From f65efaec395e4e72d79f3a28f5ddc17ea125872a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 23 Jun 2019 16:24:35 +0200 Subject: [PATCH] chg: [object-template] release 03 of the Internet-Draft (list of default templates added) --- misp-object-template-format/raw.md | 132 +++++- misp-object-template-format/raw.md.txt | 542 ++++++++++++++++++++++--- 2 files changed, 626 insertions(+), 48 deletions(-) diff --git a/misp-object-template-format/raw.md b/misp-object-template-format/raw.md index f66943f..1e08e20 100755 --- a/misp-object-template-format/raw.md +++ b/misp-object-template-format/raw.md @@ -313,7 +313,137 @@ format is represented by a JSON list containing a list of formats that the relat The MISP object template directory is publicly available [@?MISP-O] in a git repository. The repository contains an objects directory, which contains a directory per object type, containing a file named definition.json which contains the definition of the object template in the above described format. -A relationships directory is also included, containing a definition.json file which contains a list of MISP object relation definitions. There are more than 90 existing templates object documented in [@?MISP-O-DOC]. +A relationships directory is also included, containing a definition.json file which contains a list of MISP object relation definitions. There are more than 125 existing templates object documented in [@?MISP-O-DOC]. + +## Existing and public MISP object templates + +- tsk-chats - An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation. +- tsk-web-bookmark - An Object Template to add evidential bookmarks identified during a digital forensic investigation. +- tsk-web-cookie - An TSK-Autopsy Object Template to represent cookies identified during a forensic investigation. +- tsk-web-downloads - An Object Template to add web-downloads. +- tsk-web-history - An Object Template to share web history information. +- tsk-web-search-query - An Object Template to share web search query information. +- ail-leak - An information leak as defined by the AIL Analysis Information Leak framework. +- ais-info - Automated Indicator Sharing (AIS) Information Source Markings. +- android-permission - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app). +- annotation - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes. +- anonymisation - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml. +- asn - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. +- authenticode-signerinfo - Authenticode Signer Info. +- av-signature - Antivirus detection signature. +- bank-account - An object describing bank account information based on account description from goAML 4.0. +- bgp-hijack - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com. +- cap-alert - Common Alerting Protocol Version (CAP) alert object. +- cap-info - Common Alerting Protocol Version (CAP) info object. +- cap-resource - Common Alerting Protocol Version (CAP) resource object. +- coin-address - An address used in a cryptocurrency. +- cookie - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation. +- cortex - Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object. +- cortex-taxonomy - Cortex object describing an Cortex Taxonomy (or mini report). +- course-of-action - An object describing a specific measure taken to prevent or respond to an attack. +- cowrie - Cowrie honeypot object template. +- credential - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s). +- credit-card - A payment card like credit card, debit card or any similar cards which can be used for financial transactions. +- ddos - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy. +- device - An object to define a device. +- diameter-attack - Attack as seen on diameter authentication against a GSM, UMTS or LTE network. +- domain-ip - A domain and IP address seen as a tuple in a specific time frame. +- elf - Object describing a Executable and Linkable Format. +- elf-section - Object describing a section of an Executable and Linkable Format. +- email - Email object describing an email with meta-information. +- exploit-poc - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. +- facial-composite - An object which describes a facial composite. +- fail2ban - Fail2ban event. +- file - File object describing a file with meta-information. +- forensic-case - An object template to describe a digital forensic case. +- forensic-evidence - An object template to describe a digital forensic evidence. +- geolocation - An object to describe a geographic location. +- gtp-attack - GTP attack object as seen on a GSM, UMTS or LTE network. +- http-request - A single HTTP request header. +- ilr-impact - Institut Luxembourgeois de Regulation - Impact. +- ilr-notification-incident - Institut Luxembourgeois de Regulation - Notification d'incident. +- internal-reference - Internal reference. +- interpol-notice - An object which describes a Interpol notice. +- ip-api-address - IP Address information. Useful if you are pulling your ip information from ip-api.com. +- ip-port - An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame. +- irc - An IRC object to describe an IRC server and the associated channels. +- ja3 - JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3. +- legal-entity - An object to describe a legal entity. +- lnk - LNK object describing a Windows LNK binary file (aka Windows shortcut). +- macho - Object describing a file in Mach-O format. +- macho-section - Object describing a section of a file in Mach-O