV$P`?^wJH*-2b(3$M@jNl!V;fSzod zsY!QpZiV(hvNsBqa>$lTV2eOAD?Dtuq-!_1t?$jJIk$nnwU59Th9>7pSp;_7@pMks zCymEQj4<=8gm}y>|uk(EZGICBVEv=^30w!nc!~N4%tp%&#bLlL?plg?r zA^Isk-AifQO-uzsZ<+?c@3916`#+45%@u5PkBC^w%u`aS~e|N0TCsLH#|u zHo2YOph=+n*lgMX$HN@GpIWn>oq;_+nXc~co$%LtEXCY}e+>g5+YV7tlj;kI6TLC& 
z!|QYIvh21R%24pofVQ;ak*V*_!!>%W7s>2^axZs#t~7WX$?eY~v1WaDyV-r-Z1iDK zXo#F4t>3IY7Z`1OfeW8$BXPZB+DVo=AFsTx_+fjo9xa>rArW%65**|ZJN!%3DsPsY zU7ydMy7zKKWAn)%s=6SOFHkSl5L;Z=y#QGCc^Yokd!DH*NA#y|&c9@vm%kkOtPFG) zDXa9*KR({{I(^`H;7Kbj-A+fvlO)u86ENGzI0Xd|UO_&o`itA+7qY(HxyI#m%AGeW>{o6EX{vK`x;;zjs#& z(0gtb!=AZjmy>9)yFk2L-sRI)t>Ic&q_Em_@ML^Aim$^6;f_ZFlR$#ESEBE$kKaBD z!oeE=ea^zMbrdAPHw$j*jSkY@pNqH|IFlhD$YfYx1br02)x2(CO))i&G-U;%hQyi@ zTCy=Rf)~3Bj>J}iA*${o)rAXo_#zNZkm%_a2`wg5(&Mh&XL1^-2~H%K)*p()Jo&th z6Emwh^U;f^c;a6ym~RCPtzumCO5ya?-H(+pEdQ@2>^Cq^%s?LCqi z<>2EPPHHD63X$hWg_A=^YIZ&bsBKuUH!Zmj1BvIxyj&vbVd%|Dr@0<)kL?jEJQX0w zIwyy%t^WR{yKY3=EJ6H8{^ zxLw-K?V{}=we&E_wVMtnR7m!XjYe29yuvW@j;}L>U0frGv=9xsd*+6MH5=@9ik9vr zS$@%S&_sPOUAkiW+CLX9@x6*j6ke^}w0GB;t&j#(&E-&MELKo)37;jyUT-`#5$Vj^_}96nx^k4i8Z|qSiv9UhGPK8Se)L2( zI0U#oSM$TLpVm(!xjN+%g6YqAUq}1^V;zy*6D2Ppk_?E!qur35>fx?_ezMWDQOsY; zMPdW@##41Oi~*v*^T>8^@oVOUNF)kq2e*18KS}NlLw2BQWA_a$T~Ja(#_c38k;jJj z${euFv3~c((_vNZcDY)MScj2TPxqN(*01IVwja4cIA@7V==i50iMnCAW2HBLw;%$A zkimVLkV{Ce;Y~czi{T{)H_J3bvAAU++cYt^h(dyNntw15c_6DBd2~JRoIxy8$i0p0 z0x7GpNG@_@7aZ=CQ)VwurTa!5TCVIr;0lH=Px%ZnZ+2?G5*mDLF5~Wi2I=Jo{SAtB z;GX8Z*B{1W0|hR^4^Ru9OI!9rRJ+}H5eX3KEw+T1VBi`Gg6h#RM9&hW8qX0sGld|( zeDY(7F>4T`9hg3(lFfkm7HPe$%x59Ce1P^YsH8>=d&p}_+Khuk0T3jC)m@YqZ!)&OVKtdAEMehEA9!R zx}mNmw1j!d53i4)+YfpZUK(NxE8WfSJm2H7DTkvJ98nfqxkDg;_@!2pS}X2&mqs#s za_^;@&Z~pf#^K`tx1Z)=@v{c<>rha2ha^@uOrp$=47#nHPaM^lu2Eh8znsSY!w^5 za1kj&$bzC>b0G=rX=YV)r*srr1w9O}JXK>~>1W;)?=(~3En>s-um>_dzDWkF!iVkx zrL{RuYylVD1U4`e*uR#>&3tG6>kt-)0uNKhKTN3wa_*YWZE6+du`J550!pP{Rfk?T zl4XiH3Z_A?N-!K2&F@|B74>j9B4XJL**`9&NrUYi28vR=%$Oh#o6=eYR#X$?;NS6(NNJ=PGHMT%cyEX7-+T#HrsT7wj{?>uK5g!;0v!Tu|x^;tg$m81^HbX2*)k`uuV zYdvRZrQZGvWzTGOo3SG%UC3h#NJdMB=3}Ii7L><*xoCc;8^-n=*t~tKd?n!uo8Phq zz|^a&CO#)d>90CJ5Oc>2{G7l#$W0&|gn^`PYroQSnfQBw0z7w7y;j<^53${(SN=An zd#g=71rInDNkQ<@ig}%rlzzXzalpTEU=kL>2oZQf^=E+ecK|#o0dflv-nkZ#nFi2W zF1S{q!4OO26_5>Vo%;hm#m_)$h`wlq%XI7Q-~y*Mb_K)NvTvL%wHFj}(FCrdx2wP} 
zXOhmSf}(Xb-=`8uv}S-#i$}yAn8cHT2_#Hcl0+vH8`ZyGt1TzWq@S_99yJCq_rhM8 zJ-1vPjFgvL6Qu?jxmAq&zi+PW&P&kc;#_P^Wbg6tHKtD7=k?yLy1vg`+4pDcDidOZ+%@ms@vR)~^v0=V6cFM}sHYb-UHS2t>Qj0;*SZC2;* zR8Tovleu(XG}{-|1~= zu3XfY8k-Y`8X&j$Ky0zI|Di!Y4es|x=zMHbbLY&huy+PF0vRx5Jp`Cg5w`mi?m{c8|u9f)yOxZ=Ng_5`( zdHh@*=mp_t@HGphzrvD|ro^Wa|d>RLf<*nT*t! z|M|86u%Pt6EjaKO%d(q3@-Po2y=JN5q^&=c1{Gz&=FsT!&=ftM@uzEgpC7G6@!}hb zim5cWv5-5<&SFICYUZx|(a1arwFAyw`Bq5I1hXR67r8#PT818t>JfY1bvAStR?;1+ zsCT#NyHvY2T zfS|okF!l59Z{WIhrklb@6~|4i7#7#WXenY_&fgacu^*>lMrzQ&6D%;0Vo^13P2R0l z^6S@eU$oZDnfV5E`d=_YWCNr}XBh1$Ay#}bZMDOyW<#bc<8}UqK3y8AgMzWcq%f_P z4d}QOU|`S8a8%eDdLz~>oq`Bo1@)z4?Q|DvnAk9f`?YJW^fN=>zUz!z^6Dg7v*(VO zGl0RE4wG#}qS-;p7UGzY5M(dt7Wz$ITiZ{hHw@CyNgY&s+$ZTaSu0`ahW07vC8m8& z8sg>MaJif6*xmdeBJaHXtHn#5Wwa*d9@BtgkC)d59w$LYsnq7T;mKJNuLRz1)sC}( z-jP--!(xxt*9Np*yjS3Y-KtmbN;RY%P+tl5JAjM8D(cZVmtE~QU}tBz0Uyt5I;-%h zgbKyyE^!E6S|Df67}kcAg}J!oDdU6YvD-zH?j}3pCVX@LMyL@(bS4?#Wba( zoQKg?npiH^ zA`QiyiHS6pq^9L1wu>k?Sh)#=`G~eOP;-ttH;;qbtisBgM|~{9qk57XMk!*Vaa}#8m`!7-MT}s z;A}sFO!h=f%Jv67M?no&V?`@I9Q({|k>M(Xu*AXlbgl7Fh^Z<2M$N-4F znLzn>r0$%$ypx>for%~au!b2H`zoM5PxITzzavlbY%V%ogQi7iWYcSdlc*AF&E|c& z7#uG}G@y$$Ci=2<*QEMuz7^UtsX@zDVtQgO8I;9a(@q&WmYv(hSXC=|uBy0%v&y|#Nkek5d#3K!_lzAxtL(3wtgtY7 zTIPlE_zSz9TbH#bwAREziVh~if;M7yPXqhKueGx1Tsin0X_)A8EjPh@3ug!e;e0Fr zMBbo*E%jKRchW^zt6qZR03ZEdh@S!KcQoOwUW4bh6#=_m@GWZ|giCN*PL`0LyQrbU zP$8pcp2OI{W;&Oh-nxgFXbtEFUa*6mhvyk2X5Gs!UxO1bSWwy7GRbj|@|!_E2p?Zc zli2Ukq$aCE%MiT0T78hVqR(M&=&CWT`zI;B8QLe+-o#&-P8BXe<54*G=+ZzJrwW~x zj(91T_axj0$t#q#FA)iwR2&~c5C@5!xbM*t6KB~d)+!L98_99 zV^``uL1K6!;oZ60jxkXCq5ohjHVGwEEK&i9cUWZ-)$Y8zpwE5JKd{1PuKN?X-fIvVZRF z@;SKnrVr+65d3GGy~CkqE5jPoF@nPuF!ih!L)mUiSLG4Zv&{4{eER!LXhyrfS;huW z-syQR``2N!#~Fcq0P&dT-(&(04)5Z}4V}Lf&Q2`b-ooYZ?^|9~$3DrDVvB52wL4i_ zM_Nv;NkuowlQ&aXRS>qll~UJn=X&E3K4*eu6g?Z2jx%OV#By1=zK+3DC+3$uM+c*e z&Q0z{%@}7I=kBBrM_VP}!&W46C*3FCH^jEsG@b-Uq4HnnKWP*?miLTR)ERjAt_v?G zWQBUWRE*-?5vrx(wI8QBrxKD+6c3CGuH4)|*WaCvPgK9&TkgH?d_u^~Kxbt6{77|p 
z&d7cW4$CvtB4gR4nHB)uzT1GmC}ufjIRq~>&(#vNZtsG9ew%l>T5gVJWCR}~qTZxj z-ltj>Nu0~`DLSILJWJlUNKaT!lP`#BSvBR<9}QIvW%aMBEz)|T_*S_9)s{pv7hG5K zdJ>_Zb?jH)u8{p7zi6W`Bi^of=IDPbvz4}4cB$MYcBDy$mH6k;gw^4*0;PI|hk3j9 z+YWfHB7J=i=KYc10WIXVWJ6&Ebw2HwMzgcXNn^0Yw`X#YEAQjEFI<5u=@f3XT zg@xe)!&DkgGRK;;o|q4N=<@Lrs$y)@>+c{9LH%&9@KgA2gbCep=*rjJ^zK36uc9Jh zK(){K_w*l%?MAZ8&d;Gw-^>@q%XzsS5Z+Oql%9K)HCI>D$7dt+T9RtUgJ_ zhnm*cgiu~wO%8TlzoLzRAfm87)?9J4l0ugs?TO|YPEp-7jSO;S3Tw>k!FjiD`xHOe zq@e+-vDsjtNdbqf?;K=mr5pKb2A3L`8K^|+Q;(3aj#rbM$Stc004BI-ulhs%QzG^0jAz4AS>o}H_l75XduY;# z%P06Ly41XGI@?~2VpFm+1&5F^mmtdUjODKi3rQY8+-3F-bW-OQi9m+P$d>{SYpG;M zj9#v#OI$>oTebS(@4UiJz1YgOU#NW?7Ot(TrvLWNexB~wB%LP=_>+V^sCK!isU zUP_?kPCGp`Wa+43-jglqN-7ku=7O5)U^hcbziuf5nLjH*(FgG^*8d#0l5LFYDV~S5MJ86RPdHZeaLt7J-hvJ@ zZXCHb)a~dgjaigSoH3|RsC}`<%`p}xo`EtEJcHAM!KF9OOANKs>X7}HrCF937Bv+5 zhlXxomC*S{?E2WYtpkv%RC>QX^>zx`YYib|IDH`s-PJ8IHMls-d8o^m?Z4eJu>YwJ zrNIM%XYn|*OcR<3Rz`7z0>%KtIgrT`8{T0wOQe=jRXj|W?0L2OZ~Atr>N7xK?^I~< zNAvu>%O^?yuxchg2+10xtng6t+xV>UZ1tIT%jKz$hRJ|XTyW-gKT2-5MEPQ;ZaKL` z*N4SQ!jWOB`~4huJP!pCU1Su)u6OpUKmkDFem-;n3%D1fEJ z`FcK069Ya&S!|baztF^LTV{Mk8`I?)jAXTRuWk3ejZMYwLTRi`C%#(C$<8_|Y1>_i zUvp%DoKm0WoyqT;7t_^-KMrh`Vm-;E93GjcRJarj3$(TH+h?Pp)woIl_?jtqaxV}1sw@N-Lc z%hNcy1;j4`2kIh@WCY;kWZfp0wNU70CSogc-TQN8E7Ak*jdlG`&;Kmg|0+Uuwx$+l&W`^h za@L8F4q#_zZEs*}VomqI$NNu=?Ee?O)0nOK|rBX0NKVg6U& z=>#wUI6M8HQ?z%qGjlX?`v1ZFuPEBv**n|+XPW=b9RDlMm|EKz08IY7`QiT;oUyPm zFf(zY6SM%>7}z`gACml!5dUA+KtVzMkI?CVRQ{g=`>$qXXAAgGT(p~w^_7m6-C+x| z4`1(qy+5IQo}GjX3Y&xiGx=Q3Hf`Nz&T}&QC?gwcxsYN{mY#1&hlUIFC`SJ@>68$1 z;^6*mCaf8`M#q-}Uib=X)4t?R^GCLBCpe>g)Z}f=*9m@a+{JV3%TI^OAp@fRm~x!( z9~$VSrq|Zs!eT7bZr3Z}$^3$l%>1HXY5DLWln@$G*sA5BXWAN(^|191w@GcB8v|R{ zoNMznQN@MZX0qXxh3O@YI*?qNV9lIfRW7*PYynYd1$e_t_be300h6Ph&qEt-YgaR- zjWd@8g@CoI-K{Oa;*R28UQr|pjUpvFK)^3^3h>?wCg&q>6!nLI_$!%GgcI~>vvA@EI$dZiZz5Ci{ zXy$Qs6j7>kVZO$RV*{-WWcn~WHC;h%l&V-#VcTzNUC9Bmd&h+BLpwjmh9uX*RzPhm zu=)rXO(482g4I6+@I|YLl*XAzmpuk-UE+nHqx`=#61Y;12lOf$P&ASy@ 
zt95fwhK;0RWU(6by}PE6LI-)d8}6Hv`lYm9l6Z1}9|B^^Xl~0{As*p(jeVJBojhdS z)JqdgXfpq-0P2n&tp(BVVsYa+%(+t)?y4x=Z8iY&Zge&iV0h#LXElqL{&>K4;R-*u zvnIC928Auet3u?cy44!fD29K88ED`S((yNI)g+dPcsgd6Vd?6&NcqIl(w6un<_L!;vcap)CkZ`BLSFrT30a z5l_F`N4{~FdP?TbuqJx+0wd%1JkqTeJbg(Lcn4`7U8^9n_-j`al?aiGlily__j{)c zrl9b=4%LYc;An}>>c;V|Y*N*I)=AKWdx~h5ukMBx{-??DdzK;wxJHP0;Rc8I2L)a#$cx*V{2BEKczXVP; zWO{V=hJY06|NcTN;@mg~dyelMkwZxQI6l{JA5~7{0c!;??THu#1*4iHFCvN8dq!Ij zUT#!SQcYB7j>u4-5<)Vb95>iiX-E`dIwEJR&EvViI`e`HqVg~-U$YZ@)sfoE#vdmy zfA4x;kj8%IRD?NTQ-+(zg4L@>NRmuCCwrrJuD)wm2$k*S6N{2;;95zSi~FsKXd@du z!#8n*Q#7S%0>R@6T{()JL`ZV+JLpZWq$^G_M=L4WV082pSgj(gU9l_B@=D8S;h%rQe1w2^IcxQ zIJ!=4M4U0d>uzMtn35*7A3TI(mT}INQ&RB}$+Je_H?nIZ3d*g2N2QrAmXcU?``qBtR~z`~%;%SbobPIoTpbsFf>-_&0MudH}#AFvIU(jB+^ zBO{l0UqREjJ|(GUp4Usd%<2<}`wIWO=Q>Z{Tk^M)`qgBW!bwqxaTMHT)z)LA(#-7g z<$ZNlR&%JVIlMW;CT$sarV2XjlQldv`Tbq-oP3w279>gKPG?g+dS=BIEmev2k-&Eq zWf$_awLH>L7P@u2>#3!a_iG$10`+ig&jh-dd9*C{Y+ve^`BZbiI^rL_0OkNZ!l@e3 zo!w!r-BPZ#jNh!+siPnw?R`uBysQOHW`U+Wea(TitXCm2X=A&g)b5^c->j(DHTbbA z7pU01oWh5@2uTSR!&v>FoCg++rvf%W%IUe0IAF&QSeubyL?7p$2hJB;StCvef_ElZ zGgR`=Ntk$&mMHMNx_Iy>VH0A4f&3&39_+E9Oi|-OzQz58kPoklIU_+Zb362z{R<~o z(E{ZJTxl=%c!;G34Q;B2i*2n5BjA!e_olLVyKOJT8`~djBgEHx6{|uWFlW+E`0Kxc z6hT2PIMDE>MEj0X+Aaq0rVHndrQeJXr-^?@5mC7wayCCJ7r(I%_d+$-z}{7C>xiIM z!r}cKR=n`~5+(;?qJZ*}*}}=h9^8=|qTaXLgR;*U<9rPM_>cWO=XGprPO%@beny&K!e$sh)?4Hx3b( zMe%jYihssb7$U$z=>~RjXMHIE%k4Od+ZWa=x&&3nz!DNhxQj6l1&CCpWyW-Miz z=uagr7wvm0`Su0j97%fD$6wPk0HLJ&sIrpEVuF-LaYD-fHz= zd!OabJ6$K{C|EdtULiXWu`kQo3b>UZ!48$<)YVkB)F*YjUsm?+QR*@?>f{{q2@Yy4 zhBZtsb_K1bT4okFZ%==yJ%z}1U7S|Gb4DgU>&|emHRMi8zi%}%^lGvR_~P@kGDhmv ztGbRqzpQ z<-f9g|3}iG3Bce#W^Z(&Kk z?C%dlF4@Ly9FNDtOm{m7?cH3>#IAswrbex#VpJ0SVxj6VSGUm6HA^Sv}N|)yn+~+HPGKi| zb3b~ye6>h@r9iXEfAVMVr*wDBF$^PV&C{hl%%36Z0NwBoH|FRhm`?Ne_f;KV>^}uc z!oo5;Tff?$_`>-9BT|RZSjlW)ARw848J7Qhk^Uzk(+S{iZQ}GFp>Atx*=@3-`s~&s zDeJHKjd!ri7|}V@HDB1;&_6ctphpRhTT>|Hk#n8Z;@37@$7ge%9fQe;_?+Bk-DnF- z^7eK~)HnM#@e_B}eWjae(ZfmvH5?82{9G41nd;T_aF97f3AROvtC!Fl$@beaP*c-p 
zp-Hj08>BL8AQm_yv%b=z1bub6ASy$Bcu^RV3JtmX1 z(c&u9Wm8huWi58NNteLvqOOI9qa-jx!Zla5^^<=93~I3^Q)@c6ZOt~{qUMI4Fd~Dg z%%}nfVNz33rIb-Skc8^h_urXzS=LY)>6dx^t22|5&sd5Q%Yoql1sO`}_E4^BM}L_` zoYO^pY!b%Tn!qAPXSp1fo#DH2gY75`<5u?e$+^MUt1!td@GWpoI&t>< zqQ%_ z>$1-L3?%1y{9vQq@~G)oAn!e1XVA!0YzjzEP%E00j`^{16p2d%QxB)W!#_p!9|0x5 z<0&rAnO8v>D%m7Ubz4F?EDQ)>$uTC-SuI3Q&_!@uzz%n^)ucHM=>)&Xbjx0uVy{s- zokT(RT8;b(k_8jeu9{I9tqh@YritpR(<9j7Eq++hin}BJYctNT6l6ztX(u2Xfv?5R zVy*?h401zEf2jL#K+#f0jva`+pC^7C!ezSw`}*rsCni&6P@3VaMW4PqR;G3g zo8ba{%MXrN+cd2f{Z^o=lQ2r0w(7+9)1uqkw%cDK92mFBQG72_;{xGt5uREm*P#lS zk-TB|U#5)a{)TLJf}u6mTO9c~`MBEbtX0$^xI6EHj05wU;3L@}7zoCCldRlhYq31? zqM9^jr#yPYhM_-Fl5w{hY2*HJtq7v+&NsUoHfRVpYk#at>xVFTAnx65Oq&Fm?mjCj zRWGsVyRg)>{a4DWJ2KwCBt^?Y-2egv4 z%g4&1L|=o@CGk9OYuJks!zU9p&r3McIL=}-ScXszPpLgI;+*HSENV1^;IH|)z(By) zAVnkB2HUge^a}hz@F2Qtswk+D^_FGA2qC0}{e|KK<909}TP0)R>d)&0-VaUpwVlQZ zYU;%Yb8G7ctI%-Fwrdqo*!}g6tJ=AJa=7ZyW_kk&{3>_rk5-n*=&X6BU!fg${Es^<~v}IArcn{r+OtrvJSsdb(5BXB$?5(s@jJhNEDFodT7ei()-NF*cqmRG zRPi+hSQUM=;#Lnj9ATk)nzLwRP=4h#N%663aWTioV@k0rfTXY!)ty`saF{7LVR*M! 
z^a+Q@Ed_>)0u4R5(|OGR{RTOAIhSpmnN&MbuSZVuxX%^v=pe${Fb+OF1p0TN=Wl(X&0bl)1=nSf1LDT>+Ac4p&4a?mF`|qX zG2bGtdoIHeeG~#!q^!`|pdvY6OL5M(9T@9TX>P1Zzr0svYmv&UXRhP~vf&P zMv54HVtm)=NC}TE84OAR#%FGUnlC%jlq`B@C}?x19RlH#4wBvT5}P0o7rNZ1^5qf| z`Cn;g{xvOU)`macVLXW^)*$q^NyX9D>am$>}h2p$<(jK0pay>5vYy~Ego z!MZxSx;dR!0z3(=;^rc{!u9SqU3Er&kt47i{W8t(dIK2V1XHSXJgPk!wX7=){biPM zyp{o*`**aKyQg$mQS`q7X)0={q+w-KJE_(zdo?{uKZ!37*vdM-y97n`hDPG5ijxsg z^oNz7$AaD%_QPzUXk+U@+7YdwIljkkuw;AfNACYzblf(aAN?M>jW_YgopmgN7PriA;aDQygFElf?E0JM(ArqhYjwt@6WK{wpNCNpdNbl~8Q zfm(u8OS?5F^Q@QMHT0{ONTY0OuI2nnO6olW04JI{mRTn6eJVk=FMkR zoSn4o#haWPYb{jx8Mt?rfyKF$9j>;N9C|6iG;DCzvyBDhZW#~Ua$SV|%j^!~a3f7I zP|$eMf)-ClUf3Kn2hgT!3V@5eIQN%7JdxX+<#`P-1}%!+p)G&n{rRJzr6+;_fjAwq zQo~Fs4+E|#R57z_J7I7oe|7h|>#nr}cfFF$J+6&BoEL}hc8QYo zvly@C&O5o>e@?z>XMeB`YMWeyt@&pP&EDfqn(pyc#A^S;zNQ!R1@M1{M&N&IX#9tL z|5qPZ9u8%@#>WyuXvi5c6D=Z3ePj8oF_Vd`Gc}QAEQzsY7s@V7ma=9`N_`3$%Dy`Y zeHF(#G#uMu>|?SkKgaQpZj{R`?;U{_g=S`owv86EA~I7#)6r- z*B2#fsbQ5snd5mMA1SR5Z{w47h8?kw**PAs zP{#!rkp%Je((0b&0ND#K2xenR_$(%$w3wNBGvSrYs^HS|eGT{l?`ZJr%1?*YoM9_fPGM#l)TP(;K@UM+;mu_=~enS$D<7*j5ynki5}yQr)xIp|C_Z}ZYM zzwHMU(|V+A>hfIIFgmJB@+nx#Np7o5qIJL*))f{9b+$oZcAks`5IV|r>!Ajyg2nk_ zV$iCSl=X5#GqAQ@5ld`Ka3W*?O--#i8q5t;OBWY1!~_S#t=%;Pr<`kGRbTr=bFUW6 zntWRq)i@Nuel7jTSB@IbAdYIJN`rJZ_XwL><_YwVT5k_i6+sP>m_}3{m!A8&9n5bd zx!+l!VPh5)CsymT-YbwO#p%$8+EPSEpTZVj}|e05{1mO-|?9iuw)vowbQ2b>IVMpwU)V zXm@RK(P}4P#Qn5oe^^&S@!Eb~}Hij(*gmf~}SzmYR4-Pe(Pjgbq zXd!SY&(XtcsNes2$;gRCKD@nWo3AdJZz!Xr_&uebze4C#$ZO*iwUGO%;VOTojjq{9 zo-Z9wF0y5i0W z=#k!!Bj7;|$^`B=-Iw8c5Wn7AHp1}*(J%Gy-|zzDi5Rg>SB#6r=NGd&PY%X%aIG~5 zo`d%%yA|9D(>fgC`S{53Z(TPoX1RZKjX)%fV8wyJHPe*HkR!!kdUAmu^}`Os6Qt@p zBrL_feYcj_W8$uj6*k_XFvlc+eCazHm13lub)@!fOOsjNr~7izR^z6d*jMVr#GNHp zrmq|Ljwx6pswFqukt}gaue7v(Ch2fbvwyoCoS)yW2M>R2m5$NwWlDruXmNpD@7nT~ z8m6^3frp~q8uP?1|5Qw9iMhBF>>l( zn#eoVT={!T@RkFpbtw8GX4T%`&ZRtK^M#%CTxsrF&~u~K3cC^|Zt;nt?TP$;FEwCg z;aL7+O5XE3a+m#WPa;d z6kx^MTqAsGNO(I5V<9VIG+1%_o$HRV$vdn0{$eGe2s;Icp;;2?gWtG@Ap0a?8S_ZZ 
zVDs*cvt>^Qr=@e`!XlM@&Ewqc?}5(6cJg-qjf*G@3O7zNj0B&kh2;^*LYEi%r)MTR zo^^@D`gkchNN2vVuj(Ouo-(-MTse`E7E1!xI3z}$ZBV5^ii~nF+JO%wdCWCKZAmVw z%PWg6Ngl#Avi~3x)>bSRz&Ry=Ix_0^Izaxptqtt72Ahxd8J8h3yv2A>eKq29aBV%C zoIV-7m#=;8#VNshJ#|J>^Xt@k159k%DttPFC%R`IiV@JGv5BYs z`?QyYd*qduH%Gq>iop8S!!@eDci<%{G5O<}3&D;ulZ|qD5pwe!3Tnbb;xC|rTdZ{@ z3;wsvE^Uv1H*l*BFV&M!TVi!QFqf{Z;Pr{2utZ){FYI&NW zCn34SavSBGm2-oqQLFK%%evV$7l=bFiQkFmwOZn3vv9RinME#y}}vVId@UE1~$+<1#L`)qpP0wsP9!t7AsRL$y;#`*Wb zJFLL7y#b#>I<-lXT1XWz6Yjwoi74B}V5Dg(tAQS*_+H4(dwrpx*%*s8NZf*_2v*0L z@~>yqUp%)yQ6xON8ckYUlLjJQe(ucm2`@*bx$d;Kl6{J;wvVn zHPPEEB}>8-a+_N)6D{h;l$i?UsE4C8D=q3w%mRRe=P^-3&tN~NGwns~ow!7YpsCA) z<}dAKp`!o*nqo^gO{rfMYDQ&y_a5lDzve&D-~IOCp)1`7v(U6|y5aX>*{ysZ%(Q!7 z)B7+nD&Yt7?Dj}h`q%jER>luz+U=3qeoPEX`N2Fit(d#qJOEX^-SMMupDLEM|y+t%CAn*~9SM~i2rYYM^1Nh5AxX=HDV$MDr7OCxAv zZf{^qBWSK;Z@_P$XQgkz#RXw!Z)>1q0pXlpt|k#h)Ck=^Sy@!;bAF`uOPlu3}M+*o^H>JgHew^6+gk(OSwCSJ43R0acKtUWe|= z#zzM$Az|lC8lOA2FW(T#(idG+G{`JX`O;ssGg4l( z9g<(P9hvUCfw}Lympo4VhKuQLc?#u?E-q@d3%QIjzuIp(vF*$s(O6!uX2WrDwr(pQ zV-Hbj8=h2ERsEdN9XVqo|=sz5yjSbM=miQYvb!NI2B!6%Fa zCB%5P^t-RmkN2zi{cTh49#z2nlqNpkqw2>)W>vucVq@P|X!H9n1h{(sZxr5Atghgq z1q>Nc4Srx{AObd&Ms4t5_0RoJW9jI2Gcr2llV|qNz%_1vU-;g`ceajd&yD zzk@;vxD9=aMF|)a#kj}zuh{_-~b3? 
z2mob@t0C4W&%9M(xZmDgN8W_hpwqMPLb~866@-y}KPmZzuvAZ5RD%J;n&iYkKbJ-JE;UzHnJ0liTR)!3v3hRO3O-#^e zP{h>ULIO;LV)O{ae|z@0$OtsG(QC@9@CCEPhFWh6YzY4{1G|=GJ`k%Zng$qG1&od} z&~26vJDsq)5b=ehIR~2&z;dA~F2hf6EEP_28dy~T20Ii$-tL)nmN9@nZW}|)7MM~_ z!8HS@mSs*X@KyHX$W!?TGEvaK>85QphUg0)Ix!V>NQ_C@+xqL-4V-8crey$qA#c24 zz-%#I&|761e5NI|8x;h9f|GU{8Fl+c=JCf>`GS+^r|096@_N|$zq!n77jOHu$p?UZ z6UY|n`zEm6Rz$#0Dn;w zOe9J9VuhIW%?dja!)!>*;U8A;sW#!L3jZwgC<>0AKm;-Xn+mh2MCZgvjf^)Oje(vC zQfPe>Uuu2eKMM5-#Uy+3KeTj<@k83=!~Tm_$nbw?aiRZ*7Wuzu5$6A-xRDivfZNFr zXCxUa-Ta;=J53mEcEYN%ihDU=Ix>_00nIy()qn{{@I+25GlK zP0;8MtjwKoOT2iBsvYR{%P1>Brs2cmHe3C9h^i#- z;e`sz%g{(G72U`VZ5_Eqzrs$>gBb8#!@k_%o-mc8g^mL>eeuD`G~R07^-q8CFcH0% z_$zxQy@F*G)oV%tkj_q@+AG&J8X6tre1E?rGw$jbK_S zRri76wH6%Unh*YzT`%>>kt%B1i{1X9UTXJ}d2`|RL9bl{)D#`d?oOi}7{z`GqGvYd zNc82%^WbwI1ZO#~=L;*HQ$}4`*>+xDOE;_D3cWN-NQCtZPlkoXDj;?-38~8D`-w$mf`>WQH1Dw7e!l1fB$s3NO6mM^lJSZ%20DW9N481_ zg*6W#&mLe)h%9#^*55{NArT;a(ATn0jOP&yC@@)Sh3_ECisW|2Fc*8N>;8Rq;*c98 zN`5}o&##4c&7BtaF`PatDUDB1cVAS^1c|ViaXbo7du z7FrZRs6znS#!QVCYEUU;tiPJ}4>)V1#a8+A1NrJr+)|E6^pH|)wsM;+|4sM8=V0*p z2T<*_UW~RInl4J0&|XPixTd`LTDN!C;kV*+ulOTdjnn z`imK1Xw%uPTXB4Iu6KNM6kb+ zg6iQQ#uUUagF^cj^ABkC9s1wi-rK4SXL@gC<&{Awy4vudF91M4OCD`NcR?Rcm*|`A zCW>c29Em^`&~_hf5p$p2pEVkAYFBMe(esF6^Ddd{o|-LizTC}N+sMZr=B?NY`25fa@8KZ&UjMseo z6!)Dg8az35rUFX@L`kHc&4ow8pF-iMtbv7P>lY2~a(~8TC7Y{Nu}o`w{2)tboQs!j zCUAfE9ce^mAi3Ew>VSqidTN8aUXa3wkQUf@wa)ACknKGRlk7hdf}vS~^%{m?4_(Tr z);I1x7)F(+$nk+yUl>P;+W?cmsH9gaR+G$CJD{QUIXD9V`pr3UGCB9T|2_R-KN3D{ zxdjnpH+jdE7#VdjVuJhl!w=LuZ57_=1^0qFH3q`KQvY8Ezc1O@5k{PNJQLBPb?XOBlSa>JylVHkd%1(}U`f)s7baP~B+L(=oqa07zz*-UNw^+u8fdgX-5nv%iZkBbKW_JD6ZNhT13+;v zLt$x$6~{E3m9BnpHX1&_W7RrN;#=LYmZ#v9ad*0(^J@* z51n7_^Kty-Hpdksj`F-zc3`-~zAgS}u^UUJyTA%Fcoa@|Bn;lT6oivlj=)1|#N-Kf zVe#EMPkx9@i6Bg_*78b;V@ah=*cPhihIV{n&z*^mt90@DEuh4(SmqV9NxQxp%!&$* z-z5v@*@55>AjZ?A%nc5h=C2%t)2U9lk2PlmSma9N+!<&+YBMxp65aZD&B@hzh=^7ygR)!!Tis7k4 
z0=9?a_0Gpj5AG?Zo1^Y?2vfv`FCfbi6yy2BLilYZ@ekTj=rxaN7e4R$u;{uQJ_6cOGT5UUASEJTR33yA6G!;XQtAl6-uK;8mhF;Ng_c{CYLtZ|z+}7a#RG;N^(SO+ePU>X9K^P~nIK_JS($=A-D1By zz;12B=17Eg#>-}cXlW`3*eyyhpr^`kyjlB2(+lO8E^UFSG5lSAmy#h;UArnC^ATO< zKSh zlbqyM)c}d7dC?8Qe-kU}bcv@dk_)OWxuf)e(I@ie;jN#~Cb66Wwjm(kLrb%G*_JEA zu?S?M_%$D0@qlA7Ie4}5FBB#5hLMR7=VnL>xM8thBbH*{3tZy{n!55?lTIKCH!a55M~n0kX;*i&JyVpj}oa~F4-ZZ!)&t%6EYe{Bi+0s;#CPQ+0ob=FO^jOBc7G!K|w$TuWc=T8m#A zBn`a!>s|CE0uhuNmm*s0)$=j*)*UuCk*&})+G}(}jGAYruOIKHTxvQh5s@lr39McsJA zrt|`Jal8;-o2Xb3ZJplGRIr!_sVza|;S)h1`uuS}^9%q$oCFI$Hc_=pWTM_ z|JrTX{vURmfBmjOheyXq%f|e_|BA8h>gFy#Uw@@}nC@~g#*o4w@{`_(e$PNN8kFV- z8!&?JUlCyfbXp=lLtY>e!yza=Y(te10SG9TwKZOvfss$l#f!)$MTdJpu zd%$yn)ljx(v&$5J?}gV_kIu`=%dvF31x>f}`UOq1^ZLb1qLofMVSf5Q&N=pXFTJoE zw!Odoqm{q_-3AMa+MF^f5w>^ztykH5&D^{kw_@e|!8H7ja8y=n^X*Rh7qRg9(|Ltg zBs6%uv^~%4;qg@-@uN~Sf{zp`7j!TO<4iQ#r^RS!X*T`{H+Y|yy76Lvgx*JK_?}xV zRh-{zVR-s}dJjH;HSBYFSzV1kA1>;=65)$%TazLD=AFPK%*)Go2zvF?p?}%JGKc*u z$pHuYl${j(H?e_DbIRDk)sIeuF@;Jo?KfLLKAYU^jD}o+VUvLr$@AyyOk0jifO>Xw zDC-c)1LrBiK`c^DN_6$4$?2G!2Hiu{XOimCGU5zgn7aU1+T1mzOB^SU?q2=yT=Wl@ zIX7)m+*rB20Ixyh=Vl%BA5k%j!?%0WUVMWwuR8H>@H4a%uz377343I9Ib5)KmW0bN zn>{F3(Z96~+8Lr7(fu#CnP3NoZ00OU*(4o%2yE36w`Z$%qtIbOf(P zHqqJow*k#&r}7UG?j?ou0PkC5jluW6Z7^aZG(v4iwe9^1M%L;OHJu>?bS`=Y1jClX z^ooly8h@`w$wR$8sf^^csZoUCnd3QsYig%tXOmFz0#jFJ)3-D7odw;n#VI;ZW^_r( z#&D(7f4mRBjZe?`%*BCX<(~GLL-o@_SPrF9_1MhB(o}szTFYrVU^G#)D$mhI;yx!p z0WyB%`S#aD7KhP8S;{^`0V*mo%HDy#k;JW`>sm26b7{Z1C_Tmf#A58E@ypISrO_-RbyOIOa;z_X#I6iS1p z%ns0sjk%Fk+`~;%t+d9Jlz6WZB48x=NTc_Gk9-&I+5kyvzn!>+?nr*27^$Aa_MKp= zmY_Cs;%Mn~$0jeg20O$Agd2#r(iZ4Z?pv0yH_L2jSsPy!=uoK4X43p@1Nn7^%ipga5HI5L&IXc>93fjhnz$UeYIeIv_ ziWty_Y28!A$5IzYc!k3pou=8?Tm9%RcHQb8TR)c|MXsV4(7LU7T!dhcOdP28+7!N@ z;sUJ~wwK2?FW@qBE9YRCIa!vem4n+(YcT~f`jGL_%9}GDV|`z|02tYa|6s|Z6wLtq zhoimnBf-I#ay1K<*tMdBb5e=I`ub8&AW>kyEXshen~<)2SyO5`MYC&_hm1PN$mr_S z4J$b|M@Of)<9k7TJp3ksC?!=N*=PlhIk^46+Ia;)MXO|U|9%KL*Im`*D#G1#6(8h2 zwo~=iRkgB-smjWc#!6LGpGTnzCu>-!0JwDZ8t#paqXQg-%0q}}Wc$&HHg>CF@8 
zb!nA%uO%Bkn$S_PjM-o-t%Obx&aRyf6`zb+!OY(zwKks0$yMUP_!ks*7E>Is2J&q`<&zSSTUML~8B)1;Ol57zB@L1`If#eRj+XkG{{~DD{?3pPj z=>ZbAPn)rOJfFLkA)z)s~%T~%IHW3ZOKYn-6j+;PkIN#(u|9+ z#l>LMir=?)2@ynL8nTzT9x@|hRkR-Kua9kWrCHUw5GrQO6w^}xn)6|9THCD*d^s9} ztDizOkri^klB~M{R%O03b|9IscQ5GF<2~J9_^OhAKQUR!&vvt^7m)jS*tn6u_qn|C z7qp6m#L6r;{6cG?BBLhGkt|0{ZQeyAz5PKJj>!yzil!79bibGNZi!Yo8+v)K?kWu4 zbjB4n&FAB@93ir5dP3%+JgCPIs0oVmL{k!XXfY@`t*oz(O;qJFCXMG*MMT{ojCSN? z!K&wh85x;*6A>hX=xJ;o^2E#Ste?6`+4s?k@bq!D z9uo{OCgczy#5c&EHLe#C5#h9AxT&xwH))o-QMRZ@0UyJVmo1ghyx?n1!E{$E*Ur}> zICtb30p z$o-c!*ALb#b6HW>gb@=qHuj8ObMh^hFh3fa*@K)9)g1<>v}Rt0E0o&RF?8VC^~|}g zTD93w5t|IF)F5Hd(d-H=)#(jlVoEY)<1NY+Rkd^0tlC3_ED1-K9l6+EB&M6PM?FHF1+h?C8};g3q{B+zE*ZWC9f6~ z)tl-ZPjxZWO!TyD8;uQjmrvadOl!z6BwXY0geBtyOS`)kPwrJm`MYw%M8hod?Hw6Q z%=7clFteh@)il{l=VVTg23 zsE9*nBRp=CM^|izC8V@T3IX$2O(_F|MhoIni;Ii=3`WMaWEm-El#8;ut3J??Xv%~-ilxG*n1ay!F5VB= zpIynVH#2m${Ulq>Q1@CVtJ2cb_B?}h| z3kp@_WS?BMLKW(cLiD8A&xC{Gj^V_DSg|C75Ra`5Ux*VDc41P5g>ljns2nC!fZ?K8 zJ(p`Ul!~&5=)2NES-4rp>bvJWSi-sb7c0P!i9QQoZ?4oT!YJzHArB9Grq!M4Q5_># z!t8wP4uOUPcAIHq!wyN7G9Z66Pffh2sv%ylG~jR7c^#i9nC&T~N>-VkbQd)2y*Qq~}c;hoNoz+3Rs)Lz0&%G2`l{09J+H)nF%FK`LPLypb?MH~0$`J#N@O54C<5Z)9J1(sx`;?sZ}0M-S!*cBzibR00b4k*X}^ z`jlfBFM6x}AZ4V@@!^Bw{>w&sO&p7}eyGwg+jb*?zONN_Iu+3{M*J>XFL^3rlb;4A zA~g-+a_Ay1xsfux^;!PELi^4sJ>j== z>kT2`lizRCiZb}f-rzCGX0#iK=_)XT=;++7~&VSN^s z?!~$QV}7DCeZNnml+OBcW+eAXTyX&fOs!sj|2!U+y>r;P?5Va8AQ~XcJSnqgJ%6GB zyY6Y{I`2CZx})-Nr!vYsXhCkyuSOE15*p?$V?~P=7i-^!m&`wPOodUFf!$AHY!DJ_ zB9>dkFY4?!$DXay+uovrXOg?SP z!gAoqY)xoQqXhkf3j@tz+QFv1g%=G0BN$OhFo2*C;Z@!bKZMAI0Xtdd9Hw+x*Z$fz zLn;gtb+njrYw{N`q8sYq2vj21$c_lex-O{M8hJi(&lCsE-KJL2d`Z?(cfmBcMPU|> zOq8y@UbtP#$>y9ByDGzl^m~uirFml|g`12AYUyg`X8!|r_^Louhcf9Hv7oX1z|o|h z>JP;ktSq7nB%MG0OuC&zOd-<5yeVMI1WN*N{H(-1g9L5(Kv)Rdn%D3#m~c+P>VLvR z(+L*Bun^SH_f?6o;iJOV2zM^|Eu+8|35+T<`~`I5hK339g0B*vvWMC!dthv$hBPR6 zThUOO`9JMr_(J2rbCSX22PCgGWu*C&NfJY_;B`N&rd>vG`L=1CWw1v9^6F zPUC`UH*`Q0?t*pB1!Ub@DkOCoR!71I;+^+hdlPys$0`W4)sgZ;=4o81$%8UerZJm8 
z!uy(2!K^wty^p^wg&b|N0jV^Fi0vcEIkNDIpR;f)+uI~BEXb~nH+b+iCW+t?+4g6I zD{qto-oR~k@5yu~^m`i11MV*83HiOScKsv0+UcZ!<2+L}eE4By5H8o#kY5nVO&y%J zn_j!Dd82ZfYlgyMym?=V9jh}}@y4LqBdbmjq9i;1fj?{b{x0|-5ywE|$jnGBw9A6z zg*G^u0O(^)sQ5c1#mv;-Hw?uHszb$EjB}H5ij$WO>bl(}8wZfJ$p<(J7n$XPT?rC` zQ07)+_`7?qZe*GQ*kydfAP+~hD!z7XB=vJgwCY|Mjyi@haE?9`N7~dYB6{7RWj#k$ z!=S~psvu}qP7)y5S#kNlL34vCQare1{4SU8N0;*zLBuS1b&f(lhmYv zV4kFX%K9t|eju~r9>RB0K?lAO!@V_u9&ks|M^P+Oh{=iRYaDUwgyap{(Q(lSW6qNpPywrD&HLaN)G2OrNjCrpFB3{-fI2JJ|31)@LU_*$Ig ztJ5XrZ9tm|ezLv%8bx;=Lg7qZ9Y&&;vMEHI&J)XwH7DR5kjJhL&6zh1ekx;+#ktjw3F6)rQM`ye=#UhCdK7n7h z$nqs+Xw|nxr*t>Xkm^xs2JY@6jLnqOO}6b8hKx&(C9K+ND2r%g&Ac^9MWPZKL~+ zg@W#u*ii+E4(BaZ)CC-Qv*L^7Er9DV>%o$K$d(wThAine02kv&emmD)2KDEU2@SKh zHF?ekX|Ve?-p$4bj0Xhe6ET3inJ?$Vuyb;fL)PsGP*$y$llB_Wqm@H}nS!8fjTqxv-i&&WuQI5NjUsVY?akE`< zs##%W(;GptvmrN}3@Hi$g|;+4V`*0@bI*N-9s{V@s=4tEZ5hF$e7nUN%1CO^hSe{X zK;^Eepl#2av^+)$Rgk!Jv&iaRIzA_KQ?@keUW*Mpgh6DJ5}`A#Q;m)1r&Oj55rNMt zn%Cw{k*}GSWBVOz7Lnd7ml$a~`kPmE^<9ZtCQ7sBF?U+vt+wZPV<~PaZjsdnsvq$b z)F_vZ?XPOVv@qL(=-`^E%=8m+5&U6x3sd?EL2?xe@o`~Eslj|>5vRh&{97EZ-x*RO zHi91HsvBt63MYZ~gZ6LW*ktU<%BH(!7CWe$O*x3CVI^U(EhE8BJI)h|NfU8rHqOqj z!AJ)sSs#yTdgx94foZLkOLdmJASX!-Pc75QwYL+SpU@jz6(74>xf2Pam96x5y9(|r zrzaW|o!QToKA9nOjYROM!wRypj0Drs#d1)r(0-AF?mY8v7ndICN(~9iy8*<%J5sx2 zc#+d!eP2r}=g3btR$j-o=AvrTPSTY0_ZeB{Du=c+6`YDWni_?8n)%u_+RvN0D=ax~ z)@m=yE}jris?qL;cz&n%iD4wi~uPy%>NJV>ZDp9KL)VSzlE z-{GFb2&@(cgw zPEeQHbXKy4jb^ljK}X=~dH~&XHJ^2gv;5`Pj%4@_FB|q4eW0s5$edlbw6N<&;m3`~ zx0YVLyTYcoiMJ8{sLPJB*{>|r7%e*U$H}^_MkF4}59+b&Rh?w9AKH%4o%s{slUNaz zgGrF{Q!6kF{#^3>wPm^G^iI%ky=u+6aXasNCeJ5Ns1M2};t41%BPm`+jV??@W`fxN z3iU>UU%MTBibcmSjPwk!&zDL#96^{C@RlgUo>Uv~@x~0H>gQ=@7Kt{M2+3!Px5FMi zeY*F(GGP*t_76Hf2_R-(7DnPNBKiO~*PYIV&?YB@s*w2G7GQIdV|Nf!AYVW=*c((* zZ9H_KByYC5=5%itS&}^xZJ#}eF9hfm0`)ZSdLp%@xG&`RD_)?5IQ4Nv@TETm#v4*y zf)~&csorrz=I_ElD8s}*J%E^F90LCUF~`yOmWH(~ItsPYK>pnG<~~W{;N7NrUpH&b zv9%P+RHyeCuy?T`t7{-7qk*~);(Pxvb}FhIYPwRdL2zNKDY_Se+#~kD78q?=1m3N) 
z&F!R-MLq$i47LY;1?u)}mgXvaOfL{Grh$17BFo7$e!0tuWk8Dm8;u~2F^3)VZdSxwUIIYc1(E7S}kTXEgynze-AYkC7^~W+5O?h#7c^zJVC{o*N zE~+ov7}d1RQqRkYXlk7&Um%o(gnpPHVtT9KuX{E(2DBirhr$Qg2=6$`ozr6=#NN2Z zI=04*p%*_4FyXq{Yn9zN%JUf={lkk5wTDNx#E`9A6~O()8LVJS%j?1jylIkfRc9+h zH*cilbFTeCd$+NdQ&4B25#&n+OE}-+-&$rTq1GaMugM<*HdIrT8OCzWtt@M}D}8em z;r4f+eja3lxL1|O7srtVQPf_Yoj)Q1P);v`Y4!d>?^ShHR=MhVkzw%@D^Y4X2ExsU zV$vg=EF*=}o^)u_!evK-Z6Uc?!$Dkt2Q17M+XueLwEw9qwT|t`$nGG6fgb+&18^7~ z2;pFUmQT$KDKwaH>vR`XMYFaWMUb>1EThDTk*TKM=5l*L;MGHceH2fyr~bz0F-^6t z-GlrdFJ?7Kf9H;Szan^`${sR6Ji6CHyHfZwAr283`AEn;h9*|ee+8xwZIdFGD`%=Gy z-lR_vHzfL(`Qz3Q2$&O|0&Y*dB1wSr=hYJKMFOd_)|fE?A`)@Yy!{&z{+$Qs02`8| z^^>Q_x;R9=bNs#ZxZCx*)B+(jKfBiyHT?`o3M%0eqJBBRuBZzOp#WiSi4kG3L5{d8 zZm#JIPKX0pHR7NXZB(S3Bkcww{Z2X`m=m#iTco+ZX9ONGHVaoHnCM4^PzSdlMv7xv z@)#s~W&>eaCB$k>U)v6|TG!saZrF-0gDLO6Bi+*E8M=0^N!dNIU`6*)oR@TDI@+n! zQ$8#=eqMx`$RHBY+4^uMJV_(0!4O!~pqT%7ZQ8R%4GMj2a@I2U#jWO91pNw3-{Y2% znC|+0j>nGdB9Y>PVS{8V$wA~@rue}!Lqo8Tm=S@bK_E0CmTpUwT4l70{|THZyR@dI52mGG5mDfqCC zVY7U~YS~Z(cGOR;s9e{86cEzN&<}78SD8VB5T;F*>IG&=)%x8`Crt5b26gdpGfZiP+aLgtbzK0MTO*a_ z!m&e-n4mqG4l22I?0h=btZBI0K8jSF10!V_bHKA#zxGulrbcncuj6{KPQHI!V?DYJ z9yUjfyEQ&f-aZ-LT--S|JNZ~qYeoa3-zky0k2q5}-|7Y7@eNC)$=+(cC8uEpaDyXX zG;SpCc-}^sJH4KAXma1NOKH&oM|M`A<8a)iEzTA!Y`w-TMigL-(h7%yz;MN#D`t+V zN#}B=q{uNq;Sj%8yI68+1_bInc~48g0I=cVO2gFQg5ge0Ek^zz1eL^@+5!}(nbk zv;{T>#>|?#TtllRhq5KmegTnK#Qx7m=rsrKhNe|dD2B?4=G0aH8kQaGehyzJO*D0# ztzPS2P+nkOSO+aVTadk1OCtNBw5bepN~ag4$aN<$ddc zm-7^6>q&EaO-ki$bL};TfgH_!8)ZC~5XA0w!Jv>@!;9DWo)ncPX2AJ$jeiAA#)kTY zY)!{s_PJF(cWpbeEkj#zF6&y_*e8@0H3p&mG|0<_ZE1={>=qZC*TQUOKFfFryW&-q zYUOu~8+`JYRdr1c00oPDnK>#*I*pWnJA;rT870OB$TQ?{8&4C zy?!{)Gd-D67SR(c^C+=0q4f6V^#KGflY11)8$k^b%)z`xMCH%96F8#q{X@jt>YYO( zjK+=-BA83WMHGvR|9lsM?Jb3%<1fq?LSEU2dK4#ZBMwD7A{>uU-Hmx1S5KBmuZt=g zEFNr>zFRr>3D};st@uCW>U<~ReCO)0(b6;jCs&7#_P>*L57X(o1lWN_^7+<2m`vKnnn1Al0sQiK>%psZ8Z+_S98Nl?KOTv z&>ZFJFhNyt8E{SB6N(GpSWIJlEzgFGdsJC4#h%a(!wpvrD?Tn6j#*S6ohHI%v{WC& zv$#5e(w)ZL9(sS&&|aqpKZ#cieq3j$_y@%6Z9nd0KdKiejnSDy##b7?Z) 
z2mL~9XU}Kvu$G|Ijnb1B>$BJy;gD92AD&l8rtjN6m*$!+pK}1K9(Qi{-TEsniVfT@ z=N6GYil@;$G)(EvEi`XoOYi>>nRNeKrQ3gkkVeiy*Zw;q>j6^MCCB(f{T5?elHN@?W<9;D7gh+x)BjXGEKR;k`|$pW>;E&-|DEIg--Us6jNfkmL$LpMh8-;n)BllSx6kJ0 zF1P4%*!p;~AEYTPh*wn+Juc>nuLI=21=)Zs7pFXcMv2%}L##&7kSDy8kjE3QZ^KU} zDI{Vt(?h@Vled>CdW%S6SARVfwcjkwL2Y4&WPHI;$518CGJomyqIt1rit+Wm;k}V! z-L3Psee#j@a7dE0F-Qb(7%mY^!=u~3O1n4+?uHp(`(h>LV0pmlfPhmJY<4r_==gQz zxz&>o3>BZ>uA2ddx%N#FH8wLNRMwk`t<)TCy1fKy@dN3A@fPL_j-)|QxQjEak zSfiA26UEvcYw+tGYxR{HN2lqgJ0XI6^=(D?U6zL5H?f->1@hV>g&4x^l!rt`0~6>aL+?9gYa z*nPu^#f`wcrY>>o@oiw3nk1z@DLx{uNbc$6b;M_*rt$tF+YLRNMCAIP6H?f%+d1ea zr6H|YBeFYSwktMMEj&`>BRDo*oR3`h)gi7qJFIi9PIkD~G@h$Z)poV) z4zZ0VbA>BNXFvB8&WLm^lEdp~V8;QEvBAC3F?Iw!&yfpaFJ7E(Hk<%5w%|AHJyvr9 zH8=__HR0qwE7?@yAA4zgnrA(0`70dPmw8u@M$@-K(vvy}#E;q}(491yPsx-AA0bGQ zpZ;w<>{E|M!*=remw9CcKI;RVleCK;P@qvUIBkAck4J}qj`N57w_YB_k2@{e+Z(Z_ z#yf+%Zc~p=bbK_rjMNZ~R;I9Z^%Yhsi)U6Xw~_S`TFSH5t(6@Wj`zQ^4fic5EHygJ zkEz5;P!$vuBH5d?WtK_ z%ABsGDfsjD27XLPIQ>!-s^=}?51^sv`wdT^F(h#<>+FlR@EuFz{Ni%P#2=Ss44KQ4 zTq0R9h0qgK89s#@nPG>TEL=*=2`+Yhq73W{-)IV?wo(awKe9A~)7s@AfjBkwtrA4k zwO29B2~Nty=93eF#=LqPjS0zJhd8_v(Fkg;SMcuRCTcHxLXslwx%>gCVBk>kaREdUB==h zU(pHVTYeDC;>!e*k}oKR#HQr!^>L^tuMQ+Olno_RfH$Ae?Y#Qw79f_IrNyHq$;^3~ zILS8BMn&i~6S9&4S#>x*()+u)Ov zr@WGvbGWLmqtu1GEzrG5GA;oD8&QJ*g<(gmbZUhr0ge(F!WzTL7VS&^vi4Bijcir8 zyH>SLa+4}TpEcitp;i-Xo0Jp%_t1==Afc*iPQTF1XKspG-OYutfzjgV>@S}1IF<@E zxlK8^fd-WY1sO{PsaD-4#WH=Ips{*qOB+;D!@M8$krfWo-_HE@a}dJJ{g=hY3?1*{ zb7gEaN*>i!NKSm9etHB&UeO<#7{aLw+keEK&uPH?^~n-)!PqY_fOu_IM6jYO@C66Z z4fyPe@qK88xAjA5hsW_HDR$|RgerLm0>p>pz*Tujk!SZDu(EHkgjij)nYeA&J z9(dwag{JwU(dWP&QwaUAe9v^eP90{;&n=7~!9u4=F;uBEl&KrQNH7}{T)BvlN8Wve z8wl~3Fv)x7wov)4%ljCc6>|trfaoTXHK`6-6~&$~z_kc>=Mgmhh#>^LchJY$wSbF( znCsc9iJw!fmTCt^Web3siu5CJ<8$p$uZVWK?Fhvf`|y$IO_56t9aND=@kK~oluJNDkTS$&~w@>KoSR_ zh;?-T-EAT$)y!9T{_*@18>xz&$4q0K*F4ffyR8jX8DvEzEXc|Pe2c6 zShIMAsc>blIY0$%>CH*Yy~=g*w9?H?^rWsqDjE0u^=a2*QT4KH zTFjHyIg`K|Gc!Mrt>6ErVlF;b;e0VvIq(Tpo6stXfHdQgS9*;IyRC0R@dIi 
z)(FxJ9X8a_-;h}5O+u~VHR4vSxLXW9`Sbc3v~r<|435Gbsf?F(vc|U)Ej{y>>$|<3 z3nIuZK%JfjZ@9vV;k0^o%|lJr(mC8@gSwR9`H|-zih4fX#e@sdm>BEQyFVK-u`Fqu zwzbx*hoNbjx6xV7oO(ShgIl*1MaP|bnTa|Dh6~AEqA;18vxlJ_S=1eR(U2$Tux$Oz zyCl$AS>6VqFC|L^ms{7Xl4GZ?YD(h+V+V`$Q%fwmRef6uoi{jYkz2wNEq`&ilA4dm;Mh(_h*Ta=YYU z4byPF%iPsstHrO@!@WIQbP5@)z}8mN97xq#h&R1#YpvWJQ(OE+JaWw4>FB+%GY}HR zig~auZWx{6Yn3Wep5oJ~3CT#Zz$I5sat5^ni!=cM$)XoHp-pxJ3MGhr3VRePct&d; zr1$;*^8gGuhy7BwRnRYvy&XJMyo~a4gfw9v>xEg9$q^4o*d&sf{kWYc7*R#~Ji50WHLTh?Pog{8nF2m+4G zDz7cwoj{(a_X|y$Ck}$7Xy|`6bLHVscW?iBC^FWvWH$MGj^4ov1FH> ztjR9?RJIg~WGRyDTZ51_OHU?Sl1lcS_dBZRk*D{4uj~Emo$ETj-|POKbDwkW`#$%K z>+|{EM_Q(DIZL$U(*{2|a@NW3+^~B=MNkDgb(f`UShb)vHH>~M7^Ea(~wz2Ey=)Kqc_^Jf|< zd3eA1-Hj4JkuEYeYrY!emDtdz6d{OTlmfNk2huACqEq|NAWwOB%00yw1iffAcAd&N z{W|x$PiBe>7hx%80C$MA7CoW3xkO^Fx=LKAGx?LTcDpIOqRZpWJKm8T{lP5fxeep@ z#Vel|uau|DZY{|my=Ft(JimyX@Ue5LZX^||v){k5>BsA|>#KRqvOu}>3eSRZjrq9X zRk}qz%!dT}#(TqO+kZYz%$Q*;QKb}4IPs?%jaG6!frc*i zT6(NlK#7)7LQ1~I+elsq9$J!^=eiumIIrsDUE{AHp9RPA>9p0$-mJAABv;0!bbOWt za&X6duu1L7FmcmMk;{&ncIcMymyD{hfk%DX641Qk%H!K}yOX^-ra>y1lqfFu^y^Ov zOzm2q{O^hMT``vT{7XP4u!D+Hx^)O_9?HPAcICWvsOGbaAKaK*Qxw@bS{&fw#b^6X zomS>{mKTWM8iM@S7F0}kUj}cR`q(St<#t}pGd9qOZXLhxd})hVw>=ZdO`;Yi zL2CO-DNwW(ERU8pl)1!&gmX_aTb7UHZs#RT8gV=*6OGP2j|WlaCY(5|CZ?6#ND!k- zJ$a$)inm6NGaZ~g1J`NT&pCM0UaXySfUW!UtE0O+t$uUW;jWo$V{2GzQ`Aio=)rsrev9H@xD$MfU%@8gsO&>%Qy7PK+Sm!6m!0oXp=J>$;ooeYTT%7U z5j!Ae5hCpu)u)_QZbLO{&&njELsc5-7~t#=vA35%dZ%aw-I9%YG8?yuY;mW8N~)$x zG}PY*Z0ic~LA2N$U;7O7$>Y-bWGWm6c`{R$HK!J_n~8-^buaiE1Mmt-V;fDiH_Bx~ zJ!qG6x?$%Y_h^Y**^b2aZU1@QI)3Wz)XngxhB4U78Ru>L1wUOVk9rvUi9wbd8-^to z4EXpw7n@?0`MlKq9}_eC>XftxMG}K3uH2c9-qC{WDtfKipd8EMF`wCw`K!dDn84Y0 zMp7S>dO|sDx=67YU)oInqudaBt@r5V=d}TESFLtavv*&+$6E2z(1;^G$-FUIQC9w} zkDQhiPj4D=WRN>O9OKB#_J@g;1SO8jpxvyDF5=bQ`*bkt^LVOA0}F|P5(7{H%Ag75 zl;SZ}mCHU^o_*{j`$eH*okn}Hh?y3N%`L_F>h+?!7&C+slV>u+~L;AW`^VaoDZ?n4Gu{bG&exaeEvD@3@ zA-H&jb4OPBGaD8oZxk|lhia%AFfAe|E0AW8hX~GX{q&6X4jsxZrb@X`-iiv|` 
z^Rb`VU)~mFoqWjTrad^r&3&3=Wx?a9Hzm=uBo{pzGOZhZVQz(bNfi?+PEBpkupnb` zyx>}KNVFbUzu}K?b=Ea0y#^OngkD4G$yQw@YgYDx_ZqA*=dWdMB}b9&E&Y)>%9LKX z*|xkD!L8n>3u{g*xP*VzQRUrs>av_L`*4d!Q3;Cy1s=9`e|)-QHT-VEeCF_aXzJ+m z1lbD>gi70fTdtLIE50GulI4bo`PfZ3oGWeYjjiB??hu~n9u|5wzFrBL_02j?)ApU^ z(Bd#tzU_5~>{P-fg&Q*P?)1vTv=6LrZBeii&F>R}&&Zx})JT1QJI`&wmY$cPAVWmY zGkwUqO$ear5WwwV5Nfu9V?`@CPC^=+YK{9nUIM~i~ ze%R8jFZ>f0-EpTZ+wp6&!{w_ge7=ti3PilFt`i)3Ca?^g56X#~z;DV<#PXbWK(0&c z!rQ^o^}F-kq@0cD+nRpQvI0KuY;K}*;HK3?kMU*HWy95eyl92o*QD10xD2K|%T&8Z z<}IQzDm!VrvyDN4R~F`)dO?q`=I12cl3rD_Oztb>u1o6IZu!gQ9G=-N*a*x0jdCG! zLuh6iXC>%<)3LFN&(+8-W|e9xkSP!{uM!82ORz4WpR}WiUpPe4(Ky=dAUTZf8Y?E< z?l>mW7+F}a&~kZ9+QmROaKOP{ds`^*@*s=Ys9~#sos&ld7N`DI`8~SnXdEt@|38a9 zmR&($D(+x`T>f{U4&XmBonV- z{4^^%tHYvedWTlOVaqU>RvmeIodlJ?-6pA|bFFXeqtTn<`ZH0(u7_w z>6*o{xSOyTs@k}&k`))9EQ#2PIQ^jB7-qU$MlsteF%U^H4OPSi0trPHId3zyR%%{3?KGk=I(}0^`Aa@Rkh;bb6Z^lc(Gx*=AfIFujv( zSeDatx^auA!9zAZil|SGC(z29q{OVWyjsghBp8H|IJD-oT~3ZLt5{4s?O-{0^Oe#y zCD=&8C%wX6bAS|#bxS8asmDq6a8}%*zTS?_#u=+J@u9a>TugyuN3K%i2WELjW)R%ZzqSpzg0vsfzcj7vp!cAlBBQy~q89k!}PESloo7r(HT0yoi z8a-xabZZ!h{^dG(4xO-`w%Cf|nyyHvwqUImKd&%+@@Y1P>o}Z%GP>n5i*i%V{Mx%- z-4_$;9#YA1$vX2Dr+GE+6Ve$Yl+m_yy44PTS;+!1F222$W(KghGK@1M)_4QQn&=^0 zTK&Xrx+{ZKNm%^Stz=OD#dV*urLP!6byZw%?_d=hoG@Nud83kum{lv%HGTTK+#yGWm&jqmRoO6Eax58YmGbV!LLXUVR zqSX`L38_~KL{7E&H%r!6PzRMtHl~SI2pVwD)SP%dAMX-Zv06KK|U)|FV$xByC?uZo;v= z`%D8TXPi{y*xIKa+{Cf;_8Z5zJ>I2@K1V3!nyMnOiON(xbjs(n>U0eg)R3z%FHGtW zWlBj)Hvyg6HD6M!k~Dtkb^2lF=@XYZADp;?jKjBAPu_ZbZ)L+psKr9mS712yJo@Ye z$Gu*hXA4W4b|GrV{mZu~$MbEPbc(K%DK*Jf?aAI=eYQ~}vDx&z<}yUNW!;6MO%W+? 
z&Qfq}UHYOzPM(#FXd0teOikels8sFG=xtW$lw6 z!yi6dP&`I*;!G>EKx)f_#?-o=UcBI%{7(C+h*#pprWwV^iwQ4LMXkagWs~*&XYOA* zn(dhiel<^LbYoOK3uGLC_si9sNd~n{x9^swPa1?^UF;2n+-sMz;~i2m4^;B0cSUp_~*YF=dS!Q#G7AFWI(gNd(;R2d8fk3TR*0`q~x=Jl$5W7 z*SOg;DIbqHb`F<5b;NQraa`bLQ^P!4@aVMrFyz%d2WcX4tTW(!3O=y7FLAId$hh6K zlXd-e2=5~hIG)1HEc#qD>xAoC*0nWr?`~zN5-*e3-OwaMXnd{z#HBG zZ__&rcn|9%wQDHtOy+A}RkW7o*EICR&Drs~KLRy1`3$|e%mx}_{cQX!wI)k17O8V2 z+XhQ0y8Maxj^^~HOh?qEu*<F$-8jmFEJrOF3=dbCL`ysd_)dz=#*Xa12fu2v5O8&SrjY{ zr>FFnrV-h}ryd^Rvm3^o40jXjPr`K!KTFu9caUtu~iR_v!v)7J&>b}8=eb*@AJF9igu9}K|obLGSu@oB1W&h}pkFIx#+Vwwsg=p%2 z9w-qd6cAl$#}IAE)9D>iB@{qI72xFOdB@Gm8@9Ac~#@7L`Zf=GOEtt&KgDCD|&S(eLWRV{hxHd?cs340*n0Q z&2tqDc$irS|^~k@@nh0Wjon>p)_@$gc{dJaTlU>Y@iMGq1JoUn!XY1>`cwRk^ z+CR;1rsn-FrcnRj=YL1f{{X`NcR}=9{1plWz&`wyjFG}%0EiFZtYj>djIoj%S@shf z{dwJ!0l|j^8i2d*;io^a*uB2L!BENP00-KSq3)Ht`X$cx6)C|2^+(8?2k=uEcn^#I z6>j}WoB%?S3_pXR-?;};=iQtw@zx$DQb6feDP3!Ck4wMIaKN1B&26ov&YQcDX%63K z!&$pKd%9U#yMv+M3#6R0wz4xP(v@{d}MZsY( zG#q(JO3lsL(*;-+9>B-}HiipXxuuVk3LfB7T(z^b#;GYwse?TL{9HjnN(ERtFt^&uC zOJIlJ$3diYfiGrjIjkxc3xS{z5Qwx4&@ey)!VCsnQLyj#(kj3e`lAot2kIb%TL3plN62ZUWw$6ud_UAPc|m7PjAp2dNe+<^U_l*%nwCFyr^Y1WD<* zSUV|Ml370Aw*i(S@59N{(ee8q2%uZX)5Fou2^jNzGrt&oA3;F{C`$|wiGG+G0hozw z&ONh|O$D4GD^E-7zn_!MO?Cxf+Mg~!kWDT9qmiGHb&%Zzfk5DZ9Ht6fA%L#Esem7|4fwkZ z29=Qp&L;T-cKRU$?#bu%R~bwi4p{aV84L!61DWC%89=>40>=4OhJc|C_JhHYFd%0g z>?d<@UML(vW{mvO50JruI5;4a2GZ*R83F?EvkuDOsDpFB0QMFTpTFn>WXON_gCT(< zd!XOH=Y>JhsDtYR>`bPx{5lo}hx}_^7+m_`K45_D|D_KGB*}mDdAOMaq%k*g0>In( zS_3YZ!Z|wwd1EgZf~3@)Y@ER`a?}D}8|oOa30MxTB8^a1LBOTaSS%8PgkhzXFjyE0 zhCxfKBBde93ZVbJ3;76QoGn!d)|L+Lo>#z9NGMW883l*Jp;#0`8ii3t!-1Tks)|G? fA(2Wb1o;rTdzia Date: Thu, 27 Sep 2018 07:40:30 +0200 Subject: [PATCH 086/244] chg: [relationship] annotates relationship added (useful for the annotation object) --- relationships/definition.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 5279345..422834e 100644 
--- a/relationships/definition.json +++ b/relationships/definition.json @@ -636,6 +636,13 @@ "format": [ "misp" ] + }, + { + "name": "annotates", + "description": "This relationships describes an object which annotates another object.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From 10acf6289eb5a5644708e66c8796cbe594052669 Mon Sep 17 00:00:00 2001 From: aksha Date: Thu, 27 Sep 2018 11:46:32 +0100 Subject: [PATCH 087/244] add: Misp object for Mactime-timeline-analysis --- .../mactime-timeline-analysis/definition.json | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 objects/mactime-timeline-analysis/definition.json diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json new file mode 100644 index 0000000..b09ea49 --- /dev/null +++ b/objects/mactime-timeline-analysis/definition.json 
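Review bot: The new `annotates` entry has a grammatical slip in its description, `This relationships describes an object which annotates another object.`; it should read `"description": "This relationship describes an object which annotates another object."`. The enclosing relationships array begins outside the hunk, so I could not check whether a neighbouring entry already covers this direction of the relationship.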
@@ -0,0 +1,51 @@ +{ + "requiredOneOf": [ + "filepath", + "file_activity", + "datetime" + ], + "attributes": { + "file-path": { + "description": "Location of the file on the disc", + "ui-priority": 0, + "misp-attribute": "text" + }, + "datetime": { + "description": "Date and time when the operation was conducted on the file", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "file_size": { + "description": "Determines the file size in bytes", + "ui-priority": 0, + "misp-attribute": "text" + }, + "activityType": { + "description": "Determines the type of activity conducted on the file at a given time", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Accessed", + "Created", + "Changed", + "Modified", + "Other" + ] + }, + "filePermissions": { + "description": "Describes permissions assigned the file", + "ui-priority": 0, + "misp-attribute": "text" + }, + "file": { + "description": "Mactime output file", + "ui-priority": 0, + "misp-attribute": "attachment" + } + }, + "version": 1, + "description": "Mactime template, used in forensic investigations to describe the timeline of a file activity", + "meta-category": "file", + "uuid": "9297982e-be62-4772-a665-c91f5a8d639", + "name": "mactime-timeline-analysis" +} From 5acaa3498f193abec14a54b1af80236be5b9f12f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 27 Sep 2018 13:19:33 +0200 Subject: [PATCH 088/244] chg: jq all the things ;-) --- .../mactime-timeline-analysis/definition.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json index b09ea49..55d86e0 100644 --- a/objects/mactime-timeline-analysis/definition.json +++ b/objects/mactime-timeline-analysis/definition.json 
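Review bot: `requiredOneOf` names `filepath` and `file_activity`, but no attribute with either name is defined — the attributes are `file-path` and `activityType` — so those two entries can never be satisfied and only `datetime` effectively counts; the list should read `"file-path", "activityType", "datetime"` (or the attributes be renamed to match). The `uuid` value `9297982e-be62-4772-a665-c91f5a8d639` has an 11-character final group and is not a well-formed UUID, so a freshly generated one is needed before this template is published. Attribute keys mix kebab-case, snake_case and camelCase (`file-path`, `file_size`, `activityType`, `filePermissions`) while the other templates on this page are kebab-case throughout; `file-size`, `activity-type` and `file-permissions` would be consistent. `file_size` is described as a byte count but typed `text`; if the target MISP version offers the `size-in-bytes` attribute type, it would preserve that meaning.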
@@ -24,20 +24,20 @@ "description": "Determines the type of activity conducted on the file at a given time", "ui-priority": 0, "misp-attribute": "text", - "sane_default": [ - "Accessed", - "Created", - "Changed", - "Modified", - "Other" - ] + "sane_default": [ + "Accessed", + "Created", + "Changed", + "Modified", + "Other" + ] }, "filePermissions": { "description": "Describes permissions assigned the file", "ui-priority": 0, "misp-attribute": "text" }, - "file": { + "file": { "description": "Mactime output file", "ui-priority": 0, "misp-attribute": "attachment" From 0877fc80c5a20f0041bb3db2b38ef81887e4f6da Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 27 Sep 2018 13:30:44 +0200 Subject: [PATCH 089/244] chg: [doc] mactime template added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b7b03f0..a8aad33 100644 --- a/README.md +++ b/README.md @@ -97,6 +97,7 @@ for a specific attribute. * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation. * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format. * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format. +* [objects/mactime-timeline-analysis](objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity. * [objects/malware-config](objects/malware-config/definition.json) - Object describing a malware configuration recovered or extracted from a malicious binary. * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook. * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. From 98459432a2009a9d7de5176dfdbda4af2263e604 Mon Sep 17 00:00:00 2001 
From: aksha Date: Fri, 28 Sep 2018 12:13:31 +0100 Subject: [PATCH 090/244] Add: Regripper 3 object templates including SAM hive and NTUSer.dat. --- objects/regripper-NTUser/definition.json | 95 +++++++++++++++++++ .../definition.json | 59 ++++++++++++ .../definition.json | 53 +++++++++++ 3 files changed, 207 insertions(+) create mode 100644 objects/regripper-NTUser/definition.json create mode 100644 objects/regripper-sam-hive-single-user/definition.json create mode 100644 objects/regripper-sam-hive-user-group/definition.json diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json new file mode 100644 index 0000000..cb0a4a7 --- /dev/null +++ b/objects/regripper-NTUser/definition.json 
@@ -0,0 +1,95 @@ +{ + "required": [ + "key" + ], + "requiredOneOf": [ + "group-name" + ], + "attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "logon-user-name": { + "description": "Name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "recent-folders-accessed": { + "description": "List of recent folders accessed by the user.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple":"true" + }, + "recent-files-accessed": { + "description": "List of recent files accessed by the user.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple":"true" + }, + "typed-urls": { + "description": "Urls typed by the user in internet explorer", + "ui-priority": 0, + "misp-attribute": "text", + "multiple":"true" + }, + "applications-installed": { + "description": "List of applications installed.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple":"true" + }, + "applications-run": { + "description": "List of applications set to run on the system.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": "true" + }, + "external-devices": { + "description": "List of external devices connected to the system by the user.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": "true" + }, + "user-init": { + "description": "Applications or processes set to run when the user logs onto the windows system.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": "true" + }, + "nukeOnDelete": { + "description": "Determines if the Recycle bin option has been disabled.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "network-connected-to": { + "description": "List of networks the user connected the system to.", + "ui-priority": 0, + "misp-attribute": 
"text", + "multiple": "true" + }, + "mount-points": { + "description": "Details of the mount points created on the system.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": "true" + }, + "comments": { + "description": "Additional information related to the user profile", + "ui-priority": 0, + "misp-attribute": "text" + } + + }, + "version": 1, + "description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.", + "meta-category": "misc", + "uuid": "f9dc7b7e-8ab1-4dde-95d9-67e41b461c65", + "name": "regripper-NTUser" +} diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json new file mode 100644 index 0000000..eb32b5b --- /dev/null +++ b/objects/regripper-sam-hive-single-user/definition.json 
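Review bot: Every `multiple` flag in this template is the string `"true"` rather than the JSON boolean `true` (`"multiple":"true"` on the nine list-valued attributes from `recent-folders-accessed` to `mount-points`); the other flags on the page such as `disable_correlation: true` are booleans, and a consumer testing the value strictly would most likely treat these attributes as single-valued, so they should be `"multiple": true`. The same string form appears on `group-users` in regripper-sam-hive-user-group later in this series. `nukeOnDelete` is the only camelCase key in an otherwise kebab-case template; `nuke-on-delete` would match its neighbours. The stray blank line before the closing `},` of `attributes` is also worth dropping.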
@@ -0,0 +1,59 @@ +{ + "required": [ + "key" + ], + "requiredOneOf": [ + "user-name", + "last-login-time", + "login-count" + ], + "attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "user-name": { + "description": "User name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "full-user-name": { + "description": "Full name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-login-time": { + "description": "Date and time when the user last logged onto the system.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "pwd-reset-time": { + "description": "Date and time when the password was last reset.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "pwd-fail-date": { + "description": "Date and time when a password last failed for this user profile.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "login-count": { + "description": "Number of times the user logged-in onto the system.", + "ui-priority": 0, + "misp-attribute": "number" + } + + }, + "version": 1, + "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.", + "meta-category": "misc", + "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", + "name": "regripper-sam-hive-single-user" + } + \ No newline at end of file diff --git a/objects/regripper-sam-hive-user-group/definition.json b/objects/regripper-sam-hive-user-group/definition.json new file mode 100644 index 0000000..1e41a1c --- /dev/null +++ b/objects/regripper-sam-hive-user-group/definition.json 
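Review bot: `login-count` uses `"misp-attribute": "number"`; no other template on this page uses that type name, so confirm it is a registered MISP attribute type before merging — if it is not, `counter` is the closest candidate I am aware of (the same `number` type appears on `interface-MediaSubType` in regripper-system-hive-network-information). The file ends with an indented closing ` }`, a whitespace-only line and no trailing newline (`\ No newline at end of file`); regripper-sam-hive-user-group and the three regripper-system-hive templates later in this series share that layout, and a `jq .` pass as in the preceding "jq all the things" commit would normalise all of them.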
@@ -0,0 +1,53 @@ +{ + "required": [ + "key" + ], + "requiredOneOf": [ + "group-name" + ], + "attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "group-name": { + "description": "Name assigned to the profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "full-name": { + "description": "Full name assigned to the profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-date-time": { + "description": "Date and time when the group key was updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "group-comment": { + "description": "Name assigned to the profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "group-users": { + "description": "Users belonging to the group", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": "true" + } + + }, + "version": 1, + "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.", + "meta-category": "misc", + "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c", + "name": "regripper-sam-hive-user-group" + } + \ No newline at end of file From 58ab539825af9a5844af90a435cdc4d671c8214b Mon Sep 17 00:00:00 2001 From: aksha Date: Fri, 28 Sep 2018 12:15:21 +0100 Subject: [PATCH 091/244] Fix: NTUser template --- objects/regripper-NTUser/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json index cb0a4a7..264aae9 100644 --- a/objects/regripper-NTUser/definition.json +++ b/objects/regripper-NTUser/definition.json @@ -3,7 +3,7 @@ "key" ], "requiredOneOf": [ - "group-name" + "logon-user-name" ], "attributes": { "key": { 
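Review bot: `group-comment` carries the description `Name assigned to the profile.`, copied verbatim from `group-name`, so the two attributes are indistinguishable to a user; it should describe the comment itself, e.g. `"description": "Comment stored with the group."`. `key-last-write-time` (`Date and time when the key was last updated.`) and `last-write-date-time` (`Date and time when the group key was updated.`) read as the same timestamp; if they refer to different registry keys, each description should say which one, otherwise one of the two attributes is redundant.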
From 25e9f5d51a5e276c99c4ec2c9cef535a70b4ba0e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 28 Sep 2018 15:14:51 +0200 Subject: [PATCH 092/244] chg: [phishing] new template object (first draft) based on the phishtank format --- objects/phishing/definition.json | 69 ++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 objects/phishing/definition.json diff --git a/objects/phishing/definition.json b/objects/phishing/definition.json new file mode 100644 index 0000000..3fc7948 --- /dev/null +++ b/objects/phishing/definition.json 
@@ -0,0 +1,69 @@ +{ + "requiredOneOf": [ + "url" + ], + "attributes": { + "url": { + "description": "Original url of the phishing website", + "ui-priority": 1, + "misp-attribute": "url" + }, + "phishtank-id": { + "description": "Phishtank ID of the reported phishing", + "ui-priority": 1, + "misp-attribute": "text" + }, + "phishtank-detail-url": { + "description": "Phishtank detail URL to the reported phishing", + "misp-attribute": "link", + "ui-priority": 1 + }, + "submission-time": { + "description": "When the phishing was submitted and/or reported", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "verified": { + "description": "The phishing has been verified by the team handling the phishing", + "ui-priority": 0, + "values_list": [ + "No", + "Yes" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "verification-time": { + "description": "When the phishing was verified", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "online": { + "description": "If the phishing is online and operational, by default is yes", + "ui-priority": 0, + "values_list": [ + "Yes", + "No" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "takedown-time": { + "description": "When the phishing was taken down", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "target": { + "description": "Targeted organisation by the phishing", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Phishing template to describe a phishing website and its analysis.", + "meta-category": "network", + "uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307", + "name": "phishing" +} From 58f39ff62dd3aa1f80ea2b4b02dbf10478a474b9 Mon Sep 17 00:00:00 2001 
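Review bot: `verified` and `online` are modelled as `text` with a `values_list` of `Yes`/`No`, whereas the regripper templates added in this same series express the same kind of flag with `"misp-attribute": "boolean"` (for example `nukeOnDelete`); one representation should be chosen so consumers do not have to special-case this template. The `online` description says `by default is yes`, but the template expresses no default beyond listing `Yes` first in `values_list`; if that ordering is what is meant, the description could say so, otherwise the clause should be removed.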
From: aksha Date: Sun, 30 Sep 2018 21:35:38 +0100 Subject: [PATCH 093/244] Add: regripper objects for system hive --- .../definition.json | 42 +++++++++ .../definition.json | 73 ++++++++++++++ .../definition.json | 93 ++++++++++++++++++ .../definition.json | 94 +++++++++++++++++++ 4 files changed, 302 insertions(+) create mode 100644 objects/regripper-system-hive-firewall-configuration/definition.json create mode 100644 objects/regripper-system-hive-general-configuration/definition.json create mode 100644 objects/regripper-system-hive-network-information/definition.json create mode 100644 objects/regripper-system-hive-service-drivers/definition.json diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json new file mode 100644 index 0000000..7f361d8 --- /dev/null +++ b/objects/regripper-system-hive-firewall-configuration/definition.json 
@@ -0,0 +1,42 @@ +{ + "required": [ + "profile" + ], + "attributes": { + "profile": { + "description": "Firewall Profile type", + "ui-priority": 0, + "sane-default":[ + "Domain Profile", + "Standard Profile" + ], + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the firewall profile policy was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "enbled-firewall": { + "description": "Boolean flag to determine if the firewall is enabled.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "disable-notification": { + "description": "Boolean flag to determine if firewall notifications are enabled.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "" + } + }, + "version": 1, + "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.", + "meta-category": "misc", + "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07", + "name": "regripper-system-hive-firewall-configuration" + } + \ No newline at end of file diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json new file mode 100644 index 0000000..df2a4fe --- /dev/null +++ b/objects/regripper-system-hive-general-configuration/definition.json 
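Review bot: Three keys in this hunk are defective: `enbled-firewall` is misspelled (`"enabled-firewall": {`), `profile` uses `"sane-default"` where every other template on the page uses `sane_default`, so the default list will most likely be ignored, and `comment` has an empty attribute type (`"misp-attribute": ""`), which should be `"misp-attribute": "text"` as on the other free-text fields. `disable-notification` is described as `determine if firewall notifications are enabled`, the opposite polarity of its name; the description should state what `true` means for this flag. The file also ends with an indented ` }`, a whitespace-only line and no trailing newline.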
@@ -0,0 +1,73 @@ +{ + "required": [ + "computer-name" + ], + "attributes": { + "computer-name": { + "description": "name of the computer under analysis", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "shutdown-time": { + "description": "Date and time when the system was shutdown.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "timezone-last-write-time": { + "description": "Date and time when the timezone key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "timezone-bias": { + "description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "timezone-standard-name": { + "description": "Timezone standard name used during non-daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "timezone-standard-date": { + "description": "Standard date - non daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "timezone-standard-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "timezone-daylight-name": { + "description": "Timezone name used during daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "timezone-daylight-date": { + "description": "Daylight date - daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "timezone-daylight-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "fDenyTSConnections:": { + "description": "Specifies whether remote connections are enabled or disabled on the system.", + "ui-priority": 0, + 
"misp-attribute": "boolean" + } + }, + "version": 1, + "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", + "meta-category": "misc", + "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", + "name": "regripper-system-hive-general-configuration" + } + \ No newline at end of file diff --git a/objects/regripper-system-hive-network-information/definition.json b/objects/regripper-system-hive-network-information/definition.json new file mode 100644 index 0000000..d2b07b5 --- /dev/null +++ b/objects/regripper-system-hive-network-information/definition.json 
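Review bot: The attribute key `"fDenyTSConnections:"` carries a trailing colon, so the name no longer matches the registry value the description refers to and cannot be looked up by it; at minimum it should be `"fDenyTSConnections": {`, and `deny-ts-connections` would match the kebab-case used by the rest of this template. `computer-name` is typed `text` with correlation left enabled; MISP's `hostname` attribute type would let it correlate with hostnames seen in other events — confirm which behaviour is wanted. `timezone-bias`, `timezone-standard-bias` and `timezone-daylight-bias` are described as minute offsets but typed `text`; if a numeric attribute type is available in the target MISP version, it would preserve that meaning.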
@@ -0,0 +1,93 @@ +{ + "required": [ + "network-key" + ], + "attributes": { + "network-key": { + "description": "Registry key assigned to the network", + "ui-priority": 0, + "misp-attribute": "text" + }, + "network-key-last-write-time": { + "description": "Date and time when the network key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "network-key-path": { + "description": "Path of the key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "TCPIP-key": { + "description": "TCPIP key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "TCPIP-key-last-write-time": { + "description": "Datetime when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "DHCP-domain": { + "description": "Name of the DHCP domain service", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DHCP-IP-address": { + "description": "DHCP service - IP address", + "ui-priority": 0, + "misp-attribute": "ip-dist" + }, + "DHCP-subnet-mask": { + "description": "DHCP subnet mask - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dist" + }, + "DHCP-name-server": { + "description": "DHCP Name server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dist" + }, + "DHCP-server": { + "description": "DHCP server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dist" + }, + "interface-GUID": { + "description": "GUID value assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "interface-last-write-time": { + "description": "Last date and time when the interface key was updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "interface-name": { + "description": "Name of the interface.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "interface-PnpInstanceID": { + "description": "Plug and Play instance ID assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "interface-MediaSubType": { + 
"description": "", + "ui-priority": 0, + "misp-attribute": "number" + }, + "interface-IPcheckingEnabled": { + "description": "", + "ui-priority": 0, + "misp-attribute": "boolean" + } + }, + "version": 1, + "description": "Regripper object template designed to gather network information from the system-hive.", + "meta-category": "misc", + "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0", + "name": "regripper-system-hive-network-information." + } + \ No newline at end of file diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json new file mode 100644 index 0000000..264cbc6 --- /dev/null +++ b/objects/regripper-system-hive-service-drivers/definition.json 
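Review bot: `"misp-attribute": "ip-dist"` on the four DHCP attributes does not look like a valid MISP attribute type; the address types are `ip-src`/`ip-dst`, so `DHCP-IP-address`, `DHCP-name-server` and `DHCP-server` should be `ip-dst`, and `DHCP-subnet-mask` is a mask rather than an address and fits `text` better. The object `name` ends in a period, `regripper-system-hive-network-information.`, which does not match the directory name in the `+++` header; drop the trailing period. `interface-MediaSubType` and `interface-IPcheckingEnabled` ship with `"description": ""`; either document what the value means or leave the attributes out until it is known.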
@@ -0,0 +1,94 @@ +{ + "required": [ + "name" + ], + "attributes": { + "name": { + "description": "name of the key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "display": { + "description": "Display name/information of the service or the driver.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "image-path": { + "description": "Path of the service/drive", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Service/driver type.", + "ui-priority": 0, + "sane_default": [ + "Kernel driver", + "File system driver", + "Own process", + "Share process", + "Interactive", + "Other" + ], + "misp-attribute": "text" + }, + "start": { + "description": "When the service/driver starts or executes.", + "ui-priority": 0, + "sane_default":[ + "Boot start", + "System start", + "Auto start", + "Manual", + "Disabled" + ], + "misp-attribute": "text" + }, + "group": { + "description": "Group to which the system/driver belong to.", + "ui-priority": 0, + "sane_default":[ + "Base", + "Boot Bus Extender", + "Boot File System", + "Cryptography", + "Extended base", + "Event Log", + "Filter", + "FSFilter Bottom", + "FSFilter Infrastructure", + "File System", + "FSFilter Virtualization", + "Keyboard Port", + "Network", + "NDIS", + "Parallel arbitrator", + "Pointer Port", + "PnP Filter", + "ProfSvc_Group", + "PNP_TDI", + "SCSI Miniport", + "SCSI CDROM Class", + "System Bus Extender", + "Video Save", + "other" + ], + "misp-attribute": "text" + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "" + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.", + "meta-category": "misc", + "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", + "name": 
"regripper-system-hive-services-drivers" + } + \ No newline at end of file From 44d92e95be12dbff8d078ed2ddff966b1a9808ef Mon Sep 17 00:00:00 2001 From: aksha Date: Mon, 1 Oct 2018 12:18:55 +0100 Subject: [PATCH 094/244] Add: Regripper objects (System + Software Hive) --- .../definition.json | 55 +++++++ .../definition.json | 51 +++++++ .../definition.json | 48 ++++++ .../definition.json | 55 +++++++ .../definition.json | 53 +++++++ .../definition.json | 114 +++++++++++++++ .../definition.json | 60 ++++++++ .../definition.json | 138 ++++++++++++++++++ .../definition.json | 3 +- 9 files changed, 576 insertions(+), 1 deletion(-) create mode 100644 objects/regripper-software-hive-BHO/definition.json create mode 100644 objects/regripper-software-hive-appInit-DLLS/definition.json create mode 100644 objects/regripper-software-hive-application-paths/definition.json create mode 100644 objects/regripper-software-hive-applications-installed/definition.json create mode 100644 objects/regripper-software-hive-command-shell/definition.json create mode 100644 objects/regripper-software-hive-general-windows-info/definition.json create mode 100644 objects/regripper-software-hive-software-run/definition.json create mode 100644 objects/regripper-software-hive-userprofile-winlogon/definition.json diff --git a/objects/regripper-software-hive-BHO/definition.json b/objects/regripper-software-hive-BHO/definition.json new file mode 100644 index 0000000..4b70d4a --- /dev/null +++ b/objects/regripper-software-hive-BHO/definition.json 
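Review bot: The `comment` attribute has `"misp-attribute": ""`, which is not a type and will not pass template validation; use `"misp-attribute": "text"` as the sibling regripper templates do. The `name` value `regripper-system-hive-services-drivers` also differs from the directory `regripper-system-hive-service-drivers` in the `+++` header, so tooling that keys on the directory will not find this template by name. `image-path` is the value analysts pivot on for malicious services and drivers and is rightly left correlating.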
@@ -0,0 +1,55 @@ +{ + "required": [ + "key", + "BHO-name" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "BHO-name": { + "description": "Name of the browser helper object.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BHO-key-last-write-time": { + "description": "Date and time when the BHO key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "class": { + "description": "Class to which the BHO belongs to.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "module": { + "description": "DLL module the BHO belongs to.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "References to the BHO.", + "ui-priority": 0, + "misp-attribute": "links", + "multiple":true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.", + "meta-category": "misc", + "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2", + "name": "regripper-software-hive-BHO" + } + \ No newline at end of file diff --git a/objects/regripper-software-hive-appInit-DLLS/definition.json b/objects/regripper-software-hive-appInit-DLLS/definition.json new file mode 100644 index 0000000..9aa9753 --- /dev/null +++ b/objects/regripper-software-hive-appInit-DLLS/definition.json 
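Review bot: `"misp-attribute": "links"` on `references` is not a MISP attribute type; it should be `link`. `class` holds the BHO CLSID and `module` the DLL path, the two values worth pivoting on across events, so their descriptions should say so explicitly, e.g. `"description": "CLSID of the browser helper object."` and `"description": "Full path of the DLL implementing the browser helper object."`, and they should keep correlation enabled. The `datetime` attributes will correlate by default, which produces noise on registry timestamps; `"disable_correlation": true` is appropriate for them.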
@@ -0,0 +1,51 @@ +{ + "required": [ + "key", + "DLL-name", + "DLL-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "DLL-name": { + "description": "Name of the DLL file.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DLL-path": { + "description": "Path where the DLL file is stored.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DLL-last-write-time": { + "description": "Date and time when the DLL file was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "References to the DLL file.", + "ui-priority": 0, + "misp-attribute": "links", + "multiple":true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the DLL files installed on the system.", + "meta-category": "misc", + "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859", + "name": "regripper-software-hive-appInit-DLLS" + } + \ No newline at end of file diff --git a/objects/regripper-software-hive-application-paths/definition.json b/objects/regripper-software-hive-application-paths/definition.json new file mode 100644 index 0000000..80787f8 --- /dev/null +++ b/objects/regripper-software-hive-application-paths/definition.json 
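Review bot: The object description `gather information of the DLL files installed on the system` undersells what this key is: AppInit_DLLs lists DLLs loaded into every process that loads user32.dll and is a well-known persistence and injection mechanism, so the description should say that, e.g. `"description": "Regripper Object template for DLLs registered under the AppInit_DLLs value, which are loaded into every process that loads user32.dll."`. The registry value itself is normally a single delimited list, so either `DLL-path` should be `"multiple": true` or the template should document one object per DLL. `references` uses `links`, which is not a MISP type; `link` is.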
@@ -0,0 +1,48 @@ +{ + "required": [ + "key", + "executable-file-name", + "path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "executable-file-name": { + "description": "Name of the executable file.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple":true + }, + "path": { + "description": "Path of the executable file.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple":true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "References to the application installed.", + "ui-priority": 0, + "misp-attribute": "links", + "multiple":true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the application paths.", + "meta-category": "misc", + "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8", + "name": "regripper-software-hive-application-paths" + } + \ No newline at end of file diff --git a/objects/regripper-software-hive-applications-installed/definition.json b/objects/regripper-software-hive-applications-installed/definition.json new file mode 100644 index 0000000..f3bcddb --- /dev/null +++ b/objects/regripper-software-hive-applications-installed/definition.json 
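Review bot: `executable-file-name` and `path` are both `"multiple": true`, which stores two parallel lists and loses which path belongs to which executable as soon as the object holds more than one App Paths entry; either create one object per entry with a single name and path, or document that the two lists are index-aligned, which MISP does not guarantee. `path` is the value that reveals a hijacked App Paths launch, so it should stay a correlating attribute rather than be folded into free text.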
@@ -0,0 +1,55 @@ +{ + "required": [ + "key", + "app-name" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "key-path": { + "description": "Path of the key.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "app-name": { + "description": "Name of the application.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "app-last-write-time": { + "description": "Date and time when the application key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "version": { + "description": "Version of the application.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "References to the application installed.", + "ui-priority": 0, + "misp-attribute": "links", + "multiple":true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the applications installed on the system.", + "meta-category": "misc", + "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd", + "name": "regripper-software-hive-applications-installed" + } + \ No newline at end of file diff --git a/objects/regripper-software-hive-command-shell/definition.json b/objects/regripper-software-hive-command-shell/definition.json new file mode 100644 index 0000000..fc98778 --- /dev/null +++ b/objects/regripper-software-hive-command-shell/definition.json 
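Review bot: `"misp-attribute": "links"` on `references` is not a MISP attribute type (the type is `link`), so the template is likely to fail validation on load. An attribute named `version` sits next to the template's own top-level `"version": 1`; the JSON is valid because they are at different nesting levels, but a flattened export or a search for the template version will pick up both, and `app-version` would read clearer. `key` and `key-path` overlap in meaning; the description of `key` should say whether it holds the key name or the full path.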
@@ -0,0 +1,53 @@ +{ + "required": [ + "key", + "shell", + "shell-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "shell": { + "description": "Type of shell used to execute the command.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default":[ + "exe", + "cmd", + "bat", + "hta", + "pif", + "Other" + ] + }, + "shell-path": { + "description": "Path of the shell.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "command": { + "description": "Command executed.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the shell commands executed on the system.", + "meta-category": "misc", + "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978", + "name": "regripper-software-hive-command-shell" + } + \ No newline at end of file diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json new file mode 100644 index 0000000..01dff3e --- /dev/null +++ b/objects/regripper-software-hive-general-windows-info/definition.json 
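Review bot: The `shell` values `exe`, `cmd`, `bat`, `hta`, `pif` look like file extensions whose open-command handler is being reported rather than shells that executed a command, so the description `Type of shell used to execute the command` and the object description `shell commands executed on the system` would mislead analysts; if that reading is right, use `"description": "File extension whose open-command handler was read from the software hive."` for `shell` and describe `command` as the handler command line. A hijacked handler is a persistence technique, so `command` should remain correlating as it is. `Other` is capitalised while the remaining values are lowercase.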
@@ -0,0 +1,114 @@ +{ + "required": [ + "win-cv-path", + "CurrentVersion" + ], + "attributes": { + "win-cv-path": { + "description": "key where the windows information is retrieved from", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "RegisteredOrganization": { + "description": "Name of the registered organization.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "RegisteredOwner": { + "description": "Name of the registered owner.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "CurrentVersion": { + "description": "Current version of windows", + "ui-priority": 0, + "misp-attribute": "text" + }, + "CurrentBuild": { + "description": "Build number of the windows OS.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "SoftwareType": { + "description": "Software type of windows.", + "ui-priority": 0, + "sane_default":[ + "System", + "Application", + "other" + ], + "misp-attribute": "text" + }, + "InstallationType": { + "description": "Type of windows installation.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "InstallDate": { + "description": "Date when windows was installed.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "SystemRoot": { + "description": "Root directory.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "PathName": { + "description": "Path to the root directory.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "EditionID": { + "description": "Windows edition.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ProductName": { + "description": "Name of the windows version.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ProductID": { + "description": "ID of the product version.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "CSDVersion": { + "description": "Version of the service pack installed.", + "ui-priority": 0, + 
"misp-attribute": "text" + }, + "CurrentType": { + "description": "Current build type of the OS.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildLab": { + "description": "Windows BuildLab string.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildGUID": { + "description": "Build ID.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildLabEx": { + "description": "Windows BuildLabEx string.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.", + "meta-category": "misc", + "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1", + "name": "regripper-software-hive-windows-general-info" + } + \ No newline at end of file diff --git a/objects/regripper-software-hive-software-run/definition.json b/objects/regripper-software-hive-software-run/definition.json new file mode 100644 index 0000000..83b968c --- /dev/null +++ b/objects/regripper-software-hive-software-run/definition.json 
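Review bot: The `name` is `regripper-software-hive-windows-general-info` while the file lives under `objects/regripper-software-hive-general-windows-info/` per the `+++` header, so the template name and its directory disagree; align the name with the directory. `InstallDate` is normally stored in the registry as a Unix epoch integer, so the description should state that the value is converted to a datetime before being stored here. `ProductID` and `BuildGUID` are per-installation identifiers with little pivot value and are candidates for `"disable_correlation": true`.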
@@ -0,0 +1,60 @@ +{ + "required": [ + "key", + "application-name", + "application-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "sane_default": [ + "Run", + "RunOnce", + "Runservices", + "Terminal", + "Other" + ], + "misp-attribute": "text" + }, + "key-path": { + "description": "Path of the key.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "application-name": { + "description": "Name of the application run.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple":true + }, + "application-path": { + "description": "Path where the application is installed.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple":true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "references": { + "description": "References to the applications.", + "ui-priority": 0, + "misp-attribute": "links", + "multiple":true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the applications set to run on the system.", + "meta-category": "misc", + "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94", + "name": "regripper-software-hive-software-run" + } + \ No newline at end of file diff --git a/objects/regripper-software-hive-userprofile-winlogon/definition.json b/objects/regripper-software-hive-userprofile-winlogon/definition.json new file mode 100644 index 0000000..0dd3289 --- /dev/null +++ b/objects/regripper-software-hive-userprofile-winlogon/definition.json 
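Review bot: `application-name` and `application-path` are parallel `multiple` lists, so once a Run key holds several entries the name-to-path pairing is lost; emit one object per value, or drop `multiple` and document one object per entry. The `key` attribute also mixes two meanings: its description says it is the source key, while its `sane_default` lists `Run`, `RunOnce`, `Runservices`, `Terminal`, which is a key type; keep `key` as the key name and leave the source path to `key-path`, which the template already has. Run-key paths are the canonical autostart persistence indicator, so `application-path` correctly stays correlating.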
@@ -0,0 +1,138 @@ +{ + "required": [ + "user-profile-key-path", + "SID" + ], + "attributes": { + "user-profile-key-path": { + "description": "key where the user-profile information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "user-profile-key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "user-profile-path": { + "description": "Path of the user profile on the system", + "ui-priority": 0, + "misp-attribute": "text" + }, + "SID": { + "description": "Security identifier assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "user-profile-last-write-time": { + "description": "Date and time when the user profile was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "winlogon-key-path": { + "description": "winlogon key referred in order to retrieve default user information", + "ui-priority": 0, + "misp-attribute": "text" + }, + "winlogon-key-last-write-time": { + "description": "Date and time when the winlogon key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "DefaultUserName": { + "description": "user-name of the default user.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "Shell": { + "description": "Shell set to run when the user logs onto the system.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "UserInit": { + "description": "Applications and files set to run when the user logs onto the system (User logon activity).", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "Legal-notice-caption": { + "description": "Message title set to display when the user logs-in.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "Legal-notice-text": { + "description": "Message set to display when the user logs-in.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, 
+ "PreCreateKnownFolders": { + "description": "create known folders key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ReportBootOk": { + "description": "Flag to check if the reboot was successful.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "AutoRestartShell": { + "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "PasswordExpiryWarining": { + "description": "Number of times the password expiry warning appeared.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "PowerdownAfterShutDown": { + "description": "Flag value- if the system is set to power down after it is shutdown.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "ShutdownWithoutLogon": { + "description": "Value of the flag set to enable shutdown without requiring a user to login.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "WinStationsDisabled": { + "description": "Flag value set to enable/disable logons to the system.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "DisableCAD": { + "description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "AutoAdminLogon": { + "description": "Flag value to determine if autologon is enabled for a user without entering the password.", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "CachedLogonCount": { + "description": "Number of times the user has logged into the system.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "ShutdownFlags": { + "description": "Number of times shutdown is initiated from a process when the user is logged-in.", + "ui-priority": 0, + "misp-attribute": "number" + }, + "Comments": + { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Regripper Object template designed to gather 
user profile information when the user logs onto the system, gathered from the software hive.", + "meta-category": "misc", + "uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59", + "name": "regripper-software-hive-userprofile-winlogon" +} diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json index 7f361d8..cd44858 100644 --- a/objects/regripper-system-hive-firewall-configuration/definition.json +++ b/objects/regripper-system-hive-firewall-configuration/definition.json @@ -8,7 +8,8 @@ "ui-priority": 0, "sane-default":[ "Domain Profile", - "Standard Profile" + "Standard Profile", + "other" ], "misp-attribute": "text" }, From 12166166f2186863ec7c8ba80b9f154f231be1e9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 2 Oct 2018 07:43:07 +0200 Subject: [PATCH 095/244] chg: [phishing] new object added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a8aad33..7eee687 100644 --- a/README.md +++ b/README.md @@ -109,6 +109,7 @@ for a specific attribute. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. * [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description. * [objects/person](objects/person/definition.json) - A person object which describes a person or an identity. +* [objects/phishing](objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis. * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object. * [objects/process](objects/process/definition.json) - A process object. * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object. From f8226fc2004dc4e9f4a5eb18cec12135404a3be5 Mon Sep 17 00:00:00 2001 
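Review bot: `CachedLogonCount` is described as `Number of times the user has logged into the system`, but in Winlogon this value sets how many domain logons Windows caches locally rather than counting logins; something like `"description": "Number of domain logon credentials Windows caches locally."` would be accurate, and the exact value name should be confirmed against the RegRipper output. `PasswordExpiryWarining` is misspelled and its description is likewise doubtful, since the Winlogon value is the number of days before expiry at which the warning is shown. When `AutoAdminLogon` is set the same key usually holds `DefaultPassword` in cleartext; if the plugin reports it the template needs an attribute for it, handled as a credential, and if not, a note saying why it is omitted would help analysts. `Comments` is capitalised unlike `comments` in the sibling templates.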
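Review bot: The list being extended is keyed `sane-default` (hyphen) whereas every other template in this series uses `sane_default`, so `Domain Profile`, `Standard Profile` and the new `other` are not applied as dropdown defaults at all; rename the key to `"sane_default"` in the same change. The enclosing attribute opens above the hunk, so its name is not visible here.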
From: aksha Date: Tue, 2 Oct 2018 10:14:19 +0100 Subject: [PATCH 096/244] Fix: Regripper object templates fixed --- objects/regripper-NTUser/definition.json | 28 ++++---- .../definition.json | 21 ++++-- .../definition.json | 11 +-- .../definition.json | 17 +++-- .../definition.json | 11 +-- .../definition.json | 8 ++- .../definition.json | 11 +-- .../definition.json | 9 ++- .../definition.json | 26 +++++-- .../definition.json | 14 ++-- .../definition.json | 67 +++++++++++++------ .../definition.json | 15 +++-- .../definition.json | 39 ++++++++--- .../definition.json | 38 +++++++---- .../definition.json | 15 +++-- 15 files changed, 222 insertions(+), 108 deletions(-) diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json index 264aae9..6eb7193 100644 --- a/objects/regripper-NTUser/definition.json +++ b/objects/regripper-NTUser/definition.json @@ -14,7 +14,8 @@ "key-last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "logon-user-name": { "description": "Name assigned to the user profile.", 
@@ -25,65 +26,68 @@ "description": "List of recent folders accessed by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple":"true" + "multiple":true }, "recent-files-accessed": { "description": "List of recent files accessed by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple":"true" + "multiple":true }, "typed-urls": { "description": "Urls typed by the user in internet explorer", "ui-priority": 0, "misp-attribute": "text", - "multiple":"true" + "multiple":true }, "applications-installed": { "description": "List of applications installed.", "ui-priority": 0, "misp-attribute": "text", - "multiple":"true" + "multiple":true }, "applications-run": { "description": "List of applications set to run on the system.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true }, "external-devices": { "description": "List of external devices connected to the system by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true }, "user-init": { "description": "Applications or processes set to run when the user logs onto the windows system.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true }, "nukeOnDelete": { "description": "Determines if the Recycle bin option has been disabled.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "network-connected-to": { "description": "List of networks the user connected the system to.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true }, "mount-points": { "description": "Details of the mount points created on the system.", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true, + "disable_correlation": true }, "comments": { "description": "Additional information related to the user profile", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + 
"disable_correlation": true } }, diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json index eb32b5b..2cf93d9 100644 --- a/objects/regripper-sam-hive-single-user/definition.json +++ b/objects/regripper-sam-hive-single-user/definition.json @@ -16,7 +16,8 @@ "key-last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "user-name": { "description": "User name assigned to the user profile.", @@ -31,22 +32,32 @@ "last-login-time": { "description": "Date and time when the user last logged onto the system.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "pwd-reset-time": { "description": "Date and time when the password was last reset.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "pwd-fail-date": { "description": "Date and time when a password last failed for this user profile.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "login-count": { "description": "Number of times the user logged-in onto the system.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "counter", + "disable_correlation": true + }, + "comments": { + "description": "Full name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true } }, diff --git a/objects/regripper-sam-hive-user-group/definition.json b/objects/regripper-sam-hive-user-group/definition.json index 1e41a1c..bcd2996 100644 --- a/objects/regripper-sam-hive-user-group/definition.json +++ b/objects/regripper-sam-hive-user-group/definition.json 
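Review bot: `typed-urls` remains `"misp-attribute": "text"` after this hunk, so the URLs an analyst most wants to pivot on will not correlate with `url` attributes elsewhere in MISP; `"misp-attribute": "url"` keeps the `multiple` flag and gives real correlation. Correcting `"multiple":"true"` to a boolean is right, since the string was only truthy by accident. The first attribute in the hunk opens above it, so its name is not visible here.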
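Review bot: The newly added `comments` attribute is described as `Full name assigned to the user profile.`, copied from another attribute, and will mislead anyone filling the template; use `"description": "Additional comments."` as the sibling regripper templates do. Changing `login-count` from `number` to `counter` changes the attribute type for objects already created from this template, so it warrants a template `version` bump, which is outside the hunk if it happened.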
@@ -14,7 +14,8 @@ "key-last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "group-name": { "description": "Name assigned to the profile.", @@ -29,18 +30,20 @@ "last-write-date-time": { "description": "Date and time when the group key was updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "group-comment": { "description": "Name assigned to the profile.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "group-users": { "description": "Users belonging to the group", "ui-priority": 0, "misp-attribute": "text", - "multiple": "true" + "multiple": true } }, diff --git a/objects/regripper-software-hive-BHO/definition.json b/objects/regripper-software-hive-BHO/definition.json index 4b70d4a..7c64241 100644 --- a/objects/regripper-software-hive-BHO/definition.json +++ b/objects/regripper-software-hive-BHO/definition.json @@ -12,7 +12,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "BHO-name": { "description": "Name of the browser helper object.", 
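Review bot: `group-comment` is described as `Name assigned to the profile.`, the same text as `group-name`, so the hunk leaves two attributes with one description; `"description": "Comment stored for the group."` would distinguish them. `group-users` is the value worth correlating, since shared membership of a privileged group is a common pivot, and it is rightly left correlating here.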
@@ -22,27 +23,31 @@ "BHO-key-last-write-time": { "description": "Date and time when the BHO key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "class": { "description": "Class to which the BHO belongs to.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "module": { "description": "DLL module the BHO belongs to.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the BHO.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, diff --git a/objects/regripper-software-hive-appInit-DLLS/definition.json b/objects/regripper-software-hive-appInit-DLLS/definition.json index 9aa9753..3923e35 100644 --- a/objects/regripper-software-hive-appInit-DLLS/definition.json +++ b/objects/regripper-software-hive-appInit-DLLS/definition.json @@ -13,7 +13,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "DLL-name": { "description": "Name of the DLL file.", @@ -28,17 +29,19 @@ "DLL-last-write-time": { "description": "Date and time when the DLL file was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the DLL file.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, 
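Review bot: Setting `"disable_correlation": true` on `module` in regripper-software-hive-BHO removes correlation from the one attribute that identifies a malicious BHO across events, the DLL path, while correlation stays enabled on `references`, which holds documentation URLs that unrelated events are likely to share. I would expect the opposite: leave `module` correlating and put `"disable_correlation": true` on `references`. Whether the DLL path is meant as a pivot here is a modelling choice, so treat this as a question rather than a defect. Minor style point: `"multiple":true` lacks the space after the colon used on every other key in the file.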
diff --git a/objects/regripper-software-hive-application-paths/definition.json b/objects/regripper-software-hive-application-paths/definition.json index 80787f8..939e39a 100644 --- a/objects/regripper-software-hive-application-paths/definition.json +++ b/objects/regripper-software-hive-application-paths/definition.json @@ -13,7 +13,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "executable-file-name": { "description": "Name of the executable file.", @@ -30,12 +31,13 @@ "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the application installed.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, diff --git a/objects/regripper-software-hive-applications-installed/definition.json b/objects/regripper-software-hive-applications-installed/definition.json index f3bcddb..55c58ea 100644 --- a/objects/regripper-software-hive-applications-installed/definition.json +++ b/objects/regripper-software-hive-applications-installed/definition.json @@ -17,7 +17,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "app-name": { "description": "Name of the application.", @@ -27,7 +28,8 @@ "app-last-write-time": { "description": "Date and time when the application key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "version": { "description": "Version of the application.", 
@@ -37,12 +39,13 @@ "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the application installed.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, diff --git a/objects/regripper-software-hive-command-shell/definition.json b/objects/regripper-software-hive-command-shell/definition.json index fc98778..593308d 100644 --- a/objects/regripper-software-hive-command-shell/definition.json +++ b/objects/regripper-software-hive-command-shell/definition.json @@ -13,7 +13,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "shell": { "description": "Type of shell used to execute the command.", @@ -26,7 +27,8 @@ "hta", "pif", "Other" - ] + ], + "disable_correlation": true }, "shell-path": { "description": "Path of the shell.", @@ -41,7 +43,8 @@ "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json index 01dff3e..a05492f 100644 --- a/objects/regripper-software-hive-general-windows-info/definition.json +++ b/objects/regripper-software-hive-general-windows-info/definition.json @@ -12,7 +12,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "RegisteredOrganization": { "description": "Name of the registered organization.", 
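Review bot: The `"version": 1,` context line closing the command-shell hunk shows the template version is not bumped even though attribute definitions in this file change (`disable_correlation` added on `last-write-time`, `shell` and `comments`). As far as I recall, MISP only replaces an installed object template when the incoming `version` is higher, so instances that already loaded version 1 would keep the old definitions. If these regripper templates have been released, each modified file in this commit needs e.g. `"version": 2`; if they are still unreleased on this branch, this can be ignored.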
@@ -32,7 +33,7 @@ "CurrentBuild": { "description": "Build number of the windows OS.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "text" }, "SoftwareType": { "description": "Software type of windows.", @@ -42,27 +43,32 @@ "Application", "other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "InstallationType": { "description": "Type of windows installation.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "InstallDate": { "description": "Date when windows was installed.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "SystemRoot": { "description": "Root directory.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "PathName": { "description": "Path to the root directory.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "EditionID": { "description": "Windows edition.", @@ -103,6 +109,12 @@ "description": "Windows BuildLabEx string.", "ui-priority": 0, "misp-attribute": "text" + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-software-hive-software-run/definition.json b/objects/regripper-software-hive-software-run/definition.json index 83b968c..95e93cc 100644 --- a/objects/regripper-software-hive-software-run/definition.json +++ b/objects/regripper-software-hive-software-run/definition.json 
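Review bot: The new `comment` attribute in regripper-software-hive-general-windows-info (hunk `@@ -103,6 +109,12 @@`) is declared with `"misp-attribute": ""`, and an empty string is not a valid MISP attribute type, so the template will either fail to load or produce an unusable attribute. It should be `"misp-attribute": "text"`, which is what the `comments` attribute of the other regripper objects in this commit uses; for consistency the key could also be `comments` rather than `comment`. The `CurrentBuild` change from `number` to `text` is reasonable, since a build identifier is a label rather than a quantity.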
@@ -15,17 +15,20 @@ "Terminal", "Other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "key-path": { "description": "Path of the key.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "application-name": { "description": "Name of the application run.", @@ -42,12 +45,13 @@ "comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "references": { "description": "References to the applications.", "ui-priority": 0, - "misp-attribute": "links", + "misp-attribute": "link", "multiple":true } }, diff --git a/objects/regripper-software-hive-userprofile-winlogon/definition.json b/objects/regripper-software-hive-userprofile-winlogon/definition.json index 0dd3289..6dcbef9 100644 --- a/objects/regripper-software-hive-userprofile-winlogon/definition.json +++ b/objects/regripper-software-hive-userprofile-winlogon/definition.json 
@@ -7,47 +7,56 @@ "user-profile-key-path": { "description": "key where the user-profile information is retrieved from.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "user-profile-key-last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "user-profile-path": { "description": "Path of the user profile on the system", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "SID": { "description": "Security identifier assigned to the user profile.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "user-profile-last-write-time": { "description": "Date and time when the user profile was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "winlogon-key-path": { "description": "winlogon key referred in order to retrieve default user information", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "winlogon-key-last-write-time": { "description": "Date and time when the winlogon key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "DefaultUserName": { "description": "user-name of the default user.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "Shell": { "description": "Shell set to run when the user logs onto the system.", "ui-priority": 0, "misp-attribute": "text", + "disable_correlation": true, "multiple": true }, "UserInit": { 
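Review bot: Adding `"disable_correlation": true` to `SID` and `Shell` in regripper-software-hive-userprofile-winlogon drops the two values in this object most likely to be useful pivots: a domain user's SID identifies the same account across hosts, and a non-default Winlogon `Shell` value is a persistence indicator analysts would want matched across events. If the goal is to stop timestamps and paths from generating noise, the `disable_correlation` on the `*-last-write-time` and `*-path` attributes achieves that on its own. Consider leaving `SID` and `Shell` without the flag; this is a modelling choice, so I am raising it as a question. The `UserInit` attribute that opens at the end of the hunk is cut off by the hunk boundary.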
@@ -60,74 +69,88 @@ "description": "Message title set to display when the user logs-in.", "ui-priority": 0, "misp-attribute": "text", - "multiple": true + "multiple": true, + "disable_correlation": true }, "Legal-notice-text": { "description": "Message set to display when the user logs-in.", "ui-priority": 0, "misp-attribute": "text", - "multiple": true + "multiple": true, + "disable_correlation": true }, "PreCreateKnownFolders": { "description": "create known folders key", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "ReportBootOk": { "description": "Flag to check if the reboot was successful.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "AutoRestartShell": { "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "PasswordExpiryWarining": { "description": "Number of times the password expiry warning appeared.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "counter", + "disable_correlation": true }, "PowerdownAfterShutDown": { "description": "Flag value- if the system is set to power down after it is shutdown.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "ShutdownWithoutLogon": { "description": "Value of the flag set to enable shutdown without requiring a user to login.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "WinStationsDisabled": { "description": "Flag value set to enable/disable logons to the system.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "DisableCAD": { "description": "Flag to determine if user login is enabled by pressing 
Ctrl+ALT+Delete.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "AutoAdminLogon": { "description": "Flag value to determine if autologon is enabled for a user without entering the password.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "CachedLogonCount": { "description": "Number of times the user has logged into the system.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "counter", + "disable_correlation": true }, "ShutdownFlags": { "description": "Number of times shutdown is initiated from a process when the user is logged-in.", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "counter", + "disable_correlation": true }, "Comments": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json index cd44858..94ffeb8 100644 --- a/objects/regripper-system-hive-firewall-configuration/definition.json +++ b/objects/regripper-system-hive-firewall-configuration/definition.json 
@@ -11,27 +11,32 @@ "Standard Profile", "other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "last-write-time": { "description": "Date and time when the firewall profile policy was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "enbled-firewall": { "description": "Boolean flag to determine if the firewall is enabled.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "disable-notification": { "description": "Boolean flag to determine if firewall notifications are enabled.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "" + "misp-attribute": "text", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json index df2a4fe..c007e4a 100644 --- a/objects/regripper-system-hive-general-configuration/definition.json +++ b/objects/regripper-system-hive-general-configuration/definition.json 
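Review bot: This hunk corrects the empty `"misp-attribute": ""` on `comment` to `"text"`, but the same empty type is left on the `comment` attribute of regripper-software-hive-general-windows-info, regripper-system-hive-general-configuration and regripper-system-hive-service-drivers in this commit, so the fix is incomplete across the set. Separately, the `disable-notification` description says the flag determines "if firewall notifications are enabled", while the attribute name (and, as far as I recall, the underlying `DisableNotifications` registry value) means true = disabled; `"description": "Boolean flag set when firewall notifications are disabled."` would avoid the inverted reading. The key `enbled-firewall` is misspelled (context line); renaming it would need a version bump.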
@@ -11,57 +11,74 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "shutdown-time": { "description": "Date and time when the system was shutdown.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "timezone-last-write-time": { "description": "Date and time when the timezone key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "timezone-bias": { "description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "timezone-standard-name": { "description": "Timezone standard name used during non-daylight saving months.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "timezone-standard-date": { "description": "Standard date - non daylight saving months", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "timezone-standard-bias": { "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "timezone-daylight-name": { "description": "Timezone name used during daylight saving months.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "timezone-daylight-date": { "description": "Daylight date - daylight saving months", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "timezone-daylight-bias": { "description": "value in minutes to be 
added to the value of timezone-bias to generate the bias used during daylight time.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "fDenyTSConnections:": { "description": "Specifies whether remote connections are enabled or disabled on the system.", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-system-hive-network-information/definition.json b/objects/regripper-system-hive-network-information/definition.json index d2b07b5..3a872e1 100644 --- a/objects/regripper-system-hive-network-information/definition.json +++ b/objects/regripper-system-hive-network-information/definition.json @@ -11,12 +11,14 @@ "network-key-last-write-time": { "description": "Date and time when the network key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "network-key-path": { "description": "Path of the key where the information is retrieved from.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "TCPIP-key": { "description": "TCPIP key", @@ -26,7 +28,8 @@ "TCPIP-key-last-write-time": { "description": "Datetime when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "DHCP-domain": { "description": "Name of the DHCP domain service", 
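Review bot: The `comment` attribute added to regripper-system-hive-general-configuration has `"misp-attribute": ""`; an empty string is not a valid MISP attribute type and the template will not load cleanly. Use `"misp-attribute": "text"`, as the firewall-configuration object in this same commit does for its `comment` field. The key `fDenyTSConnections:` carries a trailing colon that looks accidental (context line); since that name is what the template exposes, it is worth fixing together with the version bump such a change requires.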
@@ -36,32 +39,34 @@ "DHCP-IP-address": { "description": "DHCP service - IP address", "ui-priority": 0, - "misp-attribute": "ip-dist" + "misp-attribute": "ip-dst" }, "DHCP-subnet-mask": { "description": "DHCP subnet mask - IP address.", "ui-priority": 0, - "misp-attribute": "ip-dist" + "misp-attribute": "ip-dst" }, "DHCP-name-server": { "description": "DHCP Name server - IP address.", "ui-priority": 0, - "misp-attribute": "ip-dist" + "misp-attribute": "ip-dst" }, "DHCP-server": { "description": "DHCP server - IP address.", "ui-priority": 0, - "misp-attribute": "ip-dist" + "misp-attribute": "ip-dst" }, "interface-GUID": { "description": "GUID value assigned to the interface.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "interface-last-write-time": { "description": "Last date and time when the interface key was updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "interface-name": { "description": "Name of the interface.", @@ -71,17 +76,26 @@ "interface-PnpInstanceID": { "description": "Plug and Play instance ID assigned to the interface.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "interface-MediaSubType": { "description": "", "ui-priority": 0, - "misp-attribute": "number" + "misp-attribute": "text", + "disable_correlation": true }, "interface-IPcheckingEnabled": { "description": "", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true } }, "version": 1, diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index 264cbc6..ff7984c 100644 
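Review bot: `DHCP-subnet-mask` is typed `ip-dst` with correlation left enabled, so a mask such as 255.255.255.0 will correlate this object with every other event that holds the same value as an IP, which is pure noise. A subnet mask is not a destination address; `"misp-attribute": "text"` together with `"disable_correlation": true` fits better. `DHCP-IP-address` is the address assigned to this host, so `ip-src` would be the more accurate choice than `ip-dst` if a correlating IP type is wanted; the `ip-dist` to `ip-dst` correction itself is right, since `ip-dist` is not a MISP type.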
--- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json @@ -11,7 +11,8 @@ "last-write-time": { "description": "Date and time when the key was last updated.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "display": { "description": "Display name/information of the service or the driver.", @@ -34,7 +35,8 @@ "Interactive", "Other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "start": { "description": "When the service/driver starts or executes.", @@ -46,7 +48,8 @@ "Manual", "Disabled" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "group": { "description": "Group to which the system/driver belong to.", @@ -77,12 +80,14 @@ "Video Save", "other" ], - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "" + "misp-attribute": "", + "disable_correlation": true } }, "version": 1, From 60f559f6da565764a4e3bcfd66fc09078b059074 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Tue, 2 Oct 2018 13:01:29 -0700 Subject: [PATCH 097/244] Create IP_API.JSON --- objects/IP_API.JSON | 90 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 objects/IP_API.JSON diff --git a/objects/IP_API.JSON b/objects/IP_API.JSON new file mode 100644 index 0000000..41b88d0 --- /dev/null +++ b/objects/IP_API.JSON 
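Review bot: In the last hunk of regripper-system-hive-service-drivers the `comment` attribute gains `"disable_correlation": true` but keeps `"misp-attribute": ""`, which is not a valid MISP attribute type; the firewall-configuration object in this same commit corrects the identical field to `"text"`. Change the retained line to `"misp-attribute": "text"` so the template loads and the attribute is usable. The `"version": 1,` context line shows no version bump for these changes either.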
@@ -0,0 +1,90 @@ +{ + "name": "IP Address", + "meta-category": "network", + "description": "IP Address informtion. Useful if you pull your ip information from ip-api.com", + "version": 1, + "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", + + "attributes": { + "ip-src": { + "description": "Source IP address of the nework connection.", + "ui-priority": 1, + "misp-attribute": "ip-src" + }, + "asn": { + "description": "Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "description": { + "description": "Description of the autonomous system", + "ui-priority": 1, + "misp-attribute": "text" + }, + "ISP": { + "description": "ISP.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "city": { + "description": "City.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "state": { + "description": "State.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "country": { + "description": "Country name", + "ui-priority": 1, + "misp-attribute": "text" + }, + "country code": { + "description": "Country code ", + "ui-priority": 1, + "misp-attribute": "text" + }, + "region": { + "description": "Region. example: California.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "region code": { + "description": "Region code. 
example: CA", + "misp-attribute": "text", + "ui-priority": 1 + }, + "latitude": { + "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", + "disable_correlation": true, + "ui-priority": 90, + "misp-attribute": "float" + }, + "longitude": { + "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", + "disable_correlation": true, + "ui-priority": 89, + "misp-attribute": "float" + }, + "first-seen": { + "description": "First time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "requiredOneOf": [ "ip-src"] + } From ec75268f5c93ebbcec64b051e30172f5e8415013 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Tue, 2 Oct 2018 13:02:49 -0700 Subject: [PATCH 098/244] Created for data from ip-api.com --- objects/{IP_API.JSON => IP_API.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename objects/{IP_API.JSON => IP_API.json} (100%) diff --git a/objects/IP_API.JSON b/objects/IP_API.json similarity index 100% rename from objects/IP_API.JSON rename to objects/IP_API.json From 59b1dda754a68928051c0fe8b27c881d943cf551 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 12:41:52 -0700 Subject: [PATCH 099/244] Updated to match more of ip-api.com --- objects/IP_API.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/IP_API.json b/objects/IP_API.json index 41b88d0..449c74b 100644 --- a/objects/IP_API.json +++ b/objects/IP_API.json 
@@ -1,7 +1,7 @@ { "name": "IP Address", "meta-category": "network", - "description": "IP Address informtion. Useful if you pull your ip information from ip-api.com", + "description": "IP Address informtion. Useful if you are pulling your ip information from ip-api.com", "version": 1, "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", @@ -16,10 +16,10 @@ "ui-priority": 1, "misp-attribute": "AS" }, - "description": { - "description": "Description of the autonomous system", + "organization": { + "description": "Organization", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "AS" }, "ISP": { "description": "ISP.", From 04aea7b5961795b61a49e725addde2064c200fbe Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 13:14:42 -0700 Subject: [PATCH 100/244] Uploaded IP_API Object in folder --- .../IP_API_IP_Address/IP_API_IP_Address.json | 90 +++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 objects/IP_API_IP_Address/IP_API_IP_Address.json diff --git a/objects/IP_API_IP_Address/IP_API_IP_Address.json b/objects/IP_API_IP_Address/IP_API_IP_Address.json new file mode 100644 index 0000000..aaf8a3e --- /dev/null +++ b/objects/IP_API_IP_Address/IP_API_IP_Address.json 
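Review bot: The renamed `organization` attribute in the second hunk is given `"misp-attribute": "AS"`, but the `AS` type is for autonomous system numbers, already used by `asn` just above; an organisation name returned by ip-api.com is free text and should be `"misp-attribute": "text"`. The first hunk rewords the object description but leaves the `informtion` misspelling in place. Neither hunk bumps `version`, which is acceptable only if this object has not been released yet.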
@@ -0,0 +1,90 @@ +{ + "name": "IP Address", + "meta-category": "network", + "description": "IP Address informtion. Useful if you are pulling your ip information from ip-api.com", + "version": 1, + "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", + + "attributes": { + "ip-src": { + "description": "Source IP address of the nework connection.", + "ui-priority": 1, + "misp-attribute": "ip-src" + }, + "asn": { + "description": "Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "organization": { + "description": "Organization", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "ISP": { + "description": "ISP.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "city": { + "description": "City.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "state": { + "description": "State.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "country": { + "description": "Country name", + "ui-priority": 1, + "misp-attribute": "text" + }, + "country code": { + "description": "Country code ", + "ui-priority": 1, + "misp-attribute": "text" + }, + "region": { + "description": "Region. example: California.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "region code": { + "description": "Region code. 
example: CA", + "misp-attribute": "text", + "ui-priority": 1 + }, + "latitude": { + "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", + "disable_correlation": true, + "ui-priority": 90, + "misp-attribute": "float" + }, + "longitude": { + "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", + "disable_correlation": true, + "ui-priority": 89, + "misp-attribute": "float" + }, + "first-seen": { + "description": "First time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "requiredOneOf": [ "ip-src"] + } \ No newline at end of file From c39ff94f415913f2b086f1ed545c56c39fda2e10 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 13:15:55 -0700 Subject: [PATCH 101/244] Deleted IP_API single file --- objects/IP_API.json | 90 --------------------------------------------- 1 file changed, 90 deletions(-) delete mode 100644 objects/IP_API.json diff --git a/objects/IP_API.json b/objects/IP_API.json deleted file mode 100644 index 449c74b..0000000 --- a/objects/IP_API.json +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - "name": "IP Address", - "meta-category": "network", - "description": "IP Address informtion. Useful if you are pulling your ip information from ip-api.com", - "version": 1, - "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", - - "attributes": { - "ip-src": { - "description": "Source IP address of the nework connection.", - "ui-priority": 1, - "misp-attribute": "ip-src" - }, - "asn": { - "description": "Autonomous System Number", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "organization": { - "description": "Organization", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "ISP": { - "description": "ISP.", - "ui-priority": 1, - "misp-attribute": "text" - }, - "zipcode": { - "description": "Zip Code.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "city": { - "description": "City.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "state": { - "description": "State.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "country": { - "description": "Country name", - "ui-priority": 1, - "misp-attribute": "text" - }, - "country code": { - "description": "Country code ", - "ui-priority": 1, - "misp-attribute": "text" - }, - "region": { - "description": "Region. example: California.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "region code": { - "description": "Region code. 
example: CA", - "misp-attribute": "text", - "ui-priority": 1 - }, - "latitude": { - "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", - "disable_correlation": true, - "ui-priority": 90, - "misp-attribute": "float" - }, - "longitude": { - "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", - "disable_correlation": true, - "ui-priority": 89, - "misp-attribute": "float" - }, - "first-seen": { - "description": "First time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "last-seen": { - "description": "Last time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - } - }, - "requiredOneOf": [ "ip-src"] - } From 237b5a364bef8357478be6775ca2d55c0594fe68 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 13:42:07 -0700 Subject: [PATCH 102/244] Delete IP_API_IP_Address.json --- .../IP_API_IP_Address/IP_API_IP_Address.json | 90 ------------------- 1 file changed, 90 deletions(-) delete mode 100644 objects/IP_API_IP_Address/IP_API_IP_Address.json diff --git a/objects/IP_API_IP_Address/IP_API_IP_Address.json b/objects/IP_API_IP_Address/IP_API_IP_Address.json deleted file mode 100644 index aaf8a3e..0000000 --- a/objects/IP_API_IP_Address/IP_API_IP_Address.json +++ /dev/null 
@@ -1,90 +0,0 @@ -{ - "name": "IP Address", - "meta-category": "network", - "description": "IP Address informtion. Useful if you are pulling your ip information from ip-api.com", - "version": 1, - "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", - - "attributes": { - "ip-src": { - "description": "Source IP address of the nework connection.", - "ui-priority": 1, - "misp-attribute": "ip-src" - }, - "asn": { - "description": "Autonomous System Number", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "organization": { - "description": "Organization", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "ISP": { - "description": "ISP.", - "ui-priority": 1, - "misp-attribute": "text" - }, - "zipcode": { - "description": "Zip Code.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "city": { - "description": "City.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "state": { - "description": "State.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "country": { - "description": "Country name", - "ui-priority": 1, - "misp-attribute": "text" - }, - "country code": { - "description": "Country code ", - "ui-priority": 1, - "misp-attribute": "text" - }, - "region": { - "description": "Region. example: California.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "region code": { - "description": "Region code. 
example: CA", - "misp-attribute": "text", - "ui-priority": 1 - }, - "latitude": { - "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", - "disable_correlation": true, - "ui-priority": 90, - "misp-attribute": "float" - }, - "longitude": { - "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", - "disable_correlation": true, - "ui-priority": 89, - "misp-attribute": "float" - }, - "first-seen": { - "description": "First time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "last-seen": { - "description": "Last time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - } - }, - "requiredOneOf": [ "ip-src"] - } \ No newline at end of file From afb1d28b2bf8b9e48d471d7e3dc2a68e14d38fe1 Mon Sep 17 00:00:00 2001 From: DigitalLeukocyte <20444154+DigitalLeukocyte@users.noreply.github.com> Date: Thu, 4 Oct 2018 13:45:22 -0700 Subject: [PATCH 103/244] Added ip-api-address object Object useful for IP data from http://ip-api.com. --- objects/ip-api-address/ip-api-address.json | 90 ++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 objects/ip-api-address/ip-api-address.json diff --git a/objects/ip-api-address/ip-api-address.json b/objects/ip-api-address/ip-api-address.json new file mode 100644 index 0000000..ab2a557 --- /dev/null +++ b/objects/ip-api-address/ip-api-address.json 
@@ -0,0 +1,90 @@ +{ + "name": "ip-api-address", + "meta-category": "network", + "description": "IP Address information. Useful if you are pulling your ip information from ip-api.com", + "version": 1, + "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", + + "attributes": { + "ip-src": { + "description": "Source IP address of the network connection.", + "ui-priority": 1, + "misp-attribute": "ip-src" + }, + "asn": { + "description": "Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "organization": { + "description": "organization", + "ui-priority": 1, + "misp-attribute": "text" + }, + "ISP": { + "description": "ISP.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "city": { + "description": "City.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "state": { + "description": "State.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "country": { + "description": "Country name", + "ui-priority": 1, + "misp-attribute": "text" + }, + "country code": { + "description": "Country code ", + "ui-priority": 1, + "misp-attribute": "text" + }, + "region": { + "description": "Region. example: California.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "region code": { + "description": "Region code. 
example: CA", + "misp-attribute": "text", + "ui-priority": 1 + }, + "latitude": { + "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", + "disable_correlation": true, + "ui-priority": 90, + "misp-attribute": "float" + }, + "longitude": { + "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", + "disable_correlation": true, + "ui-priority": 89, + "misp-attribute": "float" + }, + "first-seen": { + "description": "First time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "requiredOneOf": [ "ip-src"] + } \ No newline at end of file From 9735995ba1deae580d8ba46e4f5a8187b25938da Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 6 Oct 2018 07:42:34 +0200 Subject: [PATCH 104/244] chg: [process] disable correlation where it's not required --- objects/process/definition.json | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/objects/process/definition.json b/objects/process/definition.json index 5fdcc2b..220d4e5 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -3,7 +3,7 @@ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "meta-category": "misc", "description": "Object describing a system process.", - "version": 1, + "version": 2, "attributes": { "creation-time": { "description": "Local date/time at which the process was created.", 
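Review bot: The new template keeps `"uuid": "4336f124-6264-4f72-943e-cc3797e4122b"` and `"version": 1` from the IP_API_IP_Address template deleted earlier in this series, while its `name` and the `organization` attribute type (`AS` → `text`) differ; an instance that already loaded the old template would presumably see an identical uuid/version pair and not refresh it, so either bump to `"version": 2` or give the object a fresh uuid if it is meant as a new template. The `first-seen`/`last-seen` descriptions still read "First time the ASN was seen" in an object that describes an IP address; `"description": "First time the IP address was seen"` and `"Last time the IP address was seen"` would match the object. The keys `country code`, `region code` and `ISP` break the lowercase, hyphenated naming used by every other attribute in the file (`ip-src`, `first-seen`); `country-code`, `region-code` and `isp` would be consistent. The same keys and descriptions are carried unchanged into the reformatting hunk of PATCH 109 (`@@ -1,90 +1,91 @@`), which is otherwise whitespace-only.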
@@ -25,24 +25,28 @@
 "pid": {
 "description": "Process ID of the process.",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "parent-pid": {
 "description": "Process ID of the parent process.",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "child-pid": {
 "description": "Process ID of the child(ren) process.",
 "ui-priority": 1,
 "misp-attribute": "text",
- "multiple": true
+ "multiple": true,
+ "disable_correlation": true
 },
 "port": {
 "description": "Port(s) owned by the process.",
 "ui-priority": 1,
 "misp-attribute": "src-port",
- "multiple": true
+ "multiple": true,
+ "disable_correlation": true
 }
 },
 "requiredOneOf": [
From 09495c3f2a81d2da08fb83b7644c0ebc44e3fbba Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 6 Oct 2018 20:27:51 +0200
Subject: [PATCH 105/244] chg: [network-connection] disable correlation
---
 objects/network-connection/definition.json | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index 0aa9cba..a9f4c01 100644
--- a/objects/network-connection/definition.json
+++ b/objects/network-connection/definition.json
@@ -3,7 +3,7 @@
 "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
 "meta-category": "network",
 "description": "A local or remote network connection.",
- "version": 1,
+ "version": 2,
 "attributes": {
 "ip-src": {
 "description": "Source IP address of the nework connection.",
@@ -59,7 +59,8 @@
 "ICMP",
 "ARP"
 ],
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "layer4-protocol": {
 "description": "Layer 4 protocol of the network connection.",
@@ -68,7 +69,8 @@
 "TCP",
 "UDP"
 ],
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "layer7-protocol": {
 "description": "Layer 7 protocol of the network connection.",
@@ -78,7 +80,8 @@
 "HTTPS",
 "FTP"
 ],
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "first-packet-seen": {
 "misp-attribute": "datetime",
From 5e468beb801b66bfc417ab21e8ed70c5abf46cd4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 7 Oct 2018 11:13:17 +0200
Subject: [PATCH 106/244] chg: [relationships] references added (useful for *INT collection referencing something which needs further analysis) - Example: a tweet referencing a hash which needs further analysis:
---
 relationships/definition.json | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/relationships/definition.json b/relationships/definition.json
index 422834e..c444212 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -643,6 +643,13 @@
 "format": [
 "misp"
 ]
+ },
+ {
+ "name": "references",
+ "description": "This relationships describes an object which references another object or attribute.",
+ "format": [
+ "misp"
+ ]
 }
 ],
 "description": "Default type of relationships in MISP objects.",
From 03f8622269dcc3697c57b9bf5ac8e2e7fdcb0d2b Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Thu, 11 Oct 2018 07:10:26 +0200
Subject: [PATCH 107/244] Updated list of objects in README
---
 README.md | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 7eee687..13cdafc 100644
--- a/README.md
+++ b/README.md
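Review bot: The description of the new `references` relationship has a number-agreement slip, `This relationships describes`; it should read `"description": "This relationship describes an object which references another object or attribute."`. The enclosing relationships array and the file-level `description` key continue outside the hunk.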
@@ -66,7 +66,8 @@ for a specific attribute. ## Existing MISP objects -* [objects/ail-leak](objects/ail-leak/definition.json) - information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework). +* [objects/ail-leak](objects/ail-leak/definition.json) - Information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework). +* [objects/ais-info](objects/ais-info/definition.json) - Object describing Automated Indicator Sharing (AIS) information source markings. * [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file). * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. 
@@ -89,9 +90,12 @@ for a specific attribute. * [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object. * [objects/file](objects/file/definition.json) - File object describing a file with meta-information. +* [objects/forensic-case](objects/forensic-case/definition.json) - An object template to describe a digital forensic case. +* [objects/forensic-evidence](objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence. * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location. * [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network. * [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object. +* [objects/ip-api-address](objects/ip-api-address/definition.json) - Object describing IP Address information, as defined in [ip-api.com](http://ip-api.com). * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way. * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation. 
@@ -103,6 +107,7 @@ for a specific attribute. * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. +* [objects/network-socket](objects/network-socket/definition.json) - Object to describe a local or remote network connections based on the socket data structure. * [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. 
@@ -112,31 +117,35 @@ for a specific attribute. * [objects/phishing](objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis. * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object. * [objects/process](objects/process/definition.json) - A process object. +* [objects/regexp](objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression. * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object. * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml. +* [objects/report](objects/report/definition.json) - Object to describe metadata used to generate an executive level report. * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. * [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. -* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s). * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target. +* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s). 
* [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. * [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system. * [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object. * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. +* [objects/timesketch-timeline](objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform. * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. -* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. -* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. 
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata. * [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration. * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused. +* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. +* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name. * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate. +* [objects/yabin](objects/yabin/definition.json) - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: [yabin](https://github.com/AlienVault-OTX/yabin). * [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported and context (such as memory, network, disk). ## MISP objects relationships From 8137a58f48ea40b1c18275b0022a9cf04c371b03 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 11 Oct 2018 07:11:28 +0200 Subject: [PATCH 108/244] fix: Fixed ip-api-address object template filename --- objects/ip-api-address/{ip-api-address.json => definition.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename objects/ip-api-address/{ip-api-address.json => definition.json} (100%) diff --git a/objects/ip-api-address/ip-api-address.json b/objects/ip-api-address/definition.json similarity index 100% rename from objects/ip-api-address/ip-api-address.json rename to objects/ip-api-address/definition.json From 141a0c8d4152c1be5d9872ee70d888cd63c737d5 Mon Sep 17 00:00:00 2001 
From: chrisr3d Date: Thu, 11 Oct 2018 09:14:08 +0200 Subject: [PATCH 109/244] fix: JQed ip-api-address template --- objects/ip-api-address/definition.json | 181 +++++++++++++------------ 1 file changed, 91 insertions(+), 90 deletions(-) diff --git a/objects/ip-api-address/definition.json b/objects/ip-api-address/definition.json index ab2a557..fc326a9 100644 --- a/objects/ip-api-address/definition.json +++ b/objects/ip-api-address/definition.json 
@@ -1,90 +1,91 @@ -{ - "name": "ip-api-address", - "meta-category": "network", - "description": "IP Address information. Useful if you are pulling your ip information from ip-api.com", - "version": 1, - "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", - - "attributes": { - "ip-src": { - "description": "Source IP address of the network connection.", - "ui-priority": 1, - "misp-attribute": "ip-src" - }, - "asn": { - "description": "Autonomous System Number", - "ui-priority": 1, - "misp-attribute": "AS" - }, - "organization": { - "description": "organization", - "ui-priority": 1, - "misp-attribute": "text" - }, - "ISP": { - "description": "ISP.", - "ui-priority": 1, - "misp-attribute": "text" - }, - "zipcode": { - "description": "Zip Code.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "city": { - "description": "City.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "state": { - "description": "State.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "country": { - "description": "Country name", - "ui-priority": 1, - "misp-attribute": "text" - }, - "country code": { - "description": "Country code ", - "ui-priority": 1, - "misp-attribute": "text" - }, - "region": { - "description": "Region. example: California.", - "misp-attribute": "text", - "ui-priority": 1 - }, - "region code": { - "description": "Region code. 
example: CA", - "misp-attribute": "text", - "ui-priority": 1 - }, - "latitude": { - "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", - "disable_correlation": true, - "ui-priority": 90, - "misp-attribute": "float" - }, - "longitude": { - "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", - "disable_correlation": true, - "ui-priority": 89, - "misp-attribute": "float" - }, - "first-seen": { - "description": "First time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "last-seen": { - "description": "Last time the ASN was seen", - "disable_correlation": true, - "ui-priority": 0, - "misp-attribute": "datetime" - } - }, - "requiredOneOf": [ "ip-src"] - } \ No newline at end of file +{ + "name": "ip-api-address", + "meta-category": "network", + "description": "IP Address information. Useful if you are pulling your ip information from ip-api.com", + "version": 1, + "uuid": "4336f124-6264-4f72-943e-cc3797e4122b", + "attributes": { + "ip-src": { + "description": "Source IP address of the network connection.", + "ui-priority": 1, + "misp-attribute": "ip-src" + }, + "asn": { + "description": "Autonomous System Number", + "ui-priority": 1, + "misp-attribute": "AS" + }, + "organization": { + "description": "organization", + "ui-priority": 1, + "misp-attribute": "text" + }, + "ISP": { + "description": "ISP.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "city": { + "description": "City.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "state": { + "description": "State.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "country": { + "description": "Country name", + "ui-priority": 1, + "misp-attribute": "text" + }, + "country code": { + "description": "Country code ", 
+ "ui-priority": 1, + "misp-attribute": "text" + }, + "region": { + "description": "Region. example: California.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "region code": { + "description": "Region code. example: CA", + "misp-attribute": "text", + "ui-priority": 1 + }, + "latitude": { + "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", + "disable_correlation": true, + "ui-priority": 90, + "misp-attribute": "float" + }, + "longitude": { + "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", + "disable_correlation": true, + "ui-priority": 89, + "misp-attribute": "float" + }, + "first-seen": { + "description": "First time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-seen": { + "description": "Last time the ASN was seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "requiredOneOf": [ + "ip-src" + ] +} From 711abb094a667e8907e378bd13d9385e3167b45a Mon Sep 17 00:00:00 2001 From: aksha Date: Mon, 15 Oct 2018 11:08:09 +0100 Subject: [PATCH 110/244] Add: python-etvx object --- objects/python-etvx-event-log/definition.json | 177 ++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 objects/python-etvx-event-log/definition.json diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json new file mode 100644 index 0000000..e0fb273 --- /dev/null +++ b/objects/python-etvx-event-log/definition.json 
@@ -0,0 +1,177 @@ +{ + "required": [ + "source", + "type", + "name" + ], + "attributes": { + "event-id": { + "description": "A unique number which identifies the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "name": { + "description": "Name of the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "event-channel": + { + "description":" Channel through which the event occurred", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default":[ + "Application", + "System", + "Security", + "Setup", + "other" + ] + }, + "event-type": + { + "description": "Event-type assigned to the event", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default":[ + "Admin", + "Operational", + "Audit", + "Analytic", + "Debug", + "other" + ] + }, + "source": { + "description": "The source of the event log - application/software that logged the event.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "event-date-time": + { + "description": "Date and time when the event was logged.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "level": { + "description": "Determines the event severity.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default":[ + "Information", + "Warning", + "Error", + "Critical", + "Success Audit", + "Failure Audit" + ] + }, + "Computer": { + "description": "Computer name on which the event occurred", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "User": { + "description": "Name or the User ID the event is associated with.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Operational-code": { + "description": "The opcode (numeric value or name) associated with the activity carried out by the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true 
+ }, + "log": { + "description": "Log file where the event was recorded.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "task-category":{ + "description": "Activity by the event publisher", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Keywords":{ + "description" : "Tags used for the event for the purpose of filtering or searching.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default":[ + "Network", + "Security", + "Resource not found", + "other" + ] + }, + "Processor-ID": { + "description": "ID of the processor that processed the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Thread-ID": { + "description": "Thread id that generated the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Session-ID": { + "description": "Terminal server session ID.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Correlation-ID": { + "description": "Unique activity identity which relates the event to a process. 
", + "ui-priority": 0, + "misp-attribute": "text" + }, + "Relative-Correlation-ID": { + "description": "Related activity ID which identity similar activities which occurred as a part of the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "kernel-time": + { + "description": "Execution time of the kernel mode instruction.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "user-time": + { + "description": "Date and time when the user instruction was executed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Event-data": + { + "description": "Event data description.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Event log object template to share information of the activities conducted on a system. ", + "meta-category": "misc", + "uuid": "94e3aee9-cb99-4503-9bf6-7da3db5de55e", + "name": "python-etvx-event-log" +} From de3acf865ddad44a3511a23fa7740f4c8ed9eec3 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 22 Oct 2018 10:13:48 +0200 Subject: [PATCH 111/244] fix: Disabled correlation of imported files format attribute --- objects/original-imported-file/definition.json | 1 + 1 file changed, 1 insertion(+) diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index c2a5af5..c9d4762 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json @@ -12,6 +12,7 @@ "format": { "description": "Format of data imported.", "ui-priority": 1, + "disable_correlation": true, "misp-attribute": "text", "sane_default": [ "STIX 1.0", From 478dc899f2d0888e33187acb73c005bf09c4b4d1 Mon Sep 17 00:00:00 2001 
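Review bot: `event-channel` and `event-type` spell the defaults key as `"sane-default"` while `level` and `Keywords` in the same file, and every other template in this series, use `"sane_default"`; the hyphenated key is presumably ignored by the consumer, so those two pick-lists would never be offered, and the fix is `"sane_default": [` in both places. `level` and `Keywords` leave correlation enabled although they hold enumerated values such as `"Information"` or `"Security"`, which would correlate every event sharing a level; the sibling pick-list attributes `event-channel` and `event-type` set `"disable_correlation": true`, and these two should match. Attribute keys mix lowercase-hyphenated names (`event-id`, `task-category`) with capitalised ones (`Computer`, `User`, `Keywords`, `Processor-ID`, `Correlation-ID`, `Event-data`); the lowercase form is what the other templates use and what consumers keying on attribute names will expect. `kernel-time` is typed `datetime` but described as "Execution time of the kernel mode instruction"; if this is a duration rather than a point in time, a `text` attribute or a description naming the timestamp it carries would be clearer.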
From: aksha Date: Mon, 22 Oct 2018 09:35:21 +0100 Subject: [PATCH 112/244] Add: Web artefacts objects --- objects/TSK-Chats/definition.json | 84 ++++++++++++++++++++ objects/TSK-Web-Bookmark/definition.json | 67 ++++++++++++++++ objects/TSK-Web-Cookie/definition.json | 67 ++++++++++++++++ objects/TSK-Web-Downloads/definition.json | 55 +++++++++++++ objects/TSK-Web-History/definition.json | 68 ++++++++++++++++ objects/TSK-Web-Search-Query/definition.json | 66 +++++++++++++++ 6 files changed, 407 insertions(+) create mode 100644 objects/TSK-Chats/definition.json create mode 100644 objects/TSK-Web-Bookmark/definition.json create mode 100644 objects/TSK-Web-Cookie/definition.json create mode 100644 objects/TSK-Web-Downloads/definition.json create mode 100644 objects/TSK-Web-History/definition.json create mode 100644 objects/TSK-Web-Search-Query/definition.json diff --git a/objects/TSK-Chats/definition.json b/objects/TSK-Chats/definition.json new file mode 100644 index 0000000..bcda96a --- /dev/null +++ b/objects/TSK-Chats/definition.json 
@@ -0,0 +1,84 @@ +{ + "required": [ + "message-type", + "message" + ], + "attributes": { + "message-type": { + "description": "the type of message extracted from the forensic-evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default":[ + "SMS", + "MMS", + "Instant Message (IM)", + "Voice Message" + ], + "disable_correlation": true + }, + "datetime-sent": { + "description": "date and the time when the message was sent.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "datetime-received": { + "description": "date and time when the message was received.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Source": { + "description": "Source of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "destination": { + "description": "Destination of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "app-used": { + "description": "Application used to send the message.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "subject": { + "description": "Subject of the message if any.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "message": { + "description": "Message exchanged.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "attachments": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "categories": [ + "External analysis" + ], + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.", + "meta-category": 
"misc", + "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", + "name": "TSK-Chats" +} diff --git a/objects/TSK-Web-Bookmark/definition.json b/objects/TSK-Web-Bookmark/definition.json new file mode 100644 index 0000000..f5bd4b9 --- /dev/null +++ b/objects/TSK-Web-Bookmark/definition.json @@ -0,0 +1,67 @@ +{ + "required": [ + "URL" + ], + "attributes": { + "URL": { + "description": "The URL saved as bookmark.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-bookmarked": { + "description": "date and time when the URL was added to favorites.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Book mark name. ", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": { + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", + "name": "TSK-Web-Bookmark" +} diff --git a/objects/TSK-Web-Cookie/definition.json b/objects/TSK-Web-Cookie/definition.json new file mode 100644 index 0000000..db4ded0 --- /dev/null +++ b/objects/TSK-Web-Cookie/definition.json 
@@ -0,0 +1,67 @@ +{ + "required": [ + "URL", + "name", + "value" + ], + "attributes": { + "URL": { + "description": "The website URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-created": { + "description": "date and time when the cookie was created.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the cookie ", + "ui-priority": 0, + "misp-attribute": "text" + }, + "value": { + "description": "Value assigned to the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser on which the cookie was created.", + "ui-priority": 0, + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the domain that created the URL.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", + "meta-category": "misc", + "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", + "name": "TSK-Web-Cookie" +} diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json new file mode 100644 index 0000000..55ddf05 --- /dev/null +++ b/objects/TSK-Web-Downloads/definition.json 
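Review bot: `value` is required and correlation-enabled, yet cookie values routinely are session identifiers or authentication tokens; an event created from this template would then carry a live credential that is replicated to every instance the event syncs to. Add the caveat to the attribute so analysts are warned at entry time: `"description": "Value assigned to the cookie. May be a session token or other credential; consider restricting distribution or storing a hash instead of the raw value."`. Also `domain-ip`'s description reads "IP of the domain that created the URL", presumably meant "created the cookie", and like the bookmark template it is typed `ip-src` where `ip-dst` fits a site the browser connected to.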
@@ -0,0 +1,55 @@ +{ + "required": [ + "URL", + "name" + ], + "attributes": { + "URL": { + "description": "The URL used to download the file.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and time when the file was downloaded.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the file downloaded.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "path-downloadedTo": { + "description": "Location the file was downloaded to.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "pathID": { + "description": "Id of the attribute file where the information is gathered from.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "attachment": { + "description": "The downloaded file itself.", + "ui-priority": 1, + "misp-attribute": "attachment", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add web-downloads", + "meta-category": "File", + "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", + "name": "TSK-Web-Downloads" +} diff --git a/objects/TSK-Web-History/definition.json b/objects/TSK-Web-History/definition.json new file mode 100644 index 0000000..84be3b9 --- /dev/null +++ b/objects/TSK-Web-History/definition.json 
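Review bot: `attachment` holds "The downloaded file itself", but files recovered from a compromised host's download history are frequently the malware under investigation, and the `attachment` type stores and serves the bytes as-is; MISP's `malware-sample` type is the one that keeps samples in a password-protected archive (and, as I recall, derives the hashes automatically). Typing it `"misp-attribute": "malware-sample"`, or documenting that only benign files belong here, avoids a template that invites distributing live samples unprotected. The template also has no hash attribute, so a download cannot be correlated with `file` objects or other events without sharing the binary; a `"sha256": {"description": "SHA256 of the downloaded file.", "ui-priority": 1, "misp-attribute": "sha256"}` entry would cover that. Minor: `path-downloadedTo` and `pathID` are camelCase among otherwise kebab-case keys.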
@@ -0,0 +1,68 @@ +{ + "required": [ + "URL", + "datetime-accessed" + ], + "attributes": { + "URL": { + "description": "The URL accessed.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and the time when the URL was accessed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "referrer": { + "description": "where the URL was referred from ", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": { + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web history information", + "meta-category": "misc", + "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698", + "name": "TSK-Web-History" +} diff --git a/objects/TSK-Web-Search-Query/definition.json b/objects/TSK-Web-Search-Query/definition.json new file mode 100644 index 0000000..8e66b0d --- /dev/null +++ b/objects/TSK-Web-Search-Query/definition.json 
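Review bot: `URL` is typed `link` (and `referrer` is plain `text`), but in MISP `link` is the type for external references such as report pages, not for an observed URL; as far as I recall it is skipped by indicator exports and carries no URL semantics for correlation. The accessed URL is the primary artefact of this template, so `"misp-attribute": "url"` for both `URL` and `referrer` would make them usable as indicators and keep referrer chains correlatable. The `domain-name`-as-`text` and `domain-ip`-as-`ip-src` typing question raised on the bookmark template applies here as well.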
@@ -0,0 +1,66 @@ +{ + "required": [ + "domain", + "text" + ], + "attributes": { + "domain": { + "description": "The domain of the search engine.", + "ui-priority": 0, + "misp-attribute": "link", + "sane_default": [ + "Google", + "Yahoo", + "Bing", + "Alta Vista", + "MSN" + ], + "disable_correlation": true + }, + "text": { + "description": "the search word or sentence.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "datetime-searched": { + "description": "date and time when the search was conducted.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "browser": { + "description": "Browser used.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "username": { + "description": "User name or ID associated with the search.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web search query information", + "meta-category": "misc", + "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e", + "name": "TSK-Web-Search-Query" +} From 332cf5475c1afd090c2995603b09b86f72042c15 Mon Sep 17 00:00:00 2001 From: Tobias Mainka Date: Mon, 22 Oct 2018 14:55:27 +0200 Subject: [PATCH 113/244] enable multiple summary attribute in report object --- objects/report/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/report/definition.json b/objects/report/definition.json index a0908ad..cce9d89 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json 
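Review bot: `domain` is a required attribute typed `link`, yet its `sane_default` values are search-engine names ("Google", "Yahoo", …) rather than links or domains; MISP validates `link` values as URLs, so picking an entry from the dropdown would likely be rejected and the required field could not be filled from its own defaults. Either type it `"misp-attribute": "domain"` with defaults like `google.com`, `bing.com`, `yahoo.com`, or rename it `search-engine` with type `text` and keep the names. Correlation is disabled on it, which is sensible for a search-engine label but would be an odd choice for a genuine domain attribute, so the rename may be the better fit.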
@@ -10,7 +10,8 @@ "categories": [ "Other", "Internal reference" - ] + ], + "multiple": true }, "case-number": { "description": "Case number", From 0db808ab6a09a420ac4523d986ad154d91ba00ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 22 Oct 2018 12:19:47 -0400 Subject: [PATCH 114/244] new: Add Alfred relationships (CCCS) --- relationships/definition.json | 301 ++++++++++++++++++++- tools/alfred_links_to_relarelationships.py | 48 ++++ 2 files changed, 337 insertions(+), 12 deletions(-) create mode 100644 tools/alfred_links_to_relarelationships.py diff --git a/relationships/definition.json b/relationships/definition.json index c444212..e27168b 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -6,7 +6,8 @@ "description": "The information in the target object is based on information from the source object.", "format": [ "misp", - "stix-2.0" + "stix-2.0", + "alfred" ] }, { @@ -22,7 +23,8 @@ "description": "The referenced source is related to the target object.", "format": [ "misp", - "stix-2.0" + "stix-2.0", + "alfred" ] }, { @@ -46,7 +48,8 @@ "description": "The referenced source is containing the target object.", "format": [ "misp", - "stix-1.1" + "stix-1.1", + "alfred" ] }, { @@ -182,7 +185,8 @@ "description": "This relationship describes the use by the source object of the target object.", "format": [ "misp", - "stix-2.0" + "stix-2.0", + "alfred" ] }, { @@ -206,7 +210,8 @@ "description": "This relationship describes a source object which is a variant of the target object", "format": [ "misp", - "stix-2.0" + "stix-2.0", + "alfred" ] }, { @@ -284,14 +289,16 @@ "name": "affects", "description": "This relationship describes an object affected by another object.", "format": [ - "misp" + "misp", + "alfred" ] }, { "name": "beacons-to", "description": "This relationship describes an object beaconing to another object.", "format": [ - "misp" + "misp", + "alfred" ] }, { 
@@ -305,21 +312,24 @@ "name": "exfiltrates-to", "description": "This relationship describes an object exfiltrating to another object.", "format": [ - "misp" + "misp", + "alfred" ] }, { "name": "identifies", "description": "This relationship describes an object which identifies another object.", "format": [ - "misp" + "misp", + "alfred" ] }, { "name": "intercepts", "description": "This relationship describes an object which intercepts another object.", "format": [ - "misp" + "misp", + "alfred" ] }, { @@ -578,7 +588,8 @@ "name": "owner-of", "description": "This relationship describes an object which owns another object.", "format": [ - "cert-eu" + "cert-eu", + "alfred" ] }, { 
@@ -650,9 +661,275 @@ "format": [ "misp" ] + }, + { + "name": "child-of", + "description": "A child semantic link to a parent.", + "format": [ + "alfred" + ] + }, + { + "name": "compromised", + "description": "Represents the semantic link of having compromised something.", + "format": [ + "alfred" + ] + }, + { + "name": "connects", + "description": "The initiator of a connection.", + "format": [ + "alfred" + ] + }, + { + "name": "connects-to", + "description": "The destination or target of a connection.", + "format": [ + "alfred" + ] + }, + { + "name": "cover-term-for", + "description": "Represents the semantic link of one thing being the cover term for another.", + "format": [ + "alfred" + ] + }, + { + "name": "disclosed-to", + "description": "Semantic link indicating where information is disclosed to.", + "format": [ + "alfred" + ] + }, + { + "name": "downloads", + "description": "Represents the semantic link of one thing downloading another.", + "format": [ + "alfred" + ] + }, + { + "name": "downloads-from", + "description": "Represents the semantic link of malware being downloaded from a location.", + "format": [ + "alfred" + ] + }, + { + "name": "generated", + "description": "Represents the semantic link of an alert generated from a signature.", + "format": [ + "alfred" + ] + }, + { + "name": "implements", + "description": "One data object implements another.", + "format": [ + "alfred" + ] + }, + { + "name": "initiates", + "description": "Represents the semantic link of a communication initiating an event.", + "format": [ + "alfred" + ] + }, + { + "name": "instance-of", + "description": "Represents the semantic link between a FILE and FILE_BINARY.", + "format": [ + "alfred" + ] + }, + { + "name": "issuer-of", + "description": "Represents the semantic link of being the issuer of something.", + "format": [ + "alfred" + ] + }, + { + "name": "linked-to", + "description": "Represents the semantic link of being associated with something.", + "format": [ + "alfred" + 
] + }, + { + "name": "not-relevant-to", + "description": "Represents the semantic link of a comm that is not relevant to an EVENT.", + "format": [ + "alfred" + ] + }, + { + "name": "part-of", + "description": "Represents the semantic link that defines one thing to be part of another in a hierachial structure from the child to the parent.", + "format": [ + "alfred" + ] + }, + { + "name": "processed-by", + "description": "Represents the semantic link of something has been processed by another program.", + "format": [ + "alfred" + ] + }, + { + "name": "produced", + "description": "Represents the semantic link of something having produced something else.", + "format": [ + "alfred" + ] + }, + { + "name": "queried-for", + "description": "The IP Address or domain being queried for.", + "format": [ + "alfred" + ] + }, + { + "name": "query-returned", + "description": "The IP Address or domain returned as the result of a query.", + "format": [ + "alfred" + ] + }, + { + "name": "registered", + "description": "Represents the semantic link of someone registered some thing.", + "format": [ + "alfred" + ] + }, + { + "name": "registered-to", + "description": "Represents the semantic link of something being registered to.", + "format": [ + "alfred" + ] + }, + { + "name": "relates", + "description": "Represents the semantic link between HBS Comms and communication addresses.", + "format": [ + "alfred" + ] + }, + { + "name": "relevant-to", + "description": "Represents the semantic link of a comm that is relevant to an EVENT.", + "format": [ + "alfred" + ] + }, + { + "name": "resolves-to", + "description": "Represents the semantic link of resolving to something.", + "format": [ + "alfred" + ] + }, + { + "name": "responsible-for", + "description": "Represents the semantic link of some entity being responsible for something.", + "format": [ + "alfred" + ] + }, + { + "name": "seeded", + "description": "Represents the semantic link of a seeded domain redirecting to another site.", + 
"format": [ + "alfred" + ] + }, + { + "name": "sends", + "description": "A sends semantic link meaning 'who sends what'.", + "format": [ + "alfred" + ] + }, + { + "name": "sends-as-bcc-to", + "description": "A sends to as BCC semantic link meaning 'what sends to who as BCC'.", + "format": [ + "alfred" + ] + }, + { + "name": "sends-as-cc-to", + "description": "A sends to as CC semantic link meaning 'what sends to who as CC'.", + "format": [ + "alfred" + ] + }, + { + "name": "sends-to", + "description": "A sends to semantic link meaning 'what sends to who'.", + "format": [ + "alfred" + ] + }, + { + "name": "spoofer-of", + "description": "The represents the semantic link of having spoofed something.", + "format": [ + "alfred" + ] + }, + { + "name": "subdomain-of", + "description": "Represents a domain being a subdomain of another.", + "format": [ + "alfred" + ] + }, + { + "name": "supersedes", + "description": "One data object supersedes another.", + "format": [ + "alfred" + ] + }, + { + "name": "triggered-on", + "description": "Represents the semantic link of an alert triggered on an event.", + "format": [ + "alfred" + ] + }, + { + "name": "uploads", + "description": "Represents the semantic link of one thing uploading another.", + "format": [ + "alfred" + ] + }, + { + "name": "user-of", + "description": "The represents the semantic link of being the user of something.", + "format": [ + "alfred" + ] + }, + { + "name": "works-for", + "description": "Represents the semantic link of working for something.", + "format": [ + "alfred" + ] } ], "description": "Default type of relationships in MISP objects.", "uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c", "name": "relationships" -} +} \ No newline at end of file diff --git a/tools/alfred_links_to_relarelationships.py b/tools/alfred_links_to_relarelationships.py new file mode 100644 index 0000000..bab18a2 --- /dev/null +++ b/tools/alfred_links_to_relarelationships.py 
@@ -0,0 +1,48 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +from pathlib import Path +import json + +name_ontology = 'alfred' + +relationships_path = Path('..', 'relationships', 'definition.json') + +with open(relationships_path) as f: + relationships = json.load(f) + +rel_fast_lookup = {entry['name']: entry for entry in relationships['values']} + +ontology_path = Path('alfred-ontology.json') + +with open(ontology_path) as f: + ontology = json.load(f) + +links = ontology['data']['linkTypes'] + + +for linktype in links: + link_name = linktype['name'].lower().replace('_', '-') + link_description = linktype['description'] + if link_name in rel_fast_lookup: + if rel_fast_lookup[link_name]['description'] != link_description: + print(link_name) + print('\t MISP:', rel_fast_lookup[link_name]['description']) + print('\t Alfred:', link_description) + for entry in relationships['values']: + if entry['name'] == link_name: + if name_ontology not in entry['format']: + entry['format'].append(name_ontology) + break + # Update the fast lookup to avoid duplicates. + rel_fast_lookup = {entry['name']: entry for entry in relationships['values']} + else: + if link_name not in rel_fast_lookup: + linktype['name'] = link_name + linktype['format'] = [name_ontology] + relationships['values'].append(linktype) + else: + print("Duplicate", link_name) + +with open(relationships_path, 'w') as f: + json.dump(relationships, f, indent=2) From ae103f60809567d507414bbae68a70a3c6065e0d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 23 Oct 2018 08:43:35 +0200 Subject: [PATCH 115/244] chg: [person] add attributes to whois-related information which can be associated to a person --- objects/person/definition.json | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index a041ede..d8950f0 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json 
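Review bot: The de-duplication is in the wrong branch: `rel_fast_lookup` is rebuilt only after handling a name that already existed, while the `else` branch appends new entries without registering them, so two Alfred link types that normalise to the same `link_name` (differing only in case or `_` vs `-`) are both appended and the `"Duplicate"` message never fires. Replace the per-iteration rebuild with `rel_fast_lookup[link_name] = linktype` placed immediately after `relationships['values'].append(linktype)`. The append also copies the whole ontology dict, so any keys Alfred carries beyond `name`/`description` land verbatim in the MISP definition; build the entry explicitly with `relationships['values'].append({'name': link_name, 'description': link_description, 'format': [name_ontology]})`. Finally, `json.dump` writes no trailing newline (visible as `\ No newline at end of file` in the generated diff), so add `f.write('\n')` after it; the relative `Path('..', ...)` also only works when run from `tools/`, which is worth a comment at the top.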
@@ -94,7 +94,7 @@ "misp-attribute": "redress-number" }, "social-security-number": { - "description": "Social security number", + "description": "Social security number.", "ui-priority": 0, "misp-attribute": "text" }, @@ -104,9 +104,39 @@ "misp-attribute": "nationality", "multiple": true, "disable_correlation": true + }, + "nic-hdl": { + "description": "NIC Handle (Network Information Centre handle) of the person.", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "phone-number": { + "description": "Phone number of the person.", + "ui-priority": 10, + "misp-attribute": "phone-number", + "multiple": true + }, + "fax-number": { + "description": "Fax number of the person.", + "ui-priority": 10, + "misp-attribute": "phone-number", + "multiple": true + }, + "address": { + "description": "Postal address of the person.", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "e-mail": { + "description": "Email address of the person.", + "ui-priority": 10, + "misp-attribute": "email-src", + "multiple": true } }, - "version": 3, + "version": 4, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From 49dee77a7fecf3120198f01cad1e712e93ebc1ef Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 23 Oct 2018 09:04:57 +0200 Subject: [PATCH 116/244] chg: [relationships] newline and relationship file ;-) --- relationships/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index e27168b..c6c94bb 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -932,4 +932,4 @@ "description": "Default type of relationships in MISP objects.", "uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c", "name": "relationships" -} \ No newline at end of file +} From 1a1972003d63a28b884791e596dad1f782168b8a Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Tue, 23 Oct 2018 16:35:08 +0200 Subject: [PATCH 117/244] add: [pcap-metadata] new object template for pcap file metadata (WiP) --- objects/pcap-metadata/definition.json | 54 +++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 objects/pcap-metadata/definition.json diff --git a/objects/pcap-metadata/definition.json b/objects/pcap-metadata/definition.json new file mode 100644 index 0000000..3ede7ee --- /dev/null +++ b/objects/pcap-metadata/definition.json @@ -0,0 +1,54 @@ +{ + "requiredOneOf": [ + "text", + "first-packet-seen", + "last-packet-seen" + ], + "attributes": { + "capture-length": { + "description": "Capture length set on the captured interface.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "capture-interface": { + "description": "Interface name where the packet capture was running.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "protocol": { + "description": "Capture protocol (linktype name).", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "sane_default": [ + "LINKTYPE_NULL", + "LINKTYPE_ETHERNET" + ] + }, + "text": { + "description": "A description of the packet capture.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "first-packet-seen": { + "description": "When the first packet has been seen.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "last-packet-seen": { + "description": "When the last packet has been seen.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Network packet capture metadata", + "meta-category": "network", + "uuid": "0784aefa-ec3a-4eca-a431-c31ed7058bd3", + "name": "pcap-metadata" +} From 3bf8c938aadf7363d1f59a1258a20fa446d1a806 Mon Sep 17 00:00:00 2001 
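Review bot: `capture-length` is ambiguous and typed `text`: "Capture length set on the captured interface" could mean the configured snapshot length (snaplen) or the number of bytes captured, and as free text it cannot be compared numerically. If snaplen is meant, `"description": "Snapshot length (snaplen) in bytes configured for the capture."` with `"misp-attribute": "size-in-bytes"` pins it down. The object also has nothing that ties it to the capture it describes (no hash, no file name); presumably it is meant to be linked to a `file` object by object reference, which the description should state, since `requiredOneOf` lets a bare `text` object be created with no way to tell which pcap it belongs to.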
From: Alexandre Dulaunoy Date: Tue, 23 Oct 2018 20:03:58 +0200 Subject: [PATCH 118/244] fix the required part of the url --- objects/url/definition.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/objects/url/definition.json b/objects/url/definition.json index 10729f9..8248ed6 100644 --- a/objects/url/definition.json +++ b/objects/url/definition.json @@ -1,6 +1,7 @@ { - "required": [ - "url" + "requiredOneOf": [ + "url", + "resource_path" ], "attributes": { "fragment": { @@ -95,7 +96,7 @@ "misp-attribute": "hostname" } }, - "version": 6, + "version": 7, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", From a2ce46ecad9796f28055191e53a6a55bf21f7a28 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 24 Oct 2018 07:35:31 +0200 Subject: [PATCH 119/244] chg: [pcap-metadata] linktype added in the sane default --- objects/pcap-metadata/definition.json | 205 +++++++++++++++++++++++++- 1 file changed, 202 insertions(+), 3 deletions(-) diff --git a/objects/pcap-metadata/definition.json b/objects/pcap-metadata/definition.json index 3ede7ee..c454f26 100644 --- a/objects/pcap-metadata/definition.json +++ b/objects/pcap-metadata/definition.json 
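Review bot: With `requiredOneOf`, an object holding only `resource_path` is now valid, but the description shown in the hunk's context still says the object "describes an url", so nothing tells a user that a path-only object (useful for a distinctive URI path observed across hosts) is intended; appending "Either a full url or only a resource_path may be given." to the description would document the new contract. If `resource_path` values can be flagged `to_ids` (its attribute definition is outside this hunk), a path-only indicator matches every host serving that path, which deserves a word of caution in the same sentence.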
@@ -23,8 +23,207 @@ "ui-priority": 1, "misp-attribute": "text", "sane_default": [ - "LINKTYPE_NULL", - "LINKTYPE_ETHERNET" + "PER_PACKET", + "UNKNOWN", + "ETHERNET", + "TOKEN_RING", + "SLIP", + "PPP", + "FDDI", + "FDDI_BITSWAPPED", + "RAW_IP", + "ARCNET", + "ARCNET_LINUX", + "ATM_RFC1483", + "LINUX_ATM_CLIP", + "LAPB", + "ATM_PDUS", + "ATM_PDUS_UNTRUNCATED", + "NULL", + "ASCEND", + "ISDN", + "IP_OVER_FC", + "PPP_WITH_PHDR", + "IEEE_802_11", + "IEEE_802_11_PRISM", + "IEEE_802_11_WITH_RADIO", + "IEEE_802_11_RADIOTAP", + "IEEE_802_11_AVS", + "SLL", + "FRELAY", + "FRELAY_WITH_PHDR", + "CHDLC", + "CISCO_IOS", + "LOCALTALK", + "OLD_PFLOG", + "HHDLC", + "DOCSIS", + "COSINE", + "WFLEET_HDLC", + "SDLC", + "TZSP", + "ENC", + "PFLOG", + "CHDLC_WITH_PHDR", + "BLUETOOTH_H4", + "MTP2", + "MTP3", + "IRDA", + "USER0", + "USER1", + "USER2", + "USER3", + "USER4", + "USER5", + "USER6", + "USER7", + "USER8", + "USER9", + "USER10", + "USER11", + "USER12", + "USER13", + "USER14", + "USER15", + "SYMANTEC", + "APPLE_IP_OVER_IEEE1394", + "BACNET_MS_TP", + "NETTL_RAW_ICMP", + "NETTL_RAW_ICMPV6", + "GPRS_LLC", + "JUNIPER_ATM1", + "JUNIPER_ATM2", + "REDBACK", + "NETTL_RAW_IP", + "NETTL_ETHERNET", + "NETTL_TOKEN_RING", + "NETTL_FDDI", + "NETTL_UNKNOWN", + "MTP2_WITH_PHDR", + "JUNIPER_PPPOE", + "GCOM_TIE1", + "GCOM_SERIAL", + "NETTL_X25", + "K12", + "JUNIPER_MLPPP", + "JUNIPER_MLFR", + "JUNIPER_ETHER", + "JUNIPER_PPP", + "JUNIPER_FRELAY", + "JUNIPER_CHDLC", + "JUNIPER_GGSN", + "LINUX_LAPD", + "CATAPULT_DCT2000", + "BER", + "JUNIPER_VP", + "USB_FREEBSD", + "IEEE802_16_MAC_CPS", + "NETTL_RAW_TELNET", + "USB_LINUX", + "MPEG", + "PPI", + "ERF", + "BLUETOOTH_H4_WITH_PHDR", + "SITA", + "SCCP", + "BLUETOOTH_HCI", + "IPMB", + "IEEE802_15_4", + "X2E_XORAYA", + "FLEXRAY", + "LIN", + "MOST", + "CAN20B", + "LAYER1_EVENT", + "X2E_SERIAL", + "I2C", + "IEEE802_15_4_NONASK_PHY", + "TNEF", + "USB_LINUX_MMAPPED", + "GSM_UM", + "DPNSS", + "PACKETLOGGER", + "NSTRACE_1_0", + "NSTRACE_2_0", + "FIBRE_CHANNEL_FC2", + 
"FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS", + "JPEG_JFIF", + "IPNET", + "SOCKETCAN", + "IEEE_802_11_NETMON", + "IEEE802_15_4_NOFCS", + "RAW_IPFIX", + "RAW_IP4", + "RAW_IP6", + "LAPD", + "DVBCI", + "MUX27010", + "MIME", + "NETANALYZER", + "NETANALYZER_TRANSPARENT", + "IP_OVER_IB_SNOOP", + "MPEG_2_TS", + "PPP_ETHER", + "NFC_LLCP", + "NFLOG", + "V5_EF", + "BACNET_MS_TP_WITH_PHDR", + "IXVERIWAVE", + "SDH", + "DBUS", + "AX25_KISS", + "AX25", + "SCTP", + "INFINIBAND", + "JUNIPER_SVCS", + "USBPCAP", + "RTAC_SERIAL", + "BLUETOOTH_LE_LL", + "WIRESHARK_UPPER_PDU", + "STANAG_4607", + "STANAG_5066_D_PDU", + "NETLINK", + "BLUETOOTH_LINUX_MONITOR", + "BLUETOOTH_BREDR_BB", + "BLUETOOTH_LE_LL_WITH_PHDR", + "NSTRACE_3_0", + "LOGCAT", + "LOGCAT_BRIEF", + "LOGCAT_PROCESS", + "LOGCAT_TAG", + "LOGCAT_THREAD", + "LOGCAT_TIME", + "LOGCAT_THREADTIME", + "LOGCAT_LONG", + "PKTAP", + "EPON", + "IPMI_TRACE", + "LOOP", + "JSON", + "NSTRACE_3_5", + "ISO14443", + "GFP_T", + "GFP_F", + "IP_OVER_IB_PCAP", + "JUNIPER_VN", + "USB_DARWIN", + "LORATAP", + "3MB_ETHERNET", + "VSOCK", + "NORDIC_BLE", + "NETMON_NET_NETEVENT", + "NETMON_HEADER", + "NETMON_NET_FILTER", + "NETMON_NETWORK_INFO_EX", + "MA_WFP_CAPTURE_V4", + "MA_WFP_CAPTURE_V6", + "MA_WFP_CAPTURE_2V4", + "MA_WFP_CAPTURE_2V6", + "MA_WFP_CAPTURE_AUTH_V4", + "MA_WFP_CAPTURE_AUTH_V6", + "JUNIPER_ST", + "ETHERNET_MPACKET", + "DOCSIS31_XRA31" ] }, "text": { @@ -46,7 +245,7 @@ "misp-attribute": "datetime" } }, - "version": 1, + "version": 2, "description": "Network packet capture metadata", "meta-category": "network", "uuid": "0784aefa-ec3a-4eca-a431-c31ed7058bd3", From 675b60703b3571874949c3fe2c90ba4d735aedde Mon Sep 17 00:00:00 2001 From: Tobias Mainka Date: Wed, 24 Oct 2018 13:58:38 +0200 Subject: [PATCH 120/244] added sandbox-file type as attribute for storing e.g. sandbox results file in sandbox-report object --- objects/sandbox-report/definition.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) 
diff --git a/objects/sandbox-report/definition.json b/objects/sandbox-report/definition.json index b294575..6b4a403 100644 --- a/objects/sandbox-report/definition.json +++ b/objects/sandbox-report/definition.json @@ -44,6 +44,16 @@ "ui-priority": 0, "misp-attribute": "text" }, + "sandbox-file": { + "description": "File related to sandbox run", + "misp-attribute": "attachment", + "disable_correlation": true, + "ui-priority": 1, + "categories": [ + "External analysis" + ], + "multiple": true + }, "sandbox-type": { "description": "The type of sandbox used", "misp-attribute": "text", @@ -92,7 +102,7 @@ ] } }, - "version": 1, + "version": 2, "description": "Sandbox report", "meta-category": "misc", "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", From 8b861df87648e83589345ad1e283f215fc48f2cc Mon Sep 17 00:00:00 2001 From: Tobias Mainka Date: Wed, 24 Oct 2018 14:14:32 +0200 Subject: [PATCH 121/244] fix failing check via running .jq_all_the_things.sh --- objects/sandbox-report/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/sandbox-report/definition.json b/objects/sandbox-report/definition.json index 6b4a403..eeb637d 100644 --- a/objects/sandbox-report/definition.json +++ b/objects/sandbox-report/definition.json @@ -50,10 +50,10 @@ "disable_correlation": true, "ui-priority": 1, "categories": [ - "External analysis" + "External analysis" ], "multiple": true - }, + }, "sandbox-type": { "description": "The type of sandbox used", "misp-attribute": "text", From 1cedea6506a3dba87dfd5fdaea963d7e3cbe2863 Mon Sep 17 00:00:00 2001 
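Review bot: `sandbox-file` is described only as "File related to sandbox run", which leaves open whether dropped or extracted binaries belong here; as a plain `attachment` they would be stored and downloadable as-is, unlike `malware-sample`, which MISP keeps in a protected archive. Narrow the description so analysts do not attach live samples under it: `"description": "Report or log output of the sandbox run (e.g. JSON/HTML report, pcap, screenshots). Dropped or extracted executables should be added as malware-sample, not as an attachment."`. `disable_correlation` and `multiple` look right for report artefacts.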
From: aksha Date: Thu, 25 Oct 2018 12:39:48 +0100 Subject: [PATCH 122/244] Chg: Jq'ed all the objects --- objects/TSK-Chats/definition.json | 168 ++++----- objects/TSK-Web-Bookmark/definition.json | 134 ++++---- objects/TSK-Web-Cookie/definition.json | 134 ++++---- objects/TSK-Web-Downloads/definition.json | 110 +++--- objects/TSK-Web-History/definition.json | 136 ++++---- objects/TSK-Web-Search-Query/definition.json | 132 ++++---- objects/python-etvx-event-log/definition.json | 320 +++++++++--------- objects/regripper-NTUser/definition.json | 11 +- .../definition.json | 134 ++++---- .../definition.json | 106 +++--- .../definition.json | 115 ++++--- .../definition.json | 103 +++--- .../definition.json | 95 +++--- .../definition.json | 111 +++--- .../definition.json | 107 +++--- .../definition.json | 247 +++++++------- .../definition.json | 123 ++++--- .../definition.json | 3 +- .../definition.json | 94 ++--- .../definition.json | 175 +++++----- .../definition.json | 209 ++++++------ .../definition.json | 193 ++++++----- 22 files changed, 1470 insertions(+), 1490 deletions(-) diff --git a/objects/TSK-Chats/definition.json b/objects/TSK-Chats/definition.json index bcda96a..ed5f00a 100644 --- a/objects/TSK-Chats/definition.json +++ b/objects/TSK-Chats/definition.json 
@@ -1,84 +1,84 @@ -{ - "required": [ - "message-type", - "message" - ], - "attributes": { - "message-type": { - "description": "the type of message extracted from the forensic-evidence.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default":[ - "SMS", - "MMS", - "Instant Message (IM)", - "Voice Message" - ], - "disable_correlation": true - }, - "datetime-sent": { - "description": "date and the time when the message was sent.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "datetime-received": { - "description": "date and time when the message was received.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "Source": { - "description": "Source of the message.(Contact details)", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "destination": { - "description": "Destination of the message.(Contact details)", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "app-used": { - "description": "Application used to send the message.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "subject": { - "description": "Subject of the message if any.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "message": { - "description": "Message exchanged.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "attachments": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "categories": [ - "External analysis" - ], - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.", - "meta-category": 
"misc", - "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", - "name": "TSK-Chats" -} +{ + "required": [ + "message-type", + "message" + ], + "attributes": { + "message-type": { + "description": "the type of message extracted from the forensic-evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "SMS", + "MMS", + "Instant Message (IM)", + "Voice Message" + ], + "disable_correlation": true + }, + "datetime-sent": { + "description": "date and the time when the message was sent.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "datetime-received": { + "description": "date and time when the message was received.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Source": { + "description": "Source of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "destination": { + "description": "Destination of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "app-used": { + "description": "Application used to send the message.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "subject": { + "description": "Subject of the message if any.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "message": { + "description": "Message exchanged.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "attachments": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "categories": [ + "External analysis" + ], + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to gather information from evidential or interesting exchange of messages 
identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", + "name": "TSK-Chats" +} diff --git a/objects/TSK-Web-Bookmark/definition.json b/objects/TSK-Web-Bookmark/definition.json index f5bd4b9..485577e 100644 --- a/objects/TSK-Web-Bookmark/definition.json +++ b/objects/TSK-Web-Bookmark/definition.json 
@@ -1,67 +1,67 @@ -{ - "required": [ - "URL" - ], - "attributes": { - "URL": { - "description": "The URL saved as bookmark.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-bookmarked": { - "description": "date and time when the URL was added to favorites.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Book mark name. ", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "title": { - "description": "Title of the web page", - "ui-priority": 0, - "misp-attribute": "text" - }, - "browser": { - "description": "Browser used to access the URL.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "domain-name": { - "description": "Domain of the URL.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the URL domain.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", - "meta-category": "misc", - "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", - "name": "TSK-Web-Bookmark" -} +{ + "required": [ + "URL" + ], + "attributes": { + "URL": { + "description": "The URL saved as bookmark.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-bookmarked": { + "description": "date and time when the URL was added to favorites.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Book mark name. 
", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": { + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", + "name": "TSK-Web-Bookmark" +} diff --git a/objects/TSK-Web-Cookie/definition.json b/objects/TSK-Web-Cookie/definition.json index db4ded0..03cf240 100644 --- a/objects/TSK-Web-Cookie/definition.json +++ b/objects/TSK-Web-Cookie/definition.json 
@@ -1,67 +1,67 @@ -{ - "required": [ - "URL", - "name", - "value" - ], - "attributes": { - "URL": { - "description": "The website URL that created the cookie.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-created": { - "description": "date and time when the cookie was created.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Name of the cookie ", - "ui-priority": 0, - "misp-attribute": "text" - }, - "value": { - "description": "Value assigned to the cookie.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "browser": { - "description": "Browser on which the cookie was created.", - "ui-priority": 0, - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "misp-attribute": "text" - }, - "domain-name": { - "description": "Domain of the URL that created the cookie.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the domain that created the URL.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", - "meta-category": "misc", - "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", - "name": "TSK-Web-Cookie" -} +{ + "required": [ + "URL", + "name", + "value" + ], + "attributes": { + "URL": { + "description": "The website URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-created": { + "description": "date and time when the cookie was created.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the cookie ", + "ui-priority": 0, + "misp-attribute": "text" + }, + 
"value": { + "description": "Value assigned to the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser on which the cookie was created.", + "ui-priority": 0, + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the domain that created the URL.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", + "meta-category": "misc", + "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", + "name": "TSK-Web-Cookie" +} diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json index 55ddf05..061fa64 100644 --- a/objects/TSK-Web-Downloads/definition.json +++ b/objects/TSK-Web-Downloads/definition.json 
@@ -1,55 +1,55 @@ -{ - "required": [ - "URL", - "name" - ], - "attributes": { - "URL": { - "description": "The URL used to download the file.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-accessed": { - "description": "date and time when the file was downloaded.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Name of the file downloaded.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "path-downloadedTo": { - "description": "Location the file was downloaded to.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "pathID": { - "description": "Id of the attribute file where the information is gathered from.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "attachment": { - "description": "The downloaded file itself.", - "ui-priority": 1, - "misp-attribute": "attachment", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to add web-downloads", - "meta-category": "File", - "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", - "name": "TSK-Web-Downloads" -} +{ + "required": [ + "URL", + "name" + ], + "attributes": { + "URL": { + "description": "The URL used to download the file.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and time when the file was downloaded.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the file downloaded.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "path-downloadedTo": { + "description": "Location the file was downloaded to.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "pathID": { + "description": "Id of the attribute file where the 
information is gathered from.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "attachment": { + "description": "The downloaded file itself.", + "ui-priority": 1, + "misp-attribute": "attachment", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add web-downloads", + "meta-category": "File", + "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26", + "name": "TSK-Web-Downloads" +} diff --git a/objects/TSK-Web-History/definition.json b/objects/TSK-Web-History/definition.json index 84be3b9..897e13b 100644 --- a/objects/TSK-Web-History/definition.json +++ b/objects/TSK-Web-History/definition.json 
@@ -1,68 +1,68 @@ -{ - "required": [ - "URL", - "datetime-accessed" - ], - "attributes": { - "URL": { - "description": "The URL accessed.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-accessed": { - "description": "date and the time when the URL was accessed.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "referrer": { - "description": "where the URL was referred from ", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "title": { - "description": "Title of the web page", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-name": { - "description": "Domain of the URL.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the URL domain.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "browser": { - "description": "Browser used to access the URL.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to share web history information", - "meta-category": "misc", - "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698", - "name": "TSK-Web-History" -} +{ + "required": [ + "URL", + "datetime-accessed" + ], + "attributes": { + "URL": { + "description": "The URL accessed.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-accessed": { + "description": "date and the time when the URL was accessed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "referrer": { + "description": "where the URL was referred from ", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": 
{ + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web history information", + "meta-category": "misc", + "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698", + "name": "TSK-Web-History" +} diff --git a/objects/TSK-Web-Search-Query/definition.json b/objects/TSK-Web-Search-Query/definition.json index 8e66b0d..046c266 100644 --- a/objects/TSK-Web-Search-Query/definition.json +++ b/objects/TSK-Web-Search-Query/definition.json 
@@ -1,66 +1,66 @@ -{ - "required": [ - "domain", - "text" - ], - "attributes": { - "domain": { - "description": "The domain of the search engine.", - "ui-priority": 0, - "misp-attribute": "link", - "sane_default": [ - "Google", - "Yahoo", - "Bing", - "Alta Vista", - "MSN" - ], - "disable_correlation": true - }, - "text": { - "description": "the search word or sentence.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "datetime-searched": { - "description": "date and time when the search was conducted.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "browser": { - "description": "Browser used.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "username": { - "description": "User name or ID associated with the search.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to share web search query information", - "meta-category": "misc", - "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e", - "name": "TSK-Web-Search-Query" -} +{ + "required": [ + "domain", + "text" + ], + "attributes": { + "domain": { + "description": "The domain of the search engine.", + "ui-priority": 0, + "misp-attribute": "link", + "sane_default": [ + "Google", + "Yahoo", + "Bing", + "Alta Vista", + "MSN" + ], + "disable_correlation": true + }, + "text": { + "description": "the search word or sentence.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "datetime-searched": { + "description": "date and time when the search was conducted.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "browser": { + 
"description": "Browser used.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "username": { + "description": "User name or ID associated with the search.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to share web search query information", + "meta-category": "misc", + "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e", + "name": "TSK-Web-Search-Query" +} diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json index e0fb273..79a2d13 100644 --- a/objects/python-etvx-event-log/definition.json +++ b/objects/python-etvx-event-log/definition.json 
@@ -5,169 +5,163 @@ "name" ], "attributes": { - "event-id": { - "description": "A unique number which identifies the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "name": { - "description": "Name of the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "event-channel": - { - "description":" Channel through which the event occurred", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true, - "sane-default":[ - "Application", - "System", - "Security", - "Setup", - "other" - ] - }, - "event-type": - { - "description": "Event-type assigned to the event", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true, - "sane-default":[ - "Admin", - "Operational", - "Audit", - "Analytic", - "Debug", - "other" - ] - }, - "source": { - "description": "The source of the event log - application/software that logged the event.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "event-date-time": - { - "description": "Date and time when the event was logged.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "level": { - "description": "Determines the event severity.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default":[ - "Information", - "Warning", - "Error", - "Critical", - "Success Audit", - "Failure Audit" - ] - }, - "Computer": { - "description": "Computer name on which the event occurred", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "User": { - "description": "Name or the User ID the event is associated with.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Operational-code": { - "description": "The opcode (numeric value or name) associated with the activity carried out by the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "log": { - "description": "Log file 
where the event was recorded.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "task-category":{ - "description": "Activity by the event publisher", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Keywords":{ - "description" : "Tags used for the event for the purpose of filtering or searching.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default":[ - "Network", - "Security", - "Resource not found", - "other" - ] - }, - "Processor-ID": { - "description": "ID of the processor that processed the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Thread-ID": { - "description": "Thread id that generated the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Session-ID": { - "description": "Terminal server session ID.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "Correlation-ID": { - "description": "Unique activity identity which relates the event to a process. 
", - "ui-priority": 0, - "misp-attribute": "text" - }, - "Relative-Correlation-ID": { - "description": "Related activity ID which identity similar activities which occurred as a part of the event.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "kernel-time": - { - "description": "Execution time of the kernel mode instruction.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "user-time": - { - "description": "Date and time when the user instruction was executed.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "Event-data": - { - "description": "Event data description.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } + "event-id": { + "description": "A unique number which identifies the event.", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true + }, + "name": { + "description": "Name of the event.", + "ui-priority": 2, + "misp-attribute": "text", + "disable_correlation": true + }, + "event-channel": { + "description": " Channel through which the event occurred", + "ui-priority": 3, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default": [ + "Application", + "System", + "Security", + "Setup", + "other" + ] + }, + "event-type": { + "description": "Event-type assigned to the event", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane-default": [ + "Admin", + "Operational", + "Audit", + "Analytic", + "Debug", + "other" + ] + }, + "source": { + "description": "The source of the event log - application/software that logged the event.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "event-date-time": { + "description": "Date and time when the event was logged.", + "ui-priority": 0, + 
"misp-attribute": "datetime", + "disable_correlation": true + }, + "level": { + "description": "Determines the event severity.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Information", + "Warning", + "Error", + "Critical", + "Success Audit", + "Failure Audit" + ] + }, + "Computer": { + "description": "Computer name on which the event occurred", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "User": { + "description": "Name or the User ID the event is associated with.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Operational-code": { + "description": "The opcode (numeric value or name) associated with the activity carried out by the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "log": { + "description": "Log file where the event was recorded.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "task-category": { + "description": "Activity by the event publisher", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Keywords": { + "description": "Tags used for the event for the purpose of filtering or searching.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Network", + "Security", + "Resource not found", + "other" + ] + }, + "Processor-ID": { + "description": "ID of the processor that processed the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Thread-ID": { + "description": "Thread id that generated the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Session-ID": { + "description": "Terminal server session ID.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "Correlation-ID": { + "description": "Unique activity identity which relates the event to a process. 
", + "ui-priority": 0, + "misp-attribute": "text" + }, + "Relative-Correlation-ID": { + "description": "Related activity ID which identity similar activities which occurred as a part of the event.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "kernel-time": { + "description": "Execution time of the kernel mode instruction.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "user-time": { + "description": "Date and time when the user instruction was executed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Event-data": { + "description": "Event data description.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } }, "version": 1, "description": "Event log object template to share information of the activities conducted on a system. ", diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json index 6eb7193..9ec80c5 100644 --- a/objects/regripper-NTUser/definition.json +++ b/objects/regripper-NTUser/definition.json 
@@ -26,25 +26,25 @@ "description": "List of recent folders accessed by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple":true + "multiple": true }, "recent-files-accessed": { "description": "List of recent files accessed by the user.", "ui-priority": 0, "misp-attribute": "text", - "multiple":true + "multiple": true }, "typed-urls": { "description": "Urls typed by the user in internet explorer", "ui-priority": 0, "misp-attribute": "text", - "multiple":true + "multiple": true }, "applications-installed": { "description": "List of applications installed.", "ui-priority": 0, "misp-attribute": "text", - "multiple":true + "multiple": true }, "applications-run": { "description": "List of applications set to run on the system.", @@ -58,7 +58,7 @@ "misp-attribute": "text", "multiple": true }, - "user-init": { + "user-init": { "description": "Applications or processes set to run when the user logs onto the windows system.", "ui-priority": 0, "misp-attribute": "text", @@ -89,7 +89,6 @@ "misp-attribute": "text", "disable_correlation": true } - }, "version": 1, "description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.", diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json index 2cf93d9..11632e3 100644 --- a/objects/regripper-sam-hive-single-user/definition.json +++ b/objects/regripper-sam-hive-single-user/definition.json 
@@ -1,70 +1,68 @@ { - "required": [ - "key" - ], - "requiredOneOf": [ - "user-name", - "last-login-time", - "login-count" - ], - "attributes": { - "key": { - "description": "Registry key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "key-last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "user-name": { - "description": "User name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "full-user-name": { - "description": "Full name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-login-time": { - "description": "Date and time when the user last logged onto the system.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "pwd-reset-time": { - "description": "Date and time when the password was last reset.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "pwd-fail-date": { - "description": "Date and time when a password last failed for this user profile.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "login-count": { - "description": "Number of times the user logged-in onto the system.", - "ui-priority": 0, - "misp-attribute": "counter", - "disable_correlation": true - }, - "comments": { - "description": "Full name assigned to the user profile.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } - + "required": [ + "key" + ], + "requiredOneOf": [ + "user-name", + "last-login-time", + "login-count" + ], + "attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to present user profile details extracted from the 
SAM hive.", - "meta-category": "misc", - "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", - "name": "regripper-sam-hive-single-user" - } - \ No newline at end of file + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "user-name": { + "description": "User name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "full-user-name": { + "description": "Full name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-login-time": { + "description": "Date and time when the user last logged onto the system.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "pwd-reset-time": { + "description": "Date and time when the password was last reset.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "pwd-fail-date": { + "description": "Date and time when a password last failed for this user profile.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "login-count": { + "description": "Number of times the user logged-in onto the system.", + "ui-priority": 0, + "misp-attribute": "counter", + "disable_correlation": true + }, + "comments": { + "description": "Full name assigned to the user profile.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.", + "meta-category": "misc", + "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef", + "name": "regripper-sam-hive-single-user" +} diff --git a/objects/regripper-sam-hive-user-group/definition.json b/objects/regripper-sam-hive-user-group/definition.json index bcd2996..64119d0 100644 --- a/objects/regripper-sam-hive-user-group/definition.json 
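Review bot: The `uuid` on the new side, `4d3fffd2-cd07-4357-96e0-a51c988faaef`, is the same value the `sandbox-report` template carries in the earlier hunks on this page; object templates are identified by uuid, so two templates sharing one will collide in any instance that loads both, and this reformat-only commit leaves it in place. Give this template a freshly generated value, `"uuid": "<NEW-UUID4-PLACEHOLDER>"`, and bump `version`. Separately, the `comments` attribute's description, "Full name assigned to the user profile.", is a copy of `full-user-name`'s; `"description": "Additional comments on the user profile."` says what the attribute actually holds.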
+++ b/objects/regripper-sam-hive-user-group/definition.json 
@@ -1,56 +1,54 @@ { - "required": [ - "key" - ], - "requiredOneOf": [ - "group-name" - ], - "attributes": { - "key": { - "description": "Registry key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "key-last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "group-name": { - "description": "Name assigned to the profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "full-name": { - "description": "Full name assigned to the profile.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-date-time": { - "description": "Date and time when the group key was updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "group-comment": { - "description": "Name assigned to the profile.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "group-users": { - "description": "Users belonging to the group", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true - } - + "required": [ + "key" + ], + "requiredOneOf": [ + "group-name" + ], + "attributes": { + "key": { + "description": "Registry key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.", - "meta-category": "misc", - "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c", - "name": "regripper-sam-hive-user-group" - } - \ No newline at end of file + "key-last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "group-name": { + "description": "Name assigned to the profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "full-name": { + "description": "Full name 
assigned to the profile.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-date-time": { + "description": "Date and time when the group key was updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "group-comment": { + "description": "Any group comment added.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "group-users": { + "description": "Users belonging to the group", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.", + "meta-category": "misc", + "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c", + "name": "regripper-sam-hive-user-group" +} diff --git a/objects/regripper-software-hive-BHO/definition.json b/objects/regripper-software-hive-BHO/definition.json index 7c64241..0b43791 100644 --- a/objects/regripper-software-hive-BHO/definition.json +++ b/objects/regripper-software-hive-BHO/definition.json 
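Review bot: The `group-comment` description is rewritten on the new side (`"Any group comment added."`) but `"version": 1` at the end of the hunk is unchanged, and MISP, as far as I know, only picks up a template whose version is higher than the one it already has loaded. Bumping to `"version": 2` fixes this; the general-windows-info and firewall-configuration hunks further down have the same gap (an attribute rename and new default values, respectively, without a bump). Separately, `key-last-write-time` and `last-write-date-time` are both `datetime` attributes with near-identical descriptions (`Date and time when the key was last updated.` / `Date and time when the group key was updated.`); naming the specific registry key each one refers to in its description would remove the ambiguity for analysts mapping RegRipper output onto this template.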
@@ -1,60 +1,59 @@ { - "required": [ - "key", - "BHO-name" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "BHO-name": { - "description": "Name of the browser helper object.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "BHO-key-last-write-time": { - "description": "Date and time when the BHO key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "class": { - "description": "Class to which the BHO belongs to.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "module": { - "description": "DLL module the BHO belongs to.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the BHO.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "BHO-name" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.", - "meta-category": "misc", - "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2", - "name": "regripper-software-hive-BHO" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "BHO-name": { + "description": "Name of the 
browser helper object.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BHO-key-last-write-time": { + "description": "Date and time when the BHO key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "class": { + "description": "Class to which the BHO belongs to.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "module": { + "description": "DLL module the BHO belongs to.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the BHO.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.", + "meta-category": "misc", + "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2", + "name": "regripper-software-hive-BHO" +} diff --git a/objects/regripper-software-hive-appInit-DLLS/definition.json b/objects/regripper-software-hive-appInit-DLLS/definition.json index 3923e35..d089224 100644 --- a/objects/regripper-software-hive-appInit-DLLS/definition.json +++ b/objects/regripper-software-hive-appInit-DLLS/definition.json 
@@ -1,54 +1,53 @@ { - "required": [ - "key", - "DLL-name", - "DLL-path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "DLL-name": { - "description": "Name of the DLL file.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DLL-path": { - "description": "Path where the DLL file is stored.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DLL-last-write-time": { - "description": "Date and time when the DLL file was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the DLL file.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "DLL-name", + "DLL-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the DLL files installed on the system.", - "meta-category": "misc", - "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859", - "name": "regripper-software-hive-appInit-DLLS" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "DLL-name": { + "description": "Name of the DLL file.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DLL-path": { + "description": "Path where the DLL file is stored.", + "ui-priority": 0, + 
"misp-attribute": "text" + }, + "DLL-last-write-time": { + "description": "Date and time when the DLL file was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the DLL file.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the DLL files installed on the system.", + "meta-category": "misc", + "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859", + "name": "regripper-software-hive-appInit-DLLS" +} diff --git a/objects/regripper-software-hive-application-paths/definition.json b/objects/regripper-software-hive-application-paths/definition.json index 939e39a..3929d42 100644 --- a/objects/regripper-software-hive-application-paths/definition.json +++ b/objects/regripper-software-hive-application-paths/definition.json 
@@ -1,50 +1,49 @@ { - "required": [ - "key", - "executable-file-name", - "path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "executable-file-name": { - "description": "Name of the executable file.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple":true - }, - "path": { - "description": "Path of the executable file.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple":true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the application installed.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "executable-file-name", + "path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the application paths.", - "meta-category": "misc", - "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8", - "name": "regripper-software-hive-application-paths" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "executable-file-name": { + "description": "Name of the executable file.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "path": { + "description": "Path of the executable file.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "comments": { + "description": "Additional 
comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the application installed.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the application paths.", + "meta-category": "misc", + "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8", + "name": "regripper-software-hive-application-paths" +} diff --git a/objects/regripper-software-hive-applications-installed/definition.json b/objects/regripper-software-hive-applications-installed/definition.json index 55c58ea..c8229c7 100644 --- a/objects/regripper-software-hive-applications-installed/definition.json +++ b/objects/regripper-software-hive-applications-installed/definition.json 
@@ -1,58 +1,57 @@ { - "required": [ - "key", - "app-name" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "key-path": { - "description": "Path of the key.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "app-name": { - "description": "Name of the application.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "app-last-write-time": { - "description": "Date and time when the application key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "version": { - "description": "Version of the application.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the application installed.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "app-name" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the applications installed on the system.", - "meta-category": "misc", - "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd", - "name": "regripper-software-hive-applications-installed" - } - \ No newline at end of file + "key-path": { + "description": "Path of the key.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, 
+ "app-name": { + "description": "Name of the application.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "app-last-write-time": { + "description": "Date and time when the application key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "version": { + "description": "Version of the application.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the application installed.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the applications installed on the system.", + "meta-category": "misc", + "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd", + "name": "regripper-software-hive-applications-installed" +} diff --git a/objects/regripper-software-hive-command-shell/definition.json b/objects/regripper-software-hive-command-shell/definition.json index 593308d..0d060d6 100644 --- a/objects/regripper-software-hive-command-shell/definition.json +++ b/objects/regripper-software-hive-command-shell/definition.json 
@@ -1,56 +1,55 @@ { - "required": [ - "key", - "shell", - "shell-path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "shell": { - "description": "Type of shell used to execute the command.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default":[ - "exe", - "cmd", - "bat", - "hta", - "pif", - "Other" - ], - "disable_correlation": true - }, - "shell-path": { - "description": "Path of the shell.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "command": { - "description": "Command executed.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } + "required": [ + "key", + "shell", + "shell-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information of the shell commands executed on the system.", - "meta-category": "misc", - "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978", - "name": "regripper-software-hive-command-shell" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "shell": { + "description": "Type of shell used to execute the command.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "exe", + "cmd", + "bat", + "hta", + "pif", + "Other" + ], + "disable_correlation": true + }, + "shell-path": { + "description": "Path of the shell.", + 
"ui-priority": 0, + "misp-attribute": "text" + }, + "command": { + "description": "Command executed.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the shell commands executed on the system.", + "meta-category": "misc", + "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978", + "name": "regripper-software-hive-command-shell" +} diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json index a05492f..85b5538 100644 --- a/objects/regripper-software-hive-general-windows-info/definition.json +++ b/objects/regripper-software-hive-general-windows-info/definition.json 
@@ -1,126 +1,125 @@ { - "required": [ - "win-cv-path", - "CurrentVersion" - ], - "attributes": { - "win-cv-path": { - "description": "key where the windows information is retrieved from", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "RegisteredOrganization": { - "description": "Name of the registered organization.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "RegisteredOwner": { - "description": "Name of the registered owner.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "CurrentVersion": { - "description": "Current version of windows", - "ui-priority": 0, - "misp-attribute": "text" - }, - "CurrentBuild": { - "description": "Build number of the windows OS.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "SoftwareType": { - "description": "Software type of windows.", - "ui-priority": 0, - "sane_default":[ - "System", - "Application", - "other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "InstallationType": { - "description": "Type of windows installation.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "InstallDate": { - "description": "Date when windows was installed.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "SystemRoot": { - "description": "Root directory.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "PathName": { - "description": "Path to the root directory.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "EditionID": { - "description": "Windows edition.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "ProductName": { - "description": "Name of the windows version.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "ProductID": { - "description": "ID 
of the product version.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "CSDVersion": { - "description": "Version of the service pack installed.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "CurrentType": { - "description": "Current build type of the OS.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "BuildLab": { - "description": "Windows BuildLab string.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "BuildGUID": { - "description": "Build ID.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "BuildLabEx": { - "description": "Windows BuildLabEx string.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "", - "disable_correlation": true - } + "required": [ + "win-cv-path", + "CurrentVersion" + ], + "attributes": { + "win-cv-path": { + "description": "key where the windows information is retrieved from", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.", - "meta-category": "misc", - "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1", - "name": "regripper-software-hive-windows-general-info" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "RegisteredOrganization": { + "description": "Name of the registered organization.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "RegisteredOwner": { + "description": "Name of the registered owner.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "CurrentVersion": { + "description": "Current version of windows", + "ui-priority": 0, + "disable_correlation": true + }, + "CurrentBuild": { + "description": "Build number of the windows OS.", + "ui-priority": 0, + "misp-attribute": "text" 
+ }, + "SoftwareType": { + "description": "Software type of windows.", + "ui-priority": 0, + "sane_default": [ + "System", + "Application", + "other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "InstallationType": { + "description": "Type of windows installation.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "InstallDate": { + "description": "Date when windows was installed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "SystemRoot": { + "description": "Root directory.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "PathName": { + "description": "Path to the root directory.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "EditionID": { + "description": "Windows edition.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ProductName": { + "description": "Name of the windows version.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ProductID": { + "description": "ID of the product version.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "CSDVersion": { + "description": "Version of the service pack installed.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "CurrentBuildType": { + "description": "Current build type of the OS.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildLab": { + "description": "Windows BuildLab string.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildGUID": { + "description": "Build ID.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "BuildLabEx": { + "description": "Windows BuildLabEx string.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather general windows information extracted 
from the software-hive.", + "meta-category": "misc", + "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1", + "name": "regripper-software-hive-windows-general-info" +} diff --git a/objects/regripper-software-hive-software-run/definition.json b/objects/regripper-software-hive-software-run/definition.json index 95e93cc..35cb1f5 100644 --- a/objects/regripper-software-hive-software-run/definition.json +++ b/objects/regripper-software-hive-software-run/definition.json 
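Review bot: `CurrentVersion` loses its `"misp-attribute": "text"` line on the new side — the block now carries only `description`, `ui-priority` and `disable_correlation` — although the attribute is listed under `required`, so the template no longer declares a type for a mandatory attribute. Restore it by adding `"misp-attribute": "text",` before `"disable_correlation": true` in that block; `comment` has the related pre-existing `"misp-attribute": ""`, which should become `"text"` at the same time. The hunk also renames `CurrentType` to `CurrentBuildType` while leaving `"version": 1`, which both hides the change from instances that already loaded version 1 and, presumably, leaves existing objects pointing at an attribute name the template no longer defines. Finally, the directory is `regripper-software-hive-general-windows-info` but `"name"` is `regripper-software-hive-windows-general-info`; every other template in this diff has the two equal, so one of them should be corrected.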
@@ -1,64 +1,63 @@ { - "required": [ - "key", - "application-name", - "application-path" - ], - "attributes": { - "key": { - "description": "Software hive key where the information is retrieved from.", - "ui-priority": 0, - "sane_default": [ - "Run", - "RunOnce", - "Runservices", - "Terminal", - "Other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "key-path": { - "description": "Path of the key.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "application-name": { - "description": "Name of the application run.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple":true - }, - "application-path": { - "description": "Path where the application is installed.", - "ui-priority": 0, - "misp-attribute": "text", - "multiple":true - }, - "comments": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "references": { - "description": "References to the applications.", - "ui-priority": 0, - "misp-attribute": "link", - "multiple":true - } + "required": [ + "key", + "application-name", + "application-path" + ], + "attributes": { + "key": { + "description": "Software hive key where the information is retrieved from.", + "ui-priority": 0, + "sane_default": [ + "Run", + "RunOnce", + "Runservices", + "Terminal", + "Other" + ], + "misp-attribute": "text", + "disable_correlation": true }, - "version": 1, - "description": "Regripper Object template designed to gather information of the applications set to run on the system.", - "meta-category": "misc", - "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94", - "name": "regripper-software-hive-software-run" - } - \ No newline at end of file + "key-path": { + "description": "Path of the key.", + "ui-priority": 0, + 
"misp-attribute": "text", + "disable_correlation": true + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "application-name": { + "description": "Name of the application run.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "application-path": { + "description": "Path where the application is installed.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "comments": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "References to the applications.", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 1, + "description": "Regripper Object template designed to gather information of the applications set to run on the system.", + "meta-category": "misc", + "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94", + "name": "regripper-software-hive-software-run" +} diff --git a/objects/regripper-software-hive-userprofile-winlogon/definition.json b/objects/regripper-software-hive-userprofile-winlogon/definition.json index 6dcbef9..e38ebd0 100644 --- a/objects/regripper-software-hive-userprofile-winlogon/definition.json +++ b/objects/regripper-software-hive-userprofile-winlogon/definition.json @@ -145,8 +145,7 @@ "misp-attribute": "counter", "disable_correlation": true }, - "Comments": - { + "Comments": { "description": "Additional comments.", "ui-priority": 0, "misp-attribute": "text", diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json index 94ffeb8..fdd0663 100644 --- a/objects/regripper-system-hive-firewall-configuration/definition.json +++ b/objects/regripper-system-hive-firewall-configuration/definition.json 
@@ -1,48 +1,50 @@ { - "required": [ - "profile" - ], - "attributes": { - "profile": { - "description": "Firewall Profile type", - "ui-priority": 0, - "sane-default":[ - "Domain Profile", - "Standard Profile", - "other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "last-write-time": { - "description": "Date and time when the firewall profile policy was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "enbled-firewall": { - "description": "Boolean flag to determine if the firewall is enabled.", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "disable-notification": { - "description": "Boolean flag to determine if firewall notifications are enabled.", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } + "required": [ + "profile" + ], + "attributes": { + "profile": { + "description": "Firewall Profile type", + "ui-priority": 0, + "sane-default": [ + "Domain Profile", + "Standard Profile", + "Network Profile", + "Public Profile", + "Private Profile", + "other" + ], + "misp-attribute": "text", + "disable_correlation": true }, - "version": 1, - "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.", - "meta-category": "misc", - "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07", - "name": "regripper-system-hive-firewall-configuration" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the firewall profile policy was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "enbled-firewall": { + "description": "Boolean flag to determine if the firewall is enabled.", + "ui-priority": 0, + "misp-attribute": "boolean", + 
"disable_correlation": true + }, + "disable-notification": { + "description": "Boolean flag to determine if firewall notifications are enabled.", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.", + "meta-category": "misc", + "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07", + "name": "regripper-system-hive-firewall-configuration" +} diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json index c007e4a..04a67fc 100644 --- a/objects/regripper-system-hive-general-configuration/definition.json +++ b/objects/regripper-system-hive-general-configuration/definition.json 
@@ -1,90 +1,89 @@ { - "required": [ - "computer-name" - ], - "attributes": { - "computer-name": { - "description": "name of the computer under analysis", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "shutdown-time": { - "description": "Date and time when the system was shutdown.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-last-write-time": { - "description": "Date and time when the timezone key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-bias": { - "description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-standard-name": { - "description": "Timezone standard name used during non-daylight saving months.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-standard-date": { - "description": "Standard date - non daylight saving months", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-standard-bias": { - "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-daylight-name": { - "description": "Timezone name used during daylight saving months.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-daylight-date": { - "description": "Daylight date - daylight saving months", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-daylight-bias": { - "description": "value in minutes to be 
added to the value of timezone-bias to generate the bias used during daylight time.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "fDenyTSConnections:": { - "description": "Specifies whether remote connections are enabled or disabled on the system.", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "", - "disable_correlation": true - } + "required": [ + "computer-name" + ], + "attributes": { + "computer-name": { + "description": "name of the computer under analysis", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", - "meta-category": "misc", - "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", - "name": "regripper-system-hive-general-configuration" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "shutdown-time": { + "description": "Date and time when the system was shutdown.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-last-write-time": { + "description": "Date and time when the timezone key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-bias": { + "description": "Offset in minutes from UTC. 
Offset added to the local time to get a UTC value.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-standard-name": { + "description": "Timezone standard name used during non-daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-standard-date": { + "description": "Standard date - non daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-standard-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-daylight-name": { + "description": "Timezone name used during daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-daylight-date": { + "description": "Daylight date - daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-daylight-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "fDenyTSConnections:": { + "description": "Specifies whether remote connections are enabled or disabled on the system.", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", + "meta-category": "misc", + "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", + "name": "regripper-system-hive-general-configuration" +} 
diff --git a/objects/regripper-system-hive-network-information/definition.json b/objects/regripper-system-hive-network-information/definition.json index 3a872e1..dfd3e85 100644 --- a/objects/regripper-system-hive-network-information/definition.json +++ b/objects/regripper-system-hive-network-information/definition.json 
@@ -1,107 +1,106 @@ { - "required": [ - "network-key" - ], - "attributes": { - "network-key": { - "description": "Registry key assigned to the network", - "ui-priority": 0, - "misp-attribute": "text" - }, - "network-key-last-write-time": { - "description": "Date and time when the network key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "network-key-path": { - "description": "Path of the key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "TCPIP-key": { - "description": "TCPIP key", - "ui-priority": 0, - "misp-attribute": "text" - }, - "TCPIP-key-last-write-time": { - "description": "Datetime when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "DHCP-domain": { - "description": "Name of the DHCP domain service", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DHCP-IP-address": { - "description": "DHCP service - IP address", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-subnet-mask": { - "description": "DHCP subnet mask - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-name-server": { - "description": "DHCP Name server - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-server": { - "description": "DHCP server - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "interface-GUID": { - "description": "GUID value assigned to the interface.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-last-write-time": { - "description": "Last date and time when the interface key was updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "interface-name": { - "description": "Name of the interface.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "interface-PnpInstanceID": { - 
"description": "Plug and Play instance ID assigned to the interface.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-MediaSubType": { - "description": "", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-IPcheckingEnabled": { - "description": "", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } + "required": [ + "network-key" + ], + "attributes": { + "network-key": { + "description": "Registry key assigned to the network", + "ui-priority": 0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper object template designed to gather network information from the system-hive.", - "meta-category": "misc", - "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0", - "name": "regripper-system-hive-network-information." 
- } - \ No newline at end of file + "network-key-last-write-time": { + "description": "Date and time when the network key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "network-key-path": { + "description": "Path of the key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "TCPIP-key": { + "description": "TCPIP key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "TCPIP-key-last-write-time": { + "description": "Datetime when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "DHCP-domain": { + "description": "Name of the DHCP domain service", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DHCP-IP-address": { + "description": "DHCP service - IP address", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-subnet-mask": { + "description": "DHCP subnet mask - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-name-server": { + "description": "DHCP Name server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-server": { + "description": "DHCP server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "interface-GUID": { + "description": "GUID value assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-last-write-time": { + "description": "Last date and time when the interface key was updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "interface-name": { + "description": "Name of the interface.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "interface-PnpInstanceID": { + "description": "Plug and Play instance ID assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + 
"interface-MediaSubType": { + "description": "", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-IPcheckingEnabled": { + "description": "", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper object template designed to gather network information from the system-hive.", + "meta-category": "misc", + "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0", + "name": "regripper-system-hive-network-information." +} diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index ff7984c..35054ab 100644 --- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json 
@@ -1,99 +1,98 @@ { - "required": [ - "name" - ], - "attributes": { - "name": { - "description": "name of the key", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "display": { - "description": "Display name/information of the service or the driver.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "image-path": { - "description": "Path of the service/drive", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Service/driver type.", - "ui-priority": 0, - "sane_default": [ - "Kernel driver", - "File system driver", - "Own process", - "Share process", - "Interactive", - "Other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "start": { - "description": "When the service/driver starts or executes.", - "ui-priority": 0, - "sane_default":[ - "Boot start", - "System start", - "Auto start", - "Manual", - "Disabled" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "group": { - "description": "Group to which the system/driver belong to.", - "ui-priority": 0, - "sane_default":[ - "Base", - "Boot Bus Extender", - "Boot File System", - "Cryptography", - "Extended base", - "Event Log", - "Filter", - "FSFilter Bottom", - "FSFilter Infrastructure", - "File System", - "FSFilter Virtualization", - "Keyboard Port", - "Network", - "NDIS", - "Parallel arbitrator", - "Pointer Port", - "PnP Filter", - "ProfSvc_Group", - "PNP_TDI", - "SCSI Miniport", - "SCSI CDROM Class", - "System Bus Extender", - "Video Save", - "other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "", - "disable_correlation": true - } + "required": [ + "name" + ], + "attributes": { + "name": { + "description": "name of the key", + "ui-priority": 
0, + "misp-attribute": "text" }, - "version": 1, - "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.", - "meta-category": "misc", - "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", - "name": "regripper-system-hive-services-drivers" - } - \ No newline at end of file + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "display": { + "description": "Display name/information of the service or the driver.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "image-path": { + "description": "Path of the service/drive", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Service/driver type.", + "ui-priority": 0, + "sane_default": [ + "Kernel driver", + "File system driver", + "Own process", + "Share process", + "Interactive", + "Other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "start": { + "description": "When the service/driver starts or executes.", + "ui-priority": 0, + "sane_default": [ + "Boot start", + "System start", + "Auto start", + "Manual", + "Disabled" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "group": { + "description": "Group to which the system/driver belong to.", + "ui-priority": 0, + "sane_default": [ + "Base", + "Boot Bus Extender", + "Boot File System", + "Cryptography", + "Extended base", + "Event Log", + "Filter", + "FSFilter Bottom", + "FSFilter Infrastructure", + "File System", + "FSFilter Virtualization", + "Keyboard Port", + "Network", + "NDIS", + "Parallel arbitrator", + "Pointer Port", + "PnP Filter", + "ProfSvc_Group", + "PNP_TDI", + "SCSI Miniport", + "SCSI CDROM Class", + "System Bus Extender", + "Video Save", + "other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 
0,
+ "misp-attribute": "",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.",
+ "meta-category": "misc",
+ "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73",
+ "name": "regripper-system-hive-services-drivers"
+}
From bb119724bad7e255763e8c44aa98782d036c9895 Mon Sep 17 00:00:00 2001
From: aksha
Date: Thu, 25 Oct 2018 13:21:08 +0100
Subject: [PATCH 123/244] fix: Changed TSK object names to lower case
---
objects/TSK-Chats/definition.json | 2 +-
objects/TSK-Web-Bookmark/definition.json | 2 +-
objects/TSK-Web-Cookie/definition.json | 2 +-
objects/TSK-Web-Downloads/definition.json | 2 +-
objects/TSK-Web-History/definition.json | 2 +-
objects/TSK-Web-Search-Query/definition.json | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/objects/TSK-Chats/definition.json b/objects/TSK-Chats/definition.json
index ed5f00a..9ffffe0 100644
--- a/objects/TSK-Chats/definition.json
+++ b/objects/TSK-Chats/definition.json
@@ -80,5 +80,5 @@
 "description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.",
 "meta-category": "misc",
 "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800",
- "name": "TSK-Chats"
+ "name": "tsk-chats"
 }
diff --git a/objects/TSK-Web-Bookmark/definition.json b/objects/TSK-Web-Bookmark/definition.json
index 485577e..99475d3 100644
--- a/objects/TSK-Web-Bookmark/definition.json
+++ b/objects/TSK-Web-Bookmark/definition.json
@@ -63,5 +63,5 @@
 "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.",
 "meta-category": "misc",
 "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373",
- "name": "TSK-Web-Bookmark"
+ "name": "tsk-web-bookmark"
 }
diff --git a/objects/TSK-Web-Cookie/definition.json b/objects/TSK-Web-Cookie/definition.json
index 03cf240..edf2e40 100644
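Review bot: Lowercasing `name` in the six TSK templates (this hunk and the Web-Bookmark, Web-Cookie, Web-Downloads, Web-History and Web-Search-Query hunks) changes the value consumers match the template on, yet `"version": 1,` is left untouched in all six; to the extent template updates are driven by the version field, an instance that already imported version 1 under the old name has no signal to reload it, so each file should also get `"version": 2,`. The directories remain `objects/TSK-*` while the names are now lowercase, so name and directory no longer agree; if the repository's validation compares the two, these files will fail until the directories are renamed to match.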
--- a/objects/TSK-Web-Cookie/definition.json
+++ b/objects/TSK-Web-Cookie/definition.json
@@ -63,5 +63,5 @@
 "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.",
 "meta-category": "misc",
 "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d",
- "name": "TSK-Web-Cookie"
+ "name": "tsk-web-cookie"
 }
diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json
index 061fa64..d7c8f69 100644
--- a/objects/TSK-Web-Downloads/definition.json
+++ b/objects/TSK-Web-Downloads/definition.json
@@ -51,5 +51,5 @@
 "description": "An Object Template to add web-downloads",
 "meta-category": "File",
 "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26",
- "name": "TSK-Web-Downloads"
+ "name": "tsk-web-downloads"
 }
diff --git a/objects/TSK-Web-History/definition.json b/objects/TSK-Web-History/definition.json
index 897e13b..4c9bd86 100644
--- a/objects/TSK-Web-History/definition.json
+++ b/objects/TSK-Web-History/definition.json
@@ -64,5 +64,5 @@
 "description": "An Object Template to share web history information",
 "meta-category": "misc",
 "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698",
- "name": "TSK-Web-History"
+ "name": "tsk-web-history"
 }
diff --git a/objects/TSK-Web-Search-Query/definition.json b/objects/TSK-Web-Search-Query/definition.json
index 046c266..43d94c5 100644
--- a/objects/TSK-Web-Search-Query/definition.json
+++ b/objects/TSK-Web-Search-Query/definition.json
@@ -62,5 +62,5 @@
 "description": "An Object Template to share web search query information",
 "meta-category": "misc",
 "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e",
- "name": "TSK-Web-Search-Query"
+ "name": "tsk-web-search-query"
 }
From b93ad7969f3ecc5fa8b0d105ad5512523fd7c54d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy Date: Thu, 25 Oct 2018 17:31:36 +0200 Subject: [PATCH 124/244] fix: jq all the things(tm) --- objects/TSK-Chats/definition.json | 168 ++++----- objects/TSK-Web-Bookmark/definition.json | 134 +++---- objects/TSK-Web-Cookie/definition.json | 134 +++---- objects/TSK-Web-Downloads/definition.json | 110 +++--- objects/TSK-Web-History/definition.json | 136 +++---- objects/TSK-Web-Search-Query/definition.json | 132 +++---- objects/python-etvx-event-log/definition.json | 342 +++++++++--------- objects/regripper-NTUser/definition.json | 196 +++++----- .../definition.json | 136 +++---- .../definition.json | 108 +++--- .../definition.json | 118 +++--- .../definition.json | 106 +++--- .../definition.json | 98 ++--- .../definition.json | 114 +++--- .../definition.json | 110 +++--- .../definition.json | 250 ++++++------- .../definition.json | 126 +++---- .../definition.json | 320 ++++++++-------- .../definition.json | 100 ++--- .../definition.json | 178 ++++----- .../definition.json | 212 +++++------ .../definition.json | 196 +++++----- 22 files changed, 1762 insertions(+), 1762 deletions(-) diff --git a/objects/TSK-Chats/definition.json b/objects/TSK-Chats/definition.json index 9ffffe0..05b18a2 100644 --- a/objects/TSK-Chats/definition.json +++ b/objects/TSK-Chats/definition.json 
@@ -1,84 +1,84 @@ -{ - "required": [ - "message-type", - "message" - ], - "attributes": { - "message-type": { - "description": "the type of message extracted from the forensic-evidence.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "SMS", - "MMS", - "Instant Message (IM)", - "Voice Message" - ], - "disable_correlation": true - }, - "datetime-sent": { - "description": "date and the time when the message was sent.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "datetime-received": { - "description": "date and time when the message was received.", - "multiple": true, - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "Source": { - "description": "Source of the message.(Contact details)", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "destination": { - "description": "Destination of the message.(Contact details)", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "app-used": { - "description": "Application used to send the message.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "subject": { - "description": "Subject of the message if any.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "message": { - "description": "Message exchanged.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "attachments": { - "description": "External references", - "multiple": true, - "ui-priority": 0, - "categories": [ - "External analysis" - ], - "misp-attribute": "link" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.", - "meta-category": 
"misc", - "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", - "name": "tsk-chats" -} +{ + "required": [ + "message-type", + "message" + ], + "attributes": { + "message-type": { + "description": "the type of message extracted from the forensic-evidence.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "SMS", + "MMS", + "Instant Message (IM)", + "Voice Message" + ], + "disable_correlation": true + }, + "datetime-sent": { + "description": "date and the time when the message was sent.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "datetime-received": { + "description": "date and time when the message was received.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "Source": { + "description": "Source of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "destination": { + "description": "Destination of the message.(Contact details)", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "app-used": { + "description": "Application used to send the message.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "subject": { + "description": "Subject of the message if any.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "message": { + "description": "Message exchanged.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "attachments": { + "description": "External references", + "multiple": true, + "ui-priority": 0, + "categories": [ + "External analysis" + ], + "misp-attribute": "link" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to gather information from evidential or interesting exchange of messages 
identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "6b71f231-c502-467f-bc67-1423cd5bf800", + "name": "tsk-chats" +} diff --git a/objects/TSK-Web-Bookmark/definition.json b/objects/TSK-Web-Bookmark/definition.json index 99475d3..28fca9e 100644 --- a/objects/TSK-Web-Bookmark/definition.json +++ b/objects/TSK-Web-Bookmark/definition.json 
@@ -1,67 +1,67 @@ -{ - "required": [ - "URL" - ], - "attributes": { - "URL": { - "description": "The URL saved as bookmark.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-bookmarked": { - "description": "date and time when the URL was added to favorites.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Book mark name. ", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "title": { - "description": "Title of the web page", - "ui-priority": 0, - "misp-attribute": "text" - }, - "browser": { - "description": "Browser used to access the URL.", - "ui-priority": 0, - "misp-attribute": "text", - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "disable_correlation": true - }, - "domain-name": { - "description": "Domain of the URL.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the URL domain.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", - "meta-category": "misc", - "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", - "name": "tsk-web-bookmark" -} +{ + "required": [ + "URL" + ], + "attributes": { + "URL": { + "description": "The URL saved as bookmark.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-bookmarked": { + "description": "date and time when the URL was added to favorites.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Book mark name. 
", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "title": { + "description": "Title of the web page", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser used to access the URL.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "disable_correlation": true + }, + "domain-name": { + "description": "Domain of the URL.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the URL domain.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An Object Template to add evidential bookmarks identified during a digital forensic investigation.", + "meta-category": "misc", + "uuid": "7d9a88a8-9934-4caa-a85b-f76bc97d5373", + "name": "tsk-web-bookmark" +} diff --git a/objects/TSK-Web-Cookie/definition.json b/objects/TSK-Web-Cookie/definition.json index edf2e40..03e841e 100644 --- a/objects/TSK-Web-Cookie/definition.json +++ b/objects/TSK-Web-Cookie/definition.json 
@@ -1,67 +1,67 @@ -{ - "required": [ - "URL", - "name", - "value" - ], - "attributes": { - "URL": { - "description": "The website URL that created the cookie.", - "ui-priority": 0, - "misp-attribute": "link" - }, - "datetime-created": { - "description": "date and time when the cookie was created.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "name": { - "description": "Name of the cookie ", - "ui-priority": 0, - "misp-attribute": "text" - }, - "value": { - "description": "Value assigned to the cookie.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "browser": { - "description": "Browser on which the cookie was created.", - "ui-priority": 0, - "sane_default": [ - "IE", - "Safari", - "Chrome", - "Firefox", - "Opera mini", - "Chromium" - ], - "misp-attribute": "text" - }, - "domain-name": { - "description": "Domain of the URL that created the cookie.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "domain-ip": { - "description": "IP of the domain that created the URL.", - "ui-priority": 0, - "misp-attribute": "ip-src" - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "categories": [ - "External analysis" - ], - "disable_correlation": true - } - }, - "version": 1, - "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", - "meta-category": "misc", - "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", - "name": "tsk-web-cookie" -} +{ + "required": [ + "URL", + "name", + "value" + ], + "attributes": { + "URL": { + "description": "The website URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "link" + }, + "datetime-created": { + "description": "date and time when the cookie was created.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the cookie ", + "ui-priority": 0, + "misp-attribute": "text" + }, + 
"value": { + "description": "Value assigned to the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "browser": { + "description": "Browser on which the cookie was created.", + "ui-priority": 0, + "sane_default": [ + "IE", + "Safari", + "Chrome", + "Firefox", + "Opera mini", + "Chromium" + ], + "misp-attribute": "text" + }, + "domain-name": { + "description": "Domain of the URL that created the cookie.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "domain-ip": { + "description": "IP of the domain that created the URL.", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "categories": [ + "External analysis" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.", + "meta-category": "misc", + "uuid": "40d23a4f-43be-4c9e-8328-382a2188eb1d", + "name": "tsk-web-cookie" +} diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json index d7c8f69..6659d0e 100644 --- a/objects/TSK-Web-Downloads/definition.json +++ b/objects/TSK-Web-Downloads/definition.json 
@@ -1,55 +1,55 @@
-{
- "required": [
- "URL",
- "name"
- ],
- "attributes": {
- "URL": {
- "description": "The URL used to download the file.",
- "ui-priority": 0,
- "misp-attribute": "link"
- },
- "datetime-accessed": {
- "description": "date and time when the file was downloaded.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "name": {
- "description": "Name of the file downloaded.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "path-downloadedTo": {
- "description": "Location the file was downloaded to.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "pathID": {
- "description": "Id of the attribute file where the information is gathered from.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "attachment": {
- "description": "The downloaded file itself.",
- "ui-priority": 1,
- "misp-attribute": "attachment",
- "disable_correlation": true
- },
- "additional-comments": {
- "description": "Comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "categories": [
- "External analysis"
- ],
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "An Object Template to add web-downloads",
- "meta-category": "File",
- "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26",
- "name": "tsk-web-downloads"
-}
+{
+ "required": [
+ "URL",
+ "name"
+ ],
+ "attributes": {
+ "URL": {
+ "description": "The URL used to download the file.",
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "datetime-accessed": {
+ "description": "date and time when the file was downloaded.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "name": {
+ "description": "Name of the file downloaded.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "path-downloadedTo": {
+ "description": "Location the file was downloaded to.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "pathID": {
+ "description": "Id of the attribute file where the information is gathered from.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "attachment": {
+ "description": "The downloaded file itself.",
+ "ui-priority": 1,
+ "misp-attribute": "attachment",
+ "disable_correlation": true
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "categories": [
+ "External analysis"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An Object Template to add web-downloads",
+ "meta-category": "File",
+ "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26",
+ "name": "tsk-web-downloads"
+}
diff --git a/objects/TSK-Web-History/definition.json b/objects/TSK-Web-History/definition.json
index 4c9bd86..b38fd8d 100644
--- a/objects/TSK-Web-History/definition.json
+++ b/objects/TSK-Web-History/definition.json
@@ -1,68 +1,68 @@
-{
- "required": [
- "URL",
- "datetime-accessed"
- ],
- "attributes": {
- "URL": {
- "description": "The URL accessed.",
- "ui-priority": 0,
- "misp-attribute": "link"
- },
- "datetime-accessed": {
- "description": "date and the time when the URL was accessed.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "referrer": {
- "description": "where the URL was referred from ",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "title": {
- "description": "Title of the web page",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "domain-name": {
- "description": "Domain of the URL.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "domain-ip": {
- "description": "IP of the URL domain.",
- "ui-priority": 0,
- "misp-attribute": "ip-src"
- },
- "browser": {
- "description": "Browser used to access the URL.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "sane_default": [
- "IE",
- "Safari",
- "Chrome",
- "Firefox",
- "Opera mini",
- "Chromium"
- ],
- "disable_correlation": true
- },
- "additional-comments": {
- "description": "Comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "categories": [
- "External analysis"
- ],
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "An Object Template to share web history information",
- "meta-category": "misc",
- "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698",
- "name": "tsk-web-history"
-}
+{
+ "required": [
+ "URL",
+ "datetime-accessed"
+ ],
+ "attributes": {
+ "URL": {
+ "description": "The URL accessed.",
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "datetime-accessed": {
+ "description": "date and the time when the URL was accessed.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "referrer": {
+ "description": "where the URL was referred from ",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "title": {
+ "description": "Title of the web page",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "domain-name": {
+ "description": "Domain of the URL.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "domain-ip": {
+ "description": "IP of the URL domain.",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src"
+ },
+ "browser": {
+ "description": "Browser used to access the URL.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "IE",
+ "Safari",
+ "Chrome",
+ "Firefox",
+ "Opera mini",
+ "Chromium"
+ ],
+ "disable_correlation": true
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "categories": [
+ "External analysis"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An Object Template to share web history information",
+ "meta-category": "misc",
+ "uuid": "e1325e52-e52e-49b1-89ad-d503c127c698",
+ "name": "tsk-web-history"
+}
diff --git a/objects/TSK-Web-Search-Query/definition.json b/objects/TSK-Web-Search-Query/definition.json
index 43d94c5..0b0afdd 100644
--- a/objects/TSK-Web-Search-Query/definition.json
+++ b/objects/TSK-Web-Search-Query/definition.json
@@ -1,66 +1,66 @@
-{
- "required": [
- "domain",
- "text"
- ],
- "attributes": {
- "domain": {
- "description": "The domain of the search engine.",
- "ui-priority": 0,
- "misp-attribute": "link",
- "sane_default": [
- "Google",
- "Yahoo",
- "Bing",
- "Alta Vista",
- "MSN"
- ],
- "disable_correlation": true
- },
- "text": {
- "description": "the search word or sentence.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "datetime-searched": {
- "description": "date and time when the search was conducted.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "browser": {
- "description": "Browser used.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "sane_default": [
- "IE",
- "Safari",
- "Chrome",
- "Firefox",
- "Opera mini",
- "Chromium"
- ],
- "disable_correlation": true
- },
- "username": {
- "description": "User name or ID associated with the search.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "additional-comments": {
- "description": "Comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "categories": [
- "External analysis"
- ],
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "An Object Template to share web search query information",
- "meta-category": "misc",
- "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e",
- "name": "tsk-web-search-query"
-}
+{
+ "required": [
+ "domain",
+ "text"
+ ],
+ "attributes": {
+ "domain": {
+ "description": "The domain of the search engine.",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "sane_default": [
+ "Google",
+ "Yahoo",
+ "Bing",
+ "Alta Vista",
+ "MSN"
+ ],
+ "disable_correlation": true
+ },
+ "text": {
+ "description": "the search word or sentence.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "datetime-searched": {
+ "description": "date and time when the search was conducted.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "browser": {
+ "description": "Browser used.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "IE",
+ "Safari",
+ "Chrome",
+ "Firefox",
+ "Opera mini",
+ "Chromium"
+ ],
+ "disable_correlation": true
+ },
+ "username": {
+ "description": "User name or ID associated with the search.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "categories": [
+ "External analysis"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An Object Template to share web search query information",
+ "meta-category": "misc",
+ "uuid": "16b3f8d0-fd09-4812-a42c-b5aeff2d4c2e",
+ "name": "tsk-web-search-query"
+}
diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json
index 79a2d13..62566f4 100644
--- a/objects/python-etvx-event-log/definition.json
+++ b/objects/python-etvx-event-log/definition.json
@@ -1,171 +1,171 @@
-{
- "required": [
- "source",
- "type",
- "name"
- ],
- "attributes": {
- "event-id": {
- "description": "A unique number which identifies the event.",
- "ui-priority": 1,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "name": {
- "description": "Name of the event.",
- "ui-priority": 2,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "event-channel": {
- "description": " Channel through which the event occurred",
- "ui-priority": 3,
- "misp-attribute": "text",
- "disable_correlation": true,
- "sane-default": [
- "Application",
- "System",
- "Security",
- "Setup",
- "other"
- ]
- },
- "event-type": {
- "description": "Event-type assigned to the event",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true,
- "sane-default": [
- "Admin",
- "Operational",
- "Audit",
- "Analytic",
- "Debug",
- "other"
- ]
- },
- "source": {
- "description": "The source of the event log - application/software that logged the event.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "event-date-time": {
- "description": "Date and time when the event was logged.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "level": {
- "description": "Determines the event severity.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "sane_default": [
- "Information",
- "Warning",
- "Error",
- "Critical",
- "Success Audit",
- "Failure Audit"
- ]
- },
- "Computer": {
- "description": "Computer name on which the event occurred",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "User": {
- "description": "Name or the User ID the event is associated with.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "Operational-code": {
- "description": "The opcode (numeric value or name) associated with the activity carried out by the event.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "log": {
- "description": "Log file where the event was recorded.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "task-category": {
- "description": "Activity by the event publisher",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "Keywords": {
- "description": "Tags used for the event for the purpose of filtering or searching.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "sane_default": [
- "Network",
- "Security",
- "Resource not found",
- "other"
- ]
- },
- "Processor-ID": {
- "description": "ID of the processor that processed the event.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "Thread-ID": {
- "description": "Thread id that generated the event.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "Session-ID": {
- "description": "Terminal server session ID.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "Correlation-ID": {
- "description": "Unique activity identity which relates the event to a process. ",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Relative-Correlation-ID": {
- "description": "Related activity ID which identity similar activities which occurred as a part of the event.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "kernel-time": {
- "description": "Execution time of the kernel mode instruction.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "user-time": {
- "description": "Date and time when the user instruction was executed.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "Event-data": {
- "description": "Event data description.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "comment": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Event log object template to share information of the activities conducted on a system. ",
- "meta-category": "misc",
- "uuid": "94e3aee9-cb99-4503-9bf6-7da3db5de55e",
- "name": "python-etvx-event-log"
-}
+{
+ "required": [
+ "source",
+ "type",
+ "name"
+ ],
+ "attributes": {
+ "event-id": {
+ "description": "A unique number which identifies the event.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "name": {
+ "description": "Name of the event.",
+ "ui-priority": 2,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "event-channel": {
+ "description": " Channel through which the event occurred",
+ "ui-priority": 3,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane-default": [
+ "Application",
+ "System",
+ "Security",
+ "Setup",
+ "other"
+ ]
+ },
+ "event-type": {
+ "description": "Event-type assigned to the event",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane-default": [
+ "Admin",
+ "Operational",
+ "Audit",
+ "Analytic",
+ "Debug",
+ "other"
+ ]
+ },
+ "source": {
+ "description": "The source of the event log - application/software that logged the event.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "event-date-time": {
+ "description": "Date and time when the event was logged.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "level": {
+ "description": "Determines the event severity.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Information",
+ "Warning",
+ "Error",
+ "Critical",
+ "Success Audit",
+ "Failure Audit"
+ ]
+ },
+ "Computer": {
+ "description": "Computer name on which the event occurred",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "User": {
+ "description": "Name or the User ID the event is associated with.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "Operational-code": {
+ "description": "The opcode (numeric value or name) associated with the activity carried out by the event.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "log": {
+ "description": "Log file where the event was recorded.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "task-category": {
+ "description": "Activity by the event publisher",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "Keywords": {
+ "description": "Tags used for the event for the purpose of filtering or searching.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Network",
+ "Security",
+ "Resource not found",
+ "other"
+ ]
+ },
+ "Processor-ID": {
+ "description": "ID of the processor that processed the event.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "Thread-ID": {
+ "description": "Thread id that generated the event.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "Session-ID": {
+ "description": "Terminal server session ID.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "Correlation-ID": {
+ "description": "Unique activity identity which relates the event to a process. ",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Relative-Correlation-ID": {
+ "description": "Related activity ID which identity similar activities which occurred as a part of the event.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "kernel-time": {
+ "description": "Execution time of the kernel mode instruction.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "user-time": {
+ "description": "Date and time when the user instruction was executed.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "Event-data": {
+ "description": "Event data description.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "comment": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Event log object template to share information of the activities conducted on a system. ",
+ "meta-category": "misc",
+ "uuid": "94e3aee9-cb99-4503-9bf6-7da3db5de55e",
+ "name": "python-etvx-event-log"
+}
diff --git a/objects/regripper-NTUser/definition.json b/objects/regripper-NTUser/definition.json
index 9ec80c5..b9ed227 100644
--- a/objects/regripper-NTUser/definition.json
+++ b/objects/regripper-NTUser/definition.json
@@ -1,98 +1,98 @@
-{
- "required": [
- "key"
- ],
- "requiredOneOf": [
- "logon-user-name"
- ],
- "attributes": {
- "key": {
- "description": "Registry key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "key-last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "logon-user-name": {
- "description": "Name assigned to the user profile.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "recent-folders-accessed": {
- "description": "List of recent folders accessed by the user.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "recent-files-accessed": {
- "description": "List of recent files accessed by the user.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "typed-urls": {
- "description": "Urls typed by the user in internet explorer",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "applications-installed": {
- "description": "List of applications installed.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "applications-run": {
- "description": "List of applications set to run on the system.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "external-devices": {
- "description": "List of external devices connected to the system by the user.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "user-init": {
- "description": "Applications or processes set to run when the user logs onto the windows system.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "nukeOnDelete": {
- "description": "Determines if the Recycle bin option has been disabled.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "network-connected-to": {
- "description": "List of networks the user connected the system to.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "mount-points": {
- "description": "Details of the mount points created on the system.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true,
- "disable_correlation": true
- },
- "comments": {
- "description": "Additional information related to the user profile",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.",
- "meta-category": "misc",
- "uuid": "f9dc7b7e-8ab1-4dde-95d9-67e41b461c65",
- "name": "regripper-NTUser"
-}
+{
+ "required": [
+ "key"
+ ],
+ "requiredOneOf": [
+ "logon-user-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Registry key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "logon-user-name": {
+ "description": "Name assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "recent-folders-accessed": {
+ "description": "List of recent folders accessed by the user.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "recent-files-accessed": {
+ "description": "List of recent files accessed by the user.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "typed-urls": {
+ "description": "Urls typed by the user in internet explorer",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "applications-installed": {
+ "description": "List of applications installed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "applications-run": {
+ "description": "List of applications set to run on the system.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "external-devices": {
+ "description": "List of external devices connected to the system by the user.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "user-init": {
+ "description": "Applications or processes set to run when the user logs onto the windows system.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "nukeOnDelete": {
+ "description": "Determines if the Recycle bin option has been disabled.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "network-connected-to": {
+ "description": "List of networks the user connected the system to.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "mount-points": {
+ "description": "Details of the mount points created on the system.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true,
+ "disable_correlation": true
+ },
+ "comments": {
+ "description": "Additional information related to the user profile",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.",
+ "meta-category": "misc",
+ "uuid": "f9dc7b7e-8ab1-4dde-95d9-67e41b461c65",
+ "name": "regripper-NTUser"
+}
diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json
index 11632e3..598144b 100644
--- a/objects/regripper-sam-hive-single-user/definition.json
+++ b/objects/regripper-sam-hive-single-user/definition.json
@@ -1,68 +1,68 @@
-{
- "required": [
- "key"
- ],
- "requiredOneOf": [
- "user-name",
- "last-login-time",
- "login-count"
- ],
- "attributes": {
- "key": {
- "description": "Registry key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "key-last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "user-name": {
- "description": "User name assigned to the user profile.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "full-user-name": {
- "description": "Full name assigned to the user profile.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-login-time": {
- "description": "Date and time when the user last logged onto the system.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "pwd-reset-time": {
- "description": "Date and time when the password was last reset.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "pwd-fail-date": {
- "description": "Date and time when a password last failed for this user profile.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "login-count": {
- "description": "Number of times the user logged-in onto the system.",
- "ui-priority": 0,
- "misp-attribute": "counter",
- "disable_correlation": true
- },
- "comments": {
- "description": "Full name assigned to the user profile.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.",
- "meta-category": "misc",
- "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
- "name": "regripper-sam-hive-single-user"
-}
+{
+ "required": [
+ "key"
+ ],
+ "requiredOneOf": [
+ "user-name",
+ "last-login-time",
+ "login-count"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Registry key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "user-name": {
+ "description": "User name assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "full-user-name": {
+ "description": "Full name assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-login-time": {
+ "description": "Date and time when the user last logged onto the system.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "pwd-reset-time": {
+ "description": "Date and time when the password was last reset.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "pwd-fail-date": {
+ "description": "Date and time when a password last failed for this user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "login-count": {
+ "description": "Number of times the user logged-in onto the system.",
+ "ui-priority": 0,
+ "misp-attribute": "counter",
+ "disable_correlation": true
+ },
+ "comments": {
+ "description": "Full name assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.",
+ "meta-category": "misc",
+ "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
+ "name": "regripper-sam-hive-single-user"
+}
diff --git a/objects/regripper-sam-hive-user-group/definition.json b/objects/regripper-sam-hive-user-group/definition.json
index 64119d0..55df836 100644
--- a/objects/regripper-sam-hive-user-group/definition.json
+++ b/objects/regripper-sam-hive-user-group/definition.json 
@@ -1,54 +1,54 @@
-{
- "required": [
- "key"
- ],
- "requiredOneOf": [
- "group-name"
- ],
- "attributes": {
- "key": {
- "description": "Registry key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "key-last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "group-name": {
- "description": "Name assigned to the profile.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "full-name": {
- "description": "Full name assigned to the profile.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-date-time": {
- "description": "Date and time when the group key was updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "group-comment": {
- "description": "Any group comment added.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "group-users": {
- "description": "Users belonging to the group",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.",
- "meta-category": "misc",
- "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c",
- "name": "regripper-sam-hive-user-group"
-}
+{
+ "required": [
+ "key"
+ ],
+ "requiredOneOf": [
+ "group-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Registry key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "group-name": {
+ "description": "Name assigned to the profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "full-name": {
+ "description": "Full name assigned to the profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-date-time": {
+ "description": "Date and time when the group key was updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "group-comment": {
+ "description": "Any group comment added.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "group-users": {
+ "description": "Users belonging to the group",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to present group profile details extracted from the SAM hive.",
+ "meta-category": "misc",
+ "uuid": "b924bae1-2dec-4d2d-a8c2-b03305222b7c",
+ "name": "regripper-sam-hive-user-group"
+}
diff --git a/objects/regripper-software-hive-BHO/definition.json b/objects/regripper-software-hive-BHO/definition.json
index 0b43791..3c392f6 100644
--- a/objects/regripper-software-hive-BHO/definition.json
+++ b/objects/regripper-software-hive-BHO/definition.json
@@ -1,59 +1,59 @@
-{
- "required": [
- "key",
- "BHO-name"
- ],
- "attributes": {
- "key": {
- "description": "Software hive key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "BHO-name": {
- "description": "Name of the browser helper object.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BHO-key-last-write-time": {
- "description": "Date and time when the BHO key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "class": {
- "description": "Class to which the BHO belongs to.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "module": {
- "description": "DLL module the BHO belongs to.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "references": {
- "description": "References to the BHO.",
- "ui-priority": 0,
- "misp-attribute": "link",
- "multiple": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.",
- "meta-category": "misc",
- "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2",
- "name": "regripper-software-hive-BHO"
-}
+{
+ "required": [
+ "key",
+ "BHO-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "BHO-name": {
+ "description": "Name of the browser helper object.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BHO-key-last-write-time": {
+ "description": "Date and time when the BHO key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "class": {
+ "description": "Class to which the BHO belongs to.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "module": {
+ "description": "DLL module the BHO belongs to.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "References to the BHO.",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the browser helper objects installed on the system.",
+ "meta-category": "misc",
+ "uuid": "e7b46b5a-d2d2-4a05-bc25-2ac8d4683ae2",
+ "name": "regripper-software-hive-BHO"
+}
diff --git a/objects/regripper-software-hive-appInit-DLLS/definition.json b/objects/regripper-software-hive-appInit-DLLS/definition.json
index d089224..7bd9395 100644
--- a/objects/regripper-software-hive-appInit-DLLS/definition.json
+++ b/objects/regripper-software-hive-appInit-DLLS/definition.json
@@ -1,53 +1,53 @@
-{
- "required": [
- "key",
- "DLL-name",
- "DLL-path"
- ],
- "attributes": {
- "key": {
- "description": "Software hive key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "DLL-name": {
- "description": "Name of the DLL file.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "DLL-path": {
- "description": "Path where the DLL file is stored.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "DLL-last-write-time": {
- "description": "Date and time when the DLL file was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "references": {
- "description": "References to the DLL file.",
- "ui-priority": 0,
- "misp-attribute": "link",
- "multiple": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather information of the DLL files installed on the system.",
- "meta-category": "misc",
- "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859",
- "name": "regripper-software-hive-appInit-DLLS"
-}
+{
+ "required": [
+ "key",
+ "DLL-name",
+ "DLL-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "DLL-name": {
+ "description": "Name of the DLL file.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "DLL-path": {
+ "description": "Path where the DLL file is stored.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "DLL-last-write-time": {
+ "description": "Date and time when the DLL file was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "References to the DLL file.",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the DLL files installed on the system.",
+ "meta-category": "misc",
+ "uuid": "7893be05-8398-451e-ab1e-5e25ea4a8859",
+ "name": "regripper-software-hive-appInit-DLLS"
+}
diff --git a/objects/regripper-software-hive-application-paths/definition.json b/objects/regripper-software-hive-application-paths/definition.json
index 3929d42..62aacc5 100644
--- a/objects/regripper-software-hive-application-paths/definition.json
+++ b/objects/regripper-software-hive-application-paths/definition.json
@@ -1,49 +1,49 @@
-{
- "required": [
- "key",
- "executable-file-name",
- "path"
- ],
- "attributes": {
- "key": {
- "description": "Software hive key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "executable-file-name": {
- "description": "Name of the executable file.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "path": {
- "description": "Path of the executable file.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "references": {
- "description": "References to the application installed.",
- "ui-priority": 0,
- "misp-attribute": "link",
- "multiple": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather information of the application paths.",
- "meta-category": "misc",
- "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8",
- "name": "regripper-software-hive-application-paths"
-}
+{
+ "required": [
+ "key",
+ "executable-file-name",
+ "path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "executable-file-name": {
+ "description": "Name of the executable file.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "path": {
+ "description": "Path of the executable file.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "References to the application installed.",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the application paths.",
+ "meta-category": "misc",
+ "uuid": "9f2d3c9b-9a82-42a7-82c2-733115d101c8",
+ "name": "regripper-software-hive-application-paths"
+}
diff --git a/objects/regripper-software-hive-applications-installed/definition.json b/objects/regripper-software-hive-applications-installed/definition.json
index c8229c7..2b7d153 100644
--- a/objects/regripper-software-hive-applications-installed/definition.json
+++ b/objects/regripper-software-hive-applications-installed/definition.json
@@ -1,57 +1,57 @@
-{
- "required": [
- "key",
- "app-name"
- ],
- "attributes": {
- "key": {
- "description": "Software hive key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "key-path": {
- "description": "Path of the key.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "app-name": {
- "description": "Name of the application.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "app-last-write-time": {
- "description": "Date and time when the application key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "version": {
- "description": "Version of the application.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "references": {
- "description": "References to the application installed.",
- "ui-priority": 0,
- "misp-attribute": "link",
- "multiple": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather information of the applications installed on the system.",
- "meta-category": "misc",
- "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
- "name": "regripper-software-hive-applications-installed"
-}
+{
+ "required": [
+ "key",
+ "app-name"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "key-path": {
+ "description": "Path of the key.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "app-name": {
+ "description": "Name of the application.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "app-last-write-time": {
+ "description": "Date and time when the application key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "version": {
+ "description": "Version of the application.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "References to the application installed.",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the applications installed on the system.",
+ "meta-category": "misc",
+ "uuid": "7a8fb6b4-cbbd-4de5-b893-7b0a5c4858cd",
+ "name": "regripper-software-hive-applications-installed"
+}
diff --git a/objects/regripper-software-hive-command-shell/definition.json b/objects/regripper-software-hive-command-shell/definition.json
index 0d060d6..0245221 100644
--- a/objects/regripper-software-hive-command-shell/definition.json
+++ b/objects/regripper-software-hive-command-shell/definition.json
@@ -1,55 +1,55 @@
-{
- "required": [
- "key",
- "shell",
- "shell-path"
- ],
- "attributes": {
- "key": {
- "description": "Software hive key where the information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "shell": {
- "description": "Type of shell used to execute the command.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "sane_default": [
- "exe",
- "cmd",
- "bat",
- "hta",
- "pif",
- "Other"
- ],
- "disable_correlation": true
- },
- "shell-path": {
- "description": "Path of the shell.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "command": {
- "description": "Command executed.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
- "meta-category": "misc",
- "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
- "name": "regripper-software-hive-command-shell"
-}
+{
+ "required": [
+ "key",
+ "shell",
+ "shell-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "shell": {
+ "description": "Type of shell used to execute the command.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "exe",
+ "cmd",
+ "bat",
+ "hta",
+ "pif",
+ "Other"
+ ],
+ "disable_correlation": true
+ },
+ "shell-path": {
+ "description": "Path of the shell.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "command": {
+ "description": "Command executed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the shell commands executed on the system.",
+ "meta-category": "misc",
+ "uuid": "a7dc3697-89ce-46dc-a64d-0b1015457978",
+ "name": "regripper-software-hive-command-shell"
+}
diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json
index 85b5538..ca14989 100644
--- a/objects/regripper-software-hive-general-windows-info/definition.json
+++ b/objects/regripper-software-hive-general-windows-info/definition.json
@@ -1,125 +1,125 @@
-{
- "required": [
- "win-cv-path",
- "CurrentVersion"
- ],
- "attributes": {
- "win-cv-path": {
- "description": "key where the windows information is retrieved from",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "RegisteredOrganization": {
- "description": "Name of the registered organization.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "RegisteredOwner": {
- "description": "Name of the registered owner.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CurrentVersion": {
- "description": "Current version of windows",
- "ui-priority": 0,
- "disable_correlation": true
- },
- "CurrentBuild": {
- "description": "Build number of the windows OS.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "SoftwareType": {
- "description": "Software type of windows.",
- "ui-priority": 0,
- "sane_default": [
- "System",
- "Application",
- "other"
- ],
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "InstallationType": {
- "description": "Type of windows installation.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "InstallDate": {
- "description": "Date when windows was installed.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "SystemRoot": {
- "description": "Root directory.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "PathName": {
- "description": "Path to the root directory.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "EditionID": {
- "description": "Windows edition.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "ProductName": {
- "description": "Name of the windows version.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "ProductID": {
- "description": "ID of the product version.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CSDVersion": {
- "description": "Version of the service pack installed.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "CurrentBuildType": {
- "description": "Current build type of the OS.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BuildLab": {
- "description": "Windows BuildLab string.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BuildGUID": {
- "description": "Build ID.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "BuildLabEx": {
- "description": "Windows BuildLabEx string.",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "comment": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
- "meta-category": "misc",
- "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
- "name": "regripper-software-hive-windows-general-info"
-}
+{
+ "required": [
+ "win-cv-path",
+ "CurrentVersion"
+ ],
+ "attributes": {
+ "win-cv-path": {
+ "description": "key where the windows information is retrieved from",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "RegisteredOrganization": {
+ "description": "Name of the registered organization.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "RegisteredOwner": {
+ "description": "Name of the registered owner.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CurrentVersion": {
+ "description": "Current version of windows",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "CurrentBuild": {
+ "description": "Build number of the windows OS.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "SoftwareType": {
+ "description": "Software type of windows.",
+ "ui-priority": 0,
+ "sane_default": [
+ "System",
+ "Application",
+ "other"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "InstallationType": {
+ "description": "Type of windows installation.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "InstallDate": {
+ "description": "Date when windows was installed.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "SystemRoot": {
+ "description": "Root directory.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "PathName": {
+ "description": "Path to the root directory.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "EditionID": {
+ "description": "Windows edition.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ProductName": {
+ "description": "Name of the windows version.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ProductID": {
+ "description": "ID of the product version.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CSDVersion": {
+ "description": "Version of the service pack installed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "CurrentBuildType": {
+ "description": "Current build type of the OS.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BuildLab": {
+ "description": "Windows BuildLab string.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BuildGUID": {
+ "description": "Build ID.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "BuildLabEx": {
+ "description": "Windows BuildLabEx string.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "comment": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather general windows information extracted from the software-hive.",
+ "meta-category": "misc",
+ "uuid": "03200c25-4bf5-4282-9852-001a51ab20f1",
+ "name": "regripper-software-hive-windows-general-info"
+}
diff --git a/objects/regripper-software-hive-software-run/definition.json b/objects/regripper-software-hive-software-run/definition.json
index 35cb1f5..5e26a8a 100644
--- a/objects/regripper-software-hive-software-run/definition.json
+++ b/objects/regripper-software-hive-software-run/definition.json
@@ -1,63 +1,63 @@
-{
- "required": [
- "key",
- "application-name",
- "application-path"
- ],
- "attributes": {
- "key": {
- "description": "Software hive key where the information is retrieved from.",
- "ui-priority": 0,
- "sane_default": [
- "Run",
- "RunOnce",
- "Runservices",
- "Terminal",
- "Other"
- ],
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "key-path": {
- "description": "Path of the key.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "application-name": {
- "description": "Name of the application run.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "application-path": {
- "description": "Path where the application is installed.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "references": {
- "description": "References to the applications.",
- "ui-priority": 0,
- "misp-attribute": "link",
- "multiple": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather information of the applications set to run on the system.",
- "meta-category": "misc",
- "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
- "name": "regripper-software-hive-software-run"
-}
+{
+ "required": [
+ "key",
+ "application-name",
+ "application-path"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Software hive key where the information is retrieved from.",
+ "ui-priority": 0,
+ "sane_default": [
+ "Run",
+ "RunOnce",
+ "Runservices",
+ "Terminal",
+ "Other"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "key-path": {
+ "description": "Path of the key.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "application-name": {
+ "description": "Name of the application run.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "application-path": {
+ "description": "Path where the application is installed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "References to the applications.",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information of the applications set to run on the system.",
+ "meta-category": "misc",
+ "uuid": "4bae06d1-3996-4028-88ec-7c7d54cc1d94",
+ "name": "regripper-software-hive-software-run"
+}
diff --git a/objects/regripper-software-hive-userprofile-winlogon/definition.json b/objects/regripper-software-hive-userprofile-winlogon/definition.json
index e38ebd0..15a3efc 100644
--- a/objects/regripper-software-hive-userprofile-winlogon/definition.json
+++ b/objects/regripper-software-hive-userprofile-winlogon/definition.json
@@ -1,160 +1,160 @@
-{
- "required": [
- "user-profile-key-path",
- "SID"
- ],
- "attributes": {
- "user-profile-key-path": {
- "description": "key where the user-profile information is retrieved from.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "user-profile-key-last-write-time": {
- "description": "Date and time when the key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "user-profile-path": {
- "description": "Path of the user profile on the system",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "SID": {
- "description": "Security identifier assigned to the user profile.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "user-profile-last-write-time": {
- "description": "Date and time when the user profile was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "winlogon-key-path": {
- "description": "winlogon key referred in order to retrieve default user information",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "winlogon-key-last-write-time": {
- "description": "Date and time when the winlogon key was last updated.",
- "ui-priority": 0,
- "misp-attribute": "datetime",
- "disable_correlation": true
- },
- "DefaultUserName": {
- "description": "user-name of the default user.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "Shell": {
- "description": "Shell set to run when the user logs onto the system.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true,
- "multiple": true
- },
- "UserInit": {
- "description": "Applications and files set to run when the user logs onto the system (User logon activity).",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true
- },
- "Legal-notice-caption": {
- "description": "Message title set to display when the user logs-in.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true,
- "disable_correlation": true
- },
- "Legal-notice-text": {
- "description": "Message set to display when the user logs-in.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "multiple": true,
- "disable_correlation": true
- },
- "PreCreateKnownFolders": {
- "description": "create known folders key",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "ReportBootOk": {
- "description": "Flag to check if the reboot was successful.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "AutoRestartShell": {
- "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "PasswordExpiryWarining": {
- "description": "Number of times the password expiry warning appeared.",
- "ui-priority": 0,
- "misp-attribute": "counter",
- "disable_correlation": true
- },
- "PowerdownAfterShutDown": {
- "description": "Flag value- if the system is set to power down after it is shutdown.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "ShutdownWithoutLogon": {
- "description": "Value of the flag set to enable shutdown without requiring a user to login.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "WinStationsDisabled": {
- "description": "Flag value set to enable/disable logons to the system.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "DisableCAD": {
- "description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "AutoAdminLogon": {
- "description": "Flag value to determine if autologon is enabled for a user without entering the password.",
- "ui-priority": 0,
- "misp-attribute": "boolean",
- "disable_correlation": true
- },
- "CachedLogonCount": {
- "description": "Number of times the user has logged into the system.",
- "ui-priority": 0,
- "misp-attribute": "counter",
- "disable_correlation": true
- },
- "ShutdownFlags": {
- "description": "Number of times shutdown is initiated from a process when the user is logged-in.",
- "ui-priority": 0,
- "misp-attribute": "counter",
- "disable_correlation": true
- },
- "Comments": {
- "description": "Additional comments.",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- }
- },
- "version": 1,
- "description": "Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.",
- "meta-category": "misc",
- "uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59",
- "name": "regripper-software-hive-userprofile-winlogon"
-}
+{
+ "required": [
+ "user-profile-key-path",
+ "SID"
+ ],
+ "attributes": {
+ "user-profile-key-path": {
+ "description": "key where the user-profile information is retrieved from.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "user-profile-key-last-write-time": {
+ "description": "Date and time when the key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "user-profile-path": {
+ "description": "Path of the user profile on the system",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "SID": {
+ "description": "Security identifier assigned to the user profile.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "user-profile-last-write-time": {
+ "description": "Date and time when the user profile was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "winlogon-key-path": {
+ "description": "winlogon key referred in order to retrieve default user information",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "winlogon-key-last-write-time": {
+ "description": "Date and time when the winlogon key was last updated.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "DefaultUserName": {
+ "description": "user-name of the default user.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "Shell": {
+ "description": "Shell set to run when the user logs onto the system.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "multiple": true
+ },
+ "UserInit": {
+ "description": "Applications and files set to run when the user logs onto the system (User logon activity).",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "Legal-notice-caption": {
+ "description": "Message title set to display when the user logs-in.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true,
+ "disable_correlation": true
+ },
+ "Legal-notice-text": {
+ "description": "Message set to display when the user logs-in.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true,
+ "disable_correlation": true
+ },
+ "PreCreateKnownFolders": {
+ "description": "create known folders key",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "ReportBootOk": {
+ "description": "Flag to check if the reboot was successful.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "AutoRestartShell": {
+ "description": "Value of the flag set to auto restart the shell if it crashes or shuts down automatically.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "PasswordExpiryWarining": {
+ "description": "Number of times the password expiry warning appeared.",
+ "ui-priority": 0,
+ "misp-attribute": "counter",
+ "disable_correlation": true
+ },
+ "PowerdownAfterShutDown": {
+ "description": "Flag value- if the system is set to power down after it is shutdown.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "ShutdownWithoutLogon": {
+ "description": "Value of the flag set to enable shutdown without requiring a user to login.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "WinStationsDisabled": {
+ "description": "Flag value set to enable/disable logons to the system.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "DisableCAD": {
+ "description": "Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "AutoAdminLogon": {
+ "description": "Flag value to determine if autologon is enabled for a user without entering the password.",
+ "ui-priority": 0,
+ "misp-attribute": "boolean",
+ "disable_correlation": true
+ },
+ "CachedLogonCount": {
+ "description": "Number of times the user has logged into the system.",
+ "ui-priority": 0,
+ "misp-attribute": "counter",
+ "disable_correlation": true
+ },
+ "ShutdownFlags": {
+ "description": "Number of times shutdown is initiated from a process when the user is logged-in.",
+ "ui-priority": 0,
+ "misp-attribute": "counter",
+ "disable_correlation": true
+ },
+ "Comments": {
+ "description": "Additional comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.",
+ "meta-category": "misc",
+ "uuid": "df03d0e4-3e6b-4e56-951a-142eae4cad59",
+ "name": "regripper-software-hive-userprofile-winlogon"
+}
diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json
index fdd0663..abac192 100644
--- a/objects/regripper-system-hive-firewall-configuration/definition.json
+++ b/objects/regripper-system-hive-firewall-configuration/definition.json
@@ -1,50 +1,50 @@ -{ - "required": [ - "profile" - ], - "attributes": { - "profile": { - "description": "Firewall Profile type", - "ui-priority": 0, - "sane-default": [ - "Domain Profile", - "Standard Profile", - "Network Profile", - "Public Profile", - "Private Profile", - "other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "last-write-time": { - "description": "Date and time when the firewall profile policy was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "enbled-firewall": { - "description": "Boolean flag to determine if the firewall is enabled.", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "disable-notification": { - "description": "Boolean flag to determine if firewall notifications are enabled.", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } - }, - "version": 1, - "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.", - "meta-category": "misc", - "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07", - "name": "regripper-system-hive-firewall-configuration" -} +{ + "required": [ + "profile" + ], + "attributes": { + "profile": { + "description": "Firewall Profile type", + "ui-priority": 0, + "sane-default": [ + "Domain Profile", + "Standard Profile", + "Network Profile", + "Public Profile", + "Private Profile", + "other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "last-write-time": { + "description": "Date and time when the firewall profile policy was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "enbled-firewall": { + "description": "Boolean flag to determine if the firewall is enabled.", + "ui-priority": 
0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "disable-notification": { + "description": "Boolean flag to determine if firewall notifications are enabled.", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present firewall configuration information extracted from the system-hive.", + "meta-category": "misc", + "uuid": "d9839b3c-c013-4ba7-b5e5-2787198b9e07", + "name": "regripper-system-hive-firewall-configuration" +} diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json index 04a67fc..b2fe81b 100644 --- a/objects/regripper-system-hive-general-configuration/definition.json +++ b/objects/regripper-system-hive-general-configuration/definition.json 
@@ -1,89 +1,89 @@ -{ - "required": [ - "computer-name" - ], - "attributes": { - "computer-name": { - "description": "name of the computer under analysis", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "shutdown-time": { - "description": "Date and time when the system was shutdown.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-last-write-time": { - "description": "Date and time when the timezone key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-bias": { - "description": "Offset in minutes from UTC. Offset added to the local time to get a UTC value.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-standard-name": { - "description": "Timezone standard name used during non-daylight saving months.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-standard-date": { - "description": "Standard date - non daylight saving months", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-standard-bias": { - "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-daylight-name": { - "description": "Timezone name used during daylight saving months.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "timezone-daylight-date": { - "description": "Daylight date - daylight saving months", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "timezone-daylight-bias": { - "description": "value in minutes to be 
added to the value of timezone-bias to generate the bias used during daylight time.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "fDenyTSConnections:": { - "description": "Specifies whether remote connections are enabled or disabled on the system.", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "", - "disable_correlation": true - } - }, - "version": 1, - "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", - "meta-category": "misc", - "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", - "name": "regripper-system-hive-general-configuration" -} +{ + "required": [ + "computer-name" + ], + "attributes": { + "computer-name": { + "description": "name of the computer under analysis", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "shutdown-time": { + "description": "Date and time when the system was shutdown.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-last-write-time": { + "description": "Date and time when the timezone key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-bias": { + "description": "Offset in minutes from UTC. 
Offset added to the local time to get a UTC value.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-standard-name": { + "description": "Timezone standard name used during non-daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-standard-date": { + "description": "Standard date - non daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-standard-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-daylight-name": { + "description": "Timezone name used during daylight saving months.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "timezone-daylight-date": { + "description": "Daylight date - daylight saving months", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "timezone-daylight-bias": { + "description": "value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "fDenyTSConnections:": { + "description": "Specifies whether remote connections are enabled or disabled on the system.", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + "misp-attribute": "", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", + "meta-category": "misc", + "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", + "name": "regripper-system-hive-general-configuration" +} 
diff --git a/objects/regripper-system-hive-network-information/definition.json b/objects/regripper-system-hive-network-information/definition.json
index dfd3e85..7676c59 100644
--- a/objects/regripper-system-hive-network-information/definition.json
+++ b/objects/regripper-system-hive-network-information/definition.json
@@ -1,106 +1,106 @@ -{ - "required": [ - "network-key" - ], - "attributes": { - "network-key": { - "description": "Registry key assigned to the network", - "ui-priority": 0, - "misp-attribute": "text" - }, - "network-key-last-write-time": { - "description": "Date and time when the network key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "network-key-path": { - "description": "Path of the key where the information is retrieved from.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "TCPIP-key": { - "description": "TCPIP key", - "ui-priority": 0, - "misp-attribute": "text" - }, - "TCPIP-key-last-write-time": { - "description": "Datetime when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "DHCP-domain": { - "description": "Name of the DHCP domain service", - "ui-priority": 0, - "misp-attribute": "text" - }, - "DHCP-IP-address": { - "description": "DHCP service - IP address", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-subnet-mask": { - "description": "DHCP subnet mask - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-name-server": { - "description": "DHCP Name server - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "DHCP-server": { - "description": "DHCP server - IP address.", - "ui-priority": 0, - "misp-attribute": "ip-dst" - }, - "interface-GUID": { - "description": "GUID value assigned to the interface.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-last-write-time": { - "description": "Last date and time when the interface key was updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "interface-name": { - "description": "Name of the interface.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "interface-PnpInstanceID": { - 
"description": "Plug and Play instance ID assigned to the interface.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-MediaSubType": { - "description": "", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "interface-IPcheckingEnabled": { - "description": "", - "ui-priority": 0, - "misp-attribute": "boolean", - "disable_correlation": true - }, - "additional-comments": { - "description": "Comments.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - } - }, - "version": 1, - "description": "Regripper object template designed to gather network information from the system-hive.", - "meta-category": "misc", - "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0", - "name": "regripper-system-hive-network-information." -} +{ + "required": [ + "network-key" + ], + "attributes": { + "network-key": { + "description": "Registry key assigned to the network", + "ui-priority": 0, + "misp-attribute": "text" + }, + "network-key-last-write-time": { + "description": "Date and time when the network key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "network-key-path": { + "description": "Path of the key where the information is retrieved from.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "TCPIP-key": { + "description": "TCPIP key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "TCPIP-key-last-write-time": { + "description": "Datetime when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "DHCP-domain": { + "description": "Name of the DHCP domain service", + "ui-priority": 0, + "misp-attribute": "text" + }, + "DHCP-IP-address": { + "description": "DHCP service - IP address", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-subnet-mask": { + "description": "DHCP subnet mask - IP address.", + 
"ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-name-server": { + "description": "DHCP Name server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "DHCP-server": { + "description": "DHCP server - IP address.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "interface-GUID": { + "description": "GUID value assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-last-write-time": { + "description": "Last date and time when the interface key was updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "interface-name": { + "description": "Name of the interface.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "interface-PnpInstanceID": { + "description": "Plug and Play instance ID assigned to the interface.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-MediaSubType": { + "description": "", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "interface-IPcheckingEnabled": { + "description": "", + "ui-priority": 0, + "misp-attribute": "boolean", + "disable_correlation": true + }, + "additional-comments": { + "description": "Comments.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Regripper object template designed to gather network information from the system-hive.", + "meta-category": "misc", + "uuid": "a5a3ba3a-ba2e-42a4-be45-b36809ae56f0", + "name": "regripper-system-hive-network-information." +} diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index 35054ab..b5dcaf5 100644 --- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json 
@@ -1,98 +1,98 @@ -{ - "required": [ - "name" - ], - "attributes": { - "name": { - "description": "name of the key", - "ui-priority": 0, - "misp-attribute": "text" - }, - "last-write-time": { - "description": "Date and time when the key was last updated.", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "display": { - "description": "Display name/information of the service or the driver.", - "ui-priority": 0, - "misp-attribute": "text" - }, - "image-path": { - "description": "Path of the service/drive", - "ui-priority": 0, - "misp-attribute": "text" - }, - "type": { - "description": "Service/driver type.", - "ui-priority": 0, - "sane_default": [ - "Kernel driver", - "File system driver", - "Own process", - "Share process", - "Interactive", - "Other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "start": { - "description": "When the service/driver starts or executes.", - "ui-priority": 0, - "sane_default": [ - "Boot start", - "System start", - "Auto start", - "Manual", - "Disabled" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "group": { - "description": "Group to which the system/driver belong to.", - "ui-priority": 0, - "sane_default": [ - "Base", - "Boot Bus Extender", - "Boot File System", - "Cryptography", - "Extended base", - "Event Log", - "Filter", - "FSFilter Bottom", - "FSFilter Infrastructure", - "File System", - "FSFilter Virtualization", - "Keyboard Port", - "Network", - "NDIS", - "Parallel arbitrator", - "Pointer Port", - "PnP Filter", - "ProfSvc_Group", - "PNP_TDI", - "SCSI Miniport", - "SCSI CDROM Class", - "System Bus Extender", - "Video Save", - "other" - ], - "misp-attribute": "text", - "disable_correlation": true - }, - "comment": { - "description": "Additional comments.", - "ui-priority": 0, - "misp-attribute": "", - "disable_correlation": true - } - }, - "version": 1, - "description": "Regripper Object template designed to gather information regarding the 
services/drivers from the system-hive.", - "meta-category": "misc", - "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", - "name": "regripper-system-hive-services-drivers" -} +{ + "required": [ + "name" + ], + "attributes": { + "name": { + "description": "name of the key", + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-write-time": { + "description": "Date and time when the key was last updated.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "display": { + "description": "Display name/information of the service or the driver.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "image-path": { + "description": "Path of the service/drive", + "ui-priority": 0, + "misp-attribute": "text" + }, + "type": { + "description": "Service/driver type.", + "ui-priority": 0, + "sane_default": [ + "Kernel driver", + "File system driver", + "Own process", + "Share process", + "Interactive", + "Other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "start": { + "description": "When the service/driver starts or executes.", + "ui-priority": 0, + "sane_default": [ + "Boot start", + "System start", + "Auto start", + "Manual", + "Disabled" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "group": { + "description": "Group to which the system/driver belong to.", + "ui-priority": 0, + "sane_default": [ + "Base", + "Boot Bus Extender", + "Boot File System", + "Cryptography", + "Extended base", + "Event Log", + "Filter", + "FSFilter Bottom", + "FSFilter Infrastructure", + "File System", + "FSFilter Virtualization", + "Keyboard Port", + "Network", + "NDIS", + "Parallel arbitrator", + "Pointer Port", + "PnP Filter", + "ProfSvc_Group", + "PNP_TDI", + "SCSI Miniport", + "SCSI CDROM Class", + "System Bus Extender", + "Video Save", + "other" + ], + "misp-attribute": "text", + "disable_correlation": true + }, + "comment": { + "description": "Additional comments.", + "ui-priority": 0, + 
"misp-attribute": "",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.",
+ "meta-category": "misc",
+ "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73",
+ "name": "regripper-system-hive-services-drivers"
+}
From 26fcbcd3bf29475cbce3e56684407404d3075f25 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 25 Oct 2018 17:35:50 +0200
Subject: [PATCH 125/244] fix typo
---
objects/python-etvx-event-log/definition.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json
index 62566f4..2c50d9a 100644
--- a/objects/python-etvx-event-log/definition.json
+++ b/objects/python-etvx-event-log/definition.json
@@ -22,7 +22,7 @@
 "ui-priority": 3,
 "misp-attribute": "text",
 "disable_correlation": true,
- "sane-default": [
+ "sane_default": [
 "Application",
 "System",
 "Security",
@@ -35,7 +35,7 @@
 "ui-priority": 0,
 "misp-attribute": "text",
 "disable_correlation": true,
- "sane-default": [
+ "sane_default": [
 "Admin",
 "Operational",
 "Audit",
From 7a70a1ece3743de6103bac5c8d5a6337d2e673a5 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 25 Oct 2018 17:38:26 +0200
Subject: [PATCH 126/244] fix: various typos
---
.../definition.json | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/regripper-software-hive-general-windows-info/definition.json b/objects/regripper-software-hive-general-windows-info/definition.json
index ca14989..e1ed4d5 100644
--- a/objects/regripper-software-hive-general-windows-info/definition.json
+++ b/objects/regripper-software-hive-general-windows-info/definition.json
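Review bot: The `sane-default` → `sane_default` rename changes which key the template loader reads, but the diffstat (`2 insertions(+), 2 deletions(-)`) shows the object's `"version"` is left untouched; to my knowledge a MISP instance only replaces an already-loaded template when the incoming version is higher, so deployed servers would keep the broken key until the version is bumped. The same omission recurs in the following commits on this page: 126 (regripper-software-hive-general-windows-info), 127 (regripper-system-hive-firewall-configuration), 128 (TSK-Web-Downloads) and 129 (regripper-sam-hive-single-user), where `"version": 1` is visible as an unchanged context line, and 135/136 (coin-address). Every change that alters keys, attribute names or types should come with a `"version"` increment. Both hunks here show only the middle of their attribute definitions, so the rest of the file is not visible.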
@@ -28,7 +28,8 @@
 "CurrentVersion": {
 "description": "Current version of windows",
 "ui-priority": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "misp-attribute": "text"
 },
 "CurrentBuild": {
 "description": "Build number of the windows OS.",
@@ -113,7 +114,7 @@
 "comment": {
 "description": "Additional comments.",
 "ui-priority": 0,
- "misp-attribute": "",
+ "misp-attribute": "comment",
 "disable_correlation": true
 }
 },
From 38a37186934db5b1ab45c242cdadf146ca2f332b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 25 Oct 2018 17:42:57 +0200
Subject: [PATCH 127/244] typo fixed
---
.../definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/regripper-system-hive-firewall-configuration/definition.json b/objects/regripper-system-hive-firewall-configuration/definition.json
index abac192..b7e5fb6 100644
--- a/objects/regripper-system-hive-firewall-configuration/definition.json
+++ b/objects/regripper-system-hive-firewall-configuration/definition.json
@@ -6,7 +6,7 @@
 "profile": {
 "description": "Firewall Profile type",
 "ui-priority": 0,
- "sane-default": [
+ "sane_default": [
 "Domain Profile",
 "Standard Profile",
 "Network Profile",
From 5e952a4bf7349f9ef955ec1b9448f2b31aaac63b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 25 Oct 2018 17:45:58 +0200
Subject: [PATCH 128/244] chg: [tsk-web-downloads] including link versus url (we assume it's malicious link by default)
---
objects/TSK-Web-Downloads/definition.json | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/objects/TSK-Web-Downloads/definition.json b/objects/TSK-Web-Downloads/definition.json
index 6659d0e..ba60ce2 100644
--- a/objects/TSK-Web-Downloads/definition.json
+++ b/objects/TSK-Web-Downloads/definition.json
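Review bot: Replacing the empty `"misp-attribute": ""` on `comment` with `"comment"` is the right fix, but the same empty type survives on the new side of two sibling templates earlier in this series: regripper-system-hive-general-configuration and regripper-system-hive-service-drivers both still carry `"comment": { "description": "Additional comments.", "ui-priority": 0, "misp-attribute": "", "disable_correlation": true }`. An empty string is not a usable attribute type, so the same `"misp-attribute": "comment"` should be applied there. The first hunk shows only the tail of `CurrentVersion`; whether other attributes in this file also lack a `misp-attribute` cannot be seen from here.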
@@ -1,13 +1,13 @@
 {
 "required": [
- "URL",
+ "url",
 "name"
 ],
 "attributes": {
- "URL": {
+ "url": {
 "description": "The URL used to download the file.",
 "ui-priority": 0,
- "misp-attribute": "link"
+ "misp-attribute": "url"
 },
 "datetime-accessed": {
 "description": "date and time when the file was downloaded.",
@@ -49,7 +49,7 @@
 },
 "version": 1,
 "description": "An Object Template to add web-downloads",
- "meta-category": "File",
+ "meta-category": "file",
 "uuid": "ab9603a1-9dcc-48e8-a51c-b8bccc7bcc26",
 "name": "tsk-web-downloads"
 }
From 2f1ed1ee0c772508208506646d55da72e95cd582 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 25 Oct 2018 17:49:20 +0200
Subject: [PATCH 129/244] chg: [regripper-sam-hive-single-user] uuid fixed
---
objects/regripper-sam-hive-single-user/definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/regripper-sam-hive-single-user/definition.json b/objects/regripper-sam-hive-single-user/definition.json
index 598144b..0bef376 100644
--- a/objects/regripper-sam-hive-single-user/definition.json
+++ b/objects/regripper-sam-hive-single-user/definition.json
@@ -63,6 +63,6 @@
 "version": 1,
 "description": "Regripper Object template designed to present user profile details extracted from the SAM hive.",
 "meta-category": "misc",
- "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
+ "uuid": "112efd9a-2137-4198-92ed-7c91043e2cd4",
 "name": "regripper-sam-hive-single-user"
 }
From 1a0d055caa67aa2e3fe0024815df8d9dbc63703f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Thu, 25 Oct 2018 13:47:20 -0400
Subject: [PATCH 130/244] new: Internal reference object
---
objects/internal-reference/definition.json | 36 ++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 objects/internal-reference/definition.json
diff --git a/objects/internal-reference/definition.json b/objects/internal-reference/definition.json
new file mode 100644
index 0000000..ea2ed12
--- /dev/null
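Review bot: Renaming the object relation from `URL` to `url` (in `required` and in `attributes`) changes the identifier that objects already created from this template carry, and the second hunk shows `"version": 1` unchanged, so anything that validates stored objects against the current template will find no `URL` relation on the new side. If compatibility with existing objects matters, keep the old relation or document the rename as breaking, and bump the version either way. The `link` → `url` type change matches the stated intent of the commit (a downloaded-from URL treated as an indicator rather than a reference) and reads fine.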
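Review bot: Swapping the template `uuid` gives this template a new identity: objects that were created against `4d3fffd2-cd07-4357-96e0-a51c988faaef` will no longer resolve to this definition once the new file is loaded, and the commit message does not say why the old value was wrong (a collision with another template is the usual reason). State the reason in the commit, and if the old uuid was duplicated elsewhere, reference which template keeps it so the change can be audited later.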
+++ b/objects/internal-reference/definition.json
@@ -0,0 +1,36 @@
+{
+ "required": [
+ "identifier"
+ ],
+ "attributes": {
+ "identifier": {
+ "description": "Identifier of the reference. Should be unique in your system.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "categories": [
+ "Internal reference"
+ ]
+ },
+ "comment": {
+ "description": "Comment associated to the identifier.",
+ "ui-priority": 0,
+ "misp-attribute": "comment",
+ "categories": [
+ "Internal reference"
+ ]
+ },
+ "link": {
+ "description": "Link associated to the identifier.",
+ "ui-priority": 1,
+ "misp-attribute": "link",
+ "categories": [
+ "Internal reference"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "Internal reference.",
+ "meta-category": "misc",
+ "uuid": "a3984dc5-5f70-4776-9262-c19641c0ff6a",
+ "name": "internal-reference"
+}
From e3d5d636e49b5da243b567ce1a7a27dec55f0b97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Thu, 25 Oct 2018 15:47:04 -0400
Subject: [PATCH 131/244] chg: Add type of internal reference
---
objects/internal-reference/definition.json | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/objects/internal-reference/definition.json b/objects/internal-reference/definition.json
index ea2ed12..b657cec 100644
--- a/objects/internal-reference/definition.json
+++ b/objects/internal-reference/definition.json
@@ -19,6 +19,14 @@
 "Internal reference"
 ]
 },
+ "type": {
+ "description": "Type of internal reference.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "categories": [
+ "Internal reference"
+ ]
+ },
 "link": {
 "description": "Link associated to the identifier.",
 "ui-priority": 1,
@@ -28,7 +36,7 @@
 ]
 }
 },
- "version": 1,
+ "version": 2,
 "description": "Internal reference.",
 "meta-category": "misc",
 "uuid": "a3984dc5-5f70-4776-9262-c19641c0ff6a",
From decd49b6fcf9a02d9093b1c7d263c42f44bef185 Mon Sep 17 00:00:00 2001
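Review bot: `identifier` is a plain `text` attribute with correlation left on, although the description calls it an identifier that is "unique in your system"; short internal ids such as ticket or case numbers will correlate with any unrelated `text` attribute holding the same value in other events, which is noise rather than a link. Unless cross-event matching on the identifier is intended, add `"disable_correlation": true` as the other templates in this series do. The top-level `"description": "Internal reference."` only repeats the name; a sentence saying what the object is for (e.g. the id of a case or ticket in an internal tracker) would help users pick the right template.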
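Review bot: The new `type` attribute is free `text` with no `sane_default`, so the values users enter will diverge in spelling and case and cannot be filtered consistently; other templates on this page constrain such fields with a `sane_default` array (the `type`, `start` and `group` lists of regripper-system-hive-service-drivers, the `profile` list of the firewall template). Consider adding `"sane_default": [ ... ]` with the reference kinds you expect while still allowing free text. The version bump to 2 is correct for this change.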
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Thu, 25 Oct 2018 17:45:47 -0400
Subject: [PATCH 132/244] fix: JQ things
---
objects/internal-reference/definition.json | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/objects/internal-reference/definition.json b/objects/internal-reference/definition.json
index b657cec..f5ff0e3 100644
--- a/objects/internal-reference/definition.json
+++ b/objects/internal-reference/definition.json
@@ -8,7 +8,7 @@
 "ui-priority": 1,
 "misp-attribute": "text",
 "categories": [
- "Internal reference"
+ "Internal reference"
 ]
 },
 "comment": {
@@ -16,7 +16,7 @@
 "ui-priority": 0,
 "misp-attribute": "comment",
 "categories": [
- "Internal reference"
+ "Internal reference"
 ]
 },
 "type": {
@@ -24,7 +24,7 @@
 "ui-priority": 1,
 "misp-attribute": "text",
 "categories": [
- "Internal reference"
+ "Internal reference"
 ]
 },
 "link": {
@@ -32,7 +32,7 @@
 "ui-priority": 1,
 "misp-attribute": "link",
 "categories": [
- "Internal reference"
+ "Internal reference"
 ]
 }
 },
From ccab94e1b75303b8712b28f76e10cb2459255944 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 28 Oct 2018 15:07:35 +0100
Subject: [PATCH 133/244] chg: [ip-api-adress] updated to ensure correlation disabled
---
objects/ip-api-address/definition.json | 32 +++++++++++++++++---------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/objects/ip-api-address/definition.json b/objects/ip-api-address/definition.json
index fc326a9..88030d3 100644
--- a/objects/ip-api-address/definition.json
+++ b/objects/ip-api-address/definition.json
@@ -2,7 +2,7 @@
 "name": "ip-api-address",
 "meta-category": "network",
 "description": "IP Address information. Useful if you are pulling your ip information from ip-api.com",
- "version": 1,
+ "version": 2,
 "uuid": "4336f124-6264-4f72-943e-cc3797e4122b",
 "attributes": {
 "ip-src": {
@@ -13,52 +13,62 @@
 "asn": {
 "description": "Autonomous System Number",
 "ui-priority": 1,
- "misp-attribute": "AS"
+ "misp-attribute": "AS",
+ "disable_correlation": true
 },
 "organization": {
 "description": "organization",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "ISP": {
 "description": "ISP.",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "zipcode": {
 "description": "Zip Code.",
 "misp-attribute": "text",
- "ui-priority": 1
+ "ui-priority": 1,
+ "disable_correlation": true
 },
 "city": {
 "description": "City.",
 "misp-attribute": "text",
- "ui-priority": 1
+ "ui-priority": 1,
+ "disable_correlation": true
 },
 "state": {
 "description": "State.",
 "misp-attribute": "text",
- "ui-priority": 1
+ "ui-priority": 1,
+ "disable_correlation": true
 },
 "country": {
 "description": "Country name",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "country code": {
 "description": "Country code ",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "region": {
 "description": "Region. example: California.",
 "misp-attribute": "text",
- "ui-priority": 1
+ "ui-priority": 1,
+ "disable_correlation": true
 },
 "region code": {
 "description": "Region code. example: CA",
 "misp-attribute": "text",
- "ui-priority": 1
+ "ui-priority": 1,
+ "disable_correlation": true
 },
 "latitude": {
 "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.",
From a4207d1f3636ec8a2132b5112062ac21822262ff Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 29 Oct 2018 20:43:36 +0100
Subject: [PATCH 134/244] chg: [mactime-timeline-analysis] disable some correlations
---
.../mactime-timeline-analysis/definition.json | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
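Review bot: While this template's version is being bumped, the context lines show two object relations with embedded spaces, `"country code"` and `"region code"`, unlike every other relation on the page (`ip-src`, `region`, `country`, `zipcode`), and the description `"Country code "` carries a trailing space. Renaming a relation breaks objects already created from the template, so it should not be slipped into a correlation-only change; fix the description now (`"description": "Country code",`) and, if the relations are renamed, do it in its own version bump with the change called out. The `disable_correlation` additions themselves are consistent and fine.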
diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json
index 55d86e0..a8f32e9 100644
--- a/objects/mactime-timeline-analysis/definition.json
+++ b/objects/mactime-timeline-analysis/definition.json
@@ -13,12 +13,14 @@
 "datetime": {
 "description": "Date and time when the operation was conducted on the file",
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
 },
 "file_size": {
 "description": "Determines the file size in bytes",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "activityType": {
 "description": "Determines the type of activity conducted on the file at a given time",
@@ -30,20 +32,23 @@
 "Changed",
 "Modified",
 "Other"
- ]
+ ],
+ "disable_correlation": true
 },
 "filePermissions": {
 "description": "Describes permissions assigned the file",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "file": {
 "description": "Mactime output file",
 "ui-priority": 0,
- "misp-attribute": "attachment"
+ "misp-attribute": "attachment",
+ "disable_correlation": true
 }
 },
- "version": 1,
+ "version": 3,
 "description": "Mactime template, used in forensic investigations to describe the timeline of a file activity",
 "meta-category": "file",
 "uuid": "9297982e-be62-4772-a665-c91f5a8d639",
From 6560a53b800ee175cc4b80b66411bcd7806e4a34 Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Tue, 30 Oct 2018 21:30:09 +0900
Subject: [PATCH 135/244] chg: [definition] Extended crypto coin object to be able to enrich with interesting data
---
objects/coin-address/definition.json | 34 ++++++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json
index 51876e7..803f4a7 100644
--- a/objects/coin-address/definition.json
+++ b/objects/coin-address/definition.json
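Review bot: The `uuid` context line at the end of the second hunk, `9297982e-be62-4772-a665-c91f5a8d639`, has only 11 hex digits in its last group where a UUID needs 12, so as shown here the template identifier is not a valid UUID and will be rejected by any strict UUID parsing on import or in tooling. Since the version is already being raised to 3, generate a proper UUID for this template rather than hand-patching the missing digit, and note that doing so changes the identity objects created against the malformed value were bound to. Two smaller points from the same hunks: `file_size` is snake_case while `activityType` and `filePermissions` are camelCase in the same attribute set, and the version jumps from 1 to 3 with no mention of 2 in the commit message.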
@@ -60,6 +60,40 @@
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
+ "last-updated": {
+ "description": "Last time the balances and totals have been updated",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "current-balance": {
+ "description": "Current balance of address",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "recommended": false
+ },
+ "total-transactions": {
+ "description": "Total transactions performed",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "recommended": false
+ },
+ "total-received": {
+ "description": "Total balance received",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "float",
+ "recommended": false
+ },
+ "total-sent": {
+ "description": "Total balance sent",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "float",
+ "recommended": false
+ },
 "text": {
 "description": "Free text value",
 "disable_correlation": true,
From e132ea8e03fe1b855d9f862c5d65014fda445b36 Mon Sep 17 00:00:00 2001
From: Steve Clement Date: Tue, 30 Oct 2018 22:58:54 +0900 Subject: [PATCH 136/244] fix: [definition] Fixed current balance type, is float.
---
 objects/coin-address/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json
index 803f4a7..47b1805 100644
--- a/objects/coin-address/definition.json
+++ b/objects/coin-address/definition.json
@@ -70,7 +70,7 @@
 "description": "Current balance of address",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attribute": "text",
+ "misp-attribute": "float",
 "recommended": false
 },
 "total-transactions": {
From d41b642bc4344db7b538e5824117403192f3ee2f Mon Sep 17 00:00:00 2001
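Review bot: The five new attributes ship without a bump of the template `"version"` — the diffstat shows 34 insertions and no deletion, so the `version` line is untouched — which means MISP instances that already loaded the previous coin-address template will not pick up `last-updated`, `current-balance`, `total-transactions`, `total-received` and `total-sent`. The follow-up type fix on the same page has the same gap (1 insertion, 1 deletion, both on `misp-attribute`); the `version` line lies outside both hunks and should move up by one. `total-transactions` is also a count stored as `"misp-attribute": "text"` while the sibling amounts end up as `float`; the `counter` type keeps it numeric and comparable.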
From: Thomas Patzke Date: Fri, 2 Nov 2018 00:35:28 +0100 Subject: [PATCH 137/244] Extension of process object --- objects/process/definition.json | 44 +++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/objects/process/definition.json b/objects/process/definition.json index 220d4e5..e0420ee 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -3,7 +3,7 @@ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "meta-category": "misc", "description": "Object describing a system process.", - "version": 2, + "version": 3, "attributes": { "creation-time": { "description": "Local date/time at which the process was created.", @@ -47,10 +47,50 @@ "misp-attribute": "src-port", "multiple": true, "disable_correlation": true + }, + "command-line": { + "description": "Command line of the process", + "ui-priority": 1, + "misp-attribute": "text" + }, + "current-directory": { + "description": "Current working directory of the process", + "ui-priority": 2, + "misp-attribute": "filename", + "disable_correlation": true + }, + "image": { + "description": "Path of process image", + "ui-priority": 1, + "misp-attribute": "filename" + }, + "parent-command-line": { + "description": "Command line of the parent process", + "ui-priority": 1, + "misp-attribute": "text" + }, + "parent-image": { + "description": "Path of parent process image", + "ui-priority": 1, + "misp-attribute": "filename" + }, + "user": { + "description": "User context of the process", + "ui-priority": 2, + "misp-attribute": "text", + "disable_correlation": true + }, + "integrity-level": { + "description": "Integrity level of the process", + "ui-priority": 2, + "misp-attribute": "text", + "disable_correlation": true } }, "requiredOneOf": [ "name", - "pid" + "pid", + "image", + "command-line" ] } From e12f15d5daae3f4c53293bb2a2b6483bcd97a366 Mon Sep 17 00:00:00 2001 
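Review bot: `parent-image` and `parent-command-line` are added with correlation left enabled, unlike the new `user`, `current-directory` and `integrity-level`, which all set `disable_correlation: true`. Parent processes are commonly shared by large numbers of unrelated processes, so every event carrying such a parent would correlate with every other one, producing a noisy correlation graph rather than useful links; I would add `"disable_correlation": true` to both parent attributes and leave `image` and `command-line` correlating. If correlating on parents is intended, stating that in the commit message would make the asymmetry deliberate rather than accidental.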
From: Thomas Patzke Date: Fri, 2 Nov 2018 00:40:55 +0100 Subject: [PATCH 138/244] Fixed misp-attribute in link attribute of paste object
---
 objects/paste/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/paste/definition.json b/objects/paste/definition.json
index 09c5adf..7eace76 100644
--- a/objects/paste/definition.json
+++ b/objects/paste/definition.json
@@ -44,7 +44,7 @@
 "description": "Link to the original source of the paste or post (when used maliciously)."
 },
 "link": {
- "misp-attribute": "link,",
+ "misp-attribute": "link",
 "ui-priority": 0,
 "description": "Link to the original source of the source or post (when used legitimately for OSINT source or alike)."
 },
From d61a1f33909f8f8d996ef526ee0db75a8a1052f6 Mon Sep 17 00:00:00 2001
From: Hendrik Date: Fri, 9 Nov 2018 12:37:34 +0100 Subject: [PATCH 139/244] Added cortex taxonomy object definition
---
 objects/cortex-taxonomy/definition.json | 59 +++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 objects/cortex-taxonomy/definition.json
diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json
new file mode 100644
index 0000000..6ece6f9
--- /dev/null
+++ b/objects/cortex-taxonomy/definition.json
@@ -0,0 +1,59 @@ +{ + "required": [ + "level", + "predicate", + "value", + "namespace" + ], + "attributes": { + "namespace": { + "categories": ["External analysis"], + "description": "Cortex Taxonomy Namespace", + "disable_correlation": true, + "multiple": false, + "ui-priority": 0, + "misp-attribute": "text" + }, + "predicate": { + "categories": ["External analysis"], + "description": "Cortex Taxonomy Predicate", + "disable_correlation": true, + "multiple": false, + "ui-priority": 0, + "misp-attribute": "text" + }, + "value": { + "categories": ["External analysis"], + "description": "Cortex Taxonomy Value", + "disable_correlation": true, + "multiple": false, + "ui-priority": 0, + "misp-attribute": "text" + }, + "level": { + "categories": ["External analysis"], + "description": "Cortex Taxonomy Level", + "disable_correlation": true, + "multiple": false, + "misp-attribute": "text", + "ui-priority": 0, + "values_list": [ + "info", + "safe", + "suspicious", + "malicious" + ] + }, + "cortex_url": { + "description": "URL to the Cortex job", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "link" + } + }, + "version": 3, + "description": "Cortex object describing an Cortex Taxonomy", + "meta-category": "misc", + "uuid": "bef7d23b-e796-4d46-803a-32e317896894", + "name": "cortex-taxonomy" +} From 0f1f23fbb546870e383daac28784d91e9568b137 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 9 Nov 2018 14:21:10 +0100 Subject: [PATCH 140/244] fix: [cortex-taxonomy] jq all the things(tm) --- objects/cortex-taxonomy/definition.json | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json index 6ece6f9..f368967 100644 --- a/objects/cortex-taxonomy/definition.json +++ b/objects/cortex-taxonomy/definition.json 
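Review bot: A newly created template starts at `"version": 3`, while the other objects introduced in this series (`cortex`, `timesketch_message`, `facial-composite`) start at 1; MISP uses the version only to detect template updates, so a first revision conventionally reads `"version": 1`. `level` is constrained by a closed `values_list` but typed `text`, which is fine, whereas `cortex_url` is the only key in the object using an underscore where the template names on this page use hyphens — worth aligning before the first release since keys are hard to rename later.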
@@ -7,7 +7,9 @@ ], "attributes": { "namespace": { - "categories": ["External analysis"], + "categories": [ + "External analysis" + ], "description": "Cortex Taxonomy Namespace", "disable_correlation": true, "multiple": false, @@ -15,7 +17,9 @@ "misp-attribute": "text" }, "predicate": { - "categories": ["External analysis"], + "categories": [ + "External analysis" + ], "description": "Cortex Taxonomy Predicate", "disable_correlation": true, "multiple": false, @@ -23,7 +27,9 @@ "misp-attribute": "text" }, "value": { - "categories": ["External analysis"], + "categories": [ + "External analysis" + ], "description": "Cortex Taxonomy Value", "disable_correlation": true, "multiple": false, @@ -31,7 +37,9 @@ "misp-attribute": "text" }, "level": { - "categories": ["External analysis"], + "categories": [ + "External analysis" + ], "description": "Cortex Taxonomy Level", "disable_correlation": true, "multiple": false, From 3ec98a8a6590276e46ae3a47c50971397d9a18bc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 18 Nov 2018 10:11:25 +0100 Subject: [PATCH 141/244] chg: [cortex-taxonomy] aka mini-report --- objects/cortex-taxonomy/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json index f368967..edb3580 100644 --- a/objects/cortex-taxonomy/definition.json +++ b/objects/cortex-taxonomy/definition.json @@ -59,8 +59,8 @@ "misp-attribute": "link" } }, - "version": 3, - "description": "Cortex object describing an Cortex Taxonomy", + "version": 4, + "description": "Cortex object describing an Cortex Taxonomy (or mini report)", "meta-category": "misc", "uuid": "bef7d23b-e796-4d46-803a-32e317896894", "name": "cortex-taxonomy" From 39dd150e2a85b2b5a041a202343ecefa4d34b43a Mon Sep 17 00:00:00 2001 
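Review bot: The description rewritten in the second commit still reads `Cortex object describing an Cortex Taxonomy (or mini report)`; the article should be `a`: `"description": "Cortex object describing a Cortex Taxonomy (or mini report)"`. The hunk closes the file, so no other line is affected.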
From: Alexandre Dulaunoy Date: Sun, 18 Nov 2018 10:28:18 +0100 Subject: [PATCH 142/244] add: [cortex] new object based on a discussion with Jerome L. from TheHive (thanks to SNCF) --- objects/cortex/definition.json | 48 ++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 objects/cortex/definition.json diff --git a/objects/cortex/definition.json b/objects/cortex/definition.json new file mode 100644 index 0000000..1d6679c --- /dev/null +++ b/objects/cortex/definition.json @@ -0,0 +1,48 @@ +{ + "requiredOneOf": [ + "full" + ], + "attributes": { + "summary": { + "description": "Cortex summary object (summary) in JSON", + "disable_correlation": false, + "ui-priority": 0, + "misp-attribute": "text" + }, + "full": { + "description": "Cortex report object (full report) in JSON", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "start-date": { + "description": "When the Cortex analyser was started", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "name": { + "description": "Cortex analyser/worker name", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "server-name": { + "description": "Name of the cortex server", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "success": { + "description": "Result of the cortex job", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "boolean" + } + }, + "version": 1, + "description": "Cortex object describing a complete cortex analysis", + "meta-category": "misc", + "uuid": "144988f3-fa00-4374-8015-c1a32092f451", + "name": "cortex" +} From 7808850ce246b901e485552b45fbdc295982455e Mon Sep 17 00:00:00 2001 
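Review bot: `summary` is the only attribute with `"disable_correlation": false`, while `full` — likewise a JSON document stored in a `text` attribute — disables correlation. Correlating on a serialized JSON blob only matches byte-identical summaries, so it costs index space without producing useful links; unless the asymmetry is deliberate, `"disable_correlation": true` on `summary` keeps the two report fields consistent. `requiredOneOf` lists a single entry, `full`, which `"required": ["full"]` states more directly.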
From: Alexandre Dulaunoy Date: Sun, 18 Nov 2018 10:29:42 +0100 Subject: [PATCH 143/244] chg: [cortex] description updated as TheHive/Cortex observables will be attributes with relationships from this object
---
 objects/cortex/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/cortex/definition.json b/objects/cortex/definition.json
index 1d6679c..a45a0a3 100644
--- a/objects/cortex/definition.json
+++ b/objects/cortex/definition.json
@@ -41,7 +41,7 @@
 }
 },
 "version": 1,
- "description": "Cortex object describing a complete cortex analysis",
+ "description": "Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.",
 "meta-category": "misc",
 "uuid": "144988f3-fa00-4374-8015-c1a32092f451",
 "name": "cortex"
From e44dd16b1841035df0f4a2e8e98a753952eff9cc Mon Sep 17 00:00:00 2001
From: Alexander J Date: Fri, 23 Nov 2018 15:40:57 +0100 Subject: [PATCH 144/244] new misp object for a timesketch message to be able to push timesketch messages (timesketch.org) to a misp event it is handy to have a specific type of object for it.
---
 objects/timesketch_message/definition.json | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 objects/timesketch_message/definition.json
diff --git a/objects/timesketch_message/definition.json b/objects/timesketch_message/definition.json
new file mode 100644
index 0000000..9185646
--- /dev/null
+++ b/objects/timesketch_message/definition.json
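Review bot: The new description has a number-agreement slip, `Observables would be attribute with a relationship from this object.`; it should read `"description": "Cortex object describing a complete cortex analysis. Observables would be attributes with a relationship from this object."`. The description change is not accompanied by a `version` bump, but since only the wording changed that is acceptable here.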
@@ -0,0 +1,26 @@ +{ + "required": [ + "datetime", + "message" + ], + "attributes": { + "datetime": { + "description": "datetime of the message", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "datetime", + "recommended": true + }, + "message": { + "description": "message", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "A timesketch message entry.", + "meta-category": "misc", + "uuid": "ef27fb19-7e71-43e0-b6f6-6f03ab67666f", + "name": "timesketch_message" +} From 6cc29aad3dda895de95fe9f0d86bb9a7007af7c2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 26 Nov 2018 22:21:51 +0100 Subject: [PATCH 145/244] chg: [microblog] a small clarification about the username to avoid the @ --- objects/microblog/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json index 906a03c..847fceb 100644 --- a/objects/microblog/definition.json +++ b/objects/microblog/definition.json @@ -30,7 +30,7 @@ ] }, "username": { - "description": "Username who posted the microblog post", + "description": "Username who posted the microblog post (without the @ prefix)", "ui-priority": 0, "misp-attribute": "text" }, @@ -62,7 +62,7 @@ "misp-attribute": "text" } }, - "version": 4, + "version": 5, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "meta-category": "misc", "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", From 11a462e79b02428a08b11698d45aa8aa5ab6887d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 4 Dec 2018 15:39:51 +0100 Subject: [PATCH 146/244] chg: [person] OFAC fields - Office of Foreign Assets Control --- objects/person/definition.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index d8950f0..d2ad496 100644 
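Review bot: The object name and directory use an underscore, `timesketch_message`, while every other template on this page uses hyphens (`coin-address`, `cortex-taxonomy`, `facial-composite`, `research-scanner`). `name` is the identifier users see and integrations look up, so renaming later is costly; settling on `timesketch-message` for both the directory and `"name": "timesketch-message"` before the first release avoids that. `"recommended": true` on `datetime` is redundant with its presence in `required`.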
--- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -98,6 +98,16 @@ "ui-priority": 0, "misp-attribute": "text" }, + "birth-certificate-number": { + "description": "Birth Certificate Number", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ofac-identification-number": { + "description": "ofac-identification Number", + "ui-priority": 0, + "misp-attribute": "text" + }, "nationality": { "description": "The nationality of a natural person.", "ui-priority": 0, @@ -136,7 +146,7 @@ "multiple": true } }, - "version": 4, + "version": 5, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From 7dfa69a743078d8bdddb664604aaff3e40054b3f Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 21 Dec 2018 12:27:11 +0100 Subject: [PATCH 147/244] Object Victim - Extended requiredOneof --- objects/victim/definition.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/objects/victim/definition.json b/objects/victim/definition.json index 346dc70..2ef946c 100644 --- a/objects/victim/definition.json +++ b/objects/victim/definition.json @@ -1,6 +1,8 @@ { "requiredOneOf": [ - "name" + "name", + "regions", + "sectors" ], "attributes": { "description": { From 5a9800ab6aba54fe1019fabd167b6dc13e4e2fd7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 21 Dec 2018 20:28:24 +0100 Subject: [PATCH 148/244] chg: [person] portrait added #133 --- objects/person/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index d2ad496..6dd31b5 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json 
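Review bot: The description of the new `ofac-identification-number` attribute, `ofac-identification Number`, just repeats the key and leaves the acronym unexplained for analysts outside sanctions work; spelling it out as the commit title does reads better: `"description": "Office of Foreign Assets Control (OFAC) identification number."`. For symmetry `birth-certificate-number` could use the same sentence style, `"description": "Birth certificate number."`.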
@@ -144,9 +144,15 @@ "ui-priority": 10, "misp-attribute": "email-src", "multiple": true + }, + "portrait": { + "description": "Portrait of the person.", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true } }, - "version": 5, + "version": 6, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From 9b84576442c82259104814404f21264f1f94a790 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 21 Dec 2018 20:41:45 +0100 Subject: [PATCH 149/244] add: [facial-composite] new facial composite object --- objects/facial-composite/definition.json | 39 ++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 objects/facial-composite/definition.json diff --git a/objects/facial-composite/definition.json b/objects/facial-composite/definition.json new file mode 100644 index 0000000..585f4ee --- /dev/null +++ b/objects/facial-composite/definition.json @@ -0,0 +1,39 @@ +{ + "requiredOneOf": [ + "facial-composite", + "text" + ], + "attributes": { + "text": { + "description": "A description of the facial composite.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "technique": { + "description": "Construction technique of the facial composite.", + "ui-priority": 0, + "misp-attribute": "text", + "values_list": [ + "E-FIT", + "PROfit", + "Sketch", + "Photofit", + "EvoFIT", + "PortraitPad" + ], + "disable_correlation": true + }, + "facial-composite": { + "description": "Facial composite image.", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true + } + }, + "version": 1, + "description": "An object which describes a facial composite.", + "meta-category": "misc", + "uuid": "d727bc27-d1b9-4754-972c-dea305bd5976", + "name": "facial-composite" +} From e634e50e898e27a2cc0ad1a84a225d64ce8e30c3 Mon Sep 17 00:00:00 2001 
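Review bot: `requiredOneOf` for the new facial-composite object lists `text` next to `facial-composite`, so an instance consisting only of a free-text description and no image is valid; if the image is the essence of the object, `"required": ["facial-composite"]` with `text` optional expresses that. The `facial-composite` attachment — and `portrait` in the person hunk just above — are the only attributes in their hunks without `disable_correlation`; attachment values are file names, and if the targeted MISP version correlates on them (worth confirming), generic names such as `portrait.jpg` would link unrelated events, so `"disable_correlation": true` is the safer default for both.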
From: Alexandre Dulaunoy Date: Fri, 21 Dec 2018 20:44:01 +0100 Subject: [PATCH 150/244] chg: [doc] facial-composite object added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 13cdafc..5bf98d9 100644 --- a/README.md +++ b/README.md @@ -88,6 +88,7 @@ for a specific attribute. * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF). * [objects/email](objects/email/definition.json) - An email object. * [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. +* [objects/facial-composite](objects/facial-composite/definition.json) A facial composite object. * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object. * [objects/file](objects/file/definition.json) - File object describing a file with meta-information. * [objects/forensic-case](objects/forensic-case/definition.json) - An object template to describe a digital forensic case. From 39bd2641aa33ce733151bbf74fdbd3da6118a20e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 21 Dec 2018 20:50:12 +0100 Subject: [PATCH 151/244] chg: [relationships] witness-of added --- relationships/definition.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index c6c94bb..0242365 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -927,6 +927,13 @@ "format": [ "alfred" ] + }, + { + "name": "witness-of", + "description": "Represents an object being a witness of something.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From 25dc125a307648ff3d48d148ca57328cecf625d9 Mon Sep 17 00:00:00 2001 
From: Christophe Vandeplas Date: Sat, 22 Dec 2018 07:23:17 +0100 Subject: [PATCH 152/244] fix: [relationships] removed duplicate
---
 relationships/definition.json | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 0242365..6b12f4a 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -264,13 +264,6 @@
 "misp"
 ]
 },
- {
- "name": "dropped-by",
- "description": "This relationship describes an object dropped by another object.",
- "format": [
- "misp"
- ]
- },
 {
 "name": "drops",
 "description": "This relationship describes an object which drops another object",
From 68ca8b0a92cfc145d74a11703785718c8d35af62 Mon Sep 17 00:00:00 2001
From: eCrimeLabs Date: Sun, 30 Dec 2018 12:31:17 +0100 Subject: [PATCH 153/244] Updated JA3 to have own data type ja3-fingerprint-md5 and bumped the version
---
 objects/ja3/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json
index 6dcee9f..39b539d 100644
--- a/objects/ja3/definition.json
+++ b/objects/ja3/definition.json
@@ -2,12 +2,12 @@
 "name": "ja3",
 "meta-category": "network",
 "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
- "version": 3,
+ "version": 4,
 "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
 "attributes": {
 "ja3-fingerprint-md5": {
 "description": "Hash identifying source",
- "misp-attribute": "md5",
+ "misp-attribute": "ja3-fingerprint-md5",
 "ui-priority": 1
 },
 "description": {
From d98cfd6d1601fabe6a6260f3765fbf0c5b4cd804 Mon Sep 17 00:00:00 2001
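Review bot: Switching the attribute from `md5` to the dedicated `ja3-fingerprint-md5` type makes this template depend on a MISP release that knows that type; an older instance importing the template will reject or degrade it, so the minimum MISP version this requires should be stated in the commit message or README. The attribute description `Hash identifying source` still does not say what is hashed; given the object description above it, `"description": "MD5 hash of the JA3 client fingerprint string"` is more useful to an analyst. The `attributes` object continues outside the hunk.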
From: Stefan Kelm Date: Wed, 2 Jan 2019 16:19:08 +0100 Subject: [PATCH 154/244] New object: Information related to known scanning activity (e.g. from research projects) --- README.md | 1 + objects/research-scanner/definition.json | 80 ++++++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 objects/research-scanner/definition.json diff --git a/README.md b/README.md index 5bf98d9..2be07a3 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,7 @@ for a specific attribute. * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object. * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml. * [objects/report](objects/report/definition.json) - Object to describe metadata used to generate an executive level report. +* [objects/research-scanner](objects/research-scanner/definition.json) - Information related to known scanning activity (e.g. from research projects) * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. diff --git a/objects/research-scanner/definition.json b/objects/research-scanner/definition.json new file mode 100644 index 0000000..8822c4e --- /dev/null +++ b/objects/research-scanner/definition.json 
@@ -0,0 +1,80 @@ +{ + "required": [ + "project", + "scanning_ip" + ], + "attributes": { + "project": { + "description": "Description of scanning project", + "ui-priority": 1, + "disable_correlation": true, + "misp-attribute": "text" + }, + "scanning_ip": { + "description": "IP address used by project", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-src", + "multiple": true + }, + "domain": { + "description": "Domain related to project", + "ui-priority": 1, + "multiple": true, + "misp-attribute": "domain" + }, + "asn": { + "description": "Autonomous System Number related to project", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "AS" + }, + "scheduled_start": { + "description": "Scheduled start of scanning activity", + "disable_correlation": true, + "ui-priority": 1, + "multiple": true, + "misp-attribute": "datetime" + }, + "scheduled_end": { + "description": "Scheduled end of scanning activity", + "disable_correlation": true, + "ui-priority": 0, + "multiple": true, + "misp-attribute": "datetime" + }, + "contact_email": { + "description": "Project contact information", + "disable_correlation": true, + "categories": [ + "Network activity", + "Social network" + ], + "ui-priority": 1, + "misp-attribute": "email-dst", + "multiple": true + }, + "contact_phone": { + "description": "Phone number related to project", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "phone-number", + "multiple": true + }, + "project_url": { + "description": "URL related to project", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "link", + "multiple": true + } + }, + "version": 20190102, + "description": "Information related to known scanning activity (e.g. from research projects)", + "meta-category": "network", + "uuid": "d690e956-fc8a-11e8-8eb2-f2801f1b9fd1", + "name": "research-scanner" +} 
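Review bot: `"version": 20190102` uses a date as the template version, whereas every other template on this page uses a small sequential integer. MISP compares versions numerically so it works, but every future revision must stay above 20190102 and the value no longer tells how many revisions exist; `"version": 1` follows the convention. `contact_email` is typed `email-dst`, which labels the project's abuse/contact address as a destination of malicious mail; with `disable_correlation` already set, `email-src` or — if the targeted MISP version has it, worth confirming — the plain `email` type would be less misleading.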
From 12f51e2ad5378fe7615b7b1a4fb929540f7ccc33 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 2 Jan 2019 22:05:02 +0100 Subject: [PATCH 155/244] chg: [doc] copyright date fixed --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2be07a3..48aab48 100644 --- a/README.md +++ b/README.md @@ -187,9 +187,9 @@ The MISP objects model allows to add new combined indicators format based on the ~~~~ -Copyright (C) 2016-2018 Andras Iklody -Copyright (C) 2016-2018 Alexandre Dulaunoy -Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg +Copyright (C) 2016-2019 Andras Iklody +Copyright (C) 2016-2019 Alexandre Dulaunoy +Copyright (C) 2016-2019 CIRCL - Computer Incident Response Center Luxembourg This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by From ae32e23fbf79d106caa0d3341e2a403171d9799c Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Thu, 3 Jan 2019 15:07:08 +0100 Subject: [PATCH 156/244] chg: [http-request] IP as allowed type --- objects/http-request/definition.json | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/objects/http-request/definition.json b/objects/http-request/definition.json index 76bb081..04c4e6e 100644 --- a/objects/http-request/definition.json +++ b/objects/http-request/definition.json @@ -51,6 +51,15 @@ "ui-priority": 1, "misp-attribute": "hostname" }, + "ip": { + "categories": [ + "Network activity", + "Payload delivery" + ], + "description": "The IP address of the server", + "ui-priority": 1, + "misp-attribute": "ip-dst" + }, "method": { "categories": [ "Network activity" @@ -111,7 +120,7 @@ "misp-attribute": "user-agent" } }, - "version": 2, + "version": 3, "description": "A single HTTP request header", "meta-category": "network", "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b", 
From b0d8e91f0faff0b83904e2dac68346f20ee5ff98 Mon Sep 17 00:00:00 2001
From: Deborah Servili Date: Fri, 11 Jan 2019 15:02:06 +0100 Subject: [PATCH 157/244] add alias as a requiredOneof attribute
---
 objects/person/definition.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index 6dd31b5..d6c2c2f 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -1,7 +1,8 @@
 {
 "requiredOneOf": [
 "first-name",
- "last-name"
+ "last-name",
+ "alias"
 ],
 "attributes": {
 "text": {
From d6299e65425b781a8ea9fdd51f60f0ebc3835b16 Mon Sep 17 00:00:00 2001
From: Deborah Servili Date: Fri, 11 Jan 2019 15:03:11 +0100 Subject: [PATCH 158/244] update person object version
---
 objects/person/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index d6c2c2f..2c0b080 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -153,7 +153,7 @@
 "multiple": true
 }
 },
- "version": 6,
+ "version": 7,
 "description": "An object which describes a person or an identity.",
 "meta-category": "misc",
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
From cf8c50b72e76483c4175b9cd798e262eba3234b2 Mon Sep 17 00:00:00 2001
From: chrisr3d Date: Fri, 11 Jan 2019 16:50:29 +0100 Subject: [PATCH 159/244] fix: Disabled correlation for original imported samples
---
 objects/original-imported-file/definition.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json
index c9d4762..5bd93ff 100644
--- a/objects/original-imported-file/definition.json
+++ b/objects/original-imported-file/definition.json
@@ -7,6 +7,7 @@
 "imported-sample": {
 "description": "The original imported file itself (binary).",
 "ui-priority": 1,
+ "disable_correlation": true,
 "misp-attribute": "attachment"
 },
 "format": {
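Review bot: The `disable_correlation` line added to `imported-sample` ships without a bump of the template `version` — the diffstat shows a single insertion and no deletion — so instances that already hold this template keep correlating on imported samples until some unrelated later bump. The `version` line lies outside the hunk and should move up by one in the same commit; the two person commits just above do this, though split over two commits, which makes the first of them an inconsistent intermediate state.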
From beb0ec8bb7556fdbd2cdb64f9566d5543c56192a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 24 Jan 2019 13:36:09 +0100 Subject: [PATCH 160/244] chg: [script] added PHP in the most used programming language (at least when looking at malicious WebShells on the Internet) - I sense a new stackoverflow survey category Signed-off: 5c45721d-de08-4fff-b9b0-168a02de0b81 --- objects/script/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/script/definition.json b/objects/script/definition.json index 1824f58..f95d34f 100644 --- a/objects/script/definition.json +++ b/objects/script/definition.json @@ -30,7 +30,8 @@ "Perl", "Ruby", "Winbatch", - "AutoIt" + "AutoIt", + "PHP" ] }, "filename": { @@ -54,7 +55,7 @@ ] } }, - "version": 1, + "version": 2, "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "meta-category": "misc", "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", From 15337038948153987823e3f5980f697215de0424 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 28 Jan 2019 15:26:49 +0100 Subject: [PATCH 161/244] add interpol notice object --- README.md | 1 + objects/interpol-notice/definition.json | 144 ++++++++++++++++++++++++ 2 files changed, 145 insertions(+) create mode 100644 objects/interpol-notice/definition.json diff --git a/README.md b/README.md index 48aab48..1c06b0b 100644 --- a/README.md +++ b/README.md 
@@ -96,6 +96,7 @@ for a specific attribute. * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location. * [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network. * [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object. +* [objects/interpol-notice](objects/interpol-notice/definition.json) - Object used to represent an Interpol notice * [objects/ip-api-address](objects/ip-api-address/definition.json) - Object describing IP Address information, as defined in [ip-api.com](http://ip-api.com). * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way. diff --git a/objects/interpol-notice/definition.json b/objects/interpol-notice/definition.json new file mode 100644 index 0000000..1bc0729 --- /dev/null +++ b/objects/interpol-notice/definition.json 
@@ -0,0 +1,144 @@ +{ + "requiredOneOf": [ + "first-name", + "last-name", + ], + "attributes": { + "notice-color": { + "description": "The color/type of the notice", + "misp-attribute": "text", + "ui-priority": 1, + "sane_default": [ + "Red", + "Yellow", + "Blue", + "Black", + "Green", + "Orange", + "Purple" + ] + }, + "present-family-name": { + "description": "Last name of a natural person.", + "ui-priority": 0, + "misp-attribute": "last-name" + }, + "Forename": { + "description": "First name of a natural person.", + "ui-priority": 0, + "misp-attribute": "first-name", + "disable_correlation": true + }, + "alias": { + "description": "Alias name or known as.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "father-s-family-name-&-forename": { + "description": "Father's family name & forename.", + "ui-priority": 0, + "misp-attribute": "text", + }, + "mother-s-family-name-&-forename": { + "description": "Mother's family name & forename.", + "ui-priority": 0, + "misp-attribute": "text", + }, + "date-of-birth": { + "description": "Date of birth of a natural person (in YYYY-MM-DD format).", + "ui-priority": 0, + "misp-attribute": "date-of-birth" + }, + "place-of-birth": { + "description": "Place of birth of a natural person.", + "ui-priority": 0, + "misp-attribute": "place-of-birth", + "disable_correlation": true + }, + "sex": { + "description": "The gender of a natural person.", + "ui-priority": 0, + "misp-attribute": "gender", + "values_list": [ + "Male", + "Female", + "Other", + "Prefer not to say" + ], + "disable_correlation": true + }, + "nationality": { + "description": "The nationality of a natural person.", + "ui-priority": 0, + "misp-attribute": "nationality", + "multiple": true, + "disable_correlation": true + }, + "language-spoken": { + "description": "Languages spoken by a person.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "disable_correlation": true + }, + "charges": { + "description": "Charges published 
as provided by requesting entity", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "disable_correlation": true + }, + "date-of-disappearance": { + "description": "Date of disappearance of a missing person.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "place-of-disappearance": { + "description": "Place of birth of a natural person.", + "ui-priority": 0, + "misp-attribute": "text", + }, + "height": { + "description": "Height of a person.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "weight": { + "description": "weight of a person.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "colour-of-hair": { + "description": "Description of a person's colour of hair.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "colour-of-eyes": { + "description": "Description of a person's colour of eyes.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "distinguishing-marks-and-characteristics": { + "description": "Distinguishing marks and characteristics of a person.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "portrait": { + "description": "Portrait of the person.", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true + } + }, + "version": 1, + "description": "An object which describes a Interpol notice.", + "meta-category": "misc", + "uuid": "24927972-1e4a-11e9-857e-3b2306b99911", + "name": "interpol-notice" +} From 0f6f7de3845e4100a89a41f840bbff4f186358dd Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 28 Jan 2019 15:40:07 +0100 Subject: [PATCH 162/244] fix required field for interpol notice --- objects/interpol-notice/definition.json | 49 ++++++++++++------------- 1 file changed, 24 insertions(+), 25 deletions(-) 
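Review bot: The file as added is not valid strict JSON: `"last-name", ]` in `requiredOneOf` and the `"misp-attribute": "text", }` endings of `father-s-family-name-&-forename`, `mother-s-family-name-&-forename` and `place-of-disappearance` each leave a trailing comma, which `jq`/Python will reject. `requiredOneOf` also names `first-name` and `last-name`, which are attribute *types* here, not keys of `attributes` (the keys are `present-family-name` and `Forename`), so the constraint can never be satisfied by this object's own attributes. Separately, `date-of-disappearance` is typed `text` while `date-of-birth` uses a date-typed attribute; a date-typed attribute would keep the value machine-comparable, so it is worth checking which types MISP offers for it. The `&` inside the two parent-name keys is also likely to be awkward for tooling that treats attribute keys as identifiers; `father-family-name-and-forename` reads the same.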
diff --git a/objects/interpol-notice/definition.json b/objects/interpol-notice/definition.json index 1bc0729..95aacaa 100644 --- a/objects/interpol-notice/definition.json +++ b/objects/interpol-notice/definition.json @@ -1,7 +1,6 @@ { - "requiredOneOf": [ - "first-name", - "last-name", + "required": [ + "notice-color" ], "attributes": { "notice-color": { @@ -23,7 +22,7 @@ "ui-priority": 0, "misp-attribute": "last-name" }, - "Forename": { + "forename": { "description": "First name of a natural person.", "ui-priority": 0, "misp-attribute": "first-name", @@ -38,12 +37,12 @@ "father-s-family-name-&-forename": { "description": "Father's family name & forename.", "ui-priority": 0, - "misp-attribute": "text", + "misp-attribute": "text" }, "mother-s-family-name-&-forename": { "description": "Mother's family name & forename.", "ui-priority": 0, - "misp-attribute": "text", + "misp-attribute": "text" }, "date-of-birth": { "description": "Date of birth of a natural person (in YYYY-MM-DD format).", 
@@ -97,38 +96,38 @@ "place-of-disappearance": { "description": "Place of birth of a natural person.", "ui-priority": 0, - "misp-attribute": "text", + "misp-attribute": "text" }, - "height": { + "height": { "description": "Height of a person.", "ui-priority": 0, "misp-attribute": "text", "disable_correlation": true }, - "weight": { - "description": "weight of a person.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true + "weight": { + "description": "weight of a person.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true }, - "colour-of-hair": { - "description": "Description of a person's colour of hair.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true + "colour-of-hair": { + "description": "Description of a person's colour of hair.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true }, - "colour-of-eyes": { - "description": "Description of a person's colour of eyes.", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true + "colour-of-eyes": { + "description": "Description of a person's colour of eyes.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true }, - "distinguishing-marks-and-characteristics": { + "distinguishing-marks-and-characteristics": { "description": "Distinguishing marks and characteristics of a person.", "ui-priority": 0, "misp-attribute": "text", "disable_correlation": true - }, + }, "portrait": { "description": "Portrait of the person.", "ui-priority": 10, From b4c2de001c54cec63956835faae00e785dc0cc14 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 28 Jan 2019 16:06:05 +0100 Subject: [PATCH 163/244] fix jq_all_the_things script --- jq_all_the_things.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh index 78d58b9..ad80ca2 100755 --- a/jq_all_the_things.sh +++ b/jq_all_the_things.sh 
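Review bot: The `place-of-disappearance` entry is touched by this hunk (only the trailing comma is dropped) but keeps the description copied from `place-of-birth`, `"Place of birth of a natural person."`; it should read `"description": "Place of disappearance of a missing person."`. The rest of the hunk is a re-indentation of `height` through `distinguishing-marks-and-characteristics` that hides the real fixes in the diff; if the repository's `jq_all_the_things.sh` normalises formatting (its validation loop is visible in the next commit, the rest is not), running it before committing would keep whitespace churn out of functional changes.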
@@ -1,5 +1,17 @@ #!/bin/bash +# Seeds sponge, from moreutils + +#Validate all Jsons first +for dir in `find . -name "*.json"` +do + echo validating ${dir} + # python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();" + cat ${dir} | jq . >/dev/null + rc=$? + if [[ $rc != 0 ]]; then exit $rc; fi +done + set -e set -x From b141dce58128419fc414373f6aa3c1d9b425e3ad Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 31 Jan 2019 22:41:23 +0100 Subject: [PATCH 164/244] add: [anonymisation] Anonymisation object describing an anonymisation technique which is used in MISP anonymised attributes. --- objects/anonymisation/definition.json | 190 ++++++++++++++++++++++++++ 1 file changed, 190 insertions(+) create mode 100644 objects/anonymisation/definition.json diff --git a/objects/anonymisation/definition.json b/objects/anonymisation/definition.json new file mode 100644 index 0000000..5cf596b --- /dev/null +++ b/objects/anonymisation/definition.json 
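Review bot: The new validation loop iterates over an unquoted backtick `find`, and `cat ${dir}` is unquoted too, so any JSON path containing whitespace is word-split into fragments that either fail or are silently skipped; `find -print0` with `read -d ''` fixes that, and feeding the loop through process substitution keeps it in the main shell so the `exit` actually aborts the script (a `find | while` pipeline would only exit a subshell). `jq .` is a syntax check only: it accepts duplicate keys (last one wins), so a merge that doubles an attribute will still pass — worth a comment so nobody relies on it for more. The comment `# Seeds sponge, from moreutils` looks like a typo for `Needs sponge` (sponge is not used in the visible lines, so it presumably appears further down the script).
```bash
#!/bin/bash
# Needs sponge, from moreutils

# Validate all JSON files first, before set -e, so the offending file is reported.
# -print0 / read -d '' keep paths with whitespace intact; process substitution
# keeps the loop in the main shell so `exit` really aborts the script.
# NOTE: jq only checks syntax; duplicate keys are accepted (last one wins).
while IFS= read -r -d '' f; do
  echo "validating ${f}"
  jq . "${f}" >/dev/null || { echo "invalid JSON: ${f}" >&2; exit 1; }
done < <(find . -name '*.json' -print0)

set -e
set -x
```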
@@ -0,0 +1,190 @@ +{ + "requiredOneOf": [ + "description", + "method", + "key", + "keyed-hash-function", + "encryption-function", + "regexp", + "iv" + ], + "attributes": { + "method": { + "description": "Anonymisation (pseudo or not) method(s) used", + "ui-priority": 1, + "disable_correlation": true, + "sane_default": [ + "hiding - Attribute is replaced with a constant value (typically 0) of the same size. Sometimes called 'black marker'.", + "hash - A hash function maps each attribute to a new (not necessarily unique) attribute.", + "permutation - Maps each original value to a unique new value.", + "prefix-preserving - Any two values that had the same n-bit prefix before anonymization will still have the same n-bit prefix as each other after anonymization. (Would be more accurately called 'prefix-relationship-preserving', because the actual prefix values are not preserved.) ", + "shift - Adds a fixed offset to each value/attribute.", + "enumeration - Map each original value to a new value such that their ordering is preserved.", + "partitioning - Possible values are partitioned into meaningful sets; actual values are replaced with a fixed value from the same set. E.g., TCP port numbers 0 to 1023 are replaced with 0, and 1024 to 65535 replaced with 65535.", + "updated - Checksums are recalculated to reflect changes made to other fields.", + "truncation - Field is shortened, losing data at the end.", + "encryption - Attribute is encrypted." 
+ ], + "misp-attribute": "text", + "multiple": true + }, + "key": { + "description": "Key (such as a PSK in a keyed-hash-function) used to anonymise the attribute", + "ui-priority": 1, + "disable_correlation": true, + "misp-attribute": "text" + }, + "iv": { + "description": "Initialisation vector for the encryption function used to anonymise the attribute", + "ui-priority": 1, + "disable_correlation": true, + "misp-attribute": "text" + }, + "keyed-hash-function": { + "description": "Keyed-hash function used to anonymise the attribute", + "ui-priority": 1, + "disable_correlation": true, + "sane_default": [ + "hmac-sha1", + "hmac-md5", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ], + "misp-attribute": "text" + }, + "encryption-function": { + "description": "Encryption function or algorithm used to anonymise the attribute", + "ui-priority": 1, + "disable_correlation": true, + "sane_default": [ + "bf-cbc", + "bf", + "blowfish", + "bf-cfb", + "bf-ecb", + "bf-ofb", + "cast-cbc", + "cast", + "cast5-cbc", + "cast5-cfb", + "cast5-ecb", + "cast5-ofb", + "des-cbc", + "des", + "des-cfb", + "des-ofb", + "des-ecb", + "des-ede-cbc", + "des-ede", + "des-ede-cfb", + "des-ede-ofb", + "des-ede3-cbc", + "des-ede3", + "des3", + "des-ede3-cfb", + "des-ede3-ofb", + "desx", + "gost89", + "gost89-cnt", + "idea-cbc", + "idea", + "idea-cfb", + "idea-ecb", + "idea-ofb", + "rc2-cbc", + "rc2", + "rc2-cfb", + "rc2-ecb", + "rc2-ofb", + "rc2-64-cbc", + "rc2-40-cbc", + "rc4", + "rc4-64", + "rc4-40", + "rc5-cbc", + "rc5", + "rc5-cfb", + "rc5-ecb", + "rc5-ofb", + "seed-cbc", + "seed", + "seed-cfb", + "seed-ecb", + "seed-ofb", + "sm4-cbc", + "sm4", + "sm4-cfb", + "sm4-ctr", + "sm4-ecb", + "sm4-ofb", + "aes-128-cbc", + "aes128", + "aes-128-cfb", + "aes-128-cfb1", + "aes-128-cfb8", + "aes-128-ctr", + "aes-128-ecb", + "aes-128-ofb", + "aes-128-cbc", + "aes128", + "aes-192-cfb", + "aes-192-cfb1", + "aes-192-cfb8", + "aes-192-ctr", + "aes-192-ecb", + "aes-192-ofb", + "aes-192-cbc", + "aes192", + 
"aes-256-cfb", + "aes-256-cfb1", + "aes-256-cfb8", + "aes-256-ctr", + "aes-256-ecb", + "aes-256-ofb", + "camellia-128-cbc", + "camellia128", + "camellia-128-cfb", + "camellia-128-cfb1", + "camellia-128-cfb8", + "camellia-128-ctr", + "camellia-128-ecb", + "camellia-128-ofb", + "camellia-192-cbc", + "camellia192", + "camellia-192-cfb", + "camellia-192-cfb1", + "camellia-192-cfb8", + "camellia-192-ctr", + "camellia-192-ecb", + "camellia-192-ofb", + "camellia-256-cbc", + "camellia256", + "camellia-256-cfb", + "camellia-256-cfb1", + "camellia-256-cfb8", + "camellia-256-ctr", + "camellia-256-ecb", + "camellia-256-ofb" + ], + "misp-attribute": "text" + }, + "regexp": { + "description": "Regular expression to perfom the anonymisation (reversible or not)", + "ui-priority": 10, + "disable_correlation": true, + "misp-attribute": "text" + }, + "description": { + "description": "Description of the anonymisation technique or tool used", + "ui-priority": 1, + "disable_correlation": true, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Anonymisation object describing an anonymisation technique which is used in MISP anonymised attributes. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml", + "meta-category": "misc", + "uuid": "5867cffe-60ff-44f6-b097-e5f36b5de0ac", + "name": "anonymisation" +} From 86a116770bcd48c56eb7887d26dab7f742e4d7fb Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Thu, 31 Jan 2019 22:57:49 +0100 Subject: [PATCH 165/244] Update definition.json --- objects/anonymisation/definition.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/objects/anonymisation/definition.json b/objects/anonymisation/definition.json index 5cf596b..acbec67 100644 --- a/objects/anonymisation/definition.json +++ b/objects/anonymisation/definition.json 
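Review bot: The `key` and `iv` attributes carry the secret that makes the anonymisation reversible, and nothing in the template warns that an object distributed with its `key` lets every recipient undo a keyed-hash pseudonymisation (recompute the HMAC over candidate values) or decrypt the attribute outright; the `key` description should say so, e.g. `"Key (such as a PSK in a keyed-hash-function) used to anonymise the attribute. Anyone holding this key can reverse the anonymisation; share it only with parties entitled to the original values."`. The `encryption-function` list contains `aes-128-cbc` and `aes128` twice, which presumably was meant to be the missing `aes-256-cbc`/`aes256` pair. The `regexp` attribute is a pattern that consumers may execute; its description should note that it comes from a third party and must be applied with a bounded engine/timeout, since a crafted pattern can trigger catastrophic backtracking.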
@@ -10,14 +10,14 @@ ], "attributes": { "method": { - "description": "Anonymisation (pseudo or not) method(s) used", + "description": "Anonymisation (or pseudo-anonymisation) method(s) used", "ui-priority": 1, "disable_correlation": true, "sane_default": [ "hiding - Attribute is replaced with a constant value (typically 0) of the same size. Sometimes called 'black marker'.", "hash - A hash function maps each attribute to a new (not necessarily unique) attribute.", "permutation - Maps each original value to a unique new value.", - "prefix-preserving - Any two values that had the same n-bit prefix before anonymization will still have the same n-bit prefix as each other after anonymization. (Would be more accurately called 'prefix-relationship-preserving', because the actual prefix values are not preserved.) ", + "prefix-preserving - Any two values that had the same n-bit prefix before anonymisation will still have the same n-bit prefix as each other after anonymization. (Would be more accurately called 'prefix-relationship-preserving', because the actual prefix values are not preserved.) ", "shift - Adds a fixed offset to each value/attribute.", "enumeration - Map each original value to a new value such that their ordering is preserved.", "partitioning - Possible values are partitioned into meaningful sets; actual values are replaced with a fixed value from the same set. E.g., TCP port numbers 0 to 1023 are replaced with 0, and 1024 to 65535 replaced with 65535.", @@ -183,7 +183,7 @@ } }, "version": 1, - "description": "Anonymisation object describing an anonymisation technique which is used in MISP anonymised attributes. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml", + "description": "Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml", "meta-category": "misc", "uuid": "5867cffe-60ff-44f6-b097-e5f36b5de0ac", "name": "anonymisation" 
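Review bot: The reworded `prefix-preserving` entry now spells the term both ways in one sentence (`before anonymisation … after anonymization`); since these strings are stored as attribute values, pick one, e.g. `… will still have the same n-bit prefix as each other after anonymisation.`. `pseudo-anonymisation` in the `method` description is not the usual term either: a reversible technique keyed by a secret or lookup table is normally called pseudonymisation (the GDPR term), which would also match the `key`/`keyed-hash-function` attributes this object carries.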
From f5c7530e0b375cdd1b72a98f532dca731f8a0b80 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 31 Jan 2019 23:01:08 +0100 Subject: [PATCH 166/244] chg: [anonymisation] algo list fixed --- objects/anonymisation/definition.json | 136 +++++++++++++------------- 1 file changed, 67 insertions(+), 69 deletions(-) diff --git a/objects/anonymisation/definition.json b/objects/anonymisation/definition.json index acbec67..d3233a0 100644 --- a/objects/anonymisation/definition.json +++ b/objects/anonymisation/definition.json 
@@ -58,114 +58,112 @@ "ui-priority": 1, "disable_correlation": true, "sane_default": [ - "bf-cbc", - "bf", - "blowfish", - "bf-cfb", - "bf-ecb", - "bf-ofb", - "cast-cbc", - "cast", - "cast5-cbc", - "cast5-cfb", - "cast5-ecb", - "cast5-ofb", - "des-cbc", - "des", - "des-cfb", - "des-ofb", - "des-ecb", - "des-ede-cbc", - "des-ede", - "des-ede-cfb", - "des-ede-ofb", - "des-ede3-cbc", - "des-ede3", - "des3", - "des-ede3-cfb", - "des-ede3-ofb", - "desx", - "gost89", - "gost89-cnt", - "idea-cbc", - "idea", - "idea-cfb", - "idea-ecb", - "idea-ofb", - "rc2-cbc", - "rc2", - "rc2-cfb", - "rc2-ecb", - "rc2-ofb", - "rc2-64-cbc", - "rc2-40-cbc", - "rc4", - "rc4-64", - "rc4-40", - "rc5-cbc", - "rc5", - "rc5-cfb", - "rc5-ecb", - "rc5-ofb", - "seed-cbc", - "seed", - "seed-cfb", - "seed-ecb", - "seed-ofb", - "sm4-cbc", - "sm4", - "sm4-cfb", - "sm4-ctr", - "sm4-ecb", - "sm4-ofb", - "aes-128-cbc", "aes128", + "aes-128-cbc", "aes-128-cfb", "aes-128-cfb1", "aes-128-cfb8", "aes-128-ctr", "aes-128-ecb", "aes-128-ofb", - "aes-128-cbc", - "aes128", + "aes192", + "aes-192-cbc", "aes-192-cfb", "aes-192-cfb1", "aes-192-cfb8", "aes-192-ctr", "aes-192-ecb", "aes-192-ofb", - "aes-192-cbc", - "aes192", "aes-256-cfb", "aes-256-cfb1", "aes-256-cfb8", "aes-256-ctr", "aes-256-ecb", "aes-256-ofb", - "camellia-128-cbc", + "bf", + "bf-cbc", + "bf-cfb", + "bf-ecb", + "bf-ofb", + "blowfish", "camellia128", + "camellia-128-cbc", "camellia-128-cfb", "camellia-128-cfb1", "camellia-128-cfb8", "camellia-128-ctr", "camellia-128-ecb", "camellia-128-ofb", - "camellia-192-cbc", "camellia192", + "camellia-192-cbc", "camellia-192-cfb", "camellia-192-cfb1", "camellia-192-cfb8", "camellia-192-ctr", "camellia-192-ecb", "camellia-192-ofb", - "camellia-256-cbc", "camellia256", + "camellia-256-cbc", "camellia-256-cfb", "camellia-256-cfb1", "camellia-256-cfb8", "camellia-256-ctr", "camellia-256-ecb", - "camellia-256-ofb" + "camellia-256-ofb", + "cast", + "cast5-cbc", + "cast5-cfb", + "cast5-ecb", + "cast5-ofb", + 
"cast-cbc", + "des", + "des3", + "des-cbc", + "des-cfb", + "des-ecb", + "des-ede", + "des-ede3", + "des-ede3-cbc", + "des-ede3-cfb", + "des-ede3-ofb", + "des-ede-cbc", + "des-ede-cfb", + "des-ede-ofb", + "des-ofb", + "desx", + "gost89", + "gost89-cnt", + "idea", + "idea-cbc", + "idea-cfb", + "idea-ecb", + "idea-ofb", + "rc2", + "rc2-40-cbc", + "rc2-64-cbc", + "rc2-cbc", + "rc2-cfb", + "rc2-ecb", + "rc2-ofb", + "rc4", + "rc4-40", + "rc4-64", + "rc5", + "rc5-cbc", + "rc5-cfb", + "rc5-ecb", + "rc5-ofb", + "seed", + "seed-cbc", + "seed-cfb", + "seed-ecb", + "seed-ofb", + "sm4", + "sm4-cbc", + "sm4-cfb", + "sm4-ctr", + "sm4-ecb", + "sm4-ofb" ], "misp-attribute": "text" }, From 732476d7cae836b02a7e0648f5349a7faae3c3f4 Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Fri, 1 Feb 2019 09:37:31 +0100 Subject: [PATCH 167/244] added values valuable to operators --- objects/phishing/definition.json | 35 +++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/objects/phishing/definition.json b/objects/phishing/definition.json index 3fc7948..958295c 100644 --- a/objects/phishing/definition.json +++ b/objects/phishing/definition.json 
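Review bot: The sorted list still has no `aes256`/`aes-256-cbc`: `aes128`/`aes-128-cbc` and `aes192`/`aes-192-cbc` are present, but the 256-bit group starts at `aes-256-cfb`, so the duplicated 128-bit pair of the original was apparently never turned into the 256-bit one; add `"aes256",` and `"aes-256-cbc",` before `"aes-256-cfb"`. No AEAD modes (`aes-*-gcm`, `chacha20-poly1305`) appear at all — if the list was taken from `openssl enc -ciphers` that is expected, since `enc` does not support them, but a short note in the attribute description saying where the list comes from would stop the next reader from assuming the omission is deliberate.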
@@ -55,13 +55,46 @@ "misp-attribute": "datetime", "disable_correlation": true }, + "takedown-request": { + "description": "When the phishing was requested to be taken down", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "takedown-request-to": { + "description": "Destination email address for take-down request", + "misp-attribute": "email-dst", + "disable_correlation": true, + "ui-priority": 1, + "categories": [ + "Network activity" + ], + "multiple": true + }, "target": { "description": "Targeted organisation by the phishing", "ui-priority": 0, "misp-attribute": "text" + }, + "screenshot": { + "description": "Screenshot of phishing site", + "misp-attribute": "attachment", + "disable_correlation": true, + "ui-priority": 1, + "categories": [ + "External analysis" + ] + }, + "internal reference": { + "description": "Internal reference such as ticket ID", + "ui-priority": 1, + "misp-attribute": "text", + "categories": [ + "Internal reference" + ] } }, - "version": 1, + "version": 2, "description": "Phishing template to describe a phishing website and its analysis.", "meta-category": "network", "uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307", From 36dc6efab3b01eb92790b57a552cfb32d919fb6f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 1 Feb 2019 10:19:25 +0100 Subject: [PATCH 168/244] chg: [anonymisation] add level-of-knowledge to request for more information if needed --- objects/anonymisation/definition.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/objects/anonymisation/definition.json b/objects/anonymisation/definition.json index d3233a0..d9da978 100644 --- a/objects/anonymisation/definition.json +++ b/objects/anonymisation/definition.json 
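Review bot: The new key `"internal reference"` contains a space while every other attribute key in this object is kebab-case (`takedown-request-to`, `phishtank-id`); rename it to `"internal-reference"` before version 2 ships, because attribute keys are the names downstream consumers match on and renaming later is a breaking change. `takedown-request-to` is typed `email-dst` under `Network activity` with nothing disabling the IDS flag, so the abuse-desk address you send the takedown to gets the same default treatment as an attacker indicator; it should either carry `"to_ids": false` (if the template format supports that default) or not be typed as a network indicator at all.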
@@ -178,9 +178,19 @@ "ui-priority": 1, "disable_correlation": true, "misp-attribute": "text" + }, + "level-of-knowledge": { + "description": "Level of knowledge of the organisation who created this object", + "ui-priority": 10, + "values_list": [ + "Only the anonymised data is known", + "Deanonymised data is known" + ], + "disable_correlation": true, + "misp-attribute": "text" } }, - "version": 1, + "version": 2, "description": "Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml", "meta-category": "misc", "uuid": "5867cffe-60ff-44f6-b097-e5f36b5de0ac", From f09a392d49ce752a187eb04ee52c051a8c0ba3c0 Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Thu, 7 Feb 2019 14:58:40 +0100 Subject: [PATCH 169/244] added hostname attribute to the phishing object --- objects/phishing/definition.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/objects/phishing/definition.json b/objects/phishing/definition.json index 958295c..bb886e7 100644 --- a/objects/phishing/definition.json +++ b/objects/phishing/definition.json @@ -8,6 +8,11 @@ "ui-priority": 1, "misp-attribute": "url" }, + "hostname": { + "description": "host of the phishing website", + "ui-priority": 1, + "misp-attribute": "hostname" + }, "phishtank-id": { "description": "Phishtank ID of the reported phishing", "ui-priority": 1, @@ -94,7 +99,7 @@ ] } }, - "version": 2, + "version": 3, "description": "Phishing template to describe a phishing website and its analysis.", "meta-category": "network", "uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307", From f9bb8bfa9bfe0eb3813df4dc5efa355bece53ce7 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Mon, 11 Feb 2019 06:45:18 +0100 Subject: [PATCH 170/244] chg: [phishing] removed the IDS flag on the email used for takedown - and change attribute type --- objects/phishing/definition.json | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/objects/phishing/definition.json b/objects/phishing/definition.json index bb886e7..3b0c4d2 100644 --- a/objects/phishing/definition.json +++ b/objects/phishing/definition.json @@ -68,13 +68,14 @@ }, "takedown-request-to": { "description": "Destination email address for take-down request", - "misp-attribute": "email-dst", + "misp-attribute": "text", "disable_correlation": true, "ui-priority": 1, "categories": [ - "Network activity" + "Other" ], - "multiple": true + "multiple": true, + "to_ids": false }, "target": { "description": "Targeted organisation by the phishing", @@ -99,7 +100,7 @@ ] } }, - "version": 3, + "version": 4, "description": "Phishing template to describe a phishing website and its analysis.", "meta-category": "network", "uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307", From be9ea96c2a333a19b9701adc7b8080880f0ae58a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 11 Feb 2019 06:58:27 +0100 Subject: [PATCH 171/244] chg: [doc] to_ids flag was missing in the README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1c06b0b..f1cf85f 100644 --- a/README.md +++ b/README.md 
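Review bot: Switching `takedown-request-to` from `email-dst` to `text` drops the address-format validation that an email-typed attribute provides, and `"to_ids": false` together with the existing `disable_correlation` already removes the indicator semantics on its own, so an email-typed attribute with `"to_ids": false` under `Other` would keep validation without the IDS side effect. If the change to `text` is intentional so that non-address contacts (web forms, ticket URLs) can be recorded, the description should say so, e.g. `"Destination (email address or other contact) the take-down request was sent to"`.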
@@ -62,7 +62,7 @@ allowing advanced users to show all the attributes depending of their configurat shall be set to true if multiple elements of the same key can be used in the object. An optional **values_list** where this list of value can be selected as a value for an attribute. An optional **sane_default** where this list of value recommend potential a sane default for an attribute. An optional **disable_correlation** boolean field to suggest the disabling of correlation -for a specific attribute. +for a specific attribute. An optional **to_ids** boolean field to disable the IDS flag of an attribute. ## Existing MISP objects From 8a4f2c96b848a552e9b91361dc737c5661c3571a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 14 Feb 2019 14:16:01 +0100 Subject: [PATCH 172/244] chg: [file] preferred charset used by the file (if decoded from mime-type parsing) --- objects/file/definition.json | 268 ++++++++++++++++++++++++++++++++++- 1 file changed, 267 insertions(+), 1 deletion(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 6083298..7c79f77 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json 
@@ -168,9 +168,275 @@ "Expired", "Trusted" ] + }, + "file-encoding": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "Encoding format of the file", + "disable_correlation": true, + "sane_default": [ + "Adobe-Standard-Encoding", + "Adobe-Symbol-Encoding", + "Amiga-1251", + "ANSI_X3.110-1983", + "ASMO_449", + "Big5", + "Big5-HKSCS", + "BOCU-1", + "BRF", + "BS_4730", + "BS_viewdata", + "CESU-8", + "CP50220", + "CP51932", + "CSA_Z243.4-1985-1", + "CSA_Z243.4-1985-2", + "CSA_Z243.4-1985-gr", + "CSN_369103", + "DEC-MCS", + "DIN_66003", + "dk-us", + "DS_2089", + "EBCDIC-AT-DE", + "EBCDIC-AT-DE-A", + "EBCDIC-CA-FR", + "EBCDIC-DK-NO", + "EBCDIC-DK-NO-A", + "EBCDIC-ES", + "EBCDIC-ES-A", + "EBCDIC-ES-S", + "EBCDIC-FI-SE", + "EBCDIC-FI-SE-A", + "EBCDIC-FR", + "EBCDIC-IT", + "EBCDIC-PT", + "EBCDIC-UK", + "EBCDIC-US", + "ECMA-cyrillic", + "ES", + "ES2", + "EUC-KR", + "Extended_UNIX_Code_Fixed_Width_for_Japanese", + "Extended_UNIX_Code_Packed_Format_for_Japanese", + "GB18030", + "GB_1988-80", + "GB2312", + "GB_2312-80", + "GBK", + "GOST_19768-74", + "greek7", + "greek7-old", + "greek-ccitt", + "HP-DeskTop", + "HP-Legal", + "HP-Math8", + "HP-Pi-font", + "hp-roman8", + "HZ-GB-2312", + "IBM00858", + "IBM00924", + "IBM01140", + "IBM01141", + "IBM01142", + "IBM01143", + "IBM01144", + "IBM01145", + "IBM01146", + "IBM01147", + "IBM01148", + "IBM01149", + "IBM037", + "IBM038", + "IBM1026", + "IBM1047", + "IBM273", + "IBM274", + "IBM275", + "IBM277", + "IBM278", + "IBM280", + "IBM281", + "IBM284", + "IBM285", + "IBM290", + "IBM297", + "IBM420", + "IBM423", + "IBM424", + "IBM437", + "IBM500", + "IBM775", + "IBM850", + "IBM851", + "IBM852", + "IBM855", + "IBM857", + "IBM860", + "IBM861", + "IBM862", + "IBM863", + "IBM864", + "IBM865", + "IBM866", + "IBM868", + "IBM869", + "IBM870", + "IBM871", + "IBM880", + "IBM891", + "IBM903", + "IBM904", + "IBM905", + "IBM918", + "IBM-Symbols", + "IBM-Thai", + "IEC_P27-1", + "INIS", + "INIS-8", + "INIS-cyrillic", + "INVARIANT", + 
"ISO_10367-box", + "ISO-10646-J-1", + "ISO-10646-UCS-2", + "ISO-10646-UCS-4", + "ISO-10646-UCS-Basic", + "ISO-10646-Unicode-Latin1", + "ISO-10646-UTF-1", + "ISO-11548-1", + "ISO-2022-CN", + "ISO-2022-CN-EXT", + "ISO-2022-JP", + "ISO-2022-JP-2", + "ISO-2022-KR", + "ISO_2033-1983", + "ISO_5427", + "ISO_5427:1981", + "ISO_5428:1980", + "ISO_646.basic:1983", + "ISO_646.irv:1983", + "ISO_6937-2-25", + "ISO_6937-2-add", + "ISO-8859-10", + "ISO_8859-1:1987", + "ISO-8859-13", + "ISO-8859-14", + "ISO-8859-15", + "ISO-8859-16", + "ISO-8859-1-Windows-3.0-Latin-1", + "ISO-8859-1-Windows-3.1-Latin-1", + "ISO_8859-2:1987", + "ISO-8859-2-Windows-Latin-2", + "ISO_8859-3:1988", + "ISO_8859-4:1988", + "ISO_8859-5:1988", + "ISO_8859-6:1987", + "ISO_8859-6-E", + "ISO_8859-6-I", + "ISO_8859-7:1987", + "ISO_8859-8:1988", + "ISO_8859-8-E", + "ISO_8859-8-I", + "ISO_8859-9:1989", + "ISO-8859-9-Windows-Latin-5", + "ISO_8859-supp", + "iso-ir-90", + "ISO-Unicode-IBM-1261", + "ISO-Unicode-IBM-1264", + "ISO-Unicode-IBM-1265", + "ISO-Unicode-IBM-1268", + "ISO-Unicode-IBM-1276", + "IT", + "JIS_C6220-1969-jp", + "JIS_C6220-1969-ro", + "JIS_C6226-1978", + "JIS_C6226-1983", + "JIS_C6229-1984-a", + "JIS_C6229-1984-b", + "JIS_C6229-1984-b-add", + "JIS_C6229-1984-hand", + "JIS_C6229-1984-hand-add", + "JIS_C6229-1984-kana", + "JIS_Encoding", + "JIS_X0201", + "JIS_X0212-1990", + "JUS_I.B1.002", + "JUS_I.B1.003-mac", + "JUS_I.B1.003-serb", + "KOI7-switched", + "KOI8-R", + "KOI8-U", + "KS_C_5601-1987", + "KSC5636", + "KZ-1048", + "latin-greek", + "Latin-greek-1", + "latin-lap", + "macintosh", + "Microsoft-Publishing", + "MNEM", + "MNEMONIC", + "MSZ_7795.3", + "Name", + "NATS-DANO", + "NATS-DANO-ADD", + "NATS-SEFI", + "NATS-SEFI-ADD", + "NC_NC00-10:81", + "NF_Z_62-010", + "NF_Z_62-010_(1973)", + "NS_4551-1", + "NS_4551-2", + "OSD_EBCDIC_DF03_IRV", + "OSD_EBCDIC_DF04_1", + "OSD_EBCDIC_DF04_15", + "PC8-Danish-Norwegian", + "PC8-Turkish", + "PT", + "PT2", + "PTCP154", + "SCSU", + "SEN_850200_B", + 
"SEN_850200_C", + "Shift_JIS", + "T.101-G2", + "T.61-7bit", + "T.61-8bit", + "TIS-620", + "TSCII", + "UNICODE-1-1", + "UNICODE-1-1-UTF-7", + "UNKNOWN-8BIT", + "US-ASCII", + "us-dk", + "UTF-16", + "UTF-16BE", + "UTF-16LE", + "UTF-32", + "UTF-32BE", + "UTF-32LE", + "UTF-7", + "UTF-8", + "Ventura-International", + "Ventura-Math", + "Ventura-US", + "videotex-suppl", + "VIQR", + "VISCII", + "windows-1250", + "windows-1251", + "windows-1252", + "windows-1253", + "windows-1254", + "windows-1255", + "windows-1256", + "windows-1257", + "windows-1258", + "Windows-31J", + "windows-874" + ] } }, - "version": 15, + "version": 16, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From 08798f12623f5291f6743856c221a8c2c13cc778 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 14 Feb 2019 14:33:39 +0100 Subject: [PATCH 173/244] chg: [email] IP and hostname fields from extracted headers --- objects/email/definition.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/objects/email/definition.json b/objects/email/definition.json index a5099a6..fe3553e 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json @@ -3,7 +3,7 @@ "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "meta-category": "network", "description": "Email object describing an email with meta-information", - "version": 12, + "version": 13, "attributes": { "reply-to": { "description": "Email address the reply will be sent to", 
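Review bot: `"Name"` in the new `file-encoding` list is not a charset: it is the column header of the IANA character-sets registry CSV that the list was evidently pasted from, and it should be removed before a user can pick it from the dropdown. The description `"Encoding format of the file"` is also looser than the commit message ("preferred charset … from mime-type parsing"); `"Character set (charset) of the file, e.g. as declared by a MIME charset parameter"` would tell users this is a text charset rather than a transfer or binary encoding.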
@@ -77,6 +77,18 @@ ], "multiple": true }, + "received-header-ip": { + "description": "Extracted IP address from parsed headers", + "misp-attribute": "ip-src", + "ui-priority": 0, + "multiple": true + }, + "received-header-hostname": { + "description": "Extracted hostname from parsed headers", + "misp-attribute": "hostname", + "ui-priority": 0, + "multiple": true + }, "x-mailer": { "description": "X-Mailer generally tells the program that was used to draft and send the original email", "misp-attribute": "email-x-mailer", From 0173504050675281cf8f6964a4875316566f6533 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 15 Feb 2019 09:46:29 +0100 Subject: [PATCH 174/244] Person object - Add a (several) role to a person --- objects/person/definition.json | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 2c0b080..361b4eb 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -151,9 +151,25 @@ "ui-priority": 10, "misp-attribute": "attachment", "multiple": true + }, + "role": { + "description": "The role of a person.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "values_list": [ + "Suspect", + "Victim", + "Defendent", + "Accused", + "Culprit", + "Accomplice", + "Witness" + ], + "disable_correlation": true } }, - "version": 7, + "version": 8, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From 18042c07497a8bf1c272783755517ca406b3ad19 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 20 Feb 2019 10:43:38 +0100 Subject: [PATCH 175/244] chg: [elf] disable correlation on file type --- objects/elf/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/elf/definition.json b/objects/elf/definition.json index 7fe59c3..34ee8c7 100644 --- a/objects/elf/definition.json 
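Review bot: `received-header-ip` is typed `ip-src` with no `to_ids` override, so addresses parsed out of Received headers presumably inherit that type's IDS-export default, although most hops in a Received chain are legitimate intermediate MTAs and only the hop added by the receiving server can be trusted as unforged. Consider `"to_ids": false` on both new attributes, as the phishing object in this series already sets on `takedown-request-to`, and say in the description which headers are parsed: `"description": "IP address extracted from the Received headers of the message"`. The same applies to `received-header-hostname`.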
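Review bot: `Defendent` in the new `role` `values_list` is misspelled; a `values_list` is a closed vocabulary, so the typo becomes the only accepted spelling once instances exist and correcting it later needs a data migration. Change it to `"Defendant",` before version 8 ships. The description `The role of a person.` could also say that the list is the person's status in the case being described, so `Suspect`, `Accused` and `Culprit` are not read as interchangeable.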
+++ b/objects/elf/definition.json @@ -22,7 +22,8 @@ "RELOCATABLE" ], "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "number-sections": { "description": "Number of sections", @@ -250,7 +251,7 @@ "recommended": false } }, - "version": 4, + "version": 5, "description": "Object describing a Executable and Linkable Format", "meta-category": "file", "uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa", From e26e54b54a720ce09394d9461444385821a65295 Mon Sep 17 00:00:00 2001 From: marcnil815 <33084026+marcnil815@users.noreply.github.com> Date: Thu, 21 Feb 2019 16:12:54 +0100 Subject: [PATCH 176/244] Create splunk object definition.json Adding misp-object for basic splunk search/correlation search values. --- objects/splunk/definition.json | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 objects/splunk/definition.json diff --git a/objects/splunk/definition.json b/objects/splunk/definition.json new file mode 100644 index 0000000..c5a1ea8 --- /dev/null +++ b/objects/splunk/definition.json 
@@ -0,0 +1,58 @@ +{ + "version": 1, + "description": "Splunk / Splunk ES object", + "meta-category": "misc", + "uuid": "fd9b7bf8-df7b-4df9-bcd8-28591edcaab8", + "name": "splunk", + "required": ["search"], + "attributes": { + "search": { + "description": "Search / Correlation search", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "drill-down": { + "description": "Drilldown", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "multiple": true + }, + "response-action": { + "description": "Response action", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "disable_correlation": true, + "sane_default": [ + "notable", + "risk" + ] + }, + "schedule": { + "description": "Schedule", + "ui-priority": 0, + "misp-attribute": "other", + "disable_correlation": true + }, + "earliest": { + "description": "Earliest time", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "latest": { + "description": "Latest time", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "description": { + "description": "Description", + "ui-priority": 0, + "misp-attribute": "comment", + "disable_correlation": true + } + } +} From 03870031db61809c5a37b17ac9048645e84ae114 Mon Sep 17 00:00:00 2001 From: marcnil815 <33084026+marcnil815@users.noreply.github.com> Date: Thu, 21 Feb 2019 19:36:07 +0100 Subject: [PATCH 177/244] jq'ed definition.json --- objects/splunk/definition.json | 100 +++++++++++++++++---------------- 1 file changed, 51 insertions(+), 49 deletions(-) diff --git a/objects/splunk/definition.json b/objects/splunk/definition.json index c5a1ea8..2ebaff4 100644 --- a/objects/splunk/definition.json +++ b/objects/splunk/definition.json 
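Review bot: The `search` attribute holds a Splunk query but its description, `Search / Correlation search`, does not say what the value is; since a shared search is executable in any consumer's Splunk, the description should name the content and ask for review before use: `"description": "Splunk SPL search or correlation search string, to be reviewed before being run"`. `schedule` is typed `other` while `earliest` and `latest` are `text`; the three describe one schedule and one type would be consistent. `drill-down` and `response-action` have `multiple` placed differently relative to `disable_correlation`, which is harmless but the next commit (`jq'ed definition.json`) shows the file was not normalised before this one was committed.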
@@ -4,55 +4,57 @@ "meta-category": "misc", "uuid": "fd9b7bf8-df7b-4df9-bcd8-28591edcaab8", "name": "splunk", - "required": ["search"], + "required": [ + "search" + ], "attributes": { - "search": { - "description": "Search / Correlation search", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "drill-down": { - "description": "Drilldown", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true, - "multiple": true - }, - "response-action": { - "description": "Response action", - "ui-priority": 0, - "misp-attribute": "text", - "multiple": true, - "disable_correlation": true, - "sane_default": [ - "notable", - "risk" - ] - }, - "schedule": { - "description": "Schedule", - "ui-priority": 0, - "misp-attribute": "other", - "disable_correlation": true - }, - "earliest": { - "description": "Earliest time", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "latest": { - "description": "Latest time", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "description": { - "description": "Description", - "ui-priority": 0, - "misp-attribute": "comment", - "disable_correlation": true - } + "search": { + "description": "Search / Correlation search", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "drill-down": { + "description": "Drilldown", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "multiple": true + }, + "response-action": { + "description": "Response action", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "disable_correlation": true, + "sane_default": [ + "notable", + "risk" + ] + }, + "schedule": { + "description": "Schedule", + "ui-priority": 0, + "misp-attribute": "other", + "disable_correlation": true + }, + "earliest": { + "description": "Earliest time", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "latest": { + 
"description": "Latest time", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "description": { + "description": "Description", + "ui-priority": 0, + "misp-attribute": "comment", + "disable_correlation": true + } } } From 45f6aec0f50c3246f4a279c0afb09205856c9f51 Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Mon, 25 Feb 2019 09:29:15 +0100 Subject: [PATCH 178/244] corrected order --- objects/phishing/definition.json | 177 ++++++++++++++++--------------- 1 file changed, 93 insertions(+), 84 deletions(-) diff --git a/objects/phishing/definition.json b/objects/phishing/definition.json index 3b0c4d2..deadb3c 100644 --- a/objects/phishing/definition.json +++ b/objects/phishing/definition.json 
@@ -1,108 +1,117 @@ { - "requiredOneOf": [ - "url" - ], + "name": "phishing", + "uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307", + "meta-category": "network", + "description": "Phishing template to describe a phishing website and its analysis.", + "version": 5, "attributes": { - "url": { - "description": "Original url of the phishing website", - "ui-priority": 1, - "misp-attribute": "url" - }, - "hostname": { - "description": "host of the phishing website", - "ui-priority": 1, - "misp-attribute": "hostname" - }, - "phishtank-id": { - "description": "Phishtank ID of the reported phishing", - "ui-priority": 1, - "misp-attribute": "text" - }, - "phishtank-detail-url": { - "description": "Phishtank detail URL to the reported phishing", - "misp-attribute": "link", - "ui-priority": 1 - }, - "submission-time": { - "description": "When the phishing was submitted and/or reported", - "ui-priority": 0, - "misp-attribute": "datetime" - }, - "verified": { - "description": "The phishing has been verified by the team handling the phishing", - "ui-priority": 0, - "values_list": [ - "No", - "Yes" + "internal reference": { + "categories": [ + "Internal reference" ], "misp-attribute": "text", - "disable_correlation": true + "ui-priority": 1, + "description": "Internal reference such as ticket ID" }, - "verification-time": { - "description": "When the phishing was verified", + "screenshot": { + "multiple": true, + "categories": [ + "External analysis" + ], + "ui-priority": 1, + "disable_correlation": true, + "misp-attribute": "attachment", + "description": "Screenshot of phishing site" + }, + "target": { + "multiple": true, + "misp-attribute": "text", "ui-priority": 0, + "description": "Targeted organisation by the phishing" + }, + "takedown-request-to": { + "to_ids": false, + "multiple": true, + "categories": [ + "Other" + ], + "ui-priority": 1, + "disable_correlation": true, + "misp-attribute": "text", + "description": "Destination email address for take-down request" + }, + 
"takedown-request": { + "disable_correlation": true, "misp-attribute": "datetime", - "disable_correlation": true + "ui-priority": 0, + "description": "When the phishing was requested to be taken down" + }, + "takedown-time": { + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0, + "description": "When the phishing was taken down" }, "online": { - "description": "If the phishing is online and operational, by default is yes", - "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text", "values_list": [ "Yes", "No" ], - "misp-attribute": "text", - "disable_correlation": true - }, - "takedown-time": { - "description": "When the phishing was taken down", "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true + "description": "If the phishing is online and operational, by default is yes" }, - "takedown-request": { - "description": "When the phishing was requested to be taken down", - "ui-priority": 0, - "misp-attribute": "datetime", - "disable_correlation": true - }, - "takedown-request-to": { - "description": "Destination email address for take-down request", - "misp-attribute": "text", - "disable_correlation": true, + "url": { + "misp-attribute": "url", "ui-priority": 1, - "categories": [ - "Other" - ], + "description": "Original URL of the phishing website" + }, + "url-redirect": { "multiple": true, - "to_ids": false - }, - "target": { - "description": "Targeted organisation by the phishing", - "ui-priority": 0, - "misp-attribute": "text" - }, - "screenshot": { - "description": "Screenshot of phishing site", - "misp-attribute": "attachment", - "disable_correlation": true, + "misp-attribute": "url", "ui-priority": 1, - "categories": [ - "External analysis" - ] + "description": "Redirect URL of the phishing website" }, - "internal reference": { - "description": "Internal reference such as ticket ID", + "hostname": { + "multiple": true, + "misp-attribute": "hostname", "ui-priority": 1, + 
"description": "host of the phishing website" + }, + "phishtank-id": { "misp-attribute": "text", - "categories": [ - "Internal reference" - ] + "ui-priority": 1, + "description": "Phishtank ID of the reported phishing" + }, + "phishtank-detail-url": { + "ui-priority": 1, + "misp-attribute": "link", + "description": "Phishtank detail URL to the reported phishing" + }, + "submission-time": { + "misp-attribute": "datetime", + "ui-priority": 0, + "description": "When the phishing was submitted and/or reported" + }, + "verified": { + "disable_correlation": true, + "misp-attribute": "text", + "values_list": [ + "No", + "Yes" + ], + "ui-priority": 0, + "description": "The phishing has been verified by the team handling the phishing" + }, + "verification-time": { + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0, + "description": "When the phishing was verified" } }, - "version": 4, - "description": "Phishing template to describe a phishing website and its analysis.", - "meta-category": "network", - "uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307", - "name": "phishing" + "requiredOneOf": [ + "url" + ] } From ec2851d4eb1c3fb3d91d64d9b786d7e7fe9674a9 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 26 Feb 2019 13:57:31 +0100 Subject: [PATCH 179/244] add ilr-impact object --- objects/ilr-impact/definition.json | 40 ++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 objects/ilr-impact/definition.json diff --git a/objects/ilr-impact/definition.json b/objects/ilr-impact/definition.json new file mode 100644 index 0000000..3be0c73 --- /dev/null +++ b/objects/ilr-impact/definition.json 
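Review bot: This hunk does more than the commit title `corrected order` states: it adds a `url-redirect` attribute, sets `"multiple": true` on `screenshot`, `target` and `hostname`, changes `Original url` to `Original URL` and bumps `version` to 5, all hidden inside a whole-file key reordering. The reorder and the functional changes should be separate commits, or at least the new attribute and the `multiple` flags should be named in the message so a consumer can tell what differs between versions 4 and 5. For the new attribute, `"description": "Redirect URL(s) observed when following the original phishing URL"` would explain why it is `multiple` and how it relates to `url`.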
@@ -0,0 +1,40 @@ +{ + "required": [ + "service" + ], + "attributes": { + "service": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "Service impacte par l'incident", + "disable_correlation": true, + "multiple": true, + "sane_default": [ + "Telephonie fixe", + "Acces Internet fixe", + "Telephonie mobile", + "Acces Internet mobile" + ] + }, + "Nombre d'utilisateurs touches": { + "description": "Nombre d’utilisateurs touches par l'incident", + "ui-priority": 0, + "misp-attribute": "text" + }, + "Pourcentage d'utilisateurs touches": { + "description": "Pourcentage d'utilisateurs du service touches par l'incident", + "ui-priority": 0, + "misp-attribute": "text" + }, + "Durée": { + "description": "Durée de l'incident en hh : mm", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Institut Luxembourgeois de Régulation - Impact", + "meta-category": "misc", + "uuid": "b995af48-39b2-11e9-b2ab-b77adfee75d1", + "name": "ilr-impact" +} From bc05eca2b676800848582a461611ea22a2bda69d Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 26 Feb 2019 14:05:01 +0100 Subject: [PATCH 180/244] disable correlations on ilr-impact attributes --- objects/ilr-impact/definition.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/objects/ilr-impact/definition.json b/objects/ilr-impact/definition.json index 3be0c73..ec35a1f 100644 --- a/objects/ilr-impact/definition.json +++ b/objects/ilr-impact/definition.json 
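Review bot: The new attribute keys `Nombre d'utilisateurs touches`, `Pourcentage d'utilisateurs touches` and `Durée` contain spaces, an apostrophe, capitals and an accent, unlike `service` and every other template on this page, which use lowercase hyphenated ASCII keys; the key also uses the ASCII apostrophe while the description uses the curly `’` (`Nombre d’utilisateurs`). Later commits in this series rename the keys but the curly apostrophe in the description survives them. The two user counts are typed `text`; if a numeric type is wanted for counts, MISP's `counter` type would let consumers treat them as numbers. The `Durée` description says `hh : mm`; a concrete example such as `02:30` would settle whether the spaces around the colon are part of the format.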
@@ -19,16 +19,19 @@ "Nombre d'utilisateurs touches": { "description": "Nombre d’utilisateurs touches par l'incident", "ui-priority": 0, + "disable_correlation": true, "misp-attribute": "text" }, "Pourcentage d'utilisateurs touches": { "description": "Pourcentage d'utilisateurs du service touches par l'incident", "ui-priority": 0, + "disable_correlation": true, "misp-attribute": "text" }, "Durée": { "description": "Durée de l'incident en hh : mm", "ui-priority": 0, + "disable_correlation": true, "misp-attribute": "text" } }, From bd9970b1c95ccdc746da3f8cb54f66428e714891 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 26 Feb 2019 14:26:29 +0100 Subject: [PATCH 181/244] fix lr-impact attributes names --- objects/ilr-impact/definition.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/ilr-impact/definition.json b/objects/ilr-impact/definition.json index ec35a1f..1fc8d16 100644 --- a/objects/ilr-impact/definition.json +++ b/objects/ilr-impact/definition.json @@ -16,20 +16,20 @@ "Acces Internet mobile" ] }, - "Nombre d'utilisateurs touches": { + "nombre-utilisateurs-touches": { "description": "Nombre d’utilisateurs touches par l'incident", "ui-priority": 0, "disable_correlation": true, "misp-attribute": "text" }, - "Pourcentage d'utilisateurs touches": { + "pourcentage-utilisateurs-touches": { "description": "Pourcentage d'utilisateurs du service touches par l'incident", "ui-priority": 0, "disable_correlation": true, "misp-attribute": "text" }, - "Durée": { - "description": "Durée de l'incident en hh : mm", + "duree": { + "description": "Duree de l'incident en hh : mm", "ui-priority": 0, "disable_correlation": true, "misp-attribute": "text" From 41dd46986965eb77bc38affd6124e599b9023519 Mon Sep 17 00:00:00 2001 
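Review bot: Neither of the two hunks bumps `version`, which stays at 1 from the creating commit, although the second hunk (`@@ -16,20 +16,20 @@`) renames three attribute keys, e.g. `Nombre d'utilisateurs touches` to `nombre-utilisateurs-touches`. As far as I know MISP keys template updates off `uuid` plus `version`, so instances created under version 1 with the old keys will not match the renamed template and consumers will not pick up the change; add `"version": 2,` in the same commit as the rename (the `disable_correlation` additions of the first hunk could be folded in). The description `Nombre d’utilisateurs touches` still carries the curly apostrophe U+2019 after the key lost its apostrophe entirely; the following accent-removal commits leave it as well.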
From: Deborah Servili Date: Tue, 26 Feb 2019 15:51:20 +0100 Subject: [PATCH 182/244] add ilr-notification-incident object --- .../ilr-notification-incident/definition.json | 139 ++++++++++++++++++ 1 file changed, 139 insertions(+) create mode 100644 objects/ilr-notification-incident/definition.json diff --git a/objects/ilr-notification-incident/definition.json b/objects/ilr-notification-incident/definition.json new file mode 100644 index 0000000..6115209 --- /dev/null +++ b/objects/ilr-notification-incident/definition.json 
@@ -0,0 +1,139 @@ +{ + "attributes": { + "Nom entreprise": { + "description": "Nom de l’entreprise notifiee", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "date-incident": { + "description": "Date/heure de la detection de l’incident:", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "date-pre-notification": { + "description": "Date de la pre-notification", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "impact-servicesw-urgence": { + "description": "Services d’urgences impactés ?", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text", + "values_list": [ + "Oui", + "Non" + ] + }, + "description-probleme-services-urgence": { + "description": "Description du problème sur les services d’urgences impactes", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "delimitation-geographique": { + "description": "Delimitation geographique", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text", + "values_list": [ + "Nationale", + "Regionale" + ] + }, + "zone-impactee": { + "description": "zones/communes/villes impactees ", + "disable_correlation": true, + "ui-priority": 0, + "multiple": true, + "misp-attribute": "text" + }, + "details-service": { + "description": "Details relatifs au service concerne et à l’impact de l’incident", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "cause-initiale-incident": { + "description": "Cause initiale de l'incident", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text", + "values_list": [ + "rreur humaine", + "Défaut système 'hardware', 'software', 'procédures'", + "Attaque malveillante", + "Défaut d’une partie tierce ou externe", + "Catastrophe naturelle" + ] + }, + "autres-informations": { + "description": "Autres informations concernant la nature de l’incident notamment la liste 
des actifs affectés et les causes subséquentes éventuelles, déclenchées par la cause initiale ", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "description-incident": { + "description": "Description générale de l’incident", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "traitement-incident": { + "description": "Traitement de l’incident et actions effectuées en ordre chronologique", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "actions-posterieur": { + "description": "Actions posterieures de l’incident pour minimiser le risque ", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "interconnections-affectees": { + "description": "Interconnections nationales et/ou internationales affectees", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "actions-corrective": { + "description": "Actions correctives à long terme", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "remarques": { + "description": "Remarque(s), notamment les experiences gagnees et les leçons tirees de l’incident", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "nom-contact-incident": { + "description": "Nom de la personne de contact en rapport avec l’incident", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "telephone-contact-incident": { + "description": "Telephone de la personne de contact en rapport avec l’incident", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "email-contact-incident": { + "description": "Email de la personne de contact en rapport avec l’incident", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Institut Luxembourgeois de Régulation - Notification d'incident", + "meta-category": 
"misc", + "uuid": "b8ade604-39b2-11e9-b753-1fd28d3b612c", + "name": "ilr-notification-incident" +} From 96751b2af729ee67f67d92271e7ed84ef1b8b795 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 26 Feb 2019 15:57:58 +0100 Subject: [PATCH 183/244] remove accent from ilrobjects --- objects/ilr-impact/definition.json | 2 +- .../ilr-notification-incident/definition.json | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/objects/ilr-impact/definition.json b/objects/ilr-impact/definition.json index 1fc8d16..4529a06 100644 --- a/objects/ilr-impact/definition.json +++ b/objects/ilr-impact/definition.json @@ -36,7 +36,7 @@ } }, "version": 1, - "description": "Institut Luxembourgeois de Régulation - Impact", + "description": "Institut Luxembourgeois de Regulation - Impact", "meta-category": "misc", "uuid": "b995af48-39b2-11e9-b2ab-b77adfee75d1", "name": "ilr-impact" diff --git a/objects/ilr-notification-incident/definition.json b/objects/ilr-notification-incident/definition.json index 6115209..51d5843 100644 --- a/objects/ilr-notification-incident/definition.json +++ b/objects/ilr-notification-incident/definition.json @@ -19,7 +19,7 @@ "misp-attribute": "text" }, "impact-servicesw-urgence": { - "description": "Services d’urgences impactés ?", + "description": "Services d’urgences impactes ?", "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text", @@ -29,7 +29,7 @@ ] }, "description-probleme-services-urgence": { - "description": "Description du problème sur les services d’urgences impactes", + "description": "Description du probleme sur les services d’urgences impactes", "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" 
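Review bot: Two of the new identifiers carry typos that become permanent once the template is used: the key `impact-servicesw-urgence` (stray `w`) and the `values_list` entry `rreur humaine`, which should read `"Erreur humaine",`; a `values_list` is a closed vocabulary, so the misspelled value is the only one MISP will accept. `Nom entreprise` uses a space and a capital where every other key in the file is lowercase hyphenated. `date-pre-notification` is typed `text` while `date-incident` next to it is `datetime`; one type for both dates keeps them comparable. The three contact attributes hold personal data of the notifier and are already non-correlating, which is the right setting for such fields.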
@@ -64,26 +64,26 @@ "misp-attribute": "text", "values_list": [ "rreur humaine", - "Défaut système 'hardware', 'software', 'procédures'", + "Defaut systeme 'hardware', 'software', 'procedures'", "Attaque malveillante", - "Défaut d’une partie tierce ou externe", + "Defaut d’une partie tierce ou externe", "Catastrophe naturelle" ] }, "autres-informations": { - "description": "Autres informations concernant la nature de l’incident notamment la liste des actifs affectés et les causes subséquentes éventuelles, déclenchées par la cause initiale ", + "description": "Autres informations concernant la nature de l’incident notamment la liste des actifs affectes et les causes subsequentes eventuelles, declenches par la cause initiale ", "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" }, "description-incident": { - "description": "Description générale de l’incident", + "description": "Description generale de l’incident", "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" }, "traitement-incident": { - "description": "Traitement de l’incident et actions effectuées en ordre chronologique", + "description": "Traitement de l’incident et actions effectuees en ordre chronologique", "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" @@ -132,7 +132,7 @@ } }, "version": 1, - "description": "Institut Luxembourgeois de Régulation - Notification d'incident", + "description": "Institut Luxembourgeois de Regulation - Notification d'incident", "meta-category": "misc", "uuid": "b8ade604-39b2-11e9-b753-1fd28d3b612c", "name": "ilr-notification-incident" From 55f5716b5def6e3a6860ad05834561d136bf6c23 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 26 Feb 2019 16:00:23 +0100 Subject: [PATCH 184/244] remove accent from ilr objects - bis --- objects/ilr-notification-incident/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
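Review bot: This hunk edits the `values_list` of `cause-initiale-incident`, changing the accepted vocabulary (`Défaut système ...` becomes `Defaut systeme ...`), but leaves the adjacent entry `rreur humaine` with its missing first letter and keeps the curly apostrophe `’` in `d’une` and `l’incident`, so the stated goal of accent-free ASCII text is not reached. `déclenchées` also became `declenches`, dropping the feminine-plural ending rather than only the accent (`declenchees`). Since a `values_list` change alters what consumers accept, `version` should be bumped here as well; it stays at 1 in the `@@ -132,7 +132,7 @@` hunk below.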
diff --git a/objects/ilr-notification-incident/definition.json b/objects/ilr-notification-incident/definition.json index 51d5843..1dde3d2 100644 --- a/objects/ilr-notification-incident/definition.json +++ b/objects/ilr-notification-incident/definition.json @@ -52,7 +52,7 @@ "misp-attribute": "text" }, "details-service": { - "description": "Details relatifs au service concerne et à l’impact de l’incident", + "description": "Details relatifs au service concerne et a l’impact de l’incident", "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" @@ -101,7 +101,7 @@ "misp-attribute": "text" }, "actions-corrective": { - "description": "Actions correctives à long terme", + "description": "Actions correctives a long terme", "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" From 59f8621fe2d24851c808d8c6869e37a1c88b85b0 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 12 Mar 2019 17:21:52 +0100 Subject: [PATCH 185/244] add: New relationship "retrieved-from" --- relationships/definition.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 6b12f4a..4a9f801 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -222,6 +222,13 @@ "stix-2.0" ] }, + { + "name": "retrieved-from", + "description": "This relationship describes an object retrieved from the target object.", + "format": [ + "misp" + ] + }, { "name": "authored-by", "description": "This relationship describes the author of a specific object.", From 047595ddeb496a9cba294064902dd6fb5641cde7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 15 Mar 2019 14:36:12 +0100 Subject: [PATCH 186/244] chg: [person] Spanish IDs added (NIE, NIF and DNI) --- objects/person/definition.json | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 361b4eb..220f7b3 100644 
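Review bot: The description of the new `retrieved-from` relationship, `This relationship describes an object retrieved from the target object.`, leaves the direction ambiguous: it does not say whether the source object was retrieved from the target or the target from the source. The neighbouring entry is phrased from the source object's point of view (`describes the author of a specific object`), so `"description": "This relationship describes that the source object was retrieved from the target object."` would follow that convention and remove the ambiguity. The `format` list holds only `misp` while the preceding entry also lists `stix-2.0`; if no STIX equivalent exists that is fine, but the commit message could say so.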
--- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -140,6 +140,24 @@ "misp-attribute": "text", "multiple": true }, + "dni": { + "description": "Spanish National ID", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "nie": { + "description": "Foreign National ID (Spain)", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "nif": { + "description": "Tax ID Number (Spain)", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, "e-mail": { "description": "Email address of the person.", "ui-priority": 10, @@ -169,7 +187,7 @@ "disable_correlation": true } }, - "version": 8, + "version": 9, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From 0c6b7b4302b58b0b1ab8371acdd3e4b988609a88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 2 Apr 2019 17:09:02 +0200 Subject: [PATCH 187/244] chg: Bump vehicle object --- objects/vehicle/definition.json | 46 ++++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json index cc302f0..c558a46 100644 --- a/objects/vehicle/definition.json +++ b/objects/vehicle/definition.json @@ -1,11 +1,15 @@ { "requiredOneOf": [ "description", - "year", "make", "model", "license-plate-number", - "vin" + "vin", + "dyno-power", + "date-first-registration", + "image-url", + "gearbox", + "indicative-value" ], "attributes": { "description": { @@ -14,12 +18,6 @@ "misp-attribute": "text", "disable_correlation": true }, - "year": { - "description": "Year of manufacturing of the vehicle", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, "make": { "description": "Manufacturer of the vehicle", "ui-priority": 0, 
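Review bot: The new `dni`, `nie` and `nif` attributes are typed `text` with no format hint in their descriptions, so neither an analyst nor a validator is told what a valid value looks like; since `text` carries no validation, putting the expected shape in the description, e.g. `"description": "Spanish National ID (DNI): 8 digits followed by a check letter"`, is the only place to document it. These are government identifiers of natural persons and correlation is left enabled, which is arguably desired for an identity object but should be a deliberate choice stated in the commit. The `version` bump to 9 is in the second hunk of this file, which continues past this one.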
@@ -42,9 +40,39 @@ "ui-priority": 0, "misp-attribute": "text", "multiple": true + }, + "dyno-power": { + "description": "Dyno power output", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "date-first-registration": { + "description": "Date of first registration", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "image-url": { + "description": "Image URL", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "gearbox": { + "description": "Gearbox", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "indicative-value": { + "description": "Indicative value", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true } }, - "version": 1, + "version": 2, "description": "Vehicle object template to describe a vehicle information and registration", "meta-category": "misc", "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4", From a85178255ca1f362f00182842dbd0f5a0a112bf5 Mon Sep 17 00:00:00 2001 From: molley Date: Tue, 2 Apr 2019 17:28:49 +0100 Subject: [PATCH 188/244] Added issuer as one of the required fields This is often a field used on it's own to identify a malicious cert --- objects/x509/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index 106a90c..42ecb04 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -3,7 +3,8 @@ "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256", - "serial-number" + "serial-number", + "issuer" ], "attributes": { "subject": { @@ -105,7 +106,7 @@ "ui-priority": 0 } }, - "version": 7, + "version": 8, "description": "x509 object describing a X.509 certificate", "meta-category": "network", "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", From 490d760a4bfb7ac9bfcc40856e0e4abcda211f8e Mon Sep 17 00:00:00 2001 
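Review bot: `image-url` and `date-first-registration` are typed `text` although MISP has `url`/`link` and `datetime` types, both used by the phishing object earlier in this series; typing them as text loses validation and URL correlation. `year` is removed in the `@@ -14,12 +18,6 @@` hunk of the same file without a replacement, a breaking change for existing vehicle objects that the commit message (`Bump vehicle object`) does not mention. `indicative-value` is a monetary amount with no currency; `"description": "Indicative value of the vehicle, including currency"` would at least make the unit explicit. Finally every new attribute was added to `requiredOneOf`, so an object containing only `gearbox` now validates, which is weaker than the previous list.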
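Review bot: Adding `issuer` to `requiredOneOf` allows an x509 object that carries nothing but an issuer DN; since a public CA signs many unrelated certificates, such an object has little identifying power and will correlate across every event naming the same CA. The commit message's claim that the issuer alone identifies a malicious certificate holds for attacker-operated or self-signed issuers, not for public CAs, so that expectation should be stated in the `issuer` attribute's description, whose definition lies outside this hunk.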
From: molley Date: Tue, 2 Apr 2019 17:41:07 +0100 Subject: [PATCH 189/244] Added current-directory to required field This field will often indicate where a malicious binary is started from, therefore a good candidate for solo use --- objects/process/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/process/definition.json b/objects/process/definition.json index e0420ee..25d1add 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -3,7 +3,7 @@ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "meta-category": "misc", "description": "Object describing a system process.", - "version": 3, + "version": 4, "attributes": { "creation-time": { "description": "Local date/time at which the process was created.", @@ -91,6 +91,7 @@ "name", "pid", "image", - "command-line" + "command-line", + "current-directory" ] } From a50986361fdab1d439a75530733606c22fe7e4be Mon Sep 17 00:00:00 2001 From: molley Date: Tue, 2 Apr 2019 18:26:00 +0100 Subject: [PATCH 190/244] Username is often utilised alongside a credential Username can often identify malicious behavior, and is usually part of the credential tuple - it can also be used to highlight common user accounts without password/api key --- objects/credential/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/credential/definition.json b/objects/credential/definition.json index 5ea36ea..0a4f7a9 100644 --- a/objects/credential/definition.json +++ b/objects/credential/definition.json @@ -1,6 +1,7 @@ { "requiredOneOf": [ - "password" + "password", + "username" ], "attributes": { "text": { @@ -67,7 +68,7 @@ ] } }, - "version": 2, + "version": 3, "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", "meta-category": "misc", "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", From 4793bf33ae54327f30b90925d1dd0b8ec3bc71c5 Mon Sep 17 00:00:00 2001 
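Review bot: `current-directory` becomes an acceptable sole attribute here, but its own definition, as changed two commits later in PATCH 191 (`@@ -56,7 +56,7 @@`), has `"disable_correlation": true` and `"ui-priority": 2`, so a process object consisting only of a working directory neither correlates nor surfaces prominently in the UI. If directory-only objects are the intended use, as the commit message says, either correlation should stay enabled for this attribute or its description should say what makes a directory a useful indicator on its own. The attribute definition is outside this hunk.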
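Review bot: Adding `username` to `requiredOneOf` lets a credential object consist of a username alone; generic account names such as `admin` or `root` will then correlate across unrelated events unless the `username` attribute definition, which is outside this hunk, disables correlation or its description tells analysts to pair it with a context attribute. The commit message describes the username-only use case; mirroring it in the template `description` (currently `Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).`) would make that form explicit to consumers.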
From: Alexandre Dulaunoy Date: Tue, 2 Apr 2019 19:56:59 +0200 Subject: [PATCH 191/244] chg: [process] fix the type - fix #160 --- objects/process/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/process/definition.json b/objects/process/definition.json index 25d1add..9246a49 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -3,7 +3,7 @@ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "meta-category": "misc", "description": "Object describing a system process.", - "version": 4, + "version": 5, "attributes": { "creation-time": { "description": "Local date/time at which the process was created.", @@ -56,7 +56,7 @@ "current-directory": { "description": "Current working directory of the process", "ui-priority": 2, - "misp-attribute": "filename", + "misp-attribute": "text", "disable_correlation": true }, "image": { From aca06cec1ffbb3a092118e15a92152c51b14b408 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 3 Apr 2019 14:05:39 +0200 Subject: [PATCH 192/244] chg: [lnk] new LNK object (Windows Shortcut) --- README.md | 1 + objects/lnk/definition.json | 279 ++++++++++++++++++++++++++++++++++++ 2 files changed, 280 insertions(+) create mode 100644 objects/lnk/definition.json diff --git a/README.md b/README.md index f1cf85f..57b2491 100644 --- a/README.md +++ b/README.md 
@@ -101,6 +101,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way. * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation. +* [objects/lnk](objects/lnk/definition.json) - Object describing a Windows LNK (Windows Shortcut) file. * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format. * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format. * [objects/mactime-timeline-analysis](objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity. diff --git a/objects/lnk/definition.json b/objects/lnk/definition.json new file mode 100644 index 0000000..83eca79 --- /dev/null +++ b/objects/lnk/definition.json 
@@ -0,0 +1,279 @@ +{ + "requiredOneOf": [ + "filename", + "ssdeep", + "md5", + "sha1", + "sha224", + "sha256", + "sha384", + "sha512", + "sha512/224", + "sha512/256" + ], + "attributes": { + "md5": { + "description": "[Insecure] MD5 hash (128 bits)", + "ui-priority": 1, + "misp-attribute": "md5", + "recommended": false + }, + "sha1": { + "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)", + "ui-priority": 1, + "misp-attribute": "sha1", + "recommended": false + }, + "sha224": { + "description": "Secure Hash Algorithm 2 (224 bits)", + "ui-priority": 0, + "misp-attribute": "sha224", + "recommended": false + }, + "sha256": { + "description": "Secure Hash Algorithm 2 (256 bits)", + "ui-priority": 1, + "misp-attribute": "sha256" + }, + "sha384": { + "description": "Secure Hash Algorithm 2 (384 bits)", + "ui-priority": 0, + "misp-attribute": "sha384", + "recommended": false + }, + "sha512": { + "description": "Secure Hash Algorithm 2 (512 bits)", + "ui-priority": 1, + "misp-attribute": "sha512" + }, + "sha512/224": { + "description": "Secure Hash Algorithm 2 (224 bits)", + "ui-priority": 0, + "misp-attribute": "sha512/224", + "recommended": false + }, + "sha512/256": { + "description": "Secure Hash Algorithm 2 (256 bits)", + "ui-priority": 0, + "misp-attribute": "sha512/256", + "recommended": false + }, + "ssdeep": { + "description": "Fuzzy hash using context triggered piecewise hashes (CTPH)", + "ui-priority": 0, + "misp-attribute": "ssdeep" + }, + "size-in-bytes": { + "description": "Size of the LNK file, in bytes", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "size-in-bytes" + }, + "entropy": { + "description": "Entropy of the whole file", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "float" + }, + "pattern-in-file": { + "description": "Pattern that can be found in the file", + "categories": [ + "Artifacts dropped", + "Payload installation", + "External analysis" + ], + "ui-priority": 1, + 
"misp-attribute": "pattern-in-file", + "multiple": true + }, + "text": { + "description": "Free text value to attach to the file", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "malware-sample": { + "description": "The LNK file itself (binary)", + "ui-priority": 1, + "misp-attribute": "malware-sample" + }, + "filename": { + "description": "Filename on disk", + "disable_correlation": true, + "multiple": true, + "categories": [ + "Payload delivery", + "Artifacts dropped", + "Payload installation", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "filename" + }, + "path": { + "description": "Path of the LNK filename complete or partial", + "disable_correlation": true, + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "fullpath": { + "description": "Complete path of the LNK filename including the filename", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "tlsh": { + "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash", + "ui-priority": 0, + "misp-attribute": "tlsh" + }, + "state": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "State of the LNK file", + "multiple": true, + "disable_correlation": true, + "values_list": [ + "Malicious", + "Harmless", + "Trusted" + ] + }, + "lnk-creation-time": { + "description": "Creation time of the LNK", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "lnk-modification-time": { + "description": "Modification time of the LNK", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "lnk-access-time": { + "description": "Access time of the LNK", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "lnk-file-size": { + "description": "Size of the target file, in bytes", 
+ "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "size-in-bytes" + }, + "lnk-icon-index": { + "description": "Icon index", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-show-window-value": { + "description": "Show Window value", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-hot-key-value": { + "description": "Hot Key value", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-file-attribute-flags": { + "description": "File attribute flags", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-drive-type": { + "description": "Drive type", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-drive-serial-number": { + "description": "Drive serial number", + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-volume-label": { + "description": "Volume label", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-local-path": { + "description": "Local path", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-description": { + "description": "LNK description", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-relative-path": { + "description": "Relative path", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-working-directory": { + "description": "LNK working path", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-command-line-arguments": { + "description": "LNK command line arguments", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "machine-identifier": { + "description": "Machine identifier", + "ui-priority": 0, + "misp-attribute": "text" + }, + "droid-volume-identifier": { + "description": "Droid volume identifier", 
+ "ui-priority": 0, + "misp-attribute": "text" + }, + "droid-file-identifier": { + "description": "Droid file identifier (UUIDv1 where MAC can be extracted)", + "ui-priority": 0, + "misp-attribute": "text" + }, + "birth-droid-volume-identifier": { + "description": "Droid volume identifier", + "ui-priority": 0, + "misp-attribute": "text" + }, + "birth-droid-file-identifier": { + "description": "Birth droid volume identifier (UUIDv1 where MAC can be extracted)", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "LNK object describing a Windows LNK binary file (aka Windows shortcut)", + "meta-category": "file", + "uuid": "ad13533e-1853-4da0-a111-33a7ce7e6c09", + "name": "lnk" +} From b4478a6c2b123763fb3ce2f6fef04916950b0384 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Apr 2019 11:22:22 +0200 Subject: [PATCH 193/244] add: [tor-hiddenservice] a simple object template to describe Tor Onion Service --- objects/tor-hiddenservice/definition.json | 41 +++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 objects/tor-hiddenservice/definition.json diff --git a/objects/tor-hiddenservice/definition.json b/objects/tor-hiddenservice/definition.json new file mode 100644 index 0000000..0ff9fa5 --- /dev/null +++ b/objects/tor-hiddenservice/definition.json 
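Review bot: The descriptions of `birth-droid-volume-identifier` and `birth-droid-file-identifier` are copy-paste slips: the first reads "Droid volume identifier", identical to `droid-volume-identifier`, and the second reads "Birth droid volume identifier" although the key is the file identifier; suggested `"description": "Birth droid volume identifier",` and `"description": "Birth droid file identifier (UUIDv1 where MAC can be extracted)",`. Separately, `lnk-command-line-arguments`, `lnk-local-path`, `lnk-relative-path` and `lnk-working-directory` all carry `disable_correlation: true`, whereas the host-identifying fields (`machine-identifier`, the `droid-*` keys) are left with correlation enabled; for a template meant to describe shortcut files, the target path and arguments are usually what distinguishes one shortcut from another, so the exclusion is worth a one-line justification in each description, or the flag could be dropped at least for `lnk-command-line-arguments`. Finally, `sha224` and `sha512/224` (and likewise `sha256` and `sha512/256`) share the identical description "Secure Hash Algorithm 2 (224 bits)", so a reader cannot tell the truncated variants apart; `"description": "Secure Hash Algorithm 2, SHA-512/224 truncated variant (224 bits)",` would disambiguate, and if other file templates reuse this wording they should be aligned together.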
@@ -0,0 +1,41 @@
+{
+ "requiredOneOf": [
+ "address",
+ "first-seen",
+ "last-seen",
+ "description"
+ ],
+ "required": [
+ "address"
+ ],
+ "attributes": {
+ "description": {
+ "description": "Tor onion service comment.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "address": {
+ "description": "onion address of the Tor node seen.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "last-seen": {
+ "description": "When the Tor hidden service was seen for the last time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "first-seen": {
+ "description": "When the Tor hidden service was been seen for the first time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "Tor hidden service (onion service) object.",
+ "meta-category": "misc",
+ "uuid": "cbac07d6-fbe9-43b8-8d91-d515812ce330",
+ "name": "tor-hiddenservice"
+}
From bfcfe7aae9a13db637281c8ccd10f9d89d33b593 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 5 Apr 2019 11:24:54 +0200
Subject: [PATCH 194/244] chg: [doc] tor-hiddenservices added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 57b2491..d4f4921 100644
--- a/README.md
+++ b/README.md
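Review bot: `first-seen`'s description has a grammar slip, "was been seen"; `"description": "When the Tor hidden service was seen for the first time.",` matches the `last-seen` wording, and `address`'s description says "Tor node" although the object is a hidden service, so `"description": "onion address of the Tor hidden service seen.",` would keep the terminology consistent with the object description. `address` is also listed in both `required` and `requiredOneOf`; since `required` already forces it to be present, the `requiredOneOf` list is always satisfied and adds nothing, assuming both keys are enforced as their names suggest, so removing `address` from `requiredOneOf` (or dropping that list) states the intent more clearly. Because `address` is typed `text`, the `.onion` value presumably gets no format validation; if the attribute set in use has a hostname-like type that fits, it would be the safer choice, otherwise the expected format (hostname ending in `.onion`) is worth stating in the description.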
@@ -139,6 +139,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timesketch-timeline](objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. +* [objects/tor-hiddenservice](objects/tor-hiddenservice/definition.json) - Tor hidden service (Onion Service) object to describe a Tor hidden service. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform. * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. From 006aa1d1a2ae5cd0cb729dee8b62441400c7b904 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 7 Apr 2019 22:24:58 +0200 Subject: [PATCH 195/244] chg: [script] filename added to fix #149 --- objects/script/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/script/definition.json b/objects/script/definition.json index f95d34f..7389fa1 100644 --- a/objects/script/definition.json +++ b/objects/script/definition.json @@ -1,6 +1,7 @@ { "required": [ - "script" + "script", + "filename" ], "attributes": { "script": { 
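Review bot: The script hunk adds `filename` to `required` rather than `requiredOneOf`, so after this change a script object must carry both `script` and `filename`; any existing producer that only supplies the script body will fail template validation, and the subject line ("filename added to fix #149") does not say whether making the filename mandatory was the goal (I cannot see the issue). If the intent was to allow a filename-only object, a script known by name but not captured, the change should be `"requiredOneOf": [ "script", "filename" ]` instead. The version bump in the next hunk is the right companion either way; the remainder of the file is outside this hunk.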
@@ -55,7 +56,7 @@ ] } }, - "version": 2, + "version": 3, "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "meta-category": "misc", "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", From c5532621b65eed485ed03e4f200a2c4fedd8c22f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 7 Apr 2019 22:28:36 +0200 Subject: [PATCH 196/244] chg: [ip-port] ip-src added to fix #149 --- objects/ip-port/definition.json | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index a91ed90..b8d245a 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json @@ -4,7 +4,8 @@ "src-port", "domain", "hostname", - "ip" + "ip", + "ip-src" ], "attributes": { "text": { @@ -74,9 +75,19 @@ "ui-priority": 1, "misp-attribute": "ip-dst", "multiple": true + }, + "ip-src": { + "description": "source IP address", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-src", + "multiple": true } }, - "version": 7, + "version": 8, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", From bfa883751ab723308dd8c5689e37cc3d918ded3f Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 11:00:45 +0530 Subject: [PATCH 197/244] add : relationship "creates" --- relationships/definition.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 4a9f801..873fdb1 100644 --- a/relationships/definition.json +++ b/relationships/definition.json 
@@ -934,6 +934,13 @@
 "format": [
 "misp"
 ]
+ },
+ {
+ "name": "creates",
+ "description": "Represents an object that creates something.",
+ "format": [
+ "misp"
+ ]
 }
 ],
 "description": "Default type of relationships in MISP objects.",
From 71419a999a361519960f6f685f79d3bdb12552a7 Mon Sep 17 00:00:00 2001
From: haxpak
Date: Sat, 13 Apr 2019 11:55:38 +0530
Subject: [PATCH 198/244] new-object : Organization "Defines an organization"
---
 objects/organization/definition.json | 79 ++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 objects/organization/definition.json
diff --git a/objects/organization/definition.json b/objects/organization/definition.json
new file mode 100644
index 0000000..4d8bac1
--- /dev/null
+++ b/objects/organization/definition.json
@@ -0,0 +1,79 @@ +{ + "requiredOneOf": [ + "name", + "alias" + ], + "attributes": { + "name": { + "description": "Name of the organization", + "disable_correlation": false, + "ui-priority": 100, + "misp-attribute": "text" + }, + "alias": { + "description": "Alias of the organization", + "ui-priority": 99, + "misp-attribute": "text", + "multiple" : true + }, + + "type-of-organizarion" : { + "description" : "Type of the organization", + "ui-priority" : 97, + "misp-attribute" : "text" + }, + "date-of-inception": { + "description": "Date of inception of the organization", + "ui-priority": 0, + "misp-attribute": "date-of-birth" + }, + + "phone-number": { + "description": "Phone number of the organization.", + "ui-priority": 10, + "misp-attribute": "phone-number", + "multiple": true + }, + "fax-number": { + "description": "Fax number of the organization.", + "ui-priority": 10, + "misp-attribute": "phone-number", + "multiple": true + }, + "address": { + "description": "Postal address of the organization.", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + + "e-mail": { + "description": "Email address of the organization.", + "ui-priority": 10, + "misp-attribute": "email-src", + "multiple": true + }, + + "role": { + "description": "The role of a person.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "values_list": [ + "Suspect", + "Victim", + "Defendent", + "Accused", + "Culprit", + "Accomplice", + "Target" + ], + "disable_correlation": true + } + }, + "version": 10, + "description": "An object which describes a person or an identity.", + "meta-category": "organization", + "uuid": "ec8f8ca1-7f82-4d79-a9d0-2254303de686", + "name": "organization" +} From 161f72678a66e48a46bc73b95b9e34a7f6ab8b25 Mon Sep 17 00:00:00 2001 
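Review bot: The attribute key `type-of-organizarion` is misspelled (organizarion → organization); because attribute keys are the persisted identifiers that instances and exports reference, correcting it later means a rename plus a version bump, so it should be fixed before the template ships, and the typo still survives the "fixed typos" reformat of this file in patch 202. The `role` block is inherited from the person template with person-centric values ("Suspect", "Victim", "Defendent", "Accused", "Culprit", "Accomplice", "Target") and "Defendent" is itself misspelled; `"Defendant"` at minimum, and ideally a role set chosen for organizations rather than copied. `e-mail` is typed `email-src` although an organization's contact address is not a message source, so if a plain email type exists in the attribute set it would be a better fit; that is inferred from the type name only.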
From: haxpak Date: Sat, 13 Apr 2019 12:05:51 +0530 Subject: [PATCH 199/244] modified : person object "changed UI priority of the attributes" modified : report object "added attachment to report" --- objects/person/definition.json | 13 +++++++------ objects/report/definition.json | 10 ++++++++-- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 220f7b3..59de239 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -13,17 +13,17 @@ }, "last-name": { "description": "Last name of a natural person.", - "ui-priority": 0, + "ui-priority": 100, "misp-attribute": "last-name" }, "middle-name": { "description": "Middle name of a natural person.", - "ui-priority": 0, + "ui-priority": 99, "misp-attribute": "middle-name" }, "first-name": { "description": "First name of a natural person.", - "ui-priority": 0, + "ui-priority": 98, "misp-attribute": "first-name", "disable_correlation": true }, @@ -34,13 +34,13 @@ }, "title": { "description": "Title of the natural person such as Dr. or equivalent.", - "ui-priority": 0, + "ui-priority": 101, "misp-attribute": "text", "disable_correlation": true }, "alias": { "description": "Alias name or known as.", - "ui-priority": 0, + "ui-priority": 97, "misp-attribute": "text", "multiple": true }, @@ -182,7 +182,8 @@ "Accused", "Culprit", "Accomplice", - "Witness" + "Witness", + "Target" ], "disable_correlation": true } diff --git a/objects/report/definition.json b/objects/report/definition.json index cce9d89..8b83a4d 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json @@ -5,7 +5,7 @@ "attributes": { "summary": { "description": "Free text summary of the report", - "ui-priority": 1, + "ui-priority": 100, "misp-attribute": "text", "categories": [ "Other", 
@@ -21,7 +21,13 @@ "Internal reference", "Other" ] - } + }, + "report-file(s)": { + "description": "Attachment(s) that is related to the report", + "ui-priority": 99, + "misp-attribute": "attachment", + "multiple": true + }, }, "version": 1, "description": "Metadata used to generate an executive level report", From 26987ca80a071037497d625437ea0fa1ae71da6d Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 12:11:43 +0530 Subject: [PATCH 200/244] added : meta_category "organization" #162 --- schema_objects.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/schema_objects.json b/schema_objects.json index 0d80fa0..57d9c4f 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -68,7 +68,8 @@ "financial", "misc", "internal", - "vulnerability" + "vulnerability", + "organization" ] }, "name": { From 23ab7351199fbdfa521a99a0fc4ef066188ebc9e Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 13:32:56 +0530 Subject: [PATCH 201/244] - added : attachment attribute to annotation - added : new object type device --- objects/annotation/definition.json | 8 +++- objects/device/definition.json | 61 ++++++++++++++++++++++++++++ objects/organization/definition.json | 8 ++-- 3 files changed, 72 insertions(+), 5 deletions(-) create mode 100644 objects/device/definition.json diff --git a/objects/annotation/definition.json b/objects/annotation/definition.json index d062eca..2231bbc 100644 --- a/objects/annotation/definition.json +++ b/objects/annotation/definition.json @@ -61,7 +61,13 @@ "description": "Last update of the annotation", "ui-priority": 0, "misp-attribute": "datetime" - } + }, + "attachment" : { + "description" : "An attachment to support the annotation", + "ui-priority" : 0, + "misp-attribute": "attachment", + "multiple" : true + }, }, "version": 2, "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.", 
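Review bot: `report-file(s)` is added to the report template while the context line keeps `"version": 1`, so consumers that use the version to detect template changes will not see this one; the same omission appears in the annotation hunk of patch 201 on this line, where `attachment` is added and `"version": 2` is kept. Bumping to `"version": 2,` here and `"version": 3,` there would follow the convention the other hunks in this series apply (credential 2→3, ip-port 7→8, process 4→5). The key `report-file(s)` also contains parentheses, which no other attribute key in the series does and which is awkward for consumers that map keys to identifiers; `"report-file": {` with the existing `"multiple": true` already expresses plurality.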
diff --git a/objects/device/definition.json b/objects/device/definition.json new file mode 100644 index 0000000..dbe58ad --- /dev/null +++ b/objects/device/definition.json @@ -0,0 +1,61 @@ +{ + "requiredOneOf": [ + "name" + ], + "attributes": { + "description": { + "description": "Description of the Device", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation" : true + }, + "name" : { + "description" : "Name of the Device", + "ui-priority" : 101, + "misp-attribute" : "text", + }, + "alias" : { + "description" : "Alias of the Device", + "ui-priority" : 100, + "misp-attribute" : "text", + "multiple" : true + }, + "device-type": { + "description": "Type of the device", + "ui-priority": 99, + "misp-attribute": "text", + "disable_correlation": true, + "categories": [ + "PC", + "Mobile", + "Laptop", + "HID", + "TV", + "IoT", + "Hardware", + "Other" + ] + }, + "ip-address": { + "description": "Device IP address", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "analysis-date": { + "description": "Date of device analysis", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "attachment" : { + "description" : "An attachment", + "ui-priority" : 0, + "misp-attribute": "attachment", + "multiple" : true + }, + }, + "version": 3, + "description": "An object to define a device", + "meta-category": "device", + "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", + "name": "Device" +} diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 4d8bac1..b14bafc 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -55,7 +55,7 @@ }, "role": { - "description": "The role of a person.", + "description": "The role of the organization.", "ui-priority": 0, "misp-attribute": "text", "multiple": true, 
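Review bot: `device-type` uses `categories` to hold the list of allowed device types ("PC", "Mobile", "Laptop", …), but elsewhere in this series `categories` holds MISP attribute categories ("Artifacts dropped", "Payload installation", "Other" in the lnk template) while an enumeration of expected values is expressed with `values_list` (lnk `state`, organization `role`) or `sane_default`; as written, a consumer will most likely treat "PC" as an attribute category rather than a value. Renaming the key to `"values_list": [` keeps the list and fixes the semantics, and this is not touched by patch 202's reformat of the same file. Two smaller points: `"name": "Device"` is capitalised while every other template name in the series is lowercase and matches its directory (`objects/device`), and `ip-address` is typed `ip-src` although a device's address is neither source nor destination, so the reason for that choice belongs in the description.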
@@ -71,9 +71,9 @@ "disable_correlation": true } }, - "version": 10, - "description": "An object which describes a person or an identity.", + "version": 1, + "description": "An object which describes an organization.", "meta-category": "organization", - "uuid": "ec8f8ca1-7f82-4d79-a9d0-2254303de686", + "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", "name": "organization" } From df91c999e60fdc9bfb9a50003a8610648c371add Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 13:45:05 +0530 Subject: [PATCH 202/244] fixed typos and ran jq_all_things --- objects/annotation/definition.json | 10 +++++----- objects/device/definition.json | 30 ++++++++++++++-------------- objects/organization/definition.json | 14 +++++-------- objects/report/definition.json | 2 +- 4 files changed, 26 insertions(+), 30 deletions(-) diff --git a/objects/annotation/definition.json b/objects/annotation/definition.json index 2231bbc..cfadfc1 100644 --- a/objects/annotation/definition.json +++ b/objects/annotation/definition.json @@ -62,12 +62,12 @@ "ui-priority": 0, "misp-attribute": "datetime" }, - "attachment" : { - "description" : "An attachment to support the annotation", - "ui-priority" : 0, + "attachment": { + "description": "An attachment to support the annotation", + "ui-priority": 0, "misp-attribute": "attachment", - "multiple" : true - }, + "multiple": true + } }, "version": 2, "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.", diff --git a/objects/device/definition.json b/objects/device/definition.json index dbe58ad..50653ec 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json 
@@ -7,18 +7,18 @@ "description": "Description of the Device", "ui-priority": 0, "misp-attribute": "text", - "disable_correlation" : true + "disable_correlation": true }, - "name" : { - "description" : "Name of the Device", - "ui-priority" : 101, - "misp-attribute" : "text", + "name": { + "description": "Name of the Device", + "ui-priority": 101, + "misp-attribute": "text" }, - "alias" : { - "description" : "Alias of the Device", - "ui-priority" : 100, - "misp-attribute" : "text", - "multiple" : true + "alias": { + "description": "Alias of the Device", + "ui-priority": 100, + "misp-attribute": "text", + "multiple": true }, "device-type": { "description": "Type of the device", @@ -46,12 +46,12 @@ "ui-priority": 0, "misp-attribute": "datetime" }, - "attachment" : { - "description" : "An attachment", - "ui-priority" : 0, + "attachment": { + "description": "An attachment", + "ui-priority": 0, "misp-attribute": "attachment", - "multiple" : true - }, + "multiple": true + } }, "version": 3, "description": "An object to define a device", diff --git a/objects/organization/definition.json b/objects/organization/definition.json index b14bafc..923bdc2 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -14,20 +14,18 @@ "description": "Alias of the organization", "ui-priority": 99, "misp-attribute": "text", - "multiple" : true + "multiple": true }, - - "type-of-organizarion" : { - "description" : "Type of the organization", - "ui-priority" : 97, - "misp-attribute" : "text" + "type-of-organizarion": { + "description": "Type of the organization", + "ui-priority": 97, + "misp-attribute": "text" }, "date-of-inception": { "description": "Date of inception of the organization", "ui-priority": 0, "misp-attribute": "date-of-birth" }, - "phone-number": { "description": "Phone number of the organization.", "ui-priority": 10, 
@@ -46,14 +44,12 @@ "misp-attribute": "text", "multiple": true }, - "e-mail": { "description": "Email address of the organization.", "ui-priority": 10, "misp-attribute": "email-src", "multiple": true }, - "role": { "description": "The role of the organization.", "ui-priority": 0, diff --git a/objects/report/definition.json b/objects/report/definition.json index 8b83a4d..053677d 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json @@ -27,7 +27,7 @@ "ui-priority": 99, "misp-attribute": "attachment", "multiple": true - }, + } }, "version": 1, "description": "Metadata used to generate an executive level report", From 63fff149f0ed47019085f16cbd23bc181e2b8125 Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 13:49:16 +0530 Subject: [PATCH 203/244] added requiredOneOf to device definition --- objects/device/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 50653ec..a25a617 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -1,6 +1,7 @@ { "requiredOneOf": [ - "name" + "name", + "alias" ], "attributes": { "description": { From 6917beee5fe85440649c7848d6d768c102c95815 Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 14:02:26 +0530 Subject: [PATCH 204/244] reverted device to misc category --- objects/device/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index a25a617..4826bdd 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -56,7 +56,7 @@ }, "version": 3, "description": "An object to define a device", - "meta-category": "device", + "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", "name": "Device" } From 9f3fb14ed548c6a5f3a664fb4823a3719d4db688 Mon Sep 17 00:00:00 2001 
From: haxpak Date: Sat, 13 Apr 2019 14:57:55 +0530 Subject: [PATCH 205/244] changed organization meta category to misc --- objects/organization/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 923bdc2..966a8f5 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -69,7 +69,7 @@ }, "version": 1, "description": "An object which describes an organization.", - "meta-category": "organization", + "meta-category": "misc", "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", "name": "organization" } From e470413f413946b400b9348d2fbe8bad95fb85b9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 13 Apr 2019 14:59:38 +0200 Subject: [PATCH 206/244] chg: [schema] category removed --- schema_objects.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/schema_objects.json b/schema_objects.json index 57d9c4f..0d80fa0 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -68,8 +68,7 @@ "financial", "misc", "internal", - "vulnerability", - "organization" + "vulnerability" ] }, "name": { From 81924c519f2d5899023da427cc2d5f8cf29e076b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 13 Apr 2019 15:04:23 +0200 Subject: [PATCH 207/244] chg: [doc] new organization and device object added --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index d4f4921..9ebdfc4 100644 --- a/README.md +++ b/README.md 
@@ -82,6 +82,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions. * [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s). * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. +* [objects/device](objects/device/definition.json) - An object to describe a device such as a computer, laptop or alike. * [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network. * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame. * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF). 
@@ -112,6 +113,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. * [objects/network-socket](objects/network-socket/definition.json) - Object to describe a local or remote network connections based on the socket data structure. * [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. +* [objects/organization](objects/organization/definition.json) - An object which describes an organization. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. From bb9ff86b2ff61d3977807b99d57bc271ef17417a Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 10:53:57 +0530 Subject: [PATCH 208/244] added MAC address to device meta category of organization changed to organization meta category of person object changed to organization new object phishing-kit --- objects/device/definition.json | 10 ++- objects/organization/definition.json | 2 +- objects/person/definition.json | 2 +- objects/phishing-kit/definition.json | 97 ++++++++++++++++++++++++++++ 4 files changed, 107 insertions(+), 4 deletions(-) create mode 100644 objects/phishing-kit/definition.json diff --git a/objects/device/definition.json b/objects/device/definition.json index 4826bdd..3a04004 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json 
@@ -40,7 +40,13 @@ "ip-address": { "description": "Device IP address", "ui-priority": 0, - "misp-attribute": "ip-src" + "misp-attribute": "ip-src", + "multiple" : true + }, + "MAC-address": { + "description": "Device MAC address", + "ui-priority": 0, + "misp-attribute": "text" }, "analysis-date": { "description": "Date of device analysis", @@ -54,7 +60,7 @@ "multiple": true } }, - "version": 3, + "version": 4, "description": "An object to define a device", "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 966a8f5..923bdc2 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -69,7 +69,7 @@ }, "version": 1, "description": "An object which describes an organization.", - "meta-category": "misc", + "meta-category": "organization", "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", "name": "organization" } diff --git a/objects/person/definition.json b/objects/person/definition.json index 59de239..2359536 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -190,7 +190,7 @@ }, "version": 9, "description": "An object which describes a person or an identity.", - "meta-category": "misc", + "meta-category": "organization", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", "name": "person" } diff --git a/objects/phishing-kit/definition.json b/objects/phishing-kit/definition.json new file mode 100644 index 0000000..7ac2e42 --- /dev/null +++ b/objects/phishing-kit/definition.json 
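Review bot: Setting `"meta-category": "organization"` on the organization and person templates reintroduces a value that patch 206 removed from the `meta-category` enum in `schema_objects.json` (that list ends `"financial", "misc", "internal", "vulnerability"`), so if that schema is what validates the templates, both files will now fail validation; either the enum needs `"organization"` back or these two hunks should stay on `"misc"`. The person hunk changes the template while leaving `"version": 9` unchanged, so consumers that rely on the version to pick up template changes will not notice; `"version": 10,` should accompany it. In the device hunk, `MAC-address` is the only upper-case attribute key in the series; `"mac-address": {` would be consistent with `ip-address`, and since it is typed `text` the value presumably gets no normalisation, which is worth a note in the description if no dedicated type is available.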
@@ -0,0 +1,97 @@ + +{ + "name": "phishing-kit", + "uuid": "e08eea9b-5776-4014-9b0e-a821ee890143", + "meta-category": "network", + "description": "Oject to describe a phishing-kit.", + "version": 1, + "attributes": { + "internal reference": { + "categories": [ + "Internal reference" + ], + "misp-attribute": "text", + "ui-priority": 1, + "description": "Internal reference such as ticket ID" + }, + "date-found": { + "multiple": true, + "misp-attribute": "datetime", + "ui-priority": 0, + "description": "Date when the phishing kit was found", + "to_ids" : false, + "disable_correlation" : true + }, + "reference-link": { + "to_ids": false, + "multiple": true, + "ui-priority": 1, + "misp-attribute": "link", + "description": "Link where the Phishing Kit was observed" + }, + "threat-actor-email" : { + "description" : "Email of the Threat Actor", + "multiple" : true, + "ui-priority" : 0, + "misp-attribute" : "email-src" + }, + "email-type" : { + "description" : "Type of the Email", + "multiple" : false, + "ui-priority" : 0, + "misp-attribute" : "text", + "disable_correlation" : true + }, + "kit-mailer" : { + "description" : "Mailer Kit Used", + "multiple" : true, + "ui-priority" : 0, + "misp-attribute" : "text", + "disable_correlation" : true + }, + "target" :{ + "description" : "What was targeted using this phishing kit", + "multiple" : true, + "ui-priority" : 1, + "misp-attribute" : "text" + }, + "phishing-domain" : { + "description" : "Domain used for Phishing", + "multiple" : true, + "ui-priority" : 1, + "misp-attribute" : "url" + }, + "online": { + "disable_correlation": true, + "misp-attribute": "text", + "values_list": [ + "Yes", + "No" + ], + "ui-priority": 0, + "description": "If the phishing kit is online and operational, by default is yes" + }, + "kit-url": { + "misp-attribute": "url", + "ui-priority": 1, + "description": "URL of Phishing Kit" + }, + "threat-actor" : { + "description" : "Identified threat actor", + "ui-priority" : 0, + "multiple" : true, + 
"misp-attribute" : "text" + }, + "kit-name" : { + "description" : "Name of the Phishing Kit", + "ui-priority" : 10, + "misp-attribute" : "text" + } + }, + "requiredOneOf": [ + "kit-url", + "reference-link", + "kit-name", + "kit-hash" + ] +} From b24336499ad58f6f115efb6bd1ecc1ed653facc4 Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 11:04:57 +0530 Subject: [PATCH 209/244] modified: objects/device/definition.json modified: objects/phishing-kit/definition.json --- objects/device/definition.json | 4 +- objects/phishing-kit/definition.json | 81 ++++++++++++++-------------- 2 files changed, 42 insertions(+), 43 deletions(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 3a04004..f467fe3 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -41,7 +41,7 @@ "description": "Device IP address", "ui-priority": 0, "misp-attribute": "ip-src", - "multiple" : true + "multiple": true }, "MAC-address": { "description": "Device MAC address", @@ -60,7 +60,7 @@ "multiple": true } }, - "version": 4, + "version": 5, "description": "An object to define a device", "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", diff --git a/objects/phishing-kit/definition.json b/objects/phishing-kit/definition.json index 7ac2e42..6364636 100644 --- a/objects/phishing-kit/definition.json +++ b/objects/phishing-kit/definition.json @@ -1,10 +1,9 @@ - { "name": "phishing-kit", - "uuid": "e08eea9b-5776-4014-9b0e-a821ee890143", + "uuid": "f452c16b-12fa-4f87-84a2-15a9e8ca6e7c", "meta-category": "network", "description": "Oject to describe a phishing-kit.", - "version": 1, + "version": 2, "attributes": { "internal reference": { "categories": [ @@ -19,8 +18,8 @@ "misp-attribute": "datetime", "ui-priority": 0, "description": "Date when the phishing kit was found", - "to_ids" : false, - "disable_correlation" : true + "to_ids": false, + "disable_correlation": true }, "reference-link": { "to_ids": false, 
@@ -29,37 +28,37 @@ "misp-attribute": "link", "description": "Link where the Phishing Kit was observed" }, - "threat-actor-email" : { - "description" : "Email of the Threat Actor", - "multiple" : true, - "ui-priority" : 0, - "misp-attribute" : "email-src" + "threat-actor-email": { + "description": "Email of the Threat Actor", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "email-src" }, - "email-type" : { - "description" : "Type of the Email", - "multiple" : false, - "ui-priority" : 0, - "misp-attribute" : "text", - "disable_correlation" : true + "email-type": { + "description": "Type of the Email", + "multiple": false, + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true }, - "kit-mailer" : { - "description" : "Mailer Kit Used", - "multiple" : true, - "ui-priority" : 0, - "misp-attribute" : "text", - "disable_correlation" : true + "kit-mailer": { + "description": "Mailer Kit Used", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true }, - "target" :{ - "description" : "What was targeted using this phishing kit", - "multiple" : true, - "ui-priority" : 1, - "misp-attribute" : "text" + "target": { + "description": "What was targeted using this phishing kit", + "multiple": true, + "ui-priority": 1, + "misp-attribute": "text" }, - "phishing-domain" : { - "description" : "Domain used for Phishing", - "multiple" : true, - "ui-priority" : 1, - "misp-attribute" : "url" + "phishing-domain": { + "description": "Domain used for Phishing", + "multiple": true, + "ui-priority": 1, + "misp-attribute": "url" }, "online": { "disable_correlation": true, 
@@ -76,16 +75,16 @@ "ui-priority": 1, "description": "URL of Phishing Kit" }, - "threat-actor" : { - "description" : "Identified threat actor", - "ui-priority" : 0, - "multiple" : true, - "misp-attribute" : "text" + "threat-actor": { + "description": "Identified threat actor", + "ui-priority": 0, + "multiple": true, + "misp-attribute": "text" }, - "kit-name" : { - "description" : "Name of the Phishing Kit", - "ui-priority" : 10, - "misp-attribute" : "text" + "kit-name": { + "description": "Name of the Phishing Kit", + "ui-priority": 10, + "misp-attribute": "text" } }, "requiredOneOf": [ From 8fe63dfccc46276b0602426e1598241a401f091a Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 11:14:35 +0530 Subject: [PATCH 210/244] modified: relationships/definition.json --- relationships/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 873fdb1..0c1a8a2 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -939,7 +939,8 @@ "name": "creates", "description": "Represents an object that creates something.", "format": [ - "misp" + "misp", + "haxpak" ] } ], From 4f1745a09581628be0e2447e7b0b3b655a85bd18 Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 11:26:12 +0530 Subject: [PATCH 211/244] added meta category organization --- objects/organization/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 923bdc2..ed0f4f8 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -71,5 +71,5 @@ "description": "An object which describes an organization.", "meta-category": "organization", "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", - "name": "organization" + "name": "misc" } From 2053c17fa4a36287ca05cee45158f2807a8df3c4 Mon Sep 17 00:00:00 2001 
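Review bot: Adding `"haxpak"`, the committer's handle, to the `format` list of `creates` looks like a misuse of that field: the entries visible on this page hold source vocabularies such as `misp`, not contributor names, so this presumably intends to record authorship and should be dropped or moved to wherever the file credits contributors. The relationships file `version` is also not bumped here, while patch 217 on this page bumps it for a comparable change.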
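Review bot: This hunk changes `name` from `organization` to `misc`, but the commit subject says the intent was the meta category; `name` is the template's identifier and should keep matching its directory `objects/organization`, so the line should remain `"name": "organization"`. Patch 213 further down this page restores the meta-category but leaves `"name": "misc"` in place, so the mistake survives the follow-up corrections.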
From: haxpak Date: Sun, 14 Apr 2019 11:27:29 +0530 Subject: [PATCH 212/244] corrected typo --- objects/person/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 2359536..59de239 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -190,7 +190,7 @@ }, "version": 9, "description": "An object which describes a person or an identity.", - "meta-category": "organization", + "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", "name": "person" } From 836bd04a75f0ec33b0f9a207b2ac4b8193f932cd Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 11:32:55 +0530 Subject: [PATCH 213/244] meta category for organization changed back to misc since schema_objects.json does not recognize organization as a meta category --- objects/organization/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/organization/definition.json b/objects/organization/definition.json index ed0f4f8..f575479 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -69,7 +69,7 @@ }, "version": 1, "description": "An object which describes an organization.", - "meta-category": "organization", + "meta-category": "misc", "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", "name": "misc" } From 3cef676f34088bc61089f98d349a5299f727d14f Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 10:29:09 +0530 Subject: [PATCH 214/244] added OS, version, dns-name attribute to device changed misp-attribute of mac-address from text to mac-address --- objects/device/definition.json | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 4826bdd..9ed3013 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json 
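Review bot: The meta-category is restored to `misc`, but the context line `"name": "misc"` shows the template name is still the wrong value introduced by patch 211; it should read `"name": "organization"` to match the directory and the README entry on this page. `version` also stays at 1 across three successive edits of this file.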
@@ -37,10 +37,35 @@ "Other" ] }, + "OS" : { + "description" : "OS of the device", + "ui-priority" : 98, + "misp-attribute" : "text", + "disable_correlation" : true, + "multiple" : true + }, + "version" : { + "description" : "Version of the device/ OS", + "ui-priority" : 97, + "misp-attribute" : "text", + "disable_correlation" : true + }, "ip-address": { "description": "Device IP address", "ui-priority": 0, - "misp-attribute": "ip-src" + "misp-attribute": "ip-src", + "multiple": true + }, + "dns-name": { + "description": "Device DNS Name", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "MAC-address": { + "description": "Device MAC address", + "ui-priority": 0, + "misp-attribute": "mac-address" }, "analysis-date": { "description": "Date of device analysis", @@ -54,7 +79,7 @@ "multiple": true } }, - "version": 3, + "version": 6, "description": "An object to define a device", "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", From 9f4e7737a100b01417ff887fe604aebd2f284ec3 Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 10:33:08 +0530 Subject: [PATCH 215/244] added attribute DNS name to device object changed MAC address misp attribute to mac-address --- objects/device/definition.json | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 9ed3013..729f908 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json 
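Review bot: `dns-name` is typed `text` while the value it holds is a hostname; `"misp-attribute": "hostname"` would let it correlate with hostname indicators recorded elsewhere and be exported with the right type. The new keys `OS` and `MAC-address` use capitals whereas the rest of the file is lowercase kebab-case (`ip-address`, `analysis-date`), and an attribute named `version` is easy to confuse with the template-level `version` bumped in the second hunk (3 to 6, skipping the 4 and 5 reached by patches 208 and 209). The `index 4826bdd..9ed3013` header suggests this patch is based on the pre-208 file, so it re-adds `MAC-address` and `multiple` and appears likely to conflict on apply.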
@@ -37,18 +37,18 @@ "Other" ] }, - "OS" : { - "description" : "OS of the device", - "ui-priority" : 98, - "misp-attribute" : "text", - "disable_correlation" : true, - "multiple" : true + "OS": { + "description": "OS of the device", + "ui-priority": 98, + "misp-attribute": "text", + "disable_correlation": true, + "multiple": true }, - "version" : { - "description" : "Version of the device/ OS", - "ui-priority" : 97, - "misp-attribute" : "text", - "disable_correlation" : true + "version": { + "description": "Version of the device/ OS", + "ui-priority": 97, + "misp-attribute": "text", + "disable_correlation": true }, "ip-address": { "description": "Device IP address", From 89b8e10fbe5991da74937fd6eb7488e708b1603e Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 17:41:39 +0530 Subject: [PATCH 216/244] added option "Further Analysis Required" to attribute stage --- objects/course-of-action/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/course-of-action/definition.json b/objects/course-of-action/definition.json index ee5b157..b2099e0 100644 --- a/objects/course-of-action/definition.json +++ b/objects/course-of-action/definition.json @@ -53,7 +53,8 @@ "disable_correlation": true, "sane_default": [ "Remedy", - "Response" + "Response", + "Further Analysis Required" ] }, "cost": { From 2d6522887df976fe7a00f105491b5695549274a9 Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 18:00:21 +0530 Subject: [PATCH 217/244] added relationship "executes" --- relationships/definition.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 873fdb1..d028c66 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1,5 +1,5 @@ { - "version": 14, + "version": 15, "values": [ { "name": "derived-from", 
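Review bot: The `stage` value list gains `Further Analysis Required` but the course-of-action template `version` is not bumped (the diffstat shows only this two-line change), so consumers that cache the template by version will not see the new option; add a `- "version": N` / `+ "version": N+1` pair, the current value being outside the hunk.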
@@ -10,6 +10,11 @@ "alfred" ] }, + { + "name" : "executes", + "description" : "This relationship describes an object which executes another object", + "format" : [ "misp" ] + }, { "name": "duplicate-of", "description": "The referenced source and target objects are semantically duplicates of each other.", From befa47d2c53ce45df655515a6c99dc0cdced63c2 Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 18:04:44 +0530 Subject: [PATCH 218/244] [added] relationship 'executes' : Describes a an object that executes another object --- relationships/definition.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index d028c66..3d9dc87 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -11,9 +11,11 @@ ] }, { - "name" : "executes", - "description" : "This relationship describes an object which executes another object", - "format" : [ "misp" ] + "name": "executes", + "description": "This relationship describes an object which executes another object", + "format": [ + "misp" + ] }, { "name": "duplicate-of", From 4066da31e4a7201a9319b8bd9da82b8c40122338 Mon Sep 17 00:00:00 2001 From: haxpak Date: Tue, 16 Apr 2019 08:31:43 +0530 Subject: [PATCH 219/244] changed device type drop down from category to sane_default --- objects/device/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 4826bdd..5d7ba0e 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -26,7 +26,7 @@ "ui-priority": 99, "misp-attribute": "text", "disable_correlation": true, - "categories": [ + "sane_default": [ "PC", "Mobile", "Laptop", From 371ffe77fb74f40d8d52e86de90c1034e0083618 Mon Sep 17 00:00:00 2001 
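Review bot: The new `executes` description, `This relationship describes an object which executes another object`, is phrased differently from its neighbours, which describe the relation itself and end with a period (e.g. `Represents an object that creates something.`); `"description": "Represents an object that executes another object."` would match. The `" :` spacing and the single-line `format` array are also out of step with the file (patch 218 reformats them, but the wording stays).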
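Review bot: Switching `categories` to `sane_default` for the device `type` attribute changes how the value list is offered, but the template `version` is not bumped in this one-line patch, so instances holding the previous template will not pick up the change. The `index 4826bdd..5d7ba0e` header again shows the patch is based on the original file rather than the result of patches 208–215, so it appears to need a merge against the `OS`/`version`/`MAC-address` additions already on this page.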
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 18 Apr 2019 11:13:03 +0200 Subject: [PATCH 220/244] chg: Allow to create a file object with a non-malicious file. Fix #175 #176 --- objects/file/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 7c79f77..85b79c9 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -16,6 +16,7 @@ "pattern-in-file", "x509-fingerprint-sha1", "malware-sample", + "attachment", "path", "fullpath" ], @@ -112,6 +113,11 @@ "ui-priority": 1, "misp-attribute": "malware-sample" }, + "attachment": { + "description": "A non-malicious file.", + "ui-priority": 1, + "misp-attribute": "attachment" + }, "filename": { "description": "Filename on disk", "disable_correlation": true, @@ -436,7 +442,7 @@ ] } }, - "version": 16, + "version": 17, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From bb7e8f27f817d3b32e28250541700cbc95ef16a7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 21 Apr 2019 15:51:57 +0200 Subject: [PATCH 221/244] chg: [tools] remove trailing dot if presents --- tools/adoc_objects.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/adoc_objects.py b/tools/adoc_objects.py index c75e282..0b77c40 100755 --- a/tools/adoc_objects.py +++ b/tools/adoc_objects.py @@ -3,7 +3,7 @@ # # # A simple converter of MISP objects to asciidoctor format -# Copyright (C) 2017-2018 Alexandre Dulaunoy +# Copyright (C) 2017-2019 Alexandre Dulaunoy # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as 
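Review bot: The `attachment` description `A non-malicious file.` states a verdict rather than what the attribute holds; as far as I know an `attachment` is stored as-is, without the wrapping applied to `malware-sample`, so the description should tell analysts when to pick which type. Something like `"description": "File attached as-is (not handled as a malware sample); use malware-sample for content that may be malicious."` makes the distinction explicit. Adding `attachment` to `requiredOneOf` in the first hunk is consistent with that intent.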
@@ -73,12 +73,14 @@ def asciidoc(content=False, adoc=None, t='title',title=''): if t == 'title': output = '== ' + content elif t == 'info': + content = content.rstrip('\.') output = "\n{}.\n\n{} {} {}{}/definition.json[*this location*] {}.\n".format(content, 'NOTE: ', title, 'is a MISP object available in JSON format at https://github.com/MISP/misp-objects/blob/master/objects/',title.lower(),' The JSON format can be freely reused in your application or automatically enabled in https://www.github.com/MISP/MISP[MISP]') elif t == 'author': output = '\nauthors:: {}\n'.format(' - '.join(content)) elif t == 'value': output = '=== ' + content elif t == 'description': + content = content.rstrip('\.') output = '\n{}\n'.format(content) elif t == 'attributes': #output = '\n{}\n'.format From 3dcb1725aea7e65ac7cb4cac41c86c1dabad0236 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 21 Apr 2019 15:52:57 +0200 Subject: [PATCH 222/244] chg: [phishing-kit] small typo fixed in the description --- objects/phishing-kit/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/phishing-kit/definition.json b/objects/phishing-kit/definition.json index 6364636..0da5baa 100644 --- a/objects/phishing-kit/definition.json +++ b/objects/phishing-kit/definition.json @@ -2,8 +2,8 @@ "name": "phishing-kit", "uuid": "f452c16b-12fa-4f87-84a2-15a9e8ca6e7c", "meta-category": "network", - "description": "Oject to describe a phishing-kit.", - "version": 2, + "description": "Object to describe a phishing-kit.", + "version": 3, "attributes": { "internal reference": { "categories": [ From 025a9a93232222df02119c0b96ccdd9adf3a2afa Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 21 Apr 2019 15:56:23 +0200 Subject: [PATCH 223/244] chg: [doc] phishing-kit object added to the list --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9ebdfc4..1e1e4e1 100644 --- a/README.md +++ b/README.md 
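Review bot: `content.rstrip('\.')` is wrong on two counts: `'\.'` is not a valid escape, so the literal is the two characters backslash and dot (Python 3 emits a DeprecationWarning, a SyntaxWarning from 3.12), and `str.rstrip` takes a set of characters, so the call also strips any trailing backslashes. Use `content = content.rstrip('.')` in both the `info` and `description` branches, or `content = content[:-1] if content.endswith('.') else content` if only one trailing dot should go. The same line is duplicated in two branches; a small helper would keep them in sync. The body of `asciidoc` continues outside the hunk.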
@@ -120,6 +120,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description. * [objects/person](objects/person/definition.json) - A person object which describes a person or an identity. * [objects/phishing](objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis. +* [objects/phishing-kit](objects/phishing-kit/definition.json) - Object to describe a phishing kit. * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object. * [objects/process](objects/process/definition.json) - A process object. * [objects/regexp](objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression. From b656cc532d1656da8aa12b695fe0322f2d16c0fd Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 21 Apr 2019 15:57:07 +0200 Subject: [PATCH 224/244] chg: [device] name of an object must be lowercase --- objects/device/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index bab949e..d9f05d5 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -79,9 +79,9 @@ "multiple": true } }, - "version": 6, + "version": 7, "description": "An object to define a device", "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", - "name": "Device" + "name": "device" } From 1966d4d5f0ed81d0b67b87ff5a4012a1b00f83ec Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Sat, 27 Apr 2019 10:28:50 +0200 Subject: [PATCH 225/244] add: [irc] IRC object to describe an IRC server with associated IRC channels --- objects/irc/definition.json | 68 +++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 objects/irc/definition.json diff --git a/objects/irc/definition.json b/objects/irc/definition.json new file mode 100644 index 0000000..030a656 --- /dev/null +++ b/objects/irc/definition.json 
@@ -0,0 +1,68 @@ +{ + "requiredOneOf": [ + "ip", + "hostname" + ], + "attributes": { + "text": { + "description": "Description of the IRC server", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-seen": { + "description": "Last time the IRC server with the associated channels has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "first-seen": { + "description": "First time the IRC server with the associated channels has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "dst-port": { + "description": "Destination port to reach the IRC server", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "port", + "disable_correlation": true, + "multiple": true + }, + "channel": { + "description": "IRC channel associated to the IRC server", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "hostname": { + "description": "Hostname of the IRC server", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "hostname", + "multiple": true + }, + "ip": { + "description": "IP address of the IRC server", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-dst", + "multiple": true + } + }, + "version": 1, + "description": "An IRC object to describe an IRC server and the associated channels.", + "meta-category": "network", + "uuid": "4bbbc004-c344-4b20-8672-b41102177fc7", + "name": "irc" +} From 0f6fdee7f32ce9f57a344323564bc5e6f60bfc8f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 27 Apr 2019 10:32:10 +0200 Subject: [PATCH 226/244] chg: [irc] add nickname used for associated IRC server and channel(s) --- objects/irc/definition.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
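Review bot: `channel` is a free-text attribute with correlation left enabled, and IRC channel names are often generic, so the same name will correlate across unrelated events and add noise; either set `"disable_correlation": true` on it or state in the description that correlation on channel names is intended. `requiredOneOf` accepts only `ip` and `hostname`, so a sighting that knows only a channel cannot be recorded with this template (patch 226 on this page widens the list).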
diff --git a/objects/irc/definition.json b/objects/irc/definition.json index 030a656..a371761 100644 --- a/objects/irc/definition.json +++ b/objects/irc/definition.json @@ -1,7 +1,9 @@ { "requiredOneOf": [ "ip", - "hostname" + "hostname", + "channel", + "nickname" ], "attributes": { "text": { @@ -39,6 +41,12 @@ "misp-attribute": "text", "multiple": true }, + "nickname": { + "description": "IRC nickname used to connect to the associated IRC server and channels", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, "hostname": { "description": "Hostname of the IRC server", "categories": [ @@ -60,7 +68,7 @@ "multiple": true } }, - "version": 1, + "version": 2, "description": "An IRC object to describe an IRC server and the associated channels.", "meta-category": "network", "uuid": "4bbbc004-c344-4b20-8672-b41102177fc7", From baae683771af5c57051216d2589435b8f8b67008 Mon Sep 17 00:00:00 2001 From: mday Date: Tue, 30 Apr 2019 12:18:08 -0500 Subject: [PATCH 227/244] update the definition files of various object types so that the `required` and `requiredOneOf` lists no longer specify attributes that do not exist in the objects. --- objects/file/definition.json | 2 +- objects/mactime-timeline-analysis/definition.json | 4 ++-- objects/original-imported-file/definition.json | 2 +- objects/phishing-kit/definition.json | 3 +-- objects/python-etvx-event-log/definition.json | 2 +- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 85b79c9..944834c 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -14,7 +14,7 @@ "sha512/256", "tlsh", "pattern-in-file", - "x509-fingerprint-sha1", + "certificate", "malware-sample", "attachment", "path", diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json index a8f32e9..cb20d2b 100644 --- a/objects/mactime-timeline-analysis/definition.json 
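Review bot: The `requiredOneOf` entries are renamed (`x509-fingerprint-sha1` to `certificate` here, and likewise in the mactime-timeline-analysis, original-imported-file, phishing-kit and python-etvx-event-log hunks on the next line), but the `attributes` blocks are outside the hunks, so the new names cannot be checked against the defined attributes from this page; please confirm each exists. None of the five files has its `version` bumped (one or two lines changed per file in the diffstat) although the creation contract of each template changes, whereas patch 220 bumped the file template to 17 for a comparable edit.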
+++ b/objects/mactime-timeline-analysis/definition.json @@ -1,7 +1,7 @@ { "requiredOneOf": [ - "filepath", - "file_activity", + "file-path", + "activityType", "datetime" ], "attributes": { diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index 5bd93ff..6436924 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json @@ -1,7 +1,7 @@ { "requiredOneOf": [ "imported-sample", - "type" + "format" ], "attributes": { "imported-sample": { diff --git a/objects/phishing-kit/definition.json b/objects/phishing-kit/definition.json index 0da5baa..2112d20 100644 --- a/objects/phishing-kit/definition.json +++ b/objects/phishing-kit/definition.json @@ -90,7 +90,6 @@ "requiredOneOf": [ "kit-url", "reference-link", - "kit-name", - "kit-hash" + "kit-name" ] } diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json index 2c50d9a..a2f9a7b 100644 --- a/objects/python-etvx-event-log/definition.json +++ b/objects/python-etvx-event-log/definition.json @@ -1,7 +1,7 @@ { "required": [ "source", - "type", + "event-type", "name" ], "attributes": { From 71b4e71ab11bcca32a8e7dc9e2a287ae2c9dd267 Mon Sep 17 00:00:00 2001 From: mday Date: Wed, 1 May 2019 14:11:30 -0500 Subject: [PATCH 228/244] update the misp-attribute to specify a valid value instead of an empty string --- .../regripper-system-hive-general-configuration/definition.json | 2 +- objects/regripper-system-hive-service-drivers/definition.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json index b2fe81b..85b9192 100644 --- a/objects/regripper-system-hive-general-configuration/definition.json +++ b/objects/regripper-system-hive-general-configuration/definition.json 
@@ -77,7 +77,7 @@ "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "", + "misp-attribute": "text", "disable_correlation": true } }, diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index b5dcaf5..cbd0fec 100644 --- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json @@ -86,7 +86,7 @@ "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "", + "misp-attribute": "text", "disable_correlation": true } }, From e76e492894fbe260f9f67a8b72447b93f0e36196 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 1 May 2019 21:32:14 +0200 Subject: [PATCH 229/244] chg: [regripper] version updated --- .../regripper-system-hive-general-configuration/definition.json | 2 +- objects/regripper-system-hive-service-drivers/definition.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json index 85b9192..2851077 100644 --- a/objects/regripper-system-hive-general-configuration/definition.json +++ b/objects/regripper-system-hive-general-configuration/definition.json @@ -81,7 +81,7 @@ "disable_correlation": true } }, - "version": 1, + "version": 2, "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", "meta-category": "misc", "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index cbd0fec..38a560a 100644 --- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json 
@@ -90,7 +90,7 @@ "disable_correlation": true } }, - "version": 1, + "version": 2, "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.", "meta-category": "misc", "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", From f2e8195d505cb0a87a6e87f95d394df5e1acbed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Fri, 3 May 2019 11:18:58 +0200 Subject: [PATCH 230/244] new: Add offset, virtual_address and virtual_size to the pe section object Related to https://github.com/MISP/PyMISP/issues/388 --- objects/pe-section/definition.json | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/objects/pe-section/definition.json b/objects/pe-section/definition.json index 3d1d792..2ef4c3c 100644 --- a/objects/pe-section/definition.json +++ b/objects/pe-section/definition.json @@ -88,6 +88,24 @@ "ui-priority": 1, "misp-attribute": "size-in-bytes" }, + "offset": { + "description": "Section’s offset", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "hex" + }, + "virtual_address": { + "description": "Section’s virtual address", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "hex" + }, + "virtual_size": { + "description": "Section’s virtual size", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "size-in-bytes" + }, "text": { "description": "Free text value to attach to the section", "disable_correlation": true, @@ -106,7 +124,7 @@ "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "Object describing a section of a Portable Executable", "meta-category": "file", "uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", From cce77727d6544ee44c9a2bd64bb69cd9dfaf5c7b Mon Sep 17 00:00:00 2001 
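Review bot: `Section’s offset` does not say what the offset is relative to, and the curly apostrophe (U+2019) is valid JSON but unlike the ASCII descriptions elsewhere on this page; `"description": "Offset of the section, presumably from the start of the file"` (with the reference point confirmed against the producer linked in the commit message) would be clearer. The new keys `virtual_address` and `virtual_size` use snake_case while most attribute keys in this series are kebab-case (`dst-port`, `first-seen`); the x509 template also mixes the two, so consistency within each file is the minimum to aim for.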
From: Alexandre Dulaunoy Date: Sun, 5 May 2019 12:31:41 +0200 Subject: [PATCH 231/244] chg: [x509] improve X.509 certificate description to match required ones from LIEF (as discussed in #180). --- objects/x509/definition.json | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index 42ecb04..2822cd3 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -15,12 +15,14 @@ "pubkey-info-algorithm": { "description": "Algorithm of the public key", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "pubkey-info-size": { "description": "Length of the public key (in bits)", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "pubkey-info-exponent": { "description": "Exponent of the public key", @@ -60,24 +62,27 @@ "misp-attribute": "text" }, "text": { - "description": "Free text description of hte certificate", + "description": "Free text description of the certificate", "ui-priority": 1, "misp-attribute": "text" }, "validity-not-before": { "description": "Certificate invalid before that date", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "validity-not-after": { "description": "Certificate invalid after that date", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "issuer": { "description": "Issuer of the certificate", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "serial-number": { "description": "Serial number of the certificate", 
@@ -87,26 +92,36 @@ "version": { "description": "Version of the certificate", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "self_signed": { "description": "Self-signed certificate", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "is_ca": { "description": "CA certificate", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "dns_names": { "description": "DNS names", "multiple": true, "misp-attribute": "text", "ui-priority": 0 + }, + "signature_algorithm": { + "description": "Signature algorithm", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true, + "sane_default": ["SHA1_WITH_RSA_ENCRYPTION","SHA256_WITH_RSA_ENCRYPTION"] } }, - "version": 8, + "version": 9, "description": "x509 object describing a X.509 certificate", "meta-category": "network", "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", From 8f951e84502eecdaf404a0fa6a557220f0ecb0ee Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 5 May 2019 12:33:59 +0200 Subject: [PATCH 232/244] chg: [jq] jq all the things(tm) --- objects/x509/definition.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index 2822cd3..cf9fe39 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -118,7 +118,10 @@ "misp-attribute": "text", "ui-priority": 0, "disable_correlation": true, - "sane_default": ["SHA1_WITH_RSA_ENCRYPTION","SHA256_WITH_RSA_ENCRYPTION"] + "sane_default": [ + "SHA1_WITH_RSA_ENCRYPTION", + "SHA256_WITH_RSA_ENCRYPTION" + ] } }, "version": 9, From 230122493cf66881eb89c9e6aa393df808dad50e Mon Sep 17 00:00:00 2001 
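Review bot: The `sane_default` list for the new `signature_algorithm` attribute covers only two RSA variants, so it cannot suggest a value for ECDSA- or SHA-384/512-signed certificates, which are common in current TLS and code-signing chains; free text still works because this is a suggestion list rather than a closed `values_list`, but analysts will then type inconsistent spellings. Suggest adding at least `"SHA384_WITH_RSA_ENCRYPTION"`, `"ECDSA_WITH_SHA256"` and `"ECDSA_WITH_SHA384"` in the same naming convention (the commit message says the names follow LIEF, so check LIEF's enum spellings before adding). A short note in the description that `SHA1_WITH_RSA_ENCRYPTION` is kept for legacy and malicious samples would help, since SHA-1 signatures are rejected by modern verifiers and their presence is itself a useful signal. The enclosing `attributes` object begins before the hunk.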
From: Alexandre Dulaunoy
Date: Mon, 6 May 2019 07:10:33 +0200
Subject: [PATCH 233/244] chg: [authenticode-signerinfo] first version
---
 .../authenticode-signerinfo/definition.json | 62 +++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 objects/authenticode-signerinfo/definition.json
diff --git a/objects/authenticode-signerinfo/definition.json b/objects/authenticode-signerinfo/definition.json
new file mode 100644
index 0000000..7010ce9
--- /dev/null
+++ b/objects/authenticode-signerinfo/definition.json
@@ -0,0 +1,62 @@
+{
+ "requiredOneOf": [
+ "url",
+ "program-name"
+ ],
+ "attributes": {
+ "text": {
+ "description": "Free text description of the signer info",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "issuer": {
+ "description": "Issuer of the certificate",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "version": {
+ "description": "Version of the certificate",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "url": {
+ "description": "Url",
+ "multiple": true,
+ "misp-attribute": "url",
+ "ui-priority": 0
+ },
+ "content-type": {
+ "description": "Content type",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "program-name": {
+ "description": "Program name",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "digest_algorithm": {
+ "description": "Digest algorithm",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "signature_algorithm": {
+ "description": "Signature algorithm",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "SHA1_WITH_RSA_ENCRYPTION",
+ "SHA256_WITH_RSA_ENCRYPTION"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "Authenticode Signer Info",
+ "meta-category": "file",
+ "uuid": "965cb0aa-baf1-4cc6-9070-68f5c1698c1e",
+ "name": "authenticode-signerinfo"
+}
From 53e67b013122d658ff0f07e94ba34db81f69277b Mon Sep 17 00:00:00 2001
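Review bot: `issuer` and `version` carry descriptions copied from the x509 template ("Issuer of the certificate", "Version of the certificate"), but in an Authenticode SignerInfo the version is the PKCS#7/CMS SignerInfo version and the issuer is one half of the IssuerAndSerialNumber that identifies the signing certificate — and the other half, the serial number, has no attribute at all, so the object can neither pin down which certificate signed the binary nor be linked to a matching x509 object on its `serial-number`. Suggest adding `"serial-number": {"description": "Serial number of the signing certificate (IssuerAndSerialNumber of the SignerInfo)", "misp-attribute": "text", "ui-priority": 0}` and rewording the two copied descriptions accordingly. `requiredOneOf` being `url`/`program-name` is also questionable: both are optional opus-info strings chosen by whoever signed the file, so a SignerInfo with neither cannot be recorded while one carrying nothing that identifies the signer can; requiring `issuer` or `serial-number` instead would match what the object is for. `digest_algorithm` would benefit from a `sane_default` like the one given for `signature_algorithm`.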
From: Alexandre Dulaunoy Date: Mon, 6 May 2019 07:17:11 +0200 Subject: [PATCH 234/244] chg: [authenticode] signerinfo template added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1e1e4e1..4736e4b 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/ais-info](objects/ais-info/definition.json) - Object describing Automated Indicator Sharing (AIS) information source markings. * [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file). * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. +* [objects/authenticode-signerinfo](objects/authenticode-signerinfo/definition.json) - Authenticode signer info. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. * [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0. * [objects/bgp-hijack](objects/bgp-hijack/definition.json) - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com From e066df4e6d1e6a8d09f40a463cadb9fa84ca5722 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 9 May 2019 17:35:14 +0200 Subject: [PATCH 235/244] chg: [microblog] state field added to describe if the tweet is malicious or just OSINT. --- objects/microblog/definition.json | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json index 847fceb..877226b 100644 --- a/objects/microblog/definition.json 
+++ b/objects/microblog/definition.json @@ -29,6 +29,17 @@ "Other" ] }, + "state": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "State of the microblog post", + "disable_correlation": true, + "values_list": [ + "Informative", + "Malicious", + "Unknown" + ] + }, "username": { "description": "Username who posted the microblog post (without the @ prefix)", "ui-priority": 0, @@ -62,7 +73,7 @@ "misp-attribute": "text" } }, - "version": 5, + "version": 6, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "meta-category": "misc", "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", From d922d3eaa5848f3601275e7083ec0e66d8a3701c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 16 May 2019 15:08:43 +0200 Subject: [PATCH 236/244] chg: [person] Gender unknown added This has been added when investigation is ongoing and alias is know but gender is unknown discovered during Enforce training. topic:enforce --- objects/person/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 59de239..2a0befe 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -63,7 +63,8 @@ "Male", "Female", "Other", - "Prefer not to say" + "Prefer not to say", + "Unknown" ], "disable_correlation": true }, @@ -188,7 +189,7 @@ "disable_correlation": true } }, - "version": 9, + "version": 10, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From be7e37200a4c4110e76b739c8e746222d2c77772 Mon Sep 17 00:00:00 2001 
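Review bot: The new `state` attribute's description (`State of the microblog post`) does not say what its three values distinguish, while the commit message makes the intent clear — whether the post is itself malicious or merely OSINT about a threat; without that in the template, `Informative` versus `Unknown` will be applied inconsistently across sharing partners, and `Malicious` may be read as "the post reports something malicious". Suggest `"description": "Whether the post is itself malicious (e.g. a lure, C2 or exfiltration channel) or an informative/OSINT post about a threat"`. The enclosing `attributes` object starts before the hunk.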
From: Alexandre Dulaunoy Date: Sun, 19 May 2019 17:47:51 +0200 Subject: [PATCH 237/244] add: [ssh-authorized-keys] object to add elements from SSH authorized keys (and do correlation for fun-and-profit(tm)) --- objects/ssh-authorized-keys/definition.json | 72 +++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 objects/ssh-authorized-keys/definition.json diff --git a/objects/ssh-authorized-keys/definition.json b/objects/ssh-authorized-keys/definition.json new file mode 100644 index 0000000..3e6f047 --- /dev/null +++ b/objects/ssh-authorized-keys/definition.json 
@@ -0,0 +1,72 @@
+{
+ "requiredOneOf": [
+ "ip",
+ "hostname",
+ "full-line",
+ "key"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the ssh authorized keys",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "recommended": false
+ },
+ "last-seen": {
+ "description": "Last time the ssh authorized keys file has been seen",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "first-seen": {
+ "description": "First time the ssh authorized keys file has been seen",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "full-line": {
+ "description": "One full-line of the authorized key file",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "key": {
+ "description": "Public key in base64 as found in the authorized key file",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "key-id": {
+ "description": "Key-id and option part of the public key line",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "hostname": {
+ "description": "hostname",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "hostname",
+ "multiple": true
+ },
+ "ip": {
+ "description": "IP Address",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "ip-dst",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "An object to store ssh authorized keys file.",
+ "meta-category": "network",
+ "uuid": "d1db3e4d-c932-4d8b-a915-4cff088cb678",
+ "name": "ssh-authorized-keys"
+}
From 816f38c61ee3d68d1872a107bcca0646668f532e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 19 May 2019 17:54:50 +0200
Subject: [PATCH 238/244] chg: [doc] ssh-authorized-keys object template added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
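Review bot: `key-id` ("Key-id and option part of the public key line") folds two different parts of an authorized_keys line into one correlating free-text attribute: the options prefix (`command=`, `from=`, `no-pty`, …) that restricts what the key may do, and the trailing comment that usually names the owner or host; correlation on that mix is mostly noise, and the key type (`ssh-rsa`, `ssh-ed25519`, …) is captured nowhere since `key` holds only the base64 blob. Suggest splitting it into `key-type`, `options` and `comment` attributes, or at minimum renaming `key-id` to `comment` with `"description": "Trailing comment of the authorized_keys line (usually user@host)"` and putting the options in their own non-correlating attribute. A `fingerprint` attribute (the SHA256 form printed by `ssh-keygen -l`) would correlate far better in practice than the raw base64, because that is the form auth logs and most tooling report; presumably correlation is the main use here given the commit message.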
diff --git a/README.md b/README.md index 4736e4b..91c2fc0 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s). * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. +* [objects/ssh-authorized-keys](objects/ssh-authorized-keys/definition.json) - SSH authorized keys object to store keys and option from SSH authorized_keys file. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. * [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system. * [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object. From a1b2db8fd12f0fd23ff0555780fc474979f7406f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 23 May 2019 11:24:05 +0200 Subject: [PATCH 239/244] chg: [script] requiredOneOf for script or filename Malicious scripts can be received without having a filename. --- objects/script/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/script/definition.json b/objects/script/definition.json index 7389fa1..c7eb0f6 100644 --- a/objects/script/definition.json +++ b/objects/script/definition.json @@ -1,5 +1,5 @@ { - "required": [ + "requiredOneOf": [ "script", "filename" ], 
@@ -56,7 +56,7 @@ ] } }, - "version": 3, + "version": 4, "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "meta-category": "misc", "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", From 48c64c52fcc5e3f43b7a29af94c78bcf14bc5cc6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 1 Jun 2019 10:04:46 +0200 Subject: [PATCH 240/244] new: [shell-commands] Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. --- objects/shell-commands/definition.json | 62 ++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 objects/shell-commands/definition.json diff --git a/objects/shell-commands/definition.json b/objects/shell-commands/definition.json new file mode 100644 index 0000000..37160ea --- /dev/null +++ b/objects/shell-commands/definition.json 
@@ -0,0 +1,62 @@
+{
+ "requiredOneOf": [
+ "shell-command"
+ ],
+ "attributes": {
+ "script": {
+ "description": "Free text of the script if available which executed the shell commands.",
+ "ui-priority": 10,
+ "misp-attribute": "text"
+ },
+ "comment": {
+ "description": "Comment associated to the shell commands executed.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "language": {
+ "description": "Scripting language used for the shell commands executed.",
+ "ui-priority": 9,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "PowerShell",
+ "VBScript",
+ "Bash",
+ "Lua",
+ "JavaScript",
+ "AppleScript",
+ "AWK",
+ "Python",
+ "Perl",
+ "Ruby",
+ "Winbatch",
+ "AutoIt",
+ "PHP"
+ ]
+ },
+ "shell-command": {
+ "description": "",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "state": {
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "description": "Known state of the script.",
+ "multiple": true,
+ "disable_correlation": true,
+ "values_list": [
+ "Malicious",
+ "Unknown",
+ "Harmless",
+ "Trusted"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.",
+ "meta-category": "misc",
+ "uuid": "fee65efa-eb64-4516-8611-1db76c589f79",
+ "name": "script"
+}
From a9b5c4136ffa601ebc89bfed83dc710e17b9ecb8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 1 Jun 2019 10:06:00 +0200
Subject: [PATCH 241/244] chg: [doc] shell-commands object added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 91c2fc0..1cb0714 100644
--- a/README.md
+++ b/README.md
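Review bot: The only required attribute, `shell-command`, has an empty `"description": ""`, so the one field every instance must carry is the one with no guidance on what goes in it — a single command per attribute, the whole command line including arguments, in execution order or not. Suggest `"description": "Shell command line executed, one attribute per command in execution order"`. `state` is also marked `"multiple": true`, which lets a single object be both `Malicious` and `Trusted` at once; unless that is intended, a single value would be clearer and would match the single-valued `state` the microblog template in this same series uses. The `ui-priority` values `10` and `9` on `script` and `language` are unusual for this repository, where most attributes use `0` or `1`, and may be worth a comment in the commit if deliberate.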
@@ -133,6 +133,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. * [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. +* [objects/shell-commands](objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target. * [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s). * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. From e7bb12af7daa0d771dd558bf7707610d7e9b46ed Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 1 Jun 2019 10:13:06 +0200 Subject: [PATCH 242/244] chg: [shell-commands] fix typo in object name --- objects/shell-commands/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/shell-commands/definition.json b/objects/shell-commands/definition.json index 37160ea..8600073 100644 --- a/objects/shell-commands/definition.json +++ b/objects/shell-commands/definition.json 
@@ -58,5 +58,5 @@ "description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.", "meta-category": "misc", "uuid": "fee65efa-eb64-4516-8611-1db76c589f79", - "name": "script" + "name": "shell-commands" } From 7a01bff00f9eb25fdd2fcfe49034dfb6134fb363 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 1 Jun 2019 11:17:33 +0200 Subject: [PATCH 243/244] chg: [relationships] screenshot-of added to the list of default relationships --- relationships/definition.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 29c470f..9668cc6 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -949,6 +949,13 @@ "misp", "haxpak" ] + }, + { + "name": "screenshot-of", + "description": "Represents an object being the screenshot of something.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From 41a6d596ff2ca0605e719e8af054efb7d06dce06 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 18 Jun 2019 17:38:45 +0200 Subject: [PATCH 244/244] chg: [rogue-dns] new object template expressing rogue dns Thanks to CERT.br for the contribution --- objects/rogue-dns/definition.json | 46 +++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 objects/rogue-dns/definition.json diff --git a/objects/rogue-dns/definition.json b/objects/rogue-dns/definition.json new file mode 100644 index 0000000..3e6e4a9 --- /dev/null +++ b/objects/rogue-dns/definition.json 
@@ -0,0 +1,46 @@
+{
+ "required": [
+ "rogue-dns"
+ ],
+ "attributes": {
+ "timestamp": {
+ "description": "Last time that the rogue DNS value was seen.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "rogue-dns": {
+ "description": "IP address of the rogue DNS",
+ "ui-priority": 0,
+ "misp-attribute": "ip-dst"
+ },
+ "status": {
+ "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "ROGUE DNS",
+ "Unknown"
+ ],
+ "disable_correlation": true
+ },
+ "hijacked-domain": {
+ "description": "Domain/hostname hijacked by the the rogue DNS",
+ "categories": [
+ "Network activity"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "phishing-ip": {
+ "description": "Resource records returns by the rogue DNS",
+ "ui-priority": 1,
+ "misp-attribute": "ip-dst"
+ }
+ },
+ "version": 1,
+ "description": "Rogue DNS as defined by CERT.br",
+ "meta-category": "network",
+ "uuid": "b7e7859b-6872-4fd2-ac49-f66ccb904505",
+ "name": "rogue-dns"
+}
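Review bot: The `status` description ("How many authoritative DNS answers were received at the Passive DNS Server's collectors…") reads like a passive-DNS count field and has nothing to do with its own `sane_default` values `ROGUE DNS`/`Unknown`; suggest `"description": "Classification of the resolver: ROGUE DNS when confirmed to serve hijacked answers, Unknown otherwise"`. `hijacked-domain` and `phishing-ip` are single-valued, yet a rogue resolver typically hijacks several domains and returns more than one record for each, so `"multiple": true` on both would avoid one object per domain/IP pair; `phishing-ip`'s description "Resource records returns by the rogue DNS" should also say what the value is, e.g. `"IP address(es) returned by the rogue DNS for the hijacked domain"`, and `hijacked-domain` has a doubled "the the". `timestamp` is described as a last-seen time, so naming it `last-seen` (as the ssh-authorized-keys template in this series does) would keep the datetime convention consistent across objects.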