STIX 2.1 to MISP Objects mapping
MISP Objects are containers that group related MISP attributes. When STIX 2.1 content is imported, composite STIX structures — an Indicator whose pattern combines several fields, or an Observed Data that references one or more STIX Cyber-observable Objects (SCOs) — are mapped to the corresponding MISP object template. In the examples below, the `misp:name` label carried by the STIX object names the MISP object template it is mapped to, and each resulting attribute's `object_relation` is the template field that received the value.
The list of currently supported MISP object templates is available here.
Current mapping
- Domain-IP object (custom case)
- STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--dc624447-684a-488f-9e16-f78f717d8efd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "domain-name--dc624447-684a-488f-9e16-f78f717d8efd", "ipv4-addr--fcbaf339-615a-409c-915f-034420dc90ca" ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"False\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--dc624447-684a-488f-9e16-f78f717d8efd", "value": "circl.lu", "resolves_to_refs": [ "ipv4-addr--fcbaf339-615a-409c-915f-034420dc90ca" ], "x_misp_hostname": "circl.lu", "x_misp_port": "8443" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--fcbaf339-615a-409c-915f-034420dc90ca", "value": "149.13.33.14" } ] - MISP
{ "name": "domain-ip", "meta-category": "network", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "template_version": "11", "uuid": "dc624447-684a-488f-9e16-f78f717d8efd", "Attribute": [ { "uuid": "8b1ca103-25f5-55fd-bdb7-acb7a47adde0", "object_relation": "domain", "value": "circl.lu", "type": "domain", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "13e41e43-27b6-56be-b938-428ad0dc2c15", "object_relation": "hostname", "value": "circl.lu", "type": "hostname", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "64c83027-4029-5d64-afe0-2c67665592a7", "object_relation": "port", "value": "8443", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "fcbaf339-615a-409c-915f-034420dc90ca", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Observed Data
- Domain-IP object (standard case)
- STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac337df-e078-4e99-8b17-02550a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "ipv4-addr--876133b5-b5fc-449c-ba9e-e467790da8eb", "domain-name--a2e44443-a974-47b6-bb35-69d17b1cd243", "domain-name--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f" ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"", "misp:to_ids=\"False\"" ] }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "value": "149.13.33.14" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--876133b5-b5fc-449c-ba9e-e467790da8eb", "value": "185.194.93.14" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--a2e44443-a974-47b6-bb35-69d17b1cd243", "value": "misp-project.org", "resolves_to_refs": [ "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "ipv4-addr--876133b5-b5fc-449c-ba9e-e467790da8eb" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "circl.lu", "resolves_to_refs": [ "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "ipv4-addr--876133b5-b5fc-449c-ba9e-e467790da8eb" ] } ] - MISP
{ "name": "domain-ip", "meta-category": "network", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "template_version": "11", "uuid": "5ac337df-e078-4e99-8b17-02550a00020f", "Attribute": [ { "uuid": "a2e44443-a974-47b6-bb35-69d17b1cd243", "object_relation": "domain", "value": "misp-project.org", "type": "domain", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "518b4bcb-a86b-4783-9457-391d548b605b", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "876133b5-b5fc-449c-ba9e-e467790da8eb", "object_relation": "ip", "value": "185.194.93.14", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "domain", "value": "circl.lu", "type": "domain", "category": "Network activity", "disable_correlation": false, "to_ids": true } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Observed Data
- File object with a Windows PE binary extension
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac47782-e1b8-40b6-96b4-02510a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[file:hashes.MD5 = 'b2a5abfeef9e36964281a31e17b57c97' AND file:hashes.'SHA-1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502' AND file:hashes.'SHA-256' = '3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8' AND file:name = 'oui' AND file:size = '1234' AND file:x_misp_entropy = '1.234' AND file:extensions.'windows-pebinary-ext'.imphash = '23ea835ab4b9017c74dfb023d2301c99' AND file:extensions.'windows-pebinary-ext'.number_of_sections = '8' AND file:extensions.'windows-pebinary-ext'.pe_type = 'exe' AND file:extensions.'windows-pebinary-ext'.optional_header.address_of_entry_point = '5369222868' AND file:extensions.'windows-pebinary-ext'.x_misp_compilation_timestamp = '2019-03-16T12:31:22Z' AND file:extensions.'windows-pebinary-ext'.x_misp_original_filename = 'PuTTy' AND file:extensions.'windows-pebinary-ext'.x_misp_internal_filename = 'PuTTy' AND file:extensions.'windows-pebinary-ext'.x_misp_file_description = 'SSH, Telnet and Rlogin client' AND file:extensions.'windows-pebinary-ext'.x_misp_file_version = 'Release 0.71 (with embedded help)' AND file:extensions.'windows-pebinary-ext'.x_misp_lang_id = '080904B0' AND file:extensions.'windows-pebinary-ext'.x_misp_product_name = 'PuTTy suite' AND file:extensions.'windows-pebinary-ext'.x_misp_product_version = 'Release 0.71' AND file:extensions.'windows-pebinary-ext'.x_misp_company_name = 'Simoe Tatham' AND file:extensions.'windows-pebinary-ext'.x_misp_legal_copyright = 'Copyright \u00a9 1997-2019 Simon Tatham.' 
AND file:extensions.'windows-pebinary-ext'.x_misp_impfuzzy = '192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt' AND file:extensions.'windows-pebinary-ext'.sections[0].entropy = '7.836462238824369' AND file:extensions.'windows-pebinary-ext'.sections[0].name = '.rsrc' AND file:extensions.'windows-pebinary-ext'.sections[0].size = '305152' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.MD5 = '8a2a5fc2ce56b3b04d58539a95390600' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'SHA-1' = '0aeb9def096e9f73e9460afe6f8783a32c7eabdf' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'SHA-256' = 'c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.'SHA-512' = '98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f' AND file:extensions.'windows-pebinary-ext'.sections[0].hashes.SSDEEP = '6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ] } - MISP
[ { "name": "file", "meta-category": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "description": "File object describing a file with meta-information", "template_version": "25", "uuid": "5ac47782-e1b8-40b6-96b4-02510a00020f", "ObjectReference": [ { "uuid": "b9b7ef90-a196-4e5f-8f7a-1c8f18a8d1a2", "object_uuid": "5ac47782-e1b8-40b6-96b4-02510a00020f", "referenced_uuid": "76ccdd74-a593-4781-87d5-1a785a7f3f12", "relationship_type": "includes" } ], "Attribute": [ { "uuid": "44c1b3ef-56fd-5eda-881f-d1d861165779", "object_relation": "md5", "value": "b2a5abfeef9e36964281a31e17b57c97", "type": "md5", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "30ca571b-21e1-5d35-8961-23cb2a6d15b2", "object_relation": "sha1", "value": "5898fc860300e228dcd54c0b1045b5fa0dcda502", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "511d1a95-5b49-54fa-83eb-e6239b654ea8", "object_relation": "sha256", "value": "3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8", "type": "sha256", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "03301da9-9267-5091-9a85-a504585d463d", "object_relation": "filename", "value": "oui", "type": "filename", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "a6dee513-fe56-5554-bc11-9762396169d6", "object_relation": "size-in-bytes", "value": "1234", "type": "size-in-bytes", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "733bdd0f-4dd6-5c66-8852-2918f7b5dcd8", "object_relation": "entropy", "value": "1.234", "type": "float", "disable_correlation": true, "to_ids": true, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }, { "name": "pe", "meta-category": "file", "template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07", "description": "Object describing a Portable Executable", 
"template_version": "11", "uuid": "76ccdd74-a593-4781-87d5-1a785a7f3f12", "ObjectReference": [ { "uuid": "301b1be7-ab9f-4706-b179-d052a278108a", "object_uuid": "76ccdd74-a593-4781-87d5-1a785a7f3f12", "referenced_uuid": "19cff33c-75f2-4984-8302-4f9bceec3bd9", "relationship_type": "includes" } ], "Attribute": [ { "uuid": "72e1a43f-35fd-5ae4-8295-5c0e4cfca5e2", "object_relation": "entrypoint-address", "value": "5369222868", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "d35f202f-e89d-53c2-81be-6804f90c80fa", "object_relation": "imphash", "value": "23ea835ab4b9017c74dfb023d2301c99", "type": "imphash", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "8c18a781-3f07-5b04-87f1-78cc4f967868", "object_relation": "number-sections", "value": "8", "type": "counter", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "712b242b-3b98-58b5-96da-257ce5fec952", "object_relation": "type", "value": "exe", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "becaee1f-5efb-544d-aadf-9af328dddc7e", "object_relation": "compilation-timestamp", "value": "2019-03-16T12:31:22+00:00", "type": "datetime", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "cd58298c-b13f-57d8-bb87-77a88d59de93", "object_relation": "original-filename", "value": "PuTTy", "type": "filename", "disable_correlation": true, "to_ids": true, "category": "Payload delivery" }, { "uuid": "ef65699e-cfe3-5f36-8f51-eaa6243440dd", "object_relation": "internal-filename", "value": "PuTTy", "type": "filename", "disable_correlation": true, "to_ids": true, "category": "Payload delivery" }, { "uuid": "8eb829df-c85e-5dd0-8221-1c2454ed4da6", "object_relation": "file-description", "value": "SSH, Telnet and Rlogin client", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "0c1b9cdd-5e30-5aa9-8bbc-a9c42b71f214", 
"object_relation": "file-version", "value": "Release 0.71 (with embedded help)", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "7979d4d9-fbec-518d-8eed-90d53e48fcc7", "object_relation": "lang-id", "value": "080904B0", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "b19d767b-ad03-5de3-8203-a57067bb1390", "object_relation": "product-name", "value": "PuTTy suite", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "a0baadcc-0329-5475-bc55-ea643bd442ce", "object_relation": "product-version", "value": "Release 0.71", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "54b0d69d-51f9-566e-ac6a-0086f8f78954", "object_relation": "company-name", "value": "Simoe Tatham", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "4c38b484-bad8-5ed5-9e63-bedba33759d4", "object_relation": "legal-copyright", "value": "Copyright \u00a9 1997-2019 Simon Tatham.", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "4445ad69-db27-56b8-9648-306456c23c16", "object_relation": "impfuzzy", "value": "192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt", "type": "impfuzzy", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }, { "name": "pe-section", "meta-category": "file", "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", "description": "Object describing a section of a Portable Executable", "template_version": "3", "uuid": "19cff33c-75f2-4984-8302-4f9bceec3bd9", "Attribute": [ { "uuid": "88272e26-8dc6-5fe2-bceb-ac782ffc0a0a", "object_relation": "entropy", "value": "7.836462238824369", "type": "float", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": 
"6ae22987-c106-5388-981b-db3e62404cf2", "object_relation": "name", "value": ".rsrc", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "4385ad23-3adc-53dc-82ba-a3239b8cee22", "object_relation": "size-in-bytes", "value": "305152", "type": "size-in-bytes", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "d2de06c2-2b79-58fd-a4d6-7fada700f016", "object_relation": "md5", "value": "8a2a5fc2ce56b3b04d58539a95390600", "type": "md5", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "9352b999-509f-586b-9708-0cc99f311373", "object_relation": "sha1", "value": "0aeb9def096e9f73e9460afe6f8783a32c7eabdf", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "e5c9acb1-9e28-5e7c-80db-4422413a9991", "object_relation": "sha256", "value": "c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b", "type": "sha256", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "7ecef93f-2c66-5884-bdc7-71fe0aeba836", "object_relation": "sha512", "value": "98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f", "type": "sha512", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "47341526-f70c-5a13-8869-0f454a236a2a", "object_relation": "ssdeep", "value": "6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK", "type": "ssdeep", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } ] - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac47782-e1b8-40b6-96b4-02510a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "file--5ac47782-e1b8-40b6-96b4-02510a00020f" ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5ac47782-e1b8-40b6-96b4-02510a00020f", "hashes": { "MD5": "b2a5abfeef9e36964281a31e17b57c97", "SHA-1": "5898fc860300e228dcd54c0b1045b5fa0dcda502", "SHA-256": "3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8" }, "size": 1234, "name": "oui", "extensions": { "windows-pebinary-ext": { "pe_type": "exe", "imphash": "23ea835ab4b9017c74dfb023d2301c99", "number_of_sections": 8, "optional_header": { "address_of_entry_point": 5369222868 }, "sections": [ { "name": ".rsrc", "size": 305152, "entropy": 7.836462238824369, "hashes": { "MD5": "8a2a5fc2ce56b3b04d58539a95390600", "SHA-1": "0aeb9def096e9f73e9460afe6f8783a32c7eabdf", "SHA-256": "c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b", "SHA-512": "98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f", "SSDEEP": "6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK" } } ], "x_misp_company_name": "Simoe Tatham", "x_misp_compilation_timestamp": "2019-03-16T12:31:22Z", "x_misp_file_description": "SSH, Telnet and Rlogin client", "x_misp_file_version": "Release 0.71 (with embedded help)", "x_misp_impfuzzy": "192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt", "x_misp_internal_filename": "PuTTy", "x_misp_lang_id": "080904B0", "x_misp_legal_copyright": "Copyright \u00a9 1997-2019 Simon Tatham.", 
