From dbb7214bb67a92a7f8feba2c9e5e3fad0d40f3f6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 6 Feb 2018 16:18:05 +0100
Subject: [PATCH] fix: new objects added
---
objects.html | 4709 +-
objects.pdf | 171938 ++++++++++++++++++++++++------------------------
2 files changed, 89020 insertions(+), 87627 deletions(-)
diff --git a/objects.html b/objects.html
index fb2258b..d9e3fd4 100755
--- a/objects.html
+++ b/objects.html
@@ -461,6 +461,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
last-seen
datetime
When the leak has been accessible or seen for the last time.
--
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
first-seen
datetime
When the leak has been accessible or seen for the first time.
--
text
text
origin
text
The link where the leak is (or was) accessible at first-seen.
--
sensor
text
The AIL sensor uuid where the leak was processed and analysed.
--
duplicate_number
counter
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
++
origin
text
The link where the leak is (or was) accessible at first-seen.
++
last-seen
datetime
When the leak has been accessible or seen for the last time.
++
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
original-date
datetime
raw-data
attachment
first-seen
datetime
Raw data as received by the AIL sensor compressed and encoded in Base64.
+When the leak has been accessible or seen for the first time.
sensor
text
The AIL sensor uuid where the leak was processed and analysed.
++
permission
-text
comment
comment
Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']
+Comment about the set of android permission(s)
comment
comment
permission
text
Comment about the set of android permission(s)
+Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']
@@ -763,10 +764,10 @@ annotation is a MISP object available in JSON format at
ref
link
text
text
Reference(s) to the annotation
+Raw text of the annotation
@@ -783,23 +784,13 @@ annotation is a MISP object available in JSON format at
text
format
text
Raw text of the annotation
+Format of the annotation ['text', 'markdown', 'asciidoctor', 'MultiMarkdown', 'GFM', 'pandoc', 'Fountain', 'CommonWork', 'kramdown-rfc2629', 'rfc7328', 'Extra']
-
modification-date
datetime
Last update of the annotation
-+
format
-text
ref
link
Format of the annotation ['text', 'markdown', 'asciidoctor', 'MultiMarkdown', 'GFM', 'pandoc', 'Fountain', 'CommonWork', 'kramdown-rfc2629', 'rfc7328', 'Extra']
+Reference(s) to the annotation
+
+
modification-date
datetime
Last update of the annotation
+
export
-text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
description
text
mp-export
export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
subnet-announced
ip-src
Subnet announced
+The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
@@ -921,20 +892,20 @@ asn is a MISP object available in JSON format at
asn
AS
first-seen
datetime
Autonomous System Number
+First time the ASN was seen
+
country
import
text
Country code of the main location of the autonomous system
+The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
@@ -951,13 +922,43 @@ asn is a MISP object available in JSON format at
first-seen
datetime
mp-export
text
First time the ASN was seen
+This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
+
+
country
text
Country code of the main location of the autonomous system
++
subnet-announced
ip-src
Subnet announced
++
asn
AS
Autonomous System Number
+
text
+text
Free text value to attach to the file
++
software
text
Name of antivirus software
++
datetime
datetime
software
text
Name of antivirus software
--
text
text
Free text value to attach to the file
--
non-banking-institution
+boolean
A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
++
swift
bic
SWIFT or BIC as defined in ISO 9362.
++
balance
text
The balance of the account after the suspicious transaction was processed.
++
beneficiary-comment
text
Comment about the final beneficiary.
++
beneficiary
text
Final beneficiary of the bank account.
++
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
++
account
bank-account-nr
Account number
++
date-balance
datetime
When the balance was reported.
++
opened
datetime
When the account was opened.
++
client-_number
text
Client number as seen by the bank.
++
account-name
text
A field to freely describe the bank account details.
++
text
text
A description of the bank account.
++
iban
iban
IBAN of the bank account.
++
comments
text
report-code
text
Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
--
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
--
opened
datetime
When the account was opened.
--
swift
bic
SWIFT or BIC as defined in ISO 9362.
--
client-_number
text
Client number as seen by the bank.
--
balance
text
The balance of the account after the suspicious transaction was processed.
--
branch
text
Branch code or name
--
account-name
text
A field to freely describe the bank account details.
--
account
bank-account-nr
Account number
--
beneficiary
text
Final beneficiary of the bank account.
--
text
text
A description of the bank account.
--
currency-code
text
beneficiary-comment
report-code
text
Comment about the final beneficiary.
+Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
@@ -1247,35 +1268,15 @@ bank-account is a MISP object available in JSON format at
non-banking-institution
boolean
branch
text
A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
+Branch code or name
date-balance
datetime
When the balance was reported.
--
iban
iban
IBAN of the bank account.
--
last-seen
-datetime
symbol
text
Last time this payment destination address has been seen
+The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
symbol
text
address
btc
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
+Address used as a payment destination in a cryptocurrency
++
first-seen
datetime
First time this payment destination address has been seen
@@ -1345,25 +1356,15 @@ coin-address is a MISP object available in JSON format at
first-seen
last-seen
datetime
First time this payment destination address has been seen
+Last time this payment destination address has been seen
address
btc
Address used as a payment destination in a cryptocurrency
--
cookie-name
+type
text
Name of the cookie (if splitted)
+Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
@@ -1423,6 +1424,16 @@ cookie is a MISP object available in JSON format at
cookie-name
text
Name of the cookie (if splitted)
++
text
text
type
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
--
password
-text
Password
--
notification
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
--
text
text
origin
format
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
+Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
type
origin
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
+Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
@@ -1551,10 +1532,30 @@ credential is a MISP object available in JSON format at
format
type
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
+Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
++
notification
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
++
password
text
Password
@@ -1599,26 +1600,6 @@ credit-card is a MISP object available in JSON format at
version
text
Version of the card.
--
cc-number
cc-number
credit-card number as encoded on the card.
--
expiration
datetime
name
card-security-code
text
Name of the card owner.
+Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
@@ -1649,10 +1630,30 @@ credit-card is a MISP object available in JSON format at
card-security-code
version
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
+Version of the card.
++
name
text
Name of the card owner.
++
cc-number
cc-number
credit-card number as encoded on the card.
@@ -1707,26 +1708,6 @@ ddos is a MISP object available in JSON format at
ip-src
ip-src
IP address originating the attack
--
total-bps
counter
Bits per second
--
text
text
total-pps
counter
dst-port
port
Packets per second
+Destination port of the attack
dst-port
port
domain-dst
domain
Destination port of the attack
+Destination domain (victim)
++
ip-src
ip-src
IP address originating the attack
@@ -1787,10 +1778,10 @@ ddos is a MISP object available in JSON format at
domain-dst
domain
total-pps
counter
Destination domain (victim)
+Packets per second
total-bps
counter
Bits per second
++
Origin-Host
-text
Origin-Host.
--
Username
text
Username (in this case, usually the IMSI).
--
ApplicationId
text
IdrFlags
text
IDR-Flags.
--
Destination-Realm
text
Destination-Realm.
--
category
text
Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
--
Destination-Host
text
Destination-Host.
--
SessionId
text
Session-ID.
--
text
text
A description of the attack seen.
--
Origin-Realm
text
Origin-Realm.
--
CmdCode
text
Origin-Host
text
Origin-Host.
++
IdrFlags
text
IDR-Flags.
++
SessionId
text
Session-ID.
++
Username
text
Username (in this case, usually the IMSI).
++
first-seen
datetime
category
text
Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
++
text
text
A description of the attack seen.
++
Destination-Realm
text
Destination-Realm.
++
Origin-Realm
text
Origin-Realm.
++
Destination-Host
text
Destination-Host.
++
ip
-ip-dst
IP Address
--
last-seen
datetime
Last time the tuple has been seen
--
first-seen
datetime
First time the tuple has been seen
--
text
text
first-seen
datetime
First time the tuple has been seen
++
ip
ip-dst
IP Address
++
last-seen
datetime
Last time the tuple has been seen
++
os_abi
+arch
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
@@ -2121,10 +2122,10 @@ elf is a MISP object available in JSON format at
number-sections
counter
os_abi
text
Number of sections
+Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
@@ -2141,20 +2142,20 @@ elf is a MISP object available in JSON format at
arch
entrypoint-address
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
+Address of the entry point
entrypoint-address
text
number-sections
counter
Address of the entry point
+Number of sections
@@ -2209,10 +2210,20 @@ elf-section is a MISP object available in JSON format at
sha512/256
sha512/256
text
text
Secure Hash Algorithm 2 (256 bits)
+Free text value to attach to the section
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
@@ -2229,40 +2240,10 @@ elf-section is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
sha384
sha384
Size of the section, in bytes
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
name
text
Name of the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -2289,6 +2270,26 @@ elf-section is a MISP object available in JSON format at
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
type
text
entropy
float
sha512/256
sha512/256
Entropy of the whole section
--
text
text
Free text value to attach to the section
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+Secure Hash Algorithm 2 (256 bits)
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
name
text
Name of the section
++
entropy
float
Entropy of the whole section
++
attachment
-email-attachment
message-id
email-message-id
Attachment
--
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
to-display-name
email-dst-display-name
Display name of the receiver
--
return-path
text
Message return path
--
mime-boundary
email-mime-boundary
MIME Boundary
--
reply-to
email-reply-to
Email address the reply will be sent to
--
send-date
datetime
Date the email has been sent
--
header
email-header
Full headers
--
to
email-dst
Destination email address
+Message ID
@@ -2487,50 +2408,50 @@ email is a MISP object available in JSON format at
email-body
email-body
x-mailer
email-x-mailer
Body of the email
+X-Mailer generally tells the program that was used to draft and send the original email
cc
to
email-dst
Carbon copy
+Destination email address
message-id
email-message-id
mime-boundary
email-mime-boundary
Message ID
+MIME Boundary
screenshot
attachment
subject
email-subject
Screenshot of email
+Subject
thread-index
email-thread-index
header
email-header
Identifies a particular conversation thread
+Full headers
@@ -2547,10 +2468,90 @@ email is a MISP object available in JSON format at
subject
email-subject
screenshot
attachment
Subject
+Screenshot of email
++
reply-to
email-reply-to
Email address the reply will be sent to
++
thread-index
email-thread-index
Identifies a particular conversation thread
++
return-path
text
Message return path
++
to-display-name
email-dst-display-name
Display name of the receiver
++
cc
email-dst
Carbon copy
++
send-date
datetime
Date the email has been sent
++
attachment
email-attachment
Attachment
++
email-body
email-body
Body of the email
@@ -2595,6 +2596,16 @@ file is a MISP object available in JSON format at
pattern-in-file
pattern-in-file
Pattern that can be found in the file
++
tlsh
tlsh
certificate
x509-fingerprint-sha1
Certificate value if the binary is signed with another authentication scheme than authenticode
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the file, in bytes
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
malware-sample
malware-sample
authentihash
authentihash
Authenticode executable signature hash
--
pattern-in-file
pattern-in-file
Pattern that can be found in the file
--
mimetype
text
text
Mime type
+Free text value to attach to the file
@@ -2705,6 +2646,36 @@ file is a MISP object available in JSON format at
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
mimetype
text
Mime type
++
sha512/224
sha512/224
entropy
float
sha256
sha256
Entropy of the whole file
+Secure Hash Algorithm 2 (256 bits)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
text
text
authentihash
authentihash
Free text value to attach to the file
+Authenticode executable signature hash
+
+
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+
sha384
-sha384
certificate
x509-fingerprint-sha1
Secure Hash Algorithm 2 (384 bits)
+Certificate value if the binary is signed with another authentication scheme than authenticode
sha1
sha1
entropy
float
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Entropy of the whole file
+
last-seen
-datetime
text
text
When the location was seen for the last time.
+A generic description of the location.
@@ -2853,16 +2854,6 @@ geolocation is a MISP object available in JSON format at
text
text
A generic description of the location.
--
region
text
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
--
longitude
float
last-seen
datetime
When the location was seen for the last time.
++
address
text
Address.
++
zipcode
text
Zip Code.
++
city
text
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
GtpImei
+GtpInterface
text
GTP IMEI (International Mobile Equipment Identity).
+GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
+
+
first-seen
datetime
When the attack has been seen for the first time.
+
GtpMessageType
+ipSrc
ip-src
IP source address.
++
PortDest
text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
+Destination port.
@@ -3001,6 +3042,26 @@ gtp-attack is a MISP object available in JSON format at
GtpImei
text
GTP IMEI (International Mobile Equipment Identity).
++
text
text
A description of the GTP attack.
++
GtpImsi
text
PortDest
text
Destination port.
--
GtpInterface
text
GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
--
first-seen
datetime
When the attack has been seen for the first time.
--
text
text
A description of the GTP attack.
--
ipDest
ip-dst
ipSrc
ip-src
GtpMessageType
text
IP source address.
+GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
+
url
-url
method
http-method
Full HTTP Request URL
+HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
-
basicauth-password
text
HTTP Basic Authentication Password
--
user-agent
user-agent
The user agent string of the user agent
--
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
-+
proxy-password
+text
HTTP Proxy Password
++
cookie
text
url
url
Full HTTP Request URL
++
host
hostname
The domain name of the server
++
proxy-user
text
HTTP Proxy Username
++
content-type
other
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
++
basicauth-password
text
HTTP Basic Authentication Password
++
user-agent
user-agent
The user agent string of the user agent
++
uri
uri
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
host
hostname
The domain name of the server
--
proxy-user
text
HTTP Proxy Username
--
proxy-password
text
HTTP Proxy Password
--
last-seen
-datetime
Last time the tuple has been seen
--
text
text
ip
ip-dst
src-port
port
IP Address
+Source port
@@ -3337,16 +3348,6 @@ ip-port is a MISP object available in JSON format at
src-port
port
Source port
--
first-seen
datetime
last-seen
datetime
Last time the tuple has been seen
++
domain
domain
ip
ip-dst
IP Address
++
ip-src
-ip-src
Source IP Address
--
description
text
ip-dst
ip-dst
ip-src
ip-src
Destination IP address
+Source IP Address
@@ -3445,6 +3456,26 @@ ja3 is a MISP object available in JSON format at
first-seen
datetime
First seen of the SSL/TLS handshake
++
ip-dst
ip-dst
Destination IP address
++
last-seen
datetime
An object to describe a legal entity..
