Merge pull request #8 from Delta-Sierra/master

Update misp-galaxy-format
Alexandre Dulaunoy 2018-03-02 16:40:21 +01:00 committed by GitHub
commit 434d73130f
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 94 additions and 9 deletions

misp-galaxy-format/raw.md Executable file → Normal file

@ -96,17 +96,103 @@ Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** re
properties is used to provide clusters with additional properties. Properties are represented as an array containing one or more strings ans **MAY** be present.
complexity, effectiveness, impact, possible_issues **MAY** be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and **SHALL** be present. effectiveness is represented by an enumerated value from a fixed vocabulary and **SHALL** be present. impact is represented by an enumerated value from a fixed vocabulary and **SHALL** be present. possible_issues is represented as a string and **SHOULD** be present.
country, motive **MAY** be used to give further information in threat-actor galaxy. country is represented as a string and **SHOULD** be present. motive is represented as a string and **SHOULD** be present.
colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.
encryption, extensions, ransomnotes **MAY** be used to give further information in ransomware galaxy. encryption is represented as a string and **SHALL** be present. extensions is represented as an array containing one or more strings and **SHALL** be present. ransomnotes is represented as an array containing one or more strings ans **SHALL** be present.
derivated_from, refs, synonyms **SHALL** be used to give further informations. refs is represented as an containing one or ore string and **SHALL** be present. synonyms is represented as an containing one or ore string and **SHALL** be present. derivated_from is represented as an containing one or ore string and **SHALL** be present.
date, status **MAY** be used to give time information about an cluster. date is represented as a string describing a time or period and **SHALL** be present. status is represented as a string describing the current status of the clusters. It **MAY** also describe a time or period and **SHALL** be present.
derivated_from, refs, synonyms **SHALL** be used to give further informations. refs is represented as an containing one or ore string and **SHALL** be present. synonyms is represented as an containing one or ore string and **SHALL** be present. derivated_from is represented as an containing one or ore string and **SHALL** be present.
colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.
complexity, effectiveness, impact, possible_issues **MAY** be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and **SHALL** be present. effectiveness is represented by an enumerated value from a fixed vocabulary and **SHALL** be present. impact is represented by an enumerated value from a fixed vocabulary and **SHALL** be present. possible_issues is represented as a string and **SHOULD** be present.
Example use of the complexity, effectiveness, impact, possible_issues fields in the preventive-measure galaxy:
~~~~
{
"meta": {
"refs": [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Administrative VBS scripts on Workstations"
},
"value": "Disable WSH",
"description": "Disable Windows Script Host",
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
}
~~~~
country, motive **MAY** be used to give further information in threat-actor galaxy. country is represented as a string and **SHOULD** be present. motive is represented as a string and **SHOULD** be present.
Example use of the country, motive fields in the threat-actor galaxy:
~~~~
{
"meta": {
"country": "CN",
"synonyms": [
"APT14",
"APT 14",
"QAZTeam",
"ALUMINUM"
],
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
],
"motive": "Espionage"
},
"value": "Anchor Panda",
"description": "PLA Navy",
"uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
}
~~~~
encryption, extensions, ransomnotes **MAY** be used to give further information in ransomware galaxy. encryption is represented as a string and **SHALL** be present. extensions is represented as an array containing one or more strings and **SHALL** be present. ransomnotes is represented as an array containing one or more strings ans **SHALL** be present.
Example use of the encryption, extensions, ransomnotes fields in the ransomware galaxy:
~~~~
{
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
"https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
],
"ransomnotes": [
"https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
"===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.",
"# !!!HELP_FILE!!! #.txt"
],
"encryption": "AES-256 + RSA-1024",
"extensions": [
".REVENGE"
],
"date": "March 2017"
},
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant",
"value": "Revenge Ransomware",
"uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e"
}
~~~~
source-uuid, target-uuid **SHALL** be used to describe relationships. source-uuid and target-uuid represent the Universally Unique IDentifier (UUID) [@!RFC4122] of the value reference. source-uuid and target-uuid **MUST** be preserved.
Example use of the source-uuid, target-uuid fields in the mitre-entreprise-attack-relationship galaxy:
~~~~
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
},
"uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
"value": "menuPass uses EvilGrab"
}
~~~~
# Acknowledgements
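Review bot: the normative text in this hunk contradicts its own examples: the paragraph "derivated_from, refs, synonyms **SHALL** be used to give further informations. ... **SHALL** be present." makes all three keys mandatory, yet the threat-actor example below it carries no derivated_from, the ransomware example carries neither synonyms nor derivated_from, and the mitre relationship example has none of the three. Either downgrade that paragraph to "**MAY** be used" / "**SHOULD** be present", like every other meta key described in the hunk, or say explicitly that the requirement applies only when the cluster references other clusters or sources. That same paragraph appears twice in the hunk, as do the colour paragraph and the complexity/effectiveness/impact/possible_issues paragraph, so check that the merged file keeps exactly one copy of each at the intended position. Wording to fix on the added lines: "represented as an containing one or ore string" should read "represented as an array containing one or more strings" (three occurrences), "ans" should be "and" in the properties and ransomnotes paragraphs, "further informations" should be "further information", "set a specify colour" should be "set a specific colour", and the colour sentence is the only one in the section whose MAY is not bolded. Also confirm that "mitre-entreprise-attack-relationship" in the last example heading matches the actual galaxy file name (the other MITRE galaxies are spelled "enterprise") before this merges.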
@ -155,4 +241,3 @@ of open standards in threat intelligence sharing.
{backmatter}