"x_misp_original_filename": "PuTTy", "x_misp_product_name": "PuTTy suite", "x_misp_product_version": "Release 0.71" } }, "x_misp_entropy": "1.234" } ] - MISP
[ { "name": "file", "meta-category": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "description": "File object describing a file with meta-information", "template_version": "25", "uuid": "5ac47782-e1b8-40b6-96b4-02510a00020f", "ObjectReference": [ { "uuid": "90362fd3-9350-47ce-92cb-47760be20e93", "object_uuid": "5ac47782-e1b8-40b6-96b4-02510a00020f", "referenced_uuid": "61f720bc-2fb8-5a7a-a849-4542b59048e4", "relationship_type": "includes" } ], "Attribute": [ { "uuid": "0ffc2d79-b7f5-57f2-80a9-1059c73ebae0", "object_relation": "md5", "value": "b2a5abfeef9e36964281a31e17b57c97", "type": "md5", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "005ed2fd-feec-5e88-8eb1-6a9d31d3f6d8", "object_relation": "sha1", "value": "5898fc860300e228dcd54c0b1045b5fa0dcda502", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "880b522b-ffdc-5f9e-b236-c454aa6df2ef", "object_relation": "sha256", "value": "3a3468fa89b2ab7cbfe5400858a8ec0066e9e8defa9a64c993b5f24210244df8", "type": "sha256", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "ac6e3961-b4a8-55c5-b739-5b1f3efc9db6", "object_relation": "filename", "value": "oui", "type": "filename", "category": "Payload delivery", "disable_correlation": true, "to_ids": true, "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "24f96323-562e-537b-8f9b-98a82b04f8aa", "object_relation": "size-in-bytes", "value": "1234", "type": "size-in-bytes", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "df182c88-18c1-518b-ad77-f4e2d44a1b90", "object_relation": "entropy", "value": "1.234", "type": "float", 
"disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }, { "name": "pe", "meta-category": "file", "template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07", "description": "Object describing a Portable Executable", "template_version": "11", "uuid": "61f720bc-2fb8-5a7a-a849-4542b59048e4", "ObjectReference": [ { "uuid": "c6da935b-fd25-4a59-84b8-dbd041f302e6", "object_uuid": "61f720bc-2fb8-5a7a-a849-4542b59048e4", "referenced_uuid": "fb7ddfd6-13c1-5ca6-bd1e-04efa3af3247", "relationship_type": "includes" } ], "Attribute": [ { "uuid": "7dc8cde2-bc1a-5d44-b542-9f326f0d6ee7", "object_relation": "entrypoint-address", "value": "5369222868", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "cb8829f2-06a5-55eb-a957-b3a2402a5e15", "object_relation": "imphash", "value": "23ea835ab4b9017c74dfb023d2301c99", "type": "imphash", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "e76d4377-21fe-5a56-a10f-b2b2519c84e4", "object_relation": "number-sections", "value": "8", "type": "counter", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "d3cc0da0-ab1c-57e9-9f2f-35a55e4be135", "object_relation": "type", "value": "exe", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "04c88329-3f78-56c7-878b-afa6b6d44a18", "object_relation": "company-name", "value": "Simoe Tatham", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "1bd33ed2-0764-55a5-8aed-bf3ae9408062", "object_relation": "compilation-timestamp", "value": "2019-03-16T12:31:22+00:00", "type": "datetime", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": 
"8ff8236d-7a2c-52ff-8104-4732e0acdf51", "object_relation": "file-description", "value": "SSH, Telnet and Rlogin client", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "48965304-361d-538f-baa3-d6961274741a", "object_relation": "file-version", "value": "Release 0.71 (with embedded help)", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "f9c26894-4e50-5a28-bf53-8c78148a3690", "object_relation": "impfuzzy", "value": "192:8GMV5iqHKV+5RvUV5iqHKV+5RvAVDNNhwkCtRxwUQt63yf2y9sAkexSECI:vMVzB5R8VzB5R4XGtRxwUccc2y9scxt", "type": "impfuzzy", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "566e4116-5228-5d42-a45a-029f0298a32a", "object_relation": "internal-filename", "value": "PuTTy", "type": "filename", "disable_correlation": true, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "b363c1e5-8a0e-51e8-8160-4bb748496263", "object_relation": "lang-id", "value": "080904B0", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "a51d7d2d-565e-55a4-9065-8d4b015f36b0", "object_relation": "legal-copyright", "value": "Copyright \u00a9 1997-2019 Simon Tatham.", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "386e63e1-49fa-5293-83f8-e245e1ee3a2e", "object_relation": "original-filename", "value": "PuTTy", "type": "filename", "disable_correlation": true, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "9ae9011b-b13a-5a38-91f8-6bb6820fa957", "object_relation": "product-name", "value": "PuTTy suite", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": 
"4b286c6c-1596-5b24-af6f-f50f5d195c20", "object_relation": "product-version", "value": "Release 0.71", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }, { "name": "pe-section", "meta-category": "file", "template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", "description": "Object describing a section of a Portable Executable", "template_version": "3", "uuid": "fb7ddfd6-13c1-5ca6-bd1e-04efa3af3247", "Attribute": [ { "uuid": "32f76b8f-f1f6-5346-8edf-372169230ce8", "object_relation": "entropy", "value": 7.836462238824369, "type": "float", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "d35b8568-7286-5273-8c10-65e8d76ae245", "object_relation": "name", "value": ".rsrc", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "9a06f844-b40e-5f92-ae29-896eee5b6cc0", "object_relation": "size-in-bytes", "value": "305152", "type": "size-in-bytes", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "08ddaeeb-e2e2-5530-9b01-5e5b9fcd2ecc", "object_relation": "md5", "value": "8a2a5fc2ce56b3b04d58539a95390600", "type": "md5", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "e0a62bf4-51cb-5810-a1d9-36aa83aef1c2", "object_relation": "sha1", "value": "0aeb9def096e9f73e9460afe6f8783a32c7eabdf", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "96f4eace-3ea4-5f27-97c1-1826a92af2ef", "object_relation": "sha256", "value": "c6b3ac8303a72be90b0e47f69977e6f5665693d4ea0aa93e5c27b5c556c7cf9b", "type": "sha256", "disable_correlation": false, "to_ids": true, 
"category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "be9a0001-3296-5f23-9b0c-3b4497a8ae37", "object_relation": "sha512", "value": "98fce208e6ed9612db53725fe03b73ab7cb1b487814d521c3c218273cad33891ce832c4f842c6f492d92df1e78414c82a00ddb91a1f8ec7d67325231a597a78f", "type": "sha512", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" }, { "uuid": "1dfff8b7-f813-5a46-a5c9-efb0c6ed80a2", "object_relation": "ssdeep", "value": "6144:BvqbV6zoA5yJJ1entjx+UJlVshhKuqMrgyNhahL2uSvhM:BvuVy5UJUtwUJ/UjHSEuSvK", "type": "ssdeep", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5ac47782-e1b8-40b6-96b4-02510a00020f" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } ]
- STIX - Indicator
- Script object where state is “Malicious”
- STIX - Malware
{ "type": "malware", "spec_version": "2.1", "id": "malware--ce12c406-cf09-457b-875a-41ab75d6dc4d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "infected.py", "description": "A script that infects command line shells", "is_family": false, "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "implementation_languages": [ "Python" ], "labels": [ "misp:name=\"script\"", "misp:meta-category=\"misc\"" ], "x_misp_script": "print('You are infected')", "x_misp_script_as_attachment": { "value": "infected.py", "data": "cHJpbnQoJ1lvdSBhcmUgaW5mZWN0ZWQnKQo=" }, "x_misp_state": "Malicious" } - MISP
{ "name": "script", "meta-category": "misc", "template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "template_version": "7", "uuid": "ce12c406-cf09-457b-875a-41ab75d6dc4d", "Attribute": [ { "uuid": "dac2edac-d547-5e50-85a4-e9452224445c", "object_relation": "filename", "value": "infected.py", "type": "filename", "disable_correlation": true, "to_ids": true, "category": "Payload delivery" }, { "uuid": "c1e87f91-0b89-58f6-bd3d-2f884b776bcb", "object_relation": "comment", "value": "A script that infects command line shells", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "61351eaf-8de4-5e32-9832-a92fa37a192a", "object_relation": "language", "value": "Python", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "2cb36b7e-1b0b-5ecf-aab8-9117fc7f02c6", "object_relation": "script", "value": "print('You are infected')", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "2ede7ee1-5d19-53d5-b9a3-0b83b625c184", "object_relation": "state", "value": "Malicious", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "data": "cHJpbnQoJ1lvdSBhcmUgaW5mZWN0ZWQnKQo=", "uuid": "aac397ed-5b76-464c-8faf-0692b14694a7", "object_relation": "script-as-attachment", "value": "infected.py", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Malware
- Script object where state is not “Malicious”
- STIX - Tool
{ "type": "tool", "spec_version": "2.1", "id": "tool--9d14bdd1-5d32-4b4d-bd50-fd3a9d1c1c04", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "hello.py", "description": "A peaceful script", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"script\"", "misp:meta-category=\"misc\"" ], "x_misp_language": "Python", "x_misp_script": "print('Hello World')", "x_misp_script_as_attachment": { "value": "hello.py", "data": "cHJpbnQoJ0hlbGxvIFdvcmxkJykK" }, "x_misp_state": "Harmless" } - MISP
{ "name": "script", "meta-category": "misc", "template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "template_version": "7", "uuid": "9d14bdd1-5d32-4b4d-bd50-fd3a9d1c1c04", "Attribute": [ { "uuid": "ca486900-87da-576d-9bd3-377404a21218", "object_relation": "filename", "value": "hello.py", "type": "filename", "disable_correlation": true, "to_ids": true, "category": "Payload delivery" }, { "uuid": "f4fc31a9-2995-5d0e-87f5-bc7aa8f0af1f", "object_relation": "comment", "value": "A peaceful script", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "551b0110-98ec-526d-97c9-fae46920b783", "object_relation": "language", "value": "Python", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "99f9b240-1e68-5f54-95ff-41791cb59846", "object_relation": "script", "value": "print('Hello World')", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "f2ccdac7-b2e8-5e65-be11-1228b55fbf11", "object_relation": "state", "value": "Harmless", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "data": "cHJpbnQoJ0hlbGxvIFdvcmxkJykK", "uuid": "4eb4c636-0f27-4d4b-af30-3b06f97ee15d", "object_relation": "script-as-attachment", "value": "hello.py", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Tool
- android-app
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--02782ed5-b27f-4abc-8bae-efebe13a46dd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[software:name = 'Facebook' AND software:x_misp_certificate = 'c3a94cdf5ad4d71fd60c16ba8801529c78e7398f' AND software:x_misp_domain = 'facebook.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"android-app\"", "misp:meta-category=\"file\"" ] } - MISP
{ "name": "android-app", "meta-category": "file", "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735", "description": "Indicators related to an Android app", "template_version": "2", "uuid": "02782ed5-b27f-4abc-8bae-efebe13a46dd", "Attribute": [ { "uuid": "cbd5d1c3-f15c-58f4-95da-484d3ff06c53", "object_relation": "name", "value": "Facebook", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "3c277be5-0978-5e09-8ec9-1e0321c5434d", "object_relation": "certificate", "value": "c3a94cdf5ad4d71fd60c16ba8801529c78e7398f", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "3b7370a1-0a85-55f3-910b-3a7fbccaf0c0", "object_relation": "domain", "value": "facebook.com", "type": "domain", "disable_correlation": false, "to_ids": true, "category": "Network activity" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--02782ed5-b27f-4abc-8bae-efebe13a46dd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "software--02782ed5-b27f-4abc-8bae-efebe13a46dd" ], "labels": [ "misp:name=\"android-app\"", "misp:meta-category=\"file\"" ] }, { "type": "software", "spec_version": "2.1", "id": "software--02782ed5-b27f-4abc-8bae-efebe13a46dd", "name": "Facebook", "x_misp_certificate": "c3a94cdf5ad4d71fd60c16ba8801529c78e7398f", "x_misp_domain": "facebook.com" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--02782ed5-b27f-4abc-8bae-efebe13a46dd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[software:name = 'Facebook' AND software:x_misp_certificate = 'c3a94cdf5ad4d71fd60c16ba8801529c78e7398f' AND software:x_misp_domain = 'facebook.com']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"android-app\"", "misp:meta-category=\"file\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--083173fd-5fce-4b13-b413-bf10aa781ee5", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--02782ed5-b27f-4abc-8bae-efebe13a46dd", "target_ref": "observed-data--02782ed5-b27f-4abc-8bae-efebe13a46dd" } ] - MISP
{ "name": "android-app", "meta-category": "file", "template_uuid": "92836f23-4730-4eae-82ac-9f00d5299735", "description": "Indicators related to an Android app", "template_version": "2", "uuid": "02782ed5-b27f-4abc-8bae-efebe13a46dd", "Attribute": [ { "uuid": "27bc5b4c-16e3-5535-ae7f-cef6f4ec210d", "object_relation": "name", "value": "Facebook", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--02782ed5-b27f-4abc-8bae-efebe13a46dd" }, { "uuid": "f483da88-87c8-5b33-bd7f-d6d81aeca945", "object_relation": "certificate", "value": "c3a94cdf5ad4d71fd60c16ba8801529c78e7398f", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--02782ed5-b27f-4abc-8bae-efebe13a46dd" }, { "uuid": "dd282f72-28ae-5cb0-973d-f86e706c2028", "object_relation": "domain", "value": "facebook.com", "type": "domain", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--02782ed5-b27f-4abc-8bae-efebe13a46dd" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- annotation