+first-seen |
-datetime |
++ + | ++legal-entity is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
text |
+text |
- First seen of the SSL/TLS handshake +A description of the entity. |
|
commercial-name |
+text |
+
+ Commercial name of an entity. + |
+
+ + |
+
phone-number |
+phone-number |
+
+ Phone number of an entity. + |
+
+ + |
+
business |
+text |
+
+ Business area of an entity. + |
+
+ + |
+
name |
+text |
+
+ Name of an entity. + |
+
+ + |
+
registration-number |
+text |
+
+ Registration number of an entity in the relevant authority. + |
+
+ + |
+
legal-form |
+text |
+
+ Legal form of an entity. + |
+
+ + |
+
name
-text
Binary’s name
--
entrypoint-address
text
name
text
Binary’s name
++
number-sections
counter
sha512/256
sha512/256
text
text
Secure Hash Algorithm 2 (256 bits)
+Free text value to attach to the section
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
@@ -3611,40 +3750,10 @@ macho-section is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
sha384
sha384
Size of the section, in bytes
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
name
text
Name of the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -3671,40 +3780,30 @@ macho-section is a MISP object available in JSON format at
entropy
float
sha256
sha256
Entropy of the whole section
--
text
text
Free text value to attach to the section
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Secure Hash Algorithm 2 (256 bits)
sha384
sha384
size-in-bytes
size-in-bytes
Secure Hash Algorithm 2 (384 bits)
+Size of the section, in bytes
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
name
text
Name of the section
++
entropy
float
Entropy of the whole section
++
removal-date
-datetime
post
text
When the microblog post was removed
--
modification-date
datetime
Last update of the microblog post
--
url
url
Original URL location of the microblog post
+Raw post
@@ -3809,10 +3918,10 @@ microblog is a MISP object available in JSON format at
link
url
username
text
Link into the microblog post
+Username who posted the microblog post
@@ -3829,20 +3938,40 @@ microblog is a MISP object available in JSON format at
username
text
modification-date
datetime
Username who posted the microblog post
+Last update of the microblog post
post
text
url
url
Raw post
+Original URL location of the microblog post
++
link
url
Link into the microblog post
++
removal-date
datetime
When the microblog post was removed
@@ -3897,20 +4026,20 @@ mutex is a MISP object available in JSON format at
name
operating-system
text
name of the mutex
+Operating system where the mutex has been seen ['Windows', 'Unix']
operating-system
name
text
Operating system where the mutex has been seen ['Windows', 'Unix']
+name of the mutex
@@ -3955,6 +4084,86 @@ netflow is a MISP object available in JSON format at
byte-count
counter
Bytes counted in this flow
++
src-as
AS
Source AS number for this flow
++
flow-count
counter
Flows counted in this flow
++
ip-src
ip-src
IP address source of the netflow
++
first-packet-seen
datetime
First packet seen in this flow
++
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
++
tcp-flags
text
TCP flags of the flow
++
last-packet-seen
datetime
Last packet seen in this flow
++
direction
text
first-packet-seen
datetime
dst-port
port
First packet seen in this flow
+Destination port of the netflow
ip-dst
ip-dst
IP address destination of the netflow
++
src-port
port
Source port of the netflow
++
ip_version
counter
IP version of this flow
++
ip-protocol-number
size-in-bytes
byte-count
counter
Bytes counted in this flow
--
dst-port
port
Destination port of the netflow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
ip_version
counter
IP version of this flow
--
dst-as
AS
ip-src
ip-src
IP address source of the netflow
--
src-port
port
Source port of the netflow
--
flow-count
counter
Flows counted in this flow
--
last-packet-seen
datetime
Last packet seen in this flow
--
tcp-flags
text
TCP flags of the flow
--
ip-dst
ip-dst
IP address destination of the netflow
--
src-as
AS
Source AS number for this flow
--
sensor_id
-text
Sensor information where the record was seen
--
time_last
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
+Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.
@@ -4193,16 +4312,6 @@ passive-dns is a MISP object available in JSON format at
origin
text
Origin of the Passive DNS response
--
time_first
datetime
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.
--
bailiwick
text
rrname
text
time_last
datetime
Resource Record name of the queried resource.
--
rdata
text
Resource records of the queried resource
--
text
text
Description of the passive DNS record.
+Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
@@ -4273,6 +4352,26 @@ passive-dns is a MISP object available in JSON format at
rrname
text
Resource Record name of the queried resource.
++
text
text
Description of the passive DNS record.
++
count
counter
origin
text
Origin of the Passive DNS response
++
rdata
text
Resource records of the queried resource
++
sensor_id
text
Sensor information where the record was seen
++
paste
+title
text
Raw text of the paste or post
--
last-seen
datetime
When the paste has been accessible or seen for the last time.
--
url
url
Link to the original source of the paste or post.
+Title of the paste or post.
@@ -4361,6 +4470,26 @@ paste is a MISP object available in JSON format at
last-seen
datetime
When the paste has been accessible or seen for the last time.
++
paste
text
Raw text of the paste or post
++
first-seen
datetime
title
text
url
url
Title of the paste or post.
+Link to the original source of the paste or post.