format. +- mactime-timeline-analysis - Mactime template, used in forensic investigations to describe the timeline of a file activity. +- malware-config - Malware configuration recovered or extracted from a malicious binary. +- microblog - Microblog post like a Twitter tweet or a post on a Facebook wall. +- mutex - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. +- netflow - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. +- network-connection - A local or remote network connection. +- network-socket - Network socket object describes a local or remote network connections based on the socket data structure. +- misc - An object which describes an organization. +- original-imported-file - Object describing the original file used to import data in MISP. +- passive-dns - Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01. +- paste - Paste or similar post from a website allowing to share privately or publicly posts. +- pcap-metadata - Network packet capture metadata. +- pe - Object describing a Portable Executable. +- pe-section - Object describing a section of a Portable Executable. +- person - An object which describes a person or an identity. +- phishing - Phishing template to describe a phishing website and its analysis. +- phishing-kit - Object to describe a phishing-kit. +- phone - A phone or mobile phone object which describe a phone. +- process - Object describing a system process. +- python-etvx-event-log - Event log object template to share information of the activities conducted on a system. . +- r2graphity - Indicators extracted from files using radare2 and graphml. +- regexp - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression. +- registry-key - Registry key object describing a Windows registry key with value and last-modified timestamp. +- regripper-NTUser - Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive. +- regripper-sam-hive-single-user - Regripper Object template designed to present user profile details extracted from the SAM hive. +- regripper-sam-hive-user-group - Regripper Object template designed to present group profile details extracted from the SAM hive. +- regripper-software-hive-BHO - Regripper Object template designed to gather information of the browser helper objects installed on the system. +- regripper-software-hive-appInit-DLLS - Regripper Object template designed to gather information of the DLL files installed on the system. +- regripper-software-hive-application-paths - Regripper Object template designed to gather information of the application paths. +- regripper-software-hive-applications-installed - Regripper Object template designed to gather information of the applications installed on the system. +- regripper-software-hive-command-shell - Regripper Object template designed to gather information of the shell commands executed on the system. +- regripper-software-hive-windows-general-info - Regripper Object template designed to gather general windows information extracted from the software-hive. +- regripper-software-hive-software-run - Regripper Object template designed to gather information of the applications set to run on the system. +- regripper-software-hive-userprofile-winlogon - Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive. +- regripper-system-hive-firewall-configuration - Regripper Object template designed to present firewall configuration information extracted from the system-hive. +- regripper-system-hive-general-configuration - Regripper Object template designed to present general system properties extracted from the system-hive. +- regripper-system-hive-network-information. - Regripper object template designed to gather network information from the system-hive. +- regripper-system-hive-services-drivers - Regripper Object template designed to gather information regarding the services/drivers from the system-hive. +- report - Metadata used to generate an executive level report. +- research-scanner - Information related to known scanning activity (e.g. from research projects). +- rogue-dns - Rogue DNS as defined by CERT.br. +- rtir - RTIR - Request Tracker for Incident Response. +- sandbox-report - Sandbox report. +- sb-signature - Sandbox detection signature. +- script - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. +- shell-commands - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. +- short-message-service - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply. +- shortened-link - Shortened link and its redirect target. +- splunk - Splunk / Splunk ES object. +- ss7-attack - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. +- ssh-authorized-keys - An object to store ssh authorized keys file. +- stix2-pattern - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. +- suricata - An object describing one or more Suricata rule(s) along with version and contextual information. +- target-system - Description about an targeted system, this could potentially be a compromissed internal system. +- threatgrid-report - ThreatGrid report. +- timecode - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. +- timesketch-timeline - A timesketch timeline object based on mandatory field in timesketch to describe a log entry. +- timesketch_message - A timesketch message entry. +- timestamp - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. +- tor-hiddenservice - Tor hidden service (onion service) object. +- tor-node - Tor node (which protects your privacy on the internet by hiding the connection between users Internet address and the services used by the users) description