From 3c9ef124d2780fbfea387fca1dd52e58a0ff6a94 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 12 Oct 2017 22:12:52 +0200
Subject: [PATCH] Objects updated
---
objects.html | 2751 ++--
objects.pdf | 33296 ++++++++++++++++++++++++++-----------------------
2 files changed, 18874 insertions(+), 17173 deletions(-)
diff --git a/objects.html b/objects.html
index 90ee80c..212d197 100755
--- a/objects.html
+++ b/objects.html
@@ -457,6 +457,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
first-seen
datetime
text
text
sensor
+text
+
+
original-date
datetime
first-seen
datetime
+
+
origin
url
sensor
text
-
-
text
text
-
-
cookie-name
-text
-
-
cookie-value
text
-
-
cookie
cookie
cookie-name
text
+
+
cookie-value
text
+
+
version
+text
+
+
comment
comment
version
cc-number
cc-number
+
+
name
text
cc-number
cc-number
-
-
name
text
-
-
src-port
+port
+
+
dst-port
port
+
+
ip-dst
ip-dst
+
+
text
text
+
+
first-seen
datetime
ip-src
ip-src
+
+
last-seen
datetime
+
+
total-bps
counter
ip-src
ip-src
-
-
src-port
port
-
-
ip-dst
ip-dst
-
-
dst-port
port
-
-
protocol
text
last-seen
datetime
-
-
text
text
-
-
domain
-domain
last-seen
datetime
+
+
text
text
domain
+domain
+
+
ip
ip-dst
last-seen
datetime
-
-
text
text
-
-
os_abi
-text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
--
text
text
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
++
number-sections
counter
sha512/224
sha512/224
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha384
sha384
+
+
sha224
sha224
sha1
-sha1
-
-
sha256
sha256
-
-
size-in-bytes
size-in-bytes
-
-
flag
text
md5
md5
-
-
text
text
-
-
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
ssdeep
ssdeep
sha1
sha1
sha384
-sha384
size-in-bytes
size-in-bytes
+
+
text
text
+
+
sha512/224
sha512/224
sha224
-sha224
-
-
name
text
md5
md5
+
+
ssdeep
ssdeep
+
+
sha256
sha256
+
+
reply-to
-email-reply-to
from-display-name
email-src-display-name
subject
-email-subject
-
-
message-id
email-message-id
cc
email-dst
to-display-name
-email-dst-display-name
-
-
return-path
text
header
email-header
message-id
email-message-id
cc
+to-display-name
email-dst-display-name
+
+
subject
email-subject
+
+
mime-boundary
email-mime-boundary
+
+
to
email-dst
@@ -1425,8 +1436,8 @@ email is a MISP object available in JSON format at
from
email-src
x-mailer
email-x-mailer
to
-email-dst
header
email-header
from-display-name
-email-src-display-name
reply-to
email-reply-to
x-mailer
-email-x-mailer
-
-
mime-boundary
email-mime-boundary
from
email-src
sha512/224
-sha512/224
authentihash
authentihash
+
+
sha384
sha384
+
+
sha224
sha224
sha256
-sha256
-
-
sha1
sha1
-
-
filename
filename
-
-
size-in-bytes
size-in-bytes
-
-
pattern-in-file
pattern-in-file
-
-
malware-sample
malware-sample
-
-
md5
md5
-
-
text
text
-
-
mimetype
text
authentihash
authentihash
filename
filename
ssdeep
-ssdeep
pattern-in-file
pattern-in-file
sha512
-sha512
-
-
sha384
sha384
malware-sample
malware-sample
sha1
+sha1
+
+
sha512
sha512
+
+
text
text
+
+
sha512/224
sha512/224
+
+
sha512/256
sha512/256
sha224
sha224
md5
md5
sha256
sha256
+
+
ssdeep
ssdeep
+
+
size-in-bytes
size-in-bytes
+
+
longitude
+float
+
+
country
text
+
+
text
text
+
+
first-seen
datetime
longitude
altitude
float
+
last-seen
datetime
+
altitude
-float
-
-
city
text
country
text
-
-
last-seen
datetime
-
-
text
text
-
-
proxy-user
-text
user-agent
user-agent
referer
+referer
+
+
basicauth-password
text
host
hostname
-
-
user-agent
user-agent
-
-
proxy-password
text
-
-
text
text
-
-
uri
uri
-
-
cookie
text
-
-
basicauth-user
text
referer
referer
proxy-user
text
cookie
+text
+
+
host
hostname
+
+
text
text
+
+
proxy-password
text
+
+
method
http-method
uri
uri
+
+
first-seen
-datetime
-
-
ip
ip-dst
-
-
src-port
port
text
text
+
+
first-seen
datetime
+
+
last-seen
datetime
text
text
ip
ip-dst
ip-dst
+ip-dst
+
+
first-seen
datetime
ip-dst
ip-dst
-
-
description
text
text
text
-
-
name
text
entrypoint-address
number-sections
counter
+
+
text
text
@@ -2273,8 +2274,8 @@ macho is a MISP object available in JSON format at
number-sections
counter
entrypoint-address
text
sha512/224
-sha512/224
sha384
sha384
+
+
sha224
sha224
sha256
-sha256
sha512
sha512
md5
-md5
-
-
text
text
ssdeep
ssdeep
-
-
sha512
sha512
-
-
sha384
sha384
sha512/224
sha512/224
sha224
-sha224
-
-
name
text
md5
md5
+
+
ssdeep
ssdeep
+
+
sha256
sha256
+
+
link
-url
-
-
removal-date
datetime
-
-
post
text
-
-
creation-date
datetime
username-quoted
text
link
