diff --git a/objects.html b/objects.html index 26aa911..e586879 100755 --- a/objects.html +++ b/objects.html @@ -440,6 +440,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
last-seen
+original-date
datetime
When the leak has been accessible or seen for the last time.
--
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
+When the information available in the leak was created. It’s usually before the first-seen.
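Review bot: apart from the genuinely new `original-date` row, this hunk only moves the existing `last-seen` and `text` rows of ail-leak to different positions; their type and description columns are unchanged. A documentation generator that emits rows in JSON-object iteration order will churn like this on every regeneration and bury the real change; emitting the attribute rows sorted by name (or in the order they appear in the object template) would keep future diffs limited to added, removed or reworded attributes.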
@@ -585,26 +576,6 @@ ail-leak is a MISP object available in JSON format at
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
--
origin
url
The link where the leak is (or was) accessible at first-seen.
--
type
text
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
origin
link
The link where the leak is (or was) accessible at first-seen.
++
last-seen
datetime
When the leak has been accessible or seen for the last time.
++
sensor
text
Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike..
++ + | ++asn is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
subnet-announced |
+text |
+
+ Subnet announced + |
+
+ + |
+
first-seen |
+datetime |
+
+ First time the ASN was seen + |
+
+ + |
+
import |
+text |
+
+ The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format + |
+
+ + |
+
export |
+text |
+
+ The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format + |
+
+ + |
+
asn |
+as |
+
+ Autonomous System Number + |
+
+ + |
+
mp-export |
+text |
+
+ This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format + |
+
+ + |
+
description |
+text |
+
+ Description of the autonomous system + |
+
+ + |
+
last-seen |
+datetime |
+
+ Last time the ASN was seen + |
+
+ + |
+
country |
+text |
+
+ Country code of the main location of the autonomous system + |
+
+ + |
+
mp-import |
+text |
+
+ The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format + |
+
+ + |
+
software
text
Name of antivirus software
++
signature
text
software
text
Name of antivirus software
--
text
-text
A description of the cookie.
--
cookie-value
text
type
cookie-name
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
+Name of the cookie (if splitted)
cookie-name
text
text
Name of the cookie (if splitted)
+A description of the cookie.
++
type
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
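Review bot: two wording defects are carried over into the regenerated rows rather than fixed at the source. The asn object description reads "one or more network operators management an entity (e.g. ISP) ... or alike..", which should be "managed by an entity" (or "managing an entity") and end with a single period, and the cookie `cookie-name` description "Name of the cookie (if splitted)" should read "(if split)". Since this HTML is generated, the fix belongs in the object template JSON, otherwise the next regeneration reintroduces both.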
@@ -829,10 +968,10 @@ credential is a MISP object available in JSON format at
origin
password
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
+Password
@@ -849,26 +988,6 @@ credential is a MISP object available in JSON format at
username
text
Username related to the password(s)
--
password
text
Password
--
notification
text
text
text
A description of the credential(s)
++
origin
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
++
format
text
text
username
text
A description of the credential(s)
+Username related to the password(s)
+
comment
-comment
version
text
A description of the card.
+Version of the card.
@@ -957,20 +1096,20 @@ credit-card is a MISP object available in JSON format at
name
text
expiration
datetime
Name of the card owner.
+Maximum date of validity
expiration
datetime
name
text
Maximum date of validity
+Name of the card owner.
@@ -987,10 +1126,10 @@ credit-card is a MISP object available in JSON format at
version
text
comment
comment
Version of the card.
+A description of the card.
@@ -1045,10 +1184,30 @@ ddos is a MISP object available in JSON format at
dst-port
port
ip-src
ip-src
Destination port of the attack
+IP address originating the attack
++
ip-dst
ip-dst
Destination ID (victim)
++
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
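Review bot: the `ip-dst` row's description "Destination ID (victim)" looks like a typo for "Destination IP (victim)", given the attribute type is `ip-dst` and the sibling `ip-src` row reads "IP address originating the attack". The same string is removed and re-added unchanged in the later ddos hunk, so correct it in the template rather than only in the rendered table.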
@@ -1065,10 +1224,30 @@ ddos is a MISP object available in JSON format at
protocol
total-pps
counter
Packets per second
++
dst-port
port
Destination port of the attack
++
text
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
+Description of the DDoS
@@ -1095,36 +1274,6 @@ ddos is a MISP object available in JSON format at
ip-src
ip-src
IP address originating the attack
--
total-pps
counter
Packets per second
--
ip-dst
ip-dst
Destination ID (victim)
--
last-seen
datetime
text
text
Description of the DDoS
--
ip
-ip-dst
IP Address
--
last-seen
first-seen
datetime
Last time the tuple has been seen
+First time the tuple has been seen
@@ -1213,10 +1342,10 @@ domain-ip is a MISP object available in JSON format at
first-seen
last-seen
datetime
First time the tuple has been seen
+Last time the tuple has been seen
ip
ip-dst
IP Address
++
entrypoint-address
+text
text
Address of the entry point
+Free text value to attach to the ELF
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
++
arch
text
text
os_abi
text
Free text value to attach to the ELF
+Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
++
entrypoint-address
text
Address of the entry point
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
--
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
--
sha512/256
-sha512/256
Secure Hash Algorithm 2 (256 bits)
--
text
text
Free text value to attach to the section
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha256
sha256
flag
text
sha512
sha512
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Secure Hash Algorithm 2 (512 bits)
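Review bot: the new elf `os_abi` row uses an underscore while every other attribute in the object (`entrypoint-address`, `type`, `arch`) is hyphenated; settle on one convention, since tooling that derives attribute names programmatically from the template will otherwise need a special case. In the elf-section rows, the `sha512/256` description "Secure Hash Algorithm 2 (256 bits)" does not tell the reader that this is the truncated SHA-512 variant and not SHA-256; "SHA-512/256 (SHA-512 truncated to 256 bits)" would make the distinction clear in the rendered table.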
@@ -1479,10 +1548,10 @@ elf-section is a MISP object available in JSON format at
entropy
float
size-in-bytes
size-in-bytes
Entropy of the whole section
+Size of the section, in bytes
@@ -1499,16 +1568,86 @@ elf-section is a MISP object available in JSON format at
sha512
sha512
sha512/224
sha512/224
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (224 bits)
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
text
text
Free text value to attach to the section
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
++
md5
md5
message-id
email-message-id
Message ID
--
send-date
datetime
Date the email has been sent
--
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
subject
email-subject
Subject
--
attachment
email-attachment
Attachment
--
to
email-dst
header
email-header
Full headers
--
mime-boundary
email-mime-boundary
MIME Boundary
--
thread-index
email-thread-index
Identifies a particular conversation thread
--
reply-to
email-reply-to
Email address the reply will be sent to
--
to-display-name
email-dst-display-name
from-display-name
email-src-display-name
reply-to
email-reply-to
Display name of the sender
+Email address the reply will be sent to
++
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
@@ -1687,6 +1746,16 @@ email is a MISP object available in JSON format at
attachment
email-attachment
Attachment
++
cc
email-dst
message-id
email-message-id
Message ID
++
mime-boundary
email-mime-boundary
MIME Boundary
++
send-date
datetime
Date the email has been sent
++
header
email-header
Full headers
++
return-path
text
screenshot
attachment
Screenshot of email
++
subject
email-subject
Subject
++
from-display-name
email-src-display-name
Display name of the sender
++
thread-index
email-thread-index
Identifies a particular conversation thread
++
filename
+filename
Filename on disk
++
sha384
sha384
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
text
text
Free text value to attach to the file
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the file, in bytes
--
mimetype
text
Mime type
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
sha1
sha1
md5
md5
[Insecure] Secure Hash Algorithm 1 (160 bits)
+[Insecure] MD5 hash (128 bits)
pattern-in-file
pattern-in-file
size-in-bytes
size-in-bytes
Pattern that can be found in the file
--
malware-sample
malware-sample
The file itself (binary)
--
state
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
--
filename
filename
Filename on disk
--
entropy
float
Entropy of the whole file
+Size of the file, in bytes
@@ -1905,10 +1964,30 @@ file is a MISP object available in JSON format at
authentihash
authentihash
mimetype
text
Authenticode executable signature hash
+Mime type
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
pattern-in-file
pattern-in-file
Pattern that can be found in the file
@@ -1925,10 +2004,80 @@ file is a MISP object available in JSON format at
md5
md5
state
text
[Insecure] MD5 hash (128 bits)
+State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
authentihash
authentihash
Authenticode executable signature hash
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
text
text
Free text value to attach to the file
++
malware-sample
malware-sample
The file itself (binary)
++
entropy
float
Entropy of the whole file
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
@@ -1973,36 +2122,16 @@ geolocation is a MISP object available in JSON format at
last-seen
datetime
When the location was seen for the last time.
--
region
city
text
Region.
+City.
text
text
A generic description of the location.
--
first-seen
datetime
city
region
text
City.
+Region.
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
--
country
text
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
++
text
text
A generic description of the location.
++
last-seen
datetime
When the location was seen for the last time.
++
latitude
float
proxy-password
text
HTTP Proxy Password
--
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
--
user-agent
user-agent
The user agent string of the user agent
--
proxy-user
text
HTTP Proxy Username
--
host
hostname
The domain name of the server
--
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
--
method
http-method
content-type
other
proxy-user
text
The MIME type of the body of the request
--
url
url
Full HTTP Request URL
+HTTP Proxy Username
@@ -2201,10 +2280,40 @@ http-request is a MISP object available in JSON format at
uri
uri
host
hostname
Request URI
+The domain name of the server
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
++
url
url
Full HTTP Request URL
++
basicauth-password
text
HTTP Basic Authentication Password
@@ -2221,10 +2330,50 @@ http-request is a MISP object available in JSON format at
basicauth-password
proxy-password
text
HTTP Basic Authentication Password
+HTTP Proxy Password
++
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
++
user-agent
user-agent
The user agent string of the user agent
++
content-type
other
The MIME type of the body of the request
++
uri
uri
Request URI
@@ -2269,26 +2418,6 @@ ip-port is a MISP object available in JSON format at
dst-port
port
Destination port
--
last-seen
datetime
Last time the tuple has been seen
--
first-seen
datetime
dst-port
port
Destination port
++
text
text
last-seen
datetime
Last time the tuple has been seen
++
ip
ip-dst
ja3-fingerprint-md5
md5
Hash identifying source
--
first-seen
datetime
First seen of the SSL/TLS handshake
--
ip-src
ip-src
last-seen
datetime
Last seen of the SSL/TLS handshake
--
ip-dst
ip-dst
ja3-fingerprint-md5
md5
Hash identifying source
++
first-seen
datetime
First seen of the SSL/TLS handshake
++
last-seen
datetime
Last seen of the SSL/TLS handshake
++
text
+text
Free text value to attach to the Mach-O file
++
entrypoint-address
text
name
text
Binary’s name
++
number-sections
counter
name
text
Binary’s name
--
text
text
Free text value to attach to the Mach-O file
--
sha512/256
-sha512/256
Secure Hash Algorithm 2 (256 bits)
--
text
text
Free text value to attach to the section
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha256
sha256
sha1
sha1
sha512
sha512
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Secure Hash Algorithm 2 (512 bits)
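Review bot: the ja3 `ja3-fingerprint-md5` row is typed as plain `md5` with the description "Hash identifying source". That description should say what is hashed ("MD5 of the JA3 client-hello fingerprint string"), and typing it as `md5` means the value will correlate against file hashes in other events, which is never a meaningful match. If the target MISP version supports the dedicated `ja3-fingerprint-md5` attribute type, use it here; otherwise consider disabling correlation on this attribute.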
@@ -2643,10 +2742,10 @@ macho-section is a MISP object available in JSON format at
entropy
float
size-in-bytes
size-in-bytes
Entropy of the whole section
+Size of the section, in bytes
@@ -2663,16 +2762,66 @@ macho-section is a MISP object available in JSON format at
sha512
sha512
sha512/224
sha512/224
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (224 bits)
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
text
text
Free text value to attach to the section
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
++
md5
md5
modification-date
datetime
Last update of the microblog post
--
post
username-quoted
text
Raw post
+Username who are quoted into the microblog post
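Review bot: the microblog `username-quoted` description "Username who are quoted into the microblog post" is ungrammatical; "Username(s) quoted in the microblog post" reads correctly and also signals that the attribute may occur more than once, which matters to anyone building the object from a parsed post.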
@@ -2751,30 +2890,10 @@ microblog is a MISP object available in JSON format at
username
text
Username who posted the microblog post
--
username-quoted
text
Username who are quoted into the microblog post
--
creation-date
modification-date
datetime
Initial creation of the microblog post
+Last update of the microblog post
@@ -2791,20 +2910,50 @@ microblog is a MISP object available in JSON format at
removal-date
datetime
link
url
When the microblog post was removed
+Link into the microblog post
link
url
creation-date
datetime
Link into the microblog post
+Initial creation of the microblog post
++
post
text
Raw post
++
username
text
Username who posted the microblog post
++
removal-date
datetime
When the microblog post was removed
@@ -2849,126 +2998,6 @@ netflow is a MISP object available in JSON format at
src-as
AS
Source AS number for this flow
--
last-packet-seen
datetime
Last packet seen in this flow
--
first-packet-seen
datetime
First packet seen in this flow
--
direction
text
Direction of this flow ['Ingress', 'Egress']
--
packet-count
counter
Packets counted in this flow
--
src-port
port
Source port of the netflow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
dst-port
port
Destination port of the netflow
--
flow-count
counter
Flows counted in this flow
--
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
ip_version
counter
IP version of this flow
--
ip-src
ip-src
dst-as
AS
Destination AS number for this flow
++
ip-dst
ip-dst
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
flow-count
counter
Flows counted in this flow
++
dst-port
port
Destination port of the netflow
++
packet-count
counter
Packets counted in this flow
++
src-as
AS
Source AS number for this flow
++
first-packet-seen
datetime
First packet seen in this flow
++
ip_version
counter
IP version of this flow
++
last-packet-seen
datetime
Last packet seen in this flow
++
tcp-flags
text
dst-as
AS
src-port
port
Destination AS number for this flow
+Source port of the netflow
direction
text
Direction of this flow ['Ingress', 'Egress']
++
byte-count
counter
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
++
bailiwick
+rdata
text
Best estimate of the apex of the zone where this data is authoritative
--
sensor_id
text
Sensor information where the record was seen
--
origin
text
Origin of the Passive DNS response
--
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
--
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
--
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
--
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
+Resource records of the queried resource
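Review bot: the netflow `ip-protocol-number` row is typed `size-in-bytes`, but an IP protocol number (6 for TCP, 17 for UDP, 1 for ICMP) is not a byte count; `counter`, which the neighbouring `ip_version` row already uses, is the closer existing type. Two naming points in the same rows: `ip_version` uses an underscore while the rest of the object is hyphenated (`ip-src`, `dst-as`, `packet-count`), and `src-as`/`dst-as` are typed `AS` here while the asn object earlier in this patch types its `asn` attribute as `as`; attribute type names should match the MISP type list exactly so both objects validate. The passive-dns `time_first`, `zone_time_first` and `sensor_id` names with underscores are fine to keep, as they follow the Passive DNS Common Output Format field names.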
@@ -3147,20 +3226,40 @@ passive-dns is a MISP object available in JSON format at
text
text
zone_time_first
datetime
+
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
rdata
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
++
origin
text
Resource records of the queried resource
+Origin of the Passive DNS response
++
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
++
text
text
+
+
sensor_id
text
Sensor information where the record was seen
++
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
++
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
++
title
-text
Title of the paste or post.
--
paste
text
first-seen
datetime
When the paste has been accessible or seen for the first time.
++
url
url
last-seen
datetime
title
text
When the paste has been accessible or seen for the last time.
+Title of the paste or post.
+
first-seen
+last-seen
datetime
When the paste has been accessible or seen for the first time.
+When the paste has been accessible or seen for the last time.
@@ -3313,13 +3462,23 @@ pe is a MISP object available in JSON format at
entrypoint-address
text
imphash
imphash
Address of the entry point
+Hash (md5) calculated from the import table
+
+
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
+
original-filename
-filename
OriginalFilename in the resources
--
text
lang-id
text
Free text value to attach to the PE
+Lang ID in the resources
@@ -3363,80 +3512,30 @@ pe is a MISP object available in JSON format at
product-name
entrypoint-address
text
ProductName in the resources
+Address of the entry point
impfuzzy
impfuzzy
number-sections
counter
Fuzzy Hash (ssdeep) calculated from the import table
--
file-description
text
FileDescription in the resources
+Number of sections
lang-id
text
internal-filename
filename
Lang ID in the resources
--
legal-copyright
text
LegalCopyright in the resources
--
imphash
imphash
Hash (md5) calculated from the import table
--
product-version
text
ProductVersion in the resources
--
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
+InternalFilename in the resources
@@ -3453,10 +3552,20 @@ pe is a MISP object available in JSON format at
number-sections
counter
legal-copyright
text
Number of sections
+LegalCopyright in the resources
++
product-version
text
ProductVersion in the resources
@@ -3483,15 +3592,55 @@ pe is a MISP object available in JSON format at
internal-filename
filename
file-description
text
InternalFilename in the resources
+FileDescription in the resources
++
text
text
Free text value to attach to the PE
++
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
original-filename
filename
OriginalFilename in the resources
++
product-name
text
ProductName in the resources
++
sha512/256
-sha512/256
Secure Hash Algorithm 2 (256 bits)
--
text
text
Free text value to attach to the section
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha256
sha256
sha1
sha1
sha512
sha512
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Secure Hash Algorithm 2 (512 bits)
@@ -3621,20 +3720,10 @@ pe-section is a MISP object available in JSON format at
characteristic
text
size-in-bytes
size-in-bytes
Characteristic of the section ['read', 'write', 'executable']
--
entropy
float
Entropy of the whole section
+Size of the section, in bytes
@@ -3651,10 +3740,70 @@ pe-section is a MISP object available in JSON format at
sha512
sha512
sha512/224
sha512/224
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (224 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
text
text
Free text value to attach to the section
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
++
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
@@ -3709,40 +3858,20 @@ person is a MISP object available in JSON format at
date-of-birth
date-of-birth
first-name
first-name
Date of birth of a natural person (in YYYY-MM-DD format).
+First name of a natural person.
place-of-birth
place-of-birth
passport-expiration
passport-expiration
Place of birth of a natural person.
--
passport-number
passport-number
The passport number of a natural person.
--
nationality
nationality
The nationality of a natural person.
+The expiration date of a passport.
@@ -3759,6 +3888,16 @@ person is a MISP object available in JSON format at
place-of-birth
place-of-birth
Place of birth of a natural person.
++
last-name
last-name
nationality
nationality
The nationality of a natural person.
++
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
middle-name
middle-name
first-name
first-name
text
text
First name of a natural person.
+A description of the person or identity.
+
text
-text
passport-number
passport-number
A description of the person or identity.
--
passport-expiration
passport-expiration
The expiration date of a passport.
--
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
+The passport number of a natural person.
@@ -3867,26 +4016,6 @@ phone is a MISP object available in JSON format at
last-seen
datetime
When the phone has been accessible or seen for the last time.
--
text
text
A description of the phone.
--
first-seen
datetime
guti
text
last-seen
datetime
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
+When the phone has been accessible or seen for the last time.
-
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
--
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
-+
gummei
-text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
--
serial-number
text
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
++
imsi
text
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
++
text
text
A description of the phone.
++
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
++
local-references
+counter
Amount of API calls inside a code section
++
callback-average
counter
create-thread
counter
Amount of calls to CreateThread
--
total-api
counter
Total amount of API calls
--
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
total-functions
counter
Total amount of functions in the file.
--
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
r2-commit-version
text
Radare2 commit ID used to generate this object
--
text
text
Description of the r2graphity object
--
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
--
not-referenced-strings
counter
Amount of not referenced strings
--
referenced-strings
counter
memory-allocations
callback-largest
counter
Amount of memory allocations
+Largest callback
local-references
total-functions
counter
Amount of API calls inside a code section
+Total amount of functions in the file.
get-proc-address
counter
ratio-string
float
Amount of calls to GetProcAddress
+Ratio: amount of referenced strings per kilobyte of code section
callbacks
dangling-strings
counter
Amount of callbacks (functions started as thread)
+Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
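Review bot: the phone `tmsi` description "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated." is a sentence fragment; "Temporary Mobile Subscriber Identity (TMSI) allocated to a visiting mobile subscriber." says the same thing. In the r2graphity rows of this hunk, the `unknown-references` description contains the typo "probalby" and hedges about a tool bug ("Radare2 bug, probalby"); a description should state what is counted ("API call references that do not end in a detected function") and leave the speculation to the tool's issue tracker.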
@@ -4185,20 +4234,20 @@ r2graphity is a MISP object available in JSON format at
gml
attachment
shortest-path-to-create-thread
counter
Graph export in G>raph Modelling Language format
+Shortest path to the first time the binary calls CreateThread
callback-largest
counter
text
text
Largest callback
+Description of the r2graphity object
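Review bot: the `gml` row's description "Graph export in G>raph Modelling Language format" has a stray ">" in "Graph"; the same string is re-added verbatim in the next hunk, so fix the template and regenerate rather than patching the HTML twice.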
@@ -4215,6 +4264,56 @@ r2graphity is a MISP object available in JSON format at
get-proc-address
counter
Amount of calls to GetProcAddress
++
total-api
counter
Total amount of API calls
++
gml
attachment
Graph export in G>raph Modelling Language format
++
memory-allocations
counter
Amount of memory allocations
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
ratio-functions
float
r2-commit-version
text
Radare2 commit ID used to generate this object
++
callbacks
counter
Amount of callbacks (functions started as thread)
++
miss-api
counter
Amount of API call reference that does not resolve to a function offset
++
not-referenced-strings
counter
Amount of not referenced strings
++
create-thread
counter
Amount of calls to CreateThread
++
regexp
+text
regexp
++
comment
comment
regexp
text
regexp
--
name
-reg-name
data
reg-data
Name of the registry key
+Data stored in the registry key
last-modified
datetime
hive
reg-hive
Last time the registry key has been modified
+Hive used to store the registry key (file on disk)
++
name
reg-name
Name of the registry key
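Review bot: the regexp object rows (`regexp` typed `text`, `comment` typed `comment`) have no description at all, unlike every other object in this patch; at minimum say what the pattern matches against and which regex flavour is expected (PCRE, POSIX, Python re), since a consumer cannot evaluate an ambiguous pattern safely. The r2graphity `unknown-references` row re-added here still carries the "probalby" typo noted in the earlier hunk.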
@@ -4361,10 +4520,10 @@ registry-key is a MISP object available in JSON format at
data
reg-data
last-modified
datetime
Data stored in the registry key
+Last time the registry key has been modified
hive
reg-hive
Hive used to store the registry key (file on disk)
--
case-number
+summary
text
Case number
+Free text summary of the report
summary
case-number
text
Free text summary of the report
+Case number
@@ -4487,26 +4636,6 @@ rtir is a MISP object available in JSON format at
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
--
ip
ip-dst
IPs automatically extracted from the RTIR ticket
--
constituency
text
subject
status
text
Subject of the RTIR ticket
+Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
@@ -4537,20 +4666,40 @@ rtir is a MISP object available in JSON format at
queue
classification
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
+Classification of the RTIR ticket
classification
subject
text
Classification of the RTIR ticket
+Subject of the RTIR ticket
++
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
@@ -4595,56 +4744,6 @@ tor-node is a MISP object available in JSON format at
address
ip-src
IP address of the Tor node seen.
--
version_line
text
versioning information reported by the node.
--
fingerprint
text
router’s fingerprint.
--
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
--
description
text
Tor node description.
--
flags
text
address
ip-src
IP address of the Tor node seen.
++
first-seen
datetime
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
++
nickname
text
router’s nickname.
++
published
datetime
nickname
fingerprint
text
router’s nickname.
+router’s fingerprint.
++
document
text
Raw document from the consensus.
++
description
text
Tor node description.
++
version_line
text
versioning information reported by the node.
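Review bot: the `version` description ("parsed version of tor, this is None if the relay's using a new versioning scheme") leaks a Python value name into user-facing documentation; say "empty" or "not set" instead, and capitalise the sentence like the other descriptions in this table ("IP address of the Tor node seen." next to "router's nickname.").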
@@ -4695,25 +4854,15 @@ tor-node is a MISP object available in JSON format at
document
text
last-seen
datetime
Raw document from the consensus.
+When the Tor node designed by the IP address has been seen for the last time.
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
last-seen
-datetime
Last time this URL has been seen
--
query_string
fragment
text
Query (after path, preceded by '?')
--
credential
text
Credential (username, password)
--
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
port
port
Port number
--
resource_path
text
Path (between hostname:port and query)
--
host
hostname
Full hostname
--
subdomain
text
Subdomain
--
tld
text
Top-Level Domain
+Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
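Review bot: the `+When the Tor node designed by the IP address has been seen for the last time.` line carries a wording error: "designed by" should be "designated by" (or simply "identified by"); since the row is being moved anyway, fix the wording in the tor-node template so the regenerated page picks it up.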
@@ -4853,20 +4922,10 @@ url is a MISP object available in JSON format at
url
url
Full URL
--
text
resource_path
text
Description of the URL
+Path (between hostname:port and query)
@@ -4883,10 +4942,40 @@ url is a MISP object available in JSON format at
fragment
host
hostname
Full hostname
++
scheme
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
+Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
++
credential
text
Credential (username, password)
++
url
url
Full URL
subdomain
text
Subdomain
++
query_string
text
Query (after path, preceded by '?')
++
text
text
Description of the URL
++
tld
text
Top-Level Domain
++
last-seen
datetime
Last time this URL has been seen
++
port
port
Port number
++
sectors
+text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
regions
text
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
name
text
regions
text
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
classification
text
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
--
first-submission
+last-submission
datetime
First Submission
+Last Submission
permalink
link
Permalink Reference
--
detection-ratio
text
Detection Ratio
--
community-score
text
last-submission
datetime
permalink
link
Last Submission
+Permalink Reference
first-submission
datetime
First Submission
++
detection-ratio
text
Detection Ratio
++
published
+modified
datetime
Initial publication date
+Last modification date
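Review bot: the `+text` row added for `sectors` in the victim object renders the allowed values with literal `\xad` escape sequences ('financial\xadservices', 'government\xadnational', 'hospitality\xadleisure', ...); those are soft-hyphen characters (U+00AD) in the template that the generator escaped repr-style instead of printing, which leaves the list unreadable. Replace the soft hyphens with plain hyphens or spaces in the template, and have the generator emit Unicode rather than escapes, before regenerating. Separately, the url object's `credential` row added in this hunk ("Credential (username, password)") will hold secrets whenever it is populated; its description should say so, because that attribute needs more care about distribution than the rest of a URL.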
@@ -5147,30 +5296,20 @@ vulnerability is a MISP object available in JSON format at
id
vulnerability
Vulnerability ID (generally CVE, but not necessarely)
--
summary
text
Summary of the vulnerability
--
modified
published
datetime
Last modification date
+Initial publication date
++
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
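Review bot: "necessarely" in the `id` description ("Vulnerability ID (generally CVE, but not necessarely)") is a typo for "necessarily"; the same text appears again in the next hunk, so fix it once in the vulnerability template.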
@@ -5187,10 +5326,20 @@ vulnerability is a MISP object available in JSON format at
vulnerable_configuration
summary
text
The vulnerable configuration is described in CPE format
+Summary of the vulnerability
++
id
vulnerability
Vulnerability ID (generally CVE, but not necessarely)
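Review bot: attribute naming is inconsistent across the objects touched by this patch: `vulnerable_configuration` here, `query_string`, `resource_path` and `version_line` in url and tor-node use underscores, while `first-seen`, `last-seen`, `pubkey-info-size` and most other keys use hyphens. Renaming existing keys would break stored data, so at least document the convention for new attributes so the mix does not grow.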
@@ -5235,26 +5384,6 @@ whois is a MISP object available in JSON format at
modification-date
datetime
Last update of the whois entry
--
text
text
Full whois entry
--
domain
domain
modification-date
datetime
Last update of the whois entry
++
registar
whois-registrar
registrant-name
whois-registrant-name
Registrant name
--
expiration-date
datetime
Expiration of the whois entry
--
creation-date
datetime
text
text
Full whois entry
++
registrant-name
whois-registrant-name
Registrant name
++
expiration-date
datetime
Expiration of the whois entry
++
x509-fingerprint-sha256
-sha256
Secure Hash Algorithm 2 (256 bits)
--
pubkey-info-algorithm
version
text
Algorithm of the public key
--
validity-not-before
datetime
Certificate invalid before that date
--
pubkey-info-modulus
text
Modulus of the public key
--
subject
text
Subject of the certificate
+Version of the certificate
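Review bot: the whois row `registar` / `whois-registrar` misspells the attribute key ("registrar"), and because it is the key rather than the description it is what every consumer has to type; the MISP type cell beside it is already spelled `whois-registrar`, so this looks like a template typo worth fixing (with a deprecation of the old key if data already exists). The `creation-date` / `datetime` rows later in the same hunk also show no description, unlike `expiration-date` and `modification-date`; add one for consistency.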
@@ -5433,16 +5542,6 @@ x509 is a MISP object available in JSON format at
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
validity-not-after
datetime
x509-fingerprint-md5
md5
x509-fingerprint-sha256
sha256
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (256 bits)
++
pubkey-info-algorithm
text
Algorithm of the public key
@@ -5473,20 +5582,30 @@ x509 is a MISP object available in JSON format at
pubkey-info-size
pubkey-info-exponent
text
Length of the public key (in bits)
+Exponent of the public key
pubkey-info-exponent
pubkey-info-modulus
text
Exponent of the public key
+Modulus of the public key
++
subject
text
Subject of the certificate
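Review bot: the `pubkey-info-exponent` and `pubkey-info-modulus` descriptions ("Exponent of the public key", "Modulus of the public key") do not say how the value is encoded in the text attribute (decimal, hexadecimal, base64), so two producers can store the same RSA key differently and correlation between them fails; state the expected encoding in the template.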
@@ -5503,10 +5622,40 @@ x509 is a MISP object available in JSON format at
version
pubkey-info-size
text
Version of the certificate
+Length of the public key (in bits)
++
validity-not-before
datetime
Certificate invalid before that date
++
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
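Review bot: `pubkey-info-size` added here is typed `text` although its description is "Length of the public key (in bits)", a plain integer; the pe-section rows earlier in this patch use `counter` for integer values, and a numeric type would prevent variants such as "2048" versus "2048 bits" and allow range filtering. If text is kept on purpose, the description should fix the format to a bare integer.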
@@ -5551,26 +5700,16 @@ yabin is a MISP object available in JSON format at
comment
version
comment
A description of Yara rule generated.
+yabin.py and regex.txt version used for the generation of the yara rules.
yara
yara
Yara rule generated from -y.
--
yara-hunt
yara
version
comment
comment
yabin.py and regex.txt version used for the generation of the yara rules.
+A description of Yara rule generated.
yara
yara
Yara rule generated from -y.
++
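Review bot: the yabin `comment` description "A description of Yara rule generated." is missing an article ("of the Yara rule generated"), and "Yara rule generated from -y." refers to a command-line flag without saying whose; since the `version` row names yabin.py, write "generated with the -y option of yabin.py" so the table is understandable without the tool's help text.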