From b19c79561c199267027eef6fa9789be20c06cd70 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 Nov 2017 20:47:19 +0100
Subject: [PATCH] Objects updated
---
objects.html | 3175 +-
objects.pdf | 129001 +++++++++++++++++++++++++-----------------------
2 files changed, 68012 insertions(+), 64164 deletions(-)
diff --git a/objects.html b/objects.html
index f6c7383..8a6dd5b 100755
--- a/objects.html
+++ b/objects.html
@@ -435,6 +435,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
last-seen
datetime
When the leak has been accessible or seen for the last time.
++
type
text
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
first-seen
datetime
sensor
text
The AIL sensor uuid where the leak was processed and analysed.
--
origin
url
text
sensor
text
A description of the leak which could include the potential victim(s) or description of the leak.
+The AIL sensor uuid where the leak was processed and analysed.
-
last-seen
datetime
When the leak has been accessible or seen for the last time.
-+
text
+signature
text
Free text value to attach to the file
+Name of detection signature
+
signature
-text
Name of detection signature
--
datetime
datetime
text
text
Free text value to attach to the file
++
cookie
+cookie
Full cookie
++
cookie-name
text
Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s)..
+cookie |
-cookie |
++ + | ++credential is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
username |
+text |
- Full cookie +Username related to the password(s) + |
+
+ + |
+||||||||||
password |
+text |
+
+ Password + |
+
+ + |
+||||||||||
format |
+text |
+
+ Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown'] + |
+
+ + |
+||||||||||
type |
+text |
+
+ Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown'] + |
+
+ + |
+||||||||||
text |
+text |
+
+ A description of the credential(s) + |
+
+ + |
+||||||||||
notification |
+text |
+
+ Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none'] + |
+
+ + |
+||||||||||
origin |
+text |
+
+ Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown'] |
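Review bot: the credential object description ends with a doubled period ("...decryption key(s)..") and, because objects.html is generated, the fix belongs in the credential template JSON rather than in this file. Worth deciding at the same time whether `password` should have "Disable correlation" set: it is a plain `text` attribute, so a common password seen in two unrelated leaks would correlate events that have nothing to do with each other. On the patch as a whole, the diffstat shows objects.pdf as a 129001-line textual diff; marking `*.pdf binary` in .gitattributes would keep future regenerations reviewable.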
@@ -798,10 +907,10 @@ credit-card is a MISP object available in JSON format at card-security-code |
-text |
+issued |
+datetime |
- Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card. +Initial date of validity or issued date. |
@@ -818,20 +927,10 @@ credit-card is a MISP object available in JSON format at expiration |
-datetime |
+comment |
+comment |
- Maximum date of validity - |
-
- - |
-
issued |
-datetime |
-
- Initial date of validity or issued date. +A description of the card. |
@@ -848,6 +947,16 @@ credit-card is a MISP object available in JSON format at card-security-code |
+text |
+
+ Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card. + |
+
+ + |
+|||||||
name |
text |
@@ -858,10 +967,10 @@ credit-card is a MISP object available in JSON format at comment |
-comment |
+expiration |
+datetime |
- A description of the card. +Maximum date of validity |
@@ -906,50 +1015,10 @@ ddos is a MISP object available in JSON format at total-pps |
-counter |
+ip-src |
+ip-src |
- Packets per second - |
-
- - |
-|
dst-port |
-port |
-
- Destination port of the attack - |
-
- - |
-||||||||||
protocol |
-text |
-
- Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP'] - |
-
- - |
-||||||||||
ip-dst |
-ip-dst |
-
- Destination ID (victim) - |
-
- - |
-||||||||||
first-seen |
-datetime |
-
- Beginning of the attack +IP address originating the attack |
@@ -966,20 +1035,40 @@ ddos is a MISP object available in JSON format at total-bps |
-counter |
+dst-port |
+port |
- Bits per second +Destination port of the attack |
|
|||||
ip-src |
-ip-src |
+first-seen |
+datetime |
- IP address originating the attack +Beginning of the attack + |
+
+ + |
+||||||||
ip-dst |
+ip-dst |
+
+ Destination ID (victim) + |
+
+ + |
+||||||||||
protocol |
+text |
+
+ Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP'] |
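Review bot: the ddos `ip-dst` description reads "Destination ID (victim)" in both the removed and the added lines; it should be "Destination IP (victim)" to match `ip-src` ("IP address originating the attack"), and since this file is generated the correction goes into the ddos template JSON.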
@@ -996,6 +1085,16 @@ ddos is a MISP object available in JSON format at total-pps |
+counter |
+
+ Packets per second + |
+
+ + |
+|||||||
last-seen |
datetime |
||||||||||||
total-bps |
+counter |
+
+ Bits per second + |
+
+ + |
+
domain
-domain
first-seen
datetime
Domain name
+First time the tuple has been seen
@@ -1064,26 +1173,6 @@ domain-ip is a MISP object available in JSON format at
text
text
A description of the tuple
--
first-seen
datetime
First time the tuple has been seen
--
last-seen
datetime
domain
domain
Domain name
++
text
text
A description of the tuple
++
entrypoint-address
-text
number-sections
counter
Address of the entry point
+Number of sections
@@ -1162,16 +1271,6 @@ elf is a MISP object available in JSON format at
arch
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
--
text
text
number-sections
counter
entrypoint-address
text
Number of sections
+Address of the entry point
arch
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
++
sha384
-sha384
Secure Hash Algorithm 2 (384 bits)
--
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
name
text
Name of the section
--
sha1
sha1
flag
text
sha384
sha384
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
entropy
float
Entropy of the whole section
--
md5
md5
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -1340,6 +1369,26 @@ elf-section is a MISP object available in JSON format at
entropy
float
Entropy of the whole section
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha512/224
sha512/224
sha224
sha224
sha512/256
sha512/256
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
@@ -1370,6 +1449,16 @@ elf-section is a MISP object available in JSON format at
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
ssdeep
ssdeep
name
text
Name of the section
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
send-date
-datetime
mime-boundary
email-mime-boundary
Date the email has been sent
--
to
email-dst
Destination email address
--
message-id
email-message-id
Message ID
--
return-path
text
Message return path
--
subject
email-subject
Subject
--
thread-index
email-thread-index
Identifies a particular conversation thread
--
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
+MIME Boundary
@@ -1498,30 +1547,20 @@ email is a MISP object available in JSON format at
from
email-src
to-display-name
email-dst-display-name
Sender email address
+Display name of the receiver
attachment
email-attachment
thread-index
email-thread-index
Attachment
--
from-display-name
email-src-display-name
Display name of the sender
+Identifies a particular conversation thread
@@ -1538,16 +1577,56 @@ email is a MISP object available in JSON format at
to-display-name
email-dst-display-name
from
email-src
Display name of the receiver
+Sender email address
subject
email-subject
Subject
++
message-id
email-message-id
Message ID
++
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
++
send-date
datetime
Date the email has been sent
++
cc
email-dst
mime-boundary
email-mime-boundary
return-path
text
MIME Boundary
+Message return path
++
to
email-dst
Destination email address
++
from-display-name
email-src-display-name
Display name of the sender
++
attachment
email-attachment
Attachment
@@ -1606,36 +1715,16 @@ file is a MISP object available in JSON format at
sha384
sha384
sha1
sha1
Secure Hash Algorithm 2 (384 bits)
+[Insecure] Secure Hash Algorithm 1 (160 bits)
authentihash
authentihash
Authenticode executable signature hash
--
mimetype
text
Mime type
--
filename
filename
sha256
sha256
sha384
sha384
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (384 bits)
sha512
sha512
sha512/224
sha512/224
Secure Hash Algorithm 2 (512 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Secure Hash Algorithm 2 (224 bits)
@@ -1686,43 +1765,13 @@ file is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
state
mimetype
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
+Mime type
-
md5
md5
[Insecure] MD5 hash (128 bits)
-+
sha512/224
-sha512/224
sha512/256
sha512/256
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
@@ -1756,6 +1805,16 @@ file is a MISP object available in JSON format at
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
text
text
malware-sample
malware-sample
pattern-in-file
pattern-in-file
The file itself (binary)
+Pattern that can be found in the file
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
@@ -1786,10 +1855,50 @@ file is a MISP object available in JSON format at
pattern-in-file
pattern-in-file
ssdeep
ssdeep
Pattern that can be found in the file
+Fuzzy hash using context triggered piecewise hashes (CTPH)
++
malware-sample
malware-sample
The file itself (binary)
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
state
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
authentihash
authentihash
Authenticode executable signature hash
@@ -1834,30 +1943,30 @@ geolocation is a MISP object available in JSON format at
longitude
latitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
+The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
country
city
text
Country.
+City.
first-seen
last-seen
datetime
When the location was seen for the first time.
+When the location was seen for the last time.
@@ -1874,20 +1983,10 @@ geolocation is a MISP object available in JSON format at
region
country
text
Region.
--
city
text
City.
+Country.
@@ -1904,20 +2003,30 @@ geolocation is a MISP object available in JSON format at
latitude
float
first-seen
datetime
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
+When the location was seen for the first time.
last-seen
datetime
region
text
When the location was seen for the last time.
+Region.
++
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
@@ -1962,26 +2071,6 @@ http-request is a MISP object available in JSON format at
basicauth-user
text
HTTP Basic Authentication Username
--
content-type
other
The MIME type of the body of the request
--
uri
uri
proxy-password
text
HTTP Proxy Password
--
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
--
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
--
host
hostname
url
url
content-type
other
Full HTTP Request URL
--
user-agent
user-agent
The user agent string of the user agent
+The MIME type of the body of the request
@@ -2062,10 +2111,30 @@ http-request is a MISP object available in JSON format at
basicauth-password
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
++
cookie
text
HTTP Basic Authentication Password
+An HTTP cookie previously sent by the server with Set-Cookie
++
basicauth-user
text
HTTP Basic Authentication Username
user-agent
user-agent
The user agent string of the user agent
++
url
url
Full HTTP Request URL
++
proxy-password
text
HTTP Proxy Password
++
basicauth-password
text
HTTP Basic Authentication Password
++
ip
+ip-dst
IP Address
++
last-seen
datetime
Last time the tuple has been seen
++
dst-port
port
src-port
port
Source port
--
ip
ip-dst
IP Address
--
text
text
last-seen
datetime
src-port
port
Last time the tuple has been seen
+Source port
@@ -2228,6 +2337,16 @@ ja3 is a MISP object available in JSON format at
ip-src
ip-src
Source IP Address
++
description
text
ip-src
ip-src
Source IP Address
--
ip-dst
ip-dst
text
text
Free text value to attach to the Mach-O file
--
type
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
--
number-sections
counter
type
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
++
text
text
Free text value to attach to the Mach-O file
++
sha384
-sha384
Secure Hash Algorithm 2 (384 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
name
text
Name of the section
--
sha1
sha1
sha512/256
sha512/256
sha384
sha384
Secure Hash Algorithm 2 (256 bits)
--
entropy
float
Entropy of the whole section
--
md5
md5
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -2504,6 +2553,16 @@ macho-section is a MISP object available in JSON format at
entropy
float
Entropy of the whole section
++
sha512/224
sha512/224
sha224
sha224
sha512/256
sha512/256
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
@@ -2534,6 +2613,16 @@ macho-section is a MISP object available in JSON format at
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
ssdeep
ssdeep
name
text
Name of the section
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
post
+username
text
Raw post
+Username who posted the microblog post
++
url
url
Original URL location of the microblog post
@@ -2622,6 +2741,16 @@ microblog is a MISP object available in JSON format at
username-quoted
text
Username who are quoted into the microblog post
++
creation-date
datetime
url
url
post
text
Original URL location of the microblog post
+Raw post
username
text
Username who posted the microblog post
--
username-quoted
text
Username who are quoted into the microblog post
--
byte-count
-counter
Bytes counted in this flow
--
first-packet-seen
datetime
src-as
AS
Source AS number for this flow
++
ip_version
counter
IP version of this flow
++
direction
text
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
--
ip-protocol-number
size-in-bytes
src-port
dst-port
port
Source port of the netflow
+Destination port of the netflow
packet-count
dst-as
AS
Destination AS number for this flow
++
ip-dst
ip-dst
IP address destination of the netflow
++
byte-count
counter
Packets counted in this flow
+Bytes counted in this flow
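Review bot: the new netflow `ip_version` attribute uses an underscore while every other attribute in the object is hyphenated (`ip-dst`, `src-port`, `tcp-flags`, `byte-count`); renaming it to `ip-version` before it ships avoids a breaking rename later. In the microblog part of this hunk, "Username who are quoted into the microblog post" should read "Usernames quoted in the microblog post".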
@@ -2790,13 +2919,13 @@ netflow is a MISP object available in JSON format at
dst-port
port
tcp-flags
text
Destination port of the netflow
+TCP flags of the flow
+
ip-dst
-ip-dst
IP address destination of the netflow
--
icmp-type
text
tcp-flags
src-port
port
Source port of the netflow
++
protocol
text
TCP flags of the flow
--
src-as
AS
Source AS number for this flow
+Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
dst-as
AS
Destination AS number for this flow
--
ip_version
packet-count
counter
IP version of this flow
+Packets counted in this flow
@@ -2918,26 +3027,6 @@ passive-dns is a MISP object available in JSON format at
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
--
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
sensor_id
text
rrname
text
Resource Record name of the queried resource
--
origin
text
Origin of the Passive DNS response
--
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
--
rdata
text
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
--
text
origin
text
+
Origin of the Passive DNS response
@@ -3028,6 +3067,36 @@ passive-dns is a MISP object available in JSON format at
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
rrname
text
Resource Record name of the queried resource
++
text
text
+
+
time_last
datetime
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
++
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
++
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
++
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
last-seen
+datetime
When the paste has been accessible or seen for the last time.
++
url
url
Link to the original source of the paste or post.
++
paste
text
url
url
title
text
Link to the original source of the paste or post.
+Title of the paste or post.
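Review bot: the passive-dns `text` attribute is emitted with an empty description (the two bare `+` lines following `text`/`text`), which leaves a blank cell in the generated table; give it a description in the template, for example "Free text value to attach to the passive DNS record", in line with the other objects.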
@@ -3106,16 +3235,6 @@ paste is a MISP object available in JSON format at
title
text
Title of the paste or post.
--
origin
text
last-seen
datetime
When the paste has been accessible or seen for the last time.
--
entrypoint-address
-text
compilation-timestamp
datetime
Address of the entry point
+Compilation timestamp defined in the PE header
+
lang-id
text
pehash
pehash
Lang ID in the resources
+Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
+
+
internal-filename
filename
InternalFilename in the resources
+
file-version
-text
FileVersion in the resources
--
entrypoint-section-at-position
text
compilation-timestamp
datetime
entrypoint-address
text
Compilation timestamp defined in the PE header
+Address of the entry point
++
imphash
imphash
Hash (md5) calculated from the import table
number-sections
counter
Number of sections
--
company-name
text
CompanyName in the resources
--
product-version
text
original-filename
filename
number-sections
counter
OriginalFilename in the resources
--
product-name
text
ProductName in the resources
--
file-description
text
FileDescription in the resources
+Number of sections
@@ -3304,16 +3383,26 @@ pe is a MISP object available in JSON format at
imphash
imphash
original-filename
filename
Hash (md5) calculated from the import table
+OriginalFilename in the resources
file-version
text
FileVersion in the resources
++
impfuzzy
impfuzzy
internal-filename
filename
company-name
text
InternalFilename in the resources
+CompanyName in the resources
+
pehash
pehash
lang-id
text
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
+Lang ID in the resources
+
+
product-name
text
ProductName in the resources
++
file-description
text
FileDescription in the resources
+
sha384
-sha384
Secure Hash Algorithm 2 (384 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
--
sha1
sha1
sha512/256
sha512/256
sha384
sha384
Secure Hash Algorithm 2 (256 bits)
--
entropy
float
Entropy of the whole section
--
md5
md5
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -3482,6 +3531,46 @@ pe-section is a MISP object available in JSON format at
entropy
float
Entropy of the whole section
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
characteristic
text
sha512/224
sha512/224
sha256
sha256
Secure Hash Algorithm 2 (224 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
@@ -3522,6 +3601,16 @@ pe-section is a MISP object available in JSON format at
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
ssdeep
ssdeep
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
place-of-birth
-place-of-birth
gender
gender
Place of birth of a natural person.
+The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
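Review bot: the pe-section `name` attribute lists ['.rsrc', '.reloc', '.rdata', '.data', '.text']; if that is an enforced values list rather than a suggested default it will reject the other standard section names (.idata, .edata, .bss, .tls) and the arbitrary names packers use (UPX0, UPX1), which are exactly the sections analysts most want to record. Worth confirming the template treats this as a sane default; the elf-section and macho-section `name` attributes in this same patch are free text.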
@@ -3610,46 +3719,6 @@ person is a MISP object available in JSON format at
passport-country
passport-country
The country in which the passport was issued.
--
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
--
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
--
middle-name
middle-name
Middle name of a natural person
--
first-name
first-name
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
--
passport-expiration
passport-expiration
middle-name
middle-name
Middle name of a natural person
++
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
++
text
text
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
passport-country
passport-country
The country in which the passport was issued.
++
place-of-birth
place-of-birth
Place of birth of a natural person.
++
first-seen
+datetime
When the phone has been accessible or seen for the first time.
++
tmsi
text
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
--
serial-number
text
imsi
imei
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
--
first-seen
datetime
When the phone has been accessible or seen for the first time.
--
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
--
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
+International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
@@ -3808,10 +3887,10 @@ phone is a MISP object available in JSON format at
guti
gummei
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
+Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
++
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
++
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
++
referenced-strings
+counter
Amount of referenced strings
++
miss-api
counter
Amount of API call reference that does not resolve to a function offset
++
r2-commit-version
text
Radare2 commit ID used to generate this object
++
create-thread
counter
Amount of calls to CreateThread
++
callbacks
counter
Amount of callbacks (functions started as thread)
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
callback-largest
counter
Largest callback
++
text
text
Description of the r2graphity object
++
local-references
counter
Amount of API calls inside a code section
++
get-proc-address
counter
total-api
counter
Total amount of API calls
--
r2-commit-version
text
Radare2 commit ID used to generate this object
--
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
text
text
Description of the r2graphity object
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
callback-largest
counter
Largest callback
--
ratio-string
float
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
create-thread
counter
Amount of calls to CreateThread
--
referenced-strings
counter
Amount of referenced strings
--
gml
attachment
Graph export in G>raph Modelling Language format
--
not-referenced-strings
counter
Amount of not referenced strings
--
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
--
unknown-references
counter
not-referenced-strings
counter
Amount of not referenced strings
++
callback-average
counter
callbacks
total-api
counter
Amount of callbacks (functions started as thread)
+Total amount of API calls
total-functions
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
++
dangling-strings
counter
Total amount of functions in the file.
+Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
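Review bot: the r2graphity `callback-average` attribute is typed `counter` although an average is not an integer count; `ratio-api` and `ratio-string` in the same object use `float`, and `callback-average` should too. In the phone part of this hunk, the msisdn description reads "This abbreviation has a several interpretations"; drop the "a".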
@@ -4076,10 +4165,30 @@ r2graphity is a MISP object available in JSON format at
local-references
refsglobalvar
counter
Amount of API calls inside a code section
+Amount of API calls outside of code section (glob var, dynamic API)
++
gml
attachment
Graph export in G>raph Modelling Language format
++
total-functions
counter
Total amount of functions in the file.
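Review bot: the "+" block re-adding `gml` carries the "G>raph Modelling Language" typo forward from the old entry; since the entry is being rewritten anyway, fix it here ("Graph Modelling Language") rather than in a follow-up commit.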
@@ -4192,16 +4301,6 @@ registry-key is a MISP object available in JSON format at
hive
reg-hive
Hive used to store the registry key (file on disk)
--
data-type
reg-datatype
name
reg-name
Name of the registry key
--
key
reg-key
hive
reg-hive
Hive used to store the registry key (file on disk)
++
name
reg-name
Name of the registry key
++
data
reg-data
case-number
summary
text
Case number
+Free text summary of the report
summary
case-number
text
Free text summary of the report
+Case number
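Review bot: `data-type` / `reg-datatype`, `key` / `reg-key` and `data` / `reg-data` have no description in this hunk, while `hive` and `name` each get one; add a short description for each (for example "Data type of the registry value", "Full path of the registry key", "Data stored in the registry value") so the registry-key template documents all of its attributes consistently.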
@@ -4348,20 +4457,30 @@ rtir is a MISP object available in JSON format at
constituency
classification
text
Constituency of the RTIR ticket
+Classification of the RTIR ticket
subject
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
constituency
text
Subject of the RTIR ticket
+Constituency of the RTIR ticket
@@ -4378,10 +4497,10 @@ rtir is a MISP object available in JSON format at
classification
subject
text
Classification of the RTIR ticket
+Subject of the RTIR ticket
@@ -4398,16 +4517,6 @@ rtir is a MISP object available in JSON format at
ip
ip-dst
IPs automatically extracted from the RTIR ticket
--
queue
text
version_line
document
text
versioning information reported by the node.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
+Raw document from the consensus.
document
fingerprint
text
Raw document from the consensus.
+router’s fingerprint.
++
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
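Review bot: the `first-seen` / `last-seen` descriptions say "the Tor node designed by the IP address"; "designated by" is meant. The `fingerprint` description "router’s fingerprint." and the `version_line` description "versioning information reported by the node." start in lowercase and read like library docstrings pasted in; capitalise them and state what the value is, e.g. "Fingerprint of the Tor relay (hash of its identity key)" and "Version line as reported by the node in the consensus".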
@@ -4506,13 +4615,13 @@ tor-node is a MISP object available in JSON format at
last-seen
datetime
version
text
When the Tor node designed by the IP address has been seen for the last time.
+parsed version of tor, this is None if the relay’s using a new versioning scheme.
+
version
+version_line
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
address
ip-src
IP address of the Tor node seen.
--
fingerprint
text
router’s fingerprint.
+versioning information reported by the node.
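Review bot: the `version` description "this is None if the relay’s using a new versioning scheme" describes a Python value, not a MISP text attribute; an attribute literally set to the string "None" is indistinguishable from a relay whose version is "None", so the description should say the attribute is omitted when the version cannot be parsed and the exporter should drop it rather than emit "None". The "designed by" wording in `last-seen` in this hunk has the same "designated by" fix as above.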
@@ -4566,6 +4655,16 @@ tor-node is a MISP object available in JSON format at
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
flags
text
address
ip-src
IP address of the Tor node seen.
++
scheme
-text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
host
hostname
credential
fragment
text
Credential (username, password)
+Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
first-seen
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
++
domain_without_tld
text
Domain without Top-Level Domain
++
last-seen
datetime
First time this URL has been seen
+Last time this URL has been seen
++
port
port
Port number
++
credential
text
Credential (username, password)
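Review bot: the new tor-node attribute `flags` (text) is added with no description (the hunk goes straight from "flags / text" to "address / ip-src"); add one such as "Consensus flags assigned to the relay (e.g. Guard, Exit)". In the url part of the hunk, attribute names mix styles (`domain_without_tld`, `query_string` with underscores; `first-seen`, `last-seen` with hyphens); picking one convention now avoids a breaking rename later.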
@@ -4684,20 +4823,10 @@ url is a MISP object available in JSON format at
last-seen
first-seen
datetime
Last time this URL has been seen
--
query_string
text
Query (after path, preceded by '?')
+First time this URL has been seen
@@ -4714,36 +4843,6 @@ url is a MISP object available in JSON format at
port
port
Port number
--
domain_without_tld
text
Domain without Top-Level Domain
--
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
tld
text
query_string
text
Query (after path, preceded by '?')
++
classification
+text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
description
text
roles
sectors
text
The list of roles targeted within the victim.
+The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
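Review bot: the added `sectors` value list contains literal "\xad" sequences ('financial\xadservices', 'government\xadnational', 'non\xadprofit', ...), i.e. U+00AD soft hyphens from a PDF copy-paste; whether the JSON ends up holding the escape text or the invisible character, these values will never match what an analyst types or what another tool exports. Replace them with plain ASCII hyphens ('financial-services', 'government-national', 'non-profit', and so on). Also "the victim belong to" should read "the victim belongs to".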
@@ -4832,20 +4951,10 @@ victim is a MISP object available in JSON format at
classification
roles
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
+The list of roles targeted within the victim.
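Review bot: the `sectors` line in this hunk carries the same "\xad" soft-hyphen artefacts and the "belong to" grammar slip; since this commit only reorders the entry, it is the right place to fix the values so the defect does not survive the move.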
@@ -4900,16 +5009,6 @@ virustotal-report is a MISP object available in JSON format at
community-score
text
Community Score
--
first-submission
datetime
permalink
link
community-score
text
Permalink Reference
+Community Score
+
permalink
link
Permalink Reference
++
id
-vulnerability
Vulnerability ID (generally CVE, but not necessarely)
--
modified
datetime
Last modification date
--
published
datetime
Initial publication date
--
references
link
text
text
Description of the vulnerability
--
summary
text
modified
datetime
Last modification date
++
text
text
Description of the vulnerability
++
vulnerable_configuration
text
id
vulnerability
Vulnerability ID (generally CVE, but not necessarely)
++
published
datetime
Initial publication date
++
registrant-email
+whois-registrant-email
Registrant email address
++
expiration-date
datetime
registrant-name
whois-registrant-name
text
text
Registrant name
--
registar
whois-registrar
Registrar of the whois entry
+Full whois entry
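Review bot: the vulnerability `id` description "generally CVE, but not necessarely" should read "necessarily" (it appears in both the removed and the added copy). The whois attribute name `registar` is misspelled (the MISP type next to it is `whois-registrar`); renaming a key changes the object template, so if the name is kept for compatibility, note that explicitly and plan a corrected name with a version bump. `references` (link), `summary` (text), `vulnerable_configuration` (text) and `expiration-date` (datetime) have no description in this hunk, and `vulnerable_configuration` uses underscores where the neighbouring attributes use hyphens.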
@@ -5146,20 +5255,10 @@ whois is a MISP object available in JSON format at
creation-date
datetime
registar
whois-registrar
Initial creation of the whois entry
--
registrant-email
whois-registrant-email
Registrant email address
+Registrar of the whois entry
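Review bot: `registar` is misspelled here as well; whatever is decided for the attribute name, at least keep the description ("Registrar of the whois entry") and the type (`whois-registrar`) spelled correctly so the typo is not propagated into new templates.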
@@ -5176,10 +5275,20 @@ whois is a MISP object available in JSON format at
text
text
creation-date
datetime
Full whois entry
+Initial creation of the whois entry
++
registrant-name
whois-registrant-name
Registrant name
@@ -5224,36 +5333,6 @@ x509 is a MISP object available in JSON format at
pubkey-info-exponent
text
Exponent of the public key
--
validity-not-before
datetime
Certificate invalid before that date
--
subject
text
Subject of the certificate
--
serial-number
text
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
--
validity-not-after
datetime
Certificate invalid after that date
--
pubkey-info-modulus
text
version
text
Version of the certificate
--
issuer
text
Issuer of the certificate
--
pubkey-info-size
text
Length of the public key (in bits)
--
raw-base64
text
Raw certificate base64 encoded
--
pubkey-info-algorithm
text
text
pubkey-info-exponent
text
Free text description of hte certificate
+Exponent of the public key
++
version
text
Version of the certificate
++
subject
text
Subject of the certificate
text
text
Free text description of hte certificate
++
validity-not-after
datetime
Certificate invalid after that date
++
pubkey-info-size
text
Length of the public key (in bits)
++
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
++
raw-base64
text
Raw certificate base64 encoded
++
validity-not-before
datetime
Certificate invalid before that date
++
issuer
text
Issuer of the certificate
++
yara
-yara
Yara rule generated from -y.
--
yara-hunt
yara
yara
yara
Yara rule generated from -y.
++
This relationship describes an object which is the same as another object.
['misp']
creator-of
This relationship describes an object which is the creator of another object.
['cert-eu']
developer-of
This relationship describes an object which is a developer of another object.
['cert-eu']
uses-for-recon
This relationship describes an object which uses another object for recon.
['cert-eu']
operator-of
This relationship describes an object which is an operator of another object.
['cert-eu']
overlaps
This relationship describes an object which overlaps another object.
['cert-eu']
owner-of
This relationship describes an object which owns another object.
['cert-eu']
publishes-method-for
This relationship describes an object which publishes method for another object.
['cert-eu']
recommends-use-of
This relationship describes an object which recommends the use of another object.
['cert-eu']
released-source-code
This relationship describes an object which released source code of another object.
['cert-eu']
released
This relationship describes an object which release another object.
['cert-eu']
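Review bot: the x509 `text` description "Free text description of hte certificate" should read "the certificate" (both the removed and added copies have it). `serial-number`, `pubkey-info-modulus` and `pubkey-info-algorithm` appear with no description, and `x509-fingerprint-md5` is correctly marked [Insecure]; a SHA-256 fingerprint attribute beside it would give analysts a usable alternative. The `yara` description "Yara rule generated from -y." names a command-line flag without saying which tool it belongs to; name the tool or drop the flag reference, and `yara-hunt` needs a description of its own. In the relationship list, "an object which release another object" should read "releases".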