misp-objects/objects/file/definition.json


{
"attributes": {
"access-time": {
"description": "The last time the file was accessed",
"misp-attribute": "datetime",
"ui-priority": 0
},
"attachment": {
"description": "A non-malicious file.",
"misp-attribute": "attachment",
"ui-priority": 1
},
"authentihash": {
"description": "Authenticode executable signature hash",
"misp-attribute": "authentihash",
"recommended": false,
"ui-priority": 0
},
"certificate": {
"description": "Certificate value if the binary is signed with an authentication scheme other than Authenticode",
"misp-attribute": "x509-fingerprint-sha1",
"ui-priority": 0
},
"compilation-timestamp": {
"description": "Compilation timestamp",
"misp-attribute": "datetime",
"ui-priority": 0
},
"creation-time": {
"description": "Creation time of the file",
"misp-attribute": "datetime",
"ui-priority": 0
},
"dom-hash": {
"description": "Dom-hash of the file",
"misp-attribute": "dom-hash",
"ui-priority": 0
},
"entropy": {
"description": "Entropy of the whole file",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 1
},
"file-encoding": {
"description": "Encoding format of the file",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Adobe-Standard-Encoding",
"Adobe-Symbol-Encoding",
"Amiga-1251",
"ANSI_X3.110-1983",
"ASMO_449",
"Big5",
"Big5-HKSCS",
"BOCU-1",
"BRF",
"BS_4730",
"BS_viewdata",
"CESU-8",
"CP50220",
"CP51932",
"CSA_Z243.4-1985-1",
"CSA_Z243.4-1985-2",
"CSA_Z243.4-1985-gr",
"CSN_369103",
"DEC-MCS",
"DIN_66003",
"dk-us",
"DS_2089",
"EBCDIC-AT-DE",
"EBCDIC-AT-DE-A",
"EBCDIC-CA-FR",
"EBCDIC-DK-NO",
"EBCDIC-DK-NO-A",
"EBCDIC-ES",
"EBCDIC-ES-A",
"EBCDIC-ES-S",
"EBCDIC-FI-SE",
"EBCDIC-FI-SE-A",
"EBCDIC-FR",
"EBCDIC-IT",
"EBCDIC-PT",
"EBCDIC-UK",
"EBCDIC-US",
"ECMA-cyrillic",
"ES",
"ES2",
"EUC-KR",
"Extended_UNIX_Code_Fixed_Width_for_Japanese",
"Extended_UNIX_Code_Packed_Format_for_Japanese",
"GB18030",
"GB_1988-80",
"GB2312",
"GB_2312-80",
"GBK",
"GOST_19768-74",
"greek7",
"greek7-old",
"greek-ccitt",
"HP-DeskTop",
"HP-Legal",
"HP-Math8",
"HP-Pi-font",
"hp-roman8",
"HZ-GB-2312",
"IBM00858",
"IBM00924",
"IBM01140",
"IBM01141",
"IBM01142",
"IBM01143",
"IBM01144",
"IBM01145",
"IBM01146",
"IBM01147",
"IBM01148",
"IBM01149",
"IBM037",
"IBM038",
"IBM1026",
"IBM1047",
"IBM273",
"IBM274",
"IBM275",
"IBM277",
"IBM278",
"IBM280",
"IBM281",
"IBM284",
"IBM285",
"IBM290",
"IBM297",
"IBM420",
"IBM423",
"IBM424",
"IBM437",
"IBM500",
"IBM775",
"IBM850",
"IBM851",
"IBM852",
"IBM855",
"IBM857",
"IBM860",
"IBM861",
"IBM862",
"IBM863",
"IBM864",
"IBM865",
"IBM866",
"IBM868",
"IBM869",
"IBM870",
"IBM871",
"IBM880",
"IBM891",
"IBM903",
"IBM904",
"IBM905",
"IBM918",
"IBM-Symbols",
"IBM-Thai",
"IEC_P27-1",
"INIS",
"INIS-8",
"INIS-cyrillic",
"INVARIANT",
"ISO_10367-box",
"ISO-10646-J-1",
"ISO-10646-UCS-2",
"ISO-10646-UCS-4",
"ISO-10646-UCS-Basic",
"ISO-10646-Unicode-Latin1",
"ISO-10646-UTF-1",
"ISO-11548-1",
"ISO-2022-CN",
"ISO-2022-CN-EXT",
"ISO-2022-JP",
"ISO-2022-JP-2",
"ISO-2022-KR",
"ISO_2033-1983",
"ISO_5427",
"ISO_5427:1981",
"ISO_5428:1980",
"ISO_646.basic:1983",
"ISO_646.irv:1983",
