diff --git a/objects.html b/objects.html index 1fdd4ae..f6c7383 100755 --- a/objects.html +++ b/objects.html @@ -459,6 +459,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
origin
-url
type
text
The link where the leak is (or was) accessible at first-seen.
+Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
--
first-seen
datetime
last-seen
datetime
When the leak has been accessible or seen for the last time.
--
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
sensor
text
origin
url
The link where the leak is (or was) accessible at first-seen.
++
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
last-seen
datetime
When the leak has been accessible or seen for the last time.
++
text
+text
Free text value to attach to the file
++
software
text
Name of antivirus software
+
text
-text
Free text value to attach to the file
--
datetime
datetime
text
cookie-name
text
A description of the cookie.
+Name of the cookie (if splitted)
+
cookie-name
+text
text
Name of the cookie (if splitted)
+A description of the cookie.
+
card-security-code
+text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
++
version
text
cc-number
cc-number
credit-card number as encoded on the card.
--
name
text
Name of the card owner.
--
expiration
datetime
card-security-code
cc-number
cc-number
credit-card number as encoded on the card.
++
name
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
+Name of the card owner.
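Review bot: Almost every row in this hunk (`origin`, `type`, `text`, `last-seen` for the leak object, the `cookie-name` / `text` pair, `name` / `card-security-code` for the card object) moves position without its type or description changing, which suggests the generator emits attributes in dictionary order and produces a large noisy diff on every regeneration; sorting the attributes by name before rendering the table would keep future diffs to real changes. While touching the cookie rows, "Name of the cookie (if splitted)" should read "(if split)" in the source template.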
@@ -905,36 +906,6 @@ ddos is a MISP object available in JSON format at
last-seen
datetime
End of the attack
--
text
text
Description of the DDoS
--
ip-dst
ip-dst
Destination ID (victim)
--
total-pps
counter
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
total-bps
counter
Bits per second
--
first-seen
datetime
Beginning of the attack
--
dst-port
port
ip-src
ip-src
protocol
text
IP address originating the attack
+Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
ip-dst
ip-dst
Destination ID (victim)
++
first-seen
datetime
Beginning of the attack
total-bps
counter
Bits per second
++
ip-src
ip-src
IP address originating the attack
++
text
text
Description of the DDoS
++
last-seen
datetime
End of the attack
++
ip
-ip-dst
domain
domain
IP Address
+Domain name
domain
domain
ip
ip-dst
Domain name
+IP Address
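Review bot: The description "Destination ID (victim)" on the `ip-dst` row (both the removed and the re-added copy) looks like a typo for "Destination IP (victim)"; since the row's attribute type is `ip-dst`, the wording should say IP. The rest of the hunk is the same row reordering seen in the first hunk, with no content change.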
@@ -1141,26 +1142,6 @@ elf is a MISP object available in JSON format at
text
text
Free text value to attach to the ELF
--
number-sections
counter
Number of sections
--
os_abi
text
text
text
Free text value to attach to the ELF
++
number-sections
counter
Number of sections
++
ssdeep
-ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha384
sha384
md5
md5
type
text
[Insecure] MD5 hash (128 bits)
+Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
name
text
Name of the section
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -1269,28 +1300,8 @@ elf-section is a MISP object available in JSON format at
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
entropy
+float
Entropy of the whole section
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha512/224
sha512/224
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
text
text
name
text
ssdeep
ssdeep
Name of the section
--
entropy
float
Entropy of the whole section
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
@@ -1417,40 +1418,20 @@ email is a MISP object available in JSON format at
mime-boundary
email-mime-boundary
send-date
datetime
MIME Boundary
+Date the email has been sent
+
x-mailer
email-x-mailer
to
email-dst
X-Mailer generally tells the program that was used to draft and send the original email
--
from-display-name
email-src-display-name
Display name of the sender
--
to-display-name
email-dst-display-name
Display name of the receiver
+Destination email address
@@ -1477,16 +1458,6 @@ email is a MISP object available in JSON format at
reply-to
email-reply-to
Email address the reply will be sent to
--
subject
email-subject
send-date
datetime
Date the email has been sent
--
thread-index
email-thread-index
cc
email-dst
x-mailer
email-x-mailer
Carbon copy
+X-Mailer generally tells the program that was used to draft and send the original email
to
email-dst
reply-to
email-reply-to
Destination email address
+Email address the reply will be sent to
++
from
email-src
Sender email address
@@ -1547,6 +1518,16 @@ email is a MISP object available in JSON format at
from-display-name
email-src-display-name
Display name of the sender
++
header
email-header
from
email-src
to-display-name
email-dst-display-name
Sender email address
+Display name of the receiver
++
cc
email-dst
Carbon copy
++
mime-boundary
email-mime-boundary
MIME Boundary
@@ -1605,36 +1606,6 @@ file is a MISP object available in JSON format at
malware-sample
malware-sample
The file itself (binary)
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
sha384
sha384
md5
md5
[Insecure] MD5 hash (128 bits)
--
pattern-in-file
pattern-in-file
Pattern that can be found in the file
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
mimetype
text
Mime type
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
authentihash
authentihash
mimetype
text
Mime type
++
filename
filename
Filename on disk
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
entropy
float
Entropy of the whole file
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
state
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
sha512/224
sha512/224
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
text
text
entropy
float
malware-sample
malware-sample
Entropy of the whole file
--
size-in-bytes
size-in-bytes
Size of the file, in bytes
--
state
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
+The file itself (binary)
sha512
sha512
tlsh
tlsh
Secure Hash Algorithm 2 (512 bits)
+Fuzzy hash by Trend Micro: Locality Sensitive Hash
filename
filename
pattern-in-file
pattern-in-file
Filename on disk
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Pattern that can be found in the file
@@ -1833,16 +1834,6 @@ geolocation is a MISP object available in JSON format at
text
text
A generic description of the location.
--
longitude
float
country
text
Country.
++
first-seen
datetime
When the location was seen for the first time.
++
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
region
text
city
text
City.
++
text
text
A generic description of the location.
++
latitude
float
first-seen
datetime
When the location was seen for the first time.
--
country
text
Country.
--
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
--
city
text
City.
--
user-agent
-user-agent
The user agent string of the user agent
--
uri
uri
Request URI
--
proxy-user
basicauth-user
text
HTTP Proxy Username
+HTTP Basic Authentication Username
@@ -2001,20 +1982,30 @@ http-request is a MISP object available in JSON format at
basicauth-password
text
uri
uri
HTTP Basic Authentication Password
+Request URI
url
url
proxy-password
text
Full HTTP Request URL
+HTTP Proxy Password
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
@@ -2041,30 +2032,40 @@ http-request is a MISP object available in JSON format at
proxy-password
text
url
url
HTTP Proxy Password
+Full HTTP Request URL
text
text
user-agent
user-agent
HTTP Request comment
+The user agent string of the user agent
+
basicauth-user
proxy-user
text
HTTP Basic Authentication Username
+HTTP Proxy Username
++
basicauth-password
text
HTTP Basic Authentication Password
@@ -2081,13 +2082,13 @@ http-request is a MISP object available in JSON format at
cookie
text
text
An HTTP cookie previously sent by the server with Set-Cookie
+HTTP Request comment
+
text
-text
dst-port
port
Description of the tuple
+Destination port
++
first-seen
datetime
First time the tuple has been seen
@@ -2159,6 +2170,16 @@ ip-port is a MISP object available in JSON format at
text
text
Description of the tuple
++
last-seen
datetime
first-seen
datetime
First time the tuple has been seen
--
dst-port
port
Destination port
--
ja3-fingerprint-md5
-md5
Hash identifying source
--
ip-src
ip-src
Source IP Address
--
description
text
last-seen
datetime
ja3-fingerprint-md5
md5
Last seen of the SSL/TLS handshake
+Hash identifying source
@@ -2277,6 +2258,16 @@ ja3 is a MISP object available in JSON format at
ip-src
ip-src
Source IP Address
++
ip-dst
ip-dst
last-seen
datetime
Last seen of the SSL/TLS handshake
++
ssdeep
-ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha384
sha384
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
name
text
Name of the section
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha512/224
sha512/224
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
text
text
name
text
ssdeep
ssdeep
Name of the section
--
entropy
float
Entropy of the whole section
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
@@ -2581,10 +2582,10 @@ microblog is a MISP object available in JSON format at
removal-date
datetime
link
url
When the microblog post was removed
+Link into the microblog post
@@ -2601,20 +2602,20 @@ microblog is a MISP object available in JSON format at
modification-date
datetime
type
text
Last update of the microblog post
+Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
username
text
modification-date
datetime
Username who posted the microblog post
+Last update of the microblog post
@@ -2641,20 +2642,20 @@ microblog is a MISP object available in JSON format at
link
url
removal-date
datetime
Link into the microblog post
+When the microblog post was removed
type
username
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
+Username who posted the microblog post
@@ -2709,106 +2710,6 @@ netflow is a MISP object available in JSON format at
src-as
AS
Source AS number for this flow
--
ip_version
counter
IP version of this flow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
--
dst-port
port
Destination port of the netflow
--
ip-dst
ip-dst
IP address destination of the netflow
--
tcp-flags
text
TCP flags of the flow
--
direction
text
Direction of this flow ['Ingress', 'Egress']
--
dst-as
AS
Destination AS number for this flow
--
byte-count
counter
packet-count
counter
direction
text
Packets counted in this flow
+Direction of this flow ['Ingress', 'Egress']
flow-count
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
src-port
port
Source port of the netflow
++
packet-count
counter
Flows counted in this flow
+Packets counted in this flow
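Review bot: The `ip-protocol-number` row keeps the MISP attribute type `size-in-bytes` in both the removed and the re-added copy, which does not fit a one-byte IP protocol number; `counter`, already used on this object for `ip_version`, `packet-count` and `flow-count`, would be the consistent choice and should be fixed in the netflow template rather than only in this rendered page.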
@@ -2859,6 +2790,26 @@ netflow is a MISP object available in JSON format at
dst-port
port
Destination port of the netflow
++
flow-count
counter
Flows counted in this flow
++
ip-src
ip-src
src-port
port
ip-dst
ip-dst
Source port of the netflow
+IP address destination of the netflow
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
++
tcp-flags
text
TCP flags of the flow
++
src-as
AS
Source AS number for this flow
++
dst-as
AS
Destination AS number for this flow
++
ip_version
counter
IP version of this flow
++
count
+counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
++
rrtype
text
count
counter
sensor_id
text
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
+Sensor information where the record was seen
++
rrname
text
Resource Record name of the queried resource
++
origin
text
Origin of the Passive DNS response
++
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
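Review bot: `ip_version` is the only netflow attribute written with an underscore while its siblings (`src-port`, `dst-as`, `tcp-flags`, `icmp-type`, `ip-protocol-number`) use hyphens; renaming it would change the template's keys, so if it is left as-is the inconsistency at least deserves a comment in the template. The passive-dns names below (`sensor_id`, `zone_time_last`, `rrname`) follow a different convention again; that is fine if it is deliberately mirroring the passive DNS field names, which the page does not state.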
@@ -2957,66 +2998,6 @@ passive-dns is a MISP object available in JSON format at
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
origin
text
Origin of the Passive DNS response
--
rrname
text
Resource Record name of the queried resource
--
text
text
-
-
sensor_id
text
Sensor information where the record was seen
--
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
--
time_first
datetime
text
text
+
+
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
time_last
datetime
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
--
paste
text
last-seen
datetime
When the paste has been accessible or seen for the last time.
--
first-seen
datetime
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
++
last-seen
datetime
When the paste has been accessible or seen for the last time.
++
pehash
-pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
product-name
text
ProductName in the resources
--
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
--
product-version
text
ProductVersion in the resources
--
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
company-name
text
CompanyName in the resources
--
legal-copyright
text
LegalCopyright in the resources
--
entrypoint-address
text
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
file-version
text
FileVersion in the resources
++
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
++
number-sections
counter
Number of sections
++
company-name
text
CompanyName in the resources
++
product-version
text
ProductVersion in the resources
++
original-filename
filename
OriginalFilename in the resources
++
product-name
text
ProductName in the resources
++
file-description
text
FileDescription in the resources
++
legal-copyright
text
LegalCopyright in the resources
++
imphash
imphash
Hash (md5) calculated from the import table
++
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
++
text
text
original-filename
filename
pehash
pehash
OriginalFilename in the resources
+Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
number-sections
counter
Number of sections
--
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
file-description
text
FileDescription in the resources
--
imphash
imphash
Hash (md5) calculated from the import table
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
file-version
text
FileVersion in the resources
--
ssdeep
-ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha384
sha384
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
characteristic
text
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
text
text
name
text
ssdeep
ssdeep
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
--
entropy
float
Entropy of the whole section
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
@@ -3569,40 +3570,10 @@ person is a MISP object available in JSON format at
middle-name
middle-name
place-of-birth
place-of-birth
Middle name of a natural person
--
nationality
nationality
The nationality of a natural person.
--
last-name
last-name
Last name of a natural person.
--
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
+Place of birth of a natural person.
@@ -3619,40 +3590,20 @@ person is a MISP object available in JSON format at
first-name
first-name
last-name
last-name
First name of a natural person.
+Last name of a natural person.
text
text
nationality
nationality
A description of the person or identity.
--
passport-expiration
passport-expiration
The expiration date of a passport.
--
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
+The nationality of a natural person.
@@ -3679,15 +3630,65 @@ person is a MISP object available in JSON format at
place-of-birth
place-of-birth
gender
gender
Place of birth of a natural person.
+The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
middle-name
middle-name
Middle name of a natural person
++
first-name
first-name
First name of a natural person.
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
passport-expiration
passport-expiration
The expiration date of a passport.
++
text
text
A description of the person or identity.
++
tmsi
+text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
++
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
serial-number
text
Serial Number.
++
imsi
text
last-seen
first-seen
datetime
When the phone has been accessible or seen for the last time.
+When the phone has been accessible or seen for the first time.
text
text
A description of the phone.
--
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
--
msisdn
text
imei
text
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
--
first-seen
datetime
When the phone has been accessible or seen for the first time.
+A description of the phone.
tmsi
guti
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
+Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
serial-number
text
last-seen
datetime
Serial Number.
+When the phone has been accessible or seen for the last time.
+
get-proc-address
+counter
Amount of calls to GetProcAddress
++
memory-allocations
counter
referenced-strings
counter
Amount of referenced strings
--
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
--
total-api
counter
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
not-referenced-strings
counter
Amount of not referenced strings
--
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
text
text
Description of the r2graphity object
--
create-thread
counter
Amount of calls to CreateThread
--
total-functions
counter
Total amount of functions in the file.
--
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
callbacks
counter
Amount of callbacks (functions started as thread)
--
r2-commit-version
text
get-proc-address
counter
Amount of calls to GetProcAddress
--
callback-average
counter
Average size of a callback
--
gml
attachment
Graph export in G>raph Modelling Language format
--
miss-api
counter
local-references
counter
text
text
Amount of API calls inside a code section
+Description of the r2graphity object
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
@@ -4065,6 +3946,76 @@ r2graphity is a MISP object available in JSON format at
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
create-thread
counter
Amount of calls to CreateThread
++
referenced-strings
counter
Amount of referenced strings
++
gml
attachment
Graph export in G>raph Modelling Language format
++
not-referenced-strings
counter
Amount of not referenced strings
++
refsglobalvar
counter
ratio-string
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
callback-average
counter
Average size of a callback
++
callbacks
counter
Amount of callbacks (functions started as thread)
++
total-functions
counter
Total amount of functions in the file.
++
ratio-functions
float
Ratio: amount of referenced strings per kilobyte of code section
+Ratio: amount of functions per kilobyte of code section
++
local-references
counter
Amount of API calls inside a code section
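Review bot: Two typos in the r2graphity descriptions survive the regeneration and should be corrected in the source template: "Radare2 bug, probalby" (read "probably") on the `unknown-references` row, and "Graph export in G>raph Modelling Language format" (a stray `>`) on the `gml` row. Both strings appear identically in the removed and re-added rows, so the fix belongs upstream of this generated file.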
@@ -4133,16 +4134,6 @@ regexp is a MISP object available in JSON format at
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
comment
comment
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
++
key
-reg-key
hive
reg-hive
Full key path
+Hive used to store the registry key (file on disk)
++
data-type
reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
@@ -4211,20 +4222,10 @@ registry-key is a MISP object available in JSON format at
data
reg-data
key
reg-key
Data stored in the registry key
--
hive
reg-hive
Hive used to store the registry key (file on disk)
+Full key path
@@ -4241,10 +4242,68 @@ registry-key is a MISP object available in JSON format at
data-type
reg-datatype
data
reg-data
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
+Data stored in the registry key
++
Metadata used to generate an executive level report.
++ + | ++report is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +|||
---|---|---|---|---|---|---|
case-number |
+text |
+
+ Case number + |
+
+ + |
+|||
summary |
+text |
+
+ Free text summary of the report |
@@ -4289,6 +4348,16 @@ rtir is a MISP object available in JSON format at constituency |
+text |
+
+ Constituency of the RTIR ticket + |
+
+ + |
+
subject |
text |
@@ -4299,6 +4368,26 @@ rtir is a MISP object available in JSON format at ticket-number |
+text |
+
+ ticket-number of the RTIR ticket + |
+
+ + |
+|
classification |
+text |
+
+ Classification of the RTIR ticket + |
+
+ + |
+|||
status |
text |
@@ -4319,36 +4408,6 @@ rtir is a MISP object available in JSON format at classification |
-text |
-
- Classification of the RTIR ticket - |
-
- - |
-|
ticket-number |
-text |
-
- ticket-number of the RTIR ticket - |
-
- - |
-|||
constituency |
-text |
-
- Constituency of the RTIR ticket - |
-
- - |
-|||
queue |
text |
@@ -4397,26 +4456,16 @@ tor-node is a MISP object available in JSON format at version |
+nickname |
text |
- parsed version of tor, this is None if the relay’s using a new versioning scheme. +router’s nickname. |
|
published |
-datetime |
-
- router’s publication time. This can be different from first-seen and last-seen. - |
-
- - |
-|||
version_line |
text |
@@ -4427,26 +4476,6 @@ tor-node is a MISP object available in JSON format at description |
-text |
-
- Tor node description. - |
-
- - |
-|
last-seen |
-datetime |
-
- When the Tor node designed by the IP address has been seen for the last time. - |
-
- - |
-|||
first-seen |
datetime |
@@ -4457,46 +4486,6 @@ tor-node is a MISP object available in JSON format at fingerprint |
-text |
-
- router’s fingerprint. - |
-
- - |
-|
nickname |
-text |
-
- router’s nickname. - |
-
- - |
-|||
flags |
-text |
-
- list of flag associated with the node. - |
-
- - |
-|||
text |
-text |
-
- Tor node comment. - |
-
- - |
-|||
document |
text |
@@ -4507,6 +4496,46 @@ tor-node is a MISP object available in JSON format at published |
+datetime |
+
+ router’s publication time. This can be different from first-seen and last-seen. + |
+
+ + |
+|
last-seen |
+datetime |
+
+ When the Tor node designed by the IP address has been seen for the last time. + |
+
+ + |
+|||
description |
+text |
+
+ Tor node description. + |
+
+ + |
+|||
version |
+text |
+
+ parsed version of tor, this is None if the relay’s using a new versioning scheme. + |
+
+ + |
+|||
address |
ip-src |
|||||
fingerprint |
+text |
+
+ router’s fingerprint. + |
+
+ + |
+|||
text |
+text |
+
+ Tor node comment. + |
+
+ + |
+|||
flags |
+text |
+
+ list of flag associated with the node. + |
+
+ + |
+
text
-text
host
hostname
Description of the URL
--
first-seen
datetime
First time this URL has been seen
--
last-seen
datetime
Last time this URL has been seen
--
domain
domain
Full domain
+Full hostname
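Review bot: The tor-node descriptions moved in these hunks are inconsistent with the rest of the page: they start in lower case ("router’s nickname.", "router’s fingerprint.", "list of flag associated with the node.") where every other object capitalises its descriptions, "list of flag" should be "list of flags", and "the Tor node designed by the IP address" on the `last-seen` row should be "designated by". Worth fixing in the template while the rows are being regenerated anyway.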
@@ -4625,10 +4654,50 @@ url is a MISP object available in JSON format at
subdomain
first-seen
datetime
First time this URL has been seen
++
domain
domain
Full domain
++
text
text
Subdomain
+Description of the URL
++
last-seen
datetime
Last time this URL has been seen
++
query_string
text
Query (after path, preceded by '?')
@@ -4665,10 +4734,10 @@ url is a MISP object available in JSON format at
host
hostname
fragment
text
Full hostname
+Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
@@ -4685,20 +4754,10 @@ url is a MISP object available in JSON format at
fragment
subdomain
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
query_string
text
Query (after path, preceded by '?')
+Subdomain
@@ -4743,20 +4802,10 @@ victim is a MISP object available in JSON format at
regions
description
text
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
name
text
The name of the victim targeted. The name can be an organisation or a group of organisations.
+Description of the victim
@@ -4773,6 +4822,16 @@ victim is a MISP object available in JSON format at
regions
text
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
classification
text
description
sectors
text
Description of the victim
+The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
sectors
name
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
+The name of the victim targeted. The name can be an organisation or a group of organisations.
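Review bot: the `sectors` enumeration renders literal `\xad` escapes (the soft hyphen, U+00AD) inside values such as 'financial\xadservices', 'government\xadnational' and 'non\xadprofit'; this looks like a Python repr of non-ASCII characters leaking into the generated page, and anyone copying these values from the documentation will not get a string that matches the template. Normalise the sector names to plain ASCII hyphens ('financial-services', 'government-national', 'non-profit') in the source list, or render the list without repr escaping. In the same hunk, "The list of sectors that the victim belong to" should read "belongs to", and the `classification` row (type text) shows no description while `regions`, `sectors` and `name` all have one.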
@@ -4851,20 +4910,10 @@ virustotal-report is a MISP object available in JSON format at
detection-ratio
text
first-submission
datetime
Detection Ratio
--
permalink
link
Permalink Reference
+First Submission
@@ -4881,15 +4930,25 @@ virustotal-report is a MISP object available in JSON format at
first-submission
datetime
permalink
link
First Submission
+Permalink Reference
detection-ratio
text
Detection Ratio
++
id
+vulnerability
Vulnerability ID (generally CVE, but not necessarely)
++
modified
datetime
Last modification date
++
published
datetime
id
vulnerability
references
link
Vulnerability ID (generally CVE, but not necessarely)
+External references
modified
datetime
Last modification date
--
references
link
External references
--
registrant-email
-whois-registrant-email
Registrant email address
--
text
text
Full whois entry
--
registrant-name
whois-registrant-name
Registrant name
--
creation-date
datetime
Initial creation of the whois entry
--
registar
whois-registrar
Registrar of the whois entry
--
registrant-phone
whois-registrant-phone
Registrant phone number
--
expiration-date
datetime
registrant-name
whois-registrant-name
Registrant name
++
registar
whois-registrar
Registrar of the whois entry
++
modification-date
datetime
creation-date
datetime
Initial creation of the whois entry
++
registrant-email
whois-registrant-email
Registrant email address
++
registrant-phone
whois-registrant-phone
Registrant phone number
++
text
text
Full whois entry
++
version
-text
Version of the certificate
--
raw-base64
text
Raw certificate base64 encoded
--
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
validity-not-after
datetime
Certificate invalid after that date
--
pubkey-info-exponent
text
pubkey-info-size
text
Length of the public key (in bits)
--
pubkey-info-algorithm
text
Algorithm of the public key
--
validity-not-before
datetime
text
text
Free text description of hte certificate
--
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
pubkey-info-modulus
text
Modulus of the public key
--
serial-number
text
validity-not-after
datetime
Certificate invalid after that date
++
pubkey-info-modulus
text
Modulus of the public key
++
version
text
Version of the certificate
++
issuer
text
pubkey-info-size
text
Length of the public key (in bits)
++
raw-base64
text
Raw certificate base64 encoded
++
pubkey-info-algorithm
text
Algorithm of the public key
++
text
text
Free text description of hte certificate
++
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
version
-comment
yabin.py and regex.txt version used for the generation of the yara rules.
--
yara
yara
whitelist
yara-hunt
yara
Wide yara rule generated from -yh.
++
version
comment
Whitelist name used to generate the rules.
+yabin.py and regex.txt version used for the generation of the yara rules.
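Review bot: several descriptions in this region need fixing before the page is regenerated: "Vulnerability ID (generally CVE, but not necessarely)" should read "necessarily"; "Free text description of hte certificate" should read "the certificate"; and the whois attribute is named `registar` (typed `whois-registrar`) rather than `registrar`. Renaming an attribute is a breaking change for the object template, so if the misspelling is fixed, bump the template version rather than silently changing the name. Several rows here also show a type but no description as rendered (`published`, `expiration-date`, `modification-date`, `pubkey-info-exponent`, `serial-number`, `issuer`, and the yabin `yara` row); check whether the generator dropped them or the templates lack them. The yabin `version` attribute is typed `comment`; if it holds the yabin.py and regex.txt version string, `text` is the better fit.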
@@ -5393,13 +5452,13 @@ yabin is a MISP object available in JSON format at
yara-hunt
yara
whitelist
comment
Wide yara rule generated from -yh.
+Whitelist name used to generate the rules.
+
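Review bot: the descriptions in this hunk look crossed with the attribute names: `whitelist` (typed `comment`) is followed by "Wide yara rule generated from -yh.", which is the `yara-hunt` description, and "Whitelist name used to generate the rules." lands after it as the added line. Check that the generator pairs each name, type and description from the same attribute before merging; as rendered, a reader cannot tell which field is the whitelist name and which is the wide rule.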
This relationship describes an object which triggers another object.
['misp']
vulnerability-of
This relationship describes an object which is a vulnerability of another object.
['cert-eu']
works-like
This relationship describes an object which works like another object.
['cert-eu']
seller-of
This relationship describes an object which is selling another object.
['cert-eu']
seller-on
This relationship describes an object which is selling on another object.
['cert-eu']
trying-to-obtain-the-exploit
This relationship describes an object which is trying to obtain the exploit described by another object.
['cert-eu']
used-by
This relationship describes an object which is used by another object.
['cert-eu']
affiliated
This relationship describes an object which is affiliated with another object.
['cert-eu']
alleged-founder-of
This relationship describes an object which is the alleged founder of another object.
['cert-eu']
attacking-other-group
This relationship describes an object which attacks another object.
['cert-eu']
belongs-to
This relationship describes an object which belongs to another object.
['cert-eu']
business-relations
This relationship describes an object which has business relations with another object.
['cert-eu']
claims-to-be-the-founder-of
This relationship describes an object which claims to be the founder of another object.
['cert-eu']
cooperates-with
This relationship describes an object which cooperates with another object.
['cert-eu']
former-member-of
This relationship describes an object which is a former member of another object.
['cert-eu']
successor-of
This relationship describes an object which is a successor of another object.
['cert-eu']
has-joined
This relationship describes an object which has joined another object.
['cert-eu']
member-of
This relationship describes an object which is a member of another object.
['cert-eu']
primary-member-of
This relationship describes an object which is a primary member of another object.
['cert-eu']
administrator-of
This relationship describes an object which is an administrator of another object.
['cert-eu']
is-in-relation-with
This relationship describes an object which is in relation with another object.
['cert-eu']
provide-support-to
This relationship describes an object which provides support to another object.
['cert-eu']
regional-branch
This relationship describes an object which is a regional branch of another object.
['cert-eu']
similar
This relationship describes an object which is similar to another object.
['cert-eu']
subgroup
This relationship describes an object which is a subgroup of another object.
['cert-eu']
suspected-link
This relationship describes an object which is suspected to be linked with another object.
['misp']
same-as
This relationship describes an object which is the same as another object.
['misp']