- STIX - Note
{ "type": "note", "spec_version": "2.1", "id": "note--eb6592bb-675c-48f3-9272-157141196b93", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "content": "Google public DNS", "object_refs": [ "observed-data--5ac47edc-31e4-4402-a7b6-040d0a00020f", "indicator--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f" ], "labels": [ "misp:name=\"annotation\"", "misp:meta-category=\"misc\"" ], "x_misp_attachment": { "value": "annotation.attachment", "data": "OC44LjguOCBpcyB0aGUgR29[...]WRkcmVzc2VzIChJUHY0KS4K" }, "x_misp_type": "Executive Summary" } - MISP
{ "name": "annotation", "meta-category": "misc", "template_uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487", "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.", "template_version": "3", "uuid": "eb6592bb-675c-48f3-9272-157141196b93", "ObjectReference": [ { "uuid": "e62634a1-7553-4f97-9e29-952d6257739f", "object_uuid": "eb6592bb-675c-48f3-9272-157141196b93", "referenced_uuid": "5ac47edc-31e4-4402-a7b6-040d0a00020f", "relationship_type": "annotates" }, { "uuid": "5a314d41-fa3d-4dc9-8a00-21821d7648d5", "object_uuid": "eb6592bb-675c-48f3-9272-157141196b93", "referenced_uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "relationship_type": "annotates" } ], "Attribute": [ { "uuid": "9fd2b8cc-a192-5618-a504-fada274af05f", "object_relation": "text", "value": "Google public DNS", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "data": "OC44LjguOCBpcyB0aGUgR29[...]WRkcmVzc2VzIChJUHY0KS4K", "uuid": "a7d0d60a-a387-5af6-90d6-1d7be2b304aa", "object_relation": "attachment", "value": "annotation.attachment", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "uuid": "194d2f04-9016-5dee-b6bb-a18d1efa5857", "object_relation": "type", "value": "Executive Summary", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Note
- asn
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5b23c82b-6508-4bdc-b580-045b0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[autonomous-system:number = '66642' AND autonomous-system:name = 'AS name' AND autonomous-system:x_misp_subnet_announced = '1.2.3.4' AND autonomous-system:x_misp_subnet_announced = '8.8.8.8']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"asn\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "asn", "meta-category": "network", "template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587", "description": "Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.", "template_version": "6", "uuid": "5b23c82b-6508-4bdc-b580-045b0a00020f", "Attribute": [ { "uuid": "a704512f-866c-508c-a17d-5b92d7cda8c7", "object_relation": "asn", "value": "AS66642", "type": "AS", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "8326c3ae-927d-53e0-a7fc-9b1448aef3c5", "object_relation": "description", "value": "AS name", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "1d96b729-0143-5425-b33c-610a6080658f", "object_relation": "subnet-announced", "value": "1.2.3.4", "type": "ip-src", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "46eb4961-c0d4-5854-97f6-ee0b3a38af38", "object_relation": "subnet-announced", "value": "8.8.8.8", "type": "ip-src", "disable_correlation": false, "to_ids": true, "category": "Network activity" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b23c82b-6508-4bdc-b580-045b0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "autonomous-system--5b23c82b-6508-4bdc-b580-045b0a00020f" ], "labels": [ "misp:name=\"asn\"", "misp:meta-category=\"network\"" ] }, { "type": "autonomous-system", "spec_version": "2.1", "id": "autonomous-system--5b23c82b-6508-4bdc-b580-045b0a00020f", "number": 66642, "name": "AS name", "x_misp_subnet_announced": [ "1.2.3.4", "8.8.8.8" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b23c82b-6508-4bdc-b580-045b0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[autonomous-system:number = '66642']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"asn\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--36414951-fe93-4021-8234-9d7fae390de9", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5b23c82b-6508-4bdc-b580-045b0a00020f", "target_ref": "observed-data--5b23c82b-6508-4bdc-b580-045b0a00020f" } ] - MISP
{ "name": "asn", "meta-category": "network", "template_uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587", "description": "Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.", "template_version": "6", "uuid": "5b23c82b-6508-4bdc-b580-045b0a00020f", "Attribute": [ { "uuid": "83135d94-00ae-5874-8d5d-93d95b694ee8", "object_relation": "asn", "value": "66642", "type": "AS", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--5b23c82b-6508-4bdc-b580-045b0a00020f" }, { "uuid": "2481f0b5-49b5-5d41-ae69-0101cd702f94", "object_relation": "description", "value": "AS name", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "3fc36c97-2d3a-596e-b020-d9a133fb69b4", "object_relation": "subnet-announced", "value": "1.2.3.4", "type": "ip-src", "disable_correlation": false, "to_ids": false, "category": "Network activity" }, { "uuid": "973f6578-1e9c-560d-bf48-49ea0344c5e4", "object_relation": "subnet-announced", "value": "8.8.8.8", "type": "ip-src", "disable_correlation": false, "to_ids": false, "category": "Network activity" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- attack-pattern
- STIX - Attack Pattern
{ "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7205da54-70de-4fa7-9b34-e14e63fe6787", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Buffer Overflow in Local Command-Line Utilities", "description": "This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "vulnerability" } ], "labels": [ "misp:name=\"attack-pattern\"", "misp:meta-category=\"vulnerability\"" ], "external_references": [ { "source_name": "capec", "external_id": "CAPEC-9" } ], "x_misp_prerequisites": "The target host exposes a command-line utility to the user. The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited.", "x_misp_related_weakness": [ "CWE-118", "CWE-120" ], "x_misp_solutions": "Carefully review the service\\'s implementation before making it available to users." } - MISP
{ "name": "attack-pattern", "meta-category": "vulnerability", "template_uuid": "35928348-56be-4d7f-9752-a80927936351", "description": "Attack pattern describing a common attack pattern enumeration and classification.", "template_version": "1", "uuid": "7205da54-70de-4fa7-9b34-e14e63fe6787", "Attribute": [ { "uuid": "d3312bd3-e750-5b9e-a2a7-bd7ebd5eb59d", "object_relation": "summary", "value": "This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "415f2b3b-fdee-51ca-b5da-d85ecea5cc46", "object_relation": "name", "value": "Buffer Overflow in Local Command-Line Utilities", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "53de7a0f-4916-5c6a-9581-2aeaecd276d2", "object_relation": "prerequisites", "value": "The target host exposes a command-line utility to the user. 
The command-line utility exposed by the target host has a buffer overflow vulnerability that can be exploited.", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "e2a337e0-70ac-5317-9964-f948412b1b16", "object_relation": "related-weakness", "value": "CWE-118", "type": "weakness", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "uuid": "949c6ea0-f59b-5f00-981e-d9f5c7958303", "object_relation": "related-weakness", "value": "CWE-120", "type": "weakness", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "uuid": "ff8ee95e-ef69-5b42-b0cf-5e39ff800a14", "object_relation": "solutions", "value": "Carefully review the service\\'s implementation before making it available to users.", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "f2a5a101-28ba-4632-a804-28d56525620c", "object_relation": "id", "value": "9", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Attack Pattern
- course-of-action
- STIX - Course of Action
{ "type": "course-of-action", "spec_version": "2.1", "id": "course-of-action--5d514ff9-ac30-4fb5-b9e7-3eb4a964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Block traffic to PIVY C2 Server (10.10.10.10)", "description": "Block communication between the PIVY agents and the C2 Server", "labels": [ "misp:name=\"course-of-action\"", "misp:meta-category=\"misc\"" ], "x_misp_cost": "Low", "x_misp_efficacy": "High", "x_misp_impact": "Low", "x_misp_objective": "Block communication between the PIVY agents and the C2 Server", "x_misp_stage": "Response", "x_misp_type": "Perimeter Blocking" } - MISP
{ "name": "course-of-action", "meta-category": "misc", "template_uuid": "3d1c2c06-68a9-4394-8c8d-258d115f796f", "description": "An object describing a specific measure taken to prevent or respond to an attack.", "template_version": "1", "uuid": "5d514ff9-ac30-4fb5-b9e7-3eb4a964451a", "Attribute": [ { "uuid": "d94001f7-c370-5f65-8a32-bed6b9e3497e", "object_relation": "name", "value": "Block traffic to PIVY C2 Server (10.10.10.10)", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "133554fe-a933-5b98-99d0-2525f0890b95", "object_relation": "description", "value": "Block communication between the PIVY agents and the C2 Server", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "f8273792-0420-508a-8100-477cfe344928", "object_relation": "cost", "value": "Low", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "02f98a6d-60dc-59c2-a505-d5ed0c332c2c", "object_relation": "efficacy", "value": "High", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "3816cef5-fdb9-58b0-b4da-795917e23fdb", "object_relation": "impact", "value": "Low", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "2d74de51-1c2c-531b-89ed-19aab006430b", "object_relation": "objective", "value": "Block communication between the PIVY agents and the C2 Server", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "9cd3cb8e-4a55-58eb-9caa-868695035970", "object_relation": "stage", "value": "Response", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "ca21bcf8-a932-5cfd-93ec-82aad971aec9", "object_relation": "type", "value": "Perimeter Blocking", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Course of Action
- cpe-asset
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--3f53a829-6307-4006-b7a2-ff53dace4159", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[software:cpe = 'cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*' AND software:languages = 'ENG' AND software:name = 'Word' AND software:vendor = 'Microsoft' AND software:version = '2002' AND software:x_misp_description = 'Microsoft Word is a word processing software developed by Microsoft.']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"cpe-asset\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "cpe-asset", "meta-category": "misc", "template_uuid": "8ea002c4-172d-45ae-8d91-1cdea825e6a9", "description": "An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.", "template_version": "1", "uuid": "3f53a829-6307-4006-b7a2-ff53dace4159", "Attribute": [ { "uuid": "0a94f3d6-1fa9-5927-bc76-302a37d9530e", "object_relation": "cpe", "value": "cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*", "type": "cpe", "disable_correlation": false, "to_ids": true, "category": "External analysis" }, { "uuid": "a735d0eb-d82b-5219-be4c-043748a3bddc", "object_relation": "language", "value": "ENG", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "60cdef19-ff6e-51ef-91aa-94b8ccc6c23c", "object_relation": "product", "value": "Word", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "3f88396a-6024-50fa-86d9-476931b4bb5a", "object_relation": "vendor", "value": "Microsoft", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "b0c697a9-09cb-5f2d-a8c3-8da5a3cc8716", "object_relation": "version", "value": "2002", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "2e6f8b95-3bb1-50b2-ae22-6b83004aa8db", "object_relation": "description", "value": "Microsoft Word is a word processing software developed by Microsoft.", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--3f53a829-6307-4006-b7a2-ff53dace4159", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "software--3f53a829-6307-4006-b7a2-ff53dace4159" ], "labels": [ "misp:name=\"cpe-asset\"", "misp:meta-category=\"misc\"" ] }, { "type": "software", "spec_version": "2.1", "id": "software--3f53a829-6307-4006-b7a2-ff53dace4159", "name": "Word", "cpe": "cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*", "languages": [ "ENG" ], "vendor": "Microsoft", "version": "2002", "x_misp_description": "Microsoft Word is a word processing software developed by Microsoft." }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--3f53a829-6307-4006-b7a2-ff53dace4159", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[software:cpe = 'cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"cpe-asset\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ea9e373b-57f1-46bd-9b65-aa845865817b", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--3f53a829-6307-4006-b7a2-ff53dace4159", "target_ref": "observed-data--3f53a829-6307-4006-b7a2-ff53dace4159" } ] - MISP
{ "name": "cpe-asset", "meta-category": "misc", "template_uuid": "8ea002c4-172d-45ae-8d91-1cdea825e6a9", "description": "An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.", "template_version": "1", "uuid": "3f53a829-6307-4006-b7a2-ff53dace4159", "Attribute": [ { "uuid": "4160b135-52d4-5953-b747-71e431d07286", "object_relation": "cpe", "value": "cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*", "type": "cpe", "disable_correlation": false, "to_ids": true, "category": "External analysis", "comment": "Indicator ID: indicator--3f53a829-6307-4006-b7a2-ff53dace4159" }, { "uuid": "dec0bc31-e616-5d3b-8e55-72b62edd5514", "object_relation": "language", "value": "ENG", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "ffe10ee3-7554-5fad-aa53-cae849ba2d88", "object_relation": "product", "value": "Word", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "1e66db4c-c87f-5d39-ae2f-33e2e6a2d308", "object_relation": "vendor", "value": "Microsoft", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "ea6e93e3-1006-5e5c-9cc4-438dc1a72e51", "object_relation": "version", "value": "2002", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "5e596341-ed28-5fc6-bbaf-9fbf23c69050", "object_relation": "description", "value": "Microsoft Word is a word processing software developed by Microsoft.", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- credential
