MISP Objects to STIX1 mapping
MISP Objects are containers for single MISP attributes that are grouped together to highlight their meaning in a real use-case scenario. For instance, if you want to share a report about suspicious files, without object templates you would end up with a list of file names, hashes and other attributes all mixed together, making it difficult to tell each file apart. With the file object template, we simply group together all the attributes that belong to each file. The list of currently supported templates is available here.
As shown in the detailed Events mapping documentation, objects within their event are exported as different STIX 2.1 objects embedded in a STIX Bundle. References to those objects are also embedded in the Report's `object_refs` field.
For the rest of this documentation, in order to keep the content clear and to skip the irrelevant parts, we consider the following:
- MISP Objects are exported as an Indicator or an Observed Data object in most cases, depending on the `to_ids` flag:
  - If any `to_ids` flag is set in an object attribute, the object is exported as an Indicator.
  - If no `to_ids` flag is set, the object is exported as an Observed Data object.
- Some objects are exported neither as Indicator nor as Observed Data.
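As an added example (not code from the misp-stix project), the export rule above applied to a domain-ip object: any `to_ids` flag set yields an Indicator whose pattern, as in the domain-ip examples further down this page, contains only the `to_ids` attributes; no flag set yields an Observed Data object with its domain-name and ipv4-addr SCOs. The sample object, its UUIDs and the `created_by_ref` identity are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample input shaped like the domain-ip objects on this page
# (UUIDs and values are placeholders made up for the example).
MISP_DOMAIN_IP = {
    "name": "domain-ip",
    "meta-category": "network",
    "uuid": "0a1b2c3d-1111-4222-8333-444455556666",
    "timestamp": "1603642920",
    "Attribute": [
        {"uuid": "aaaaaaaa-0000-4000-8000-000000000001", "object_relation": "domain",
         "type": "domain", "value": "example.test", "to_ids": True},
        {"uuid": "aaaaaaaa-0000-4000-8000-000000000002", "object_relation": "ip",
         "type": "ip-dst", "value": "192.0.2.10", "to_ids": True},
        {"uuid": "aaaaaaaa-0000-4000-8000-000000000003", "object_relation": "port",
         "type": "port", "value": "8443", "to_ids": False},
    ],
}

# Placeholder identity reference (the exporting organisation's Identity SDO).
IDENTITY_REF = "identity--00000000-0000-4000-8000-000000000000"

# How each domain-ip object_relation maps onto the STIX domain-name object;
# relations STIX has no field for become x_misp_* custom properties.
DOMAIN_IP_PATHS = {
    "domain": "domain-name:value",
    "hostname": "domain-name:x_misp_hostname",
    "ip": "domain-name:resolves_to_refs[*].value",
    "port": "domain-name:x_misp_port",
}


def misp_timestamp(ts):
    """MISP epoch string -> STIX timestamp with milliseconds (e.g. 2020-10-25T16:22:00.000Z)."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def has_to_ids(misp_object):
    """The rule from the intro: one to_ids flag is enough to make the object an Indicator."""
    return any(attr.get("to_ids") for attr in misp_object["Attribute"])


def misp_labels(misp_object, to_ids):
    """Labels as on this page; misp:to_ids records which branch of the rule applied."""
    return [
        f'misp:name="{misp_object["name"]}"',
        f'misp:meta-category="{misp_object["meta-category"]}"',
        f'misp:to_ids="{to_ids}"',
    ]


def pattern_literal(value):
    """Escape a value for a STIX pattern string literal: attribute values come from
    shared events, so a stray quote must not be able to alter the pattern."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_pattern(misp_object):
    """Comparison expression built from the to_ids attributes only, joined with AND."""
    comparisons = [
        f"{DOMAIN_IP_PATHS[attr['object_relation']]} = {pattern_literal(attr['value'])}"
        for attr in misp_object["Attribute"] if attr.get("to_ids")
    ]
    return "[" + " AND ".join(comparisons) + "]"


def to_indicator(misp_object):
    created = misp_timestamp(misp_object["timestamp"])
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{misp_object['uuid']}",
        "created_by_ref": IDENTITY_REF, "created": created, "modified": created,
        "pattern": build_pattern(misp_object),
        "pattern_type": "stix", "pattern_version": "2.1",
        "valid_from": created.replace(".000Z", "Z"),
        "kill_chain_phases": [{"kill_chain_name": "misp-category",
                               "phase_name": misp_object["meta-category"]}],
        "labels": misp_labels(misp_object, True),
    }


def to_observed_data(misp_object):
    """Observed Data plus the SCOs it references: a domain-name resolving to its addresses."""
    created = misp_timestamp(misp_object["timestamp"])
    by_relation = {}
    for attr in misp_object["Attribute"]:
        by_relation.setdefault(attr["object_relation"], []).append(attr)
    if "domain" not in by_relation:
        raise ValueError("domain-ip object without a domain attribute")
    addrs = [  # ipv6-addr for IPv6 values is an assumption beyond the page's IPv4 examples
        {"type": "ipv6-addr" if ":" in attr["value"] else "ipv4-addr", "spec_version": "2.1",
         "id": f"{'ipv6-addr' if ':' in attr['value'] else 'ipv4-addr'}--{attr['uuid']}",
         "value": attr["value"]}
        for attr in by_relation.get("ip", [])
    ]
    domain = {
        "type": "domain-name", "spec_version": "2.1",
        "id": f"domain-name--{misp_object['uuid']}",
        "value": by_relation["domain"][0]["value"],
        "resolves_to_refs": [addr["id"] for addr in addrs],
    }
    for relation in ("hostname", "port"):  # no native STIX field: keep as custom properties
        if relation in by_relation:
            domain[f"x_misp_{relation}"] = by_relation[relation][0]["value"]
    observed = {
        "type": "observed-data", "spec_version": "2.1",
        "id": f"observed-data--{misp_object['uuid']}",
        "created_by_ref": IDENTITY_REF, "created": created, "modified": created,
        "first_observed": created.replace(".000Z", "Z"),
        "last_observed": created.replace(".000Z", "Z"),
        "number_observed": 1,
        "object_refs": [domain["id"]] + [addr["id"] for addr in addrs],
        "labels": misp_labels(misp_object, False),
    }
    return [observed, domain] + addrs


def export_domain_ip(misp_object):
    """Indicator if any to_ids flag is set, otherwise Observed Data with its SCOs."""
    if has_to_ids(misp_object):
        return [to_indicator(misp_object)]
    return to_observed_data(misp_object)


if __name__ == "__main__":
    print(json.dumps(export_domain_ip(MISP_DOMAIN_IP), indent=2))
```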
Current mapping
- Script object where state is “Malicious”
- MISP
```json
{ "name": "script", "meta-category": "misc", "description": "Object describing a computer program written to be run in a special run-time environment.", "uuid": "ce12c406-cf09-457b-875a-41ab75d6dc4d", "Attribute": [ { "uuid": "96345096-72a6-5992-a946-81484f0767ad", "object_relation": "language", "value": "Python", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "651562ec-3894-5c5f-9b6a-470a5e71b4a8", "object_relation": "comment", "value": "A script that infects command line shells", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "5987f8ea-b667-5a26-931a-c627a5abf54b", "object_relation": "filename", "value": "infected.py", "type": "filename", "to_ids": true, "category": "Payload delivery" }, { "uuid": "5ee4de31-07ed-5365-b97c-763333ad2e3e", "object_relation": "script", "value": "print('You are infected')", "type": "text", "to_ids": false, "category": "Other" }, { "data": "cHJpbnQoJ1lvdSBhcmUgaW5mZWN0ZWQnKQo=", "uuid": "5987f8ea-b667-5a26-931a-c627a5abf54b", "object_relation": "script-as-attachment", "value": "infected.py", "type": "attachment", "to_ids": false, "category": "External analysis" }, { "uuid": "e678029a-fa49-5fb4-b181-088295697c0f", "object_relation": "state", "value": "Malicious", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
```
- STIX
```json
{ "type": "malware", "spec_version": "2.1", "id": "malware--ce12c406-cf09-457b-875a-41ab75d6dc4d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "infected.py", "description": "A script that infects command line shells", "is_family": false, "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "implementation_languages": [ "Python" ], "labels": [ "misp:name=\"script\"", "misp:meta-category=\"misc\"" ], "x_misp_script": "print('You are infected')", "x_misp_script_as_attachment": { "value": "infected.py", "data": "cHJpbnQoJ1lvdSBhcmUgaW5mZWN0ZWQnKQo=" }, "x_misp_state": "Malicious" }
```
- Script object where state is not “Malicious”
- MISP
```json
{ "name": "script", "meta-category": "misc", "description": "Object describing a computer program written to be run in a special run-time environment.", "uuid": "9d14bdd1-5d32-4b4d-bd50-fd3a9d1c1c04", "Attribute": [ { "uuid": "96345096-72a6-5992-a946-81484f0767ad", "object_relation": "language", "value": "Python", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "c9bd2c1f-52b4-5bb1-be28-095adb856ef4", "object_relation": "comment", "value": "A peaceful script", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "f7d945a4-a742-57d1-8f0e-6e5039839759", "object_relation": "filename", "value": "hello.py", "type": "filename", "to_ids": true, "category": "Payload delivery" }, { "uuid": "d64d07f5-0250-5b9c-a1f6-6dd5a497df37", "object_relation": "script", "value": "print('Hello World')", "type": "text", "to_ids": false, "category": "Other" }, { "data": "cHJpbnQoJ0hlbGxvIFdvcmxkJykK", "uuid": "f7d945a4-a742-57d1-8f0e-6e5039839759", "object_relation": "script-as-attachment", "value": "hello.py", "type": "attachment", "to_ids": false, "category": "External analysis" }, { "uuid": "ed658799-955d-504e-a35d-aa0a31290f23", "object_relation": "state", "value": "Harmless", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
```
- STIX
```json
{ "type": "tool", "spec_version": "2.1", "id": "tool--9d14bdd1-5d32-4b4d-bd50-fd3a9d1c1c04", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "hello.py", "description": "A peaceful script", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"script\"", "misp:meta-category=\"misc\"" ], "x_misp_language": "Python", "x_misp_script": "print('Hello World')", "x_misp_script_as_attachment": { "value": "hello.py", "data": "cHJpbnQoJ0hlbGxvIFdvcmxkJykK" }, "x_misp_state": "Harmless" }
```
- android-app
- MISP
```json
{ "name": "android-app", "meta-category": "file", "description": "Indicators related to an Android app", "uuid": "02782ed5-b27f-4abc-8bae-efebe13a46dd", "Attribute": [ { "uuid": "964623e7-46ba-53d1-be15-0372b8e4ccdb", "object_relation": "name", "value": "Facebook", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "967f2a4a-b58b-501f-b1f8-a32cb7119c42", "object_relation": "certificate", "value": "c3a94cdf5ad4d71fd60c16ba8801529c78e7398f", "type": "sha1", "to_ids": true, "category": "Payload delivery" }, { "uuid": "dfe29d95-b46e-5ec1-862f-3ed33925675d", "object_relation": "domain", "value": "facebook.com", "type": "domain", "to_ids": true, "category": "Network activity" } ], "timestamp": "1603642920" }
```
- STIX
```json
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--02782ed5-b27f-4abc-8bae-efebe13a46dd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "software--02782ed5-b27f-4abc-8bae-efebe13a46dd" ], "labels": [ "misp:name=\"android-app\"", "misp:meta-category=\"file\"" ] }, { "type": "software", "spec_version": "2.1", "id": "software--02782ed5-b27f-4abc-8bae-efebe13a46dd", "name": "Facebook", "x_misp_certificate": "c3a94cdf5ad4d71fd60c16ba8801529c78e7398f", "x_misp_domain": "facebook.com" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02782ed5-b27f-4abc-8bae-efebe13a46dd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[software:name = 'Facebook' AND software:x_misp_certificate = 'c3a94cdf5ad4d71fd60c16ba8801529c78e7398f' AND software:x_misp_domain = 'facebook.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"android-app\"", "misp:meta-category=\"file\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--49a00cf0-36aa-5d38-91dd-42dd5bbb09ae", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--02782ed5-b27f-4abc-8bae-efebe13a46dd", "target_ref": "observed-data--02782ed5-b27f-4abc-8bae-efebe13a46dd" } ]
```
- annotation
- MISP
```json
[ { "name": "annotation", "meta-category": "misc", "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.", "uuid": "eb6592bb-675c-48f3-9272-157141196b93", "ObjectReference": [ { "uuid": "a63aa9a3-0ea5-57ed-85dc-6f304612a97a", "object_uuid": "eb6592bb-675c-48f3-9272-157141196b93", "referenced_uuid": "5ac337df-e078-4e99-8b17-02550a00020f", "relationship_type": "annotates" } ], "Attribute": [ { "uuid": "7380c2cb-3a29-54a5-8ae8-2e66a2c9cf62", "object_relation": "text", "value": "Google public DNS", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "a67c24ba-191c-518c-ad25-0a18379e568d", "object_relation": "type", "value": "Executive Summary", "type": "text", "to_ids": false, "category": "Other" }, { "data": "OC44LjguOCBpcyB0aGUgR29[...]WRkcmVzc2VzIChJUHY0KS4K", "uuid": "acdac1c9-cd83-5d27-8d08-92c61ec853e6", "object_relation": "attachment", "value": "annotation.attachment", "type": "attachment", "to_ids": false, "category": "External analysis" } ], "timestamp": "1603642920" }, { "name": "domain-ip", "meta-category": "network", "description": "A domain and IP address seen as a tuple", "uuid": "5ac337df-e078-4e99-8b17-02550a00020f", "Attribute": [ { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "domain", "value": "circl.lu", "type": "domain", "category": "Network activity", "to_ids": true }, { "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "to_ids": true } ], "timestamp": "1603642920" } ]
```
- STIX
```json
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac337df-e078-4e99-8b17-02550a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "domain-name--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f" ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "value": "149.13.33.14" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "circl.lu", "resolves_to_refs": [ "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac337df-e078-4e99-8b17-02550a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[domain-name:value = 'circl.lu' AND domain-name:resolves_to_refs[*].value = '149.13.33.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"" ] }, { "type": "note", "spec_version": "2.1", "id": "note--eb6592bb-675c-48f3-9272-157141196b93", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "content": "Google public DNS", "object_refs": [ "indicator--5ac337df-e078-4e99-8b17-02550a00020f", "observed-data--5ac337df-e078-4e99-8b17-02550a00020f" ], "labels": [ "misp:name=\"annotation\"", "misp:meta-category=\"misc\"" ], "x_misp_attachment": { "value": "annotation.attachment", "data": "OC44LjguOCBpcyB0aGUgR29[...]WRkcmVzc2VzIChJUHY0KS4K" }, "x_misp_type": "Executive Summary" }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--74f723bb-92e6-5f35-9041-324978af36e2", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5ac337df-e078-4e99-8b17-02550a00020f", "target_ref": "observed-data--5ac337df-e078-4e99-8b17-02550a00020f" } ]
```
- asn
- MISP
```json
{ "name": "asn", "meta-category": "network", "description": "Autonomous system object describing an autonomous system", "uuid": "5b23c82b-6508-4bdc-b580-045b0a00020f", "Attribute": [ { "uuid": "ef92192f-89db-559e-af51-c3cc9891085b", "object_relation": "asn", "value": "66642", "type": "AS", "to_ids": true, "category": "Network activity" }, { "uuid": "e97a2a4a-90a9-59c9-9b01-ce6e6eae31a4", "object_relation": "description", "value": "AS name", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "2178808c-6979-5a88-913a-11058808dc02", "object_relation": "subnet-announced", "value": "1.2.3.4", "type": "ip-src", "to_ids": false, "category": "Network activity" }, { "uuid": "e5052de7-e1b9-5dcc-974f-0cc610f67ac5", "object_relation": "subnet-announced", "value": "8.8.8.8", "type": "ip-src", "to_ids": false, "category": "Network activity" } ], "timestamp": "1603642920" }
```
- STIX
```json
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b23c82b-6508-4bdc-b580-045b0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "autonomous-system--5b23c82b-6508-4bdc-b580-045b0a00020f" ], "labels": [ "misp:name=\"asn\"", "misp:meta-category=\"network\"" ] }, { "type": "autonomous-system", "spec_version": "2.1", "id": "autonomous-system--5b23c82b-6508-4bdc-b580-045b0a00020f", "number": 66642, "name": "AS name", "x_misp_subnet_announced": [ "1.2.3.4", "8.8.8.8" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b23c82b-6508-4bdc-b580-045b0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[autonomous-system:number = '66642']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"asn\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--6b121871-cb57-5fbb-8ff7-9c8b4be5afd3", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5b23c82b-6508-4bdc-b580-045b0a00020f", "target_ref": "observed-data--5b23c82b-6508-4bdc-b580-045b0a00020f" } ]
```
- attack-pattern
- MISP
```json
{ "name": "attack-pattern", "meta-category": "vulnerability", "description": "Attack pattern describing a common attack pattern enumeration and classification.", "uuid": "7205da54-70de-4fa7-9b34-e14e63fe6787", "Attribute": [ { "uuid": "86a9f068-3983-550d-b51f-016f55ebd0e4", "object_relation": "id", "value": "9", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "374a4144-9177-5091-a0fb-b39e90fdfc43", "object_relation": "name", "value": "Buffer Overflow in Local Command-Line Utilities", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "09c16a20-6349-5d15-a5ba-e87ccd988939", "object_relation": "summary", "value": "This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "9f229dca-478a-5a16-8b6b-b1057cc676aa", "object_relation": "related-weakness", "value": "CWE-118", "type": "weakness", "to_ids": false, "category": "External analysis" }, { "uuid": "cb771d17-91e7-59de-bb1f-a16116bf8469", "object_relation": "related-weakness", "value": "CWE-120", "type": "weakness", "to_ids": false, "category": "External analysis" }, { "uuid": "986ffde7-90ca-5242-938c-a732e6bc2b08", "object_relation": "prerequisites", "value": "The target hosst exposes a command-line utility to the user. The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited.", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "d6c1163d-7fb0-5bcb-b2e7-0dac541ccea4", "object_relation": "solutions", "value": "Carefully review the service's implementation before making it available to users.", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
```
- STIX
```json
{ "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7205da54-70de-4fa7-9b34-e14e63fe6787", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Buffer Overflow in Local Command-Line Utilities", "description": "This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "vulnerability" } ], "labels": [ "misp:name=\"attack-pattern\"", "misp:meta-category=\"vulnerability\"" ], "external_references": [ { "source_name": "capec", "external_id": "CAPEC-9" } ], "x_misp_prerequisites": "The target hosst exposes a command-line utility to the user. The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited.", "x_misp_related_weakness": [ "CWE-118", "CWE-120" ], "x_misp_solutions": "Carefully review the service's implementation before making it available to users." }
```
- course-of-action
- MISP
```json
{ "name": "course-of-action", "meta-category": "misc", "description": "An object describing a specific measure taken to prevent or respond to an attack.", "uuid": "5d514ff9-ac30-4fb5-b9e7-3eb4a964451a", "Attribute": [ { "uuid": "d07476b9-cdf8-5f8f-827b-6def0e49685a", "object_relation": "name", "value": "Block traffic to PIVY C2 Server (10.10.10.10)", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "986f06b3-fd1f-588d-9055-473df5efcd1b", "object_relation": "description", "value": "Block communication between the PIVY agents and the C2 Server", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "f7b89e1a-7694-5594-af46-be0e0b41cfe3", "object_relation": "type", "value": "Perimeter Blocking", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "986f06b3-fd1f-588d-9055-473df5efcd1b", "object_relation": "objective", "value": "Block communication between the PIVY agents and the C2 Server", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "aee3418b-cc9d-5cf3-a082-d2e818457727", "object_relation": "stage", "value": "Response", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "60352409-e630-5807-a44a-ad0b0a6ebfba", "object_relation": "cost", "value": "Low", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "60352409-e630-5807-a44a-ad0b0a6ebfba", "object_relation": "impact", "value": "Low", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "0a6f980b-52b9-5b0a-9bb3-f47556579498", "object_relation": "efficacy", "value": "High", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
```
- STIX
```json
{ "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--5d514ff9-ac30-4fb5-b9e7-3eb4a964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Block traffic to PIVY C2 Server (10.10.10.10)", "description": "Block communication between the PIVY agents and the C2 Server", "labels": [ "misp:name=\"course-of-action\"", "misp:meta-category=\"misc\"" ], "x_misp_cost": "Low", "x_misp_efficacy": "High", "x_misp_impact": "Low", "x_misp_objective": "Block communication between the PIVY agents and the C2 Server", "x_misp_stage": "Response", "x_misp_type": "Perimeter Blocking" }
```
- cpe-asset
- MISP
```json
{ "name": "cpe-asset", "meta-category": "misc", "description": "An asset which can be defined by a CPE.", "uuid": "3f53a829-6307-4006-b7a2-ff53dace4159", "Attribute": [ { "uuid": "3605adaa-4213-5092-9bbf-0bee890e878b", "object_relation": "cpe", "value": "cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*", "type": "cpe", "to_ids": true, "category": "External analysis" }, { "uuid": "564cb81e-ef9c-5cd9-924d-dc106bc822d5", "object_relation": "language", "value": "ENG", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "b5ae3eef-89b8-5457-913e-25e37d4caf24", "object_relation": "product", "value": "Word", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "6794f620-7708-5617-9db4-29aaddd01e4b", "object_relation": "vendor", "value": "Microsoft", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "dbcc7eda-a019-5790-99d3-4b1a988ea554", "object_relation": "version", "value": "2002", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "96060e2c-f80f-5d61-b3e3-22cd246a6132", "object_relation": "description", "value": "Microsoft Word is a word processing software developed by Microsoft.", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
```
- STIX
```json
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--3f53a829-6307-4006-b7a2-ff53dace4159", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "software--3f53a829-6307-4006-b7a2-ff53dace4159" ], "labels": [ "misp:name=\"cpe-asset\"", "misp:meta-category=\"misc\"" ] }, { "type": "software", "spec_version": "2.1", "id": "software--3f53a829-6307-4006-b7a2-ff53dace4159", "name": "Word", "cpe": "cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*", "languages": [ "ENG" ], "vendor": "Microsoft", "version": "2002", "x_misp_description": "Microsoft Word is a word processing software developed by Microsoft." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3f53a829-6307-4006-b7a2-ff53dace4159", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[software:cpe = 'cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"cpe-asset\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d0bf8e05-276f-5fbb-80a7-379c74b0cd04", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--3f53a829-6307-4006-b7a2-ff53dace4159", "target_ref": "observed-data--3f53a829-6307-4006-b7a2-ff53dace4159" } ]
```
- credential
- MISP
```json
{ "name": "credential", "meta-category": "misc", "description": "Credential describes one or more credential(s)", "uuid": "5b1f9378-46d4-494b-a4c1-044e0a00020f", "Attribute": [ { "uuid": "c1385bd0-ef83-5292-951e-3f08a5d1d6a6", "object_relation": "text", "value": "MISP default credentials", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "88c7168e-8bfa-571c-8452-4d03308107b8", "object_relation": "username", "value": "misp", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "3e1494e8-3bf9-5eaa-bce4-be5fe8245551", "object_relation": "password", "value": "Password1234", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "5ef7831f-c1cd-5bb2-ad98-1e57f4cce22c", "object_relation": "type", "value": "password", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "bc1eb433-4798-5aae-ad2a-ce3cb239bc79", "object_relation": "origin", "value": "malware-analysis", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "ea684d66-44f1-5fef-b3d5-3b4b32676bce", "object_relation": "format", "value": "clear-text", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "81dbf3b9-6887-52ec-a68a-4a5f13fe67d2", "object_relation": "notification", "value": "victim-notified", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
```
- STIX
```json
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b1f9378-46d4-494b-a4c1-044e0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--5b1f9378-46d4-494b-a4c1-044e0a00020f" ], "labels": [ "misp:name=\"credential\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--5b1f9378-46d4-494b-a4c1-044e0a00020f", "user_id": "misp", "credential": "Password1234", "x_misp_format": "clear-text", "x_misp_notification": "victim-notified", "x_misp_origin": "malware-analysis", "x_misp_text": "MISP default credentials", "x_misp_type": "password" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b1f9378-46d4-494b-a4c1-044e0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:x_misp_text = 'MISP default credentials']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"credential\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--220ccf27-9286-5c4d-ad40-03d68317094c", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5b1f9378-46d4-494b-a4c1-044e0a00020f", "target_ref": "observed-data--5b1f9378-46d4-494b-a4c1-044e0a00020f" } ]
```
- domain-ip
- MISP
```json
{ "name": "domain-ip", "meta-category": "network", "description": "A domain and IP address seen as a tuple", "uuid": "dc624447-684a-488f-9e16-f78f717d8efd", "Attribute": [ { "uuid": "63fa4060-98d3-4768-b18d-cfbc52f2d0ff", "object_relation": "domain", "value": "circl.lu", "type": "domain", "category": "Network activity", "to_ids": true }, { "uuid": "30e94901-9247-4d28-9746-ca4c0086201c", "object_relation": "hostname", "value": "circl.lu", "type": "hostname", "to_ids": true, "category": "Network activity" }, { "uuid": "fcbaf339-615a-409c-915f-034420dc90ca", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "to_ids": true }, { "uuid": "ff192fba-c594-4eb2-8432-cd335ad6647d", "object_relation": "port", "value": "8443", "type": "port", "category": "Network activity", "to_ids": false } ], "timestamp": "1603642920" }
```
- STIX
```json
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--dc624447-684a-488f-9e16-f78f717d8efd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "domain-name--dc624447-684a-488f-9e16-f78f717d8efd", "ipv4-addr--fcbaf339-615a-409c-915f-034420dc90ca" ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--dc624447-684a-488f-9e16-f78f717d8efd", "value": "circl.lu", "resolves_to_refs": [ "ipv4-addr--fcbaf339-615a-409c-915f-034420dc90ca" ], "x_misp_hostname": "circl.lu", "x_misp_port": "8443" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--fcbaf339-615a-409c-915f-034420dc90ca", "value": "149.13.33.14" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dc624447-684a-488f-9e16-f78f717d8efd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[domain-name:value = 'circl.lu' AND domain-name:x_misp_hostname = 'circl.lu' AND domain-name:resolves_to_refs[*].value = '149.13.33.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0acb9b01-ce40-5a1f-8ae0-4b4af33a1ca8", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--dc624447-684a-488f-9e16-f78f717d8efd", "target_ref": "observed-data--dc624447-684a-488f-9e16-f78f717d8efd" } ]
```
- domain-ip with the perfect domain & ip matching
- MISP
```json
{ "name": "domain-ip", "meta-category": "network", "description": "A domain and IP address seen as a tuple", "uuid": "5ac337df-e078-4e99-8b17-02550a00020f", "timestamp": "1603642920", "Attribute": [ { "uuid": "a2e44443-a974-47b6-bb35-69d17b1cd243", "type": "domain", "object_relation": "domain", "value": "misp-project.org" }, { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "type": "domain", "object_relation": "domain", "value": "circl.lu" }, { "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "type": "ip-dst", "object_relation": "ip", "value": "149.13.33.14" }, { "uuid": "876133b5-b5fc-449c-ba9e-e467790da8eb", "type": "ip-dst", "object_relation": "ip", "value": "185.194.93.14" } ] }
```
- STIX
```json
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac337df-e078-4e99-8b17-02550a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "ipv4-addr--876133b5-b5fc-449c-ba9e-e467790da8eb", "domain-name--a2e44443-a974-47b6-bb35-69d17b1cd243", "domain-name--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f" ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"False\"" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "value": "149.13.33.14" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--876133b5-b5fc-449c-ba9e-e467790da8eb", "value": "185.194.93.14" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--a2e44443-a974-47b6-bb35-69d17b1cd243", "value": "misp-project.org", "resolves_to_refs": [ "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "ipv4-addr--876133b5-b5fc-449c-ba9e-e467790da8eb" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "circl.lu", "resolves_to_refs": [ "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "ipv4-addr--876133b5-b5fc-449c-ba9e-e467790da8eb" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac337df-e078-4e99-8b17-02550a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[domain-name:value = 'circl.lu' AND domain-name:resolves_to_refs[*].value = '149.13.33.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"True\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0acb9b01-ce40-5a1f-8ae0-4b4af33a1ca8", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5ac337df-e078-4e99-8b17-02550a00020f", "target_ref": "observed-data--5ac337df-e078-4e99-8b17-02550a00020f" } ]
```
- email
- MISP
```json
{
  "name": "email",
  "meta-category": "network",
  "description": "Email object describing an email with meta-information",
  "uuid": "5e396622-2a54-4c8d-b61d-159da964451a",
  "Attribute": [
    { "uuid": "f5ec3603-e3d0-42d7-a372-14c1c137699b", "object_relation": "from", "value": "donald.duck@disney.com", "type": "email-src", "category": "Payload delivery", "to_ids": true },
    { "uuid": "3766d98d-d162-44d4-bc48-9518a2e48898", "object_relation": "from-display-name", "value": "Donald Duck", "type": "email-src-display-name", "category": "Payload delivery", "to_ids": false },
    { "uuid": "aebfd1b3-24bc-4da5-8e74-32cb669b8e46", "object_relation": "to", "value": "jdoe@random.org", "type": "email-dst", "category": "Payload delivery", "to_ids": true },
    { "uuid": "3a93a3ef-fd04-4ce5-98f5-f53609b39b82", "object_relation": "to-display-name", "value": "John Doe", "type": "email-dst-display-name", "category": "Payload delivery", "to_ids": false },
    { "uuid": "1a43d189-e5f6-4087-98df-b2cbddec2cd6", "object_relation": "cc", "value": "diana.prince@dc.us", "type": "email-dst", "category": "Payload delivery", "to_ids": true },
    { "uuid": "59fc0279-427c-45a2-b8a4-678e43c6f9ad", "object_relation": "cc-display-name", "value": "Diana Prince", "type": "email-dst-display-name", "category": "Payload delivery", "to_ids": false },
    { "uuid": "efde9a0a-a62a-42a8-b863-14a448e313c6", "object_relation": "cc", "value": "marie.curie@nobel.fr", "type": "email-dst", "category": "Payload delivery", "to_ids": true },
    { "uuid": "bf64f806-1660-4790-8f07-b116eb41b9bc", "object_relation": "cc-display-name", "value": "Marie Curie", "type": "email-dst-display-name", "category": "Payload delivery", "to_ids": false },
    { "uuid": "3b940996-f99b-4bda-b065-69b8957f688c", "object_relation": "bcc", "value": "jfk@gov.us", "type": "email-dst", "category": "Payload delivery", "to_ids": true },
    { "uuid": "b824e555-8609-4389-9790-71e7f2785e1b", "object_relation": "bcc-display-name", "value": "John Fitzgerald Kennedy", "type": "email-dst-display-name", "category": "Payload delivery", "to_ids": false },
    { "uuid": "f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "object_relation": "reply-to", "value": "reply-to@email.test", "type": "email-reply-to", "category": "Payload delivery", "to_ids": false },
    { "uuid": "90bd7dae-b78c-4025-9073-568950c780fb", "object_relation": "subject", "value": "Email test subject", "type": "email-subject", "category": "Payload delivery", "to_ids": false },
    { "uuid": "2007ec09-8137-4a71-a3ce-6ef967bebacf", "object_relation": "attachment", "value": "attachment1.file", "type": "email-attachment", "category": "Payload delivery", "to_ids": true },
    { "uuid": "2d35a390-ccdd-4d6b-a36d-513b05e3682a", "object_relation": "attachment", "value": "attachment2.file", "type": "email-attachment", "category": "Payload delivery", "to_ids": true },
    { "uuid": "ae3206e4-024c-4988-8455-4aea83971dea", "object_relation": "x-mailer", "value": "x-mailer-test", "type": "email-x-mailer", "category": "Payload delivery", "to_ids": false },
    { "uuid": "f2fc14de-8d32-4164-bf20-e48ca285ccb2", "object_relation": "user-agent", "value": "Test user agent", "type": "text", "to_ids": false, "category": "Other" },
    { "uuid": "0d8b91cf-bead-42df-aa6a-a21b98f8c6f7", "object_relation": "mime-boundary", "value": "Test mime boundary", "type": "email-mime-boundary", "category": "Payload delivery", "to_ids": false },
    { "uuid": "85d1fdf3-70d7-40b2-93a9-2ea2c8215fc6", "object_relation": "message-id", "value": "25", "type": "email-message-id", "category": "Payload delivery", "to_ids": false }
  ],
  "timestamp": "1603642920"
}
```
- STIX
```json
[
  {
    "type": "observed-data",
    "spec_version": "2.1",
    "id": "observed-data--5e396622-2a54-4c8d-b61d-159da964451a",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "first_observed": "2020-10-25T16:22:00Z",
    "last_observed": "2020-10-25T16:22:00Z",
    "number_observed": 1,
    "object_refs": [
      "email-message--5e396622-2a54-4c8d-b61d-159da964451a",
      "email-addr--f5ec3603-e3d0-42d7-a372-14c1c137699b",
      "email-addr--aebfd1b3-24bc-4da5-8e74-32cb669b8e46",
      "email-addr--1a43d189-e5f6-4087-98df-b2cbddec2cd6",
      "email-addr--efde9a0a-a62a-42a8-b863-14a448e313c6",
      "email-addr--3b940996-f99b-4bda-b065-69b8957f688c",
      "file--2007ec09-8137-4a71-a3ce-6ef967bebacf",
      "file--2d35a390-ccdd-4d6b-a36d-513b05e3682a"
    ],
    "labels": ["misp:name=\"email\"", "misp:meta-category=\"network\""]
  },
  {
    "type": "email-message",
    "spec_version": "2.1",
    "id": "email-message--5e396622-2a54-4c8d-b61d-159da964451a",
    "is_multipart": true,
    "from_ref": "email-addr--f5ec3603-e3d0-42d7-a372-14c1c137699b",
    "to_refs": ["email-addr--aebfd1b3-24bc-4da5-8e74-32cb669b8e46"],
    "cc_refs": ["email-addr--1a43d189-e5f6-4087-98df-b2cbddec2cd6", "email-addr--efde9a0a-a62a-42a8-b863-14a448e313c6"],
    "bcc_refs": ["email-addr--3b940996-f99b-4bda-b065-69b8957f688c"],
    "message_id": "25",
    "subject": "Email test subject",
    "additional_header_fields": { "Reply-To": "reply-to@email.test", "X-Mailer": "x-mailer-test" },
    "body_multipart": [
      { "body_raw_ref": "file--2007ec09-8137-4a71-a3ce-6ef967bebacf", "content_disposition": "attachment; filename='attachment1.file'" },
      { "body_raw_ref": "file--2d35a390-ccdd-4d6b-a36d-513b05e3682a", "content_disposition": "attachment; filename='attachment2.file'" }
    ],
    "x_misp_mime_boundary": "Test mime boundary",
    "x_misp_user_agent": "Test user agent"
  },
  { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--f5ec3603-e3d0-42d7-a372-14c1c137699b", "value": "donald.duck@disney.com", "display_name": "Donald Duck" },
  { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--aebfd1b3-24bc-4da5-8e74-32cb669b8e46", "value": "jdoe@random.org", "display_name": "John Doe" },
  { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--1a43d189-e5f6-4087-98df-b2cbddec2cd6", "value": "diana.prince@dc.us", "display_name": "Diana Prince" },
  { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--efde9a0a-a62a-42a8-b863-14a448e313c6", "value": "marie.curie@nobel.fr", "display_name": "Marie Curie" },
  { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--3b940996-f99b-4bda-b065-69b8957f688c", "value": "jfk@gov.us", "display_name": "John Fitzgerald Kennedy" },
  { "type": "file", "spec_version": "2.1", "id": "file--2007ec09-8137-4a71-a3ce-6ef967bebacf", "name": "attachment1.file" },
  { "type": "file", "spec_version": "2.1", "id": "file--2d35a390-ccdd-4d6b-a36d-513b05e3682a", "name": "attachment2.file" },
  {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--5e396622-2a54-4c8d-b61d-159da964451a",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "pattern": "[email-message:to_refs[0].value = 'jdoe@random.org' AND email-message:cc_refs[0].value = 'diana.prince@dc.us' AND email-message:cc_refs[1].value = 'marie.curie@nobel.fr' AND email-message:bcc_refs[0].value = 'jfk@gov.us' AND email-message:from_ref.value = 'donald.duck@disney.com' AND email-message:body_multipart[0].body_raw_ref.name = 'attachment1.file' AND email-message:body_multipart[0].content_disposition = 'attachment' AND email-message:body_multipart[1].body_raw_ref.name = 'attachment2.file' AND email-message:body_multipart[1].content_disposition = 'attachment']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-10-25T16:22:00Z",
    "kill_chain_phases": [{ "kill_chain_name": "misp-category", "phase_name": "network" }],
    "labels": ["misp:name=\"email\"", "misp:meta-category=\"network\""]
  },
  {
    "type": "relationship",
    "spec_version": "2.1",
    "id": "relationship--0a936557-847e-5016-ad92-c772d85cd447",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "relationship_type": "based-on",
    "source_ref": "indicator--5e396622-2a54-4c8d-b61d-159da964451a",
    "target_ref": "observed-data--5e396622-2a54-4c8d-b61d-159da964451a"
  }
]
```
- email with display names
- MISP
```json
{
  "name": "email",
  "meta-category": "network",
  "description": "Email object describing an email with meta-information",
  "uuid": "f8fa460c-9e7a-4870-bf46-fed2da3a64f8",
  "Attribute": [
    { "uuid": "f5ec3603-e3d0-42d7-a372-14c1c137699b", "object_relation": "from", "value": "donald.duck@disney.com", "type": "email-src", "category": "Payload delivery", "to_ids": true },
    { "uuid": "3766d98d-d162-44d4-bc48-9518a2e48898", "object_relation": "from-display-name", "value": "Donald Duck", "type": "email-src-display-name", "category": "Payload delivery", "to_ids": false },
    { "uuid": "aebfd1b3-24bc-4da5-8e74-32cb669b8e46", "object_relation": "to", "value": "jdoe@random.org", "type": "email-dst", "category": "Payload delivery", "to_ids": true },
    { "uuid": "3a93a3ef-fd04-4ce5-98f5-f53609b39b82", "object_relation": "to-display-name", "value": "John Doe", "type": "email-dst-display-name", "category": "Payload delivery", "to_ids": false },
    { "uuid": "1a43d189-e5f6-4087-98df-b2cbddec2cd6", "object_relation": "cc", "value": "diana.prince@dc.us", "type": "email-dst", "category": "Payload delivery", "to_ids": true },
    { "uuid": "bf64f806-1660-4790-8f07-b116eb41b9bc", "object_relation": "cc-display-name", "value": "Marie Curie", "type": "email-dst-display-name", "category": "Payload delivery", "to_ids": false },
    { "uuid": "3b940996-f99b-4bda-b065-69b8957f688c", "object_relation": "bcc", "value": "jfk@gov.us", "type": "email-dst", "category": "Payload delivery", "to_ids": true },
    { "uuid": "b824e555-8609-4389-9790-71e7f2785e1b", "object_relation": "bcc-display-name", "value": "John Fitzgerald Kennedy", "type": "email-dst-display-name", "category": "Payload delivery", "to_ids": false }
  ],
  "timestamp": "1603642920"
}
```
- STIX
```json
[
  {
    "type": "observed-data",
    "spec_version": "2.1",
    "id": "observed-data--f8fa460c-9e7a-4870-bf46-fed2da3a64f8",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "first_observed": "2020-10-25T16:22:00Z",
    "last_observed": "2020-10-25T16:22:00Z",
    "number_observed": 1,
    "object_refs": [
      "email-message--f8fa460c-9e7a-4870-bf46-fed2da3a64f8",
      "email-addr--f5ec3603-e3d0-42d7-a372-14c1c137699b",
      "email-addr--aebfd1b3-24bc-4da5-8e74-32cb669b8e46",
      "email-addr--1a43d189-e5f6-4087-98df-b2cbddec2cd6",
      "email-addr--3b940996-f99b-4bda-b065-69b8957f688c"
    ],
    "labels": ["misp:name=\"email\"", "misp:meta-category=\"network\""]
  },
  {
    "type": "email-message",
    "spec_version": "2.1",
    "id": "email-message--f8fa460c-9e7a-4870-bf46-fed2da3a64f8",
    "is_multipart": false,
    "from_ref": "email-addr--f5ec3603-e3d0-42d7-a372-14c1c137699b",
    "to_refs": ["email-addr--aebfd1b3-24bc-4da5-8e74-32cb669b8e46"],
    "cc_refs": ["email-addr--1a43d189-e5f6-4087-98df-b2cbddec2cd6"],
    "bcc_refs": ["email-addr--3b940996-f99b-4bda-b065-69b8957f688c"],
    "x_misp_cc_display_name": "Marie Curie"
  },
  { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--f5ec3603-e3d0-42d7-a372-14c1c137699b", "value": "donald.duck@disney.com", "display_name": "Donald Duck" },
  { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--aebfd1b3-24bc-4da5-8e74-32cb669b8e46", "value": "jdoe@random.org", "display_name": "John Doe" },
  { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--1a43d189-e5f6-4087-98df-b2cbddec2cd6", "value": "diana.prince@dc.us" },
  { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--3b940996-f99b-4bda-b065-69b8957f688c", "value": "jfk@gov.us", "display_name": "John Fitzgerald Kennedy" },
  {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--f8fa460c-9e7a-4870-bf46-fed2da3a64f8",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "pattern": "[email-message:to_refs[0].value = 'jdoe@random.org' AND email-message:cc_refs[0].value = 'diana.prince@dc.us' AND email-message:bcc_refs[0].value = 'jfk@gov.us' AND email-message:from_ref.value = 'donald.duck@disney.com']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-10-25T16:22:00Z",
    "kill_chain_phases": [{ "kill_chain_name": "misp-category", "phase_name": "network" }],
    "labels": ["misp:name=\"email\"", "misp:meta-category=\"network\""]
  },
  {
    "type": "relationship",
    "spec_version": "2.1",
    "id": "relationship--885d0880-572a-57ef-9993-0d8e9f239d12",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "relationship_type": "based-on",
    "source_ref": "indicator--f8fa460c-9e7a-4870-bf46-fed2da3a64f8",
    "target_ref": "observed-data--f8fa460c-9e7a-4870-bf46-fed2da3a64f8"
  }
]
```
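The two email examples above both follow the `to_ids` rule stated at the top of the page: every attribute flagged `to_ids` becomes one comparison in the Indicator pattern, attributes without the flag only reach the Observed Data side, and the display-name, subject and header attributes never appear in the pattern. The following Python is an added illustration of that rule, not misp-stix code and not part of the original page. It rebuilds the two patterns shown above from the MISP attributes; the relation-to-property table (`to` to `to_refs`, `cc` to `cc_refs`, `bcc` to `bcc_refs`, `from` to `from_ref`, `attachment` to `body_multipart`) and the grouping order (list references first, then `from_ref`, then attachments) are read off the page's output rather than taken from a specification, so treat them as assumptions about this exporter.

```python
"""Added illustration of the to_ids rule behind the page's email examples.

Not misp-stix code: it reproduces the indicator pattern shown above from the
MISP object's attributes. Property paths and their order are inferred from
the page's output (assumption).
"""

# Constructed from the MISP email object shown above (uuids and types dropped).
EMAIL_OBJECT = [
    {"object_relation": "from", "value": "donald.duck@disney.com", "to_ids": True},
    {"object_relation": "from-display-name", "value": "Donald Duck", "to_ids": False},
    {"object_relation": "to", "value": "jdoe@random.org", "to_ids": True},
    {"object_relation": "to-display-name", "value": "John Doe", "to_ids": False},
    {"object_relation": "cc", "value": "diana.prince@dc.us", "to_ids": True},
    {"object_relation": "cc-display-name", "value": "Diana Prince", "to_ids": False},
    {"object_relation": "cc", "value": "marie.curie@nobel.fr", "to_ids": True},
    {"object_relation": "cc-display-name", "value": "Marie Curie", "to_ids": False},
    {"object_relation": "bcc", "value": "jfk@gov.us", "to_ids": True},
    {"object_relation": "bcc-display-name", "value": "John Fitzgerald Kennedy", "to_ids": False},
    {"object_relation": "reply-to", "value": "reply-to@email.test", "to_ids": False},
    {"object_relation": "subject", "value": "Email test subject", "to_ids": False},
    {"object_relation": "attachment", "value": "attachment1.file", "to_ids": True},
    {"object_relation": "attachment", "value": "attachment2.file", "to_ids": True},
    {"object_relation": "x-mailer", "value": "x-mailer-test", "to_ids": False},
    {"object_relation": "user-agent", "value": "Test user agent", "to_ids": False},
    {"object_relation": "mime-boundary", "value": "Test mime boundary", "to_ids": False},
    {"object_relation": "message-id", "value": "25", "to_ids": False},
]

# MISP relation -> list-valued email-message reference property (from the page's output).
LIST_REFS = {"to": "to_refs", "cc": "cc_refs", "bcc": "bcc_refs"}


def escape_literal(value):
    """Quote a value as a STIX pattern string literal, escaping backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def is_indicator(attributes):
    """The page's rule: any to_ids attribute makes the object an Indicator."""
    return any(attribute["to_ids"] for attribute in attributes)


def build_email_pattern(attributes):
    """Return the indicator pattern, or None when no attribute is flagged to_ids."""
    comparisons = []
    # The index is the address's position in the observable's list, which holds
    # every address of that relation, so count all of them but emit only the
    # flagged ones (assumption; on the page every address is flagged).
    for relation, path in LIST_REFS.items():
        addresses = [a for a in attributes if a["object_relation"] == relation]
        for index, attribute in enumerate(addresses):
            if attribute["to_ids"]:
                comparisons.append(
                    f"email-message:{path}[{index}].value = {escape_literal(attribute['value'])}"
                )
    for attribute in attributes:
        if attribute["object_relation"] == "from" and attribute["to_ids"]:
            comparisons.append(
                f"email-message:from_ref.value = {escape_literal(attribute['value'])}"
            )
    # Attachments become body_multipart entries with a fixed content disposition.
    attachments = [a for a in attributes if a["object_relation"] == "attachment"]
    for index, attribute in enumerate(attachments):
        if attribute["to_ids"]:
            prefix = f"email-message:body_multipart[{index}]"
            comparisons.append(f"{prefix}.body_raw_ref.name = {escape_literal(attribute['value'])}")
            comparisons.append(f"{prefix}.content_disposition = 'attachment'")
    if not comparisons:
        return None
    return "[" + " AND ".join(comparisons) + "]"


def observed_only(attributes):
    """Clear every to_ids flag: the same object is then Observed Data only."""
    return [dict(attribute, to_ids=False) for attribute in attributes]


if __name__ == "__main__":
    print(build_email_pattern(EMAIL_OBJECT))
    unflagged = observed_only(EMAIL_OBJECT)
    print(is_indicator(unflagged), build_email_pattern(unflagged))
```

Running the block prints the exact pattern of the first email example, then `False None` for the same object with all flags cleared, which is the Observed-Data-only case described in the introduction.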
- employee
- MISP
```json
{
  "name": "employee",
  "meta-category": "misc",
  "description": "An employee and related data points",
  "uuid": "685a38e1-3ca1-40ef-874d-3a04b9fb3af6",
  "Attribute": [
    { "uuid": "c839f936-dd0d-5f1e-b8ef-dce8105f1916", "object_relation": "first-name", "value": "John", "type": "first-name", "to_ids": false, "category": "Person" },
    { "uuid": "763da352-c8dd-5ce8-a3a4-5c59abb5592f", "object_relation": "last-name", "value": "Doe", "type": "last-name", "to_ids": false, "category": "Person" },
    { "uuid": "5d7f5c31-3718-504c-a5d3-cf1809a24836", "object_relation": "text", "value": "John Doe is known", "type": "text", "to_ids": false, "category": "Other" },
    { "uuid": "f4e5c6b7-0469-56d4-a7c6-f2544cdf8667", "object_relation": "email-address", "value": "jdoe@email.com", "type": "target-email", "to_ids": false, "category": "Targeting data" },
    { "uuid": "5efa2fc1-3f6c-55d3-8dae-e8e1c367ea7c", "object_relation": "employee-type", "value": "Supervisor", "type": "text", "to_ids": false, "category": "Other" }
  ],
  "timestamp": "1603642920"
}
```
- STIX
```json
{
  "type": "identity",
  "spec_version": "2.1",
  "id": "identity--685a38e1-3ca1-40ef-874d-3a04b9fb3af6",
  "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
  "created": "2020-10-25T16:22:00.000Z",
  "modified": "2020-10-25T16:22:00.000Z",
  "name": "John Doe",
  "description": "John Doe is known",
  "roles": ["Supervisor"],
  "identity_class": "individual",
  "contact_information": "email-address: jdoe@email.com",
  "labels": ["misp:name=\"employee\"", "misp:meta-category=\"misc\""]
}
```
- facebook-account
- MISP
```json
{
  "name": "facebook-account",
  "meta-category": "misc",
  "description": "Facebook account.",
  "uuid": "7d8ac653-b65c-42a6-8420-ddc71d65f50d",
  "Attribute": [
    { "uuid": "c1ac19bb-59b9-5f5c-b911-a0144e5b469e", "object_relation": "account-id", "value": "1392781243", "type": "text", "to_ids": true, "category": "Other" },
    { "uuid": "c63c3824-bf67-5b6b-a43b-23ab95a24d1f", "object_relation": "account-name", "value": "octocat", "type": "text", "to_ids": false, "category": "Other" },
    { "uuid": "b05c3ccc-d3e8-536c-9a87-3705c2436572", "object_relation": "link", "value": "https://facebook.com/octocat", "type": "link", "to_ids": false, "category": "External analysis" },
    { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "e5732826-8afd-57cd-b7f7-fc51f880ba65", "object_relation": "user-avatar", "value": "octocat.png", "type": "attachment", "to_ids": false, "category": "External analysis" }
  ],
  "timestamp": "1603642920"
}
```
- STIX
```json
[
  {
    "type": "observed-data",
    "spec_version": "2.1",
    "id": "observed-data--7d8ac653-b65c-42a6-8420-ddc71d65f50d",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "first_observed": "2020-10-25T16:22:00Z",
    "last_observed": "2020-10-25T16:22:00Z",
    "number_observed": 1,
    "object_refs": ["user-account--7d8ac653-b65c-42a6-8420-ddc71d65f50d"],
    "labels": ["misp:name=\"facebook-account\"", "misp:meta-category=\"misc\""]
  },
  {
    "type": "user-account",
    "spec_version": "2.1",
    "id": "user-account--7d8ac653-b65c-42a6-8420-ddc71d65f50d",
    "user_id": "1392781243",
    "account_login": "octocat",
    "account_type": "facebook",
    "x_misp_link": "https://facebook.com/octocat",
    "x_misp_user_avatar": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" }
  },
  {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--7d8ac653-b65c-42a6-8420-ddc71d65f50d",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "pattern": "[user-account:account_type = 'facebook' AND user-account:user_id = '1392781243']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-10-25T16:22:00Z",
    "kill_chain_phases": [{ "kill_chain_name": "misp-category", "phase_name": "misc" }],
    "labels": ["misp:name=\"facebook-account\"", "misp:meta-category=\"misc\""]
  },
  {
    "type": "relationship",
    "spec_version": "2.1",
    "id": "relationship--8fcf9b3a-1f27-5f28-a265-41f56a14feeb",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "relationship_type": "based-on",
    "source_ref": "indicator--7d8ac653-b65c-42a6-8420-ddc71d65f50d",
    "target_ref": "observed-data--7d8ac653-b65c-42a6-8420-ddc71d65f50d"
  }
]
```
- file
- MISP
```json
{
  "name": "file",
  "meta-category": "file",
  "description": "File object describing a file with meta-information",
  "uuid": "5e384ae7-672c-4250-9cda-3b4da964451a",
  "Attribute": [
    { "data": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==", "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "malware-sample", "value": "oui|8764605c6f388c89096b534d33565802", "type": "malware-sample", "to_ids": true, "category": "Payload delivery", "malware_filename": "oui" },
    { "uuid": "2ce0918e-020c-53a7-980d-3b6ff629f7c0", "object_relation": "filename", "value": "oui", "type": "filename", "category": "Payload delivery", "to_ids": true },
    { "uuid": "366dfce6-7c95-5eb3-a4da-31a9867ab144", "object_relation": "md5", "value": "8764605c6f388c89096b534d33565802", "type": "md5", "to_ids": true, "category": "Payload delivery" },
    { "uuid": "2ca2da7a-ef59-5e60-9425-4f9125289fd8", "object_relation": "sha1", "value": "46aba99aa7158e4609aaa72b50990842fd22ae86", "type": "sha1", "to_ids": true, "category": "Payload delivery" },
    { "uuid": "f6e0a018-81e8-5e45-b11d-6644c11b9c41", "object_relation": "sha256", "value": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b", "type": "sha256", "to_ids": true, "category": "Payload delivery" },
    { "uuid": "4e87fefe-f91f-54ee-b202-188cd0d6a5e2", "object_relation": "size-in-bytes", "value": "35", "type": "size-in-bytes", "to_ids": false, "category": "Other" },
    { "data": "Tm9uLW1hbGljaW91cyBmaWxlCg==", "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "object_relation": "attachment", "value": "non", "type": "attachment", "to_ids": false, "category": "External analysis" },
    { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "path", "value": "/var/www/MISP/app/files/scripts/tmp", "type": "text", "to_ids": false, "category": "Other" },
    { "uuid": "14d00e55-5085-5c9a-9a22-fc74e65bfc8e", "object_relation": "file-encoding", "value": "UTF-8", "type": "text", "to_ids": false, "category": "Other" },
    { "uuid": "ef6e86be-6c9b-57d3-b1d2-12f8d223ba79", "object_relation": "creation-time", "value": "2021-10-25T16:22:00+00:00", "type": "datetime", "to_ids": false, "category": "Other" },
    { "uuid": "4f5c30f7-262b-578a-9167-37423cc8c88f", "object_relation": "modification-time", "value": "2022-10-25T16:22:00+00:00", "type": "datetime", "to_ids": false, "category": "Other" }
  ],
  "timestamp": "1603642920"
}
```
- STIX
```json
[
  {
    "type": "observed-data",
    "spec_version": "2.1",
    "id": "observed-data--5e384ae7-672c-4250-9cda-3b4da964451a",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "first_observed": "2020-10-25T16:22:00Z",
    "last_observed": "2020-10-25T16:22:00Z",
    "number_observed": 1,
    "object_refs": [
      "file--5e384ae7-672c-4250-9cda-3b4da964451a",
      "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45",
      "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f"
    ],
    "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\""]
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--5e384ae7-672c-4250-9cda-3b4da964451a",
    "hashes": {
      "MD5": "8764605c6f388c89096b534d33565802",
      "SHA-1": "46aba99aa7158e4609aaa72b50990842fd22ae86",
      "SHA-256": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b"
    },
    "size": 35,
    "name": "oui",
    "name_enc": "UTF-8",
    "ctime": "2021-10-25T16:22:00Z",
    "mtime": "2022-10-25T16:22:00Z",
    "parent_directory_ref": "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45",
    "content_ref": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
    "x_misp_attachment": { "value": "non", "data": "Tm9uLW1hbGljaW91cyBmaWxlCg==" }
  },
  { "type": "directory", "spec_version": "2.1", "id": "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "path": "/var/www/MISP/app/files/scripts/tmp" },
  {
    "type": "artifact",
    "spec_version": "2.1",
    "id": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
    "mime_type": "application/zip",
    "payload_bin": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==",
    "hashes": { "MD5": "8764605c6f388c89096b534d33565802" },
    "encryption_algorithm": "mime-type-indicated",
    "decryption_key": "infected",
    "x_misp_filename": "oui"
  },
  {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--5e384ae7-672c-4250-9cda-3b4da964451a",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "pattern": "[file:hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:hashes.'SHA-1' = '46aba99aa7158e4609aaa72b50990842fd22ae86' AND file:hashes.'SHA-256' = 'ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b' AND file:name = 'oui' AND (file:content_ref.payload_bin = 'UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==' AND file:content_ref.x_misp_filename = 'oui' AND file:content_ref.hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-10-25T16:22:00Z",
    "kill_chain_phases": [{ "kill_chain_name": "misp-category", "phase_name": "file" }],
    "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\""]
  },
  {
    "type": "relationship",
    "spec_version": "2.1",
    "id": "relationship--84a09ac4-d222-57f1-9fab-f36595b47888",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "relationship_type": "based-on",
    "source_ref": "indicator--5e384ae7-672c-4250-9cda-3b4da964451a",
    "target_ref": "observed-data--5e384ae7-672c-4250-9cda-3b4da964451a"
  }
]
```
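Two details of the file example above are easy to miss when reading the JSON: the MISP hash attribute types are renamed to the STIX `hashes` keys (`md5` to `MD5`, `sha1` to `SHA-1`, `sha256` to `SHA-256`), and a key that contains a hyphen has to be single-quoted inside a pattern (`file:hashes.'SHA-1'`) although it is an ordinary JSON key in the observable; the same quoting rule is what produces `file:extensions.'windows-pebinary-ext'` in the pe example further down. The `malware-sample` value, `filename|md5`, expands into the parenthesised `content_ref` group at the end of the pattern. The Python below is an added illustration of these three points, not misp-stix code and not part of the original page. The zip payload is a placeholder because the page truncates it, and the comparison order (hashes, then name, then the malware-sample group) is read off the page's output rather than from a specification.

```python
"""Added illustration of the file example's hashes mapping and pattern.

Not misp-stix code. Hash-key names and the comparison order are taken from
the page's output; the payload_bin value is a placeholder.
"""

# MISP attribute type -> STIX hashes key. The page's file example shows the
# first three; SHA-512 and SSDEEP appear in its pe-section example.
HASH_KEYS = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512", "ssdeep": "SSDEEP"}

# Constructed from the MISP file object shown above (uuids and types dropped).
FILE_OBJECT = [
    {"object_relation": "malware-sample", "value": "oui|8764605c6f388c89096b534d33565802",
     "data": "<base64 zip, truncated on the page>", "to_ids": True},
    {"object_relation": "filename", "value": "oui", "to_ids": True},
    {"object_relation": "md5", "value": "8764605c6f388c89096b534d33565802", "to_ids": True},
    {"object_relation": "sha1", "value": "46aba99aa7158e4609aaa72b50990842fd22ae86", "to_ids": True},
    {"object_relation": "sha256", "value": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b", "to_ids": True},
    {"object_relation": "size-in-bytes", "value": "35", "to_ids": False},
    {"object_relation": "path", "value": "/var/www/MISP/app/files/scripts/tmp", "to_ids": False},
]


def pattern_key(key):
    """Quote a property name for a pattern when it is not a bare identifier (has '-', etc.)."""
    return key if key.replace("_", "").isalnum() else f"'{key}'"


def literal(value):
    """Quote a value as a STIX pattern string literal, escaping backslash and quote."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def file_hashes(attributes):
    """The observable's `hashes` dictionary: every hash attribute, flagged or not."""
    return {HASH_KEYS[a["object_relation"]]: a["value"] for a in attributes if a["object_relation"] in HASH_KEYS}


def malware_sample_group(attribute):
    """The parenthesised content_ref comparisons for a 'filename|md5' malware-sample."""
    filename, md5 = attribute["value"].split("|", 1)
    comparisons = [
        f"file:content_ref.payload_bin = {literal(attribute['data'])}",
        f"file:content_ref.x_misp_filename = {literal(filename)}",
        f"file:content_ref.hashes.MD5 = {literal(md5)}",
        "file:content_ref.mime_type = 'application/zip'",
        "file:content_ref.encryption_algorithm = 'mime-type-indicated'",
        "file:content_ref.decryption_key = 'infected'",
    ]
    return "(" + " AND ".join(comparisons) + ")"


def build_file_pattern(attributes):
    """Indicator pattern from the to_ids attributes, or None when none is flagged."""
    flagged = [a for a in attributes if a["to_ids"]]
    comparisons = []
    for a in flagged:
        if a["object_relation"] in HASH_KEYS:
            comparisons.append(f"file:hashes.{pattern_key(HASH_KEYS[a['object_relation']])} = {literal(a['value'])}")
    for a in flagged:
        if a["object_relation"] == "filename":
            comparisons.append(f"file:name = {literal(a['value'])}")
    for a in flagged:
        if a["object_relation"] == "malware-sample":
            comparisons.append(malware_sample_group(a))
    return "[" + " AND ".join(comparisons) + "]" if comparisons else None


if __name__ == "__main__":
    print(file_hashes(FILE_OBJECT))
    print(build_file_pattern(FILE_OBJECT))
```

Apart from the placeholder payload, the printed pattern is the one shown in the file example above; `pattern_key` leaves `MD5`, `SSDEEP` and `pe_type` bare and quotes `SHA-1`, `SHA-256` and `windows-pebinary-ext`.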
- file with references to pe & pe-section(s)
- MISP
```json
[
  {
    "name": "file",
    "meta-category": "file",
    "description": "File object describing a file with meta-information",
    "uuid": "5ac47782-e1b8-40b6-96b4-02510a00020f",
    "ObjectReference": [
      { "uuid": "10244768-3e45-5877-9a4a-73db0339b13f", "object_uuid": "5ac47782-e1b8-40b6-96b4-02510a00020f", "referenced_uuid": "2183705f-e8d6-4c08-a820-5b56a1303bb1", "relationship_type": "includes", "Object": { "uuid": "2183705f-e8d6-4c08-a820-5b56a1303bb1", "name": "pe", "meta-category": "file" } }
    ],
    "Attribute": [
      { "uuid": "2ce0918e-020c-53a7-980d-3b6ff629f7c0", "object_relation": "filename", "value": "oui", "type": "filename", "category": "Payload delivery", "to_ids": true },
      { "uuid": "684da8aa-4e88-5c9b-a07c-13da628ebbee", "object_relation": "md5", "value": "b2a5abfeef9e36964281a31e17b57c97", "type": "md5", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "58fd435b-0581-5919-8cd8-de961acfa7b0", "object_relation": "sha1", "value": "5898fc860300e228dcd54c0b1045b5fa0dcda502", "type": "sha1", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "2db0135b-57a3-5117-a40a-a944905ea038", "object_relation": "sha256", "value": "3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8", "type": "sha256", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "c3dc3c3c-65a3-5ef6-84f8-e368ad98ee5f", "object_relation": "size-in-bytes", "value": "1234", "type": "size-in-bytes", "to_ids": false, "category": "Other" },
      { "uuid": "41d92b2b-af6a-5f15-bb0b-96a28f8d0562", "object_relation": "entropy", "value": "1.234", "type": "float", "to_ids": false, "category": "Other" }
    ],
    "timestamp": "1603642920"
  },
  {
    "name": "pe",
    "meta-category": "file",
    "description": "Object describing a Portable Executable",
    "uuid": "2183705f-e8d6-4c08-a820-5b56a1303bb1",
    "ObjectReference": [
      { "uuid": "f4b89dc9-35e7-5e82-9987-e1237855a124", "object_uuid": "2183705f-e8d6-4c08-a820-5b56a1303bb1", "referenced_uuid": "68bd413b-5392-4239-93a9-e574fb80af8c", "relationship_type": "includes", "Object": { "uuid": "68bd413b-5392-4239-93a9-e574fb80af8c", "name": "pe-section", "meta-category": "file" } }
    ],
    "Attribute": [
      { "uuid": "9107f9a0-6e08-521d-86cb-b4e0cd05b518", "object_relation": "type", "value": "exe", "type": "text", "to_ids": true, "category": "Other" },
      { "uuid": "08c311e3-3e82-5d93-9d9e-22d738376b91", "object_relation": "compilation-timestamp", "value": "2019-03-16T12:31:22+00:00", "type": "datetime", "to_ids": false, "category": "Other" },
      { "uuid": "395f9d84-f46f-5af5-90dd-9cdea8b48542", "object_relation": "entrypoint-address", "value": "5369222868", "type": "text", "to_ids": false, "category": "Other" },
      { "uuid": "01bcfb60-dc45-513f-86d0-8d27dd21cff5", "object_relation": "original-filename", "value": "PuTTy", "type": "filename", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "01bcfb60-dc45-513f-86d0-8d27dd21cff5", "object_relation": "internal-filename", "value": "PuTTy", "type": "filename", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "1cf025b6-9153-5cae-b4aa-1587a4882b09", "object_relation": "file-description", "value": "SSH, Telnet and Rlogin client", "type": "text", "to_ids": false, "category": "Other" },
      { "uuid": "756cfe6e-02d4-50c6-a672-02bca2e12f3a", "object_relation": "file-version", "value": "Release 0.71 (with embedded help)", "type": "text", "to_ids": false, "category": "Other" },
      { "uuid": "ed2c297c-ea18-5383-8d07-cf274d852f03", "object_relation": "lang-id", "value": "080904B0", "type": "text", "to_ids": false, "category": "Other" },
      { "uuid": "2965f7ec-77b1-5c08-ad3a-12a77d5953b9", "object_relation": "product-name", "value": "PuTTy suite", "type": "text", "to_ids": false, "category": "Other" },
      { "uuid": "88ed040b-42d1-5777-b256-b2f879fc6e7f", "object_relation": "product-version", "value": "Release 0.71", "type": "text", "to_ids": false, "category": "Other" },
      { "uuid": "368768a7-74ba-518d-a3cb-7017703fbb10", "object_relation": "company-name", "value": "Simoe Tatham", "type": "text", "to_ids": false, "category": "Other" },
      { "uuid": "6d317d97-d1fc-5932-805a-3327a0362d97", "object_relation": "legal-copyright", "value": "Copyright \u00a9 1997-2019 Simon Tatham.", "type": "text", "to_ids": false, "category": "Other" },
      { "uuid": "f56e7b8b-d90c-51c3-bdc5-cfafd1c6b147", "object_relation": "number-sections", "value": "8", "type": "counter", "to_ids": false, "category": "Other" },
      { "uuid": "ab105a26-d946-598c-b3c7-d8b0d4324135", "object_relation": "imphash", "value": "23ea835ab4b9017c74dfb023d2301c99", "type": "imphash", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "7002a5b8-f10a-5b37-9b81-b076a1674f36", "object_relation": "impfuzzy", "value": "192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt", "type": "impfuzzy", "to_ids": true, "category": "Payload delivery" }
    ],
    "timestamp": "1603642920"
  },
  {
    "name": "pe-section",
    "meta-category": "file",
    "description": "Object describing a section of a Portable Executable",
    "uuid": "68bd413b-5392-4239-93a9-e574fb80af8c",
    "Attribute": [
      { "uuid": "223c5524-6a83-5353-a3b6-1dc57f47489c", "object_relation": "name", "value": ".rsrc", "type": "text", "to_ids": true, "category": "Other" },
      { "uuid": "5bf3415c-8669-5771-a189-89cca6ce7fb7", "object_relation": "size-in-bytes", "value": "305152", "type": "size-in-bytes", "to_ids": false, "category": "Other" },
      { "uuid": "fbd3a70a-68b8-564a-ade7-1f6ac99b4683", "object_relation": "entropy", "value": "7.836462238824369", "type": "float", "to_ids": false, "category": "Other" },
      { "uuid": "0ff8c305-0d3f-5fd8-9c2e-c2e4bf502d91", "object_relation": "md5", "value": "8a2a5fc2ce56b3b04d58539a95390600", "type": "md5", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "da2dfd95-68ed-562b-8a17-0139518826dd", "object_relation": "sha1", "value": "0aeb9def096e9f73e9460afe6f8783a32c7eabdf", "type": "sha1", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "9d0a7195-bcee-540a-8820-484d0e7d2335", "object_relation": "sha256", "value": "c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b", "type": "sha256", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "44cbe6c8-5394-563f-81ca-f1953b020835", "object_relation": "sha512", "value": "98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f", "type": "sha512", "to_ids": true, "category": "Payload delivery" },
      { "uuid": "89f9d673-9a25-566f-93b9-595f981bd618", "object_relation": "ssdeep", "value": "6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK", "type": "ssdeep", "to_ids": true, "category": "Payload delivery" }
    ],
    "timestamp": "1603642920"
  }
]
```
- STIX
```json
[
  {
    "type": "observed-data",
    "spec_version": "2.1",
    "id": "observed-data--5ac47782-e1b8-40b6-96b4-02510a00020f",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "first_observed": "2020-10-25T16:22:00Z",
    "last_observed": "2020-10-25T16:22:00Z",
    "number_observed": 1,
    "object_refs": ["file--5ac47782-e1b8-40b6-96b4-02510a00020f"],
    "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\""]
  },
  {
    "type": "file",
    "spec_version": "2.1",
    "id": "file--5ac47782-e1b8-40b6-96b4-02510a00020f",
    "hashes": {
      "MD5": "b2a5abfeef9e36964281a31e17b57c97",
      "SHA-1": "5898fc860300e228dcd54c0b1045b5fa0dcda502",
      "SHA-256": "3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8"
    },
    "size": 1234,
    "name": "oui",
    "extensions": {
      "windows-pebinary-ext": {
        "pe_type": "exe",
        "imphash": "23ea835ab4b9017c74dfb023d2301c99",
        "number_of_sections": 8,
        "optional_header": { "address_of_entry_point": 5369222868 },
        "sections": [
          {
            "name": ".rsrc",
            "size": 305152,
            "entropy": 7.836462238824369,
            "hashes": {
              "MD5": "8a2a5fc2ce56b3b04d58539a95390600",
              "SHA-1": "0aeb9def096e9f73e9460afe6f8783a32c7eabdf",
              "SHA-256": "c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b",
              "SHA-512": "98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f",
              "SSDEEP": "6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK"
            }
          }
        ],
        "x_misp_company_name": "Simoe Tatham",
        "x_misp_compilation_timestamp": "2019-03-16T12:31:22Z",
        "x_misp_file_description": "SSH, Telnet and Rlogin client",
        "x_misp_file_version": "Release 0.71 (with embedded help)",
        "x_misp_impfuzzy": "192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt",
        "x_misp_internal_filename": "PuTTy",
        "x_misp_lang_id": "080904B0",
        "x_misp_legal_copyright": "Copyright \u00a9 1997-2019 Simon Tatham.",
        "x_misp_original_filename": "PuTTy",
        "x_misp_product_name": "PuTTy suite",
        "x_misp_product_version": "Release 0.71"
      }
    },
    "x_misp_entropy": "1.234"
  },
  {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--5ac47782-e1b8-40b6-96b4-02510a00020f",
    "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "pattern": "[file:hashes.MD5 = 'b2a5abfeef9e36964281a31e17b57c97' AND file:hashes.'SHA-1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502' AND file:hashes.'SHA-256' = '3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8' AND file:name = 'oui' AND file:extensions.'windows-pebinary-ext'.imphash = '23ea835ab4b9017c74dfb023d2301c99' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'PuTTy' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'PuTTy' AND file:extensions.'windows-pebinary-ext'.x_misp_impfuzzy = '192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt' AND file:extensions.'windows-pebinary-ext'.sections[0].name = '.rsrc' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.MD5 = '8a2a5fc2ce56b3b04d58539a95390600' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'SHA-1' = '0aeb9def096e9f73e9460afe6f8783a32c7eabdf' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'SHA-256' = 'c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'SHA-512' = '98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.SSDEEP = '6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK']",
    "pattern_type": "stix",
    "pattern_version": "2.1",
    "valid_from": "2020-10-25T16:22:00Z",
    "kill_chain_phases": [{ "kill_chain_name": "misp-category", "phase_name": "file" }],
    "labels": ["misp:name=\"file\"", "misp:meta-category=\"file\""]
  },
  {
    "type": "relationship",
    "spec_version": "2.1",
    "id": "relationship--bc7a056a-872e-50a5-be2d-7edff850ea0e",
    "created": "2020-10-25T16:22:00.000Z",
    "modified": "2020-10-25T16:22:00.000Z",
    "relationship_type": "based-on",
    "source_ref": "indicator--5ac47782-e1b8-40b6-96b4-02510a00020f",
    "target_ref": "observed-data--5ac47782-e1b8-40b6-96b4-02510a00020f"
  }
]
```
- geolocation
  - MISP
    ```json
    {
      "name": "geolocation",
      "meta-category": "misc",
      "description": "An object to describe a geographic location.",
      "uuid": "6a10dac8-71ac-4d9b-8269-1e9c73ea4d8f",
      "Attribute": [
        { "uuid": "8ee3b4ca-9717-5e9b-a362-6502e8ce304a", "object_relation": "address", "value": "9800 Savage Rd. Suite 6272", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "bf852908-1808-53be-92bd-51316706cd60", "object_relation": "zipcode", "value": "MD 20755", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "7f1ce5fd-21a6-5ab6-982c-f76f288b1939", "object_relation": "city", "value": "Fort Meade", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "2f37c96f-c3c2-501d-aad1-3789703259ce", "object_relation": "country", "value": "USA", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "bf8931c2-ce22-53dd-977e-d9ac6b16c054", "object_relation": "countrycode", "value": "US", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "3098a7fc-8121-5a38-a55d-ae1e7e439605", "object_relation": "region", "value": "northern-america", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "25b74439-b760-5fbf-9c0a-a77748e2921c", "object_relation": "latitude", "value": "39.108889", "type": "float", "to_ids": false, "category": "Other" },
        { "uuid": "65696787-9398-5517-bcc7-2ff277bad620", "object_relation": "longitude", "value": "-76.771389", "type": "float", "to_ids": false, "category": "Other" },
        { "uuid": "ad982c8b-74de-5ff5-a934-3f1724098de5", "object_relation": "accuracy-radius", "value": "1", "type": "float", "to_ids": false, "category": "Other" },
        { "uuid": "5ed07192-5acc-5bba-96d6-9286662ad7f8", "object_relation": "altitude", "value": "55", "type": "float", "to_ids": false, "category": "Other" }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    {
      "type": "location",
      "spec_version": "2.1",
      "id": "location--6a10dac8-71ac-4d9b-8269-1e9c73ea4d8f",
      "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
      "created": "2020-10-25T16:22:00.000Z",
      "modified": "2020-10-25T16:22:00.000Z",
      "latitude": 39.108889,
      "longitude": -76.771389,
      "precision": 1000.0,
      "region": "northern-america",
      "country": "US",
      "city": "Fort Meade",
      "street_address": "9800 Savage Rd. Suite 6272",
      "postal_code": "MD 20755",
      "labels": [ "misp:name=\"geolocation\"", "misp:meta-category=\"misc\"" ],
      "x_misp_altitude": "55",
      "x_misp_country": "USA"
    }
    ```
- github-user
  - MISP
    ```json
    {
      "name": "github-user",
      "meta-category": "misc",
      "description": "GitHub user",
      "uuid": "5177abbd-c437-4acb-9173-eee371ad24da",
      "Attribute": [
        { "uuid": "ad982c8b-74de-5ff5-a934-3f1724098de5", "object_relation": "id", "value": "1", "type": "text", "to_ids": true, "category": "Other" },
        { "uuid": "c63c3824-bf67-5b6b-a43b-23ab95a24d1f", "object_relation": "username", "value": "octocat", "type": "github-username", "to_ids": false, "category": "Social network" },
        { "uuid": "71f35ee1-dc3f-5648-a5d5-315c6a32600e", "object_relation": "user-fullname", "value": "Octo Cat", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "14a8a58c-7d05-5774-b744-9cc299818b94", "object_relation": "organisation", "value": "GitHub", "type": "github-organisation", "to_ids": false, "category": "Social network" },
        { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "e5732826-8afd-57cd-b7f7-fc51f880ba65", "object_relation": "profile-image", "value": "octocat.png", "type": "attachment", "to_ids": false, "category": "External analysis" }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    [
      {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": "observed-data--5177abbd-c437-4acb-9173-eee371ad24da",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "first_observed": "2020-10-25T16:22:00Z",
        "last_observed": "2020-10-25T16:22:00Z",
        "number_observed": 1,
        "object_refs": [ "user-account--5177abbd-c437-4acb-9173-eee371ad24da" ],
        "labels": [ "misp:name=\"github-user\"", "misp:meta-category=\"misc\"" ]
      },
      {
        "type": "user-account",
        "spec_version": "2.1",
        "id": "user-account--5177abbd-c437-4acb-9173-eee371ad24da",
        "user_id": "1",
        "account_login": "octocat",
        "account_type": "github",
        "display_name": "Octo Cat",
        "x_misp_organisation": "GitHub",
        "x_misp_profile_image": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" }
      },
      {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--5177abbd-c437-4acb-9173-eee371ad24da",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "pattern": "[user-account:account_type = 'github' AND user-account:user_id = '1']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": "2020-10-25T16:22:00Z",
        "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ],
        "labels": [ "misp:name=\"github-user\"", "misp:meta-category=\"misc\"" ]
      },
      {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--736ecf93-5d5a-552c-9d0f-bb3df9390b04",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "relationship_type": "based-on",
        "source_ref": "indicator--5177abbd-c437-4acb-9173-eee371ad24da",
        "target_ref": "observed-data--5177abbd-c437-4acb-9173-eee371ad24da"
      }
    ]
    ```
- gitlab-user
  - MISP
    ```json
    {
      "name": "gitlab-user",
      "meta-category": "misc",
      "description": "GitLab user. Gitlab.com user or self-hosted GitLab instance",
      "uuid": "20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b",
      "Attribute": [
        { "uuid": "0a709d2e-74b8-5a4c-87fe-b958f6b676f8", "object_relation": "id", "value": "1234567890", "type": "text", "to_ids": true, "category": "Other" },
        { "uuid": "13186da5-8291-5aa2-8c65-33e69ba49302", "object_relation": "name", "value": "John Doe", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "069d0826-0190-592c-b181-9e904c571a19", "object_relation": "username", "value": "j0hnd0e", "type": "text", "to_ids": false, "category": "Other" }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    [
      {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": "observed-data--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "first_observed": "2020-10-25T16:22:00Z",
        "last_observed": "2020-10-25T16:22:00Z",
        "number_observed": 1,
        "object_refs": [ "user-account--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b" ],
        "labels": [ "misp:name=\"gitlab-user\"", "misp:meta-category=\"misc\"" ]
      },
      {
        "type": "user-account",
        "spec_version": "2.1",
        "id": "user-account--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b",
        "user_id": "1234567890",
        "account_login": "j0hnd0e",
        "account_type": "gitlab",
        "display_name": "John Doe"
      },
      {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "pattern": "[user-account:account_type = 'gitlab' AND user-account:user_id = '1234567890']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": "2020-10-25T16:22:00Z",
        "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ],
        "labels": [ "misp:name=\"gitlab-user\"", "misp:meta-category=\"misc\"" ]
      },
      {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--f1f2fa84-d954-5ea5-a79c-ab531b7b2289",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "relationship_type": "based-on",
        "source_ref": "indicator--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b",
        "target_ref": "observed-data--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b"
      }
    ]
    ```
- http-request
  - MISP
    ```json
    {
      "name": "http-request",
      "meta-category": "network",
      "description": "A single HTTP request header",
      "uuid": "cfdb71ed-889f-4646-a388-43d936e1e3b9",
      "Attribute": [
        { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "ip-src", "value": "8.8.8.8", "type": "ip-src", "category": "Network activity", "to_ids": true },
        { "uuid": "d6f0e3b7-fa5d-4443-aea7-7b60b343bde7", "object_relation": "ip-dst", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "to_ids": true },
        { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "host", "value": "circl.lu", "type": "hostname", "category": "Network activity", "to_ids": true },
        { "uuid": "f3a7de4c-6aa0-5670-afae-09c03122a37f", "object_relation": "method", "value": "POST", "type": "http-method", "category": "Network activity", "to_ids": false },
        { "uuid": "d563345b-9bfb-5724-ae3c-cb9cd7549b03", "object_relation": "user-agent", "value": "Mozilla Firefox", "type": "user-agent", "category": "Network activity", "to_ids": false },
        { "uuid": "6491c90c-b659-5e33-93b8-b8d5a48b0683", "object_relation": "uri", "value": "/projects/internships/", "type": "uri", "category": "Network activity", "to_ids": true },
        { "uuid": "c45d717c-4ec9-52cd-9751-c29e95d842ba", "object_relation": "url", "value": "http://circl.lu/projects/internships/", "type": "url", "category": "Network activity", "to_ids": true },
        { "uuid": "c3852273-981e-55a4-87cd-3a6ddd2f27dc", "object_relation": "content-type", "value": "JSON", "type": "text", "category": "Network activity", "to_ids": false }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    [
      {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": "observed-data--cfdb71ed-889f-4646-a388-43d936e1e3b9",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "first_observed": "2020-10-25T16:22:00Z",
        "last_observed": "2020-10-25T16:22:00Z",
        "number_observed": 1,
        "object_refs": [
          "network-traffic--cfdb71ed-889f-4646-a388-43d936e1e3b9",
          "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
          "ipv4-addr--d6f0e3b7-fa5d-4443-aea7-7b60b343bde7",
          "domain-name--34cb1a7c-55ec-412a-8684-ba4a88d83a45"
        ],
        "labels": [ "misp:name=\"http-request\"", "misp:meta-category=\"network\"" ]
      },
      {
        "type": "network-traffic",
        "spec_version": "2.1",
        "id": "network-traffic--cfdb71ed-889f-4646-a388-43d936e1e3b9",
        "src_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
        "dst_ref": "ipv4-addr--d6f0e3b7-fa5d-4443-aea7-7b60b343bde7",
        "protocols": [ "tcp", "http" ],
        "extensions": {
          "http-request-ext": {
            "request_method": "POST",
            "request_value": "/projects/internships/",
            "request_header": { "Content-Type": "JSON", "User-Agent": "Mozilla Firefox" }
          }
        },
        "x_misp_url": "http://circl.lu/projects/internships/"
      },
      {
        "type": "ipv4-addr",
        "spec_version": "2.1",
        "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
        "value": "8.8.8.8"
      },
      {
        "type": "ipv4-addr",
        "spec_version": "2.1",
        "id": "ipv4-addr--d6f0e3b7-fa5d-4443-aea7-7b60b343bde7",
        "value": "149.13.33.14"
      },
      {
        "type": "domain-name",
        "spec_version": "2.1",
        "id": "domain-name--34cb1a7c-55ec-412a-8684-ba4a88d83a45",
        "value": "circl.lu",
        "resolves_to_refs": [ "ipv4-addr--d6f0e3b7-fa5d-4443-aea7-7b60b343bde7" ]
      },
      {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '8.8.8.8') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.13.33.14') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu') AND network-traffic:extensions.'http-request-ext'.request_value = '/projects/internships/' AND network-traffic:extensions.'http-request-ext'.request_value = 'http://circl.lu/projects/internships/']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": "2020-10-25T16:22:00Z",
        "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ],
        "labels": [ "misp:name=\"http-request\"", "misp:meta-category=\"network\"" ]
      },
      {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--ebea2f94-85c1-5d84-a4bd-4f7ca8ab1daa",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "relationship_type": "based-on",
        "source_ref": "indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9",
        "target_ref": "observed-data--cfdb71ed-889f-4646-a388-43d936e1e3b9"
      }
    ]
    ```
- identity
  - MISP
    ```json
    {
      "name": "identity",
      "meta-category": "misc",
      "description": "Identities can represent actual individuals, organizations, or groups as well as classes of individuals, organizations, systems or groups.",
      "uuid": "a54e32af-5569-4949-b1fe-ad75054cde45",
      "Attribute": [
        { "uuid": "13186da5-8291-5aa2-8c65-33e69ba49302", "object_relation": "name", "value": "John Doe", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "fb28923e-66cb-5874-922e-20d61ba23c5d", "object_relation": "contact_information", "value": "email-address: jdoe@email.com / phone-number: 0123456789", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "88dca187-3769-5b65-8ed2-c9c35c5a17e6", "object_relation": "description", "value": "Unknown person", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "4e3c432e-f2c6-5ade-b697-93ed04debf99", "object_relation": "identity_class", "value": "individual", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "b587f53f-b1f5-596c-9aba-8e3f237ce5b5", "object_relation": "roles", "value": "Placeholder name", "type": "text", "to_ids": false, "category": "Other" }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--a54e32af-5569-4949-b1fe-ad75054cde45",
      "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
      "created": "2020-10-25T16:22:00.000Z",
      "modified": "2020-10-25T16:22:00.000Z",
      "name": "John Doe",
      "description": "Unknown person",
      "roles": [ "Placeholder name" ],
      "identity_class": "individual",
      "contact_information": "email-address: jdoe@email.com / phone-number: 0123456789",
      "labels": [ "misp:name=\"identity\"", "misp:meta-category=\"misc\"" ]
    }
    ```
- image
  - MISP
    ```json
    {
      "name": "image",
      "meta-category": "file",
      "description": "Object describing an image file.",
      "uuid": "939b2f03-c487-4f62-a90e-cab7acfee294",
      "Attribute": [
        { "data": "iVBORw0KGgoAAAANSUhEUgA[...]gEefQAAAABJRU5ErkJggg==", "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "attachment", "value": "STIX.png", "type": "attachment", "to_ids": true, "category": "External analysis" },
        { "uuid": "3fded30a-57dd-5de6-995b-f47bc371185f", "object_relation": "filename", "value": "STIX.png", "type": "filename", "to_ids": true, "category": "Payload delivery" },
        { "uuid": "d85eeb1a-f4a2-4b9f-a367-d84f9a7e6303", "object_relation": "url", "value": "https://oasis-open.github.io/cti-documentation/img/STIX.png", "type": "url", "to_ids": true, "category": "Network activity" },
        { "uuid": "039c6ee4-fc8a-51e8-a0b0-27df517e7358", "object_relation": "image-text", "value": "STIX", "type": "text", "to_ids": false, "category": "Other" }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    [
      {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": "observed-data--939b2f03-c487-4f62-a90e-cab7acfee294",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "first_observed": "2020-10-25T16:22:00Z",
        "last_observed": "2020-10-25T16:22:00Z",
        "number_observed": 1,
        "object_refs": [
          "file--939b2f03-c487-4f62-a90e-cab7acfee294",
          "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f"
        ],
        "labels": [ "misp:name=\"image\"", "misp:meta-category=\"file\"" ]
      },
      {
        "type": "file",
        "spec_version": "2.1",
        "id": "file--939b2f03-c487-4f62-a90e-cab7acfee294",
        "name": "STIX.png",
        "content_ref": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
        "x_misp_image_text": "STIX"
      },
      {
        "type": "artifact",
        "spec_version": "2.1",
        "id": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
        "mime_type": "image/png",
        "payload_bin": "iVBORw0KGgoAAAANSUhEUgA[...]gEefQAAAABJRU5ErkJggg==",
        "x_misp_filename": "STIX.png",
        "x_misp_url": "https://oasis-open.github.io/cti-documentation/img/STIX.png"
      },
      {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--939b2f03-c487-4f62-a90e-cab7acfee294",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "pattern": "[file:name = 'STIX.png' AND file:content_ref.payload_bin = 'iVBORw0KGgoAAAANSUhEUgA[...]gEefQAAAABJRU5ErkJggg==' AND file:content_ref.mime_type = 'image/png' AND file:content_ref.x_misp_filename = 'STIX.png' AND file:content_ref.url = 'https://oasis-open.github.io/cti-documentation/img/STIX.png']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": "2020-10-25T16:22:00Z",
        "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ],
        "labels": [ "misp:name=\"image\"", "misp:meta-category=\"file\"" ]
      },
      {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--76ad9b09-f2b7-55da-b0fc-56fd9eef58ce",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "relationship_type": "based-on",
        "source_ref": "indicator--939b2f03-c487-4f62-a90e-cab7acfee294",
        "target_ref": "observed-data--939b2f03-c487-4f62-a90e-cab7acfee294"
      }
    ]
    ```
- intrusion-set
  - MISP
    ```json
    {
      "name": "intrusion-set",
      "meta-category": "misc",
      "description": "An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization",
      "uuid": "79a012ce-9eac-4249-9e7c-fadddfb6e93d",
      "Attribute": [
        { "uuid": "6f1b8f41-adc1-53bc-a3ea-1d51168bb601", "object_relation": "name", "value": "Bobcat Breakin", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "0c528fd2-6c4e-5bbd-a30a-fb789fc313ea", "object_relation": "description", "value": "Incidents usually feature a shared TTP of a bobcat being released within the building containing network access, scaring users to leave their computers without locking them first.", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "63d5b763-8bbb-5eec-b3e4-65bd8a9011ea", "object_relation": "aliases", "value": "Zookeeper", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "062031a7-4077-597c-868e-50d19a2fa30b", "object_relation": "goals", "value": "acquisition-theft", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "9372c331-c663-5e10-ad40-057f09ad3602", "object_relation": "goals", "value": "harassment", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "7ffcdef6-f0fa-5809-8324-abbf1fec7cc6", "object_relation": "goals", "value": "damage", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "2453d333-f34a-504d-85c1-ac4fe4322a65", "object_relation": "resource_level", "value": "organization", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "5d3dc324-665c-5f4d-877c-0d7150dd7774", "object_relation": "primary-motivation", "value": "organizational gain", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "6a7ae7f7-5951-50b0-8a27-c938cc37b21f", "object_relation": "secondary-motivation", "value": "personal gain", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "5d6cd0f2-a7ca-5fab-89e2-417cfc78ee8d", "object_relation": "first_seen", "value": "2016-04-06T20:03:48+00:00", "type": "datetime", "to_ids": false, "category": "Other" },
        { "uuid": "ea687979-fc72-5438-92a9-8eee9ce6e9fb", "object_relation": "last_seen", "value": "2017-05-15T21:05:06+00:00", "type": "datetime", "to_ids": false, "category": "Other" }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    {
      "type": "intrusion-set",
      "spec_version": "2.1",
      "id": "intrusion-set--79a012ce-9eac-4249-9e7c-fadddfb6e93d",
      "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
      "created": "2020-10-25T16:22:00.000Z",
      "modified": "2020-10-25T16:22:00.000Z",
      "name": "Bobcat Breakin",
      "description": "Incidents usually feature a shared TTP of a bobcat being released within the building containing network access, scaring users to leave their computers without locking them first.",
      "aliases": [ "Zookeeper" ],
      "first_seen": "2016-04-06T20:03:48Z",
      "last_seen": "2017-05-15T21:05:06Z",
      "goals": [ "acquisition-theft", "harassment", "damage" ],
      "resource_level": "organization",
      "primary_motivation": "organizational gain",
      "secondary_motivations": [ "personal gain" ],
      "labels": [ "misp:name=\"intrusion-set\"", "misp:meta-category=\"misc\"" ]
    }
    ```
- ip-port
  - MISP
    ```json
    {
      "name": "ip-port",
      "meta-category": "network",
      "description": "An IP address (or domain) and a port",
      "uuid": "5ac47edc-31e4-4402-a7b6-040d0a00020f",
      "Attribute": [
        { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "to_ids": true },
        { "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "object_relation": "dst-port", "value": "443", "type": "port", "category": "Network activity", "to_ids": false },
        { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "domain", "value": "circl.lu", "type": "domain", "category": "Network activity", "to_ids": true },
        { "uuid": "94a2b00f-bec3-4f8a-bea4-e4ccf0de776f", "object_relation": "first-seen", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "to_ids": false, "category": "Other" }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    [
      {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": "observed-data--5ac47edc-31e4-4402-a7b6-040d0a00020f",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "first_observed": "2020-10-25T16:22:00Z",
        "last_observed": "2020-10-25T16:22:00Z",
        "number_observed": 1,
        "object_refs": [
          "network-traffic--5ac47edc-31e4-4402-a7b6-040d0a00020f",
          "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f"
        ],
        "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"" ]
      },
      {
        "type": "network-traffic",
        "spec_version": "2.1",
        "id": "network-traffic--5ac47edc-31e4-4402-a7b6-040d0a00020f",
        "start": "2020-10-25T16:22:00Z",
        "dst_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
        "dst_port": 443,
        "protocols": [ "ipv4" ],
        "x_misp_domain": "circl.lu"
      },
      {
        "type": "ipv4-addr",
        "spec_version": "2.1",
        "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
        "value": "149.13.33.14"
      },
      {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--5ac47edc-31e4-4402-a7b6-040d0a00020f",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.13.33.14') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu')]",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": "2020-10-25T16:22:00Z",
        "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ],
        "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"" ]
      },
      {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--fe702a84-9baf-56af-8f52-f16b46f7d8df",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "relationship_type": "based-on",
        "source_ref": "indicator--5ac47edc-31e4-4402-a7b6-040d0a00020f",
        "target_ref": "observed-data--5ac47edc-31e4-4402-a7b6-040d0a00020f"
      }
    ]
    ```
- legal-entity
  - MISP
    ```json
    {
      "name": "legal-entity",
      "meta-category": "misc",
      "description": "An object to describe a legal entity.",
      "uuid": "0d55ba1f-c3ff-4b91-8a09-8713576e178b",
      "Attribute": [
        { "uuid": "b43404e0-c7e8-5fd9-9981-e45de957f255", "object_relation": "name", "value": "Umbrella Corporation", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "61e7577c-ccc8-51f5-8d51-cfa53c2db004", "object_relation": "text", "value": "The Umbrella Corporation is an international pharmaceutical company.", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "6987d4a0-109b-5777-ac2e-f97f5a3f0b16", "object_relation": "business", "value": "Pharmaceutical", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "0a709d2e-74b8-5a4c-87fe-b958f6b676f8", "object_relation": "phone-number", "value": "1234567890", "type": "phone-number", "to_ids": false, "category": "Person" },
        { "uuid": "b4b30611-5bb0-5803-8b9e-d22114b29a59", "object_relation": "website", "value": "https://umbrella.org", "type": "link", "to_ids": false, "category": "External analysis" },
        { "uuid": "3f4829cd-1913-5be3-bc0c-a50abb0df423", "object_relation": "registration-number", "value": "11223344556677889900", "type": "text", "to_ids": false, "category": "Other" },
        { "data": "iVBORw0KGgoAAAANSUhEUgA[...]DAbmag+AAAAAElFTkSuQmCC", "uuid": "5eae2726-eb9a-5980-b9d7-2b1fb9cfb07e", "object_relation": "logo", "value": "umbrella_logo", "type": "attachment", "to_ids": false, "category": "External analysis" }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--0d55ba1f-c3ff-4b91-8a09-8713576e178b",
      "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
      "created": "2020-10-25T16:22:00.000Z",
      "modified": "2020-10-25T16:22:00.000Z",
      "name": "Umbrella Corporation",
      "description": "The Umbrella Corporation is an international pharmaceutical company.",
      "identity_class": "organization",
      "sectors": [ "Pharmaceutical" ],
      "contact_information": "phone-number: 1234567890 / website: https://umbrella.org",
      "labels": [ "misp:name=\"legal-entity\"", "misp:meta-category=\"misc\"" ],
      "x_misp_logo": { "value": "umbrella_logo", "data": "iVBORw0KGgoAAAANSUhEUgA[...]DAbmag+AAAAAElFTkSuQmCC" },
      "x_misp_registration_number": "11223344556677889900"
    }
    ```
- lnk
  - MISP
    ```json
    {
      "name": "lnk",
      "meta-category": "file",
      "description": "LNK object describing a Windows LNK binary file (aka Windows shortcut)",
      "uuid": "153ef8d5-9182-45ec-bf1c-5819932b9ab7",
      "Attribute": [
        { "uuid": "2ce0918e-020c-53a7-980d-3b6ff629f7c0", "object_relation": "filename", "value": "oui", "type": "filename", "category": "Payload delivery", "to_ids": true },
        { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "fullpath", "value": "/var/www/MISP/app/files/scripts/tmp", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "366dfce6-7c95-5eb3-a4da-31a9867ab144", "object_relation": "md5", "value": "8764605c6f388c89096b534d33565802", "type": "md5", "to_ids": true, "category": "Payload delivery" },
        { "uuid": "2ca2da7a-ef59-5e60-9425-4f9125289fd8", "object_relation": "sha1", "value": "46aba99aa7158e4609aaa72b50990842fd22ae86", "type": "sha1", "to_ids": true, "category": "Payload delivery" },
        { "uuid": "f6e0a018-81e8-5e45-b11d-6644c11b9c41", "object_relation": "sha256", "value": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b", "type": "sha256", "to_ids": true, "category": "Payload delivery" },
        { "data": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==", "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "malware-sample", "value": "oui|8764605c6f388c89096b534d33565802", "type": "malware-sample", "to_ids": true, "category": "Payload delivery", "malware_filename": "oui" },
        { "uuid": "4e87fefe-f91f-54ee-b202-188cd0d6a5e2", "object_relation": "size-in-bytes", "value": "35", "type": "size-in-bytes", "to_ids": false, "category": "Other" },
        { "uuid": "d0be6ec4-44e7-5953-9998-3ad0ece285ca", "object_relation": "lnk-creation-time", "value": "2017-10-01T08:00:00+00:00", "type": "datetime", "category": "Other", "to_ids": false },
        { "uuid": "f0cdf620-0734-5715-ae7f-e77b069987d9", "object_relation": "lnk-modification-time", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "category": "Other", "to_ids": false },
        { "uuid": "def00e72-650c-5ba1-8ae9-44b0b2cf7907", "object_relation": "lnk-access-time", "value": "2021-01-01T00:00:00+00:00", "type": "datetime", "category": "Other", "to_ids": false }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    [
      {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": "observed-data--153ef8d5-9182-45ec-bf1c-5819932b9ab7",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "first_observed": "2020-10-25T16:22:00Z",
        "last_observed": "2020-10-25T16:22:00Z",
        "number_observed": 1,
        "object_refs": [
          "file--153ef8d5-9182-45ec-bf1c-5819932b9ab7",
          "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45",
          "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f"
        ],
        "labels": [ "misp:name=\"lnk\"", "misp:meta-category=\"file\"" ]
      },
      {
        "type": "file",
        "spec_version": "2.1",
        "id": "file--153ef8d5-9182-45ec-bf1c-5819932b9ab7",
        "hashes": {
          "MD5": "8764605c6f388c89096b534d33565802",
          "SHA-1": "46aba99aa7158e4609aaa72b50990842fd22ae86",
          "SHA-256": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b"
        },
        "size": 35,
        "name": "oui",
        "ctime": "2017-10-01T08:00:00Z",
        "mtime": "2020-10-25T16:22:00Z",
        "atime": "2021-01-01T00:00:00Z",
        "parent_directory_ref": "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45",
        "content_ref": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f"
      },
      {
        "type": "directory",
        "spec_version": "2.1",
        "id": "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45",
        "path": "/var/www/MISP/app/files/scripts/tmp"
      },
      {
        "type": "artifact",
        "spec_version": "2.1",
        "id": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f",
        "mime_type": "application/zip",
        "payload_bin": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==",
        "hashes": { "MD5": "8764605c6f388c89096b534d33565802" },
        "encryption_algorithm": "mime-type-indicated",
        "decryption_key": "infected",
        "x_misp_filename": "oui"
      },
      {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--153ef8d5-9182-45ec-bf1c-5819932b9ab7",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "pattern": "[file:name = 'oui' AND file:hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:hashes.'SHA-1' = '46aba99aa7158e4609aaa72b50990842fd22ae86' AND file:hashes.'SHA-256' = 'ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b' AND (file:content_ref.payload_bin = 'UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==' AND file:content_ref.x_misp_filename = 'oui' AND file:content_ref.hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": "2020-10-25T16:22:00Z",
        "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ],
        "labels": [ "misp:name=\"lnk\"", "misp:meta-category=\"file\"" ]
      },
      {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--07f16a3d-81c4-5672-bfee-35849cabd11d",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "relationship_type": "based-on",
        "source_ref": "indicator--153ef8d5-9182-45ec-bf1c-5819932b9ab7",
        "target_ref": "observed-data--153ef8d5-9182-45ec-bf1c-5819932b9ab7"
      }
    ]
    ```
- mutex
  - MISP
    ```json
    {
      "name": "mutex",
      "meta-category": "misc",
      "description": "Object to describe mutual exclusion locks (mutex) as seen in memory or computer program",
      "uuid": "b0f55591-6a63-4fbd-a169-064e64738d95",
      "Attribute": [
        { "uuid": "9b8ed587-34b5-5082-b31d-f06e95c0ae61", "object_relation": "name", "value": "MutexTest", "type": "text", "to_ids": true, "category": "Other" },
        { "uuid": "5f8f2a95-fb55-5d8b-be26-a486700ce89e", "object_relation": "description", "value": "Test mutex on unix", "type": "text", "to_ids": false, "category": "Other" },
        { "uuid": "58094f12-25ab-504c-b6ca-5ace52216cf5", "object_relation": "operating-system", "value": "Unix", "type": "text", "to_ids": false, "category": "Other" }
      ],
      "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    [
      {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": "observed-data--b0f55591-6a63-4fbd-a169-064e64738d95",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "first_observed": "2020-10-25T16:22:00Z",
        "last_observed": "2020-10-25T16:22:00Z",
        "number_observed": 1,
        "object_refs": [ "mutex--b0f55591-6a63-4fbd-a169-064e64738d95" ],
        "labels": [ "misp:name=\"mutex\"", "misp:meta-category=\"misc\"" ]
      },
      {
        "type": "mutex",
        "spec_version": "2.1",
        "id": "mutex--b0f55591-6a63-4fbd-a169-064e64738d95",
        "name": "MutexTest",
        "x_misp_description": "Test mutex on unix",
        "x_misp_operating_system": "Unix"
      },
      {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--b0f55591-6a63-4fbd-a169-064e64738d95",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "pattern": "[mutex:name = 'MutexTest']",
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": "2020-10-25T16:22:00Z",
        "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ],
        "labels": [ "misp:name=\"mutex\"", "misp:meta-category=\"misc\"" ]
      },
      {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--bf518690-a15d-5479-bbd4-b2b7401a314b",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "relationship_type": "based-on",
        "source_ref": "indicator--b0f55591-6a63-4fbd-a169-064e64738d95",
        "target_ref": "observed-data--b0f55591-6a63-4fbd-a169-064e64738d95"
      }
    ]
    ```
- netflow
  - MISP
    { "name": "netflow", "meta-category": "network", "description": "Netflow object describes an network object based on the Netflowv5/v9 minimal definition", "uuid": "419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "Attribute": [ { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "ip-src", "value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "to_ids": true }, { "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "object_relation": "ip-dst", "value": "5.6.7.8", "type": "ip-dst", "category": "Network activity", "to_ids": true }, { "uuid": "53a12da9-4b66-4809-b0b4-e9de3172e7a0", "object_relation": "src-as", "value": "1234", "type": "AS", "category": "Network activity", "to_ids": false }, { "uuid": "f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "object_relation": "dst-as", "value": "5678", "type": "AS", "category": "Network activity", "to_ids": false }, { "uuid": "a94c6f3e-1224-5099-bcae-83fdef51c336", "object_relation": "src-port", "value": "80", "type": "port", "category": "Network activity", "to_ids": false }, { "uuid": "bde9f5c7-68b4-58d9-b612-ee729aa54518", "object_relation": "dst-port", "value": "8080", "type": "port", "category": "Network activity", "to_ids": false }, { "uuid": "f7a3090a-de52-51fd-95e9-d4cd3bef522d", "object_relation": "protocol", "value": "IP", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "f0cdf620-0734-5715-ae7f-e77b069987d9", "object_relation": "first-packet-seen", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "to_ids": false, "category": "Other" }, { "uuid": "a3cfd8f2-1f80-54f4-adb1-13757bd2c080", "object_relation": "tcp-flags", "value": "00000002", "type": "text", "category": "Network activity", "to_ids": false } ], "timestamp": "1603642920" }
  - STIX
    [ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "network-traffic--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "autonomous-system--53a12da9-4b66-4809-b0b4-e9de3172e7a0", "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "autonomous-system--f2259650-bc33-4b64-a3a8-a324aa7ea6bb" ], "labels": [ "misp:name=\"netflow\"", "misp:meta-category=\"network\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "start": "2020-10-25T16:22:00Z", "src_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "dst_ref": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "src_port": 80, "dst_port": 8080, "protocols": [ "tcp", "ip" ], "extensions": { "tcp-ext": { "src_flags_hex": "00000002" } } }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "1.2.3.4", "belongs_to_refs": [ "autonomous-system--53a12da9-4b66-4809-b0b4-e9de3172e7a0" ] }, { "type": "autonomous-system", "spec_version": "2.1", "id": "autonomous-system--53a12da9-4b66-4809-b0b4-e9de3172e7a0", "number": 1234 }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "value": "5.6.7.8", "belongs_to_refs": [ "autonomous-system--f2259650-bc33-4b64-a3a8-a324aa7ea6bb" ] }, { "type": "autonomous-system", "spec_version": "2.1", "id": "autonomous-system--f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "number": 5678 }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.6.7.8')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"netflow\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4a74e43e-9a68-5b6f-9005-158c2acfc4c0", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "target_ref": "observed-data--419eb5a9-d232-4aa1-864e-2f4d7270a8f9" } ]
- network-connection
  - MISP
    { "name": "network-connection", "meta-category": "network", "description": "A local or remote network connection", "uuid": "5afacc53-c0b0-4825-a6ee-03c80a00020f", "Attribute": [ { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "ip-src", "value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "to_ids": true }, { "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "object_relation": "ip-dst", "value": "5.6.7.8", "type": "ip-dst", "category": "Network activity", "to_ids": true }, { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "src-port", "value": "8080", "type": "port", "category": "Network activity", "to_ids": false }, { "uuid": "94a2b00f-bec3-4f8a-bea4-e4ccf0de776f", "object_relation": "dst-port", "value": "8080", "type": "port", "category": "Network activity", "to_ids": false }, { "uuid": "f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "object_relation": "hostname-dst", "value": "circl.lu", "type": "hostname", "to_ids": true, "category": "Network activity" }, { "uuid": "e072dfbb-c6fd-4312-8201-d140575536c4", "object_relation": "layer3-protocol", "value": "IP", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "5acce519-b670-4cb2-af19-9c6d7b6f256c", "object_relation": "layer4-protocol", "value": "TCP", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "53a12da9-4b66-4809-b0b4-e9de3172e7a0", "object_relation": "layer7-protocol", "value": "HTTP", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
  - STIX
    [ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5afacc53-c0b0-4825-a6ee-03c80a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "network-traffic--5afacc53-c0b0-4825-a6ee-03c80a00020f", "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b" ], "labels": [ "misp:name=\"network-connection\"", "misp:meta-category=\"network\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5afacc53-c0b0-4825-a6ee-03c80a00020f", "src_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "dst_ref": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "src_port": 8080, "dst_port": 8080, "protocols": [ "ip", "tcp", "http" ], "x_misp_hostname_dst": "circl.lu" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "1.2.3.4" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "value": "5.6.7.8" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.6.7.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"network-connection\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--808a7355-d235-5530-bbe6-989b3a7fe1d1", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f", "target_ref": "observed-data--5afacc53-c0b0-4825-a6ee-03c80a00020f" } ]
- network-socket
  - MISP
    { "name": "network-socket", "meta-category": "network", "description": "Network socket object describes a local or remote network connections based on the socket data structure", "uuid": "5afb3223-0988-4ef1-a920-02070a00020f", "Attribute": [ { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "ip-src", "value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "to_ids": true }, { "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "object_relation": "ip-dst", "value": "5.6.7.8", "type": "ip-dst", "category": "Network activity", "to_ids": true }, { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "src-port", "value": "8080", "type": "port", "category": "Network activity", "to_ids": false }, { "uuid": "94a2b00f-bec3-4f8a-bea4-e4ccf0de776f", "object_relation": "dst-port", "value": "8080", "type": "port", "category": "Network activity", "to_ids": false }, { "uuid": "f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "object_relation": "hostname-dst", "value": "circl.lu", "type": "hostname", "to_ids": true, "category": "Network activity" }, { "uuid": "e072dfbb-c6fd-4312-8201-d140575536c4", "object_relation": "address-family", "value": "AF_INET", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "5acce519-b670-4cb2-af19-9c6d7b6f256c", "object_relation": "domain-family", "value": "PF_INET", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "a79ac2c8-c8c6-4a93-9f11-71a217ef3107", "object_relation": "socket-type", "value": "SOCK_RAW", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "53a12da9-4b66-4809-b0b4-e9de3172e7a0", "object_relation": "state", "value": "listening", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "2f057cc4-b70b-4305-9442-638dbb807a5c", "object_relation": "protocol", "value": "TCP", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
  - STIX
    [ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5afb3223-0988-4ef1-a920-02070a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "network-traffic--5afb3223-0988-4ef1-a920-02070a00020f", "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b" ], "labels": [ "misp:name=\"network-socket\"", "misp:meta-category=\"network\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5afb3223-0988-4ef1-a920-02070a00020f", "src_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "dst_ref": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "src_port": 8080, "dst_port": 8080, "protocols": [ "tcp" ], "extensions": { "socket-ext": { "address_family": "AF_INET", "is_listening": true, "socket_type": "SOCK_RAW" } }, "x_misp_domain_family": "PF_INET", "x_misp_hostname_dst": "circl.lu" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "1.2.3.4" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "value": "5.6.7.8" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5afb3223-0988-4ef1-a920-02070a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.6.7.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"network-socket\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--17ee379b-2ee8-54d0-b79f-3462fc161a7a", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5afb3223-0988-4ef1-a920-02070a00020f", "target_ref": "observed-data--5afb3223-0988-4ef1-a920-02070a00020f" } ]
- news-agency
  - MISP
    { "name": "news-agency", "meta-category": "misc", "description": "News agencies compile news and disseminate news in bulk.", "uuid": "d17e31ce-5a7a-4713-bdff-49d89548c259", "Attribute": [ { "uuid": "d16bc7f1-4da2-5292-b4b4-7b5633a2dafc", "object_relation": "name", "value": "Agence France-Presse", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "3d93ed8a-611b-5f26-85ea-46120fa15c47", "object_relation": "address", "value": "13 place de la Bourse, 75002 Paris", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "b93faf0b-bd83-5b92-9595-a9baf705b95a", "object_relation": "e-mail", "value": "contact@afp.fr", "type": "email-src", "to_ids": true, "category": "Payload delivery" }, { "uuid": "2764f4fe-4c02-541f-8109-4bdb84a5284b", "object_relation": "phone-number", "value": "330140414646", "type": "phone-number", "to_ids": false, "category": "Person" }, { "uuid": "630f2ca8-9dd2-5747-ac8b-0b44fac3bca7", "object_relation": "address", "value": "Southern Railway Building, 1500 K Street, NW, Suite 600", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "331ecd80-9d0b-516f-9296-e713ab807eab", "object_relation": "e-mail", "value": "contact@afp.us", "type": "email-src", "to_ids": true, "category": "Payload delivery" }, { "uuid": "dd0f3896-5eaf-526e-b5af-3ba648c41c2b", "object_relation": "phone-number", "value": "12024140600", "type": "phone-number", "to_ids": false, "category": "Person" }, { "uuid": "45cf7411-7f66-5302-a12e-90f87bf75f3c", "object_relation": "link", "value": "https://www.afp.com/", "type": "link", "to_ids": false, "category": "External analysis" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]OkjUAAAAABJRU5ErkJggg==", "uuid": "1e2e95a2-7dcc-5c2f-b744-2d8ccd55ec50", "object_relation": "attachment", "value": "AFP_logo.png", "type": "attachment", "to_ids": false, "category": "External analysis" } ], "timestamp": "1603642920" }
  - STIX
    { "type": "identity", "spec_version": "2.1", "id": "identity--d17e31ce-5a7a-4713-bdff-49d89548c259", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Agence France-Presse", "identity_class": "organization", "contact_information": "address: 13 place de la Bourse, 75002 Paris; Southern Railway Building, 1500 K Street, NW, Suite 600 / e-mail: contact@afp.fr; contact@afp.us / phone-number: 330140414646; 12024140600 / link: https://www.afp.com/", "labels": [ "misp:name=\"news-agency\"", "misp:meta-category=\"misc\"" ], "x_misp_attachment": { "value": "AFP_logo.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]OkjUAAAAABJRU5ErkJggg==" } }
- nova-rule
  - MISP
    { "name": "nova-rule", "meta-category": "detection", "description": "NOVA prompt detection rule metadata and logic for a single NOVA rule.", "uuid": "cb44774d-ce45-411b-b6fb-9f0278edd25c", "Attribute": [ { "uuid": "426a7d82-4f15-4411-b9ff-6ced24df09bf", "object_relation": "raw-rule", "value": "rule MultimodalInjection\n{\n meta:\n description = \"Detects multimodal prompt injection attempts\"\n author = \"@fr0gger_\"\n version = \"1.0\"\n category = \"suspicious_patterns/cross_modal\"\n reference = \"LLM01:2025 Prompt Injection\"\n uuid = \"520b23d8-54c0-4ade-b8a7-cdc1a90c0def\"\n date = \"2026-02-21\"\n severity = \"high\"\n\n keywords:\n $image_process = /process (this|the) image|analyze (this|the) image|look at (this|the) image/i\n $hidden_content = /hidden (text|content|message|instruction)/i\n $watermark = /watermark|embedded text|text in image/i\n $multimodal = /multimodal|cross-modal|multiple formats/i\n\n semantics:\n $hidden_in_media = \"instructions hidden in the image\" (0.4)\n $cross_modal_attack = \"combine text and image instructions\" (0.4)\n\n llm:\n $image_injection = \"Does this prompt involve processing images that might contain hidden instructions or malicious content?\" (0.3)\n\n condition:\n (keywords.$image_process and (keywords.$hidden_content or keywords.$watermark)) or\n keywords.$multimodal or\n semantics.$hidden_in_media or\n semantics.$cross_modal_attack or\n llm.$image_injection\n}", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "45a97c82-f65d-465e-a005-8b2155fe801e", "object_relation": "rule-name", "value": "MultimodalInjection", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
  - STIX
    { "type": "indicator", "spec_version": "2.1", "id": "indicator--cb44774d-ce45-411b-b6fb-9f0278edd25c", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "MultimodalInjection", "pattern": "rule MultimodalInjection\n{\n meta:\n description = \"Detects multimodal prompt injection attempts\"\n author = \"@fr0gger_\"\n version = \"1.0\"\n category = \"suspicious_patterns/cross_modal\"\n reference = \"LLM01:2025 Prompt Injection\"\n uuid = \"520b23d8-54c0-4ade-b8a7-cdc1a90c0def\"\n date = \"2026-02-21\"\n severity = \"high\"\n\n keywords:\n $image_process = /process (this|the) image|analyze (this|the) image|look at (this|the) image/i\n $hidden_content = /hidden (text|content|message|instruction)/i\n $watermark = /watermark|embedded text|text in image/i\n $multimodal = /multimodal|cross-modal|multiple formats/i\n\n semantics:\n $hidden_in_media = \"instructions hidden in the image\" (0.4)\n $cross_modal_attack = \"combine text and image instructions\" (0.4)\n\n llm:\n $image_injection = \"Does this prompt involve processing images that might contain hidden instructions or malicious content?\" (0.3)\n\n condition:\n (keywords.$image_process and (keywords.$hidden_content or keywords.$watermark)) or\n keywords.$multimodal or\n semantics.$hidden_in_media or\n semantics.$cross_modal_attack or\n llm.$image_injection\n}", "pattern_type": "nova", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "detection" } ], "labels": [ "misp:name=\"nova-rule\"", "misp:meta-category=\"detection\"" ] }
- organization
  - MISP
    { "name": "organization", "meta-category": "misc", "description": "An object which describes an organization.", "uuid": "fe85995c-189d-4c20-9d0e-dfc03e72000b", "Attribute": [ { "uuid": "5ee4f522-1449-50a8-9045-ef1608684e11", "object_relation": "name", "value": "Computer Incident Response Center of Luxembourg", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "fbb18eff-0679-5e31-b395-eb168068285a", "object_relation": "description", "value": "The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to gather, review, report and respond to computer security threats and incidents.", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "c7149d20-5242-5301-b293-f3dc7f5df871", "object_relation": "address", "value": "16, bd d'Avranches, L-1160 Luxembourg", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "ace71601-7a2b-5bca-a55d-f457d20404ed", "object_relation": "e-mail", "value": "info@circl.lu", "type": "email-src", "to_ids": true, "category": "Payload delivery" }, { "uuid": "89821e00-fae0-53e2-9c7f-aec02b4dceeb", "object_relation": "phone-number", "value": "+35224788444", "type": "phone-number", "to_ids": false, "category": "Person" }, { "uuid": "5ef6a782-3593-5f7e-9897-e87728196e1a", "object_relation": "role", "value": "national CERT", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "598703d1-2901-551a-bfec-554df8ecec79", "object_relation": "alias", "value": "CIRCL", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
  - STIX
    { "type": "identity", "spec_version": "2.1", "id": "identity--fe85995c-189d-4c20-9d0e-dfc03e72000b", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Computer Incident Response Center of Luxembourg", "description": "The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to gather, review, report and respond to computer security threats and incidents.", "roles": [ "national CERT" ], "identity_class": "organization", "contact_information": "address: 16, bd d'Avranches, L-1160 Luxembourg / e-mail: info@circl.lu / phone-number: +35224788444", "labels": [ "misp:name=\"organization\"", "misp:meta-category=\"misc\"" ], "x_misp_alias": "CIRCL" }
- owasp-crs-rule
  - MISP
    { "name": "owasp-crs-rule", "meta-category": "network", "description": "OWASP Core Rule Set (CRS) rule metadata for a WAF detection rule.", "uuid": "3b80a1ad-f1f6-4565-bdbd-909d5bc93048", "Attribute": [ { "uuid": "a70883d8-0bc9-4ed5-a91a-e4b40601e0d0", "object_relation": "rule-id", "value": "CRS Rule 901500", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "a87681ff-fc0d-42a8-99a4-53981017641c", "object_relation": "raw-rule", "value": "SecRule TX:detection_paranoia_level \"@lt %{tx.blocking_paranoia_level}\" \"id:901500, phase:1, deny, status:500, t:none, log, msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting', tag:'OWASP_CRS', ver:'OWASP_CRS/4.26.0-dev'\"", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
  - STIX
    { "type": "indicator", "spec_version": "2.1", "id": "indicator--3b80a1ad-f1f6-4565-bdbd-909d5bc93048", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "CRS Rule 901500", "pattern": "SecRule TX:detection_paranoia_level \"@lt %{tx.blocking_paranoia_level}\" \"id:901500, phase:1, deny, status:500, t:none, log, msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting', tag:'OWASP_CRS', ver:'OWASP_CRS/4.26.0-dev'\"", "pattern_type": "crs", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"owasp-crs-rule\"", "misp:meta-category=\"network\"" ] }
- parler-account
  - MISP
    { "name": "parler-account", "meta-category": "misc", "description": "Parler account.", "uuid": "7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "Attribute": [ { "uuid": "6ca3ce1a-96e1-55a7-8897-d3cddb6c5191", "object_relation": "account-id", "value": "42", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "56eacc04-265c-5e1d-b45a-422e24aced04", "object_relation": "account-name", "value": "ParlerOctocat", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "7741e019-6c71-5a75-9deb-23126ab338cf", "object_relation": "human", "value": false, "type": "boolean", "to_ids": false, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "e5732826-8afd-57cd-b7f7-fc51f880ba65", "object_relation": "profile-photo", "value": "octocat.png", "type": "attachment", "to_ids": false, "category": "External analysis" } ], "timestamp": "1603642920" }
  - STIX
    [ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--7b0698a0-209a-4da0-a5c5-cfc4734f3af2" ], "labels": [ "misp:name=\"parler-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "user_id": "42", "account_login": "ParlerOctocat", "account_type": "parler", "x_misp_human": false, "x_misp_profile_photo": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'parler' AND user-account:user_id = '42']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"parler-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ba5f302f-42da-5e3a-b7b4-19b878ba22b0", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "target_ref": "observed-data--7b0698a0-209a-4da0-a5c5-cfc4734f3af2" } ]
- pe & pe-sections
  - MISP
    [ { "name": "pe", "meta-category": "file", "description": "Object describing a Portable Executable", "uuid": "2183705f-e8d6-4c08-a820-5b56a1303bb1", "ObjectReference": [ { "uuid": "f4b89dc9-35e7-5e82-9987-e1237855a124", "object_uuid": "2183705f-e8d6-4c08-a820-5b56a1303bb1", "referenced_uuid": "68bd413b-5392-4239-93a9-e574fb80af8c", "relationship_type": "includes", "Object": { "uuid": "68bd413b-5392-4239-93a9-e574fb80af8c", "name": "pe-section", "meta-category": "file" } } ], "Attribute": [ { "uuid": "9107f9a0-6e08-521d-86cb-b4e0cd05b518", "object_relation": "type", "value": "exe", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "08c311e3-3e82-5d93-9d9e-22d738376b91", "object_relation": "compilation-timestamp", "value": "2019-03-16T12:31:22+00:00", "type": "datetime", "to_ids": false, "category": "Other" }, { "uuid": "395f9d84-f46f-5af5-90dd-9cdea8b48542", "object_relation": "entrypoint-address", "value": "5369222868", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "01bcfb60-dc45-513f-86d0-8d27dd21cff5", "object_relation": "original-filename", "value": "PuTTy", "type": "filename", "to_ids": true, "category": "Payload delivery" }, { "uuid": "01bcfb60-dc45-513f-86d0-8d27dd21cff5", "object_relation": "internal-filename", "value": "PuTTy", "type": "filename", "to_ids": true, "category": "Payload delivery" }, { "uuid": "1cf025b6-9153-5cae-b4aa-1587a4882b09", "object_relation": "file-description", "value": "SSH, Telnet and Rlogin client", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "756cfe6e-02d4-50c6-a672-02bca2e12f3a", "object_relation": "file-version", "value": "Release 0.71 (with embedded help)", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "ed2c297c-ea18-5383-8d07-cf274d852f03", "object_relation": "lang-id", "value": "080904B0", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "2965f7ec-77b1-5c08-ad3a-12a77d5953b9", "object_relation": "product-name", "value": "PuTTy suite", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "88ed040b-42d1-5777-b256-b2f879fc6e7f", "object_relation": "product-version", "value": "Release 0.71", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "368768a7-74ba-518d-a3cb-7017703fbb10", "object_relation": "company-name", "value": "Simoe Tatham", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "6d317d97-d1fc-5932-805a-3327a0362d97", "object_relation": "legal-copyright", "value": "Copyright \u00a9 1997-2019 Simon Tatham.", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "f56e7b8b-d90c-51c3-bdc5-cfafd1c6b147", "object_relation": "number-sections", "value": "8", "type": "counter", "to_ids": false, "category": "Other" }, { "uuid": "ab105a26-d946-598c-b3c7-d8b0d4324135", "object_relation": "imphash", "value": "23ea835ab4b9017c74dfb023d2301c99", "type": "imphash", "to_ids": true, "category": "Payload delivery" }, { "uuid": "7002a5b8-f10a-5b37-9b81-b076a1674f36", "object_relation": "impfuzzy", "value": "192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt", "type": "impfuzzy", "to_ids": true, "category": "Payload delivery" } ], "timestamp": "1603642920" }, { "name": "pe-section", "meta-category": "file", "description": "Object describing a section of a Portable Executable", "uuid": "68bd413b-5392-4239-93a9-e574fb80af8c", "Attribute": [ { "uuid": "223c5524-6a83-5353-a3b6-1dc57f47489c", "object_relation": "name", "value": ".rsrc", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "5bf3415c-8669-5771-a189-89cca6ce7fb7", "object_relation": "size-in-bytes", "value": "305152", "type": "size-in-bytes", "to_ids": false, "category": "Other" }, { "uuid": "fbd3a70a-68b8-564a-ade7-1f6ac99b4683", "object_relation": "entropy", "value": "7.836462238824369", "type": "float", "to_ids": false, "category": "Other" }, { "uuid": "0ff8c305-0d3f-5fd8-9c2e-c2e4bf502d91", "object_relation": "md5", "value": "8a2a5fc2ce56b3b04d58539a95390600", "type": "md5", "to_ids": true, "category": "Payload delivery" }, { "uuid": "da2dfd95-68ed-562b-8a17-0139518826dd", "object_relation": "sha1", "value": "0aeb9def096e9f73e9460afe6f8783a32c7eabdf", "type": "sha1", "to_ids": true, "category": "Payload delivery" }, { "uuid": "9d0a7195-bcee-540a-8820-484d0e7d2335", "object_relation": "sha256", "value": "c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b", "type": "sha256", "to_ids": true, "category": "Payload delivery" }, { "uuid": "44cbe6c8-5394-563f-81ca-f1953b020835", "object_relation": "sha512", "value": "98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f", "type": "sha512", "to_ids": true, "category": "Payload delivery" }, { "uuid": "89f9d673-9a25-566f-93b9-595f981bd618", "object_relation": "ssdeep", "value": "6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK", "type": "ssdeep", "to_ids": true, "category": "Payload delivery" } ], "timestamp": "1603642920" } ]
  - STIX
    [ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--2183705f-e8d6-4c08-a820-5b56a1303bb1", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "file--2183705f-e8d6-4c08-a820-5b56a1303bb1" ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--2183705f-e8d6-4c08-a820-5b56a1303bb1", "name": "PuTTy", "extensions": { "windows-pebinary-ext": { "pe_type": "exe", "imphash": "23ea835ab4b9017c74dfb023d2301c99", "number_of_sections": 8, "optional_header": { "address_of_entry_point": 5369222868 }, "sections": [ { "name": ".rsrc", "size": 305152, "entropy": 7.836462238824369, "hashes": { "MD5": "8a2a5fc2ce56b3b04d58539a95390600", "SHA-1": "0aeb9def096e9f73e9460afe6f8783a32c7eabdf", "SHA-256": "c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b", "SHA-512": "98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f", "SSDEEP": "6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK" } } ], "x_misp_company_name": "Simoe Tatham", "x_misp_compilation_timestamp": "2019-03-16T12:31:22Z", "x_misp_file_description": "SSH, Telnet and Rlogin client", "x_misp_file_version": "Release 0.71 (with embedded help)", "x_misp_impfuzzy": "192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt", "x_misp_internal_filename": "PuTTy", "x_misp_lang_id": "080904B0", "x_misp_legal_copyright": "Copyright \u00a9 1997-2019 Simon Tatham.", "x_misp_original_filename": "PuTTy", "x_misp_product_name": "PuTTy suite", "x_misp_product_version": "Release 0.71" } } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2183705f-e8d6-4c08-a820-5b56a1303bb1", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[file:extensions.'windows-pebinary-ext'.imphash = '23ea835ab4b9017c74dfb023d2301c99' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'PuTTy' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'PuTTy' AND file:extensions.'windows-pebinary-ext'.x_misp_impfuzzy = '192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt' AND file:extensions.'windows-pebinary-ext'.sections[0].name = '.rsrc' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.MD5 = '8a2a5fc2ce56b3b04d58539a95390600' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'SHA-1' = '0aeb9def096e9f73e9460afe6f8783a32c7eabdf' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'SHA-256' = 'c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'SHA-512' = '98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.SSDEEP = '6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"pe\"", "misp:meta-category=\"file\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--be646f8d-799c-54db-96df-75403f9969f4", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--2183705f-e8d6-4c08-a820-5b56a1303bb1", "target_ref": "observed-data--2183705f-e8d6-4c08-a820-5b56a1303bb1" }
]
- person
- MISP
{ "name": "person", "meta-category": "misc", "description": "An object which describes a person or an identity.", "uuid": "868037d5-d804-4f1d-8016-f296361f9c68", "Attribute": [ { "uuid": "37c42710-aaf7-4f10-956b-f8eb7adffb81", "object_relation": "first-name", "value": "John", "type": "first-name", "to_ids": false, "category": "Person" }, { "uuid": "05583483-4d7f-496a-aa1b-279d484b5966", "object_relation": "last-name", "value": "Smith", "type": "last-name", "to_ids": false, "category": "Person" }, { "uuid": "a4e174fc-f341-432f-beb3-27b99ec22541", "object_relation": "nationality", "value": "USA", "type": "nationality", "to_ids": false, "category": "Person" }, { "uuid": "f6f12b78-5f96-4c64-9462-2e881d70cd4a", "object_relation": "passport-number", "value": "ABA9875413", "type": "passport-number", "to_ids": false, "category": "Person" }, { "uuid": "6c0a87f4-54a3-401a-a37f-13b2996d4d37", "object_relation": "phone-number", "value": "0123456789", "type": "phone-number", "to_ids": false, "category": "Person" }, { "uuid": "6a464f2f-1ae0-4810-ab67-378e2489b8c0", "object_relation": "role", "value": "Guru", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
- STIX
{ "type": "identity", "spec_version": "2.1", "id": "identity--868037d5-d804-4f1d-8016-f296361f9c68", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "John Smith", "roles": [ "Guru" ], "identity_class": "individual", "contact_information": "phone-number: 0123456789", "labels": [ "misp:name=\"person\"", "misp:meta-category=\"misc\"" ], "x_misp_nationality": "USA", "x_misp_passport_number": "ABA9875413" }
- process
- MISP
{ "name": "process", "meta-category": "misc", "description": "Object describing a system process.", "uuid": "5e39776a-b284-40b3-8079-22fea964451a", "Attribute": [ { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "pid", "value": "2510", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "object_relation": "child-pid", "value": "1401", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "parent-pid", "value": "2107", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "94a2b00f-bec3-4f8a-bea4-e4ccf0de776f", "object_relation": "name", "value": "TestProcess", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "object_relation": "image", "value": "test_process.exe", "type": "filename", "to_ids": true, "category": "Payload delivery" }, { "uuid": "d01ef2c6-3154-4f8a-a3dc-9de1f34dd5d0", "object_relation": "parent-image", "value": "parent_process.exe", "type": "filename", "to_ids": true, "category": "Payload delivery" }, { "uuid": "e072dfbb-c6fd-4312-8201-d140575536c4", "object_relation": "port", "value": "1234", "type": "port", "to_ids": false, "category": "Network activity" }, { "uuid": "cee48d41-5e2f-560f-ab7d-99eb47f072fd", "object_relation": "hidden", "value": true, "type": "boolean", "to_ids": false, "category": "Other" }, { "uuid": "d85eeb1a-f4a2-4b9f-a367-d84f9a7e6303", "object_relation": "parent-command-line", "value": "grep -nrG iglocska /home/viktor/friends.txt", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "0251692e-6bb8-4de5-9e94-4dfa2834b032", "object_relation": "parent-process-name", "value": "Friends_From_H", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
- STIX
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5e39776a-b284-40b3-8079-22fea964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "process--5e39776a-b284-40b3-8079-22fea964451a", "file--d01ef2c6-3154-4f8a-a3dc-9de1f34dd5d0", "process--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "process--518b4bcb-a86b-4783-9457-391d548b605b", "file--f2259650-bc33-4b64-a3a8-a324aa7ea6bb" ], "labels": [ "misp:name=\"process\"", "misp:meta-category=\"misc\"" ] }, { "type": "process", "spec_version": "2.1", "id": "process--5e39776a-b284-40b3-8079-22fea964451a", "is_hidden": true, "pid": 2510, "image_ref": "file--f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "parent_ref": "process--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "child_refs": [ "process--518b4bcb-a86b-4783-9457-391d548b605b" ], "x_misp_name": "TestProcess", "x_misp_port": "1234" }, { "type": "file", "spec_version": "2.1", "id": "file--d01ef2c6-3154-4f8a-a3dc-9de1f34dd5d0", "name": "parent_process.exe" }, { "type": "process", "spec_version": "2.1", "id": "process--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "pid": 2107, "command_line": "grep -nrG iglocska /home/viktor/friends.txt", "image_ref": "file--d01ef2c6-3154-4f8a-a3dc-9de1f34dd5d0", "x_misp_process_name": "Friends_From_H" }, { "type": "process", "spec_version": "2.1", "id": "process--518b4bcb-a86b-4783-9457-391d548b605b", "pid": 1401 }, { "type": "file", "spec_version": "2.1", "id": "file--f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "name": "test_process.exe" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e39776a-b284-40b3-8079-22fea964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[process:pid = '2510' AND 
process:image_ref.name = 'test_process.exe' AND process:parent_ref.image_ref.name = 'parent_process.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"process\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--4d73e2f2-8274-5360-89b3-ce45d6335fef", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5e39776a-b284-40b3-8079-22fea964451a", "target_ref": "observed-data--5e39776a-b284-40b3-8079-22fea964451a" } ]
- reddit-account
- MISP
{ "name": "reddit-account", "meta-category": "misc", "description": "Reddit account.", "uuid": "43d3eff0-fabc-4663-9493-fad3a1eed0d5", "Attribute": [ { "uuid": "7da08965-8208-5dc6-9418-56eb94825405", "object_relation": "account-id", "value": "666", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "ee2afb34-5192-5110-8627-3b8372159014", "object_relation": "account-name", "value": "RedditOctocat", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "5b6f1330-2d0e-5551-ad51-6977db5118fd", "object_relation": "description", "value": "Reddit account of the OctoCat", "type": "text", "to_ids": false, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "e5732826-8afd-57cd-b7f7-fc51f880ba65", "object_relation": "account-avatar", "value": "octocat.png", "type": "attachment", "to_ids": false, "category": "External analysis" } ], "timestamp": "1603642920" }
- STIX
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--43d3eff0-fabc-4663-9493-fad3a1eed0d5", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--43d3eff0-fabc-4663-9493-fad3a1eed0d5" ], "labels": [ "misp:name=\"reddit-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--43d3eff0-fabc-4663-9493-fad3a1eed0d5", "user_id": "666", "account_login": "RedditOctocat", "account_type": "reddit", "x_misp_account_avatar": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" }, "x_misp_description": "Reddit account of the OctoCat" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--43d3eff0-fabc-4663-9493-fad3a1eed0d5", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'reddit' AND user-account:user_id = '666']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"reddit-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--76d9748e-2b95-502d-a0c5-5d6885f75905", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--43d3eff0-fabc-4663-9493-fad3a1eed0d5", "target_ref": "observed-data--43d3eff0-fabc-4663-9493-fad3a1eed0d5" } ]
- registry-key
- MISP
{ "name": "registry-key", "meta-category": "file", "description": "Registry key object describing a Windows registry key", "uuid": "5ac3379c-3e74-44ba-9160-04120a00020f", "Attribute": [ { "uuid": "cd4eb1a9-c425-5ffa-b9e5-77c38ec08ab6", "object_relation": "key", "value": "hkey_local_machine\\system\\bar\\foo", "type": "regkey", "category": "Persistence mechanism", "to_ids": true }, { "uuid": "59517e1a-09fa-5156-9d75-698f25122a15", "object_relation": "hive", "value": "hklm", "type": "text", "category": "Persistence mechanism", "to_ids": false }, { "uuid": "71f0aa82-31da-5bde-857e-e6dc26fb2eaa", "object_relation": "name", "value": "RegistryName", "type": "text", "category": "Persistence mechanism", "to_ids": false }, { "uuid": "35d52958-e168-5b67-b506-660c11378d00", "object_relation": "data", "value": "%DATA%\\qwertyuiop", "type": "text", "category": "Persistence mechanism", "to_ids": false }, { "uuid": "ddd4cf94-32e2-5c47-9dcd-51e10baea333", "object_relation": "data-type", "value": "REG_SZ", "type": "text", "category": "Persistence mechanism", "to_ids": false }, { "uuid": "f0cdf620-0734-5715-ae7f-e77b069987d9", "object_relation": "last-modified", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "category": "Other", "to_ids": false } ], "timestamp": "1603642920" }
- STIX
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac3379c-3e74-44ba-9160-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5ac3379c-3e74-44ba-9160-04120a00020f" ], "labels": [ "misp:name=\"registry-key\"", "misp:meta-category=\"file\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5ac3379c-3e74-44ba-9160-04120a00020f", "key": "hkey_local_machine\\system\\bar\\foo", "values": [ { "name": "RegistryName", "data": "%DATA%\\qwertyuiop", "data_type": "REG_SZ" } ], "modified_time": "2020-10-25T16:22:00Z", "x_misp_hive": "hklm" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac3379c-3e74-44ba-9160-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[windows-registry-key:key = 'hkey_local_machine\\\\system\\\\bar\\\\foo']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"registry-key\"", "misp:meta-category=\"file\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9b3ea668-d313-53c7-8e7f-57c14b4b0f01", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5ac3379c-3e74-44ba-9160-04120a00020f", "target_ref": "observed-data--5ac3379c-3e74-44ba-9160-04120a00020f" } ]
- sigma
- MISP
{ "name": "sigma", "meta-category": "misc", "description": "An object describing a Sigma rule (or a Sigma rule name).", "uuid": "c8c418e3-b61c-4d40-a1fc-b10cec6585d7", "Attribute": [ { "uuid": "e002d49e-c3ea-5784-a9ca-1816fcdc9682", "object_relation": "sigma", "value": "title: Ps.exe Renamed SysInternals Tool description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report reference: https://www.us-cert.gov/ncas/alerts/TA17-293A author: Florian Roth date: 2017/10/22 logsource: product: windows service: sysmon detection: selection: EventID: 1 CommandLine: 'ps.exe -accepteula' condition: selection falsepositives: - Renamed SysInternals tool level: high", "type": "sigma", "to_ids": true, "category": "Payload installation" }, { "uuid": "657fa17f-da3d-5630-a961-b3fd35f4abf9", "object_relation": "context", "value": "disk", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "e5161731-5ec8-5a84-bb56-59f7f3afe522", "object_relation": "reference", "value": "https://www.us-cert.gov/ncas/alerts/TA17-293A", "type": "link", "to_ids": false, "category": "External analysis" }, { "uuid": "1214fef3-723f-5bde-92a7-66447a8f49ce", "object_relation": "sigma-rule-name", "value": "Ps.exe", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "91e260d7-213d-5aa2-85c0-e1a902707c8c", "object_relation": "comment", "value": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A", "type": "comment", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
- STIX
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--c8c418e3-b61c-4d40-a1fc-b10cec6585d7", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Ps.exe", "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A", "pattern": "title: Ps.exe Renamed SysInternals Tool description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report reference: https://www.us-cert.gov/ncas/alerts/TA17-293A author: Florian Roth date: 2017/10/22 logsource: product: windows service: sysmon detection: selection: EventID: 1 CommandLine: 'ps.exe -accepteula' condition: selection falsepositives: - Renamed SysInternals tool level: high", "pattern_type": "sigma", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"sigma\"", "misp:meta-category=\"misc\"" ], "external_references": [ { "source_name": "url", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "x_misp_context": "disk" }
- suricata
- MISP
{ "name": "suricata", "meta-category": "network", "description": "An object describing a suricata rule", "uuid": "efc15547-4fe9-4188-aa71-b688e1bfa59c", "Attribute": [ { "uuid": "ec2bcad8-a900-57b8-a3ec-4c04ee471b83", "object_relation": "suricata", "value": "alert http any 443 -> 8.8.8.8 any", "type": "suricata", "to_ids": true, "category": "Network activity" }, { "uuid": "cdc92f5a-62f1-5bd1-a8bb-c2a0b0288cd6", "object_relation": "version", "value": "3.1.6", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "9fd47be3-1a47-5247-b693-45d1112e7bf5", "object_relation": "comment", "value": "To rule them all", "type": "comment", "to_ids": false, "category": "Other" }, { "uuid": "79601377-2d61-5a55-942d-2e839d822779", "object_relation": "ref", "value": "https://suricata.readthedocs.io/en/suricata-6.0.4/index.html", "type": "link", "to_ids": false, "category": "External analysis" } ], "timestamp": "1603642920" }
- STIX
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--efc15547-4fe9-4188-aa71-b688e1bfa59c", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "description": "To rule them all", "pattern": "alert http any 443 -> 8.8.8.8 any", "pattern_type": "suricata", "pattern_version": "3.1.6", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"suricata\"", "misp:meta-category=\"network\"" ], "external_references": [ { "source_name": "url", "url": "https://suricata.readthedocs.io/en/suricata-6.0.4/index.html" } ] }
- telegram-account
- MISP
{ "name": "telegram-account", "meta-category": "misc", "description": "Information related to a telegram account", "uuid": "7ecc4537-89cd-4f17-8027-6e0f70710c53", "Attribute": [ { "uuid": "0a709d2e-74b8-5a4c-87fe-b958f6b676f8", "object_relation": "id", "value": "1234567890", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "95d488b2-9b3e-5d9d-b9e0-a52d515a2f11", "object_relation": "username", "value": "T3l3gr4mUs3r", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "944dcea8-10a0-5894-90fb-2413167ec67c", "object_relation": "phone", "value": "0112233445", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "616c5129-6a07-5e24-9e17-ee21277564fc", "object_relation": "phone", "value": "0556677889", "type": "text", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
- STIX
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--7ecc4537-89cd-4f17-8027-6e0f70710c53", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--7ecc4537-89cd-4f17-8027-6e0f70710c53" ], "labels": [ "misp:name=\"telegram-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--7ecc4537-89cd-4f17-8027-6e0f70710c53", "user_id": "1234567890", "account_login": "T3l3gr4mUs3r", "account_type": "telegram", "x_misp_phone": [ "0112233445", "0556677889" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7ecc4537-89cd-4f17-8027-6e0f70710c53", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'telegram' AND user-account:user_id = '1234567890']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"telegram-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3b182b94-4054-52f3-9d8f-55e7de1a71fc", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--7ecc4537-89cd-4f17-8027-6e0f70710c53", "target_ref": "observed-data--7ecc4537-89cd-4f17-8027-6e0f70710c53" } ]
- twitter-account
- MISP
{ "name": "twitter-account", "meta-category": "misc", "description": "Twitter account.", "uuid": "6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "Attribute": [ { "uuid": "34b1fa29-c3a5-5d49-bf9b-9de40cea1e7a", "object_relation": "id", "value": "1357111317", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "c63c3824-bf67-5b6b-a43b-23ab95a24d1f", "object_relation": "name", "value": "octocat", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "71f35ee1-dc3f-5648-a5d5-315c6a32600e", "object_relation": "displayed-name", "value": "Octo Cat", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "7da08965-8208-5dc6-9418-56eb94825405", "object_relation": "followers", "value": "666", "type": "text", "to_ids": false, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "e5732826-8afd-57cd-b7f7-fc51f880ba65", "object_relation": "profile-image", "value": "octocat.png", "type": "attachment", "to_ids": false, "category": "External analysis" } ], "timestamp": "1603642920" }
- STIX
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb" ], "labels": [ "misp:name=\"twitter-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "user_id": "1357111317", "account_login": "octocat", "account_type": "twitter", "display_name": "Octo Cat", "x_misp_followers": "666", "x_misp_profile_image": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'twitter' AND user-account:user_id = '1357111317']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"twitter-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7ab13a4c-ded9-5d4d-97ab-55ca22c13078", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "target_ref": "observed-data--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb" } ]
- url
- MISP
{ "name": "url", "meta-category": "network", "description": "url object describes an url along with its normalized field", "uuid": "5ac347ca-dac4-4562-9775-04120a00020f", "Attribute": [ { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "url", "value": "https://www.circl.lu/team", "type": "url", "to_ids": true, "category": "Network activity" }, { "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "object_relation": "domain", "value": "circl.lu", "type": "domain", "to_ids": true, "category": "Network activity" }, { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "host", "value": "www.circl.lu", "type": "hostname", "to_ids": true, "category": "Network activity" }, { "uuid": "94a2b00f-bec3-4f8a-bea4-e4ccf0de776f", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "to_ids": true, "category": "Network activity" }, { "uuid": "f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "object_relation": "port", "value": "443", "type": "port", "to_ids": false, "category": "Network activity" } ], "timestamp": "1603642920" }
- STIX
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac347ca-dac4-4562-9775-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "url--5ac347ca-dac4-4562-9775-04120a00020f" ], "labels": [ "misp:name=\"url\"", "misp:meta-category=\"network\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ac347ca-dac4-4562-9775-04120a00020f", "value": "https://www.circl.lu/team", "x_misp_domain": "circl.lu", "x_misp_host": "www.circl.lu", "x_misp_ip": "149.13.33.14", "x_misp_port": "443" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac347ca-dac4-4562-9775-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[url:value = 'https://www.circl.lu/team' AND url:x_misp_domain = 'circl.lu' AND url:x_misp_host = 'www.circl.lu' AND url:x_misp_ip = '149.13.33.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"url\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--e2b8fa6f-ff8b-5cf9-a54a-0d3980a01bf0", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5ac347ca-dac4-4562-9775-04120a00020f", "target_ref": "observed-data--5ac347ca-dac4-4562-9775-04120a00020f" } ]
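The registry-key, process and url entries above all follow the `to_ids` rule given in the introduction: the object always yields an Observed Data object, and the attributes flagged `to_ids` are joined into one Indicator pattern that is tied back to the Observed Data by a `based-on` relationship. The Python script below is an added example written for this page, not misp-stix's own code; it re-implements that rule for those three templates and reproduces their patterns, including the doubled backslashes the registry-key pattern needs because STIX string literals are single-quoted and backslash-escaped. The relation-to-pattern-path table, the SCO type table and the UUID namespace used for relationship ids are assumptions made for the example, and the two input objects are trimmed copies of the ones shown above.

```python
"""Simplified re-implementation of the export rule stated at the top of this
page: every MISP object becomes an Observed Data object, and when any of its
attributes has to_ids set it additionally becomes an Indicator linked to that
Observed Data by a 'based-on' relationship.  Added example, not misp-stix code."""
import uuid
from datetime import datetime, timezone

# Assumed relation -> STIX pattern path table (hypothetical, built for this
# example); it covers the registry-key, process and url templates shown above.
PATTERN_PATHS = {
    "registry-key": {"key": "windows-registry-key:key"},
    "process": {
        "pid": "process:pid",
        "image": "process:image_ref.name",
        "parent-image": "process:parent_ref.image_ref.name",
    },
    "url": {
        "url": "url:value",
        "domain": "url:x_misp_domain",
        "host": "url:x_misp_host",
        "ip": "url:x_misp_ip",
    },
}
# Assumed template -> main STIX Cyber Observable type listed in object_refs.
SCO_TYPES = {"registry-key": "windows-registry-key", "process": "process", "url": "url"}
# Constructed namespace for deterministic relationship ids (assumption: the
# real exporter derives its own UUIDv5 ids differently).
RELATIONSHIP_NS = uuid.UUID("00000000-0000-0000-0000-000000000000")
CREATED_BY = "identity--a0c22599-9e58-4da4-96ac-7051603fa951"  # identity used on this page


def escape_literal(value):
    """STIX string literals are single-quoted: backslash and quote need escaping
    (this is why the registry-key pattern above shows doubled backslashes)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_pattern(misp_object):
    """Join the to_ids attributes, in MISP order, into one STIX comparison expression."""
    paths = PATTERN_PATHS[misp_object["name"]]
    comparisons = [
        f"{paths[attr['object_relation']]} = '{escape_literal(str(attr['value']))}'"
        for attr in misp_object["Attribute"]
        if attr.get("to_ids") and attr["object_relation"] in paths
    ]
    return f"[{' AND '.join(comparisons)}]" if comparisons else None


def export_object(misp_object):
    """Return the STIX 2.1 objects (SCO bodies omitted) for one MISP object."""
    ts = datetime.fromtimestamp(int(misp_object["timestamp"]), tz=timezone.utc)
    created = ts.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    observed = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    name, category, obj_uuid = misp_object["name"], misp_object["meta-category"], misp_object["uuid"]
    labels = [f'misp:name="{name}"', f'misp:meta-category="{category}"']
    obs_id = f"observed-data--{obj_uuid}"
    result = [{
        "type": "observed-data", "spec_version": "2.1", "id": obs_id,
        "created_by_ref": CREATED_BY, "created": created, "modified": created,
        "first_observed": observed, "last_observed": observed, "number_observed": 1,
        "object_refs": [f"{SCO_TYPES[name]}--{obj_uuid}"], "labels": labels,
    }]
    pattern = build_pattern(misp_object)
    if pattern is None:  # no to_ids flag anywhere: Observed Data only
        return result
    ind_id = f"indicator--{obj_uuid}"
    result.append({
        "type": "indicator", "spec_version": "2.1", "id": ind_id,
        "created_by_ref": CREATED_BY, "created": created, "modified": created,
        "pattern": pattern, "pattern_type": "stix", "pattern_version": "2.1",
        "valid_from": observed,
        "kill_chain_phases": [{"kill_chain_name": "misp-category", "phase_name": category}],
        "labels": labels,
    })
    result.append({
        "type": "relationship", "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid5(RELATIONSHIP_NS, ind_id + obs_id)}",
        "created": created, "modified": created, "relationship_type": "based-on",
        "source_ref": ind_id, "target_ref": obs_id,
    })
    return result


# Constructed inputs: trimmed copies of the registry-key and process objects above.
REGISTRY_KEY = {
    "name": "registry-key", "meta-category": "file",
    "uuid": "5ac3379c-3e74-44ba-9160-04120a00020f", "timestamp": "1603642920",
    "Attribute": [
        {"object_relation": "key", "value": "hkey_local_machine\\system\\bar\\foo", "to_ids": True},
        {"object_relation": "hive", "value": "hklm", "to_ids": False},
    ],
}
PROCESS = {
    "name": "process", "meta-category": "misc",
    "uuid": "5e39776a-b284-40b3-8079-22fea964451a", "timestamp": "1603642920",
    "Attribute": [
        {"object_relation": "pid", "value": "2510", "to_ids": True},
        {"object_relation": "child-pid", "value": "1401", "to_ids": False},
        {"object_relation": "image", "value": "test_process.exe", "to_ids": True},
        {"object_relation": "parent-image", "value": "parent_process.exe", "to_ids": True},
    ],
}
```

Running `export_object(REGISTRY_KEY)` yields the observed-data, indicator and relationship triple shown in the registry-key entry, with the pattern `[windows-registry-key:key = 'hkey_local_machine\\system\\bar\\foo']`; clearing every `to_ids` flag on the same object makes `build_pattern` return `None` and the export collapses to the Observed Data object alone, which is the other branch of the rule.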
- user-account
- MISP
{ "name": "user-account", "meta-category": "misc", "description": "Object describing an user account", "uuid": "5d234f25-539c-4d12-bf93-2c46a964451a", "Attribute": [ { "uuid": "094e0e91-be31-5636-a810-378abba68920", "object_relation": "username", "value": "iglocska", "type": "text", "to_ids": true, "category": "Other" }, { "uuid": "094e0e91-be31-5636-a810-378abba68920", "object_relation": "user-id", "value": "iglocska", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "65944111-0210-5120-ad9d-a549000fb2fe", "object_relation": "display-name", "value": "Code Monkey", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "cdf7ce76-d853-5efb-a347-c18eab3d10d3", "object_relation": "password", "value": "P4ssw0rd1234!", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "3842e68d-64d6-5dbf-a74e-a4868f534ae3", "object_relation": "group", "value": "viktor-fan", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "f1bde07a-952d-542a-9a8e-b0ad5277f6a0", "object_relation": "group", "value": "donald-fan", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "fec25895-4077-526b-91f6-83ea7021bcea", "object_relation": "group-id", "value": "2004", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "bf267593-7a3b-5b69-be6c-c1c985be0642", "object_relation": "home_dir", "value": "/home/iglocska", "type": "text", "to_ids": false, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "e5732826-8afd-57cd-b7f7-fc51f880ba65", "object_relation": "user-avatar", "value": "octocat.png", "type": "attachment", "to_ids": false, "category": "External analysis" }, { "uuid": "a5077f66-1622-5b00-928a-b6cc210dc010", "object_relation": "account-type", "value": "unix", "type": "text", "to_ids": false, "category": "Other" }, { "uuid": "f0cdf620-0734-5715-ae7f-e77b069987d9", "object_relation": "password_last_changed", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "to_ids": false, "category": "Other" } ], "timestamp": "1603642920" }
- STIX
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d234f25-539c-4d12-bf93-2c46a964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--5d234f25-539c-4d12-bf93-2c46a964451a" ], "labels": [ "misp:name=\"user-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--5d234f25-539c-4d12-bf93-2c46a964451a", "user_id": "iglocska", "credential": "P4ssw0rd1234!", "account_login": "iglocska", "account_type": "unix", "display_name": "Code Monkey", "credential_last_changed": "2020-10-25T16:22:00Z", "extensions": { "unix-account-ext": { "gid": 2004, "groups": [ "viktor-fan", "donald-fan" ], "home_dir": "/home/iglocska" } }, "x_misp_user_avatar": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d234f25-539c-4d12-bf93-2c46a964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_login = 'iglocska']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"user-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a9308038-fb86-5937-9105-f98016ca85bf", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5d234f25-539c-4d12-bf93-2c46a964451a", "target_ref": "observed-data--5d234f25-539c-4d12-bf93-2c46a964451a" } ]
- vulnerability
  - MISP
    ```json
    {
        "name": "vulnerability",
        "meta-category": "vulnerability",
        "description": "Vulnerability object describing a common vulnerability",
        "uuid": "5e579975-e9cc-46c6-a6ad-1611a964451a",
        "Attribute": [
            { "uuid": "99ced965-870a-5303-accf-e2b9f643821e", "object_relation": "id", "value": "CVE-2017-11774", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "2d881382-13d8-56a5-8e25-fea692839e92", "object_relation": "cvss-score", "value": "6.8", "type": "float", "to_ids": false, "category": "Other" },
            { "uuid": "0c317e43-dc9d-54f7-91d7-6da76f6c68fb", "object_relation": "summary", "value": "Microsoft Outlook allow an attacker to execute arbitrary commands", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "e0b5f671-8912-5e9c-8067-1b3afc2bf721", "object_relation": "created", "value": "2017-10-13T07:29:00+00:00", "type": "datetime", "to_ids": false, "category": "Other" },
            { "uuid": "e0b5f671-8912-5e9c-8067-1b3afc2bf721", "object_relation": "published", "value": "2017-10-13T07:29:00+00:00", "type": "datetime", "to_ids": false, "category": "Other" },
            { "uuid": "f6e1c408-32c3-512d-b6b2-5ab0e08ac830", "object_relation": "references", "value": "http://www.securityfocus.com/bid/101098", "type": "link", "to_ids": false, "category": "External analysis" },
            { "uuid": "ef019343-1b99-5c1c-8280-a00ce24d6920", "object_relation": "references", "value": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774", "type": "link", "to_ids": false, "category": "External analysis" }
        ],
        "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    {
        "type": "vulnerability",
        "spec_version": "2.1",
        "id": "vulnerability--5e579975-e9cc-46c6-a6ad-1611a964451a",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "name": "CVE-2017-11774",
        "description": "Microsoft Outlook allow an attacker to execute arbitrary commands",
        "labels": [ "misp:name=\"vulnerability\"", "misp:meta-category=\"vulnerability\"" ],
        "external_references": [
            { "source_name": "cve", "external_id": "CVE-2017-11774" },
            { "source_name": "url", "url": "http://www.securityfocus.com/bid/101098" },
            { "source_name": "url", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774" }
        ],
        "x_misp_created": "2017-10-13T07:29:00Z",
        "x_misp_cvss_score": "6.8",
        "x_misp_published": "2017-10-13T07:29:00Z"
    }
    ```
- wazuh-rule
  - MISP
    ```json
    {
        "name": "wazuh-rule",
        "uuid": "a86a1736-90fc-48fa-8e72-8735cac0e14a",
        "Attribute": [
            { "uuid": "50ccd990-9627-481c-bf4f-89dd97408b6e", "object_relation": "wazuh-rule", "value": "<rule id=\"200996\" level=\"12\">\n <decoded_as>json</decoded_as>\n <field name=\"cluster.name\">\\.+</field>\n <field name=\"level\">^ERROR$</field>\n <description>Wazuh-Indexer Cluster Logs - Level: ERROR</description>\n <options>no_full_log</options>\n </rule>", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "9189aefe-3f83-48e8-abae-ea7cd8ea5867", "object_relation": "rule-id", "value": "Wazuh-Indexer Cluster Logs - Level: ERROR", "type": "text", "to_ids": false, "category": "Other" }
        ],
        "timestamp": "1603642920",
        "meta-category": "misc",
        "description": "An object describing a Wazuh XML rule using common fields from the official Wazuh rule syntax."
    }
    ```
  - STIX
    ```json
    {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--a86a1736-90fc-48fa-8e72-8735cac0e14a",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "name": "Wazuh-Indexer Cluster Logs - Level: ERROR",
        "pattern": "<rule id=\"200996\" level=\"12\">\n <decoded_as>json</decoded_as>\n <field name=\"cluster.name\">\\.+</field>\n <field name=\"level\">^ERROR$</field>\n <description>Wazuh-Indexer Cluster Logs - Level: ERROR</description>\n <options>no_full_log</options>\n </rule>",
        "pattern_type": "wazuh",
        "pattern_version": "2.1",
        "valid_from": "2020-10-25T16:22:00Z",
        "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ],
        "labels": [ "misp:name=\"wazuh-rule\"", "misp:meta-category=\"misc\"" ]
    }
    ```
- x509
  - MISP
    ```json
    {
        "name": "x509",
        "meta-category": "network",
        "description": "x509 object describing a X.509 certificate",
        "uuid": "5ac3444e-145c-4749-8467-02550a00020f",
        "Attribute": [
            { "uuid": "2b03497e-d862-5800-92cd-eee20765217f", "object_relation": "issuer", "value": "Issuer Name", "type": "text", "to_ids": true, "category": "Other" },
            { "uuid": "fc58784f-6ed1-54e3-ae78-a7555e337ef0", "object_relation": "pem", "value": "RawCertificateInPEMFormat", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "7cc9c461-e255-521d-8dbf-5ef5181fbc73", "object_relation": "pubkey-info-algorithm", "value": "PublicKeyAlgorithm", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "3ce725b2-35f0-5a8c-936f-a09972444f5e", "object_relation": "pubkey-info-exponent", "value": "2", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "c50d0487-b437-5ec8-aa75-6415635fc872", "object_relation": "pubkey-info-modulus", "value": "C5", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "0a709d2e-74b8-5a4c-87fe-b958f6b676f8", "object_relation": "serial-number", "value": "1234567890", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "3d14e295-12ab-5abf-bca5-cbee2174fe47", "object_relation": "signature_algorithm", "value": "SHA1_WITH_RSA_ENCRYPTION", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "7ec1b525-1e9d-5d45-8086-689e8e7bc3bc", "object_relation": "subject", "value": "CertificateSubject", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "41ba5dbd-ef3c-5d9c-b097-a9f3745d4753", "object_relation": "validity-not-before", "value": "2020-01-01T00:00:00+00:00", "type": "datetime", "to_ids": false, "category": "Other" },
            { "uuid": "def00e72-650c-5ba1-8ae9-44b0b2cf7907", "object_relation": "validity-not-after", "value": "2021-01-01T00:00:00+00:00", "type": "datetime", "to_ids": false, "category": "Other" },
            { "uuid": "ad982c8b-74de-5ff5-a934-3f1724098de5", "object_relation": "version", "value": "1", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "684da8aa-4e88-5c9b-a07c-13da628ebbee", "object_relation": "x509-fingerprint-md5", "value": "b2a5abfeef9e36964281a31e17b57c97", "type": "x509-fingerprint-md5", "to_ids": true, "category": "Network activity" },
            { "uuid": "58fd435b-0581-5919-8cd8-de961acfa7b0", "object_relation": "x509-fingerprint-sha1", "value": "5898fc860300e228dcd54c0b1045b5fa0dcda502", "type": "x509-fingerprint-sha1", "to_ids": true, "category": "Network activity" }
        ],
        "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    [
        {
            "type": "observed-data",
            "spec_version": "2.1",
            "id": "observed-data--5ac3444e-145c-4749-8467-02550a00020f",
            "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
            "created": "2020-10-25T16:22:00.000Z",
            "modified": "2020-10-25T16:22:00.000Z",
            "first_observed": "2020-10-25T16:22:00Z",
            "last_observed": "2020-10-25T16:22:00Z",
            "number_observed": 1,
            "object_refs": [ "x509-certificate--5ac3444e-145c-4749-8467-02550a00020f" ],
            "labels": [ "misp:name=\"x509\"", "misp:meta-category=\"network\"" ]
        },
        {
            "type": "x509-certificate",
            "spec_version": "2.1",
            "id": "x509-certificate--5ac3444e-145c-4749-8467-02550a00020f",
            "hashes": {
                "MD5": "b2a5abfeef9e36964281a31e17b57c97",
                "SHA-1": "5898fc860300e228dcd54c0b1045b5fa0dcda502"
            },
            "version": "1",
            "serial_number": "1234567890",
            "signature_algorithm": "SHA1_WITH_RSA_ENCRYPTION",
            "issuer": "Issuer Name",
            "validity_not_before": "2020-01-01T00:00:00Z",
            "validity_not_after": "2021-01-01T00:00:00Z",
            "subject": "CertificateSubject",
            "subject_public_key_algorithm": "PublicKeyAlgorithm",
            "subject_public_key_modulus": "C5",
            "subject_public_key_exponent": 2,
            "x_misp_pem": "RawCertificateInPEMFormat"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5ac3444e-145c-4749-8467-02550a00020f",
            "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
            "created": "2020-10-25T16:22:00.000Z",
            "modified": "2020-10-25T16:22:00.000Z",
            "pattern": "[x509-certificate:hashes.MD5 = 'b2a5abfeef9e36964281a31e17b57c97' AND x509-certificate:hashes.'SHA-1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502' AND x509-certificate:issuer = 'Issuer Name']",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "valid_from": "2020-10-25T16:22:00Z",
            "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ],
            "labels": [ "misp:name=\"x509\"", "misp:meta-category=\"network\"" ]
        },
        {
            "type": "relationship",
            "spec_version": "2.1",
            "id": "relationship--afaf82e1-57d1-5dc8-bf1b-817333005aa4",
            "created": "2020-10-25T16:22:00.000Z",
            "modified": "2020-10-25T16:22:00.000Z",
            "relationship_type": "based-on",
            "source_ref": "indicator--5ac3444e-145c-4749-8467-02550a00020f",
            "target_ref": "observed-data--5ac3444e-145c-4749-8467-02550a00020f"
        }
    ]
    ```
- yara
  - MISP
    ```json
    {
        "name": "yara",
        "meta-category": "misc",
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "uuid": "cafdd27e-c3e2-4f7a-88b4-4c1c98f18be7",
        "Attribute": [
            { "uuid": "b7074b21-9e97-5867-84b9-4df1438b8f0c", "object_relation": "yara", "value": "rule torcryptomining { meta: description = \"Tor miner - broken UPX magic string\" strings: $upx_erase = {(00 FF 99 41|DF DD 30 33)} condition: $upx_erase at 236 }", "type": "yara", "to_ids": true, "category": "Payload installation" },
            { "uuid": "d86f032d-66ad-5206-952f-ed033e9d57e3", "object_relation": "version", "value": "4.1.0", "type": "text", "to_ids": false, "category": "Other" },
            { "uuid": "9fd47be3-1a47-5247-b693-45d1112e7bf5", "object_relation": "comment", "value": "To rule them all", "type": "comment", "to_ids": false, "category": "Other" },
            { "uuid": "3e968a51-2909-517c-a526-d8c0055b948c", "object_relation": "yara-rule-name", "value": "Ultimate rule", "type": "text", "to_ids": false, "category": "Other" }
        ],
        "timestamp": "1603642920"
    }
    ```
  - STIX
    ```json
    {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--cafdd27e-c3e2-4f7a-88b4-4c1c98f18be7",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "name": "Ultimate rule",
        "description": "To rule them all",
        "pattern": "rule torcryptomining { meta: description = \"Tor miner - broken UPX magic string\" strings: $upx_erase = {(00 FF 99 41|DF DD 30 33)} condition: $upx_erase at 236 }",
        "pattern_type": "yara",
        "pattern_version": "4.1.0",
        "valid_from": "2020-10-25T16:22:00Z",
        "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ],
        "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"" ]
    }
    ```
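The x509 example above is the clearest illustration of the `to_ids` rule stated at the top of this page: the three attributes flagged `to_ids` (issuer and the two fingerprints) are exactly the comparisons that appear in the Indicator pattern, while every attribute, flagged or not, lands in the `x509-certificate` observable. The following is an added example written for this page, not misp-stix code: a small re-implementation of that rule, run on a trimmed copy of the page's x509 object. Property names follow the page's output; `created_by_ref` is left out and the relationship id is derived with a uuid5 over the two refs, which is an assumption of this example rather than how the ids on the page were produced.

```python
"""Added example (not misp-stix code): the to_ids rule applied to the x509 object on this page.
to_ids attributes -> Indicator pattern; all attributes -> x509-certificate observable;
Indicator tied to Observed Data with a based-on relationship."""
import uuid
from datetime import datetime, timezone

# MISP object_relation -> STIX x509-certificate property, as in the page's output.
X509_PROPERTIES = {
    "issuer": "issuer",
    "subject": "subject",
    "serial-number": "serial_number",
    "signature_algorithm": "signature_algorithm",
    "version": "version",
    "validity-not-before": "validity_not_before",
    "validity-not-after": "validity_not_after",
    "pubkey-info-algorithm": "subject_public_key_algorithm",
    "pubkey-info-modulus": "subject_public_key_modulus",
    "pubkey-info-exponent": "subject_public_key_exponent",
}
X509_HASHES = {"x509-fingerprint-md5": "MD5", "x509-fingerprint-sha1": "SHA-1"}

# Constructed input: a trimmed copy of the page's x509 object (same uuid and values).
X509_OBJECT = {
    "name": "x509", "meta-category": "network",
    "uuid": "5ac3444e-145c-4749-8467-02550a00020f", "timestamp": "1603642920",
    "Attribute": [
        {"object_relation": "issuer", "value": "Issuer Name", "to_ids": True},
        {"object_relation": "serial-number", "value": "1234567890", "to_ids": False},
        {"object_relation": "validity-not-before", "value": "2020-01-01T00:00:00+00:00", "to_ids": False},
        {"object_relation": "x509-fingerprint-md5", "value": "b2a5abfeef9e36964281a31e17b57c97", "to_ids": True},
        {"object_relation": "x509-fingerprint-sha1", "value": "5898fc860300e228dcd54c0b1045b5fa0dcda502", "to_ids": True},
    ],
}


def stix_timestamp(misp_ts, millis=False):
    """MISP epoch string -> STIX timestamp (SDO fields carry milliseconds, observation fields do not)."""
    dt = datetime.fromtimestamp(int(misp_ts), tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z" if millis else "%Y-%m-%dT%H:%M:%SZ")


def x509_pattern(misp_object):
    """Indicator pattern built from the to_ids attributes only, hashes first.
    A hash name containing '-' (SHA-1) has to be quoted in the object path."""
    hashes, others = [], []
    for attr in misp_object["Attribute"]:
        if not attr.get("to_ids"):
            continue  # not an indicator value: it stays in the observable only
        rel, value = attr["object_relation"], attr["value"]
        if rel in X509_HASHES:
            algo = X509_HASHES[rel]
            key = algo if "-" not in algo else f"'{algo}'"
            hashes.append(f"x509-certificate:hashes.{key} = '{value}'")
        else:
            others.append(f"x509-certificate:{X509_PROPERTIES[rel]} = '{value}'")
    return "[" + " AND ".join(hashes + others) + "]"


def x509_observable(misp_object):
    """x509-certificate SCO built from every attribute, to_ids or not."""
    sco = {"type": "x509-certificate", "spec_version": "2.1",
           "id": f"x509-certificate--{misp_object['uuid']}"}
    hashes = {}
    for attr in misp_object["Attribute"]:
        rel, value = attr["object_relation"], attr["value"]
        if rel in X509_HASHES:
            hashes[X509_HASHES[rel]] = value
        elif rel in X509_PROPERTIES:
            # MISP datetimes carry +00:00; the page's output uses the Z suffix
            sco[X509_PROPERTIES[rel]] = value.replace("+00:00", "Z")
    if hashes:
        sco["hashes"] = hashes
    return sco


def export_x509(misp_object):
    """Any to_ids flag set -> Observed Data + Indicator + based-on relationship;
    no to_ids flag set -> Observed Data only."""
    oid, ts = misp_object["uuid"], misp_object["timestamp"]
    labels = [f'misp:name="{misp_object["name"]}"',
              f'misp:meta-category="{misp_object["meta-category"]}"']
    observed = {"type": "observed-data", "spec_version": "2.1", "id": f"observed-data--{oid}",
                "created": stix_timestamp(ts, True), "modified": stix_timestamp(ts, True),
                "first_observed": stix_timestamp(ts), "last_observed": stix_timestamp(ts),
                "number_observed": 1, "object_refs": [f"x509-certificate--{oid}"], "labels": labels}
    bundle = [observed, x509_observable(misp_object)]
    if any(attr.get("to_ids") for attr in misp_object["Attribute"]):
        indicator = {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{oid}",
                     "created": stix_timestamp(ts, True), "modified": stix_timestamp(ts, True),
                     "pattern": x509_pattern(misp_object), "pattern_type": "stix",
                     "pattern_version": "2.1", "valid_from": stix_timestamp(ts),
                     "kill_chain_phases": [{"kill_chain_name": "misp-category",
                                            "phase_name": misp_object["meta-category"]}],
                     "labels": labels}
        # Relationship id: uuid5 over the two refs (an assumption of this example,
        # not how misp-stix derives the relationship ids shown on the page).
        rel_id = uuid.uuid5(uuid.NAMESPACE_URL, f"{indicator['id']}|{observed['id']}")
        bundle += [indicator, {"type": "relationship", "spec_version": "2.1",
                               "id": f"relationship--{rel_id}", "relationship_type": "based-on",
                               "source_ref": indicator["id"], "target_ref": observed["id"]}]
    return bundle
```

`x509_pattern(X509_OBJECT)` returns the same pattern string the page shows for the x509 Indicator, and `export_x509` on a copy with every `to_ids` cleared returns only the Observed Data and its observable, which is the second branch of the rule.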
Unmapped object names
Not all MISP objects are mapped to and exported as known STIX 2.1 objects.
Those unmapped objects are then exported as STIX Custom objects. Here are some examples:
- bank-account
  - MISP
    ```json
    {
        "name": "bank-account",
        "meta-category": "financial",
        "description": "An object describing bank account information based on account description from goAML 4.0",
        "uuid": "695e7924-2518-4054-9cea-f82853d37410",
        "timestamp": "1603642920",
        "Attribute": [
            { "type": "iban", "object_relation": "iban", "value": "LU1234567890ABCDEF1234567890", "to_ids": true },
            { "type": "bic", "object_relation": "swift", "value": "CTBKLUPP" },
            { "type": "bank-account-nr", "object_relation": "account", "value": "1234567890" },
            { "type": "text", "object_relation": "institution-name", "value": "Central Bank" },
            { "type": "text", "object_relation": "account-name", "value": "John Smith's bank account" },
            { "type": "text", "object_relation": "beneficiary", "value": "John Smith" },
            { "type": "text", "object_relation": "currency-code", "value": "EUR" }
        ]
    }
    ```
  - STIX
    ```json
    {
        "type": "x-misp-object",
        "spec_version": "2.1",
        "id": "x-misp-object--695e7924-2518-4054-9cea-f82853d37410",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "labels": [ "misp:category=\"financial\"", "misp:name=\"bank-account\"" ],
        "x_misp_attributes": [
            { "object_relation": "iban", "to_ids": true, "type": "iban", "value": "LU1234567890ABCDEF1234567890" },
            { "object_relation": "swift", "type": "bic", "value": "CTBKLUPP" },
            { "object_relation": "account", "type": "bank-account-nr", "value": "1234567890" },
            { "object_relation": "institution-name", "type": "text", "value": "Central Bank" },
            { "object_relation": "account-name", "type": "text", "value": "John Smith's bank account" },
            { "object_relation": "beneficiary", "type": "text", "value": "John Smith" },
            { "object_relation": "currency-code", "type": "text", "value": "EUR" }
        ],
        "x_misp_meta_category": "financial",
        "x_misp_name": "bank-account"
    }
    ```
- btc-wallet
  - MISP
    ```json
    {
        "name": "btc-wallet",
        "meta-category": "financial",
        "description": "An object to describe a Bitcoin wallet.",
        "uuid": "6f7509f1-f324-4acc-bf06-bbe726ab8fc7",
        "timestamp": "1603642920",
        "Attribute": [
            { "type": "btc", "object_relation": "wallet-address", "value": "1E38kt7ryhbRXUzbam6iQ6sd93VHUUdjEE", "to_ids": true },
            { "type": "float", "object_relation": "balance_BTC", "value": "2.25036953" },
            { "type": "float", "object_relation": "BTC_received", "value": "3.35036953" },
            { "type": "float", "object_relation": "BTC_sent", "value": "1.1" }
        ]
    }
    ```
  - STIX
    ```json
    {
        "type": "x-misp-object",
        "spec_version": "2.1",
        "id": "x-misp-object--6f7509f1-f324-4acc-bf06-bbe726ab8fc7",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "labels": [ "misp:category=\"financial\"", "misp:name=\"btc-wallet\"" ],
        "x_misp_attributes": [
            { "object_relation": "wallet-address", "to_ids": true, "type": "btc", "value": "1E38kt7ryhbRXUzbam6iQ6sd93VHUUdjEE" },
            { "object_relation": "balance_BTC", "type": "float", "value": "2.25036953" },
            { "object_relation": "BTC_received", "type": "float", "value": "3.35036953" },
            { "object_relation": "BTC_sent", "type": "float", "value": "1.1" }
        ],
        "x_misp_meta_category": "financial",
        "x_misp_name": "btc-wallet"
    }
    ```
- person
  - MISP
    ```json
    {
        "name": "person",
        "meta-category": "misc",
        "description": "An object which describes a person or an identity.",
        "uuid": "868037d5-d804-4f1d-8016-f296361f9c68",
        "timestamp": "1603642920",
        "Attribute": [
            { "type": "first-name", "object_relation": "first-name", "value": "John" },
            { "type": "last-name", "object_relation": "last-name", "value": "Smith" },
            { "type": "nationality", "object_relation": "nationality", "value": "USA" },
            { "type": "passport-number", "object_relation": "passport-number", "value": "ABA9875413" },
            { "type": "phone-number", "object_relation": "phone-number", "value": "0123456789" }
        ]
    }
    ```
  - STIX
    ```json
    {
        "type": "x-misp-object",
        "spec_version": "2.1",
        "id": "x-misp-object--868037d5-d804-4f1d-8016-f296361f9c68",
        "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951",
        "created": "2020-10-25T16:22:00.000Z",
        "modified": "2020-10-25T16:22:00.000Z",
        "labels": [ "misp:category=\"misc\"", "misp:name=\"person\"" ],
        "x_misp_attributes": [
            { "object_relation": "first-name", "type": "first-name", "value": "John" },
            { "object_relation": "last-name", "type": "last-name", "value": "Smith" },
            { "object_relation": "nationality", "type": "nationality", "value": "USA" },
            { "object_relation": "passport-number", "type": "passport-number", "value": "ABA9875413" },
            { "object_relation": "phone-number", "type": "phone-number", "value": "0123456789" }
        ],
        "x_misp_meta_category": "misc",
        "x_misp_name": "person"
    }
    ```
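The three unmapped examples above share one shape: an `x-misp-object` whose `labels` carry the meta-category and name, whose `x_misp_attributes` keep each MISP attribute as-is (with its `to_ids` flag when it had one), and whose `x_misp_meta_category` and `x_misp_name` repeat the object header. The following is an added example written for this page, not misp-stix code, that builds that shape from the page's bank-account object. It also adds a consumer-side check worth keeping in mind: the bank-account `iban` is flagged `to_ids`, yet, unlike the mapped objects, a custom object gets no Indicator, so a pipeline that only reads Indicators out of the bundle never sees that value. `CREATED_BY_REF` is a constructed placeholder identity id.

```python
"""Added example (not misp-stix code): exporting a MISP object without a STIX 2.1
mapping as an x-misp-object custom object, in the shape this page shows for
bank-account, btc-wallet and person."""
from datetime import datetime, timezone

# Constructed placeholder for the exporting organisation's identity id.
CREATED_BY_REF = "identity--00000000-0000-4000-8000-000000000000"

# Constructed input: the bank-account object shown on this page.
BANK_ACCOUNT = {
    "name": "bank-account", "meta-category": "financial",
    "uuid": "695e7924-2518-4054-9cea-f82853d37410", "timestamp": "1603642920",
    "Attribute": [
        {"type": "iban", "object_relation": "iban", "value": "LU1234567890ABCDEF1234567890", "to_ids": True},
        {"type": "bic", "object_relation": "swift", "value": "CTBKLUPP"},
        {"type": "bank-account-nr", "object_relation": "account", "value": "1234567890"},
        {"type": "text", "object_relation": "institution-name", "value": "Central Bank"},
        {"type": "text", "object_relation": "currency-code", "value": "EUR"},
    ],
}


def stix_timestamp(misp_ts):
    """MISP epoch string -> STIX SDO timestamp with milliseconds, as on the page."""
    return datetime.fromtimestamp(int(misp_ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def custom_attribute(attr):
    """Keep only the attribute fields the page's output carries, in sorted key order.
    An attribute that had no to_ids field stays without one; no default is added."""
    kept = {k: attr[k] for k in ("object_relation", "to_ids", "type", "value") if k in attr}
    return dict(sorted(kept.items()))


def misp_object_to_custom(misp_object, created_by_ref=CREATED_BY_REF):
    """Build the x-misp-object custom STIX 2.1 object for an unmapped MISP object."""
    ts = stix_timestamp(misp_object["timestamp"])
    return {
        "type": "x-misp-object",
        "spec_version": "2.1",
        "id": f"x-misp-object--{misp_object['uuid']}",
        "created_by_ref": created_by_ref,
        "created": ts,
        "modified": ts,
        "labels": [f'misp:category="{misp_object["meta-category"]}"',
                   f'misp:name="{misp_object["name"]}"'],
        "x_misp_attributes": [custom_attribute(a) for a in misp_object["Attribute"]],
        "x_misp_meta_category": misp_object["meta-category"],
        "x_misp_name": misp_object["name"],
    }


def to_ids_left_in_custom_objects(stix_objects):
    """Consumer-side check: to_ids attributes inside x-misp-object objects were never
    turned into an Indicator pattern, so a consumer that only reads Indicators misses
    them. Returns (object name, object_relation, value) triples for review."""
    found = []
    for obj in stix_objects:
        if obj.get("type") != "x-misp-object":
            continue
        for attr in obj.get("x_misp_attributes", []):
            if attr.get("to_ids"):
                found.append((obj["x_misp_name"], attr["object_relation"], attr["value"]))
    return found
```

Running `misp_object_to_custom(BANK_ACCOUNT)` reproduces the page's bank-account output apart from the placeholder `created_by_ref`; `to_ids_left_in_custom_objects` over the result reports the `iban` value as the one flagged attribute that no Indicator carries.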
The other detailed mappings
For more detailed mappings, click on one of the links below: