{ "attributes": { "birth-droid-file-identifier": { "description": "Birth droid volume identifier (UUIDv1 where MAC can be extracted)", "misp-attribute": "text", "ui-priority": 0 }, "birth-droid-volume-identifier": { "description": "Droid volume identifier", "misp-attribute": "text", "ui-priority": 0 }, "droid-file-identifier": { "description": "Droid file identifier (UUIDv1 where MAC can be extracted)", "misp-attribute": "text", "ui-priority": 0 }, "droid-volume-identifier": { "description": "Droid volume identifier", "misp-attribute": "text", "ui-priority": 0 }, "entropy": { "description": "Entropy of the whole file", "disable_correlation": true, "misp-attribute": "float", "ui-priority": 1 }, "filename": { "categories": [ "Payload delivery", "Artifacts dropped", "Payload installation", "External analysis" ], "description": "Filename on disk", "disable_correlation": true, "misp-attribute": "filename", "multiple": true, "ui-priority": 1 }, "fullpath": { "description": "Complete path of the LNK filename including the filename", "misp-attribute": "text", "multiple": true, "ui-priority": 0 }, "lnk-access-time": { "categories": [ "Other" ], "description": "Access time of the LNK", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, "lnk-command-line-arguments": { "description": "LNK command line arguments", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-creation-time": { "categories": [ "Other" ], "description": "Creation time of the LNK", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, "lnk-description": { "description": "LNK description", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-drive-serial-number": { "description": "Drive serial number", "misp-attribute": "text", "ui-priority": 0 }, "lnk-drive-type": { "description": "Drive type", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-file-attribute-flags": { "description": "File attribute flags", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-file-size": { "description": "Size of the target file, in bytes", "disable_correlation": true, "misp-attribute": "size-in-bytes", "ui-priority": 0 }, "lnk-hot-key-value": { "description": "Hot Key value", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-icon-index": { "description": "Icon index", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-local-path": { "description": "Local path", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-modification-time": { "categories": [ "Other" ], "description": "Modification time of the LNK", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, "lnk-relative-path": { "description": "Relative path", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-show-window-value": { "description": "Show Window value", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-volume-label": { "description": "Volume label", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "lnk-working-directory": { "description": "LNK working path", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "machine-identifier": { "description": "Machine identifier", "misp-attribute": "text", "ui-priority": 0 }, "malware-sample": { "description": "The LNK file itself (binary)", "misp-attribute": "malware-sample", "ui-priority": 1 }, "md5": { "description": "[Insecure] MD5 hash (128 bits)", "misp-attribute": "md5", "recommended": false, "ui-priority": 1 }, "path": { "description": "Path of the LNK filename complete or partial", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 0 }, "pattern-in-file": { "categories": [ "Artifacts dropped", "Payload installation", "External analysis" ], "description": "Pattern that can be found in the file", "misp-attribute": "pattern-in-file", "multiple": true, "ui-priority": 1 }, "sha1": { "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)", "misp-attribute": "sha1", "recommended": false, "ui-priority": 1 }, "sha224": { "description": "Secure Hash Algorithm 2 (224 bits)", "misp-attribute": "sha224", "recommended": false, "ui-priority": 0 }, "sha256": { "description": "Secure Hash Algorithm 2 (256 bits)", "misp-attribute": "sha256", "ui-priority": 1 }, "sha384": { "description": "Secure Hash Algorithm 2 (384 bits)", "misp-attribute": "sha384", "recommended": false, "ui-priority": 0 }, "sha512": { "description": "Secure Hash Algorithm 2 (512 bits)", "misp-attribute": "sha512", "ui-priority": 1 }, "sha512/224": { "description": "Secure Hash Algorithm 2 (224 bits)", "misp-attribute": "sha512/224", "recommended": false, "ui-priority": 0 }, "sha512/256": { "description": "Secure Hash Algorithm 2 (256 bits)", "misp-attribute": "sha512/256", "recommended": false, "ui-priority": 0 }, "size-in-bytes": { "description": "Size of the LNK file, in bytes", "disable_correlation": true, "misp-attribute": "size-in-bytes", "ui-priority": 0 }, "ssdeep": { "description": "Fuzzy hash using context triggered piecewise hashes (CTPH)", "misp-attribute": "ssdeep", "ui-priority": 0 }, "state": { "description": "State of the LNK file", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 0, "values_list": [ "Malicious", "Harmless", "Trusted" ] }, "text": { "description": "Free text value to attach to the file", "disable_correlation": true, "misp-attribute": "text", "recommended": false, "ui-priority": 1 }, "tlsh": { "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash", "misp-attribute": "tlsh", "ui-priority": 0 } }, "description": "LNK object describing a Windows LNK binary file (aka Windows shortcut)", "meta-category": "file", "name": "lnk", "requiredOneOf": [ "filename", "ssdeep", "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512/224", "sha512/256" ], "uuid": "ad13533e-1853-4da0-a111-33a7ce7e6c09", "version": 1 }