@@ -4419,16 +4548,46 @@ pe is a MISP object available in JSON format at
original-filename
filename
entrypoint-section-at-position
text
OriginalFilename in the resources
+Name of the section and position of the section in the PE
file-version
text
FileVersion in the resources
++
number-sections
counter
Number of sections
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
++
file-description
text
internal-filename
filename
InternalFilename in the resources
--
pehash
pehash
file-version
text
original-filename
filename
FileVersion in the resources
+OriginalFilename in the resources
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
product-name
text
ProductName in the resources
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
entrypoint-address
text
Address of the entry point
--
lang-id
text
Lang ID in the resources
--
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
--
product-version
text
number-sections
counter
product-name
text
Number of sections
+ProductName in the resources
++
lang-id
text
Lang ID in the resources
++
imphash
imphash
Hash (md5) calculated from the import table
++
company-name
text
CompanyName in the resources
++
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
entrypoint-address
text
Address of the entry point
++
internal-filename
filename
InternalFilename in the resources
@@ -4569,16 +4718,6 @@ pe is a MISP object available in JSON format at
imphash
imphash
Hash (md5) calculated from the import table
--
legal-copyright
text
company-name
text
CompanyName in the resources
--
sha512/256
-sha512/256
text
text
Secure Hash Algorithm 2 (256 bits)
+Free text value to attach to the section
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
@@ -4657,50 +4796,10 @@ pe-section is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
sha384
sha384
Size of the section, in bytes
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
--
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -4727,40 +4826,30 @@ pe-section is a MISP object available in JSON format at
entropy
float
sha256
sha256
Entropy of the whole section
--
text
text
Free text value to attach to the section
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Secure Hash Algorithm 2 (256 bits)
sha384
sha384
size-in-bytes
size-in-bytes
Secure Hash Algorithm 2 (384 bits)
+Size of the section, in bytes
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
++
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
++
entropy
float
Entropy of the whole section
++
An person which describes a person or an identity..
+An object which describes a person or an identity..
first-name |
-
- First name of a natural person. - |
-
- - |
-
-||||||||||
passport-number |
passport-number |
@@ -4835,96 +4954,6 @@ person is a MISP object available in JSON format at nationality |
-nationality |
-
- The nationality of a natural person. - |
-
- - |
-|||||||
alias |
-text |
-
- Alias name or known as. - |
-
- - |
-|||||||||
passport-expiration |
-passport-expiration |
-
- The expiration date of a passport. - |
-
- - |
-|||||||||
redress-number |
-redress-number |
-
- The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems. - |
-
- - |
-|||||||||
passport-country |
-passport-country |
-
- The country in which the passport was issued. - |
-
- - |
-|||||||||
title |
-text |
-
- Title of the natural person such as Dr. or equivalent. - |
-
- - |
-|||||||||
gender |
-gender |
-
- The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say'] - |
-
- - |
-|||||||||
date-of-birth |
-date-of-birth |
-
- Date of birth of a natural person (in YYYY-MM-DD format). - |
-
- - |
-|||||||||
place-of-birth |
-place-of-birth |
-
- Place of birth of a natural person. - |
-
- - |
-|||||||||
middle-name |
middle-name |
@@ -4935,10 +4964,20 @@ person is a MISP object available in JSON format at text |
+social-security-number |
text |
- A description of the person or identity. +Social security number + |
+
+ + |
+||||||
title |
+text |
+
+ Title of the natural person such as Dr. or equivalent. |
@@ -4965,10 +5004,110 @@ person is a MISP object available in JSON format at social-security-number |
+nationality |
+nationality |
+
+ The nationality of a natural person. + |
+
+ + |
+|||||
identity-card-number |
+identity-card-number |
+
+ The identity card number of a natural person. + |
+
+ + |
+|||||||||
first-name |
+first-name |
+
+ First name of a natural person. + |
+
+ + |
+|||||||||
text |
text |
- Social security number +A description of the person or identity. + |
+
+ + |
+|||||||||
gender |
+gender |
+
+ The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say'] + |
+
+ + |
+|||||||||
passport-expiration |
+passport-expiration |
+
+ The expiration date of a passport. + |
+
+ + |
+|||||||||
date-of-birth |
+date-of-birth |
+
+ Date of birth of a natural person (in YYYY-MM-DD format). + |
+
+ + |
+|||||||||
place-of-birth |
+place-of-birth |
+
+ Place of birth of a natural person. + |
+
+ + |
+|||||||||
passport-country |
+passport-country |
+
+ The country in which the passport was issued. + |
+
+ + |
+|||||||||
alias |
+text |
+
+ Alias name or known as. + |
+
+ + |
+|||||||||
redress-number |
+redress-number |
+
+ The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems. |
@@ -5013,30 +5152,20 @@ phone is a MISP object available in JSON format at tmsi |
+serial-number |
text |
- Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated. +Serial Number. |
|
|||||
last-seen |
-datetime |
-
- When the phone has been accessible or seen for the last time. - |
-
- - |
-|||||||||
gummei |
+imei |
text |
- Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI). +International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones. |
@@ -5063,20 +5192,10 @@ phone is a MISP object available in JSON format at serial-number |
+tmsi |
text |
- Serial Number. - |
-
- - |
-||||
imei |
-text |
-
- International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones. +Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated. |
@@ -5103,6 +5222,26 @@ phone is a MISP object available in JSON format at last-seen |