which are part of the Tor network at a time. +- tracking-id - Analytics and tracking ID such as used in Google Analytics or other analytic platform. +- transaction - An object to describe a financial transaction. +- url - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata. +- vehicle - Vehicle object template to describe a vehicle information and registration. +- victim - Victim object describes the target of an attack or abuse. +- virustotal-report - VirusTotal report. +- vulnerability - Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware. +- whois - Whois records information for a domain name or an IP address. +- x509 - x509 object describing a X.509 certificate. +- yabin - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: https://github.com/AlienVault-OTX/yabin. +- yara - An object describing a YARA rule along with its version. # Acknowledgements diff --git a/misp-object-template-format/raw.md.txt b/misp-object-template-format/raw.md.txt index c9aed45..9e8aa98 100755 --- a/misp-object-template-format/raw.md.txt +++ b/misp-object-template-format/raw.md.txt @@ -27,7 +27,7 @@ Status of This Memo Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- - Drafts is at http://datatracker.ietf.org/drafts/current/. + Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any @@ -43,7 +43,7 @@ Copyright Notice This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info) in effect on the date of + (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must @@ -69,11 +69,12 @@ Table of Contents 2.1.3. Sample Object Template object . . . . . . . . . . . . 6 2.1.4. Object Relationships . . . . . . . . . . . . . . . . 9 3. Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 10 - 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 - 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 - 5.1. Normative References . . . . . . . . . . . . . . . . . . 10 - 5.2. Informative References . . . . . . . . . . . . . . . . . 10 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 + 3.1. Existing and public MISP object templates . . . . . . . . 10 + 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 + 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 + 5.1. Normative References . . . . . . . . . . . . . . . . . . 18 + 5.2. Informative References . . . . . . . . . . . . . . . . . 18 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 1. Introduction @@ -108,7 +109,6 @@ Table of Contents - Dulaunoy & Iklody Expires October 12, 2018 [Page 2] Internet-Draft MISP object template format April 2018 @@ -123,13 +123,15 @@ Internet-Draft MISP object template format April 2018 MISP object templates themselves consist of a name (MUST), a meta- category (MUST) and a description (SHOULD). They are identified by a - uuid (MUST) and a version (MUST). The list of requirements when it - comes to the contained MISP object template elements is defined in - the requirements field (OPTIONAL). + uuid (MUST) and a version (MUST). For any updates or transfer of the + same object reference. UUID version 4 is RECOMMENDED when assigning + it to a new object reference. The list of requirements when it comes + to the contained MISP object template elements is defined in the + requirements field (OPTIONAL). - MISP object template elements consist of an object_relation (MUST) a - type (MUST) an object_template_id (SHOULD) a ui_priority (SHOULD) a - list of categories (MAY), a list of sane_default values (MAY) or a + MISP object template elements consist of an object_relation (MUST), a + type (MUST), an object_template_id (SHOULD), a ui_priority (SHOULD), + a list of categories (MAY), a list of sane_default values (MAY) or a values_list (MAY). 2.1. Overview @@ -157,10 +159,8 @@ Internet-Draft MISP object template format April 2018 be created based on the given template. The requiredOneOf field MAY be present. -2.1.1.3. required - required is represented as a JSON list and contains a list of - attribute relationships of which all must be present in the object to + @@ -170,6 +170,10 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 3] Internet-Draft MISP object template format April 2018 +2.1.1.3. required + + required is represented as a JSON list and contains a list of + attribute relationships of which all must be present in the object to be created based on the given template. The required field MAY be present. @@ -195,7 +199,7 @@ Internet-Draft MISP object template format April 2018 list of options but can be created on the fly. meta-category is represented as a JSON string. meta-category MUST be - present + present. 2.1.1.7. name @@ -212,11 +216,7 @@ Internet-Draft MISP object template format April 2018 attributes is represented as a JSON list. attributes MUST be present. -2.1.2.1. description - description is represented as a JSON string and contains the - description of the given attribute in the context of the object with - the given relationship. The description field MUST be present. @@ -226,6 +226,12 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 4] Internet-Draft MISP object template format April 2018 +2.1.2.1. description + + description is represented as a JSON string and contains the + description of the given attribute in the context of the object with + the given relationship. The description field MUST be present. + 2.1.2.2. ui-priority ui-priority is represented by a numeric values in JSON string format @@ -268,12 +274,6 @@ Internet-Draft MISP object template format April 2018 The multiple field MAY be present. -2.1.2.7. sane_default - - sane_default is represented by a JSON list containing one or several - recommended/sane values for an attribute. sane_default is mutually - exclusive with values_list. - @@ -282,6 +282,12 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 5] Internet-Draft MISP object template format April 2018 +2.1.2.7. sane_default + + sane_default is represented by a JSON list containing one or several + recommended/sane values for an attribute. sane_default is mutually + exclusive with values_list. + The sane_default field MAY be present. 