diff --git a/objects/device/definition.json b/objects/device/definition.json
index 2a81682..520d3e9 100644
--- a/objects/device/definition.json
+++ b/objects/device/definition.json
@@ -57,6 +57,279 @@
 "multiple": true,
 "ui-priority": 0
 },
+ "hits": {
+ "description": "Number of hits for the device",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "infection_type": {
+ "description": "Type of infection if the device is in Infected status",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "android_spams",
+ "android.bakdoor.prizmes",
+ "android.bankbot",
+ "android.banker.anubis",
+ "android.bankspy",
+ "android.cliaid",
+ "android.darksilent",
+ "android.fakeav",
+ "android.fakebank",
+ "android.fakedoc",
+ "android.fakeinst",
+ "android.fakemart",
+ "android.faketoken",
+ "android.fobus",
+ "android.fungram",
+ "android.geost",
+ "android.gopl",
+ "android.hiddad",
+ "android.hqwar",
+ "android.hummer",
+ "android.infosteal",
+ "android.iop",
+ "android.lockdroid",
+ "android.milipnot",
+ "android.nitmo",
+ "android.opfake",
+ "android.premiumtext",
+ "android.provar",
+ "android.pwstealer",
+ "android.rootnik",
+ "android.skyfin",
+ "android.smsbot",
+ "android.smssilence",
+ "android.smsspy",
+ "android.smsspy.be24",
+ "android.sssaaa",
+ "android.teleplus",
+ "android.uupay",
+ "android.voxv",
+ "avalanche-andromeda",
+ "banatrix",
+ "bankpatch",
+ "bebloh",
+ "bedep",
+ "betabot",
+ "bitcoinminer",
+ "blackbeard",
+ "blakamba",
+ "boinberg",
+ "buhtrap",
+ "caphaw",
+ "carberp",
+ "chafer",
+ "changeup",
+ "chinad",
+ "citadel",
+ "cobint",
+ "coinminer",
+ "conficker",
+ "cryptowall",
+ "cutwail",
+ "cycbot",
+ "diaminer",
+ "dimnie",
+ "dipverdle",
+ "dircrypt",
+ "dirtjumper",
+ "disorderstatus",
+ "dmsniff",
+ "dofoil",
+ "domreg",
+ "dorkbot",
+ "dorkbot-ssl",
+ "dresscode",
+ "dybalom",
+ "ek.fallout",
+ "emoted",
+ "emotet",
+ "esfury",
+ "expiro",
+ "exploitkit.fallout",
+ "extenbro",
+ "fake_cs_updater",
+ "fakerean",
+ "fallout.exploitkit",
+ "fast-flux",
+ "fast-flux-double",
+ "fast-flux;fast-flux-double",
+ "fleercivet",
+ "fobber",
+ "foxbantrix",
+ "foxbantrix-unknown",
+ "generic.malware",
+ "geodo",
+ "gonderici",
+ "gootkit",
+ "gozi",
+ "gspy",
+ "gtfobot",
+ "hancitor",
+ "harnig",
+ "htm5player.vast",
+ "ibanking",
+ "icedid",
+ "infected",
+ "iotreaper",
+ "ip-spoofer",
+ "ircbot",
+ "isfb",
+ "jadtre",
+ "jdk-update-apt",
+ "js.worm.bondat",
+ "junk-domains",
+ "kasidet",
+ "kbot",
+ "kelihos",
+ "kelihos.e",
+ "keylogger",
+ "keylogger-ftp",
+ "keylogger-vbklip",
+ "kidminer",
+ "kingminer",
+ "koobface",
+ "kraken",
+ "kronos",
+ "kwampirs",
+ "lethic",
+ "linux.backdoor.setag",
+ "linux.ngioweb",
+ "litemanager",
+ "loader",
+ "locky",
+ "loki",
+ "lokibot",
+ "luminositylink",
+ "lurkbanker",
+ "madominer",
+ "magecart",
+ "maliciouswebsites",
+ "malvertising.doubleclick",
+ "malwaretom",
+ "marcher",
+ "matrix",
+ "matsnu",
+ "menupass",
+ "mewsspy",
+ "miner.monero",
+ "minr",
+ "mirai",
+ "mix2",
+ "mkero",
+ "monero",
+ "mozi",
+ "muddywater",
+ "murofet",
+ "mysafeproxymonitor",
+ "nametrick",
+ "necurs",
+ "netsupport",
+ "nettraveler",
+ "neurevt",
+ "nitol",
+ "nivdort",
+ "nukebot",
+ "null",
+ "nymaim",
+ "nymain",
+ "osx.fakeflash",
+ "palevo",
+ "pawnstorm",
+ "phishing",
+ "phishing.cobalt",
+ "phishing.cobalt_dickens",
+ "phorpiex",
+ "pitou",
+ "plasma-tomas",
+ "ponmocup",
+ "pony",
+ "poseidon",
+ "powerstats",
+ "proxyback",
+ "pushdo",
+ "pws.pony",
+ "pykspa",
+ "qadars",
+ "qakbot",
+ "qqblack",
+ "qrypter.rat",
+ "qsnatch",
+ "racoon",
+ "ramdo",
+ "ramnit",
+ "ranbyus",
+ "ransom.cerber",
+ "ransomware",
+ "ransomware.shade",
+ "rat.vermin",
+ "renocide",
+ "revil",
+ "rodecap",
+ "sality",
+ "sality-p2p",
+ "servhelper",
+ "sgminer",
+ "shifu",
+ "shiz",
+ "sinowal",
+ "sisron",
+ "sodinokibi",
+ "spam",
+ "sphinx",
+ "spyeye",
+ "ssh-brute-force",
+ "ssl",
+ "ssl-az7",
+ "ssl-unknown-bot-test",
+ "ssl-vmzeus",
+ "stantinko",
+ "tdss",
+ "teleru",
+ "telnet-brute-force",
+ "tinba",
+ "tinba-dga",
+ "trickbot",
+ "triton",
+ "trojan.click3",
+ "trojan.fakeav",
+ "trojan.includer",
+ "trojan.win32.razy.gen",
+ "unknown",
+ "unknown-bot-test",
+ "valak",
+ "vawtrak",
+ "vbklip",
+ "verst",
+ "victorygate.a",
+ "victorygate.b",
+ "victorygate.c",
+ "virut",
+ "vmzeus",
+ "vobfus",
+ "volatile_cedar",
+ "vpnfilter_stage3",
+ "wannacrypt",
+ "wauchos",
+ "webminer.cdn",
+ "win.neurevt",
+ "worm.kasidet",
+ "worm.phorpiex",
+ "wowlik",
+ "wrokni",
+ "xbash",
+ "xmrminer",
+ "xpaj",
+ "xshellghost",
+ "yoddos",
+ "zeus",
+ "zeus_gameover",
+ "zeus_panda",
+ "zloader"
+ ]
+ },
 "ip-address": {
 "description": "Device IP address",
 "misp-attribute": "ip-src",
@@ -68,6 +341,17 @@
 "misp-attribute": "text",
 "ui-priority": 101
 },
+ "status": {
+ "description": "Status of the device",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Infected",
+ "Exposed",
+ "Unknown",
+ "Clean"
+ ]
+ },
 "version": {
 "description": "Version of the device/ OS",
 "disable_correlation": true,
@@ -83,5 +367,5 @@
 "alias"
 ],
 "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52",
- "version": 7
+ "version": 9
 }
\ No newline at end of file
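Review bot: The `infection_type` `sane_default` list in this hunk carries values that are not infection types — `"null"`, `"unknown"`, `"infected"`, `"unknown-bot-test"`, `"ssl-unknown-bot-test"` — plus one composite entry, `"fast-flux;fast-flux-double"`, that is two other entries joined by a semicolon, which reads like a feed column exported verbatim rather than a curated vocabulary. Several entries also look like alternate spellings of the same family (`"nymaim"`/`"nymain"`, `"emotet"`/`"emoted"`, `"ek.fallout"`/`"exploitkit.fallout"`/`"fallout.exploitkit"`), so anything that groups devices by this attribute will split one family across several buckets; I would drop the sentinel and composite entries and keep one spelling per family before this ships. The new `infection_type`, and `status` in the second hunk, also omit `"ui-priority"`, which `hits` and the context lines around both hunks set — add `"ui-priority": 0,` to both for consistency. The enclosing attributes object starts before the hunk.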
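Review bot: The `status` values are capitalised (`"Infected"`, `"Unknown"`, `"Clean"`) while every `infection_type` value in the first hunk is lowercase, including its own `"infected"` and `"unknown"` entries, so a consumer that compares the two attributes case-sensitively will never match them. If `sane_default` is only a suggestion list, as the name implies, nothing else enforces the coupling that the `infection_type` description hints at, so the description here should state it: `"description": "Status of the device; infection_type is only expected when this is Infected"`. The enclosing object continues outside the hunk.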