mirror of https://github.com/MISP/misp-objects
Compare commits
31 Commits
922dcc6996
...
5ae8125610
Author | SHA1 | Date |
---|---|---|
Karen Yousefi | 5ae8125610 | |
Alexandre Dulaunoy | c83372377e | |
Christophe Vandeplas | 28328aa53d | |
Alexandre Dulaunoy | 3a2c160630 | |
Alexandre Dulaunoy | 4393a483fe | |
Alexandre Dulaunoy | 2061c353fe | |
Alexandre Dulaunoy | 42b48439da | |
Alexandre Dulaunoy | 8aea824bbe | |
Alexandre Dulaunoy | 9f98d15a6f | |
Alexandre Dulaunoy | f3724ad19b | |
Alexandre Dulaunoy | 7f95d3290a | |
Alexandre Dulaunoy | 3d78e17c4b | |
Delta-Sierra | b1588baa0e | |
Delta-Sierra | d099a893c1 | |
Delta-Sierra | 1cf333f020 | |
Alexandre Dulaunoy | 16b354c04c | |
Alexandre Dulaunoy | 9f7cabf25c | |
menewol | 93b43a3191 | |
Alexandre Dulaunoy | 1abf2bf705 | |
Alexandre Dulaunoy | a2063078e5 | |
Alexandre Dulaunoy | 37fe188830 | |
Alexandre Dulaunoy | a176a663d0 | |
Delta-Sierra | b65199716f | |
David Cruciani | b10d4680bc | |
David Cruciani | 051605763e | |
Delta-Sierra | 845a48a7a4 | |
Delta-Sierra | d371245037 | |
Alexandre Dulaunoy | 96492b9c93 | |
Jeroen Pinoy | 4e31ad218e | |
Karen Yousefi | 21775dbecc | |
Karen Yousefi | 4a2a337926 | |
@ -115,6 +115,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
|
|||
- [objects/annotation](https://github.com/MISP/misp-objects/blob/main/objects/annotation/definition.json) - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.
|
||||
- [objects/anonymisation](https://github.com/MISP/misp-objects/blob/main/objects/anonymisation/definition.json) - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml.
|
||||
- [objects/apivoid-email-verification](https://github.com/MISP/misp-objects/blob/main/objects/apivoid-email-verification/definition.json) - Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/.
|
||||
- [objects/apk](https://github.com/MISP/misp-objects/blob/main/objects/apk/definition.json) - Apk object describing a file with meta-information.
|
||||
- [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1).
|
||||
- [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
|
||||
- [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification.
|
||||
|
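Review bot: the new `objects/apk` line in this hunk reuses the `file` template's wording ("Apk object describing a file with meta-information."), so the README entry does not say what distinguishes it from `objects/file`; since the template's only APK-specific attribute is `package-name`, say so, e.g. `Apk object describing an Android application package (APK) with meta-information.` The entry is correctly placed between `apivoid-email-verification` and `artifact`.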
@ -153,7 +154,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
|
|||
- [objects/credential](https://github.com/MISP/misp-objects/blob/main/objects/credential/definition.json) - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).
|
||||
- [objects/credit-card](https://github.com/MISP/misp-objects/blob/main/objects/credit-card/definition.json) - A payment card like credit card, debit card or any similar cards which can be used for financial transactions.
|
||||
- [objects/crowdsec-ip-context](https://github.com/MISP/misp-objects/blob/main/objects/crowdsec-ip-context/definition.json) - CrowdSec Threat Intelligence - IP CTI search.
|
||||
- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report.
|
||||
- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report.
|
||||
- [objects/crypto-material](https://github.com/MISP/misp-objects/blob/main/objects/crypto-material/definition.json) - Cryptographic materials such as public or/and private keys.
|
||||
- [objects/cryptocurrency-transaction](https://github.com/MISP/misp-objects/blob/main/objects/cryptocurrency-transaction/definition.json) - An object to describe a cryptocurrency transaction.
|
||||
- [objects/cs-beacon-config](https://github.com/MISP/misp-objects/blob/main/objects/cs-beacon-config/definition.json) - Cobalt Strike Beacon Config.
|
||||
|
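Review bot: the two `objects/crowdstrike-report` lines in this hunk are identical in the rendered view, so the change itself is not reviewable here; please confirm it is intentional (the same pattern appears in the `edr-report` hunk below). While the line is being touched, fix the article and vendor casing: `An Object Template to encode a CrowdStrike detection report.`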
@ -169,7 +170,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
|
|||
- [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain.
|
||||
- [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time.
|
||||
- [objects/domain-ip](https://github.com/MISP/misp-objects/blob/main/objects/domain-ip/definition.json) - A domain/hostname and IP address seen as a tuple in a specific time frame.
|
||||
- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report.
|
||||
- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report.
|
||||
- [objects/elf](https://github.com/MISP/misp-objects/blob/main/objects/elf/definition.json) - Object describing a Executable and Linkable Format.
|
||||
- [objects/elf-section](https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format.
|
||||
- [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information.
|
||||
|
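Review bot: as with `crowdstrike-report`, the old and new `objects/edr-report` lines in this hunk show no visible difference, so the diff cannot be reviewed from this page; if these are whitespace-only fixes, a one-line commit message saying so would save the next reviewer the same check.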
@ -190,6 +191,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
|
|||
- [objects/file](https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json) - File object describing a file with meta-information.
|
||||
- [objects/flowintel-cm-case](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-case/definition.json) - A case as defined by flowintel-cm.
|
||||
- [objects/flowintel-cm-task](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task/definition.json) - A task as defined by flowintel-cm.
|
||||
- [objects/flowintel-cm-task-note](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task-note/definition.json) - A task's note as defined by flowintel-cm.
|
||||
- [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
|
||||
- [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence.
|
||||
- [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document.
|
||||
|
@ -336,7 +338,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
|
|||
- [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format.
|
||||
- [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml.
|
||||
- [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents.
|
||||
- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io.
|
||||
- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io or others.
|
||||
- [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account.
|
||||
- [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment.
|
||||
- [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post.
|
||||
|
|
|
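Review bot: "as monitored by ransomlook.io or others" is vaguer than the line it replaces; if the intent is to stop tying the template to one source, say what is actually described, e.g. `Ransomware group post as published on a ransomware leak site and monitored by ransomlook.io or other trackers.` The definition's own `description` field (changed further down in this changeset) should carry the same wording.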
@ -0,0 +1,188 @@
|
|||
{
|
||||
"attributes": {
|
||||
"malware-sample": {
|
||||
"description": "The file itself (binary)",
|
||||
"misp-attribute": "malware-sample",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"filename": {
|
||||
"categories": [
|
||||
"Payload delivery",
|
||||
"Artifacts dropped",
|
||||
"Payload installation",
|
||||
"External analysis"
|
||||
],
|
||||
"description": "Filename on disk",
|
||||
"misp-attribute": "filename",
|
||||
"multiple": true,
|
||||
"ui-priority": 1
|
||||
},
|
||||
"md5": {
|
||||
"description": "[Insecure] MD5 hash (128 bits)",
|
||||
"misp-attribute": "md5",
|
||||
"recommended": false,
|
||||
"ui-priority": 1
|
||||
},
|
||||
"sha256": {
|
||||
"description": "Secure Hash Algorithm 2 (256 bits)",
|
||||
"misp-attribute": "sha256",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"sha1": {
|
||||
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
|
||||
"misp-attribute": "sha1",
|
||||
"recommended": false,
|
||||
"ui-priority": 1
|
||||
},
|
||||
"ssdeep": {
|
||||
"description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
|
||||
"misp-attribute": "ssdeep",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"tlsh": {
|
||||
"description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
|
||||
"misp-attribute": "tlsh",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"sha224": {
|
||||
"description": "Secure Hash Algorithm 2 (224 bits)",
|
||||
"misp-attribute": "sha224",
|
||||
"recommended": false,
|
||||
"ui-priority": 1
|
||||
},
|
||||
"sha384": {
|
||||
"description": "Secure Hash Algorithm 2 (384 bits)",
|
||||
"misp-attribute": "sha384",
|
||||
"recommended": false,
|
||||
"ui-priority": 1
|
||||
},
|
||||
"sha512": {
|
||||
"description": "Secure Hash Algorithm 2 (512 bits)",
|
||||
"misp-attribute": "sha512",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"size-in-bytes": {
|
||||
"description": "Size of the file, in bytes",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "size-in-bytes",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"state": {
|
||||
"description": "State of the file",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"multiple": true,
|
||||
"ui-priority": 1,
|
||||
"values_list": [
|
||||
"Malicious",
|
||||
"Harmless",
|
||||
"Signed",
|
||||
"Revoked",
|
||||
"Expired",
|
||||
"Trusted"
|
||||
]
|
||||
},
|
||||
"package-name": {
|
||||
"description": "The package name of an Android app",
|
||||
"misp-attribute": "text",
|
||||
"recommended": true,
|
||||
"ui-priority": 1
|
||||
},
|
||||
"sha3-224": {
|
||||
"description": "Secure Hash Algorithm 3 (224 bits)",
|
||||
"misp-attribute": "sha3-224",
|
||||
"recommended": false,
|
||||
"ui-priority": 0
|
||||
},
|
||||
"sha3-256": {
|
||||
"description": "Secure Hash Algorithm 3 (256 bits)",
|
||||
"misp-attribute": "sha3-256",
|
||||
"recommended": false,
|
||||
"ui-priority": 0
|
||||
},
|
||||
"sha3-384": {
|
||||
"description": "Secure Hash Algorithm 3 (384 bits)",
|
||||
"misp-attribute": "sha3-384",
|
||||
"recommended": false,
|
||||
"ui-priority": 0
|
||||
},
|
||||
"sha3-512": {
|
||||
"description": "Secure Hash Algorithm 3 (512 bits)",
|
||||
"misp-attribute": "sha3-512",
|
||||
"recommended": false,
|
||||
"ui-priority": 0
|
||||
},
|
||||
"sha512/224": {
|
||||
"description": "Secure Hash Algorithm 2 (224 bits)",
|
||||
"misp-attribute": "sha512/224",
|
||||
"recommended": false,
|
||||
"ui-priority": 0
|
||||
},
|
||||
"sha512/256": {
|
||||
"description": "Secure Hash Algorithm 2 (256 bits)",
|
||||
"misp-attribute": "sha512/256",
|
||||
"recommended": false,
|
||||
"ui-priority": 0
|
||||
},
|
||||
"mimetype": {
|
||||
"description": "Mime type",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "mime-type",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"url": {
|
||||
"categories": [
|
||||
"Payload delivery"
|
||||
],
|
||||
"description": "Malware delivery url",
|
||||
"misp-attribute": "url",
|
||||
"multiple": true,
|
||||
"ui-priority": 1
|
||||
},
|
||||
"vhash": {
|
||||
"description": "vhash by VirusTotal",
|
||||
"misp-attribute": "vhash",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"access-time": {
|
||||
"description": "The last time the file was accessed",
|
||||
"misp-attribute": "datetime",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"creation-time": {
|
||||
"description": "Creation time of the file",
|
||||
"misp-attribute": "datetime",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"modification-time": {
|
||||
"description": "Last time the file was modified",
|
||||
"misp-attribute": "datetime",
|
||||
"ui-priority": 0
|
||||
}
|
||||
},
|
||||
"description": "Apk object describing a file with meta-information",
|
||||
"meta-category": "file",
|
||||
"name": "apk",
|
||||
"requiredOneOf": [
|
||||
"filename",
|
||||
"size-in-bytes",
|
||||
"ssdeep",
|
||||
"md5",
|
||||
"sha1",
|
||||
"sha224",
|
||||
"sha256",
|
||||
"sha384",
|
||||
"sha512",
|
||||
"sha512/224",
|
||||
"sha512/256",
|
||||
"sha3-224",
|
||||
"sha3-256",
|
||||
"sha3-384",
|
||||
"sha3-512",
|
||||
"tlsh",
|
||||
"malware-sample",
|
||||
"url"
|
||||
],
|
||||
"uuid": "501bf5cf-28e0-4a5a-8056-e811c6447cfa",
|
||||
"version": 2
|
||||
}
|
|
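Review bot: this brand-new `apk` definition starts at `"version": 2` on a file added with `@ -0,0`; unless a version 1 was published elsewhere it should start at 1. Two documentation points in the same file: the `sha512/224` and `sha512/256` attributes carry the descriptions "Secure Hash Algorithm 2 (224 bits)" and "Secure Hash Algorithm 2 (256 bits)", which are indistinguishable from `sha224` and `sha256` above them, so name the truncated variant explicitly (`Secure Hash Algorithm 2, SHA-512/224 truncated output`); and the top-level `description` repeats the `file` template's "Apk object describing a file with meta-information" instead of saying it is an Android application package. Keeping `md5` and `sha1` at `"recommended": false` with the `[Insecure]` prefix is consistent with the `file` template and fine.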
@ -1,11 +1,43 @@
|
|||
{
|
||||
"attributes": {
|
||||
"architecture": {
|
||||
"description": "Hardware architecture of the sample",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"asn": {
|
||||
"description": "Originating ASN for the CS Beacon Config",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "AS",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"beacon-host": {
|
||||
"description": "Beacon host IP",
|
||||
"misp-attribute": "ip-dst",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"beacon-type": {
|
||||
"description": "Beacon type used",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"binary-md5": {
|
||||
"description": "MD5 of the binary delivered",
|
||||
"misp-attribute": "md5",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"binary-sha1": {
|
||||
"description": "SHA1 of the binary delivered",
|
||||
"misp-attribute": "sha1",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"binary-sha256": {
|
||||
"description": "SHA256 of the binary delivered",
|
||||
"misp-attribute": "sha256",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"c2": {
|
||||
"categories": [
|
||||
"Network activity"
|
||||
|
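Review bot: `binary-md5` and `binary-sha1` are added here as plain `md5`/`sha1` attributes with neither the `[Insecure]` prefix nor `"recommended": false`, whereas the `apk` template in this same changeset flags both; apply the same convention so consumers prefer `binary-sha256`. Also, `architecture` ("Hardware architecture of the sample") is free `text` with no `values_list` or `sane_default`; a `sane_default` such as `x86`, `x64` would keep values comparable across producers, the way `severity` in the `ransomware-group-post` template uses one.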
@ -21,12 +53,67 @@
|
|||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"config-md5": {
|
||||
"description": "MD5 of the configuration",
|
||||
"misp-attribute": "md5",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"config-sha1": {
|
||||
"description": "SHA1 of the configuration",
|
||||
"misp-attribute": "sha1",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"config-sha256": {
|
||||
"description": "SHA256 of the configuration",
|
||||
"misp-attribute": "sha256",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"content-length": {
|
||||
"description": "Content length of the payload",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "size-in-bytes",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"content-type": {
|
||||
"description": "Content/type received",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"encoded-data": {
|
||||
"description": "Encoded payload data in Base64",
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"encoded-length": {
|
||||
"description": "Length of the encoded data",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "size-in-bytes",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"geo": {
|
||||
"description": "Country location of the CS Beacon Config",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"http": {
|
||||
"description": "HTTP protocol used",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"http-code": {
|
||||
"description": "HTTP return code",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "integer",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"http-url": {
|
||||
"description": "HTTP url path of the beacon",
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"ip": {
|
||||
"description": "IP of the C2",
|
||||
"misp-attribute": "ip-dst",
|
||||
|
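Review bot: `encoded-data` ("Encoded payload data in Base64") is a `text` attribute with correlation left enabled, so every Base64 payload blob becomes a correlating value; either set `"disable_correlation": true` as its sibling `encoded-length` does, or store the payload as an `attachment`/`malware-sample` rather than inline text. Secondly, `http-url` ("HTTP url path of the beacon") is typed `text`; the `uri` attribute type fits a path and lets it be exported as an indicator, while `text` never will.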
@ -55,7 +142,7 @@
|
|||
"ui-priority": 1
|
||||
},
|
||||
"naics": {
|
||||
"description": "North American Industry Classification System Code",
|
||||
"description": "North American Industry Classification System Code (NAICS)",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"multiple": true,
|
||||
|
@ -112,5 +199,5 @@
|
|||
"watermark"
|
||||
],
|
||||
"uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
|
||||
"version": 4
|
||||
"version": 6
|
||||
}
|
|
@ -42,6 +42,12 @@
|
|||
"misp-attribute": "datetime",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"notes": {
|
||||
"description": "Notes of the case",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"origin-url": {
|
||||
"description": "Origin of the case",
|
||||
"disable_correlation": true,
|
||||
|
@ -86,5 +92,5 @@
|
|||
"meta-category": "misc",
|
||||
"name": "flowintel-cm-case",
|
||||
"uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e",
|
||||
"version": 2
|
||||
"version": 3
|
||||
}
|
|
@ -0,0 +1,35 @@
|
|||
{
|
||||
"attributes": {
|
||||
"note": {
|
||||
"description": "Notes of the task",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"multiple": true,
|
||||
"ui-priority": 0
|
||||
},
|
||||
"note-uuid": {
|
||||
"description": "UUID of the note",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 2
|
||||
},
|
||||
"origin-url": {
|
||||
"description": "Origin of the task",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "url",
|
||||
"to_ids": false,
|
||||
"ui-priority": 1
|
||||
},
|
||||
"task-uuid": {
|
||||
"description": "UUID of the parent task",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 2
|
||||
}
|
||||
},
|
||||
"description": "A task's note as defined by flowintel-cm.",
|
||||
"meta-category": "misc",
|
||||
"name": "flowintel-cm-task-note",
|
||||
"uuid": "2c6f6aba-48b6-482f-a810-81934d29be9a",
|
||||
"version": 1
|
||||
}
|
|
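Review bot: the new `flowintel-cm-task-note` template has no `requiredOneOf`, so an object carrying no attributes at all validates; add e.g. `"requiredOneOf": ["note", "note-uuid"]`. Also `note` is marked `"multiple": true` with the description "Notes of the task", although the template represents a single task note; either drop `multiple` or say in the description that one object may hold several note bodies. Setting `to_ids: false` and `disable_correlation: true` on `origin-url` is right, since a case-management URL is not an indicator.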
@ -37,12 +37,6 @@
|
|||
"misp-attribute": "datetime",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"notes": {
|
||||
"description": "Notes of the task",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"origin-url": {
|
||||
"description": "Origin of the task",
|
||||
"disable_correlation": true,
|
||||
|
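Review bot: removing the `notes` attribute from `flowintel-cm-task` breaks objects already created from version 3 of this template; since the note now lives in the new `flowintel-cm-task-note` template (which links back via `task-uuid`), the commit or README should state that migration path, and the version bump in the following hunk is required for the same reason.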
@ -88,5 +82,5 @@
|
|||
"meta-category": "misc",
|
||||
"name": "flowintel-cm-task",
|
||||
"uuid": "2f525f6e-d3f2-4cb9-9ca0-f1160d99397d",
|
||||
"version": 3
|
||||
"version": 4
|
||||
}
|
|
@ -22,7 +22,8 @@
|
|||
"Discord",
|
||||
"Mumble",
|
||||
"Jabber",
|
||||
"Twitter"
|
||||
"Twitter",
|
||||
"Mattermost"
|
||||
],
|
||||
"ui-priority": 1
|
||||
},
|
||||
|
|
|
@ -1,7 +1,26 @@
|
|||
{
|
||||
"attributes": {
|
||||
"actor-geo-stats-30d": {
|
||||
"description": "Count of how many other victims were publicly leaked by the same ransomware actor in the country of the victim during the past 30 days",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"actor-total-stats-30d": {
|
||||
"description": "Count of how many other victims were publicly leaked by the same ransomware actor worldwide during the past 30 days",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"date": {
|
||||
"description": "Last update of the post as seen on the ransomware group blog. Different than the first/last seen from the crawling.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "datetime",
|
||||
"ui-priority": 0
|
||||
},
|
||||
"date-published": {
|
||||
"description": "Initial published date of the post on the ransomware group blog.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "datetime",
|
||||
"ui-priority": 0
|
||||
},
|
||||
|
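Review bot: `actor-geo-stats-30d` and `actor-total-stats-30d` are counts ("Count of how many other victims ...") but are typed `text`; the `counter` attribute type stores them as numbers so they can be compared and sorted, which a text value cannot. The `date` description ("Different than the first/last seen from the crawling.") is a useful distinction and should be mirrored in `date-published` ("as published on the blog, not the crawl time").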
@ -10,25 +29,73 @@
|
|||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"entity-name": {
|
||||
"description": "Entity name of the victim referenced in the post of the ransomware group.",
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"geo": {
|
||||
"description": "Geographic (main) location of the victim referenced in the post of the ransomware group.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"leak-site-url": {
|
||||
"description": "Link to the post.",
|
||||
"misp-attribute": "link",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"link": {
|
||||
"description": "Original URL location of the post.",
|
||||
"misp-attribute": "link",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"ransomware-group": {
|
||||
"description": "Ransomware group where the post is mentioned.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"sector": {
|
||||
"description": "Sector (main) of the victim referenced in the post of the ransomware group.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"severity": {
|
||||
"description": "Severity of the post mentioned.",
|
||||
"disable_correlation": true,
|
||||
"misp-attribute": "text",
|
||||
"sane_default": [
|
||||
"critical",
|
||||
"high",
|
||||
"medium",
|
||||
"low",
|
||||
"info"
|
||||
],
|
||||
"ui-priority": 1
|
||||
},
|
||||
"title": {
|
||||
"description": "Title of blog post.",
|
||||
"misp-attribute": "text",
|
||||
"ui-priority": 1
|
||||
},
|
||||
"website": {
|
||||
"description": "Website of the victim referenced in the post of the ransomware group.",
|
||||
"misp-attribute": "link",
|
||||
"ui-priority": 1
|
||||
}
|
||||
},
|
||||
"description": "Ransomware group post as monitored by ransomlook.io",
|
||||
"description": "Ransomware group post as monitored by ransomlook.io or others",
|
||||
"meta-category": "misc",
|
||||
"name": "ransomware-group-post",
|
||||
"requiredOneOf": [
|
||||
"title",
|
||||
"description",
|
||||
"link"
|
||||
"link",
|
||||
"website",
|
||||
"leak-site-url"
|
||||
],
|
||||
"uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
|
||||
"version": 1
|
||||
"version": 4
|
||||
}
|
|
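Review bot: `leak-site-url` ("Link to the post.") and `link` ("Original URL location of the post.") are near-duplicates, so producers will fill them inconsistently; state which one is the leak-site (DLS) URL and which is the source or tracker URL, or fold them into one attribute. Two smaller points: `website` (victim website) is a `link` with correlation enabled, which is presumably intended so repeat victims correlate across posts, but say so in the description; and the `version` goes from 1 to 4 in one hunk, which is fine only if the intermediate versions were never published.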
@ -2,7 +2,8 @@
|
|||
"attributes": {
|
||||
"data": {
|
||||
"categories": [
|
||||
"Persistence mechanism"
|
||||
"Persistence mechanism",
|
||||
"Artifacts dropped"
|
||||
],
|
||||
"description": "Data stored in the registry key",
|
||||
"misp-attribute": "text",
|
||||
|
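Review bot: the "Artifacts dropped" category is added to `data` here and to `data-type`, `hive`, `key` and `name` in the hunks that follow; check that no other attribute of the `registry-key` template is left with only "Persistence mechanism", otherwise a registry artifact captured from a dropped-file analysis will validate for some attributes and not others.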
@ -10,7 +11,8 @@
|
|||
},
|
||||
"data-type": {
|
||||
"categories": [
|
||||
"Persistence mechanism"
|
||||
"Persistence mechanism",
|
||||
"Artifacts dropped"
|
||||
],
|
||||
"description": "Registry value type",
|
||||
"disable_correlation": true,
|
||||
|
@ -35,7 +37,8 @@
|
|||
},
|
||||
"hive": {
|
||||
"categories": [
|
||||
"Persistence mechanism"
|
||||
"Persistence mechanism",
|
||||
"Artifacts dropped"
|
||||
],
|
||||
"description": "Hive used to store the registry key (file on disk)",
|
||||
"disable_correlation": true,
|
||||
|
@ -44,7 +47,8 @@
|
|||
},
|
||||
"key": {
|
||||
"categories": [
|
||||
"Persistence mechanism"
|
||||
"Persistence mechanism",
|
||||
"Artifacts dropped"
|
||||
],
|
||||
"description": "Full key path",
|
||||
"misp-attribute": "regkey",
|
||||
|
@ -60,7 +64,8 @@
|
|||
},
|
||||
"name": {
|
||||
"categories": [
|
||||
"Persistence mechanism"
|
||||
"Persistence mechanism",
|
||||
"Artifacts dropped"
|
||||
],
|
||||
"description": "Name of the registry key",
|
||||
"misp-attribute": "text",
|
||||
|
@ -98,5 +103,5 @@
|
|||
"data"
|
||||
],
|
||||
"uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
|
||||
"version": 4
|
||||
"version": 5
|
||||
}
|
|
@ -36,6 +36,22 @@
|
|||
"name": "shared-by",
|
||||
"opposite": "shares"
|
||||
},
|
||||
{
|
||||
"description": "This relationship describes an object which publishes another object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "publishes",
|
||||
"opposite": "published-by"
|
||||
},
|
||||
{
|
||||
"description": "This relationship describes an object which was published by another object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "published-by",
|
||||
"opposite": "publishes"
|
||||
},
|
||||
{
|
||||
"description": "The referenced source and target objects are semantically duplicates of each other.",
|
||||
"format": [
|
||||
|
@ -1764,7 +1780,101 @@
|
|||
],
|
||||
"name": "is-acquired-by",
|
||||
"opposite": "acquires"
|
||||
},
|
||||
{
|
||||
"description": "The source object supports the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "supports",
|
||||
"opposite": "supported-by"
|
||||
},
|
||||
{
|
||||
"description": "The source object is supported by the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "supported-by",
|
||||
"opposite": "supports"
|
||||
},
|
||||
{
|
||||
"description": "The source object sponsors the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "sponsors",
|
||||
"opposite": "sponsored-by"
|
||||
},
|
||||
{
|
||||
"description": "The source object is sponsored by the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "sponsored-by",
|
||||
"opposite": "sponsors"
|
||||
},
|
||||
{
|
||||
"description": "The source object operates from the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "operates-from"
|
||||
},
|
||||
{
|
||||
"description": "The source object deploys the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "deploys",
|
||||
"opposite": "is-deployed-by"
|
||||
},
|
||||
{
|
||||
"description": "The source object is deployed by the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "is-deployed-by",
|
||||
"opposite": "deploys"
|
||||
},
|
||||
{
|
||||
"description": "The source object interacts with the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "interacts-with"
|
||||
},
|
||||
{
|
||||
"description": "The source object injects the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "injects",
|
||||
"opposite": "is-injected-by"
|
||||
},
|
||||
{
|
||||
"description": "The source object is injected by the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "is-injected-by",
|
||||
"opposite": "injects"
|
||||
},
|
||||
{
|
||||
"description": "The source object interviews the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "interviews",
|
||||
"opposite": "is-interviewed-by"
|
||||
},
|
||||
{
|
||||
"description": "The source object is interviewed by the target object.",
|
||||
"format": [
|
||||
"misp"
|
||||
],
|
||||
"name": "is-interviewed-by",
|
||||
"opposite": "interviews"
|
||||
}
|
||||
],
|
||||
"version": 43
|
||||
"version": 48
|
||||
}
|
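Review bot: the new relationship names mix two conventions in one hunk: `supported-by` and `sponsored-by` versus `is-deployed-by`, `is-injected-by` and `is-interviewed-by` (the pre-existing `is-acquired-by` at the top of the hunk uses the `is-…-by` form, while `shared-by`/`published-by` in the earlier hunk do not); pick one form for the additions. Also `operates-from` and `interacts-with` are the only new entries without an `opposite`; `interacts-with` is symmetric and can name itself, and `operates-from` needs a counterpart (e.g. `hosts`) before it can be reversed by tooling. The version jumps from 43 to 48, which matches only if the intermediate versions were published.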