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5b1f9378-46d4-494b-a4c1-044e0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:user_id = 'misp' AND user-account:credential = 'Password1234' AND user-account:x_misp_text = 'MISP default credentials' AND user-account:x_misp_type = 'password' AND user-account:x_misp_origin = 'malware-analysis' AND user-account:x_misp_format = 'clear-text' AND user-account:x_misp_notification = 'victim-notified']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"credential\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "credential", "meta-category": "misc", "template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", "template_version": "5", "uuid": "5b1f9378-46d4-494b-a4c1-044e0a00020f", "Attribute": [ { "uuid": "c73664a1-7ca5-5457-8ab1-537ec9bf249f", "object_relation": "username", "value": "misp", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "2f031cb8-56b0-5bda-aa1a-7504af7e4095", "object_relation": "password", "value": "Password1234", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "49ee2117-830f-53b7-b3ef-96744306f742", "object_relation": "text", "value": "MISP default credentials", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "2c935b07-71d2-5bf3-b3e4-634c2572f7c9", "object_relation": "type", "value": "password", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "a7e1cad5-e8c1-5cd9-864b-217550e1da1f", "object_relation": "origin", "value": "malware-analysis", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "7a03f077-eca5-570d-89d0-1e96fd9600fe", "object_relation": "format", "value": "clear-text", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "a2d352a9-52b0-5c06-9ed8-d9aff6bd1441", "object_relation": "notification", "value": "victim-notified", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5b1f9378-46d4-494b-a4c1-044e0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--5b1f9378-46d4-494b-a4c1-044e0a00020f" ], "labels": [ "misp:name=\"credential\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--5b1f9378-46d4-494b-a4c1-044e0a00020f", "user_id": "misp", "credential": "Password1234", "x_misp_format": "clear-text", "x_misp_notification": "victim-notified", "x_misp_origin": "malware-analysis", "x_misp_text": "MISP default credentials", "x_misp_type": "password" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5b1f9378-46d4-494b-a4c1-044e0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:x_misp_text = 'MISP default credentials']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"credential\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--49fd4899-8273-4e23-9e70-d92c507fb3bf", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5b1f9378-46d4-494b-a4c1-044e0a00020f", "target_ref": "observed-data--5b1f9378-46d4-494b-a4c1-044e0a00020f" } ] - MISP
{ "name": "credential", "meta-category": "misc", "template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", "template_version": "5", "uuid": "5b1f9378-46d4-494b-a4c1-044e0a00020f", "Attribute": [ { "uuid": "c76c35db-fc5e-5e76-8e6d-e8d38dbd8bfe", "object_relation": "username", "value": "misp", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "f29756b5-c6a3-53e4-8be5-5d0ceb16c8f5", "object_relation": "password", "value": "Password1234", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "1e6f7457-5e23-52ff-bee5-b03cbf49c444", "object_relation": "format", "value": "clear-text", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "27148a4d-26fe-52d3-90d7-869919c90b79", "object_relation": "notification", "value": "victim-notified", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "5d8770cc-6c2d-5976-b816-e026e9be4963", "object_relation": "origin", "value": "malware-analysis", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "2af354aa-d2e9-5398-ac08-d6984fdc3c0a", "object_relation": "text", "value": "MISP default credentials", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--5b1f9378-46d4-494b-a4c1-044e0a00020f" }, { "uuid": "49cb96ba-a48e-55ee-9cfe-fa6b8d3e9033", "object_relation": "type", "value": "password", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- domain-ip
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--dc624447-684a-488f-9e16-f78f717d8efd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[domain-name:value = 'circl.lu' AND domain-name:x_misp_hostname = 'circl.lu' AND domain-name:resolves_to_refs[*].value = '149.13.33.14' AND domain-name:x_misp_port = '8443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "domain-ip", "meta-category": "network", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "template_version": "11", "uuid": "dc624447-684a-488f-9e16-f78f717d8efd", "Attribute": [ { "uuid": "dc05d335-bb06-5fdd-9017-bf58f04fb76f", "object_relation": "domain", "value": "circl.lu", "type": "domain", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "95f79729-7e86-535a-9e69-40461b5c4e0f", "object_relation": "hostname", "value": "circl.lu", "type": "hostname", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "d7f3d92c-82cc-599a-b4cd-e3321c78c630", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "04c94fea-7463-5f4a-8d2d-ad3ca7ba69c3", "object_relation": "port", "value": "8443", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": true } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--dc624447-684a-488f-9e16-f78f717d8efd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "domain-name--dc624447-684a-488f-9e16-f78f717d8efd", "ipv4-addr--fcbaf339-615a-409c-915f-034420dc90ca" ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"" ] }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--dc624447-684a-488f-9e16-f78f717d8efd", "value": "circl.lu", "resolves_to_refs": [ "ipv4-addr--fcbaf339-615a-409c-915f-034420dc90ca" ], "x_misp_hostname": "circl.lu", "x_misp_port": "8443" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--fcbaf339-615a-409c-915f-034420dc90ca", "value": "149.13.33.14" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--dc624447-684a-488f-9e16-f78f717d8efd", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[domain-name:value = 'circl.lu' AND domain-name:x_misp_hostname = 'circl.lu' AND domain-name:resolves_to_refs[*].value = '149.13.33.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"domain-ip\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--5d2dcfac-c0c1-418c-af91-028b8776bdee", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--dc624447-684a-488f-9e16-f78f717d8efd", "target_ref": "observed-data--dc624447-684a-488f-9e16-f78f717d8efd" } ] - MISP
{ "name": "domain-ip", "meta-category": "network", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "template_version": "11", "uuid": "dc624447-684a-488f-9e16-f78f717d8efd", "Attribute": [ { "uuid": "8b1ca103-25f5-55fd-bdb7-acb7a47adde0", "object_relation": "domain", "value": "circl.lu", "type": "domain", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "13e41e43-27b6-56be-b938-428ad0dc2c15", "object_relation": "hostname", "value": "circl.lu", "type": "hostname", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "64c83027-4029-5d64-afe0-2c67665592a7", "object_relation": "port", "value": "8443", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "fcbaf339-615a-409c-915f-034420dc90ca", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- email
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5e396622-2a54-4c8d-b61d-159da964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[email-message:to_refs[0].value = 'jdoe@random.org' AND email-message:to_refs[0].display_name = 'John Doe' AND email-message:cc_refs[0].value = 'diana.prince@dc.us' AND email-message:cc_refs[0].display_name = 'Diana Prince' AND email-message:cc_refs[1].value = 'marie.curie@nobel.fr' AND email-message:cc_refs[1].display_name = 'Marie Curie' AND email-message:bcc_refs[0].value = 'jfk@gov.us' AND email-message:bcc_refs[0].display_name = 'John Fitzgerald Kennedy' AND email-message:from_ref.value = 'donald.duck@disney.com' AND email-message:from_ref.display_name = 'Donald Duck' AND email-message:message_id = '25' AND email-message:additional_header_fields.reply_to = 'reply-to@email.test' AND email-message:subject = 'Email test subject' AND email-message:additional_header_fields.x_mailer = 'x-mailer-test' AND email-message:body_multipart[0].body_raw_ref.name = 'attachment1.file' AND email-message:body_multipart[0].content_disposition = 'attachment' AND email-message:body_multipart[1].body_raw_ref.name = 'attachment2.file' AND email-message:body_multipart[1].content_disposition = 'attachment' AND email-message:x_misp_user_agent = 'Test user agent' AND email-message:x_misp_mime_boundary = 'Test mime boundary']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"email\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "email", "meta-category": "network", "template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "description": "Email object describing an email with meta-information", "template_version": "19", "uuid": "5e396622-2a54-4c8d-b61d-159da964451a", "Attribute": [ { "uuid": "624dd773-3928-5de0-8f26-2e476cbf4da0", "object_relation": "to", "value": "jdoe@random.org", "type": "email-dst", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "52130ffb-1055-595c-9790-ebb6b30cac35", "object_relation": "to-display-name", "value": "John Doe", "type": "email-dst-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { "uuid": "efc5afc1-0143-545e-b631-0a6a2018b8bd", "object_relation": "cc", "value": "diana.prince@dc.us", "type": "email-dst", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "2483d6a2-6bc9-5f7c-aeb5-d09704b0091d", "object_relation": "cc-display-name", "value": "Diana Prince", "type": "email-dst-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { "uuid": "7d3a8959-f201-5657-9229-0cb79b359f62", "object_relation": "cc", "value": "marie.curie@nobel.fr", "type": "email-dst", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "9fed8f41-64e6-5e32-9521-d0c5a0a03447", "object_relation": "cc-display-name", "value": "Marie Curie", "type": "email-dst-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { "uuid": "7ab14f48-2d13-5958-8b32-bfc1271ec1a0", "object_relation": "bcc", "value": "jfk@gov.us", "type": "email-dst", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "6a7d9c63-ef86-5a08-b348-f44325311ac6", "object_relation": "bcc-display-name", "value": "John Fitzgerald Kennedy", "type": "email-dst-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { 
"uuid": "930e9750-f8e3-5bad-9b94-278a65778533", "object_relation": "from", "value": "donald.duck@disney.com", "type": "email-src", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { "uuid": "4e065da5-2f42-574e-a0c0-839f49d06afc", "object_relation": "from-display-name", "value": "Donald Duck", "type": "email-src-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { "uuid": "cea0c916-c69b-5e0d-93fd-52d99c3b326c", "object_relation": "message-id", "value": "25", "type": "email-message-id", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "6f3c2d02-083f-54e3-927b-9697c05ae5f3", "object_relation": "reply-to", "value": "reply-to@email.test", "type": "email-reply-to", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { "uuid": "ba54f9e0-02c4-5126-8fb8-200cd0b2d7e3", "object_relation": "subject", "value": "Email test subject", "type": "email-subject", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { "uuid": "dbf964ca-09aa-5d86-93e5-e8c280a1301b", "object_relation": "x-mailer", "value": "x-mailer-test", "type": "email-x-mailer", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "2ae62ac4-20d7-571e-9e32-5b33fe725fd1", "object_relation": "user-agent", "value": "Test user agent", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "3f1d6ddc-1154-59c6-a2a4-5eb6aff4c590", "object_relation": "mime-boundary", "value": "Test mime boundary", "type": "email-mime-boundary", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "f97e6d67-0ca8-5c15-b6cf-d06781ce15a5", "object_relation": "attachment", "value": "attachment1.file", "type": "attachment", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { "uuid": "375280c8-5132-56dd-9f2f-1e4e2fa868e2", "object_relation": 
"attachment", "value": "attachment2.file", "type": "attachment", "category": "Payload delivery", "disable_correlation": false, "to_ids": true } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5e396622-2a54-4c8d-b61d-159da964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "email-message--5e396622-2a54-4c8d-b61d-159da964451a", "email-addr--f5ec3603-e3d0-42d7-a372-14c1c137699b", "email-addr--aebfd1b3-24bc-4da5-8e74-32cb669b8e46", "email-addr--1a43d189-e5f6-4087-98df-b2cbddec2cd6", "email-addr--efde9a0a-a62a-42a8-b863-14a448e313c6", "email-addr--3b940996-f99b-4bda-b065-69b8957f688c", "file--2007ec09-8137-4a71-a3ce-6ef967bebacf", "file--2d35a390-ccdd-4d6b-a36d-513b05e3682a" ], "labels": [ "misp:name=\"email\"", "misp:meta-category=\"network\"" ] }, { "type": "email-message", "spec_version": "2.1", "id": "email-message--5e396622-2a54-4c8d-b61d-159da964451a", "is_multipart": true, "from_ref": "email-addr--f5ec3603-e3d0-42d7-a372-14c1c137699b", "to_refs": [ "email-addr--aebfd1b3-24bc-4da5-8e74-32cb669b8e46" ], "cc_refs": [ "email-addr--1a43d189-e5f6-4087-98df-b2cbddec2cd6", "email-addr--efde9a0a-a62a-42a8-b863-14a448e313c6" ], "bcc_refs": [ "email-addr--3b940996-f99b-4bda-b065-69b8957f688c" ], "message_id": "25", "subject": "Email test subject", "additional_header_fields": { "Reply-To": "reply-to@email.test", "X-Mailer": "x-mailer-test" }, "body_multipart": [ { "body_raw_ref": "file--2007ec09-8137-4a71-a3ce-6ef967bebacf", "content_disposition": "attachment; filename='attachment1.file'" }, { "body_raw_ref": "file--2d35a390-ccdd-4d6b-a36d-513b05e3682a", "content_disposition": "attachment; filename='attachment2.file'" } ], "x_misp_mime_boundary": "Test mime boundary", "x_misp_user_agent": "Test user agent" }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--f5ec3603-e3d0-42d7-a372-14c1c137699b", "value": "donald.duck@disney.com", "display_name": 