2.1.2.8. values_list @@ -313,12 +319,6 @@ Internet-Draft MISP object template format April 2018 - - - - - - @@ -522,7 +522,453 @@ Internet-Draft MISP object template format April 2018 A relationships directory is also included, containing a definition.json file which contains a list of MISP object relation - definitions + definitions. There are more than 125 existing templates object + documented in [MISP-O-DOC]. + +3.1. Existing and public MISP object templates + + o tsk-chats - An Object Template to gather information from + evidential or interesting exchange of messages identified during a + digital forensic investigation. + + o tsk-web-bookmark - An Object Template to add evidential bookmarks + identified during a digital forensic investigation. + + o tsk-web-cookie - An TSK-Autopsy Object Template to represent + cookies identified during a forensic investigation. + + o tsk-web-downloads - An Object Template to add web-downloads. + + o tsk-web-history - An Object Template to share web history + information. + + o tsk-web-search-query - An Object Template to share web search + query information. + + o ail-leak - An information leak as defined by the AIL Analysis + Information Leak framework. + + o ais-info - Automated Indicator Sharing (AIS) Information Source + Markings. + + o android-permission - A set of android permissions - one or more + permission(s) which can be linked to other objects (e.g. malware, + app). + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 10] + +Internet-Draft MISP object template format April 2018 + + + o annotation - An annotation object allowing analysts to add + annotations, comments, executive summary to a MISP event, objects + or attributes. + + o anonymisation - Anonymisation object describing an anonymisation + technique used to encode MISP attribute values. Reference: + . + + o asn - Autonomous system object describing an autonomous system + which can include one or more network operators management an + entity (e.g. ISP) along with their routing policy, routing + prefixes or alike. + + o authenticode-signerinfo - Authenticode Signer Info. + + o av-signature - Antivirus detection signature. + + o bank-account - An object describing bank account information based + on account description from goAML 4.0. + + o bgp-hijack - Object encapsulating BGP Hijack description as + specified, for example, by bgpstream.com. + + o cap-alert - Common Alerting Protocol Version (CAP) alert object. + + o cap-info - Common Alerting Protocol Version (CAP) info object. + + o cap-resource - Common Alerting Protocol Version (CAP) resource + object. + + o coin-address - An address used in a cryptocurrency. + + o cookie - An HTTP cookie (web cookie, browser cookie) is a small + piece of data that a server sends to the user's web browser. The + browser may store it and send it back with the next request to the + same server. Typically, it's used to tell if two requests came + from the same browser -- keeping a user logged-in, for example. + It remembers stateful information for the stateless HTTP protocol. + (as defined by the Mozilla foundation. + + o cortex - Cortex object describing a complete cortex analysis. + Observables would be attribute with a relationship from this + object. + + o cortex-taxonomy - Cortex object describing an Cortex Taxonomy (or + mini report). + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 11] + +Internet-Draft MISP object template format April 2018 + + + o course-of-action - An object describing a specific measure taken + to prevent or respond to an attack. + + o cowrie - Cowrie honeypot object template. + + o credential - Credential describes one or more credential(s) + including password(s), api key(s) or decryption key(s). + + o credit-card - A payment card like credit card, debit card or any + similar cards which can be used for financial transactions. + + o ddos - DDoS object describes a current DDoS activity from a + specific or/and to a specific target. Type of DDoS can be + attached to the object as a taxonomy. + + o device - An object to define a device. + + o diameter-attack - Attack as seen on diameter authentication + against a GSM, UMTS or LTE network. + + o domain-ip - A domain and IP address seen as a tuple in a specific + time frame. + + o elf - Object describing a Executable and Linkable Format. + + o elf-section - Object describing a section of an Executable and + Linkable Format. + + o email - Email object describing an email with meta-information. + + o exploit-poc - Exploit-poc object describing a proof of concept or + exploit of a vulnerability. This object has often a relationship + with a vulnerability object. + + o facial-composite - An object which describes a facial composite. + + o fail2ban - Fail2ban event. + + o file - File object describing a file with meta-information. + + o forensic-case - An object template to describe a digital forensic + case. + + o forensic-evidence - An object template to describe a digital + forensic evidence. + + o geolocation - An