add new objects for spearphishing-link and spearphishing-attachment intel

2022-05-20 11:49:15 -05:00 · 2022-05-20 11:49:15 -05:00 · c62a113fec
parent a922f29b46
commit c62a113fec
2 changed files with 152 additions and 0 deletions
--- a/objects/spearphishing-attachment/definition.json
+++ b/objects/spearphishing-attachment/definition.json
@ -0,0 +1,103 @@
+{
+  "attributes": {
+    "artifact-dropped-md5": {
+      "description": "The MD5 of an additional file that was either extracted from or downloaded by the attachment.",
+      "misp-attribute": "md5",
+      "ui-priority": 1
+    },
+    "artifact-dropped-name": {
+      "description": "Name of an additional file that was either extracted from or downloaded by the attachment.",
+      "misp-attribute": "filename",
+      "ui-priority": 0
+    },
+    "artifact-dropped-sha1": {
+      "description": "The SHA1 of an additional file that was either extracted from or downloaded by the attachment.",
+      "misp-attribute": "sha1",
+      "ui-priority": 1
+    },
+    "artifact-dropped-sha256": {
+      "description": "The SHA256 of an additional file that was either extracted from or downloaded by the attachment.",
+      "misp-attribute": "sha256",
+      "ui-priority": 1
+    },
+    "attachment-md5": {
+      "description": "The MD5 of the file that was attached to the e-mail itself.",
+      "misp-attribute": "md5",
+      "ui-priority": 1
+    },
+    "attachment-name": {
+      "description": "The name of the file that was attached to the e-mail itself.",
+      "misp-attribute": "filename",
+      "ui-priority": 0
+    },
+    "attachment-sha1": {
+      "description": "The SHA1 of the file that was attached to the e-mail itself.",
+      "misp-attribute": "sha1",
+      "ui-priority": 1
+    },
+    "attachment-sha256": {
+      "description": "The SHA256 of the file that was attached to the e-mail itself.",
+      "misp-attribute": "sha256",
+      "ui-priority": 1
+    },
+    "c2-domain": {
+      "description": "Command and control domain detected during analysis.",
+      "misp-attribute": "domain",
+      "ui-priority": 1
+    },
+    "c2-ip": {
+      "description": "Command and control IP address detected during analysis.",
+      "misp-attribute": "ip-dst",
+      "ui-priority": 1
+    },
+    "c2-url": {
+      "description": "Command and control URL detected during analysis.",
+      "misp-attribute": "url",
+      "ui-priority": 1
+    },
+    "email-sender": {
+      "description": "The source address from which the e-mail was sent.",
+      "misp-attribute": "email-src",
+      "ui-priority": 1
+    },
+    "malicious-url": {
+      "description": "Malicious URL that downloaded additional malware.",
+      "misp-attribute": "url",
+      "ui-priority": 1
+    },
+    "research-links": {
+      "description": "A link to an external analysis (VirusTotal, urlscan, etc.).",
+      "misp-attribute": "link",
+      "ui-priority": 0
+    },
+    "sender-ip": {
+      "description": "The source IP from which the e-mail was sent.",
+      "misp-attribute": "ip-src",
+      "ui-priority": 1
+    },
+    "subject": {
+      "description": "The subject line of the e-mail.",
+      "misp-attribute": "email-subject",
+      "ui-priority": 1
+    },
+    "supporting-evidence": {
+      "description": "Description of the spearphish e-mail.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "Spearphishing Attachment",
+  "meta-category": "network",
+  "name": "spearphishing-attachment",
+  "required": [
+    "email-sender",
+    "subject"
+  ],
+  "requiredOneOf": [
+    "attachment-md5",
+    "attachment-sha1",
+    "attachment-sha256"
+  ],
+  "uuid": "5dfcd9a9-d10c-48ae-9ba4-13c2428a994a",
+  "version": 20220520
+}
--- a/objects/spearphishing-link/definition.json
+++ b/objects/spearphishing-link/definition.json
@ -0,0 +1,49 @@
+{
+  "attributes": {
+    "email-sender": {
+      "description": "The source address from which the e-mail was sent.",
+      "misp-attribute": "email-src",
+      "ui-priority": 1
+    },
+    "embedded-link": {
+      "description": "The malicious URL in the e-mail body.",
+      "misp-attribute": "url",
+      "ui-priority": 1
+    },
+    "redirect-url": {
+      "description": "The redirect URL, if any, from the malicious embedded link.",
+      "misp-attribute": "url",
+      "ui-priority": 0
+    },
+    "research-links": {
+      "description": "A link to an external analysis (VirusTotal, urlscan, etc.).",
+      "misp-attribute": "link",
+      "ui-priority": 0
+    },
+    "sender-ip": {
+      "description": "The source IP from which the e-mail was sent.",
+      "misp-attribute": "ip-src",
+      "ui-priority": 1
+    },
+    "subject": {
+      "description": "The subject line of the e-mail.",
+      "misp-attribute": "email-subject",
+      "ui-priority": 1
+    },
+    "supporting-evidence": {
+      "description": "Description of the spearphish e-mail.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "Spearphishing Link",
+  "meta-category": "network",
+  "name": "spearphishing-link",
+  "required": [
+    "email-sender",
+    "subject",
+    "embedded-link"
+  ],
+  "uuid": "4e758e53-6c84-47b0-a19b-362f587059e2",
+  "version": 20220520
+}