From 262e2bee9031e893edcfdac699d65bb9d0442f8d Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Mon, 12 Dec 2022 19:01:23 +0100
Subject: [PATCH 1/4] Created definition for ADS For ADS framework - create
---
objects/ADS/definition.json | 81 +++++++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
create mode 100644 objects/ADS/definition.json
diff --git a/objects/ADS/definition.json b/objects/ADS/definition.json
new file mode 100644
index 0000000..a37afdd
--- /dev/null
+++ b/objects/ADS/definition.json
@@ -0,0 +1,81 @@
+{
+ "attributes": {
+ "additional_resources": {
+ "description": "Any other internal, external, or technical references that may be useful for understanding the ADS.",
+ "misp-attribute": "url",
+ "multiple": true,
+ "ui-priority": 2
+ },
+ "blind_spots_and_assumptions": {
+ "description": "Recognized issues, assumptions, and areas where an ADS may not fire.",
+ "misp-attribute": "text",
+ "ui-priority": 7
+ },
+ "categorization": {
+ "description": "Provides a mapping of the ADS to the relevant entry in the Att&CK.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 10
+ },
+ "date": {
+ "description": "Enter date, when ADS has been created or edited.",
+ "misp-attribute": "datetime",
+ "ui-priority": 12
+ },
+ "false_positives": {
+ "description": "Known instances of an ADS misfiring due to a misconfiguration, idiosyncrasy in the environment, or other non-malicious scenario.",
+ "misp-attribute": "text",
+ "ui-priority": 6
+ },
+ "goal": {
+ "description": "Short, plaintext description of the type of behavior the ADS is supposed to detect.",
+ "misp-attribute": "text",
+ "ui-priority": 11
+ },
+ "priority": {
+ "description": "Describes the various alerting levels that an ADS may be tagged with.",
+ "misp-attribute": "text",
+ "ui-priority": 4
+ },
+ "responses": {
+ "description": "General response steps in the event that this alert fired.",
+ "misp-attribute": "text",
+ "ui-priority": 3
+ },
+ "sigma_rule": {
+ "description": "Rule in SIGMA format.",
+ "misp-attribute": "sigma",
+ "ui-priority": 1
+ },
+ "strategy_abstract": {
+ "description": "High-level walkthrough of how the ADS functions.",
+ "misp-attribute": "text",
+ "ui-priority": 9
+ },
+ "technical_context": {
+ "description": "Detailed information and background needed for a responder to understand all components of the alert. ",
+ "misp-attribute": "text",
+ "ui-priority": 8
+ },
+ "validation": {
+ "description": "lists the steps required to generate a representative true positive event which triggers this alert.",
+ "misp-attribute": "text",
+ "ui-priority": 5
+ },
+ "acd-element": {
+ "description": "lists the steps required to generate a representative true positive event which triggers this alert.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.",
+ "meta-category": "misc",
+ "name": "ADS",
+ "required": [
+ "date",
+ "goal",
+ "categorization"
+ ],
+ "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
+ "version": 1
+}
From 5ff1dff7b0fcaedb8f026e19805f9f4b2b224b5f Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Mon, 12 Dec 2022 19:02:23 +0100
Subject: [PATCH 2/4] Create definition in groups Inspired by threat actor group cards
---
objects/groups/definition.json | 68 ++++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 objects/groups/definition.json
diff --git a/objects/groups/definition.json b/objects/groups/definition.json
new file mode 100644
index 0000000..a9aa6b4
--- /dev/null
+++ b/objects/groups/definition.json
@@ -0,0 +1,68 @@
+{
+ "attributes": {
+ "names": {
+ "description": "Names or nicknames for group.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "country": {
+ "description": "Country of group - group location where it operates from.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "sponsor": {
+ "description": "Sponsor of group ie. country, state, criminal ring, cartel etc..",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 2
+ },
+ "motivation": {
+ "description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3
+ },
+ "description": {
+ "description": "Description of group activities or TTP used for group actions.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": false,
+ "ui-priority": 4
+ },
+ "observed": {
+ "description": "What sector is this group active at? Government, telecommunication etc and country of activity.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 5
+ },
+ "tools used": {
+ "description": "What known tools are used by group.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 6
+ },
+ "more informations": {
+ "description": "List more informations by url - reports, group links etc..",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 7
+ }
+ },
+ "description": "Adversary group cards inspired by ThaiCERT",
+ "meta-category": "misc",
+ "name": "Group Cards",
+ "required": [
+ "name"
+ ],
+ "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174",
+ "version": 1
+}
From 56c6b9148c71d9474c7fd819b907521c4a434fc6 Mon Sep 17 00:00:00 2001
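Review bot: `required` lists `name`, but no attribute called `name` exists in this template — the attribute is `names` — so the required constraint can never be satisfied as written; change it to `"names"` (or rename the attribute). Attribute keys with spaces, `tools used` and `more informations`, depart from the hyphen/underscore style of the other templates in this series and become awkward object relations; settling on `tools_used` and something like `references` before the first published version matters, because renaming a relation later breaks existing objects. `more informations` is described as a list of URLs yet typed `text`; `"misp-attribute": "url"` (or `"link"`) would let MISP validate and correlate the values. The object `name` "Group Cards" also differs from its directory `groups`, whereas the ADS template in this series keeps the two aligned.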
From: th3r3d
Date: Mon, 12 Dec 2022 19:03:29 +0100
Subject: [PATCH 3/4] Create definition Faked persnona template inspired by MITRE
---
objects/persnona/definition.json | 103 +++++++++++++++++++++++++++++++
1 file changed, 103 insertions(+)
create mode 100644 objects/persnona/definition.json
diff --git a/objects/persnona/definition.json b/objects/persnona/definition.json
new file mode 100644
index 0000000..475f153
--- /dev/null
+++ b/objects/persnona/definition.json
@@ -0,0 +1,103 @@
+{
+ "attributes": {
+ "photo": {
+ "description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.",
+ "disable_correlation": false,
+ "misp-attribute": "url",
+ "multiple": false,
+ "ui-priority": 0
+ },
+ "name": {
+ "description": "Name - full name of PersNOna.",
+ "disable_correlation": false,
+ "misp-attribute": "full-name",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "alias": {
+ "description": "Aliases or Nicknames of fake PesNOna on differenet media.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "background": {
+ "description": "Background of operation, PersNOna or actions, which needs to be explain to other party in case of share of this profile.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 2
+ },
+ "location": {
+ "description": "Location, where PersNOna is right now at home, home town, county, country etc.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3
+ },
+ "responsi": {
+ "description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 4
+ },
+ "goals": {
+ "description": "Goals of creating of this PersNOna.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 5
+ },
+ "critical_tasks": {
+ "description": "Critical Tasks or tasks which this PersNOna has to accomplish.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 6
+ },
+ "actions": {
+ "description": "Actions by this PersNOna or engagement with adversary or relateda party.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 7
+ },
+ "questions": {
+ "description": "Questions, which have to be answered by this profile goal.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 8
+ },
+ "oppportunities": {
+ "description": "Opportunities for another development, introducing another PersNOna etc.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 9
+ },
+ "conversations": {
+ "description": "Conversations with targets",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 10
+ },
+ "media": {
+ "description": "Media where is PersNOna active ie. facebook, telegram etc.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 10
+ }
+ },
+ "description": "Fake persona with tasks",
+ "meta-category": "misc",
+ "name": "Deception PersNOna",
+ "required": [
+ "name"
+ ],
+ "uuid": "a80828dc-07bf-4d5c-ab82-8160ee5bdd6d",
+ "version": 1
+}
From b9c512a71b24fcc3c1dcbfc9a98b278f24f894b3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 15 Dec 2022 14:39:52 +0100
Subject: [PATCH 4/4] fix: [jq] JSON fixed
---
objects/ADS/definition.json | 12 ++--
objects/groups/definition.json | 58 ++++++++++----------
objects/persnona/definition.json | 94 ++++++++++++++++----------------
3 files changed, 82 insertions(+), 82 deletions(-)
diff --git a/objects/ADS/definition.json b/objects/ADS/definition.json
index a37afdd..2d23077 100644
--- a/objects/ADS/definition.json
+++ b/objects/ADS/definition.json
@@ -1,5 +1,10 @@
 {
 "attributes": {
+ "acd-element": {
+ "description": "lists the steps required to generate a representative true positive event which triggers this alert.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "additional_resources": {
 "description": "Any other internal, external, or technical references that may be useful for understanding the ADS.",
 "misp-attribute": "url",
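Review bot: Two attribute keys carry typos that become permanent object relations once the template is published — `oppportunities` (three p's) and `responsi` (a truncated "responsibilities") — and the directory name `persnona` will be equally hard to rename later, so these should be fixed before version 1 ships. The descriptions also contain `PesNOna`, `differenet` and `relateda`. `alias` shares `ui-priority` 1 with `name`, and `media` shares 10 with `conversations`, so their relative display order is left to the UI rather than to the template. Since the object records an active deception asset (photo, conversations with targets, tasking), the top-level `description` "Fake persona with tasks" could say that the object is meant for restricted sharing, which a consumer otherwise has no way to infer.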
@@ -61,11 +66,6 @@
 "description": "lists the steps required to generate a representative true positive event which triggers this alert.",
 "misp-attribute": "text",
 "ui-priority": 5
- },
- "acd-element": {
- "description": "lists the steps required to generate a representative true positive event which triggers this alert.",
- "misp-attribute": "text",
- "ui-priority": 0
 }
 },
 "description": "An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.",
@@ -78,4 +78,4 @@
 ],
 "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
 "version": 1
-}
+}
\ No newline at end of file
diff --git a/objects/groups/definition.json b/objects/groups/definition.json
index a9aa6b4..68f1fd0 100644
--- a/objects/groups/definition.json
+++ b/objects/groups/definition.json
@@ -1,12 +1,5 @@
 {
 "attributes": {
- "names": {
- "description": "Names or nicknames for group.",
- "disable_correlation": false,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 0
- },
 "country": {
 "description": "Country of group - group location where it operates from.",
 "disable_correlation": false,
@@ -14,20 +7,6 @@
 "multiple": true,
 "ui-priority": 1
 },
- "sponsor": {
- "description": "Sponsor of group ie. country, state, criminal ring, cartel etc..",
- "disable_correlation": false,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 2
- },
- "motivation": {
- "description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .",
- "disable_correlation": false,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 3
- },
 "description": {
 "description": "Description of group activities or TTP used for group actions.",
 "disable_correlation": false,
@@ -35,6 +14,27 @@
 "multiple": false,
 "ui-priority": 4
 },
+ "more informations": {
+ "description": "List more informations by url - reports, group links etc..",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 7
+ },
+ "motivation": {
+ "description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3
+ },
+ "names": {
+ "description": "Names or nicknames for group.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
 "observed": {
 "description": "What sector is this group active at? Government, telecommunication etc and country of activity.",
 "disable_correlation": false,
@@ -42,19 +42,19 @@
 "multiple": true,
 "ui-priority": 5
 },
+ "sponsor": {
+ "description": "Sponsor of group ie. country, state, criminal ring, cartel etc..",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 2
+ },
 "tools used": {
 "description": "What known tools are used by group.",
 "disable_correlation": false,
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 6
- },
- "more informations": {
- "description": "List more informations by url - reports, group links etc..",
- "disable_correlation": false,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 7
 }
 },
 "description": "Adversary group cards inspired by ThaiCERT",
@@ -65,4 +65,4 @@
 ],
 "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174",
 "version": 1
-}
+}
\ No newline at end of file
diff --git a/objects/persnona/definition.json b/objects/persnona/definition.json
index 475f153..d3438d3 100644
--- a/objects/persnona/definition.json
+++ b/objects/persnona/definition.json
@@ -1,18 +1,11 @@
 {
 "attributes": {
- "photo": {
- "description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.",
+ "actions": {
+ "description": "Actions by this PersNOna or engagement with adversary or relateda party.",
 "disable_correlation": false,
- "misp-attribute": "url",
- "multiple": false,
- "ui-priority": 0
- },
- "name": {
- "description": "Name - full name of PersNOna.",
- "disable_correlation": false,
- "misp-attribute": "full-name",
+ "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 1
+ "ui-priority": 7
 },
 "alias": {
 "description": "Aliases or Nicknames of fake PesNOna on differenet media.",
@@ -28,26 +21,12 @@
 "multiple": true,
 "ui-priority": 2
 },
- "location": {
- "description": "Location, where PersNOna is right now at home, home town, county, country etc.",
- "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 3
- },
- "responsi": {
- "description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.",
+ "conversations": {
+ "description": "Conversations with targets",
 "disable_correlation": false,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 4
- },
- "goals": {
- "description": "Goals of creating of this PersNOna.",
- "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 5
+ "ui-priority": 10
 },
 "critical_tasks": {
 "description": "Critical Tasks or tasks which this PersNOna has to accomplish.",
@@ -56,19 +35,33 @@
 "multiple": true,
 "ui-priority": 6
 },
- "actions": {
- "description": "Actions by this PersNOna or engagement with adversary or relateda party.",
- "disable_correlation": false,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 7
- },
- "questions": {
- "description": "Questions, which have to be answered by this profile goal.",
+ "goals": {
+ "description": "Goals of creating of this PersNOna.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 8
+ "ui-priority": 5
+ },
+ "location": {
+ "description": "Location, where PersNOna is right now at home, home town, county, country etc.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3
+ },
+ "media": {
+ "description": "Media where is PersNOna active ie. facebook, telegram etc.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 10
+ },
+ "name": {
+ "description": "Name - full name of PersNOna.",
+ "disable_correlation": false,
+ "misp-attribute": "full-name",
+ "multiple": true,
+ "ui-priority": 1
 },
 "oppportunities": {
 "description": "Opportunities for another development, introducing another PersNOna etc.",
@@ -77,19 +70,26 @@
 "multiple": true,
 "ui-priority": 9
 },
- "conversations": {
- "description": "Conversations with targets",
+ "photo": {
+ "description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.",
 "disable_correlation": false,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 10
+ "misp-attribute": "url",
+ "multiple": false,
+ "ui-priority": 0
 },
- "media": {
- "description": "Media where is PersNOna active ie. facebook, telegram etc.",
+ "questions": {
+ "description": "Questions, which have to be answered by this profile goal.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 8
+ },
+ "responsi": {
+ "description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.",
 "disable_correlation": false,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 10
+ "ui-priority": 4
 }
 },
 "description": "Fake persona with tasks",
@@ -100,4 +100,4 @@
 ],
 "uuid": "a80828dc-07bf-4d5c-ab82-8160ee5bdd6d",
 "version": 1
-}
+}
\ No newline at end of file