From 047595ddeb496a9cba294064902dd6fb5641cde7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 15 Mar 2019 14:36:12 +0100 Subject: [PATCH 01/68] chg: [person] Spanish IDs added (NIE, NIF and DNI) --- objects/person/definition.json | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 361b4eb..220f7b3 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -140,6 +140,24 @@ "misp-attribute": "text", "multiple": true }, + "dni": { + "description": "Spanish National ID", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "nie": { + "description": "Foreign National ID (Spain)", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "nif": { + "description": "Tax ID Number (Spain)", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, "e-mail": { "description": "Email address of the person.", "ui-priority": 10, @@ -169,7 +187,7 @@ "disable_correlation": true } }, - "version": 8, + "version": 9, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From 0c6b7b4302b58b0b1ab8371acdd3e4b988609a88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 2 Apr 2019 17:09:02 +0200 Subject: [PATCH 02/68] chg: Bump vehicle object --- objects/vehicle/definition.json | 46 ++++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json index cc302f0..c558a46 100644 --- a/objects/vehicle/definition.json +++ b/objects/vehicle/definition.json 
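Review bot: `dni`, `nie` and `nif` are all declared with `"multiple": true` although a natural person holds at most one of each, and for a Spanish national the NIF is the same number as the DNI, so the two attributes will routinely carry duplicate values that correlate against each other. Consider dropping `"multiple": true` on the three identifiers and making the overlap explicit, e.g. `"description": "Spanish National ID (DNI); for Spanish nationals this number is also the NIF"`. The descriptions also say nothing about the expected form (DNI is 8 digits plus a check letter, NIE starts with X, Y or Z), which anyone normalising input for correlation needs to know. The `attributes` object this hunk edits starts and ends outside the hunk.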
@@ -1,11 +1,15 @@ { "requiredOneOf": [ "description", - "year", "make", "model", "license-plate-number", - "vin" + "vin", + "dyno-power", + "date-first-registration", + "image-url", + "gearbox", + "indicative-value" ], "attributes": { "description": { @@ -14,12 +18,6 @@ "misp-attribute": "text", "disable_correlation": true }, - "year": { - "description": "Year of manufacturing of the vehicle", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, "make": { "description": "Manufacturer of the vehicle", "ui-priority": 0, @@ -42,9 +40,39 @@ "ui-priority": 0, "misp-attribute": "text", "multiple": true + }, + "dyno-power": { + "description": "Dyno power output", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "date-first-registration": { + "description": "Date of first registration", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "image-url": { + "description": "Image URL", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "gearbox": { + "description": "Gearbox", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "indicative-value": { + "description": "Indicative value", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true } }, - "version": 1, + "version": 2, "description": "Vehicle object template to describe a vehicle information and registration", "meta-category": "misc", "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4", From a85178255ca1f362f00182842dbd0f5a0a112bf5 Mon Sep 17 00:00:00 2001 From: molley Date: Tue, 2 Apr 2019 17:28:49 +0100 Subject: [PATCH 03/68] Added issuer as one of the required fields This is often a field used on it's own to identify a malicious cert --- objects/x509/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index 106a90c..42ecb04 100644 --- a/objects/x509/definition.json 
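Review bot: `year` is deleted from the template outright while `version` only moves from 1 to 2, so vehicle objects already created against version 1 keep a `year` attribute the current template no longer defines, and nothing replaces it (`date-first-registration` is a registration date, not the manufacturing year). A less disruptive change keeps the attribute and marks it `"recommended": false`, the flag the lnk template in this series uses for de-emphasised attributes, or at least documents the migration in the commit message. The `attributes` object continues outside the hunk.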
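Review bot: The five new attributes are all typed `"misp-attribute": "text"` even where a more specific MISP type exists: `date-first-registration` is a date and should be `"misp-attribute": "datetime"` (the type the tor-hiddenservice and lnk templates in this series use), and `image-url` is a URL, for which the `url` attribute type gives format validation and correlation with other URL attributes. `"multiple": true` on `date-first-registration` and `gearbox` also looks copied from the entry above rather than intended — a vehicle has one first-registration date. Adding `gearbox` and `indicative-value` to `requiredOneOf` means an object holding nothing but a gearbox string is valid; if that is not wanted, keep them out of the list.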
+++ b/objects/x509/definition.json @@ -3,7 +3,8 @@ "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256", - "serial-number" + "serial-number", + "issuer" ], "attributes": { "subject": { @@ -105,7 +106,7 @@ "ui-priority": 0 } }, - "version": 7, + "version": 8, "description": "x509 object describing a X.509 certificate", "meta-category": "network", "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", From 490d760a4bfb7ac9bfcc40856e0e4abcda211f8e Mon Sep 17 00:00:00 2001 From: molley Date: Tue, 2 Apr 2019 17:41:07 +0100 Subject: [PATCH 04/68] Added current-directory to required field This field will often indicate where a malicious binary is started from, therefore a good candidate for solo use --- objects/process/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/process/definition.json b/objects/process/definition.json index e0420ee..25d1add 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -3,7 +3,7 @@ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "meta-category": "misc", "description": "Object describing a system process.", - "version": 3, + "version": 4, "attributes": { "creation-time": { "description": "Local date/time at which the process was created.", @@ -91,6 +91,7 @@ "name", "pid", "image", - "command-line" + "command-line", + "current-directory" ] } From a50986361fdab1d439a75530733606c22fe7e4be Mon Sep 17 00:00:00 2001 From: molley Date: Tue, 2 Apr 2019 18:26:00 +0100 Subject: [PATCH 05/68] Username is often utilised alongside a credential Username can often identify malicious behavior, and is usually part of the credential tuple - it can also be used to highlight common user accounts without password/api key --- objects/credential/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/credential/definition.json b/objects/credential/definition.json index 5ea36ea..0a4f7a9 100644 --- a/objects/credential/definition.json 
+++ b/objects/credential/definition.json @@ -1,6 +1,7 @@ { "requiredOneOf": [ - "password" + "password", + "username" ], "attributes": { "text": { @@ -67,7 +68,7 @@ ] } }, - "version": 2, + "version": 3, "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", "meta-category": "misc", "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", From 4793bf33ae54327f30b90925d1dd0b8ec3bc71c5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 2 Apr 2019 19:56:59 +0200 Subject: [PATCH 06/68] chg: [process] fix the type - fix #160 --- objects/process/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/process/definition.json b/objects/process/definition.json index 25d1add..9246a49 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -3,7 +3,7 @@ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "meta-category": "misc", "description": "Object describing a system process.", - "version": 4, + "version": 5, "attributes": { "creation-time": { "description": "Local date/time at which the process was created.", @@ -56,7 +56,7 @@ "current-directory": { "description": "Current working directory of the process", "ui-priority": 2, - "misp-attribute": "filename", + "misp-attribute": "text", "disable_correlation": true }, "image": { From aca06cec1ffbb3a092118e15a92152c51b14b408 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 3 Apr 2019 14:05:39 +0200 Subject: [PATCH 07/68] chg: [lnk] new LNK object (Windows Shortcut) --- README.md | 1 + objects/lnk/definition.json | 279 ++++++++++++++++++++++++++++++++++++ 2 files changed, 280 insertions(+) create mode 100644 objects/lnk/definition.json diff --git a/README.md b/README.md index f1cf85f..57b2491 100644 --- a/README.md +++ b/README.md 
@@ -101,6 +101,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way. * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation. +* [objects/lnk](objects/lnk/definition.json) - Object describing a Windows LNK (Windows Shortcut) file. * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format. * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format. * [objects/mactime-timeline-analysis](objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity. diff --git a/objects/lnk/definition.json b/objects/lnk/definition.json new file mode 100644 index 0000000..83eca79 --- /dev/null +++ b/objects/lnk/definition.json 
@@ -0,0 +1,279 @@
+{
+ "requiredOneOf": [
+ "filename",
+ "ssdeep",
+ "md5",
+ "sha1",
+ "sha224",
+ "sha256",
+ "sha384",
+ "sha512",
+ "sha512/224",
+ "sha512/256"
+ ],
+ "attributes": {
+ "md5": {
+ "description": "[Insecure] MD5 hash (128 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "md5",
+ "recommended": false
+ },
+ "sha1": {
+ "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha1",
+ "recommended": false
+ },
+ "sha224": {
+ "description": "Secure Hash Algorithm 2 (224 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha224",
+ "recommended": false
+ },
+ "sha256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha256"
+ },
+ "sha384": {
+ "description": "Secure Hash Algorithm 2 (384 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha384",
+ "recommended": false
+ },
+ "sha512": {
+ "description": "Secure Hash Algorithm 2 (512 bits)",
+ "ui-priority": 1,
+ "misp-attribute": "sha512"
+ },
+ "sha512/224": {
+ "description": "Secure Hash Algorithm 2 (224 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha512/224",
+ "recommended": false
+ },
+ "sha512/256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "ui-priority": 0,
+ "misp-attribute": "sha512/256",
+ "recommended": false
+ },
+ "ssdeep": {
+ "description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
+ "ui-priority": 0,
+ "misp-attribute": "ssdeep"
+ },
+ "size-in-bytes": {
+ "description": "Size of the LNK file, in bytes",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "size-in-bytes"
+ },
+ "entropy": {
+ "description": "Entropy of the whole file",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "float"
+ },
+ "pattern-in-file": {
+ "description": "Pattern that can be found in the file",
+ "categories": [
+ "Artifacts dropped",
+ "Payload installation",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "pattern-in-file",
+ "multiple": true
+ },
+ "text": {
+ "description": "Free text value to attach to the file",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "recommended": false
+ },
+ "malware-sample": {
+ "description": "The LNK file itself (binary)",
+ "ui-priority": 1,
+ "misp-attribute": "malware-sample"
+ },
+ "filename": {
+ "description": "Filename on disk",
+ "disable_correlation": true,
+ "multiple": true,
+ "categories": [
+ "Payload delivery",
+ "Artifacts dropped",
+ "Payload installation",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "filename"
+ },
+ "path": {
+ "description": "Path of the LNK filename complete or partial",
+ "disable_correlation": true,
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "fullpath": {
+ "description": "Complete path of the LNK filename including the filename",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "tlsh": {
+ "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
+ "ui-priority": 0,
+ "misp-attribute": "tlsh"
+ },
+ "state": {
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "description": "State of the LNK file",
+ "multiple": true,
+ "disable_correlation": true,
+ "values_list": [
+ "Malicious",
+ "Harmless",
+ "Trusted"
+ ]
+ },
+ "lnk-creation-time": {
+ "description": "Creation time of the LNK",
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "lnk-modification-time": {
+ "description": "Modification time of the LNK",
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "lnk-access-time": {
+ "description": "Access time of the LNK",
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "lnk-file-size": {
+ "description": "Size of the target file, in bytes",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "size-in-bytes"
+ },
+ "lnk-icon-index": {
+ "description": "Icon index",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-show-window-value": {
+ "description": "Show Window value",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-hot-key-value": {
+ "description": "Hot Key value",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-file-attribute-flags": {
+ "description": "File attribute flags",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-drive-type": {
+ "description": "Drive type",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-drive-serial-number": {
+ "description": "Drive serial number",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-volume-label": {
+ "description": "Volume label",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-local-path": {
+ "description": "Local path",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-description": {
+ "description": "LNK description",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-relative-path": {
+ "description": "Relative path",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-working-directory": {
+ "description": "LNK working path",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "lnk-command-line-arguments": {
+ "description": "LNK command line arguments",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "machine-identifier": {
+ "description": "Machine identifier",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "droid-volume-identifier": {
+ "description": "Droid volume identifier",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "droid-file-identifier": {
+ "description": "Droid file identifier (UUIDv1 where MAC can be extracted)",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "birth-droid-volume-identifier": {
+ "description": "Droid volume identifier",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "birth-droid-file-identifier": {
+ "description": "Birth droid volume identifier (UUIDv1 where MAC can be extracted)",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "LNK object describing a Windows LNK binary file (aka Windows shortcut)",
+ "meta-category": "file",
+ "uuid": "ad13533e-1853-4da0-a111-33a7ce7e6c09",
+ "name": "lnk"
+}
From b4478a6c2b123763fb3ce2f6fef04916950b0384 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 5 Apr 2019 11:22:22 +0200
Subject: [PATCH 08/68] add: [tor-hiddenservice] a simple object template to describe Tor Onion Service

---
 objects/tor-hiddenservice/definition.json | 41 +++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 objects/tor-hiddenservice/definition.json

diff --git a/objects/tor-hiddenservice/definition.json b/objects/tor-hiddenservice/definition.json
new file mode 100644
index 0000000..0ff9fa5
--- /dev/null
+++ b/objects/tor-hiddenservice/definition.json
@@ -0,0 +1,41 @@
+{
+ "requiredOneOf": [
+ "address",
+ "first-seen",
+ "last-seen",
+ "description"
+ ],
+ "required": [
+ "address"
+ ],
+ "attributes": {
+ "description": {
+ "description": "Tor onion service comment.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "address": {
+ "description": "onion address of the Tor node seen.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "last-seen": {
+ "description": "When the Tor hidden service was seen for the last time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "first-seen": {
+ "description": "When the Tor hidden service was been seen for the first time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "Tor hidden service (onion service) object.",
+ "meta-category": "misc",
+ "uuid": "cbac07d6-fbe9-43b8-8d91-d515812ce330",
+ "name": "tor-hiddenservice"
+}
From bfcfe7aae9a13db637281c8ccd10f9d89d33b593 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 5 Apr 2019 11:24:54 +0200
Subject: [PATCH 09/68] chg: [doc] tor-hiddenservices added

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 57b2491..d4f4921 100644
--- a/README.md
+++ b/README.md
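Review bot: The `address` description reads "onion address of the Tor node seen." although this template describes an onion service, not a relay (the tor-node template covers relays), and `first-seen` has a grammar slip ("was been seen"); suggested `"description": "Onion address of the hidden service."` and `"description": "When the Tor hidden service has been seen for the first time."`. `address` appears both in `required` and in `requiredOneOf`; `required` already makes it mandatory, so its entry in `requiredOneOf` is redundant and the list could be reduced to the optional attributes. Typing `address` as `text` also means it never correlates with `hostname` or `domain` attributes that carry the same onion name in other events — whether MISP's hostname validation accepts `.onion` names should be checked before switching the type.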
@@ -139,6 +139,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timesketch-timeline](objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. +* [objects/tor-hiddenservice](objects/tor-hiddenservice/definition.json) - Tor hidden service (Onion Service) object to describe a Tor hidden service. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform. * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. From 006aa1d1a2ae5cd0cb729dee8b62441400c7b904 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 7 Apr 2019 22:24:58 +0200 Subject: [PATCH 10/68] chg: [script] filename added to fix #149 --- objects/script/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/script/definition.json b/objects/script/definition.json index f95d34f..7389fa1 100644 --- a/objects/script/definition.json +++ b/objects/script/definition.json @@ -1,6 +1,7 @@ { "required": [ - "script" + "script", + "filename" ], "attributes": { "script": { 
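Review bot: `filename` is added to `required`, not `requiredOneOf`, so every script object must now carry both a `script` and a `filename`; the ip-port change for the same issue (#149) adds its new attribute to `requiredOneOf`, which suggests either-or semantics were intended here too. Either keep `"required": [ "script" ]` and leave `filename` optional, or express the alternative as `"requiredOneOf": [ "script", "filename" ]`. The diffstat (3 insertions, 2 deletions) shows no `filename` attribute is added by this commit, so the template must already define one, otherwise the requirement points at a non-existent attribute; only the `required` list is visible in this hunk.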
@@ -55,7 +56,7 @@ ] } }, - "version": 2, + "version": 3, "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "meta-category": "misc", "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", From c5532621b65eed485ed03e4f200a2c4fedd8c22f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 7 Apr 2019 22:28:36 +0200 Subject: [PATCH 11/68] chg: [ip-port] ip-src added to fix #149 --- objects/ip-port/definition.json | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index a91ed90..b8d245a 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json @@ -4,7 +4,8 @@ "src-port", "domain", "hostname", - "ip" + "ip", + "ip-src" ], "attributes": { "text": { @@ -74,9 +75,19 @@ "ui-priority": 1, "misp-attribute": "ip-dst", "multiple": true + }, + "ip-src": { + "description": "source IP address", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-src", + "multiple": true } }, - "version": 7, + "version": 8, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", From bfa883751ab723308dd8c5689e37cc3d918ded3f Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 11:00:45 +0530 Subject: [PATCH 12/68] add : relationship "creates" --- relationships/definition.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 4a9f801..873fdb1 100644 --- a/relationships/definition.json +++ b/relationships/definition.json 
@@ -934,6 +934,13 @@ "format": [ "misp" ] + }, + { + "name": "creates", + "description": "Represents an object that creates something.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From 71419a999a361519960f6f685f79d3bdb12552a7 Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 11:55:38 +0530 Subject: [PATCH 13/68] new-object : Organization "Defines an organization" --- objects/organization/definition.json | 79 ++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 objects/organization/definition.json diff --git a/objects/organization/definition.json b/objects/organization/definition.json new file mode 100644 index 0000000..4d8bac1 --- /dev/null +++ b/objects/organization/definition.json 
@@ -0,0 +1,79 @@
+{
+ "requiredOneOf": [
+ "name",
+ "alias"
+ ],
+ "attributes": {
+ "name": {
+ "description": "Name of the organization",
+ "disable_correlation": false,
+ "ui-priority": 100,
+ "misp-attribute": "text"
+ },
+ "alias": {
+ "description": "Alias of the organization",
+ "ui-priority": 99,
+ "misp-attribute": "text",
+ "multiple" : true
+ },
+
+ "type-of-organizarion" : {
+ "description" : "Type of the organization",
+ "ui-priority" : 97,
+ "misp-attribute" : "text"
+ },
+ "date-of-inception": {
+ "description": "Date of inception of the organization",
+ "ui-priority": 0,
+ "misp-attribute": "date-of-birth"
+ },
+
+ "phone-number": {
+ "description": "Phone number of the organization.",
+ "ui-priority": 10,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "fax-number": {
+ "description": "Fax number of the organization.",
+ "ui-priority": 10,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "address": {
+ "description": "Postal address of the organization.",
+ "ui-priority": 10,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+
+ "e-mail": {
+ "description": "Email address of the organization.",
+ "ui-priority": 10,
+ "misp-attribute": "email-src",
+ "multiple": true
+ },
+
+ "role": {
+ "description": "The role of a person.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true,
+ "values_list": [
+ "Suspect",
+ "Victim",
+ "Defendent",
+ "Accused",
+ "Culprit",
+ "Accomplice",
+ "Target"
+ ],
+ "disable_correlation": true
+ }
+ },
+ "version": 10,
+ "description": "An object which describes a person or an identity.",
+ "meta-category": "organization",
+ "uuid": "ec8f8ca1-7f82-4d79-a9d0-2254303de686",
+ "name": "organization"
+}
From 161f72678a66e48a46bc73b95b9e34a7f6ab8b25 Mon Sep 17 00:00:00 2001
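Review bot: The attribute key `type-of-organizarion` is misspelled; the key becomes the object relation stored on every instance and exchanged over sync, so it is hard to rename once the template ships, and the later "fixed typos" commit in this series keeps it. Change it to `"type-of-organization": {` now. In the same file `"Defendent"` in the `role` values list should be `"Defendant"`, and `date-of-inception` is typed `"misp-attribute": "date-of-birth"`, a person-specific type under which an organization's founding date would correlate with people's birthdays; `"misp-attribute": "datetime"`, used by the other templates in this series, fits better. The `role` values list is a verbatim copy of the person template's (`Suspect`, `Victim`, `Accomplice`, ...), so it is worth checking each value is meaningful for an organization.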
From: haxpak Date: Sat, 13 Apr 2019 12:05:51 +0530 Subject: [PATCH 14/68] modified : person object "changed UI priority of the attributes" modified : report object "added attachment to report" --- objects/person/definition.json | 13 +++++++------ objects/report/definition.json | 10 ++++++++-- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 220f7b3..59de239 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -13,17 +13,17 @@ }, "last-name": { "description": "Last name of a natural person.", - "ui-priority": 0, + "ui-priority": 100, "misp-attribute": "last-name" }, "middle-name": { "description": "Middle name of a natural person.", - "ui-priority": 0, + "ui-priority": 99, "misp-attribute": "middle-name" }, "first-name": { "description": "First name of a natural person.", - "ui-priority": 0, + "ui-priority": 98, "misp-attribute": "first-name", "disable_correlation": true }, @@ -34,13 +34,13 @@ }, "title": { "description": "Title of the natural person such as Dr. or equivalent.", - "ui-priority": 0, + "ui-priority": 101, "misp-attribute": "text", "disable_correlation": true }, "alias": { "description": "Alias name or known as.", - "ui-priority": 0, + "ui-priority": 97, "misp-attribute": "text", "multiple": true }, @@ -182,7 +182,8 @@ "Accused", "Culprit", "Accomplice", - "Witness" + "Witness", + "Target" ], "disable_correlation": true } diff --git a/objects/report/definition.json b/objects/report/definition.json index cce9d89..8b83a4d 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json @@ -5,7 +5,7 @@ "attributes": { "summary": { "description": "Free text summary of the report", - "ui-priority": 1, + "ui-priority": 100, "misp-attribute": "text", "categories": [ "Other", 
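Review bot: The person template's attributes change here (new `ui-priority` values and the added `Target` role value) without bumping `"version"`, which every other template change in this series does; MISP instances only reload a template whose version is higher than the one they hold, so these edits would not propagate. The same applies to the report hunk that follows, where `report-file(s)` is added while `"version": 1` stays. Bump the person template to `"version": 10,` (it is at 9 after the first commit of this series) and the report template to `"version": 2,`. The `version` line of the person file lies outside these hunks.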
@@ -21,7 +21,13 @@ "Internal reference", "Other" ] - } + }, + "report-file(s)": { + "description": "Attachment(s) that is related to the report", + "ui-priority": 99, + "misp-attribute": "attachment", + "multiple": true + }, }, "version": 1, "description": "Metadata used to generate an executive level report", From 26987ca80a071037497d625437ea0fa1ae71da6d Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 12:11:43 +0530 Subject: [PATCH 15/68] added : meta_category "organization" #162 --- schema_objects.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/schema_objects.json b/schema_objects.json index 0d80fa0..57d9c4f 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -68,7 +68,8 @@ "financial", "misc", "internal", - "vulnerability" + "vulnerability", + "organization" ] }, "name": { From 23ab7351199fbdfa521a99a0fc4ef066188ebc9e Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 13:32:56 +0530 Subject: [PATCH 16/68] - added : attachment attribute to annotation - added : new object type device --- objects/annotation/definition.json | 8 +++- objects/device/definition.json | 61 ++++++++++++++++++++++++++++ objects/organization/definition.json | 8 ++-- 3 files changed, 72 insertions(+), 5 deletions(-) create mode 100644 objects/device/definition.json diff --git a/objects/annotation/definition.json b/objects/annotation/definition.json index d062eca..2231bbc 100644 --- a/objects/annotation/definition.json +++ b/objects/annotation/definition.json @@ -61,7 +61,13 @@ "description": "Last update of the annotation", "ui-priority": 0, "misp-attribute": "datetime" - } + }, + "attachment" : { + "description" : "An attachment to support the annotation", + "ui-priority" : 0, + "misp-attribute": "attachment", + "multiple" : true + }, }, "version": 2, "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.", 
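Review bot: The new attribute key `report-file(s)` contains parentheses, which no other key in these templates uses and which make the relation awkward in URLs, filters and any code that treats object relations as identifiers; `"multiple": true` already expresses that several files can be attached. Rename it to `"report-file": {`, or to `"attachment"` as the annotation and device templates in this series call the same concept. The `attributes` object starts outside the hunk.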
diff --git a/objects/device/definition.json b/objects/device/definition.json new file mode 100644 index 0000000..dbe58ad --- /dev/null +++ b/objects/device/definition.json @@ -0,0 +1,61 @@ +{ + "requiredOneOf": [ + "name" + ], + "attributes": { + "description": { + "description": "Description of the Device", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation" : true + }, + "name" : { + "description" : "Name of the Device", + "ui-priority" : 101, + "misp-attribute" : "text", + }, + "alias" : { + "description" : "Alias of the Device", + "ui-priority" : 100, + "misp-attribute" : "text", + "multiple" : true + }, + "device-type": { + "description": "Type of the device", + "ui-priority": 99, + "misp-attribute": "text", + "disable_correlation": true, + "categories": [ + "PC", + "Mobile", + "Laptop", + "HID", + "TV", + "IoT", + "Hardware", + "Other" + ] + }, + "ip-address": { + "description": "Device IP address", + "ui-priority": 0, + "misp-attribute": "ip-src" + }, + "analysis-date": { + "description": "Date of device analysis", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "attachment" : { + "description" : "An attachment", + "ui-priority" : 0, + "misp-attribute": "attachment", + "multiple" : true + }, + }, + "version": 3, + "description": "An object to define a device", + "meta-category": "device", + "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", + "name": "Device" +} diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 4d8bac1..b14bafc 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -55,7 +55,7 @@ }, "role": { - "description": "The role of a person.", + "description": "The role of the organization.", "ui-priority": 0, "misp-attribute": "text", "multiple": true, 
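Review bot: `device-type` uses `"categories"` to hold the allowed device kinds (`PC`, `Mobile`, ...), but in these templates `categories` lists MISP attribute categories (`Network activity`, `External analysis` in the ip-port hunk) and an enumeration is expressed with `values_list`, as the lnk `state` and organization `role` attributes do; as written the values would be read as unknown categories rather than offered as choices. Change the keyword to `"values_list": [`. The template also starts at `"version": 3` although it is a new file (lnk and tor-hiddenservice start at 1), and `"name": "Device"` is capitalised while the directory is `objects/device` and every other template's name matches its directory in lowercase. `ip-address` is typed `ip-src`, which attaches a traffic-direction meaning that a device's own address does not have; if the choice is deliberate (to correlate with source IPs seen in network events), the description should say so.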
@@ -71,9 +71,9 @@ "disable_correlation": true } }, - "version": 10, - "description": "An object which describes a person or an identity.", + "version": 1, + "description": "An object which describes an organization.", "meta-category": "organization", - "uuid": "ec8f8ca1-7f82-4d79-a9d0-2254303de686", + "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", "name": "organization" } From df91c999e60fdc9bfb9a50003a8610648c371add Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 13:45:05 +0530 Subject: [PATCH 17/68] fixed typos and ran jq_all_things --- objects/annotation/definition.json | 10 +++++----- objects/device/definition.json | 30 ++++++++++++++-------------- objects/organization/definition.json | 14 +++++-------- objects/report/definition.json | 2 +- 4 files changed, 26 insertions(+), 30 deletions(-) diff --git a/objects/annotation/definition.json b/objects/annotation/definition.json index 2231bbc..cfadfc1 100644 --- a/objects/annotation/definition.json +++ b/objects/annotation/definition.json @@ -62,12 +62,12 @@ "ui-priority": 0, "misp-attribute": "datetime" }, - "attachment" : { - "description" : "An attachment to support the annotation", - "ui-priority" : 0, + "attachment": { + "description": "An attachment to support the annotation", + "ui-priority": 0, "misp-attribute": "attachment", - "multiple" : true - }, + "multiple": true + } }, "version": 2, "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.", diff --git a/objects/device/definition.json b/objects/device/definition.json index dbe58ad..50653ec 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json 
@@ -7,18 +7,18 @@ "description": "Description of the Device", "ui-priority": 0, "misp-attribute": "text", - "disable_correlation" : true + "disable_correlation": true }, - "name" : { - "description" : "Name of the Device", - "ui-priority" : 101, - "misp-attribute" : "text", + "name": { + "description": "Name of the Device", + "ui-priority": 101, + "misp-attribute": "text" }, - "alias" : { - "description" : "Alias of the Device", - "ui-priority" : 100, - "misp-attribute" : "text", - "multiple" : true + "alias": { + "description": "Alias of the Device", + "ui-priority": 100, + "misp-attribute": "text", + "multiple": true }, "device-type": { "description": "Type of the device", @@ -46,12 +46,12 @@ "ui-priority": 0, "misp-attribute": "datetime" }, - "attachment" : { - "description" : "An attachment", - "ui-priority" : 0, + "attachment": { + "description": "An attachment", + "ui-priority": 0, "misp-attribute": "attachment", - "multiple" : true - }, + "multiple": true + } }, "version": 3, "description": "An object to define a device", diff --git a/objects/organization/definition.json b/objects/organization/definition.json index b14bafc..923bdc2 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -14,20 +14,18 @@ "description": "Alias of the organization", "ui-priority": 99, "misp-attribute": "text", - "multiple" : true + "multiple": true }, - - "type-of-organizarion" : { - "description" : "Type of the organization", - "ui-priority" : 97, - "misp-attribute" : "text" + "type-of-organizarion": { + "description": "Type of the organization", + "ui-priority": 97, + "misp-attribute": "text" }, "date-of-inception": { "description": "Date of inception of the organization", "ui-priority": 0, "misp-attribute": "date-of-birth" }, - "phone-number": { "description": "Phone number of the organization.", "ui-priority": 10, 
@@ -46,14 +44,12 @@ "misp-attribute": "text", "multiple": true }, - "e-mail": { "description": "Email address of the organization.", "ui-priority": 10, "misp-attribute": "email-src", "multiple": true }, - "role": { "description": "The role of the organization.", "ui-priority": 0, diff --git a/objects/report/definition.json b/objects/report/definition.json index 8b83a4d..053677d 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json @@ -27,7 +27,7 @@ "ui-priority": 99, "misp-attribute": "attachment", "multiple": true - }, + } }, "version": 1, "description": "Metadata used to generate an executive level report", From 63fff149f0ed47019085f16cbd23bc181e2b8125 Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 13:49:16 +0530 Subject: [PATCH 18/68] added requiredOneOf to device definition --- objects/device/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 50653ec..a25a617 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -1,6 +1,7 @@ { "requiredOneOf": [ - "name" + "name", + "alias" ], "attributes": { "description": { From 6917beee5fe85440649c7848d6d768c102c95815 Mon Sep 17 00:00:00 2001 From: haxpak Date: Sat, 13 Apr 2019 14:02:26 +0530 Subject: [PATCH 19/68] reverted device to misc category --- objects/device/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index a25a617..4826bdd 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -56,7 +56,7 @@ }, "version": 3, "description": "An object to define a device", - "meta-category": "device", + "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", "name": "Device" } From 9f3fb14ed548c6a5f3a664fb4823a3719d4db688 Mon Sep 17 00:00:00 2001 
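Review bot: The device `meta-category` change in the last hunk (`@@ -56,7 +56,7 @@`) leaves `"version": 3` untouched, whereas every other content change in this series bumps the template version (person 8→9, vehicle 1→2, device 3→4 two patches later). Template updates are keyed on the version field, so this change would presumably not reach instances that already loaded version 3; bump to `"version": 4,` in the same commit. The same applies to the organization hunk in the following patch (`@@ -69,7 +69,7 @@`), where `"version": 1` stays as is.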
From: haxpak Date: Sat, 13 Apr 2019 14:57:55 +0530 Subject: [PATCH 20/68] changed organization meta category to misc --- objects/organization/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 923bdc2..966a8f5 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -69,7 +69,7 @@ }, "version": 1, "description": "An object which describes an organization.", - "meta-category": "organization", + "meta-category": "misc", "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", "name": "organization" } From e470413f413946b400b9348d2fbe8bad95fb85b9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 13 Apr 2019 14:59:38 +0200 Subject: [PATCH 21/68] chg: [schema] category removed --- schema_objects.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/schema_objects.json b/schema_objects.json index 57d9c4f..0d80fa0 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -68,8 +68,7 @@ "financial", "misc", "internal", - "vulnerability", - "organization" + "vulnerability" ] }, "name": { From 81924c519f2d5899023da427cc2d5f8cf29e076b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 13 Apr 2019 15:04:23 +0200 Subject: [PATCH 22/68] chg: [doc] new organization and device object added --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index d4f4921..9ebdfc4 100644 --- a/README.md +++ b/README.md 
@@ -82,6 +82,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions. * [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s). * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. +* [objects/device](objects/device/definition.json) - An object to describe a device such as a computer, laptop or alike. * [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network. * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame. * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF). 
@@ -112,6 +113,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. * [objects/network-socket](objects/network-socket/definition.json) - Object to describe a local or remote network connections based on the socket data structure. * [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. +* [objects/organization](objects/organization/definition.json) - An object which describes an organization. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. From bb9ff86b2ff61d3977807b99d57bc271ef17417a Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 10:53:57 +0530 Subject: [PATCH 23/68] added MAC address to device meta category of organization changed to organization meta category of person object changed to organization new object phishing-kit --- objects/device/definition.json | 10 ++- objects/organization/definition.json | 2 +- objects/person/definition.json | 2 +- objects/phishing-kit/definition.json | 97 ++++++++++++++++++++++++++++ 4 files changed, 107 insertions(+), 4 deletions(-) create mode 100644 objects/phishing-kit/definition.json diff --git a/objects/device/definition.json b/objects/device/definition.json index 4826bdd..3a04004 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json 
@@ -40,7 +40,13 @@ "ip-address": { "description": "Device IP address", "ui-priority": 0, - "misp-attribute": "ip-src" + "misp-attribute": "ip-src", + "multiple" : true + }, + "MAC-address": { + "description": "Device MAC address", + "ui-priority": 0, + "misp-attribute": "text" }, "analysis-date": { "description": "Date of device analysis", @@ -54,7 +60,7 @@ "multiple": true } }, - "version": 3, + "version": 4, "description": "An object to define a device", "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 966a8f5..923bdc2 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -69,7 +69,7 @@ }, "version": 1, "description": "An object which describes an organization.", - "meta-category": "misc", + "meta-category": "organization", "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", "name": "organization" } diff --git a/objects/person/definition.json b/objects/person/definition.json index 59de239..2359536 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -190,7 +190,7 @@ }, "version": 9, "description": "An object which describes a person or an identity.", - "meta-category": "misc", + "meta-category": "organization", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", "name": "person" } diff --git a/objects/phishing-kit/definition.json b/objects/phishing-kit/definition.json new file mode 100644 index 0000000..7ac2e42 --- /dev/null +++ b/objects/phishing-kit/definition.json 
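Review bot: `"MAC-address"` in the device hunk (`@@ -40,7 +40,13 @@`) is the only upper-case attribute key in these templates, and it is typed `text` although MISP has a dedicated `mac-address` attribute type (used for this very field later in the series). Storing it as free text loses that type's validation and the ability to match MAC addresses recorded elsewhere. Suggested: `"mac-address": { "description": "Device MAC address", "ui-priority": 0, "misp-attribute": "mac-address" }`. The added `"multiple" : true` also reintroduces the spaced-colon form that the previous patch just normalized away.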
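Review bot: Both the organization hunk (`@@ -69,7 +69,7 @@`) and the person hunk (`@@ -190,7 +190,7 @@`) set `"meta-category": "organization"`, but patch 21 in this series removed `organization` from the `meta-category` enum in `schema_objects.json`, so both templates would fail schema validation. Either keep `"meta-category": "misc"` or re-add the value to the schema in the same commit; patches 27 and 28 later revert both to `misc`, which confirms the mismatch. Changing a meta-category also warrants a version bump, which neither hunk does.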
@@ -0,0 +1,97 @@ + +{ + "name": "phishing-kit", + "uuid": "e08eea9b-5776-4014-9b0e-a821ee890143", + "meta-category": "network", + "description": "Oject to describe a phishing-kit.", + "version": 1, + "attributes": { + "internal reference": { + "categories": [ + "Internal reference" + ], + "misp-attribute": "text", + "ui-priority": 1, + "description": "Internal reference such as ticket ID" + }, + "date-found": { + "multiple": true, + "misp-attribute": "datetime", + "ui-priority": 0, + "description": "Date when the phishing kit was found", + "to_ids" : false, + "disable_correlation" : true + }, + "reference-link": { + "to_ids": false, + "multiple": true, + "ui-priority": 1, + "misp-attribute": "link", + "description": "Link where the Phishing Kit was observed" + }, + "threat-actor-email" : { + "description" : "Email of the Threat Actor", + "multiple" : true, + "ui-priority" : 0, + "misp-attribute" : "email-src" + }, + "email-type" : { + "description" : "Type of the Email", + "multiple" : false, + "ui-priority" : 0, + "misp-attribute" : "text", + "disable_correlation" : true + }, + "kit-mailer" : { + "description" : "Mailer Kit Used", + "multiple" : true, + "ui-priority" : 0, + "misp-attribute" : "text", + "disable_correlation" : true + }, + "target" :{ + "description" : "What was targeted using this phishing kit", + "multiple" : true, + "ui-priority" : 1, + "misp-attribute" : "text" + }, + "phishing-domain" : { + "description" : "Domain used for Phishing", + "multiple" : true, + "ui-priority" : 1, + "misp-attribute" : "url" + }, + "online": { + "disable_correlation": true, + "misp-attribute": "text", + "values_list": [ + "Yes", + "No" + ], + "ui-priority": 0, + "description": "If the phishing kit is online and operational, by default is yes" + }, + "kit-url": { + "misp-attribute": "url", + "ui-priority": 1, + "description": "URL of Phishing Kit" + }, + "threat-actor" : { + "description" : "Identified threat actor", + "ui-priority" : 0, + "multiple" : true, + 
"misp-attribute" : "text" + }, + "kit-name" : { + "description" : "Name of the Phishing Kit", + "ui-priority" : 10, + "misp-attribute" : "text" + } + }, + "requiredOneOf": [ + "kit-url", + "reference-link", + "kit-name", + "kit-hash" + ] +} From b24336499ad58f6f115efb6bd1ecc1ed653facc4 Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 11:04:57 +0530 Subject: [PATCH 24/68] modified: objects/device/definition.json modified: objects/phishing-kit/definition.json --- objects/device/definition.json | 4 +- objects/phishing-kit/definition.json | 81 ++++++++++++++-------------- 2 files changed, 42 insertions(+), 43 deletions(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 3a04004..f467fe3 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -41,7 +41,7 @@ "description": "Device IP address", "ui-priority": 0, "misp-attribute": "ip-src", - "multiple" : true + "multiple": true }, "MAC-address": { "description": "Device MAC address", @@ -60,7 +60,7 @@ "multiple": true } }, - "version": 4, + "version": 5, "description": "An object to define a device", "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", diff --git a/objects/phishing-kit/definition.json b/objects/phishing-kit/definition.json index 7ac2e42..6364636 100644 --- a/objects/phishing-kit/definition.json +++ b/objects/phishing-kit/definition.json @@ -1,10 +1,9 @@ - { "name": "phishing-kit", - "uuid": "e08eea9b-5776-4014-9b0e-a821ee890143", + "uuid": "f452c16b-12fa-4f87-84a2-15a9e8ca6e7c", "meta-category": "network", "description": "Oject to describe a phishing-kit.", - "version": 1, + "version": 2, "attributes": { "internal reference": { "categories": [ @@ -19,8 +18,8 @@ "misp-attribute": "datetime", "ui-priority": 0, "description": "Date when the phishing kit was found", - "to_ids" : false, - "disable_correlation" : true + "to_ids": false, + "disable_correlation": true }, "reference-link": { "to_ids": false, 
@@ -29,37 +28,37 @@ "misp-attribute": "link", "description": "Link where the Phishing Kit was observed" }, - "threat-actor-email" : { - "description" : "Email of the Threat Actor", - "multiple" : true, - "ui-priority" : 0, - "misp-attribute" : "email-src" + "threat-actor-email": { + "description": "Email of the Threat Actor", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "email-src" }, - "email-type" : { - "description" : "Type of the Email", - "multiple" : false, - "ui-priority" : 0, - "misp-attribute" : "text", - "disable_correlation" : true + "email-type": { + "description": "Type of the Email", + "multiple": false, + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true }, - "kit-mailer" : { - "description" : "Mailer Kit Used", - "multiple" : true, - "ui-priority" : 0, - "misp-attribute" : "text", - "disable_correlation" : true + "kit-mailer": { + "description": "Mailer Kit Used", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true }, - "target" :{ - "description" : "What was targeted using this phishing kit", - "multiple" : true, - "ui-priority" : 1, - "misp-attribute" : "text" + "target": { + "description": "What was targeted using this phishing kit", + "multiple": true, + "ui-priority": 1, + "misp-attribute": "text" }, - "phishing-domain" : { - "description" : "Domain used for Phishing", - "multiple" : true, - "ui-priority" : 1, - "misp-attribute" : "url" + "phishing-domain": { + "description": "Domain used for Phishing", + "multiple": true, + "ui-priority": 1, + "misp-attribute": "url" }, "online": { "disable_correlation": true, 
@@ -76,16 +75,16 @@ "ui-priority": 1, "description": "URL of Phishing Kit" }, - "threat-actor" : { - "description" : "Identified threat actor", - "ui-priority" : 0, - "multiple" : true, - "misp-attribute" : "text" + "threat-actor": { + "description": "Identified threat actor", + "ui-priority": 0, + "multiple": true, + "misp-attribute": "text" }, - "kit-name" : { - "description" : "Name of the Phishing Kit", - "ui-priority" : 10, - "misp-attribute" : "text" + "kit-name": { + "description": "Name of the Phishing Kit", + "ui-priority": 10, + "misp-attribute": "text" } }, "requiredOneOf": [ From 8fe63dfccc46276b0602426e1598241a401f091a Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 11:14:35 +0530 Subject: [PATCH 25/68] modified: relationships/definition.json --- relationships/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 873fdb1..0c1a8a2 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -939,7 +939,8 @@ "name": "creates", "description": "Represents an object that creates something.", "format": [ - "misp" + "misp", + "haxpak" ] } ], From 4f1745a09581628be0e2447e7b0b3b655a85bd18 Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 11:26:12 +0530 Subject: [PATCH 26/68] added meta category organization --- objects/organization/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 923bdc2..ed0f4f8 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -71,5 +71,5 @@ "description": "An object which describes an organization.", "meta-category": "organization", "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", - "name": "organization" + "name": "misc" } From 2053c17fa4a36287ca05cee45158f2807a8df3c4 Mon Sep 17 00:00:00 2001 
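Review bot: The `format` array of the `creates` relationship (`@@ -939,7 +939,8 @@`) gains `"haxpak"`, which appears to be the committer's handle rather than a format; the other values visible in this file are format or source names such as `misp` and `alfred`. If the intent was attribution, it does not belong in a field that consumers may use to filter relationships by format. Suggest dropping the added line and keeping attribution in the commit message.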
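Review bot: The last hunk (`@@ -71,5 +71,5 @@`) changes `"name": "organization"` to `"name": "misc"`, although the commit message talks about the meta category; the name is the template's identifier, so the object would now be registered and documented as "misc". The README entry added in patch 22 and the `objects/organization/` path still say organization, so this is almost certainly a slip. Restore `"name": "organization"`; patch 28 in this series fixes `meta-category` but leaves the wrong name in place (`"name": "misc"` is visible as context there).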
From: haxpak Date: Sun, 14 Apr 2019 11:27:29 +0530 Subject: [PATCH 27/68] corrected typo --- objects/person/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 2359536..59de239 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -190,7 +190,7 @@ }, "version": 9, "description": "An object which describes a person or an identity.", - "meta-category": "organization", + "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", "name": "person" } From 836bd04a75f0ec33b0f9a207b2ac4b8193f932cd Mon Sep 17 00:00:00 2001 From: haxpak Date: Sun, 14 Apr 2019 11:32:55 +0530 Subject: [PATCH 28/68] meta category for organization changed back to misc since schema_objects.json does not recognize organization as a meta category --- objects/organization/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/organization/definition.json b/objects/organization/definition.json index ed0f4f8..f575479 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -69,7 +69,7 @@ }, "version": 1, "description": "An object which describes an organization.", - "meta-category": "organization", + "meta-category": "misc", "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", "name": "misc" } From 3cef676f34088bc61089f98d349a5299f727d14f Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 10:29:09 +0530 Subject: [PATCH 29/68] added OS, version, dns-name attribute to device changed misp-attribute of mac-address from text to mac-address --- objects/device/definition.json | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 4826bdd..9ed3013 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json 
@@ -37,10 +37,35 @@ "Other" ] }, + "OS" : { + "description" : "OS of the device", + "ui-priority" : 98, + "misp-attribute" : "text", + "disable_correlation" : true, + "multiple" : true + }, + "version" : { + "description" : "Version of the device/ OS", + "ui-priority" : 97, + "misp-attribute" : "text", + "disable_correlation" : true + }, "ip-address": { "description": "Device IP address", "ui-priority": 0, - "misp-attribute": "ip-src" + "misp-attribute": "ip-src", + "multiple": true + }, + "dns-name": { + "description": "Device DNS Name", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "MAC-address": { + "description": "Device MAC address", + "ui-priority": 0, + "misp-attribute": "mac-address" }, "analysis-date": { "description": "Date of device analysis", @@ -54,7 +79,7 @@ "multiple": true } }, - "version": 3, + "version": 6, "description": "An object to define a device", "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", From 9f4e7737a100b01417ff887fe604aebd2f284ec3 Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 10:33:08 +0530 Subject: [PATCH 30/68] added attribute DNS name to device object changed MAC address misp attribute to mac-address --- objects/device/definition.json | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 9ed3013..729f908 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json 
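Review bot: `"dns-name"` in the device hunk (`@@ -37,10 +37,35 @@`) is typed `text`, while MISP's `hostname` type (used by the irc template later in this series) would validate the value and let it match hostnames recorded in other objects; suggest `"misp-attribute": "hostname"`. The same hunk adds `"OS"` as the only upper-case key in the file, against the lowercase kebab-case convention the series itself enforces in patch 39. It also jumps `version` from 3 to 6 while patch 24 already published version 5 of this file from a different base, so the two lines will need reconciling at merge time.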
@@ -37,18 +37,18 @@ "Other" ] }, - "OS" : { - "description" : "OS of the device", - "ui-priority" : 98, - "misp-attribute" : "text", - "disable_correlation" : true, - "multiple" : true + "OS": { + "description": "OS of the device", + "ui-priority": 98, + "misp-attribute": "text", + "disable_correlation": true, + "multiple": true }, - "version" : { - "description" : "Version of the device/ OS", - "ui-priority" : 97, - "misp-attribute" : "text", - "disable_correlation" : true + "version": { + "description": "Version of the device/ OS", + "ui-priority": 97, + "misp-attribute": "text", + "disable_correlation": true }, "ip-address": { "description": "Device IP address", From 89b8e10fbe5991da74937fd6eb7488e708b1603e Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 17:41:39 +0530 Subject: [PATCH 31/68] added option "Further Analysis Required" to attribute stage --- objects/course-of-action/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/course-of-action/definition.json b/objects/course-of-action/definition.json index ee5b157..b2099e0 100644 --- a/objects/course-of-action/definition.json +++ b/objects/course-of-action/definition.json @@ -53,7 +53,8 @@ "disable_correlation": true, "sane_default": [ "Remedy", - "Response" + "Response", + "Further Analysis Required" ] }, "cost": { From 2d6522887df976fe7a00f105491b5695549274a9 Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 18:00:21 +0530 Subject: [PATCH 32/68] added relationship "executes" --- relationships/definition.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 873fdb1..d028c66 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1,5 +1,5 @@ { - "version": 14, + "version": 15, "values": [ { "name": "derived-from", 
@@ -10,6 +10,11 @@ "alfred" ] }, + { + "name" : "executes", + "description" : "This relationship describes an object which executes another object", + "format" : [ "misp" ] + }, { "name": "duplicate-of", "description": "The referenced source and target objects are semantically duplicates of each other.", From befa47d2c53ce45df655515a6c99dc0cdced63c2 Mon Sep 17 00:00:00 2001 From: haxpak Date: Mon, 15 Apr 2019 18:04:44 +0530 Subject: [PATCH 33/68] [added] relationship 'executes' : Describes a an object that executes another object --- relationships/definition.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index d028c66..3d9dc87 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -11,9 +11,11 @@ ] }, { - "name" : "executes", - "description" : "This relationship describes an object which executes another object", - "format" : [ "misp" ] + "name": "executes", + "description": "This relationship describes an object which executes another object", + "format": [ + "misp" + ] }, { "name": "duplicate-of", From 4066da31e4a7201a9319b8bd9da82b8c40122338 Mon Sep 17 00:00:00 2001 From: haxpak Date: Tue, 16 Apr 2019 08:31:43 +0530 Subject: [PATCH 34/68] changed device type drop down from category to sane_default --- objects/device/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index 4826bdd..5d7ba0e 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -26,7 +26,7 @@ "ui-priority": 99, "misp-attribute": "text", "disable_correlation": true, - "categories": [ + "sane_default": [ "PC", "Mobile", "Laptop", From 371ffe77fb74f40d8d52e86de90c1034e0083618 Mon Sep 17 00:00:00 2001 
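Review bot: The description of the new `executes` relationship (`@@ -10,6 +10,11 @@`) does not say which side is the executor, unlike its neighbour `duplicate-of`, which is phrased in terms of the referenced source and target objects. Suggest `"description": "The referenced source object executes the referenced target object."` so consumers building reference graphs know the direction. The entry also uses the `"name" : ` spacing that the next patch reformats; running the repository's jq pass before committing would avoid the extra commit.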
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 18 Apr 2019 11:13:03 +0200 Subject: [PATCH 35/68] chg: Allow to create a file object with a non-malicious file. Fix #175 #176 --- objects/file/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 7c79f77..85b79c9 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -16,6 +16,7 @@ "pattern-in-file", "x509-fingerprint-sha1", "malware-sample", + "attachment", "path", "fullpath" ], @@ -112,6 +113,11 @@ "ui-priority": 1, "misp-attribute": "malware-sample" }, + "attachment": { + "description": "A non-malicious file.", + "ui-priority": 1, + "misp-attribute": "attachment" + }, "filename": { "description": "Filename on disk", "disable_correlation": true, @@ -436,7 +442,7 @@ ] } }, - "version": 16, + "version": 17, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From bb7e8f27f817d3b32e28250541700cbc95ef16a7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 21 Apr 2019 15:51:57 +0200 Subject: [PATCH 36/68] chg: [tools] remove trailing dot if presents --- tools/adoc_objects.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tools/adoc_objects.py b/tools/adoc_objects.py index c75e282..0b77c40 100755 --- a/tools/adoc_objects.py +++ b/tools/adoc_objects.py @@ -3,7 +3,7 @@ # # # A simple converter of MISP objects to asciidoctor format -# Copyright (C) 2017-2018 Alexandre Dulaunoy +# Copyright (C) 2017-2019 Alexandre Dulaunoy # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as 
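Review bot: The new `attachment` attribute in the file template (`@@ -112,6 +113,11 @@`) is described only as "A non-malicious file.", which does not tell an analyst why the distinction from `malware-sample` matters. As far as I know MISP stores a `malware-sample` inside a password-protected archive while an `attachment` is stored and served as uploaded, so the description should carry that reason, e.g. `"description": "A non-malicious file, stored and downloadable as-is; use malware-sample for anything that may be malicious."`. That keeps a careless upload from handing a live sample to every user who opens the event.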
@@ -73,12 +73,14 @@ def asciidoc(content=False, adoc=None, t='title',title=''): if t == 'title': output = '== ' + content elif t == 'info': + content = content.rstrip('\.') output = "\n{}.\n\n{} {} {}{}/definition.json[*this location*] {}.\n".format(content, 'NOTE: ', title, 'is a MISP object available in JSON format at https://github.com/MISP/misp-objects/blob/master/objects/',title.lower(),' The JSON format can be freely reused in your application or automatically enabled in https://www.github.com/MISP/MISP[MISP]') elif t == 'author': output = '\nauthors:: {}\n'.format(' - '.join(content)) elif t == 'value': output = '=== ' + content elif t == 'description': + content = content.rstrip('\.') output = '\n{}\n'.format(content) elif t == 'attributes': #output = '\n{}\n'.format From 3dcb1725aea7e65ac7cb4cac41c86c1dabad0236 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 21 Apr 2019 15:52:57 +0200 Subject: [PATCH 37/68] chg: [phishing-kit] small typo fixed in the description --- objects/phishing-kit/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/phishing-kit/definition.json b/objects/phishing-kit/definition.json index 6364636..0da5baa 100644 --- a/objects/phishing-kit/definition.json +++ b/objects/phishing-kit/definition.json @@ -2,8 +2,8 @@ "name": "phishing-kit", "uuid": "f452c16b-12fa-4f87-84a2-15a9e8ca6e7c", "meta-category": "network", - "description": "Oject to describe a phishing-kit.", - "version": 2, + "description": "Object to describe a phishing-kit.", + "version": 3, "attributes": { "internal reference": { "categories": [ From 025a9a93232222df02119c0b96ccdd9adf3a2afa Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 21 Apr 2019 15:56:23 +0200 Subject: [PATCH 38/68] chg: [doc] phishing-kit object added to the list --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9ebdfc4..1e1e4e1 100644 --- a/README.md +++ b/README.md 
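Review bot: Both added lines in `asciidoc` use `content.rstrip('\.')`; `'\.'` is not a valid Python escape (a DeprecationWarning today, a SyntaxWarning from 3.12), and because `rstrip` takes a set of characters the literal strips trailing backslashes as well as dots. Use `content = content.rstrip('.')` in both branches; if only one trailing dot should go, `content[:-1] if content.endswith('.') else content` is the exact form. The `asciidoc` function begins and ends outside this hunk.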
@@ -120,6 +120,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description. * [objects/person](objects/person/definition.json) - A person object which describes a person or an identity. * [objects/phishing](objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis. +* [objects/phishing-kit](objects/phishing-kit/definition.json) - Object to describe a phishing kit. * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object. * [objects/process](objects/process/definition.json) - A process object. * [objects/regexp](objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression. From b656cc532d1656da8aa12b695fe0322f2d16c0fd Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 21 Apr 2019 15:57:07 +0200 Subject: [PATCH 39/68] chg: [device] name of an object must be lowercase --- objects/device/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/device/definition.json b/objects/device/definition.json index bab949e..d9f05d5 100644 --- a/objects/device/definition.json +++ b/objects/device/definition.json @@ -79,9 +79,9 @@ "multiple": true } }, - "version": 6, + "version": 7, "description": "An object to define a device", "meta-category": "misc", "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", - "name": "Device" + "name": "device" } From 1966d4d5f0ed81d0b67b87ff5a4012a1b00f83ec Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Sat, 27 Apr 2019 10:28:50 +0200 Subject: [PATCH 40/68] add: [irc] IRC object to describe an IRC server with associated IRC channels --- objects/irc/definition.json | 68 +++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 objects/irc/definition.json diff --git a/objects/irc/definition.json b/objects/irc/definition.json new file mode 100644 index 0000000..030a656 --- /dev/null +++ b/objects/irc/definition.json 
@@ -0,0 +1,68 @@ +{ + "requiredOneOf": [ + "ip", + "hostname" + ], + "attributes": { + "text": { + "description": "Description of the IRC server", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-seen": { + "description": "Last time the IRC server with the associated channels has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "first-seen": { + "description": "First time the IRC server with the associated channels has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "dst-port": { + "description": "Destination port to reach the IRC server", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "port", + "disable_correlation": true, + "multiple": true + }, + "channel": { + "description": "IRC channel associated to the IRC server", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "hostname": { + "description": "Hostname of the IRC server", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "hostname", + "multiple": true + }, + "ip": { + "description": "IP address of the IRC server", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-dst", + "multiple": true + } + }, + "version": 1, + "description": "An IRC object to describe an IRC server and the associated channels.", + "meta-category": "network", + "uuid": "4bbbc004-c344-4b20-8672-b41102177fc7", + "name": "irc" +} From 0f6fdee7f32ce9f57a344323564bc5e6f60bfc8f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 27 Apr 2019 10:32:10 +0200 Subject: [PATCH 41/68] chg: [irc] add nickname used for associated IRC server and channel(s) --- objects/irc/definition.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
diff --git a/objects/irc/definition.json b/objects/irc/definition.json index 030a656..a371761 100644 --- a/objects/irc/definition.json +++ b/objects/irc/definition.json @@ -1,7 +1,9 @@ { "requiredOneOf": [ "ip", - "hostname" + "hostname", + "channel", + "nickname" ], "attributes": { "text": { @@ -39,6 +41,12 @@ "misp-attribute": "text", "multiple": true }, + "nickname": { + "description": "IRC nickname used to connect to the associated IRC server and channels", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, "hostname": { "description": "Hostname of the IRC server", "categories": [ @@ -60,7 +68,7 @@ "multiple": true } }, - "version": 1, + "version": 2, "description": "An IRC object to describe an IRC server and the associated channels.", "meta-category": "network", "uuid": "4bbbc004-c344-4b20-8672-b41102177fc7", From baae683771af5c57051216d2589435b8f8b67008 Mon Sep 17 00:00:00 2001 From: mday Date: Tue, 30 Apr 2019 12:18:08 -0500 Subject: [PATCH 42/68] update the definition files of various object types so that the `required` and `requiredOneOf` lists no longer specify attributes that do not exist in the objects. --- objects/file/definition.json | 2 +- objects/mactime-timeline-analysis/definition.json | 4 ++-- objects/original-imported-file/definition.json | 2 +- objects/phishing-kit/definition.json | 3 +-- objects/python-etvx-event-log/definition.json | 2 +- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 85b79c9..944834c 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -14,7 +14,7 @@ "sha512/256", "tlsh", "pattern-in-file", - "x509-fingerprint-sha1", + "certificate", "malware-sample", "attachment", "path", diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json index a8f32e9..cb20d2b 100644 --- a/objects/mactime-timeline-analysis/definition.json 
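Review bot: Extending `requiredOneOf` to `channel` and `nickname` (`@@ -1,7 +1,9 @@`) lets an irc object be created with neither `ip` nor `hostname`, even though the template describes "an IRC server and the associated channels". If a channel or nickname observed without a server is a legitimate use, the description should say so; otherwise keep the server identifiers as the required set and leave channel and nickname optional. This is a modelling choice, so the intended use may simply not be visible here.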
+++ b/objects/mactime-timeline-analysis/definition.json @@ -1,7 +1,7 @@ { "requiredOneOf": [ - "filepath", - "file_activity", + "file-path", + "activityType", "datetime" ], "attributes": { diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index 5bd93ff..6436924 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json @@ -1,7 +1,7 @@ { "requiredOneOf": [ "imported-sample", - "type" + "format" ], "attributes": { "imported-sample": { diff --git a/objects/phishing-kit/definition.json b/objects/phishing-kit/definition.json index 0da5baa..2112d20 100644 --- a/objects/phishing-kit/definition.json +++ b/objects/phishing-kit/definition.json @@ -90,7 +90,6 @@ "requiredOneOf": [ "kit-url", "reference-link", - "kit-name", - "kit-hash" + "kit-name" ] } diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json index 2c50d9a..a2f9a7b 100644 --- a/objects/python-etvx-event-log/definition.json +++ b/objects/python-etvx-event-log/definition.json @@ -1,7 +1,7 @@ { "required": [ "source", - "type", + "event-type", "name" ], "attributes": { From 71b4e71ab11bcca32a8e7dc9e2a287ae2c9dd267 Mon Sep 17 00:00:00 2001 From: mday Date: Wed, 1 May 2019 14:11:30 -0500 Subject: [PATCH 43/68] update the misp-attribute to specify a valid value instead of an empty string --- .../regripper-system-hive-general-configuration/definition.json | 2 +- objects/regripper-system-hive-service-drivers/definition.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json index b2fe81b..85b9192 100644 --- a/objects/regripper-system-hive-general-configuration/definition.json +++ b/objects/regripper-system-hive-general-configuration/definition.json 
@@ -77,7 +77,7 @@ "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "", + "misp-attribute": "text", "disable_correlation": true } }, diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index b5dcaf5..cbd0fec 100644 --- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json @@ -86,7 +86,7 @@ "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "", + "misp-attribute": "text", "disable_correlation": true } }, From e76e492894fbe260f9f67a8b72447b93f0e36196 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 1 May 2019 21:32:14 +0200 Subject: [PATCH 44/68] chg: [regripper] version updated --- .../regripper-system-hive-general-configuration/definition.json | 2 +- objects/regripper-system-hive-service-drivers/definition.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json index 85b9192..2851077 100644 --- a/objects/regripper-system-hive-general-configuration/definition.json +++ b/objects/regripper-system-hive-general-configuration/definition.json @@ -81,7 +81,7 @@ "disable_correlation": true } }, - "version": 1, + "version": 2, "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", "meta-category": "misc", "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index cbd0fec..38a560a 100644 --- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json 
@@ -90,7 +90,7 @@ "disable_correlation": true } }, - "version": 1, + "version": 2, "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.", "meta-category": "misc", "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", From f2e8195d505cb0a87a6e87f95d394df5e1acbed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Fri, 3 May 2019 11:18:58 +0200 Subject: [PATCH 45/68] new: Add offset, virtual_address and virtual_size to the pe section object Related to https://github.com/MISP/PyMISP/issues/388 --- objects/pe-section/definition.json | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/objects/pe-section/definition.json b/objects/pe-section/definition.json index 3d1d792..2ef4c3c 100644 --- a/objects/pe-section/definition.json +++ b/objects/pe-section/definition.json @@ -88,6 +88,24 @@ "ui-priority": 1, "misp-attribute": "size-in-bytes" }, + "offset": { + "description": "Section’s offset", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "hex" + }, + "virtual_address": { + "description": "Section’s virtual address", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "hex" + }, + "virtual_size": { + "description": "Section’s virtual size", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "size-in-bytes" + }, "text": { "description": "Free text value to attach to the section", "disable_correlation": true, @@ -106,7 +124,7 @@ "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "Object describing a section of a Portable Executable", "meta-category": "file", "uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", From 424900b02d2559f029ac40280ada764ae9840d26 Mon Sep 17 00:00:00 2001 
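Review bot: The new `virtual_address` and `virtual_size` attributes in the pe-section hunk use underscores, while attribute names in these templates are otherwise hyphenated (`date-first-registration`, `first-seen`, `shell-command`) and patch 47 later in this series exists only to correct `registration_date` to `registration-date`; naming them `virtual-address` and `virtual-size` before the template ships avoids a second rename and version bump. The same mixing appears in patch 48's x509 `signature_algorithm` (there at least matching the file's existing `self_signed`/`is_ca`/`dns_names`), in patch 50's new authenticode-signerinfo where `digest_algorithm`/`signature_algorithm` sit next to `content-type`/`program-name`, and in patch 62's credit-card `bank_name` next to `cc-number`. Separately, the three new descriptions use a typographic apostrophe (`Section’s offset`); that is valid JSON, but every other description on this page is ASCII, so `Section's offset` keeps the file consistent.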
From: ater49 Date: Fri, 3 May 2019 22:08:44 +0200 Subject: [PATCH 46/68] Adding registration-date to domain-ip --- objects/domain-ip/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json index 7cd4d8a..3f3f6e6 100644 --- a/objects/domain-ip/definition.json +++ b/objects/domain-ip/definition.json @@ -23,6 +23,12 @@ "ui-priority": 0, "misp-attribute": "datetime" }, + "registration_date": { + "description": "Registration date of domain", + "disable_correlation": false, + "ui-priority": 0, + "misp-attribute": "datetime" + }, "domain": { "description": "Domain name", "categories": [ @@ -43,7 +49,7 @@ "multiple": true } }, - "version": 5, + "version": 6, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", From a2bec8571bd1bc3be66e81002cc935a065850be2 Mon Sep 17 00:00:00 2001 From: ater49 Date: Fri, 3 May 2019 22:12:08 +0200 Subject: [PATCH 47/68] Correcting "_" to "-" in fields name --- objects/domain-ip/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json index 3f3f6e6..6fc5ace 100644 --- a/objects/domain-ip/definition.json +++ b/objects/domain-ip/definition.json @@ -23,7 +23,7 @@ "ui-priority": 0, "misp-attribute": "datetime" }, - "registration_date": { + "registration-date": { "description": "Registration date of domain", "disable_correlation": false, "ui-priority": 0, From cce77727d6544ee44c9a2bd64bb69cd9dfaf5c7b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 5 May 2019 12:31:41 +0200 Subject: [PATCH 48/68] chg: [x509] improve X.509 certificate description to match required ones from LIEF (as discussed in #180). --- objects/x509/definition.json | 35 +++++++++++++++++++++++++---------- 1 file changed, 25 insertions(+), 10 deletions(-) 
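Review bot: The new domain-ip attribute (added as `registration_date` in the first hunk and renamed to `registration-date` in patch 47's hunk) explicitly sets `"disable_correlation": false`, and since MISP correlates on identical attribute values, every domain registered on the same day would presumably cross-correlate with every other such domain across unrelated events. A registration date is a low-cardinality value like the other datetimes in this series, all of which disable correlation (`first-seen`/`last-seen` in ssh-authorized-keys, `timestamp` in rogue-dns, `first-seen` in imsi-catcher, the x509 validity dates in patch 48), so `"disable_correlation": true` looks like the intended setting. If surfacing bulk registrations is the deliberate goal, say so in the description, e.g. `"description": "Registration date of the domain (correlation kept on to surface bulk registrations)"`. Patch 47's rename leaves the flag unchanged, so whichever choice is made applies to the file's final state.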
diff --git a/objects/x509/definition.json b/objects/x509/definition.json index 42ecb04..2822cd3 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -15,12 +15,14 @@ "pubkey-info-algorithm": { "description": "Algorithm of the public key", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "pubkey-info-size": { "description": "Length of the public key (in bits)", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "pubkey-info-exponent": { "description": "Exponent of the public key", @@ -60,24 +62,27 @@ "misp-attribute": "text" }, "text": { - "description": "Free text description of hte certificate", + "description": "Free text description of the certificate", "ui-priority": 1, "misp-attribute": "text" }, "validity-not-before": { "description": "Certificate invalid before that date", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "validity-not-after": { "description": "Certificate invalid after that date", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "issuer": { "description": "Issuer of the certificate", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "serial-number": { "description": "Serial number of the certificate", 
@@ -87,26 +92,36 @@ "version": { "description": "Version of the certificate", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "self_signed": { "description": "Self-signed certificate", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "is_ca": { "description": "CA certificate", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "dns_names": { "description": "DNS names", "multiple": true, "misp-attribute": "text", "ui-priority": 0 + }, + "signature_algorithm": { + "description": "Signature algorithm", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true, + "sane_default": ["SHA1_WITH_RSA_ENCRYPTION","SHA256_WITH_RSA_ENCRYPTION"] } }, - "version": 8, + "version": 9, "description": "x509 object describing a X.509 certificate", "meta-category": "network", "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", From 8f951e84502eecdaf404a0fa6a557220f0ecb0ee Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 5 May 2019 12:33:59 +0200 Subject: [PATCH 49/68] chg: [jq] jq all the things(tm) --- objects/x509/definition.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index 2822cd3..cf9fe39 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -118,7 +118,10 @@ "misp-attribute": "text", "ui-priority": 0, "disable_correlation": true, - "sane_default": ["SHA1_WITH_RSA_ENCRYPTION","SHA256_WITH_RSA_ENCRYPTION"] + "sane_default": [ + "SHA1_WITH_RSA_ENCRYPTION", + "SHA256_WITH_RSA_ENCRYPTION" + ] } }, "version": 9, From 230122493cf66881eb89c9e6aa393df808dad50e Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Mon, 6 May 2019 07:10:33 +0200 Subject: [PATCH 50/68] chg: [authenticode-signerinfo] first version --- .../authenticode-signerinfo/definition.json | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 objects/authenticode-signerinfo/definition.json diff --git a/objects/authenticode-signerinfo/definition.json b/objects/authenticode-signerinfo/definition.json new file mode 100644 index 0000000..7010ce9 --- /dev/null +++ b/objects/authenticode-signerinfo/definition.json @@ -0,0 +1,62 @@ +{ + "requiredOneOf": [ + "url", + "program-name" + ], + "attributes": { + "text": { + "description": "Free text description of the signer info", + "ui-priority": 1, + "misp-attribute": "text" + }, + "issuer": { + "description": "Issuer of the certificate", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "version": { + "description": "Version of the certificate", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "url": { + "description": "Url", + "multiple": true, + "misp-attribute": "url", + "ui-priority": 0 + }, + "content-type": { + "description": "Content type", + "misp-attribute": "text", + "ui-priority": 0 + }, + "program-name": { + "description": "Program name", + "misp-attribute": "text", + "ui-priority": 0 + }, + "digest_algorithm": { + "description": "Digest algorithm", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "signature_algorithm": { + "description": "Signature algorithm", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true, + "sane_default": [ + "SHA1_WITH_RSA_ENCRYPTION", + "SHA256_WITH_RSA_ENCRYPTION" + ] + } + }, + "version": 1, + "description": "Authenticode Signer Info", + "meta-category": "file", + "uuid": "965cb0aa-baf1-4cc6-9070-68f5c1698c1e", + "name": "authenticode-signerinfo" +} From 53e67b013122d658ff0f07e94ba34db81f69277b Mon Sep 17 00:00:00 2001 
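Review bot: The `issuer` and `version` descriptions in the new authenticode-signerinfo template (`Issuer of the certificate`, `Version of the certificate`) are copied verbatim from the x509 template earlier on this page and do not say which certificate a SignerInfo entry refers to. Authenticode's SignerInfo identifies the signing certificate by issuer plus serial number, so a `serial-number` attribute next to `issuer` would give the template a usable key for the signer, and `version` here is presumably the SignerInfo structure version rather than a certificate version. `"description": "Issuer of the signing certificate"` and `"description": "Version of the SignerInfo structure"` would make the intent explicit; please confirm against what the producing tool emits. `"description": "Url"` and `"description": "Program name"` read like the SpcSpOpusInfo moreInfo/programName pair, and saying so would tell analysts where the values come from.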
From: Alexandre Dulaunoy Date: Mon, 6 May 2019 07:17:11 +0200 Subject: [PATCH 51/68] chg: [authenticode] signerinfo template added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1e1e4e1..4736e4b 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/ais-info](objects/ais-info/definition.json) - Object describing Automated Indicator Sharing (AIS) information source markings. * [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file). * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. +* [objects/authenticode-signerinfo](objects/authenticode-signerinfo/definition.json) - Authenticode signer info. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. * [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0. * [objects/bgp-hijack](objects/bgp-hijack/definition.json) - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com From e066df4e6d1e6a8d09f40a463cadb9fa84ca5722 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 9 May 2019 17:35:14 +0200 Subject: [PATCH 52/68] chg: [microblog] state field added to describe if the tweet is malicious or just OSINT. --- objects/microblog/definition.json | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json index 847fceb..877226b 100644 --- a/objects/microblog/definition.json 
+++ b/objects/microblog/definition.json @@ -29,6 +29,17 @@ "Other" ] }, + "state": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "State of the microblog post", + "disable_correlation": true, + "values_list": [ + "Informative", + "Malicious", + "Unknown" + ] + }, "username": { "description": "Username who posted the microblog post (without the @ prefix)", "ui-priority": 0, @@ -62,7 +73,7 @@ "misp-attribute": "text" } }, - "version": 5, + "version": 6, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "meta-category": "misc", "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", From d922d3eaa5848f3601275e7083ec0e66d8a3701c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 16 May 2019 15:08:43 +0200 Subject: [PATCH 53/68] chg: [person] Gender unknown added This has been added when investigation is ongoing and alias is know but gender is unknown discovered during Enforce training. topic:enforce --- objects/person/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 59de239..2a0befe 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -63,7 +63,8 @@ "Male", "Female", "Other", - "Prefer not to say" + "Prefer not to say", + "Unknown" ], "disable_correlation": true }, @@ -188,7 +189,7 @@ "disable_correlation": true } }, - "version": 9, + "version": 10, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From be7e37200a4c4110e76b739c8e746222d2c77772 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Sun, 19 May 2019 17:47:51 +0200 Subject: [PATCH 54/68] add: [ssh-authorized-keys] object to add elements from SSH authorized keys (and do correlation for fun-and-profit(tm)) --- objects/ssh-authorized-keys/definition.json | 72 +++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 objects/ssh-authorized-keys/definition.json diff --git a/objects/ssh-authorized-keys/definition.json b/objects/ssh-authorized-keys/definition.json new file mode 100644 index 0000000..3e6f047 --- /dev/null +++ b/objects/ssh-authorized-keys/definition.json 
@@ -0,0 +1,72 @@ +{ + "requiredOneOf": [ + "ip", + "hostname", + "full-line", + "key" + ], + "attributes": { + "text": { + "description": "A description of the ssh authorized keys", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "last-seen": { + "description": "Last time the ssh authorized keys file has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "first-seen": { + "description": "First time the ssh authorized keys file has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "full-line": { + "description": "One full-line of the authorized key file", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "key": { + "description": "Public key in base64 as found in the authorized key file", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "key-id": { + "description": "Key-id and option part of the public key line", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "hostname": { + "description": "hostname", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "hostname", + "multiple": true + }, + "ip": { + "description": "IP Address", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-dst", + "multiple": true + } + }, + "version": 1, + "description": "An object to store ssh authorized keys file.", + "meta-category": "network", + "uuid": "d1db3e4d-c932-4d8b-a915-4cff088cb678", + "name": "ssh-authorized-keys" +} From 816f38c61ee3d68d1872a107bcca0646668f532e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 19 May 2019 17:54:50 +0200 Subject: [PATCH 55/68] chg: [doc] ssh-authorized-keys object template added --- README.md | 1 + 1 file changed, 1 insertion(+) 
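Review bot: The `key-id` description, `Key-id and option part of the public key line`, merges two different fields of the authorized_keys format: an sshd line is `[options] keytype base64-key [comment]`, where the leading options (`command=`, `from=`, `restrict`, ...) are what constrain what a planted key can do, and the trailing comment is free text. Storing both as one `text` value makes it hard to search for forced commands across events; consider separate `options` and `comment` attributes, or at least reword to `"description": "Options prefix and/or trailing comment of the authorized_keys line"`. A `key-type` attribute (ssh-rsa, ssh-ed25519, ...) is also absent although the type is on every line and is otherwise only recoverable by decoding the base64 blob stored in `key`. Finally, `"description": "hostname"` says nothing; `"Hostname of the system where the authorized_keys file was found"` is what the `ip` and `text` descriptions imply, but confirm that is the intended meaning.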
diff --git a/README.md b/README.md index 4736e4b..91c2fc0 100644 --- a/README.md +++ b/README.md @@ -137,6 +137,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s). * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. +* [objects/ssh-authorized-keys](objects/ssh-authorized-keys/definition.json) - SSH authorized keys object to store keys and option from SSH authorized_keys file. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. * [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system. * [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object. From a1b2db8fd12f0fd23ff0555780fc474979f7406f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 23 May 2019 11:24:05 +0200 Subject: [PATCH 56/68] chg: [script] requiredOneOf for script or filename Malicious scripts can be received without having a filename. --- objects/script/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/script/definition.json b/objects/script/definition.json index 7389fa1..c7eb0f6 100644 --- a/objects/script/definition.json +++ b/objects/script/definition.json @@ -1,5 +1,5 @@ { - "required": [ + "requiredOneOf": [ "script", "filename" ], 
@@ -56,7 +56,7 @@ ] } }, - "version": 3, + "version": 4, "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "meta-category": "misc", "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", From 48c64c52fcc5e3f43b7a29af94c78bcf14bc5cc6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 1 Jun 2019 10:04:46 +0200 Subject: [PATCH 57/68] new: [shell-commands] Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. --- objects/shell-commands/definition.json | 62 ++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 objects/shell-commands/definition.json diff --git a/objects/shell-commands/definition.json b/objects/shell-commands/definition.json new file mode 100644 index 0000000..37160ea --- /dev/null +++ b/objects/shell-commands/definition.json 
@@ -0,0 +1,62 @@ +{ + "requiredOneOf": [ + "shell-command" + ], + "attributes": { + "script": { + "description": "Free text of the script if available which executed the shell commands.", + "ui-priority": 10, + "misp-attribute": "text" + }, + "comment": { + "description": "Comment associated to the shell commands executed.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "language": { + "description": "Scripting language used for the shell commands executed.", + "ui-priority": 9, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "PowerShell", + "VBScript", + "Bash", + "Lua", + "JavaScript", + "AppleScript", + "AWK", + "Python", + "Perl", + "Ruby", + "Winbatch", + "AutoIt", + "PHP" + ] + }, + "shell-command": { + "description": "", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "state": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "Known state of the script.", + "multiple": true, + "disable_correlation": true, + "values_list": [ + "Malicious", + "Unknown", + "Harmless", + "Trusted" + ] + } + }, + "version": 1, + "description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.", + "meta-category": "misc", + "uuid": "fee65efa-eb64-4516-8611-1db76c589f79", + "name": "script" +} From a9b5c4136ffa601ebc89bfed83dc710e17b9ecb8 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 1 Jun 2019 10:06:00 +0200 Subject: [PATCH 58/68] chg: [doc] shell-commands object added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 91c2fc0..1cb0714 100644 --- a/README.md +++ b/README.md 
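Review bot: The `shell-command` attribute — the only entry in `requiredOneOf` — has an empty `"description": ""`, so the template's key field is undocumented in the UI; `"description": "A shell command that was executed (one command per attribute)."` would also explain the `multiple: true` setting. The `state` attribute is declared `multiple: true` with a `values_list` of `Malicious`/`Unknown`/`Harmless`/`Trusted`, unlike the single-valued `state` added to microblog in patch 52 on this page; if a script cannot be both Malicious and Trusted at once, drop `multiple` so the object carries one state. The object `"name": "script"` collides with the existing script template, but patch 59 later in this series already corrects it to `shell-commands`.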
@@ -133,6 +133,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. * [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. +* [objects/shell-commands](objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target. * [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s). * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. From e7bb12af7daa0d771dd558bf7707610d7e9b46ed Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 1 Jun 2019 10:13:06 +0200 Subject: [PATCH 59/68] chg: [shell-commands] fix typo in object name --- objects/shell-commands/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/shell-commands/definition.json b/objects/shell-commands/definition.json index 37160ea..8600073 100644 --- a/objects/shell-commands/definition.json +++ b/objects/shell-commands/definition.json 
@@ -58,5 +58,5 @@ "description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.", "meta-category": "misc", "uuid": "fee65efa-eb64-4516-8611-1db76c589f79", - "name": "script" + "name": "shell-commands" } From 7a01bff00f9eb25fdd2fcfe49034dfb6134fb363 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 1 Jun 2019 11:17:33 +0200 Subject: [PATCH 60/68] chg: [relationships] screenshot-of added to the list of default relationships --- relationships/definition.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 29c470f..9668cc6 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -949,6 +949,13 @@ "misp", "haxpak" ] + }, + { + "name": "screenshot-of", + "description": "Represents an object being the screenshot of something.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From 41a6d596ff2ca0605e719e8af054efb7d06dce06 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 18 Jun 2019 17:38:45 +0200 Subject: [PATCH 61/68] chg: [rogue-dns] new object template expressing rogue dns Thanks to CERT.br for the contribution --- objects/rogue-dns/definition.json | 46 +++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 objects/rogue-dns/definition.json diff --git a/objects/rogue-dns/definition.json b/objects/rogue-dns/definition.json new file mode 100644 index 0000000..3e6e4a9 --- /dev/null +++ b/objects/rogue-dns/definition.json 
@@ -0,0 +1,46 @@ +{ + "required": [ + "rogue-dns" + ], + "attributes": { + "timestamp": { + "description": "Last time that the rogue DNS value was seen.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "rogue-dns": { + "description": "IP address of the rogue DNS", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "status": { + "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "ROGUE DNS", + "Unknown" + ], + "disable_correlation": true + }, + "hijacked-domain": { + "description": "Domain/hostname hijacked by the the rogue DNS", + "categories": [ + "Network activity" + ], + "ui-priority": 1, + "misp-attribute": "hostname" + }, + "phishing-ip": { + "description": "Resource records returns by the rogue DNS", + "ui-priority": 1, + "misp-attribute": "ip-dst" + } + }, + "version": 1, + "description": "Rogue DNS as defined by CERT.br", + "meta-category": "network", + "uuid": "b7e7859b-6872-4fd2-ac49-f66ccb904505", + "name": "rogue-dns" +} From e2f12cebd61423c349e2455e1acb648bc10f83ac Mon Sep 17 00:00:00 2001 From: ater49 Date: Tue, 18 Jun 2019 21:45:42 +0200 Subject: [PATCH 62/68] Adding IIN and bank_name --- objects/credit-card/definition.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/objects/credit-card/definition.json b/objects/credit-card/definition.json index 0be416f..2a2e36b 100644 --- a/objects/credit-card/definition.json +++ b/objects/credit-card/definition.json 
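Review bot: The `status` description in the new rogue-dns template (`How many authoritative DNS answers were received at the Passive DNS Server's collectors ...`) describes a passive-DNS record count, not a field whose `sane_default` values are `ROGUE DNS` and `Unknown`; it looks pasted from a passive-dns definition and should read something like `"description": "Classification of the DNS server (confirmed rogue or not yet confirmed)."`. Two smaller wording issues in the same hunk: `hijacked-domain` has a doubled word (`by the the rogue DNS`), and `phishing-ip` reads `Resource records returns by the rogue DNS`, where `Resource records returned by the rogue DNS for the hijacked domain` is both grammatical and says which query the record answers. Leaving correlation enabled on `rogue-dns` and `phishing-ip` is the right call, since those are the attacker-controlled values analysts want matched across events.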
@@ -3,6 +3,16 @@ "cc-number" ], "attributes": { + "iin": { + "description": "International Issuer Number (First eight digits of the credit card number", + "ui-priority": 0, + "misp-attribute": "text" + }, + "bank_name": { + "description": "Name of the bank which have issued the card", + "ui-priority": 0, + "misp-attribute": "text" + }, "version": { "description": "Version of the card.", "ui-priority": 0, @@ -39,7 +49,7 @@ "misp-attribute": "cc-number" } }, - "version": 2, + "version": 3, "description": "A payment card like credit card, debit card or any similar cards which can be used for financial transactions.", "meta-category": "financial", "uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7", From c3618fcf5288496a6af079ab73a772e66b5dce87 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 2 Jul 2019 10:19:54 +0200 Subject: [PATCH 63/68] new: [imsi-catcher] object based on the output format of IMSI-catcher open source tools The object has been created to show the flexibility of the object template during the PassTheSalt 2019 conference and the D4 presentation. --- objects/imsi-catcher/definition.json | 89 ++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 objects/imsi-catcher/definition.json diff --git a/objects/imsi-catcher/definition.json b/objects/imsi-catcher/definition.json new file mode 100644 index 0000000..061ebc5 --- /dev/null +++ b/objects/imsi-catcher/definition.json 
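Review bot: The `iin` description in the credit-card hunk, `International Issuer Number (First eight digits of the credit card number`, expands the acronym wrongly and is missing its closing parenthesis; IIN is the ISO/IEC 7812 Issuer Identification Number (the BIN), six digits historically and eight under the 2017 revision. `"description": "Issuer Identification Number (IIN/BIN): the leading six to eight digits of the card number that identify the issuer."` states both. Neither `iin` nor `bank_name` disables correlation, yet both are issuer-level values shared by every card from that bank, so, as MISP correlates on identical values, every card object from the same issuer would presumably cross-correlate across unrelated events; `"disable_correlation": true` on both matches how the comparable `brand`/`operator`/`mcc` fields are handled in the imsi-catcher template later on this page.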
@@ -0,0 +1,89 @@ +{ + "requiredOneOf": [ + "text", + "first-seen", + "imsi" + ], + "attributes": { + "imsi": { + "description": "A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "tmsi-1": { + "description": "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "tmsi-2": { + "description": "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "country": { + "description": "Country where the IMSI is registered.", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "brand": { + "description": "Brand associated with the IMSI registration.", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "operator": { + "description": "Operator associated with the IMSI registration.", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "mcc": { + "description": "MCC - Mobile Country Code", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "mnc": { + "description": "MNC - Mobile Network Code", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "lac": { + "description": "LAC - Location Area Code", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "cellid": { + "description": "CellID", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "text": { + "description": "A description of the IMSI record.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "first-seen": { + "description": "When the IMSI has been 
accessible or seen for the first time.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "seq": { + "description": "A sequence number for the collection", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "counter" + } + }, + "version": 1, + "description": "IMSI Catcher entry object based on the open source IMSI cather", + "meta-category": "misc", + "uuid": "a64f21b1-2f1b-4298-8243-c45db2c4aa7c", + "name": "imsi-catcher" +} From bfb325b907346940e0ac22ee274bf40d8137c570 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Fri, 5 Jul 2019 15:57:11 +0200 Subject: [PATCH 64/68] add: [ip-port] Added ip-dst attribute eeeeeeeeeeeeeeeeeeeeeee - Users can then choose between "ip" when they do not know whever it is a source or destination IP address, or "ip-src" & "ip-dst" to have more clarity about the IP address --- objects/ip-port/definition.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index b8d245a..2057f88 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json @@ -85,6 +85,16 @@ "ui-priority": 1, "misp-attribute": "ip-src", "multiple": true + }, + "ip-dst": { + "description": "destination IP address", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-dst", + "multiple": true } }, "version": 8, From d502c254cc8d763b20290c2fdbf7b8fd32ae8f2b Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Fri, 5 Jul 2019 16:11:31 +0200 Subject: [PATCH 65/68] add: [ip-port] Added ip-dst as one of the required attributes --- objects/ip-port/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index 2057f88..bb9a1f6 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json 
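Review bot: `tmsi-1` and `tmsi-2` in the imsi-catcher template carry the same garbled description (`Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.`) and nothing says why there are two of them; `"description": "Temporary Mobile Subscriber Identity (TMSI) allocated to the subscriber by the visited network; tmsi-2 is the second TMSI reported by the tool, if any"` is my reading, to be confirmed against the tool's output. The object description also has a typo, `IMSI Catcher entry object based on the open source IMSI cather` → `catcher`, and `"description": "CellID"` for `cellid` could say `Cell ID of the serving cell` so the three location fields (`mcc`, `mnc`, `lac`, `cellid`) read consistently.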
@@ -5,7 +5,8 @@
 "domain",
 "hostname",
 "ip",
- "ip-src"
+ "ip-src",
+ "ip-dst"
 ],
 "attributes": {
 "text": {
From b96e7ed8be77c601b3b8ab70067eda3734a83dc2 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 8 Jul 2019 11:18:21 +0200 Subject: [PATCH 66/68] new: New object describing user accounts --- README.md | 1 + objects/user-account/definition.json | 136 +++++++++++++++++++++++++++ 2 files changed, 137 insertions(+) create mode 100644 objects/user-account/definition.json
diff --git a/README.md b/README.md
index 1cb0714..84d2692 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 * [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform.
 * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
 * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
+* [objects/user-account](objects/user-account/definition.json) - Object describing a user account (UNIX, Windows, etc).
 * [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
 * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
diff --git a/objects/user-account/definition.json b/objects/user-account/definition.json
new file mode 100644
index 0000000..8719809
--- /dev/null
+++ b/objects/user-account/definition.json
@@ -0,0 +1,136 @@
+{
+ "name": "user-account",
+ "uuid": "49606b06-22f0-4ac8-8eee-2f12ad46f3d3",
+ "meta-category": "misc",
+ "description": "",
+ "version": 1,
+ "requiredOneOf": [
+ "password",
+ "username"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the user account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "username": {
+ "description": "Username related to the password.",
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "user-id": {
+ "description": "Identifier of the account.",
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "password": {
+ "description": "Password related to the username.",
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "display-name": {
+ "description": "Display name of the account.",
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "account-type": {
+ "description": "Type of the account.",
+ "ui-priority": 1,
+ "misp-attributes": "text",
+ "sane_default": [
+ "facebook",
+ "ldap",
+ "nis",
+ "openid",
+ "radius",
+ "skype",
+ "tacacs",
+ "twitter",
+ "unix",
+ "windows-local",
+ "windows-domain"
+ ]
+ },
+ "is_service_account": {
+ "description": "Specifies if the account is associated with a network service.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "boolean"
+ },
+ "privileged": {
+ "description": "Specifies if the account has privileges such as root rights.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "boolean"
+ },
+ "can_escalate_privs": {
+ "description": "Specifies if the account has the ability to escalate privileges.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "boolean"
+ },
+ "disabled": {
+ "description": "Specifies if the account is desabled.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "boolean"
+ },
+ "created": {
+ "description": "Creation time of the account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "expires": {
+ "description": "Expiration time of the account",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "first_login": {
+ "description": "First time someone logged in to the account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "last_login": {
+ "description": "Last time someone logged in to the account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "password_last_changed": {
+ "description": "Last time the password has been changed.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "group-id": {
+ "description": "Identifier of the primary group of the account, in case of a UNIX account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "group": {
+ "description": "UNIX group(s) the account is member of.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text",
+ "multiple": true
+ },
+ "home_dir": {
+ "description": "Home directory of the UNIX account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "shell": {
+ "description": "UNIX command shell of the account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ }
+ }
+}
From ddff56f52c39a4057ff66e33c42f9fbe61501606 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 8 Jul 2019 11:38:11 +0200 Subject: [PATCH 67/68] fix: TYPO --- objects/user-account/definition.json | 38 ++++++++++++++-------------- 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/objects/user-account/definition.json b/objects/user-account/definition.json
index 8719809..1060e00 100644
--- a/objects/user-account/definition.json
+++ b/objects/user-account/definition.json
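Review bot: The top-level `"description": ""` is empty, so the template ships without a human-readable summary; the README entry added in the same commit could be used verbatim: `"description": "Object describing a user account (UNIX, Windows, etc).",`. The `disabled` attribute's description has a typo, `"Specifies if the account is desabled."`, and it survives the later "fix: TYPO" patch (67/68), where the line only appears as unchanged context. Attribute names mix kebab-case (`user-id`, `display-name`, `account-type`, `group-id`) with snake_case (`is_service_account`, `can_escalate_privs`, `first_login`, `home_dir`); the snake_case names look inherited from STIX 2's user-account object, but one convention should be used throughout, and the other templates in this series use kebab-case (`ip-dst`, `first-seen`). `password` correlates by default and its description says only "Password related to the username."; stating whether a cleartext value or a hash is expected would help analysts decide how credential material in this object should be shared and correlated.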
@@ -13,32 +13,32 @@
 "description": "A description of the user account.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "text"
+ "misp-attribute": "text"
 },
 "username": {
 "description": "Username related to the password.",
 "ui-priority": 1,
- "misp-attributes": "text"
+ "misp-attribute": "text"
 },
 "user-id": {
 "description": "Identifier of the account.",
 "ui-priority": 1,
- "misp-attributes": "text"
+ "misp-attribute": "text"
 },
 "password": {
 "description": "Password related to the username.",
 "ui-priority": 1,
- "misp-attributes": "text"
+ "misp-attribute": "text"
 },
 "display-name": {
 "description": "Display name of the account.",
 "ui-priority": 1,
- "misp-attributes": "text"
+ "misp-attribute": "text"
 },
 "account-type": {
 "description": "Type of the account.",
 "ui-priority": 1,
- "misp-attributes": "text",
+ "misp-attribute": "text",
 "sane_default": [
 "facebook",
 "ldap",
@@ -57,80 +57,80 @@
 "description": "Specifies if the account is associated with a network service.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "boolean"
+ "misp-attribute": "boolean"
 },
 "privileged": {
 "description": "Specifies if the account has privileges such as root rights.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "boolean"
+ "misp-attribute": "boolean"
 },
 "can_escalate_privs": {
 "description": "Specifies if the account has the ability to escalate privileges.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "boolean"
+ "misp-attribute": "boolean"
 },
 "disabled": {
 "description": "Specifies if the account is desabled.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "boolean"
+ "misp-attribute": "boolean"
 },
 "created": {
 "description": "Creation time of the account.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "datetime"
+ "misp-attribute": "datetime"
 },
 "expires": {
 "description": "Expiration time of the account",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "datetime"
+ "misp-attribute": "datetime"
 },
 "first_login": {
 "description": "First time someone logged in to the account.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "datetime"
+ "misp-attribute": "datetime"
 },
 "last_login": {
 "description": "Last time someone logged in to the account.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "datetime"
+ "misp-attribute": "datetime"
 },
 "password_last_changed": {
 "description": "Last time the password has been changed.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "datetime"
+ "misp-attribute": "datetime"
 },
 "group-id": {
 "description": "Identifier of the primary group of the account, in case of a UNIX account.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "text"
+ "misp-attribute": "text"
 },
 "group": {
 "description": "UNIX group(s) the account is member of.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "text",
+ "misp-attribute": "text",
 "multiple": true
 },
 "home_dir": {
 "description": "Home directory of the UNIX account.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "text"
+ "misp-attribute": "text"
 },
 "shell": {
 "description": "UNIX command shell of the account.",
 "disable_correlation": true,
 "ui-priority": 1,
- "misp-attributes": "text"
+ "misp-attribute": "text"
 }
 }
 }
From 0caf4a9edcfd18bd20ad55f18c4ba3c6a9d32da6 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 9 Jul 2019 17:05:48 +0200 Subject: [PATCH 68/68] chg: Added user-id attribute as one of the required ones --- objects/user-account/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/objects/user-account/definition.json b/objects/user-account/definition.json
index 1060e00..203bb28 100644
--- a/objects/user-account/definition.json
+++ b/objects/user-account/definition.json
@@ -6,7 +6,8 @@
 "version": 1,
 "requiredOneOf": [
 "password",
- "username"
+ "username",
+ "user-id"
 ],
 "attributes": {
 "text": {