"Donald Duck" }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--aebfd1b3-24bc-4da5-8e74-32cb669b8e46", "value": "jdoe@random.org", "display_name": "John Doe" }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--1a43d189-e5f6-4087-98df-b2cbddec2cd6", "value": "diana.prince@dc.us", "display_name": "Diana Prince" }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--efde9a0a-a62a-42a8-b863-14a448e313c6", "value": "marie.curie@nobel.fr", "display_name": "Marie Curie" }, { "type": "email-addr", "spec_version": "2.1", "id": "email-addr--3b940996-f99b-4bda-b065-69b8957f688c", "value": "jfk@gov.us", "display_name": "John Fitzgerald Kennedy" }, { "type": "file", "spec_version": "2.1", "id": "file--2007ec09-8137-4a71-a3ce-6ef967bebacf", "name": "attachment1.file" }, { "type": "file", "spec_version": "2.1", "id": "file--2d35a390-ccdd-4d6b-a36d-513b05e3682a", "name": "attachment2.file" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e396622-2a54-4c8d-b61d-159da964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[email-message:to_refs[0].value = 'jdoe@random.org' AND email-message:cc_refs[0].value = 'diana.prince@dc.us' AND email-message:cc_refs[1].value = 'marie.curie@nobel.fr' AND email-message:bcc_refs[0].value = 'jfk@gov.us' AND email-message:from_ref.value = 'donald.duck@disney.com' AND email-message:body_multipart[0].body_raw_ref.name = 'attachment1.file' AND email-message:body_multipart[0].content_disposition = 'attachment' AND email-message:body_multipart[1].body_raw_ref.name = 'attachment2.file' AND email-message:body_multipart[1].content_disposition = 'attachment']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"email\"", 
"misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--dd033127-0059-4994-9c1d-5a9b3830fcd9", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5e396622-2a54-4c8d-b61d-159da964451a", "target_ref": "observed-data--5e396622-2a54-4c8d-b61d-159da964451a" } ] - MISP
{ "name": "email", "meta-category": "network", "template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "description": "Email object describing an email with meta-information", "template_version": "19", "uuid": "5e396622-2a54-4c8d-b61d-159da964451a", "Attribute": [ { "uuid": "212c4c21-8951-5e72-b364-1ad344c3ae59", "object_relation": "from", "value": "donald.duck@disney.com", "type": "email-src", "category": "Payload delivery", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--5e396622-2a54-4c8d-b61d-159da964451a" }, { "uuid": "7844c964-a695-5687-8ab3-7fe929ce91aa", "object_relation": "from-display-name", "value": "Donald Duck", "type": "email-src-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": false }, { "uuid": "6485b772-5173-5b83-ad7b-bf7c3c3e397a", "object_relation": "to", "value": "jdoe@random.org", "type": "email-dst", "category": "Payload delivery", "disable_correlation": true, "to_ids": true, "comment": "Indicator ID: indicator--5e396622-2a54-4c8d-b61d-159da964451a" }, { "uuid": "22687ea7-3d7b-56e4-83aa-da0f91b5a51c", "object_relation": "to-display-name", "value": "John Doe", "type": "email-dst-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": false }, { "uuid": "26dc2435-b297-5ab8-b78a-ec8cad3f5e5d", "object_relation": "cc", "value": "diana.prince@dc.us", "type": "email-dst", "category": "Payload delivery", "disable_correlation": true, "to_ids": true, "comment": "Indicator ID: indicator--5e396622-2a54-4c8d-b61d-159da964451a" }, { "uuid": "23de13fd-1ac8-5d0d-8696-0227bf61376d", "object_relation": "cc-display-name", "value": "Diana Prince", "type": "email-dst-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": false }, { "uuid": "3920cc9c-d4ee-52ec-8fb2-0db2147181c9", "object_relation": "cc", "value": "marie.curie@nobel.fr", "type": "email-dst", "category": "Payload delivery", "disable_correlation": true, "to_ids": 
true, "comment": "Indicator ID: indicator--5e396622-2a54-4c8d-b61d-159da964451a" }, { "uuid": "f8996ce5-555f-5945-a4dc-c95e57228979", "object_relation": "cc-display-name", "value": "Marie Curie", "type": "email-dst-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": false }, { "uuid": "b3e02857-2364-50a2-85ca-64126deac750", "object_relation": "bcc", "value": "jfk@gov.us", "type": "email-dst", "category": "Payload delivery", "disable_correlation": true, "to_ids": true, "comment": "Indicator ID: indicator--5e396622-2a54-4c8d-b61d-159da964451a" }, { "uuid": "d1b0c462-e221-528e-a963-30d3c5d10b7d", "object_relation": "bcc-display-name", "value": "John Fitzgerald Kennedy", "type": "email-dst-display-name", "category": "Payload delivery", "disable_correlation": false, "to_ids": false }, { "uuid": "893b27f4-78a7-5e51-a730-6f94ea6af5b5", "object_relation": "message-id", "value": "25", "type": "email-message-id", "category": "Payload delivery", "disable_correlation": true, "to_ids": false }, { "uuid": "a09bb45d-1cd0-5787-bc48-3017aab4c2a8", "object_relation": "subject", "value": "Email test subject", "type": "email-subject", "category": "Payload delivery", "disable_correlation": false, "to_ids": false }, { "uuid": "bb694d01-c09f-5870-afb3-a9d5f7ba180a", "object_relation": "mime-boundary", "value": "Test mime boundary", "type": "email-mime-boundary", "category": "Payload delivery", "disable_correlation": true, "to_ids": false }, { "uuid": "a5a5a314-c29e-543a-9180-62c0bef8d04e", "object_relation": "user-agent", "value": "Test user agent", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "66d04a88-0f13-537a-8c5f-0d065d291887", "object_relation": "reply-to", "value": "reply-to@email.test", "type": "email-reply-to", "category": "Payload delivery", "disable_correlation": false, "to_ids": false }, { "uuid": "ae4f6a9b-7994-51b8-a9bb-acae9357a8ba", "object_relation": "x-mailer", "value": "x-mailer-test", 
"type": "email-x-mailer", "category": "Payload delivery", "disable_correlation": true, "to_ids": false }, { "uuid": "2007ec09-8137-4a71-a3ce-6ef967bebacf", "object_relation": "attachment", "value": "attachment1.file", "type": "email-attachment", "category": "Payload delivery", "disable_correlation": false, "to_ids": true }, { "uuid": "2d35a390-ccdd-4d6b-a36d-513b05e3682a", "object_relation": "attachment", "value": "attachment2.file", "type": "email-attachment", "category": "Payload delivery", "disable_correlation": false, "to_ids": true } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- employee
- STIX - Identity
{ "type": "identity", "spec_version": "2.1", "id": "identity--685a38e1-3ca1-40ef-874d-3a04b9fb3af6", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "John Doe", "description": "John Doe is known", "roles": [ "Supervisor" ], "identity_class": "individual", "contact_information": "email-address: jdoe@email.com", "labels": [ "misp:name=\"employee\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "employee", "meta-category": "misc", "template_uuid": "443b2f15-d7c9-4d3d-bfd2-38f099753e83", "description": "An employee and related data points", "template_version": "1", "uuid": "685a38e1-3ca1-40ef-874d-3a04b9fb3af6", "Attribute": [ { "uuid": "0f506bcb-328b-5ea7-940e-fc4bab7f45b5", "object_relation": "full-name", "value": "John Doe", "type": "full-name", "disable_correlation": true, "to_ids": false, "category": "Person" }, { "uuid": "a75f25af-7585-5df8-9bfa-0b6d28b92d0a", "object_relation": "text", "value": "John Doe is known", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "422d0c1e-70ee-54f7-b94c-0ec55b04842d", "object_relation": "employee-type", "value": "Supervisor", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "43580786-af0f-57d0-8410-eab84cf872e7", "object_relation": "email-address", "value": "jdoe@email.com", "type": "target-email", "disable_correlation": false, "to_ids": false, "category": "Targeting data" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Identity
- facebook-account
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--7d8ac653-b65c-42a6-8420-ddc71d65f50d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'facebook' AND user-account:user_id = '1392781243' AND user-account:account_login = 'octocat' AND user-account:x_misp_link = 'https://facebook.com/octocat' AND user-account:x_misp_user_avatar.data = 'iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC' AND user-account:x_misp_user_avatar.value = 'octocat.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"facebook-account\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "facebook-account", "meta-category": "misc", "template_uuid": "b9862b95-7d78-4938-a2b5-13e45c60f25a", "description": "Facebook account.", "template_version": "1", "uuid": "7d8ac653-b65c-42a6-8420-ddc71d65f50d", "Attribute": [ { "uuid": "98b5a53f-03c7-50e5-b62f-f66550aba859", "object_relation": "account-id", "value": "1392781243", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "db0b9d42-38fa-5ef2-b138-46c7acd32ae9", "object_relation": "account-name", "value": "octocat", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "b081b078-7554-575a-8f11-5d37c4f8e7f7", "object_relation": "link", "value": "https://facebook.com/octocat", "type": "link", "disable_correlation": false, "to_ids": true, "category": "External analysis" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "20ae5885-1b2f-51af-8651-9d01080324fd", "object_relation": "user-avatar", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": true, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--7d8ac653-b65c-42a6-8420-ddc71d65f50d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--7d8ac653-b65c-42a6-8420-ddc71d65f50d" ], "labels": [ "misp:name=\"facebook-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--7d8ac653-b65c-42a6-8420-ddc71d65f50d", "user_id": "1392781243", "account_login": "octocat", "account_type": "facebook", "x_misp_link": "https://facebook.com/octocat", "x_misp_user_avatar": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7d8ac653-b65c-42a6-8420-ddc71d65f50d", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'facebook' AND user-account:user_id = '1392781243']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"facebook-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7db8539b-3a18-4ba3-9fac-d38d3aa03bdd", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--7d8ac653-b65c-42a6-8420-ddc71d65f50d", "target_ref": "observed-data--7d8ac653-b65c-42a6-8420-ddc71d65f50d" } ] - MISP
{ "name": "facebook-account", "meta-category": "misc", "template_uuid": "b9862b95-7d78-4938-a2b5-13e45c60f25a", "description": "Facebook account.", "template_version": "1", "uuid": "7d8ac653-b65c-42a6-8420-ddc71d65f50d", "Attribute": [ { "uuid": "effca8d7-ab53-53ea-9736-d575b42a23cb", "object_relation": "account-id", "value": "1392781243", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--7d8ac653-b65c-42a6-8420-ddc71d65f50d" }, { "uuid": "c774adbc-7a97-5c5c-aeee-ceb11785eca8", "object_relation": "account-name", "value": "octocat", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "fb75c5cb-1fce-5b1d-811c-261eea65a57f", "object_relation": "link", "value": "https://facebook.com/octocat", "type": "link", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "25baee2a-215e-5261-90f4-16d270ddc066", "object_relation": "user-avatar", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- file
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5e384ae7-672c-4250-9cda-3b4da964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[file:hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:hashes.'SHA-1' = '46aba99aa7158e4609aaa72b50990842fd22ae86' AND file:hashes.'SHA-256' = 'ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b' AND file:name = 'oui' AND file:name_enc = 'UTF-8' AND file:size = '35' AND file:parent_directory_ref.path = '/var/www/MISP/app/files/scripts/tmp' AND (file:content_ref.payload_bin = 'UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==' AND file:content_ref.x_misp_filename = 'oui' AND file:content_ref.hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected') AND (file:content_ref.payload_bin = 'Tm9uLW1hbGljaW91cyBmaWxlCg==' AND file:content_ref.x_misp_filename = 'non')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ] } - MISP
{ "name": "file", "meta-category": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "description": "File object describing a file with meta-information", "template_version": "25", "uuid": "5e384ae7-672c-4250-9cda-3b4da964451a", "Attribute": [ { "uuid": "b35e4661-524c-5f93-b50c-9b06d8771ecd", "object_relation": "md5", "value": "8764605c6f388c89096b534d33565802", "type": "md5", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "3658f8d6-a658-5bf7-a5c3-7f96ac89fc65", "object_relation": "sha1", "value": "46aba99aa7158e4609aaa72b50990842fd22ae86", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "913515d1-4580-5b19-93aa-5b66c54c6e23", "object_relation": "sha256", "value": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b", "type": "sha256", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "ec60937d-4962-57a7-ba8e-5eed49a4da82", "object_relation": "filename", "value": "oui", "type": "filename", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "d386bb36-fa15-5b93-b290-0bc27ff1c796", "object_relation": "file-encoding", "value": "UTF-8", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "cc05c743-7a13-5385-87b5-e8462122882b", "object_relation": "size-in-bytes", "value": "35", "type": "size-in-bytes", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "b183e93e-9f17-5748-be0c-adb2a6b69280", "object_relation": "path", "value": "/var/www/MISP/app/files/scripts/tmp", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "data": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==", "uuid": "cc3d8019-98d8-59d1-b7da-4f2d44fd58b2", "object_relation": "malware-sample", "value": "oui|8764605c6f388c89096b534d33565802", "type": "malware-sample", "disable_correlation": false, 