+datetime |
+
+ When the phone has been accessible or seen for the last time. + |
+
+ + |
+||||||
gummei |
+text |
+
+ Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI). + |
+
+ + |
+|||||||||
guti |
text |
@@ -5151,40 +5290,20 @@ r2graphity is a MISP object available in JSON format at refsglobalvar |
+not-referenced-strings |
counter |
- Amount of API calls outside of code section (glob var, dynamic API) +Amount of not referenced strings |
|
||||||
get-proc-address |
+callbacks |
counter |
- Amount of calls to GetProcAddress - |
-
- - |
-||||||||
total-functions |
-counter |
-
- Total amount of functions in the file. - |
-
- - |
-|||||||||
ratio-string |
-float |
-
- Ratio: amount of referenced strings per kilobyte of code section +Amount of callbacks (functions started as thread) |
@@ -5201,10 +5320,10 @@ r2graphity is a MISP object available in JSON format at local-references |
+get-proc-address |
counter |
- Amount of API calls inside a code section +Amount of calls to GetProcAddress |
@@ -5221,50 +5340,20 @@ r2graphity is a MISP object available in JSON format at callback-largest |
-counter |
+r2-commit-version |
+text |
- Largest callback +Radare2 commit ID used to generate this object |
|
create-thread |
+shortest-path-to-create-thread |
counter |
- Amount of calls to CreateThread - |
-
- - |
-||||||||
miss-api |
-counter |
-
- Amount of API call reference that does not resolve to a function offset - |
-
- - |
-|||||||||
not-referenced-strings |
-counter |
-
- Amount of not referenced strings - |
-
- - |
-|||||||||
callback-average |
-counter |
-
- Average size of a callback +Shortest path to the first time the binary calls CreateThread |
@@ -5281,6 +5370,26 @@ r2graphity is a MISP object available in JSON format at local-references |
+counter |
+
+ Amount of API calls inside a code section + |
+
+ + |
+||||||
callback-largest |
+counter |
+
+ Largest callback + |
+
+ + |
+|||||||||
memory-allocations |
counter |
@@ -5291,10 +5400,10 @@ r2graphity is a MISP object available in JSON format at referenced-strings |
+total-functions |
counter |
- Amount of referenced strings +Total amount of functions in the file. |
@@ -5311,6 +5420,16 @@ r2graphity is a MISP object available in JSON format at referenced-strings |
+counter |
+
+ Amount of referenced strings + |
+
+ + |
+|||
total-api |
counter |
@@ -5321,10 +5440,40 @@ r2graphity is a MISP object available in JSON format at shortest-path-to-create-thread |
+ratio-string |
+float |
+
+ Ratio: amount of referenced strings per kilobyte of code section + |
+
+ + |
+||||||
refsglobalvar |
counter |
- Shortest path to the first time the binary calls CreateThread +Amount of API calls outside of code section (glob var, dynamic API) + |
+
+ + |
+|||||||||
miss-api |
+counter |
+
+ Amount of API call reference that does not resolve to a function offset + |
+
+ + |
+|||||||||
callback-average |
+counter |
+
+ Average size of a callback |
@@ -5351,20 +5500,10 @@ r2graphity is a MISP object available in JSON format at callbacks |
+create-thread |
counter |
- Amount of callbacks (functions started as thread) - |
-
- - |
-|||||
r2-commit-version |
-text |
-
- Radare2 commit ID used to generate this object +Amount of calls to CreateThread |
@@ -5409,26 +5548,6 @@ regexp is a MISP object available in JSON format at regexp |
-text |
-
- regexp - |
-
- - |
-||||||
comment |
-comment |
-
- A description of the regular expression. - |
-
- - |
-|||||||||
type |
text |
|||||||||||
regexp |
+text |
+
+ regexp + |
+
+ + |
+|||||||||
comment |
+comment |
+
+ A description of the regular expression. + |
+
+ + |
+
hive
+data-type
text
Hive used to store the registry key (file on disk)
+Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
key
regkey
Full key path
--
last-modified
datetime
Last time the registry key has been modified
--
data-type
root-keys
text
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
+Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
@@ -5537,13 +5656,13 @@ registry-key is a MISP object available in JSON format at
root-keys
text
key
regkey
Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
+Full key path
+
last-modified
datetime
Last time the registry key has been modified
++
hive
text
Hive used to store the registry key (file on disk)
++
case-number
+summary
text
Case number
+Free text summary of the report
summary
case-number
text
Free text summary of the report
+Case number
@@ -5663,6 +5802,16 @@ rtir is a MISP object available in JSON format at
classification
text
Classification of the RTIR ticket
++
constituency
text
queue
subject
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
+Subject of the RTIR ticket
@@ -5693,6 +5842,16 @@ rtir is a MISP object available in JSON format at
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
++
ticket-number
text
classification
text
Classification of the RTIR ticket
--
subject
text
Subject of the RTIR ticket
--
results
+text
Freetext result values
++
saas-sandbox
text
on-premise-sandbox
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
--
permalink
link
Permalink reference
--
raw-report
text
Raw report from sandbox
--
web-sandbox
text
A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
--
sandbox-type
text
The type of sandbox used ['on-premise', 'web', 'saas']
--
score
text
results
web-sandbox
text
Freetext result values
+A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
++
permalink
link
Permalink reference
++
sandbox-type
text
The type of sandbox used ['on-premise', 'web', 'saas']
++
raw-report
text
Raw report from sandbox
++
on-premise-sandbox
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
@@ -5879,6 +6018,26 @@ sb-signature is a MISP object available in JSON format at
text
text
Additional signature description
++
software
text
Name of Sandbox software
++
datetime
datetime
software
text
Name of Sandbox software
--
text
text
Additional signature description
--
SccpCgPC
+MapMsisdn
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
+MAP MSISDN. Phone number.