url
removal-date
+datetime
+
+
username
text
post
text
+
+
username-quoted
text
+
+
zone_time_last
-datetime
-
-
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
rrname
text
-
-
time_last
datetime
-
-
time_first
datetime
-
-
text
text
-
-
sensor_id
text
origin
rrname
text
+
+
count
counter
+
+
time_first
datetime
+
+
text
text
@@ -2727,8 +2698,38 @@ passive-dns is a MISP object available in JSON format at
count
counter
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
zone_time_last
datetime
+
+
time_last
datetime
+
+
origin
text
origin
-text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
--
url
url
-
-
last-seen
datetime
url
url
+
+
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
++
original-filename
+filename
+
+
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
entrypoint-address
text
+
+
legal-copyright
text
pehash
pehash
-
-
original-filename
internal-filename
filename
@@ -2913,16 +2934,6 @@ pe is a MISP object available in JSON format at
entrypoint-section-at-position
text
-
-
lang-id
text
product-version
text
-
-
text
text
-
-
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
company-name
text
imphash
imphash
pehash
pehash
product-name
+impfuzzy
impfuzzy
+
+
text
text
@@ -2993,13 +2984,13 @@ pe is a MISP object available in JSON format at
impfuzzy
impfuzzy
entrypoint-section-at-position
text
+
entrypoint-address
-text
-
-
file-description
product-name
text
@@ -3043,8 +3024,8 @@ pe is a MISP object available in JSON format at
internal-filename
filename
imphash
imphash
product-version
text
+
+
file-description
text
+
+
sha512/224
-sha512/224
sha384
sha384
+
+
sha224
sha224
sha256
-sha256
sha512
sha512
md5
-md5
-
-
text
text
ssdeep
ssdeep
-
-
sha512
sha512
-
-
sha384
sha384
sha512/224
sha512/224
sha224
-sha224
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
++
md5
md5
+
+
ssdeep
ssdeep
name
-text
sha256
sha256
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
+
+
passport-number
-passport-number
nationality
nationality
passport-country
-passport-country
date-of-birth
date-of-birth
+
+
first-name
first-name
+
+
place-of-birth
place-of-birth
place-of-birth
-place-of-birth
last-name
last-name
gender
+gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
++
text
text
last-name
last-name
passport-country
passport-country
nationality
-nationality
-
-
first-name
first-name
-
-
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
--
date-of-birth
date-of-birth
passport-number
passport-number
msisdn
+first-seen
datetime
+
+
gummei
text
+
+
text
text
+
+
serial-number
text
@@ -3447,26 +3478,6 @@ phone is a MISP object available in JSON format at
first-seen
datetime
-
-
serial-number
text
-
-
last-seen
datetime
text
guti
text
+
gummei
imsi
text
@@ -3507,17 +3518,7 @@ phone is a MISP object available in JSON format at
guti
text
-
-
imsi
msisdn
text
@@ -3565,7 +3566,7 @@ r2graphity is a MISP object available in JSON format at
referenced-strings
shortest-path-to-create-thread
counter
@@ -3575,8 +3576,8 @@ r2graphity is a MISP object available in JSON format at
r2-commit-version
text
create-thread
counter
callback-largest
+referenced-strings
counter
@@ -3605,7 +3606,27 @@ r2graphity is a MISP object available in JSON format at
miss-api
gml
attachment
+
+
dangling-strings
counter
+
+
total-functions
counter
@@ -3625,7 +3646,7 @@ r2graphity is a MISP object available in JSON format at
shortest-path-to-create-thread
local-references
counter
@@ -3635,7 +3656,67 @@ r2graphity is a MISP object available in JSON format at
create-thread
miss-api
counter
+
+
callbacks
counter
+
+
callback-average
counter
+
+
ratio-functions
float
+
+
callback-largest
counter
+
+
r2-commit-version
text
+
+
get-proc-address
counter
@@ -3665,7 +3746,7 @@ r2graphity is a MISP object available in JSON format at
callback-average
total-api
counter
@@ -3685,16 +3766,6 @@ r2graphity is a MISP object available in JSON format at
callbacks
counter
-
-
not-referenced-strings
counter
gml
attachment
-
-
get-proc-address
counter
-
-
ratio-functions
float
-
-
total-functions
counter
-
-
total-api
counter
-
-
local-references
counter
-
-
dangling-strings
counter
-
-
data-type
-reg-datatype
last-modified
datetime
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
+
hive
reg-hive
name
reg-name
last-modified
-datetime
hive
reg-hive
name
-reg-name
data-type
reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
++
RTIR - Request Tracker for Incident Response.