"to_ids": true, "category": "Payload delivery", "malware_filename": "oui" }, { "data": "Tm9uLW1hbGljaW91cyBmaWxlCg==", "uuid": "066ce28b-245e-553b-b4e7-df9e6e4a6eae", "object_relation": "attachment", "value": "non", "type": "attachment", "disable_correlation": false, "to_ids": true, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5e384ae7-672c-4250-9cda-3b4da964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "file--5e384ae7-672c-4250-9cda-3b4da964451a", "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f" ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--5e384ae7-672c-4250-9cda-3b4da964451a", "hashes": { "MD5": "8764605c6f388c89096b534d33565802", "SHA-1": "46aba99aa7158e4609aaa72b50990842fd22ae86", "SHA-256": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b" }, "size": 35, "name": "oui", "name_enc": "UTF-8", "ctime": "2021-10-25T16:22:00Z", "mtime": "2022-10-25T16:22:00Z", "parent_directory_ref": "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "content_ref": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "x_misp_attachment": { "value": "non", "data": "Tm9uLW1hbGljaW91cyBmaWxlCg==" } }, { "type": "directory", "spec_version": "2.1", "id": "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "path": "/var/www/MISP/app/files/scripts/tmp" }, { "type": "artifact", "spec_version": "2.1", "id": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "mime_type": "application/zip", "payload_bin": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==", "hashes": { "MD5": "8764605c6f388c89096b534d33565802" }, "encryption_algorithm": "mime-type-indicated", "decryption_key": "infected", "x_misp_filename": "oui" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e384ae7-672c-4250-9cda-3b4da964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": 
"[file:hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:hashes.'SHA-1' = '46aba99aa7158e4609aaa72b50990842fd22ae86' AND file:hashes.'SHA-256' = 'ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b' AND file:name = 'oui' AND (file:content_ref.payload_bin = 'UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==' AND file:content_ref.x_misp_filename = 'oui' AND file:content_ref.hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"file\"", "misp:meta-category=\"file\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f9626c9a-ad6f-4351-9553-0a3dbffc46d6", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5e384ae7-672c-4250-9cda-3b4da964451a", "target_ref": "observed-data--5e384ae7-672c-4250-9cda-3b4da964451a" } ] - MISP
{ "name": "file", "meta-category": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "description": "File object describing a file with meta-information", "template_version": "25", "uuid": "5e384ae7-672c-4250-9cda-3b4da964451a", "Attribute": [ { "uuid": "4d61a9f5-3e53-5970-8dbd-57876b383992", "object_relation": "md5", "value": "8764605c6f388c89096b534d33565802", "type": "md5", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5e384ae7-672c-4250-9cda-3b4da964451a" }, { "uuid": "31877d35-5c1a-5925-bd53-fd44614b0d46", "object_relation": "sha1", "value": "46aba99aa7158e4609aaa72b50990842fd22ae86", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5e384ae7-672c-4250-9cda-3b4da964451a" }, { "uuid": "e948e5d4-a19c-514a-a7be-47de47368cce", "object_relation": "sha256", "value": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b", "type": "sha256", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5e384ae7-672c-4250-9cda-3b4da964451a" }, { "uuid": "061c77f6-64db-58dd-acff-3b0482940ff4", "object_relation": "creation-time", "value": "2021-10-25T16:22:00+00:00", "type": "datetime", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "dd099fd6-4b00-5055-8d6b-4ad227b369a1", "object_relation": "modification-time", "value": "2022-10-25T16:22:00+00:00", "type": "datetime", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "c4af11a1-451a-52c6-8e49-ed17d6523dd6", "object_relation": "filename", "value": "oui", "type": "filename", "category": "Payload delivery", "disable_correlation": true, "to_ids": true, "comment": "Indicator ID: indicator--5e384ae7-672c-4250-9cda-3b4da964451a" }, { "uuid": "7089b717-9054-5f01-8e54-08ccc9fcbb24", "object_relation": "file-encoding", "value": "UTF-8", "type": 
"text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "b6d9a949-2c6a-550c-92a6-3685c3f69c35", "object_relation": "size-in-bytes", "value": "35", "type": "size-in-bytes", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "data": "Tm9uLW1hbGljaW91cyBmaWxlCg==", "uuid": "1a4fb5ab-7870-51b3-af59-55096bb23d85", "object_relation": "attachment", "value": "non", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "path", "value": "/var/www/MISP/app/files/scripts/tmp", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "data": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==", "uuid": "e668d25a-e269-5c1f-b3f4-2ca7cd08c106", "object_relation": "malware-sample", "value": "oui|8764605c6f388c89096b534d33565802", "type": "malware-sample", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "malware_filename": "oui" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- geolocation
- STIX - Location
{ "type": "location", "spec_version": "2.1", "id": "location--6a10dac8-71ac-4d9b-8269-1e9c73ea4d8f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "latitude": 39.108889, "longitude": -76.771389, "precision": 1000.0, "region": "northern-america", "country": "US", "city": "Fort Meade", "street_address": "9800 Savage Rd. Suite 6272", "postal_code": "MD 20755", "labels": [ "misp:name=\"geolocation\"", "misp:meta-category=\"misc\"" ], "x_misp_altitude": "55", "x_misp_country": "USA" } - MISP
{ "name": "geolocation", "meta-category": "misc", "template_uuid": "cd6f2238-ba55-4888-82c4-104e6e1acf21", "description": "An object to describe a geographic location.", "template_version": "8", "uuid": "6a10dac8-71ac-4d9b-8269-1e9c73ea4d8f", "Attribute": [ { "uuid": "7425b38b-6547-5611-989f-f42b8aa5513b", "object_relation": "city", "value": "Fort Meade", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "2a1868aa-0bdf-500a-b307-97ae8851d5c1", "object_relation": "countrycode", "value": "US", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "f35fd35f-d6bc-5ea2-9010-0e440b0a7dc9", "object_relation": "latitude", "value": 39.108889, "type": "float", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "5cf04214-f8cb-530a-a83a-04340a7fd595", "object_relation": "longitude", "value": -76.771389, "type": "float", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "a7270cc9-37e9-5384-9991-fc684ff3db9c", "object_relation": "zipcode", "value": "MD 20755", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "f1da18ba-5d1f-50e4-81b6-a2b719281d6e", "object_relation": "region", "value": "northern-america", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "cc6f47f4-e45f-54e7-bf9d-476c333064c1", "object_relation": "address", "value": "9800 Savage Rd. 
Suite 6272", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "912fe722-dd21-5b61-afe5-f7575faf3a05", "object_relation": "altitude", "value": "55", "type": "float", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "b09f7ec3-7318-5675-a841-405cb9307110", "object_relation": "country", "value": "USA", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "85d80c4d-5511-4d73-8e60-e66c69e259a3", "object_relation": "accuracy-radius", "value": 1.0, "type": "float", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Location
- github-user
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5177abbd-c437-4acb-9173-eee371ad24da", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'github' AND user-account:user_id = '1' AND user-account:display_name = 'Octo Cat' AND user-account:account_login = 'octocat' AND user-account:x_misp_organisation = 'GitHub' AND user-account:x_misp_profile_image.data = 'iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC' AND user-account:x_misp_profile_image.value = 'octocat.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"github-user\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "github-user", "meta-category": "misc", "template_uuid": "4329b5e6-8e6a-4b55-8fd1-9033782017d4", "description": "GitHub user", "template_version": "3", "uuid": "5177abbd-c437-4acb-9173-eee371ad24da", "Attribute": [ { "uuid": "597c0499-57a5-5d47-b37d-493ce3357161", "object_relation": "id", "value": "1", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "c3c9f49e-04e5-5706-9f88-6515a4e2d7f2", "object_relation": "user-fullname", "value": "Octo Cat", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "a8fc644e-afcd-5a1c-b7c5-cf3c7ceeb1fc", "object_relation": "username", "value": "octocat", "type": "github-username", "disable_correlation": false, "to_ids": true, "category": "Social network" }, { "uuid": "99a397e4-9c95-52c4-9a21-6523e757fe3a", "object_relation": "organisation", "value": "GitHub", "type": "github-organisation", "disable_correlation": false, "to_ids": true, "category": "Social network" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "277d6971-1f8c-5a31-ac71-f1d26ab931e3", "object_relation": "profile-image", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": true, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5177abbd-c437-4acb-9173-eee371ad24da", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--5177abbd-c437-4acb-9173-eee371ad24da" ], "labels": [ "misp:name=\"github-user\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--5177abbd-c437-4acb-9173-eee371ad24da", "user_id": "1", "account_login": "octocat", "account_type": "github", "display_name": "Octo Cat", "x_misp_organisation": "GitHub", "x_misp_profile_image": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5177abbd-c437-4acb-9173-eee371ad24da", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'github' AND user-account:user_id = '1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"github-user\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d88cf4b1-e4ed-46c6-9a2d-af8bafda3e8a", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5177abbd-c437-4acb-9173-eee371ad24da", "target_ref": "observed-data--5177abbd-c437-4acb-9173-eee371ad24da" } ] - MISP
{ "name": "github-user", "meta-category": "misc", "template_uuid": "4329b5e6-8e6a-4b55-8fd1-9033782017d4", "description": "GitHub user", "template_version": "3", "uuid": "5177abbd-c437-4acb-9173-eee371ad24da", "Attribute": [ { "uuid": "656b6cce-6c75-558d-a90f-7e1574e49efb", "object_relation": "id", "value": "1", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--5177abbd-c437-4acb-9173-eee371ad24da" }, { "uuid": "b0c23243-e0bc-595d-8bb2-1b99e2ea146e", "object_relation": "username", "value": "octocat", "type": "github-username", "disable_correlation": false, "to_ids": false, "category": "Social network" }, { "uuid": "5ff06a20-f6cc-5260-9d31-279dd534ba38", "object_relation": "user-fullname", "value": "Octo Cat", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "7972c7eb-8475-50a4-9bb4-6672e8cf8ca0", "object_relation": "organisation", "value": "GitHub", "type": "github-organisation", "disable_correlation": false, "to_ids": false, "category": "Social network" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "90494b59-5adb-53db-b572-09838b1fe2c2", "object_relation": "profile-image", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- gitlab-user
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'gitlab' AND user-account:user_id = '1234567890' AND user-account:display_name = 'John Doe' AND user-account:account_login = 'j0hnd0e']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"gitlab-user\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "gitlab-user", "meta-category": "misc", "template_uuid": "39ef3197-08f5-445f-b3b6-9d4d8604071c", "description": "GitLab user. Gitlab.com user or self-hosted GitLab instance", "template_version": "1", "uuid": "20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b", "Attribute": [ { "uuid": "0cfd7d88-6f04-5600-af49-da7ff9a0961a", "object_relation": "id", "value": "1234567890", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "5be3b88a-bf49-5cc8-95db-7ae931eba994", "object_relation": "name", "value": "John Doe", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "0d48bd6a-4cd9-5590-8ff0-c41f438e0afc", "object_relation": "username", "value": "j0hnd0e", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b" ], "labels": [ "misp:name=\"gitlab-user\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b", "user_id": "1234567890", "account_login": "j0hnd0e", "account_type": "gitlab", "display_name": "John Doe" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'gitlab' AND user-account:user_id = '1234567890']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"gitlab-user\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--746d942a-8a4a-482c-8bb2-88137bb9ef72", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b", "target_ref": "observed-data--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b" } ] - MISP
{ "name": "gitlab-user", "meta-category": "misc", "template_uuid": "39ef3197-08f5-445f-b3b6-9d4d8604071c", "description": "GitLab user. Gitlab.com user or self-hosted GitLab instance", "template_version": "1", "uuid": "20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b", "Attribute": [ { "uuid": "7bc3afa2-fbb2-5c9e-a714-7cdab44a4074", "object_relation": "id", "value": "1234567890", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--20a39ad0-e8e1-4917-9fb8-40fecc4d0e7b" }, { "uuid": "caa344ed-6f9a-5673-a715-f6b2fac52bf0", "object_relation": "name", "value": "John Doe", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "f5d93f9f-50c6-5fbc-891d-d3cf8140e4d9", "object_relation": "username", "value": "j0hnd0e", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- http-request
