misp-objects/objects/malware/definition.json

168 lines
4.8 KiB
JSON

{
"attributes": {
"alias": {
"description": "Alternative name used to identify this malware or malware family.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"architecture_execution_env": {
"description": "The processor architecture that the malware instance or family is executable on.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"alpha",
"arm",
"ia-64",
"mips",
"powerpc",
"sparc",
"x86",
"x86-64"
],
"ui-priority": 0
},
"capability": {
"description": "Any of the capabilities identified for the malware instance or family.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"accesses-remote-machines",
"anti-debugging",
"anti-disassembly",
"anti-emulation",
"anti-memory-forensics",
"anti-sandbox",
"anti-vm",
"captures-input-peripherals",
"captures-output-peripherals",
"captures-system-state-data",
"cleans-traces-of-infection",
"commits-fraud",
"communicates-with-c2",
"compromises-data-availability",
"compromises-data-integrity",
"compromises-system-availability",
"controls-local-machine",
"degrades-security-software",
"degrades-system-updates",
"determines-c2-server",
"emails-spam",
"escalates-privileges",
"evades-av",
"exfiltrates-data",
"fingerprints-host",
"hides-artifacts",
"hides-executing-code",
"infects-files",
"infects-remote-machines",
"installs-other-components",
"persists-after-system-reboot",
"prevents-artifact-access",
"prevents-artifact-deletion",
"probes-network-environment",
"self-modifies",
"steals-authentication-credentials",
"violates-system-operational-integrity"
],
"ui-priority": 0
},
"description": {
"description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
"misp-attribute": "text",
"ui-priority": 0
},
"first_seen": {
"description": "The time that the malware instance or family was first seen.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"implementation_language": {
"description": "The programming language used to implement the malware instance or family.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"applescript",
"bash",
"c",
"c++",
"c#",
"go",
"java",
"javascript",
"lua",
"objective-c",
"perl",
"php",
"powershell",
"python",
"ruby",
"scala",
"swift",
"typescript",
"visual-basic",
"x86-32",
"x86-64"
],
"ui-priority": 0
},
"is_family": {
"description": "Defines whether the object represents a malware family or a malware instance.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"last_seen": {
"description": "The time that the malware family or malware instance was last seen.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"malware_type": {
"description": "A set of categorizations for the malware being described.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"adware",
"backdoor",
"bot",
"bootkit",
"ddos",
"downloader",
"dropper",
"exploit-kit",
"keylogger",
"ransomware",
"remote-access-trojan",
"resource-exploitation",
"rogue-security-software",
"rootkit",
"screen-capture",
"spyware",
"trojan",
"unknown",
"virus",
"webshell",
"wiper",
"worm"
],
"ui-priority": 0
},
"name": {
"description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "Malware is a type of TTP that represents malicious code.",
"meta-category": "misc",
"name": "malware",
"required": [
"is_family"
],
"uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
"version": 1
}