object to describe a geographic location. + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 12] + +Internet-Draft MISP object template format April 2018 + + + o gtp-attack - GTP attack object as seen on a GSM, UMTS or LTE + network. + + o http-request - A single HTTP request header. + + o ilr-impact - Institut Luxembourgeois de Regulation - Impact. + + o ilr-notification-incident - Institut Luxembourgeois de Regulation + - Notification d'incident. + + o internal-reference - Internal reference. + + o interpol-notice - An object which describes a Interpol notice. + + o ip-api-address - IP Address information. Useful if you are + pulling your ip information from ip-api.com. + + o ip-port - An IP address (or domain or hostname) and a port seen as + a tuple (or as a triple) in a specific time frame. + + o irc - An IRC object to describe an IRC server and the associated + channels. + + o ja3 - JA3 is a new technique for creating SSL client fingerprints + that are easy to produce and can be easily shared for threat + intelligence. Fingerprints are composed of Client Hello packet; + SSL Version, Accepted Ciphers, List of Extensions, Elliptic + Curves, and Elliptic Curve Formats. + . + + o legal-entity - An object to describe a legal entity. + + o lnk - LNK object describing a Windows LNK binary file (aka Windows + shortcut). + + o macho - Object describing a file in Mach-O format. + + o macho-section - Object describing a section of a file in Mach-O + format. + + o mactime-timeline-analysis - Mactime template, used in forensic + investigations to describe the timeline of a file activity. + + o malware-config - Malware configuration recovered or extracted from + a malicious binary. + + o microblog - Microblog post like a Twitter tweet or a post on a + Facebook wall. + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 13] + +Internet-Draft MISP object template format April 2018 + + + o mutex - Object to describe mutual exclusion locks (mutex) as seen + in memory or computer program. + + o netflow - Netflow object describes an network object based on the + Netflowv5/v9 minimal definition. + + o network-connection - A local or remote network connection. + + o network-socket - Network socket object describes a local or remote + network connections based on the socket data structure. + + o misc - An object which describes an organization. + + o original-imported-file - Object describing the original file used + to import data in MISP. + + o passive-dns - Passive DNS records as expressed in draft-dulaunoy- + dnsop-passive-dns-cof-01. + + o paste - Paste or similar post from a website allowing to share + privately or publicly posts. + + o pcap-metadata - Network packet capture metadata. + + o pe - Object describing a Portable Executable. + + o pe-section - Object describing a section of a Portable Executable. + + o person - An object which describes a person or an identity. + + o phishing - Phishing template to describe a phishing website and + its analysis. + + o phishing-kit - Object to describe a phishing-kit. + + o phone - A phone or mobile phone object which describe a phone. + + o process - Object describing a system process. + + o python-etvx-event-log - Event log object template to share + information of the activities conducted on a system. . + + o r2graphity - Indicators extracted from files using radare2 and + graphml. + + o regexp - An object describing a regular expression (regex or + regexp). The object can be linked via a relationship to other + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 14] + +Internet-Draft MISP object template format April 2018 + + + attributes or objects to describe how it can be represented as a + regular expression. + + o registry-key - Registry key object describing a Windows registry + key with value and last-modified timestamp. + + o regripper-NTUser - Regripper Object template designed to present + user specific configuration details extracted from the NTUSER.dat + hive. + + o regripper-sam-hive-single-user - Regripper Object template + designed to present user profile details extracted from the SAM + hive. + + o regripper-sam-hive-user-group - Regripper Object template designed + to present group profile details extracted from the SAM hive. + + o regripper-software-hive-BHO - Regripper Object template designed + to gather information of the browser helper objects installed on + the system. + + o regripper-software-hive-appInit-DLLS - Regripper Object template + designed to gather information of the DLL files installed on the + system. + + o regripper-software-hive-application-paths - Regripper Object + template designed to gather information of the application paths. + + o regripper-software-hive-applications-installed - Regripper Object + template designed to gather information of the applications + installed on the system. + + o regripper-software-hive-command-shell - Regripper Object template + designed to gather information of the shell commands executed on + the system. + + o regripper-software-hive-windows-general-info - Regripper Object + template designed to gather general windows information extracted + from the software-hive. + + o regripper-software-hive-software-run - Regripper Object template + designed to gather information of the applications set to run on + the system. + + o regripper-software-hive-userprofile-winlogon - Regripper Object + template designed to gather user profile information when the user + logs onto the system, gathered from the software hive. + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 