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '8.8.8.8') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.13.33.14') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu') AND network-traffic:extensions.'http-request-ext'.request_method = 'POST' AND network-traffic:extensions.'http-request-ext'.request_value = '/projects/internships/' AND network-traffic:extensions.'http-request-ext'.request_value = 'http://circl.lu/projects/internships/' AND network-traffic:extensions.'http-request-ext'.request_header.'Content-Type' = 'JSON' AND network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' = 'Mozilla Firefox']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"http-request\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "http-request", "meta-category": "network", "template_uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b", "description": "A single HTTP request header", "template_version": "4", "uuid": "cfdb71ed-889f-4646-a388-43d936e1e3b9", "Attribute": [ { "uuid": "67584aa7-7f8c-5221-a583-b3d1494f83be", "object_relation": "ip-src", "value": "8.8.8.8", "type": "ip-src", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "abad100c-35cd-539c-98c5-31c7761ffcec", "object_relation": "ip-dst", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "682ebd1e-beb4-566e-9cd1-814ef158afde", "object_relation": "host", "value": "circl.lu", "type": "hostname", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "a50b9f45-e3a5-5b30-b523-02ea20adf63b", "object_relation": "method", "value": "POST", "type": "http-method", "category": "Network activity", "disable_correlation": true, "to_ids": true }, { "uuid": "ceb148f0-a780-5c72-ad93-6b8c2c1788f4", "object_relation": "content-type", "value": "JSON", "type": "other", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "49d54462-4bb0-508b-8182-23f320ab555c", "object_relation": "user-agent", "value": "Mozilla Firefox", "type": "text", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "77b0a826-2691-5622-9f74-ee812069e0e8", "object_relation": "uri", "value": "/projects/internships/", "type": "uri", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "0ad68eda-5f2f-5e33-8c6a-f743d80fe43a", "object_relation": "url", "value": "http://circl.lu/projects/internships/", "type": "url", "category": "Network activity", "disable_correlation": false, "to_ids": true } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--cfdb71ed-889f-4646-a388-43d936e1e3b9", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "network-traffic--cfdb71ed-889f-4646-a388-43d936e1e3b9", "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "ipv4-addr--d6f0e3b7-fa5d-4443-aea7-7b60b343bde7", "domain-name--34cb1a7c-55ec-412a-8684-ba4a88d83a45" ], "labels": [ "misp:name=\"http-request\"", "misp:meta-category=\"network\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--cfdb71ed-889f-4646-a388-43d936e1e3b9", "src_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "dst_ref": "ipv4-addr--d6f0e3b7-fa5d-4443-aea7-7b60b343bde7", "protocols": [ "tcp", "http" ], "extensions": { "http-request-ext": { "request_method": "POST", "request_value": "/projects/internships/", "request_header": { "Content-Type": "JSON", "User-Agent": "Mozilla Firefox" } } }, "x_misp_url": "http://circl.lu/projects/internships/" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "8.8.8.8" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--d6f0e3b7-fa5d-4443-aea7-7b60b343bde7", "value": "149.13.33.14" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "value": "circl.lu", "resolves_to_refs": [ "ipv4-addr--d6f0e3b7-fa5d-4443-aea7-7b60b343bde7" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = 
'8.8.8.8') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.13.33.14') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu') AND network-traffic:extensions.'http-request-ext'.request_value = '/projects/internships/' AND network-traffic:extensions.'http-request-ext'.request_value = 'http://circl.lu/projects/internships/']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"http-request\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--3071c6a2-fdb1-453c-b603-e4d6b9017ccc", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9", "target_ref": "observed-data--cfdb71ed-889f-4646-a388-43d936e1e3b9" } ] - MISP
{ "name": "http-request", "meta-category": "network", "template_uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b", "description": "A single HTTP request header", "template_version": "4", "uuid": "cfdb71ed-889f-4646-a388-43d936e1e3b9", "Attribute": [ { "uuid": "461bafec-57df-5f11-8bf4-5faafc7a93d7", "object_relation": "url", "value": "http://circl.lu/projects/internships/", "type": "url", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9" }, { "uuid": "a2e52578-d2fe-50ec-9687-fa2c6d57dcd6", "object_relation": "ip-src", "value": "8.8.8.8", "type": "ip-src", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9" }, { "uuid": "62dd8cd3-3374-5a18-b041-4e0d3e06d568", "object_relation": "ip-dst", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9" }, { "uuid": "57c294c0-6d10-5982-b2bd-b42c768556b3", "object_relation": "method", "value": "POST", "type": "http-method", "category": "Network activity", "disable_correlation": true, "to_ids": false }, { "uuid": "320bb5be-3126-55a4-b896-ceb8db51cbae", "object_relation": "uri", "value": "/projects/internships/", "type": "uri", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9" }, { "uuid": "7263a7a5-d088-58d4-9469-a561c9b3ef55", "object_relation": "content-type", "value": "JSON", "type": "other", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "264cf2d8-6e45-59e1-b3e3-55e420f72dd4", "object_relation": "user-agent", "value": "Mozilla Firefox", "type": "text", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": 
"d13bc10d-70a9-50ba-bfc1-21e02a0a8c46", "object_relation": "host", "value": "circl.lu", "type": "hostname", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--cfdb71ed-889f-4646-a388-43d936e1e3b9" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- identity
- STIX - Identity
{ "type": "identity", "spec_version": "2.1", "id": "identity--a54e32af-5569-4949-b1fe-ad75054cde45", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "John Doe", "description": "Unknown person", "roles": [ "Placeholder name" ], "identity_class": "individual", "contact_information": "email-address: jdoe@email.com / phone-number: 0123456789", "labels": [ "misp:name=\"identity\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "identity", "meta-category": "misc", "template_uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990", "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)", "template_version": "1", "uuid": "a54e32af-5569-4949-b1fe-ad75054cde45", "Attribute": [ { "uuid": "eaa3fe67-77e8-58ec-90f0-8f40b31b4a05", "object_relation": "name", "value": "John Doe", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "03f24069-b2ff-5828-ba0f-c795bcbe7ef9", "object_relation": "description", "value": "Unknown person", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "a334b10a-1159-5e5c-83fc-e3b00a67171c", "object_relation": "contact_information", "value": "email-address: jdoe@email.com / phone-number: 0123456789", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "3000cd84-c0fd-5e59-8a27-a841494114f0", "object_relation": "identity_class", "value": "individual", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "8775cf24-eb87-56b2-8d1c-5043ed889887", "object_relation": "roles", "value": "Placeholder name", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Identity
- image
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--939b2f03-c487-4f62-a90e-cab7acfee294", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[file:name = 'STIX.png' AND file:content_ref.payload_bin = 'iVBORw0KGgoAAAANSUhEUgA[...]gEefQAAAABJRU5ErkJggg==' AND file:content_ref.mime_type = 'image/png' AND file:content_ref.x_misp_filename = 'STIX.png' AND file:content_ref.url = 'https://oasis-open.github.io/cti-documentation/img/STIX.png' AND file:x_misp_image_text = 'STIX']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"image\"", "misp:meta-category=\"file\"" ] } - MISP
{ "name": "image", "meta-category": "file", "template_uuid": "ca78ec03-3321-4ed3-9840-9bfd52b91d82", "description": "Object describing an image file.", "template_version": "1", "uuid": "939b2f03-c487-4f62-a90e-cab7acfee294", "Attribute": [ { "uuid": "53e828f6-5bdd-59fe-bca3-a2c571329038", "object_relation": "filename", "value": "STIX.png", "type": "filename", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "4dc1120a-3c5e-58ba-bab7-ea6ec292e3d6", "object_relation": "url", "value": "https://oasis-open.github.io/cti-documentation/img/STIX.png", "type": "url", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "e7d51bc2-dcdc-55e4-9c53-60570afa5285", "object_relation": "image-text", "value": "STIX", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]gEefQAAAABJRU5ErkJggg==", "uuid": "74072606-0509-568b-9f1d-b5ece084d18b", "object_relation": "attachment", "value": "STIX.png", "type": "attachment", "disable_correlation": false, "to_ids": true, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--939b2f03-c487-4f62-a90e-cab7acfee294", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "file--939b2f03-c487-4f62-a90e-cab7acfee294", "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f" ], "labels": [ "misp:name=\"image\"", "misp:meta-category=\"file\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--939b2f03-c487-4f62-a90e-cab7acfee294", "name": "STIX.png", "content_ref": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "x_misp_image_text": "STIX" }, { "type": "artifact", "spec_version": "2.1", "id": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "mime_type": "image/png", "payload_bin": "iVBORw0KGgoAAAANSUhEUgA[...]gEefQAAAABJRU5ErkJggg==", "x_misp_filename": "STIX.png", "x_misp_url": "https://oasis-open.github.io/cti-documentation/img/STIX.png" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--939b2f03-c487-4f62-a90e-cab7acfee294", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[file:name = 'STIX.png' AND file:content_ref.payload_bin = 'iVBORw0KGgoAAAANSUhEUgA[...]gEefQAAAABJRU5ErkJggg==' AND file:content_ref.mime_type = 'image/png' AND file:content_ref.x_misp_filename = 'STIX.png' AND file:content_ref.url = 'https://oasis-open.github.io/cti-documentation/img/STIX.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"image\"", "misp:meta-category=\"file\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d90dbb2f-9511-43c1-86e4-80d4cf7c5b57", "created": 
"2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--939b2f03-c487-4f62-a90e-cab7acfee294", "target_ref": "observed-data--939b2f03-c487-4f62-a90e-cab7acfee294" } ] - MISP
{ "name": "image", "meta-category": "file", "template_uuid": "ca78ec03-3321-4ed3-9840-9bfd52b91d82", "description": "Object describing an image file.", "template_version": "1", "uuid": "939b2f03-c487-4f62-a90e-cab7acfee294", "Attribute": [ { "uuid": "2a46c89d-bbf8-5627-aa2e-466733701e17", "object_relation": "filename", "value": "STIX.png", "type": "filename", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--939b2f03-c487-4f62-a90e-cab7acfee294" }, { "uuid": "fc33fd27-a5ca-5d06-8ba6-cd9f1f91631d", "object_relation": "image-text", "value": "STIX", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]gEefQAAAABJRU5ErkJggg==", "uuid": "d6a4b040-dbcc-5166-a451-187759b95da9", "object_relation": "attachment", "value": "STIX.png", "type": "attachment", "disable_correlation": false, "to_ids": true, "category": "External analysis", "comment": "Indicator ID: indicator--939b2f03-c487-4f62-a90e-cab7acfee294" }, { "uuid": "958e2620-a436-505b-acb3-76cdf6cb1745", "object_relation": "url", "value": "https://oasis-open.github.io/cti-documentation/img/STIX.png", "type": "url", "disable_correlation": false, "to_ids": true, "category": "Network activity" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- ip-port
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac47edc-31e4-4402-a7b6-040d0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.13.33.14') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu') AND network-traffic:dst_port = '443' AND network-traffic:start = '2020-10-25T16:22:00Z']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "ip-port", "meta-category": "network", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "10", "uuid": "5ac47edc-31e4-4402-a7b6-040d0a00020f", "Attribute": [ { "uuid": "01c6d806-f7d1-5823-8362-82f5ca495d51", "object_relation": "ip-dst", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "a0205f6c-f3e3-5057-87ea-ef7126fe830c", "object_relation": "domain", "value": "circl.lu", "type": "domain", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "8ebf6fe5-67dd-539c-8e61-09a1f9114da3", "object_relation": "dst-port", "value": "443", "type": "port", "category": "Network activity", "disable_correlation": true, "to_ids": true }, { "uuid": "fd060659-5bc9-5900-a33f-373a11aeb707", "object_relation": "first-seen", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": true, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac47edc-31e4-4402-a7b6-040d0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "network-traffic--5ac47edc-31e4-4402-a7b6-040d0a00020f", "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f" ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5ac47edc-31e4-4402-a7b6-040d0a00020f", "start": "2020-10-25T16:22:00Z", "dst_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "dst_port": 443, "protocols": [ "ipv4" ], "x_misp_domain": "circl.lu" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "149.13.33.14" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac47edc-31e4-4402-a7b6-040d0a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '149.13.33.14') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"ip-port\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--37dd31ee-24a7-4a7c-9704-aecef00e7082", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5ac47edc-31e4-4402-a7b6-040d0a00020f", "target_ref": 
"observed-data--5ac47edc-31e4-4402-a7b6-040d0a00020f" } ] - MISP
{ "name": "ip-port", "meta-category": "network", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "template_version": "10", "uuid": "5ac47edc-31e4-4402-a7b6-040d0a00020f", "Attribute": [ { "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "ip-dst", "value": "149.13.33.14", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "8094ef2a-e5bd-5cab-b5fa-0b1473e57025", "object_relation": "dst-port", "value": "443", "type": "port", "category": "Network activity", "disable_correlation": true, "to_ids": false }, { "uuid": "99f8b118-1813-5bf9-a019-fbf3e0b272ad", "object_relation": "first-seen", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "0f8d8de8-9520-577e-a814-d32276d72986", "object_relation": "domain", "value": "circl.lu", "type": "domain", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--5ac47edc-31e4-4402-a7b6-040d0a00020f" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- legal-entity
