From b6f12a9f46ddf10743208b964d12b6618e2f0e11 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 9 Jun 2018 11:36:58 +0200
Subject: [PATCH] chg: new script template object
Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
Fix #101
---
 README.md | 1 +
 objects/script/definition.json | 62 ++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 objects/script/definition.json
diff --git a/README.md b/README.md
index 09ce8b5..feee1c7 100644
--- a/README.md
+++ b/README.md
@@ -111,6 +111,7 @@ for a specific attribute.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
+* [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
 * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target.
 * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
 * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
diff --git a/objects/script/definition.json b/objects/script/definition.json
new file mode 100644
index 0000000..1824f58
--- /dev/null
+++ b/objects/script/definition.json
@@ -0,0 +1,62 @@
+{
+ "required": [
+ "script"
+ ],
+ "attributes": {
+ "script": {
+ "description": "Free text of the script.",
+ "ui-priority": 10,
+ "misp-attribute": "text"
+ },
+ "comment": {
+ "description": "Comment associated to the script.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "language": {
+ "description": "Scripting language used for the script.",
+ "ui-priority": 9,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "PowerShell",
+ "VBScript",
+ "Bash",
+ "Lua",
+ "JavaScript",
+ "AppleScript",
+ "AWK",
+ "Python",
+ "Perl",
+ "Ruby",
+ "Winbatch",
+ "AutoIt"
+ ]
+ },
+ "filename": {
+ "description": "Filename used for the script.",
+ "ui-priority": 8,
+ "misp-attribute": "filename",
+ "multiple": true,
+ "disable_correlation": true
+ },
+ "state": {
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "description": "Known state of the script.",
+ "multiple": true,
+ "disable_correlation": true,
+ "values_list": [
+ "Malicious",
+ "Unknown",
+ "Harmless",
+ "Trusted"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
+ "meta-category": "misc",
+ "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",
+ "name": "script"
+}
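Review bot: The `state` attribute pairs `"multiple": true` with a closed `values_list`, so one script object can carry both `Malicious` and `Trusted` (or any other contradictory pair), and a consumer that filters or allow-lists on this field has no defined way to resolve the conflict. Dropping the `"multiple": true,` line from `state` would keep the verdict single-valued; differing verdicts from several sources fit better as separate objects. Separately, `comment` is the only helper attribute without `"disable_correlation": true`, while `language`, `filename` and `state` all set it. Assuming `text` values are correlated by default (not visible in this patch), generic comments would generate noisy correlations between unrelated events, so adding `"disable_correlation": true` to `comment` looks appropriate.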