MapSmsTP-PID
MapGsmscfGT
text
MAP SMS TP-PID.
--
SccpCdGT
text
Signaling Connection Control Part (SCCP) CdGT - Phone number.
+MAP GSMSCF GT. Phone number.
MapUssdCoding
text
MAP USSD Content.
--
SccpCgSSN
text
text
MapSmsTypeNumber
text
A description of the attack seen via SS7 logging.
+MAP SMS TypeNumber.
MapSmsText
MapUssdCoding
text
MAP SMS Text. Important indicators in SMS text.
--
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
+MAP USSD Content.
SccpCgGT
MapMscGT
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
+MAP MSC GT. Phone number.
@@ -6057,16 +6166,6 @@ ss7-attack is a MISP object available in JSON format at
MapSmscGT
text
MAP SMSC. Phone number.
--
Category
text
first-seen
datetime
When the attack has been seen for the first time.
--
MapVersion
SccpCgPC
text
Map version. ['1', '2', '3']
--
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
--
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
--
MapMsisdn
text
MAP MSISDN. Phone number.
--
MapUssdContent
text
MAP USSD Content.
--
MapGmlc
text
MAP GMLC. Phone number.
+Signaling Connection Control Part (SCCP) CgPC - Phone number.
@@ -6167,26 +6196,86 @@ ss7-attack is a MISP object available in JSON format at
MapMscGT
MapUssdContent
text
MAP MSC GT. Phone number.
+MAP USSD Content.
MapSmsTypeNumber
SccpCdPC
text
MAP SMS TypeNumber.
+Signaling Connection Control Part (SCCP) CdPC - Phone number.
++
MapGmlc
text
MAP GMLC. Phone number.
++
MapSmsTP-DCS
text
MAP SMS TP-DCS.
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
++
MapSmscGT
text
MAP SMSC. Phone number.
++
first-seen
datetime
When the attack has been seen for the first time.
++
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
++
MapApplicationContext
text
MapGsmscfGT
text
text
MAP GSMSCF GT. Phone number.
+A description of the attack seen via SS7 logging.
++
SccpCgGT
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
MapSmsTP-DCS
MapSmsTP-OA
text
MAP SMS TP-DCS.
+MAP SMS TP-OA. Phone number.
++
MapSmsTP-PID
text
MAP SMS TP-PID.
++
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
++
SccpCdGT
text
Signaling Connection Control Part (SCCP) CdGT - Phone number.
++
MapVersion
text
Map version. ['1', '2', '3']
@@ -6313,40 +6452,10 @@ tor-node is a MISP object available in JSON format at
description
flags
text
Tor node description.
--
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
--
fingerprint
text
router’s fingerprint.
--
address
ip-src
IP address of the Tor node seen.
+list of flag associated with the node.
@@ -6363,20 +6472,70 @@ tor-node is a MISP object available in JSON format at
nickname
version
text
router’s nickname.
+parsed version of tor, this is None if the relay’s using a new versioning scheme.
flags
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
address
ip-src
IP address of the Tor node seen.
++
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
++
description
text
list of flag associated with the node.
+Tor node description.
++
text
text
Tor node comment.
++
nickname
text
router’s nickname.
@@ -6393,40 +6552,20 @@ tor-node is a MISP object available in JSON format at
version
version_line
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
+versioning information reported by the node.
text
fingerprint
text
Tor node comment.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
--
version_line
text
versioning information reported by the node.
+router’s fingerprint.
@@ -6471,36 +6610,6 @@ url is a MISP object available in JSON format at
subdomain
text
Subdomain
--
url
url
Full URL
--
last-seen
datetime
Last time this URL has been seen
--
scheme
text
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
query_string
text
Query (after path, preceded by '?')
