mirror of https://github.com/MISP/misp-objects
85dc07a1f4
The idea behind this object is to provide a unique form to identify network artifacts. It's a mix of different elements, including whois, URL and domain. The need for a consolidated object comes from the need to group correlated elements. Beyond that, I'm introducing the idea of using the correlation feature in more generic ways.

Example: the value of "threat-actor-infrastructure-value" is the unique value observed on a network resource that identifies it. A practical and tested example is this resource from Kaspersky: https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ In this article they mention a trojan family called Javali. They recover the C2 server by abusing Google Docs services. The mentioned field "threat-actor-infrastructure-value" would register the values available in this image. This item should be hard to correlate with other similar items, as this can change frequently. A way to change it is also to register a more general pattern of the data with "threat-actor-infrastructure-pattern", i.e. inicio{ "host":"<variable>", "porta":"<variable>" }fim

With other investigations and registration of them in MISP, it is possible to correlate this data, facilitate identification of patterns used for tracking purposes and facilitate analysis.
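The value-versus-pattern idea in the commit message can be shown in working code. The following is an added example, not code from the misp-objects repository or from this commit: it takes observed infrastructure strings in the inicio{ ... }fim layout described above, generalizes every string value to <variable> to obtain the "threat-actor-infrastructure-pattern", and groups observations by that pattern so that items whose exact value changes frequently still correlate. The observations are constructed (RFC 5737 documentation addresses), and the function names `to_pattern`, `correlate` and `to_misp_attributes` are this example's own; only the two object-relation names come from the commit message, and the attribute dict shape is an assumption about how such values would be attached to a MISP object.

```python
import re
from collections import defaultdict

# Constructed sample observations (not taken from the Kaspersky article);
# hosts are RFC 5737 documentation addresses used as placeholders.
OBSERVATIONS = [
    'inicio{ "host":"198.51.100.10", "porta":"443" }fim',
    'inicio{ "host":"203.0.113.7", "porta":"8080" }fim',
    'inicio{ "host":"198.51.100.10", "porta":"443" }fim',  # repeat sighting
    'inicio{ "c2":"203.0.113.7" }fim',                       # different layout
]

# prefix{ ... }suffix, e.g. inicio{ ... }fim; the body is kept verbatim
_WRAPPER = re.compile(r'^(?P<prefix>\w+)(?P<body>\{.*\})(?P<suffix>\w+)$', re.DOTALL)
# a JSON-style "key": "value" pair; group 1 keeps the key and its spacing
_STRING_VALUE = re.compile(r'("[^"]*"\s*:\s*)"[^"]*"')


def to_pattern(value: str) -> str:
    """Generalize an observed infrastructure value into its pattern.

    Every string value inside the wrapper becomes <variable>; keys, the
    wrapper words and the original spacing are preserved, so the result is
    what the commit message calls threat-actor-infrastructure-pattern.
    """
    m = _WRAPPER.match(value.strip())
    if not m:
        raise ValueError("value does not match the prefix{...}suffix layout")
    body = _STRING_VALUE.sub(r'\1"<variable>"', m.group("body"))
    return f'{m.group("prefix")}{body}{m.group("suffix")}'


def correlate(values):
    """Group observed values by their generalized pattern.

    Returns {pattern: sorted unique values}; two sightings that differ only
    in host or port land in the same group, which is the correlation the
    pattern attribute is meant to enable.
    """
    groups = defaultdict(set)
    for v in values:
        groups[to_pattern(v)].add(v.strip())
    return {p: sorted(vs) for p, vs in groups.items()}


def to_misp_attributes(value: str):
    """Build the two attributes for one sighting (dict shape is an assumption)."""
    return [
        {"object_relation": "threat-actor-infrastructure-value", "value": value.strip()},
        {"object_relation": "threat-actor-infrastructure-pattern", "value": to_pattern(value)},
    ]


if __name__ == "__main__":
    for pattern, values in correlate(OBSERVATIONS).items():
        print(pattern)
        for v in values:
            print("   ", v)
```

Running the block prints two groups: the two host/port sightings (with the duplicate collapsed) under inicio{ "host":"<variable>", "porta":"<variable>" }fim, and the single "c2" sighting under its own pattern. Only string values are generalized; a different key set yields a different pattern, which is the intended behaviour since the key layout itself is the tracking signal.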