MISP is not only software but also a set of data models created by the MISP community. MISP includes a simple and practical information-sharing format expressed in JSON that can be used with the MISP software or by any other software.
- **Internal reference**: Reference used by the publishing party (e.g. ticket number)
- **Targeting data**: Targeting information, including recipient email, infected machines, department and/or locations.
- **Antivirus detection**: List of anti-virus vendors detecting the malware, or information on detection performance (e.g. 13/43 or 67%). An attachment with the list of detections or a link to VirusTotal can be placed here as well.
- **Payload delivery**: Information about the way the malware payload is initially delivered, for example information about the email or website, the vulnerability used, the originating IP, etc. The malware sample itself should be attached here.
- **Artifacts dropped**: Any artifact (files, registry keys, etc.) dropped by the malware, or other modifications to the system
- **Payload installation**: Location where the payload was placed on the system and the way it was installed. For example, a filename|md5 attribute can be added here like this: `c:\windows\system32\malicious.exe|d41d8cd98f00b204e9800998ecf8427e` (the filename, a single pipe, then the 32-character hex digest).
- **Persistence mechanism**: Mechanisms used by the malware to start at boot. This could be a registry key, a legitimate driver modification, or an LNK file in the Startup folder
- **Network activity**: Information about network traffic generated by the malware
- **Payload type**: Information about the final payload(s). Can contain the function of the payload, e.g. keylogger or RAT, or a name if identified, such as Poison Ivy.
- **Attribution**: Identification of the group, organisation or country behind the attack
- **External analysis**: Any other result from additional analysis of the malware, such as tool output. Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.
- **Financial fraud**: Financial fraud indicators, for example: IBAN numbers, BIC codes, credit card numbers, etc.
- **Other**: Attributes that are not part of any other category
### Types
- **md5**: A checksum in MD5 format. You are encouraged to use filename|md5 instead; only use this if you don't know the correct filename
- **sha1**: A checksum in SHA-1 format. You are encouraged to use filename|sha1 instead; only use this if you don't know the correct filename
- **sha256**: A checksum in SHA-256 format. You are encouraged to use filename|sha256 instead; only use this if you don't know the correct filename
- **filename**: Filename
- **pdb**: Microsoft Program Database (PDB) path information
- **filename|md5**: A filename and an MD5 hash separated by a | (no spaces)
- **filename|sha1**: A filename and a SHA-1 hash separated by a | (no spaces)
- **filename|sha256**: A filename and a SHA-256 hash separated by a | (no spaces)
- **ip-src**: A source IP address of the attacker
- **ip-dst**: A destination IP address of the attacker or C&C server. Also set the IDS flag when this IP is hardcoded in the malware
- **hostname**: A full host/DNS name of an attacker. Also set the IDS flag when this hostname is hardcoded in the malware
- **domain**: A domain name used in the malware. Use this instead of hostname when the upper domain is important or can be used to create links between events.
- **domain|ip**: A domain name and its IP address (as found in a DNS lookup) separated by a | (no spaces)
- **email-src**: The email address (or domain name) used to send the malware.
- **email-dst**: A recipient email address that is not related to your constituency.
- **email-subject**: The subject of the email
- **email-attachment**: File name of the email attachment.
- **url**: A URL
- **http-method**: HTTP method used by the malware (e.g. POST, GET, ...).
- **user-agent**: The User-Agent used by the malware in the HTTP request.
- **regkey**: Registry key or value
- **regkey|value**: Registry value and its data separated by a |
- **AS**: Autonomous system
- **snort**: An IDS rule in Snort rule format. This rule will be automatically rewritten in the NIDS exports.
- **pattern-in-file**: Pattern in a file that identifies the malware
- **pattern-in-traffic**: Pattern in network traffic that identifies the malware
- **pattern-in-memory**: Pattern in a memory dump that identifies the malware
- **yara**: YARA signature
- **vulnerability**: A reference to the vulnerability used in the exploit (e.g. a CVE identifier)
- **attachment**: Please upload files using the *Upload Attachment* button.
- **malware-sample**: Please upload files using the *Upload Attachment* button. Samples are stored and exported as password-protected zip archives (password `infected`) so that they cannot be executed by accident.
- **link**: Link to external information
- **comment**: Comment or description in a human language. This will not be correlated with other attributes
- **text**: Name, ID or a reference
- **other**: Other attribute
- **named pipe**: Named pipe, use the format `\\.\pipe\<PipeName>`
- **mutex**: Mutex, use the format `\BaseNamedObjects\<Mutex>`
- **target-external**: External target organisations affected by this attack
- **btc**: Bitcoin address
- **iban**: International Bank Account Number
- **bic**: Bank Identifier Code
- **bank-account-nr**: Bank account number without any routing number
- **aba-rtn**: ABA routing transit number
- **bin**: Bank Identification Number
- **cc-number**: Credit card number
- **prtn**: Premium-rate telephone number
- **threat-actor**: A string identifying the threat actor
- **campaign-name**: Associated campaign name
- **campaign-id**: Associated campaign ID
- **malware-type**:
- **uri**: Uniform Resource Identifier
- **authentihash**: Authenticode executable signature hash. You are encouraged to use filename|authentihash instead; only use this if you don't know the correct filename
- **ssdeep**: A checksum in the ssdeep format. You are encouraged to use filename|ssdeep instead; only use this if you don't know the correct filename
- **imphash**: A hash created from the imports of the sample. You are encouraged to use filename|imphash instead; only use this if you don't know the correct filename
- **pehash**: PEhash, a hash calculated over certain pieces of a PE executable file
- **sha224**: A checksum in SHA-224 format. You are encouraged to use filename|sha224 instead; only use this if you don't know the correct filename
- **sha384**: A checksum in SHA-384 format. You are encouraged to use filename|sha384 instead; only use this if you don't know the correct filename
- **sha512**: A checksum in SHA-512 format. You are encouraged to use filename|sha512 instead; only use this if you don't know the correct filename
- **sha512/224**: A checksum in SHA-512/224 format. You are encouraged to use filename|sha512/224 instead; only use this if you don't know the correct filename
- **sha512/256**: A checksum in SHA-512/256 format. You are encouraged to use filename|sha512/256 instead; only use this if you don't know the correct filename
- **tlsh**: A checksum in the Trend Micro Locality Sensitive Hash format. You are encouraged to use filename|tlsh instead; only use this if you don't know the correct filename
- **filename|authentihash**: A filename and an Authenticode signature hash separated by a pipe
- **filename|ssdeep**: A filename and an ssdeep hash separated by a pipe
- **filename|imphash**: A filename and an import hash (a hash created from the imports of the sample) separated by a pipe
- **filename|pehash**: A filename and a PEhash separated by a pipe
- **filename|sha224**: A filename and a SHA-224 hash separated by a pipe
- **filename|sha384**: A filename and a SHA-384 hash separated by a pipe
- **filename|sha512**: A filename and a SHA-512 hash separated by a pipe
- **filename|sha512/224**: A filename and a SHA-512/224 hash separated by a pipe
- **filename|sha512/256**: A filename and a SHA-512/256 hash separated by a pipe
- **filename|tlsh**: A filename and a Trend Micro Locality Sensitive Hash separated by a pipe
- **windows-scheduled-task**: A scheduled task in Windows
- **windows-service-name**: A Windows service name. This is the name used internally by Windows. Not to be confused with windows-service-displayname.
- **windows-service-displayname**: A Windows service's display name, not to be confused with windows-service-name. This is the name that applications will generally display as the service's name.
- **whois-registrant-email**: The e-mail address of a domain's registrant, obtained from the WHOIS information.
- **whois-registrant-phone**: The phone number of a domain's registrant, obtained from the WHOIS information.
- **whois-registrant-name**: The name of a domain's registrant, obtained from the WHOIS information.
- **whois-registrar**: The registrar of the domain, obtained from the WHOIS information.
- **whois-creation-date**: The creation date of the domain, obtained from the WHOIS information.
- **targeted-threat-index**:
- **mailslot**: Mailslot interprocess communication
- **pipe**: Pipeline (for named pipes use the attribute type "named pipe")
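As an added example (not part of the MISP documentation or the MISP code base), the following Python script builds a small event in this format and enforces the attribute conventions described above: known type and category names, pipe-separated composite values with exactly one `|` and no spaces around it, hex digests of the right length, and the IDS flag. The JSON envelope (`Event` with `info`, `distribution` and an `Attribute` list, each attribute carrying `type`, `category`, `value`, `to_ids` and `comment`) follows the layout of MISP's JSON export; the indicator values are constructed from documentation addresses and an invented dropper. Lower-casing the hash part of a value and refusing the IDS flag on a `comment` attribute (which MISP never correlates) are this example's own normalisation choices.

```python
"""Build and sanity-check MISP attributes in the core JSON format (added example)."""
import ipaddress
import json
import re

CATEGORIES = {
    "Internal reference", "Targeting data", "Antivirus detection", "Payload delivery",
    "Artifacts dropped", "Payload installation", "Persistence mechanism", "Network activity",
    "Payload type", "Attribution", "External analysis", "Financial fraud", "Other",
}

# Expected digest length (hex characters) for the hash types listed above.
HEX_LEN = {"md5": 32, "sha1": 40, "sha224": 56, "sha256": 64, "sha384": 96, "sha512": 128,
           "sha512/224": 56, "sha512/256": 64, "imphash": 32, "authentihash": 64}

# Composite types: the value is "<left>|<right>", one pipe, no spaces around it.
COMPOSITE = {"filename|" + h: ("filename", h) for h in list(HEX_LEN) + ["ssdeep", "pehash", "tlsh"]}
COMPOSITE.update({"domain|ip": ("domain", "ip"), "regkey|value": ("regkey", "value")})

SIMPLE = {
    "filename", "pdb", "ip-src", "ip-dst", "hostname", "domain", "email-src", "email-dst",
    "email-subject", "email-attachment", "url", "http-method", "user-agent", "regkey", "AS",
    "snort", "pattern-in-file", "pattern-in-traffic", "pattern-in-memory", "yara", "vulnerability",
    "attachment", "malware-sample", "link", "comment", "text", "other", "named pipe", "mutex",
    "target-external", "btc", "iban", "bic", "bank-account-nr", "aba-rtn", "bin", "cc-number",
    "prtn", "threat-actor", "campaign-name", "campaign-id", "malware-type", "uri", "ssdeep",
    "pehash", "tlsh", "windows-scheduled-task", "windows-service-name",
    "windows-service-displayname", "whois-registrant-email", "whois-registrant-phone",
    "whois-registrant-name", "whois-registrar", "whois-creation-date", "targeted-threat-index",
    "mailslot", "pipe",
}
TYPES = SIMPLE | set(HEX_LEN) | set(COMPOSITE)


def _check_part(kind, part):
    """Return an error string for one value part, or None when it is well-formed."""
    if kind in HEX_LEN:
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[kind], part):
            return f"{kind} must be {HEX_LEN[kind]} lower-case hex characters, got {len(part)}"
    elif kind == "ip":
        try:
            ipaddress.ip_address(part)
        except ValueError:
            return f"not an IP address: {part!r}"
    elif not part:
        return f"empty {kind}"
    return None


def validate_attribute(attr):
    """Return the list of problems found in one attribute dict (empty list means OK)."""
    errors = []
    type_, category, value = attr.get("type"), attr.get("category"), attr.get("value", "")
    if type_ not in TYPES:
        errors.append(f"unknown type {type_!r}")
    if category not in CATEGORIES:
        errors.append(f"unknown category {category!r}")
    if type_ in COMPOSITE:
        parts = value.split("|")
        if len(parts) != 2 or parts[0] != parts[0].rstrip() or parts[1] != parts[1].lstrip():
            errors.append(f"{type_} must be 'left|right' with exactly one pipe and no spaces around it")
        else:
            errors += [e for e in map(_check_part, COMPOSITE[type_], parts) if e]
    elif type_ in HEX_LEN or type_ in ("ip-src", "ip-dst"):
        err = _check_part("ip" if type_.startswith("ip-") else type_, value)
        if err:
            errors.append(err)
    # Example's own rule: comments are never correlated, so an IDS flag on one is a mistake.
    if type_ == "comment" and attr.get("to_ids"):
        errors.append("comment attributes must not carry the IDS flag")
    return errors


def make_attribute(type_, category, value, to_ids=False, comment=""):
    """Build one attribute dict, lower-casing any hash part, and refuse malformed input."""
    if type_ in HEX_LEN:
        value = value.lower()
    elif type_ in COMPOSITE and COMPOSITE[type_][1] in HEX_LEN and value.count("|") == 1:
        left, right = value.split("|")          # keep the filename's case, normalise the digest
        value = left + "|" + right.lower()
    attr = {"type": type_, "category": category, "value": value, "to_ids": to_ids, "comment": comment}
    problems = validate_attribute(attr)
    if problems:
        raise ValueError("; ".join(problems))
    return attr


def build_event(info, attributes, distribution=0):
    """Wrap attributes in the event envelope; distribution 0 means 'your organisation only'."""
    return {"Event": {"info": info, "distribution": distribution, "Attribute": list(attributes)}}


# Constructed sample: documentation addresses and an invented dropper, not real indicators.
SAMPLE_EVENT = build_event("Dropper campaign (constructed example)", [
    make_attribute("filename|md5", "Payload installation",
                   r"c:\windows\system32\malicious.exe|D41D8CD98F00B204E9800998ECF8427E", to_ids=True),
    make_attribute("ip-dst", "Network activity", "198.51.100.23", to_ids=True,
                   comment="C&C address hardcoded in the sample, hence the IDS flag"),
    make_attribute("domain|ip", "Network activity", "c2.example.net|198.51.100.23"),
    make_attribute("regkey|value", "Persistence mechanism",
                   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater|C:\Users\Public\updater.exe"),
    make_attribute("comment", "Other", "Sandbox run shows the dropper beaconing every 300 s"),
])

if __name__ == "__main__":
    print(json.dumps(SAMPLE_EVENT, indent=2))
```

Running the script prints the event as JSON ready to be pushed to a MISP instance; `make_attribute` raises on a 31-character MD5, on `example.net | 198.51.100.23` (spaces around the pipe) and on an unknown type, which is exactly the class of mistake that silently breaks correlation and NIDS export when it reaches a shared instance.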
Along with the core format, [MISP taxonomies](https://www.github.com/MISP/misp-taxonomies/) provide a set of predefined classifications modelling estimative language, CSIRT/CERT classifications, national classifications and threat-model classifications. The fixed taxonomies provide a practical method to efficiently tag events and attributes within a set of MISP instances, where taxonomies can easily be cherry-picked or extended to meet the local requirements of an organisation or a specific sharing community. When using MISP, the MISP taxonomies are available and can be freely used according to community practices.
- [Information Security Marking Metadata](https://github.com/MISP/misp-taxonomies/tree/master/dni-ism) from DNI (Director of National Intelligence - US)
- [Malware](https://github.com/MISP/misp-taxonomies/tree/master/malware) classification based on a SANS document
- [ms-caro-malware](https://github.com/MISP/misp-taxonomies/tree/master/ms-caro-malware) Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organiza
- [OSINT Open Source Intelligence - Classification](https://github.com/MISP/misp-taxonomies/tree/master/osint)
- [PAP (Permissible Actions Protocol)](https://github.com/MISP/misp-taxonomies/tree/master/pap) was designed to indicate how the received information can be used.