"ISO_6937-2-25",
"ISO_6937-2-add",
"ISO-8859-10",
"ISO_8859-1:1987",
"ISO-8859-13",
"ISO-8859-14",
"ISO-8859-15",
"ISO-8859-16",
"ISO-8859-1-Windows-3.0-Latin-1",
"ISO-8859-1-Windows-3.1-Latin-1",
"ISO_8859-2:1987",
"ISO-8859-2-Windows-Latin-2",
"ISO_8859-3:1988",
"ISO_8859-4:1988",
"ISO_8859-5:1988",
"ISO_8859-6:1987",
"ISO_8859-6-E",
"ISO_8859-6-I",
"ISO_8859-7:1987",
"ISO_8859-8:1988",
"ISO_8859-8-E",
"ISO_8859-8-I",
"ISO_8859-9:1989",
"ISO-8859-9-Windows-Latin-5",
"ISO_8859-supp",
"iso-ir-90",
"ISO-Unicode-IBM-1261",
"ISO-Unicode-IBM-1264",
"ISO-Unicode-IBM-1265",
"ISO-Unicode-IBM-1268",
"ISO-Unicode-IBM-1276",
"IT",
"JIS_C6220-1969-jp",
"JIS_C6220-1969-ro",
"JIS_C6226-1978",
"JIS_C6226-1983",
"JIS_C6229-1984-a",
"JIS_C6229-1984-b",
"JIS_C6229-1984-b-add",
"JIS_C6229-1984-hand",
"JIS_C6229-1984-hand-add",
"JIS_C6229-1984-kana",
"JIS_Encoding",
"JIS_X0201",
"JIS_X0212-1990",
"JUS_I.B1.002",
"JUS_I.B1.003-mac",
"JUS_I.B1.003-serb",
"KOI7-switched",
"KOI8-R",
"KOI8-U",
"KS_C_5601-1987",
"KSC5636",
"KZ-1048",
"latin-greek",
"Latin-greek-1",
"latin-lap",
"macintosh",
"Microsoft-Publishing",
"MNEM",
"MNEMONIC",
"MSZ_7795.3",
"Name",
"NATS-DANO",
"NATS-DANO-ADD",
"NATS-SEFI",
"NATS-SEFI-ADD",
"NC_NC00-10:81",
"NF_Z_62-010",
"NF_Z_62-010_(1973)",
"NS_4551-1",
"NS_4551-2",
"OSD_EBCDIC_DF03_IRV",
"OSD_EBCDIC_DF04_1",
"OSD_EBCDIC_DF04_15",
"PC8-Danish-Norwegian",
"PC8-Turkish",
"PT",
"PT2",
"PTCP154",
"SCSU",
"SEN_850200_B",
"SEN_850200_C",
"Shift_JIS",
"T.101-G2",
"T.61-7bit",
"T.61-8bit",
"TIS-620",
"TSCII",
"UNICODE-1-1",
"UNICODE-1-1-UTF-7",
"UNKNOWN-8BIT",
"US-ASCII",
"us-dk",
"UTF-16",
"UTF-16BE",
"UTF-16LE",
"UTF-32",
"UTF-32BE",
"UTF-32LE",
"UTF-7",
"UTF-8",
"Ventura-International",
"Ventura-Math",
"Ventura-US",
"videotex-suppl",
"VIQR",
"VISCII",
"windows-1250",
"windows-1251",
"windows-1252",
"windows-1253",
"windows-1254",
"windows-1255",
"windows-1256",
"windows-1257",
"windows-1258",
"Windows-31J",
"windows-874"
],
"ui-priority": 0
},
"filename": {
"categories": [
"Payload delivery",
"Artifacts dropped",
"Payload installation",
"External analysis"
],
"description": "Filename on disk",
"disable_correlation": true,
"misp-attribute": "filename",
"multiple": true,
"ui-priority": 1
},
"fullpath": {
"description": "Complete path of the file, including the filename",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"imphash": {
"description": "Hash (md5) calculated from the PE import table",
"misp-attribute": "imphash",
"ui-priority": 0
},
"malware-sample": {
"description": "The file itself (binary)",
"misp-attribute": "malware-sample",
"ui-priority": 1
},
"md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"misp-attribute": "md5",
"recommended": false,
"ui-priority": 1
},
"mimetype": {
"description": "Mime type",
"disable_correlation": true,
"misp-attribute": "mime-type",
"ui-priority": 0
},
"modification-time": {
"description": "Last time the file was modified",
"misp-attribute": "datetime",
"ui-priority": 0
},
"path": {
"description": "Path of the file, complete or partial",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"pattern-in-file": {