15] + +Internet-Draft MISP object template format April 2018 + + + o regripper-system-hive-firewall-configuration - Regripper Object + template designed to present firewall configuration information + extracted from the system-hive. + + o regripper-system-hive-general-configuration - Regripper Object + template designed to present general system properties extracted + from the system-hive. + + o regripper-system-hive-network-information. - Regripper object + template designed to gather network information from the system- + hive. + + o regripper-system-hive-services-drivers - Regripper Object template + designed to gather information regarding the services/drivers from + the system-hive. + + o report - Metadata used to generate an executive level report. + + o research-scanner - Information related to known scanning activity + (e.g. from research projects). + + o rogue-dns - Rogue DNS as defined by CERT.br. + + o rtir - RTIR - Request Tracker for Incident Response. + + o sandbox-report - Sandbox report. + + o sb-signature - Sandbox detection signature. + + o script - Object describing a computer program written to be run in + a special run-time environment. The script or shell script can be + used for malicious activities but also as support tools for threat + analysts. + + o shell-commands - Object describing a series of shell commands + executed. This object can be linked with malicious files in order + to describe a specific execution of shell commands. + + o short-message-service - Short Message Service (SMS) object + template describing one or more SMS message. Restriction of the + initial format 3GPP 23.038 GSM character set doesn't apply. + + o shortened-link - Shortened link and its redirect target. + + o splunk - Splunk / Splunk ES object. + + o ss7-attack - SS7 object of an attack seen on a GSM, UMTS or LTE + network via SS7 logging. + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 16] + +Internet-Draft MISP object template format April 2018 + + + o ssh-authorized-keys - An object to store ssh authorized keys file. + + o stix2-pattern - An object describing a STIX pattern. The object + can be linked via a relationship to other attributes or objects to + describe how it can be represented as a STIX pattern. + + o suricata - An object describing one or more Suricata rule(s) along + with version and contextual information. + + o target-system - Description about an targeted system, this could + potentially be a compromissed internal system. + + o threatgrid-report - ThreatGrid report. + + o timecode - Timecode object to describe a start of video sequence + (e.g. CCTV evidence) and the end of the video sequence. + + o timesketch-timeline - A timesketch timeline object based on + mandatory field in timesketch to describe a log entry. + + o timesketch_message - A timesketch message entry. + + o timestamp - A generic timestamp object to represent time including + first time and last time seen. Relationship will then define the + kind of time relationship. + + o tor-hiddenservice - Tor hidden service (onion service) object. + + o tor-node - Tor node (which protects your privacy on the internet + by hiding the connection between users Internet address and the + services used by the users) description which are part of the Tor + network at a time. + + o tracking-id - Analytics and tracking ID such as used in Google + Analytics or other analytic platform. + + o transaction - An object to describe a financial transaction. + + o url - url object describes an url along with its normalized field + (like extracted using faup parsing library) and its metadata. + + o vehicle - Vehicle object template to describe a vehicle + information and registration. + + o victim - Victim object describes the target of an attack or abuse. + + o virustotal-report - VirusTotal report. + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 17] + +Internet-Draft MISP object template format April 2018 + + + o vulnerability - Vulnerability object describing a common + vulnerability enumeration which can describe published, + unpublished, under review or embargo vulnerability for software, + equipments or hardware. + + o whois - Whois records information for a domain name or an IP + address. + + o x509 - x509 object describing a X.509 certificate. + + o yabin - yabin.py generates Yara rules from function prologs, for + matching and hunting binaries. ref: . + + o yara - An object describing a YARA rule along with its version. 4. Acknowledgements @@ -535,29 +981,31 @@ Internet-Draft MISP object template format April 2018 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, - DOI 10.17487/RFC2119, March 1997, . + DOI 10.17487/RFC2119, March 1997, + . [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, - DOI 10.17487/RFC4122, July 2005, . + DOI 10.17487/RFC4122, July 2005, + . [RFC4627] Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, - DOI 10.17487/RFC4627, July 2006, . + DOI 10.17487/RFC4627, July 2006, + . 5.2. Informative References - [MISP-O] MISP, , "MISP Objects - shared and common object - templates", . + [MISP-O] MISP, "MISP Objects - shared and common object templates", + . + + [MISP-O-DOC] + "MISP objects directory", 2018, + . - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 10] +Dulaunoy & Iklody Expires October 12, 2018 [Page 18] Internet-Draft MISP object template format April 2018 @@ -613,4 +1061,4 @@ Authors' Addresses -Dulaunoy & Iklody Expires October 12, 2018 [Page 11] +Dulaunoy & Iklody Expires October 12, 2018 [Page 19]