++
port
port
domain_without_tld
first-seen
datetime
First time this URL has been seen
++
subdomain
text
Domain without Top-Level Domain
+Subdomain
++
domain
domain
Full domain
@@ -6541,20 +6690,10 @@ url is a MISP object available in JSON format at
text
text
url
url
Description of the URL
--
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
+Full URL
@@ -6581,6 +6720,26 @@ url is a MISP object available in JSON format at
text
text
Description of the URL
++
domain_without_tld
text
Domain without Top-Level Domain
++
host
hostname
query_string
text
Query (after path, preceded by '?')
--
domain
domain
Full domain
--
first-seen
last-seen
datetime
First time this URL has been seen
+Last time this URL has been seen
@@ -6669,56 +6808,6 @@ victim is a MISP object available in JSON format at
target-email
The email address(es) of the user targeted.
--
user
target-user
The username(s) of the user targeted.
--
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
--
node
target-machine
Name(s) of node that was targeted.
--
external
target-external
ip-address
ip-dst
target-email
IP address(es) of the node targeted.
+The email address(es) of the user targeted.
name
target-org
classification
text
The name of the department(s) or organisation(s) targeted.
+The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
node
target-machine
Name(s) of node that was targeted.
@@ -6759,13 +6858,53 @@ victim is a MISP object available in JSON format at
classification
text
name
target-org
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
+The name of the department(s) or organisation(s) targeted.
+
+
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
ip-address
ip-dst
IP address(es) of the node targeted.
++
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
user
target-user
The username(s) of the user targeted.
+
first-submission
-datetime
First Submission
--
detection-ratio
text
last-submission
datetime
Last Submission
--
permalink
link
last-submission
datetime
Last Submission
++
first-submission
datetime
First Submission
++
created
-datetime
First time when the vulnerability was discovered
--
modified
datetime
Last modification date
--
summary
text
text
Summary of the vulnerability
+Description of the vulnerability
@@ -6935,16 +7054,36 @@ vulnerability is a MISP object available in JSON format at
text
state
text
Description of the vulnerability
+State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
++
summary
text
Summary of the vulnerability
created
datetime
First time when the vulnerability was discovered
++
id
vulnerability
published
datetime
Initial publication date
--
references
link
state
text
modified
datetime
State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
+Last modification date
++
published
datetime
Initial publication date
@@ -7023,26 +7162,16 @@ whois is a MISP object available in JSON format at
modification-date
datetime
text
text
Last update of the whois entry
+Full whois entry
registrant-email
whois-registrant-email
Registrant email address
--
creation-date
datetime
text
text
registrant-org
whois-registrant-org
Full whois entry
+Registrant organisation
++
nameserver
hostname
Nameserver
@@ -7073,20 +7212,10 @@ whois is a MISP object available in JSON format at
registrant-org
whois-registrant-org
registrant-phone
whois-registrant-phone
Registrant organisation
--
registrant-name
whois-registrant-name
Registrant name
+Registrant phone number
@@ -7103,26 +7232,16 @@ whois is a MISP object available in JSON format at
nameserver
hostname
modification-date
datetime
Nameserver
+Last update of the whois entry
registrant-phone
whois-registrant-phone
Registrant phone number
--
registrar
whois-registrar
registrant-email
whois-registrant-email
Registrant email address
++
registrant-name
whois-registrant-name
Registrant name
++
issuer
-text
x509-fingerprint-md5
x509-fingerprint-md5
Issuer of the certificate
--
validity-not-before
datetime
Certificate invalid before that date
--
validity-not-after
datetime
Certificate invalid after that date
--
pubkey-info-exponent
text
Exponent of the public key
--
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
serial-number
text
Serial number of the certificate
+[Insecure] MD5 hash (128 bits)
@@ -7241,20 +7330,10 @@ x509 is a MISP object available in JSON format at
pubkey-info-algorithm
text
validity-not-after
datetime
Algorithm of the public key
--
raw-base64
text
Raw certificate base64 encoded
+Certificate invalid after that date
@@ -7271,10 +7350,10 @@ x509 is a MISP object available in JSON format at
text
subject
text
Free text description of hte certificate
+Subject of the certificate
@@ -7291,20 +7370,40 @@ x509 is a MISP object available in JSON format at
x509-fingerprint-md5
x509-fingerprint-md5
serial-number
text
[Insecure] MD5 hash (128 bits)
+Serial number of the certificate
subject
validity-not-before
datetime
Certificate invalid before that date
++
pubkey-info-exponent
text
Subject of the certificate
+Exponent of the public key
++
text
text
Free text description of hte certificate
pubkey-info-algorithm
text
Algorithm of the public key
++
issuer
text
Issuer of the certificate
++
raw-base64
text
Raw certificate base64 encoded
++
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
yara-hunt
+yara
Wide yara rule generated from -yh.
++
whitelist
comment
version
comment
yabin.py and regex.txt version used for the generation of the yara rules.
--
yara
yara
yara-hunt
yara
version
comment
Wide yara rule generated from -yh.
+yabin.py and regex.txt version used for the generation of the yara rules.
+