"categories": [
"Artifacts dropped",
"Payload installation",
"External analysis"
],
"description": "Pattern that can be found in the file",
"misp-attribute": "pattern-in-file",
"multiple": true,
"ui-priority": 1
},
"sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"misp-attribute": "sha1",
"recommended": false,
"ui-priority": 1
},
"sha224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"misp-attribute": "sha224",
"recommended": false,
"ui-priority": 0
},
"sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"misp-attribute": "sha256",
"ui-priority": 1
},
"sha3-224": {
"description": "Secure Hash Algorithm 3 (224 bits)",
"misp-attribute": "sha3-224",
"recommended": false,
"ui-priority": 0
},
"sha3-256": {
"description": "Secure Hash Algorithm 3 (256 bits)",
"misp-attribute": "sha3-256",
"recommended": false,
"ui-priority": 0
},
"sha3-384": {
"description": "Secure Hash Algorithm 3 (384 bits)",
"misp-attribute": "sha3-384",
"recommended": false,
"ui-priority": 0
},
"sha3-512": {
"description": "Secure Hash Algorithm 3 (512 bits)",
"misp-attribute": "sha3-512",
"recommended": false,
"ui-priority": 0
},
"sha384": {
"description": "Secure Hash Algorithm 2 (384 bits)",
"misp-attribute": "sha384",
"recommended": false,
"ui-priority": 0
},
"sha512": {
"description": "Secure Hash Algorithm 2 (512 bits)",
"misp-attribute": "sha512",
"ui-priority": 1
},
"sha512/224": {
"description": "Secure Hash Algorithm 2, SHA-512/224 variant (224 bits)",
"misp-attribute": "sha512/224",
"recommended": false,
"ui-priority": 0
},
"sha512/256": {
"description": "Secure Hash Algorithm 2, SHA-512/256 variant (256 bits)",
"misp-attribute": "sha512/256",
"recommended": false,
"ui-priority": 0
},
"size-in-bytes": {
"description": "Size of the file, in bytes",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"ssdeep": {
"description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
"misp-attribute": "ssdeep",
"ui-priority": 0
},
"state": {
"description": "State of the file",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0,
"values_list": [
"Malicious",
"Harmless",
"Signed",
"Revoked",
"Expired",
"Trusted"
]
},
"telfhash": {
"description": "telfhash - Symbol hash for ELF files.",
"misp-attribute": "telfhash",
"ui-priority": 0
},
"text": {
"description": "Free text value to attach to the file",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"recommended": false,
"ui-priority": 1
},
"tlsh": {
"description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
"misp-attribute": "tlsh",
"ui-priority": 0
},
"vhash": {
"description": "vhash by VirusTotal",
"misp-attribute": "vhash",
"ui-priority": 0
}
},
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"requiredOneOf": [
"filename",
"size-in-bytes",
"authentihash",
"ssdeep",
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"sha3-224",
"sha3-256",
"sha3-384",
"sha3-512",
"tlsh",
"telfhash",
"imphash",
"pattern-in-file",
"certificate",
"malware-sample",
"attachment",
"path",
"fullpath"
],
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"version": 25
}