++ + | ++rtir is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +|||||
---|---|---|---|---|---|---|---|---|
queue |
+text |
+
+ Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports'] + |
+
+ + |
+|||||
classification |
+text |
+
+ + |
+
+ + |
+|||||
status |
+text |
+
+ Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted'] + |
+
+ + |
+|||||
constituency |
+text |
+
+ + |
+
+ + |
+|||||
ticket-number |
+text |
+
+ + |
+
+ + |
+|||||
subject |
+text |
+
+ + |
+
+ + |
+|||||
ip |
+ip-dst |
|
@@ -3999,7 +4108,7 @@ tor-node is a MISP object available in JSON format at published |
datetime |
@@ -4009,6 +4118,36 @@ tor-node is a MISP object available in JSON format at nickname |
+text |
+
+ + |
+
+ + |
+
document |
+text |
+
+ + |
+
+ + |
+|||||
address |
+ip-src |
+
+ + |
+
+ + |
+|||||
version_line |
text |
@@ -4029,57 +4168,7 @@ tor-node is a MISP object available in JSON format at description |
-text |
-
- - |
-
- - |
-|||
nickname |
-text |
-
- - |
-
- - |
-|||||
last-seen |
-datetime |
-
- - |
-
- - |
-|||||
text |
-text |
-
- - |
-
- - |
-|||||
address |
-ip-src |
-
- - |
-
- - |
-|||||
published |
+first-seen |
datetime |
@@ -4099,7 +4188,7 @@ tor-node is a MISP object available in JSON format at document |
+description |
text |
|||
text |
+text |
+
+ + |
+
+ + |
+|||||
last-seen |
+datetime |
+
+ + |
+
+ + |
+
port
-port
-
-
first-seen
datetime
-
-
resource_path
text
-
-
host
hostname
-
-
tld
text
last-seen
datetime
-
-
text
text
-
-
domain
domain
subdomain
text
-
-
domain_without_tld
text
-
-
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
url
url
-
-
credential
text
-
-
query_string
text
resource_path
text
+
+
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
++
host
hostname
+
+
domain_without_tld
text
+
+
url
url
+
+
text
text
+
+
first-seen
datetime
+
+
subdomain
text
+
+
last-seen
datetime
+
+
port
port
+
+
credential
text
+
+
sectors
+name
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
+
roles
regions
text
@@ -4375,7 +4484,7 @@ victim is a MISP object available in JSON format at
regions
roles
text
@@ -4385,10 +4494,10 @@ victim is a MISP object available in JSON format at
name
sectors
text
+
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
@@ -4433,16 +4542,6 @@ vulnerability is a MISP object available in JSON format at
references
link
-
-
vulnerable_configuration
text
published
datetime
text
text
id
-vulnerability
-
-
summary
text
text
text
id
vulnerability
+
+
published
datetime
+
+
references
link
registar
+whois-registrar
+
+
registrant-email
whois-registrant-email
+
+
text
text
+
+
domain
domain
modification-date
datetime
+
+
registrant-phone
whois-registrant-phone
+
+
expiration-date
datetime
+
+
registrant-name
whois-registrant-name
registrant-email
whois-registrant-email
-
-
registar
whois-registrar
-
-
text
text
-
-
modification-date
datetime
-
-
expiration-date
datetime
-
-
registrant-phone
whois-registrant-phone
-
-
x509-fingerprint-md5
-md5
version
text
+
+
pubkey-info-modulus
text
subject
-text
-
-
pubkey-info-size
text
-
-
version
text
-
-
pubkey-info-algorithm
pubkey-info-exponent
text
@@ -4739,57 +4828,7 @@ x509 is a MISP object available in JSON format at
text
text
-
-
x509-fingerprint-sha1
sha1
-
-
pubkey-info-modulus
text
-
-
x509-fingerprint-sha256
sha256
-
-
pubkey-info-exponent
text
-
-
serial-number
pubkey-info-algorithm
text
text
text
+
+
serial-number
text
+
+
x509-fingerprint-sha1
sha1
+
+
subject
text
+
+
x509-fingerprint-sha256
sha256
+
+
x509-fingerprint-md5
md5
+
+
pubkey-info-size
text
+
+
yara-hunt
+comment
comment
+
+
yara
yara
@@ -4887,7 +5006,7 @@ yabin is a MISP object available in JSON format at
yara
yara-hunt
yara
comment
comment
-
-