- STIX - Identity
{ "type": "identity", "spec_version": "2.1", "id": "identity--0d55ba1f-c3ff-4b91-8a09-8713576e178b", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Umbrella Corporation", "description": "The Umbrella Corporation is an international pharmaceutical company.", "identity_class": "organization", "sectors": [ "Pharmaceutical" ], "contact_information": "phone-number: 1234567890 / website: https://umbrella.org", "labels": [ "misp:name=\"legal-entity\"", "misp:meta-category=\"misc\"" ], "x_misp_logo": { "value": "umbrella_logo", "data": "iVBORw0KGgoAAAANSUhEUgA[...]DAbmag+AAAAAElFTkSuQmCC" }, "x_misp_registration_number": "11223344556677889900" } - MISP
{ "name": "legal-entity", "meta-category": "misc", "template_uuid": "14f5688f-d89c-469f-9878-c48bf6c41c65", "description": "An object to describe a legal entity.", "template_version": "2", "uuid": "0d55ba1f-c3ff-4b91-8a09-8713576e178b", "Attribute": [ { "uuid": "a2d8819a-cea1-59c8-b0db-0ebe3a532a36", "object_relation": "name", "value": "Umbrella Corporation", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "ab12682f-43ba-5d88-a58c-fb83c989e09a", "object_relation": "text", "value": "The Umbrella Corporation is an international pharmaceutical company.", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "9dbfd009-3a94-5db7-b8fe-325025db83ec", "object_relation": "business", "value": "Pharmaceutical", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "2db7e411-e40e-5ada-86b1-0477446cebb8", "object_relation": "registration-number", "value": "11223344556677889900", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "0697eb7d-e314-5047-970b-d36ed2061aaa", "object_relation": "phone-number", "value": "1234567890", "type": "phone-number", "disable_correlation": false, "to_ids": false, "category": "Person" }, { "uuid": "e8869a1f-7a8d-572b-9539-e9fa1c5639cf", "object_relation": "website", "value": "https://umbrella.org", "type": "link", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]DAbmag+AAAAAElFTkSuQmCC", "uuid": "df270bb6-d3e2-5f65-ad02-2003d642a03b", "object_relation": "logo", "value": "umbrella_logo", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Identity
- lnk
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--153ef8d5-9182-45ec-bf1c-5819932b9ab7", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[file:atime = '2021-01-01T00:00:00Z' AND file:ctime = '2017-10-01T08:00:00Z' AND file:mtime = '2020-10-25T16:22:00Z' AND file:name = 'oui' AND file:parent_directory_ref.path = '/var/www/MISP/app/files/scripts/tmp' AND file:hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:hashes.'SHA-1' = '46aba99aa7158e4609aaa72b50990842fd22ae86' AND file:hashes.'SHA-256' = 'ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b' AND (file:content_ref.payload_bin = 'UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==' AND file:content_ref.x_misp_filename = 'oui' AND file:content_ref.hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected') AND file:size = '35']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"lnk\"", "misp:meta-category=\"file\"" ] } - MISP
{ "name": "lnk", "meta-category": "file", "template_uuid": "ad13533e-1853-4da0-a111-33a7ce7e6c09", "description": "LNK object describing a Windows LNK binary file (aka Windows shortcut)", "template_version": "2", "uuid": "153ef8d5-9182-45ec-bf1c-5819932b9ab7", "Attribute": [ { "uuid": "d506ddf9-a270-5520-90b2-891c71b0834b", "object_relation": "lnk-access-time", "value": "2021-01-01T00:00:00+00:00", "type": "datetime", "category": "Other", "disable_correlation": true, "to_ids": true }, { "uuid": "1a67972c-279b-5ab4-b47d-3af31b99123e", "object_relation": "lnk-creation-time", "value": "2017-10-01T08:00:00+00:00", "type": "datetime", "category": "Other", "disable_correlation": true, "to_ids": true }, { "uuid": "853523d9-5471-5af6-99dc-0c41948aacc7", "object_relation": "lnk-modification-time", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "category": "Other", "disable_correlation": true, "to_ids": true }, { "uuid": "acd16f25-8e6f-5997-ada1-03d4519f61fc", "object_relation": "filename", "value": "oui", "type": "filename", "category": "Payload delivery", "disable_correlation": true, "to_ids": true }, { "uuid": "d8bbe57e-61a2-59bb-bb66-e43bdba0afb5", "object_relation": "path", "value": "/var/www/MISP/app/files/scripts/tmp", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "5fae2a7f-21c9-5edd-9524-0f4154ca3008", "object_relation": "md5", "value": "8764605c6f388c89096b534d33565802", "type": "md5", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "063dfd50-bf74-592e-8c6a-db33d1e2e275", "object_relation": "sha1", "value": "46aba99aa7158e4609aaa72b50990842fd22ae86", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "baba05b4-db02-5768-84d3-59fa67811dd3", "object_relation": "sha256", "value": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b", "type": "sha256", "disable_correlation": false, "to_ids": true, 
"category": "Payload delivery" }, { "uuid": "5e52c808-5968-5f55-83a7-e2463a8ed3eb", "object_relation": "size-in-bytes", "value": "35", "type": "size-in-bytes", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "data": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==", "uuid": "e515028c-3c56-5753-83ae-4205e67900a7", "object_relation": "malware-sample", "value": "oui|8764605c6f388c89096b534d33565802", "type": "malware-sample", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "malware_filename": "oui" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--153ef8d5-9182-45ec-bf1c-5819932b9ab7", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "file--153ef8d5-9182-45ec-bf1c-5819932b9ab7", "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f" ], "labels": [ "misp:name=\"lnk\"", "misp:meta-category=\"file\"" ] }, { "type": "file", "spec_version": "2.1", "id": "file--153ef8d5-9182-45ec-bf1c-5819932b9ab7", "hashes": { "MD5": "8764605c6f388c89096b534d33565802", "SHA-1": "46aba99aa7158e4609aaa72b50990842fd22ae86", "SHA-256": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b" }, "size": 35, "name": "oui", "ctime": "2017-10-01T08:00:00Z", "mtime": "2020-10-25T16:22:00Z", "atime": "2021-01-01T00:00:00Z", "parent_directory_ref": "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "content_ref": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f" }, { "type": "directory", "spec_version": "2.1", "id": "directory--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "path": "/var/www/MISP/app/files/scripts/tmp" }, { "type": "artifact", "spec_version": "2.1", "id": "artifact--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "mime_type": "application/zip", "payload_bin": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==", "hashes": { "MD5": "8764605c6f388c89096b534d33565802" }, "encryption_algorithm": "mime-type-indicated", "decryption_key": "infected", "x_misp_filename": "oui" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--153ef8d5-9182-45ec-bf1c-5819932b9ab7", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[file:name = 'oui' AND file:hashes.MD5 = 
'8764605c6f388c89096b534d33565802' AND file:hashes.'SHA-1' = '46aba99aa7158e4609aaa72b50990842fd22ae86' AND file:hashes.'SHA-256' = 'ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b' AND (file:content_ref.payload_bin = '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' AND file:content_ref.x_misp_filename = 'oui' AND file:content_ref.hashes.MD5 = '8764605c6f388c89096b534d33565802' AND file:content_ref.mime_type = 'application/zip' AND file:content_ref.encryption_algorithm = 'mime-type-indicated' AND file:content_ref.decryption_key = 'infected')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"lnk\"", "misp:meta-category=\"file\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--07f16a3d-81c4-5672-bfee-35849cabd11d", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--153ef8d5-9182-45ec-bf1c-5819932b9ab7", "target_ref": "observed-data--153ef8d5-9182-45ec-bf1c-5819932b9ab7" } ] - MISP
{ "name": "lnk", "meta-category": "file", "template_uuid": "ad13533e-1853-4da0-a111-33a7ce7e6c09", "description": "LNK object describing a Windows LNK binary file (aka Windows shortcut)", "template_version": "2", "uuid": "153ef8d5-9182-45ec-bf1c-5819932b9ab7", "Attribute": [ { "uuid": "a402e926-251d-5fdf-b1b9-f52de978f71f", "object_relation": "md5", "value": "8764605c6f388c89096b534d33565802", "type": "md5", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--153ef8d5-9182-45ec-bf1c-5819932b9ab7" }, { "uuid": "b84655a3-4c6c-5117-aa3f-8f4923717605", "object_relation": "sha1", "value": "46aba99aa7158e4609aaa72b50990842fd22ae86", "type": "sha1", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--153ef8d5-9182-45ec-bf1c-5819932b9ab7" }, { "uuid": "9037f2f1-b76c-5868-be7c-5404352158a2", "object_relation": "sha256", "value": "ec5aedf5ecc6bdadd4120932170d1b10f6cfa175cfda22951dfd882928ab279b", "type": "sha256", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--153ef8d5-9182-45ec-bf1c-5819932b9ab7" }, { "uuid": "a50f1eb2-c080-5f6c-93b7-a3ac470d8d04", "object_relation": "filename", "value": "oui", "type": "filename", "category": "Payload delivery", "disable_correlation": true, "to_ids": true, "comment": "Indicator ID: indicator--153ef8d5-9182-45ec-bf1c-5819932b9ab7" }, { "uuid": "e71ca7b5-d8d7-59b5-981f-0e9fd90a8868", "object_relation": "lnk-access-time", "value": "2021-01-01T00:00:00+00:00", "type": "datetime", "category": "Other", "disable_correlation": true, "to_ids": false }, { "uuid": "b51e1a32-d75c-5cb3-9791-fdc78d77c61d", "object_relation": "lnk-creation-time", "value": "2017-10-01T08:00:00+00:00", "type": "datetime", "category": "Other", "disable_correlation": true, "to_ids": false }, { "uuid": "272870bb-7235-59f3-a7bb-f42f285aede8", "object_relation": "lnk-modification-time", 
"value": "2020-10-25T16:22:00+00:00", "type": "datetime", "category": "Other", "disable_correlation": true, "to_ids": false }, { "uuid": "3cc7eeda-83e3-5a2a-b0ba-a2465756f126", "object_relation": "size-in-bytes", "value": "35", "type": "size-in-bytes", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "34cb1a7c-55ec-412a-8684-ba4a88d83a45", "object_relation": "path", "value": "/var/www/MISP/app/files/scripts/tmp", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "data": "UEsDBAoACQAAAAaOU1EvUbi[...]AACAAIA2QAAAB8BAAAAAA==", "uuid": "91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "object_relation": "malware-sample", "value": "oui|8764605c6f388c89096b534d33565802", "type": "malware-sample", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "malware_filename": "oui" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- mutex
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--b0f55591-6a63-4fbd-a169-064e64738d95", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[mutex:name = 'MutexTest' AND mutex:x_misp_description = 'Test mutex on unix' AND mutex:x_misp_operating_system = 'Unix']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"mutex\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "mutex", "meta-category": "misc", "template_uuid": "9f5c1a68-2021-4faa-b409-61c899c86466", "description": "Object to describe mutual exclusion locks (mutex) as seen in memory or computer program", "template_version": "1", "uuid": "b0f55591-6a63-4fbd-a169-064e64738d95", "Attribute": [ { "uuid": "be26e004-c24b-5442-b5cc-60ab727a793c", "object_relation": "name", "value": "MutexTest", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "e9782429-79aa-54b0-b916-cb6aa4b461b7", "object_relation": "description", "value": "Test mutex on unix", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "727f5d18-9b97-5ac6-9923-d965b0b63652", "object_relation": "operating-system", "value": "Unix", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--b0f55591-6a63-4fbd-a169-064e64738d95", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "mutex--b0f55591-6a63-4fbd-a169-064e64738d95" ], "labels": [ "misp:name=\"mutex\"", "misp:meta-category=\"misc\"" ] }, { "type": "mutex", "spec_version": "2.1", "id": "mutex--b0f55591-6a63-4fbd-a169-064e64738d95", "name": "MutexTest", "x_misp_description": "Test mutex on unix", "x_misp_operating_system": "Unix" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b0f55591-6a63-4fbd-a169-064e64738d95", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[mutex:name = 'MutexTest']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"mutex\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--20389086-0cc2-45d4-b7a9-f4d367e49dc5", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--b0f55591-6a63-4fbd-a169-064e64738d95", "target_ref": "observed-data--b0f55591-6a63-4fbd-a169-064e64738d95" } ] - MISP
{ "name": "mutex", "meta-category": "misc", "template_uuid": "9f5c1a68-2021-4faa-b409-61c899c86466", "description": "Object to describe mutual exclusion locks (mutex) as seen in memory or computer program", "template_version": "1", "uuid": "b0f55591-6a63-4fbd-a169-064e64738d95", "Attribute": [ { "uuid": "7655fb29-3eba-54d7-9ac7-da4839a0dea8", "object_relation": "name", "value": "MutexTest", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--b0f55591-6a63-4fbd-a169-064e64738d95" }, { "uuid": "42bd750f-662b-5847-bf7d-db7a8e6f31c7", "object_relation": "description", "value": "Test mutex on unix", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "3b366798-6249-5027-b08a-182b8df27969", "object_relation": "operating-system", "value": "Unix", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- netflow
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4' AND network-traffic:src_ref.belongs_to_refs[0].number = '1234') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.6.7.8' AND network-traffic:dst_ref.belongs_to_refs[0].number = '5678') AND network-traffic:protocols[0] = 'ip' AND network-traffic:src_port = '80' AND network-traffic:dst_port = '8080' AND network-traffic:start = '2020-10-25T16:22:00Z' AND network-traffic:extensions.'tcp-ext'.src_flags_hex = '00000002']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"netflow\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "netflow", "meta-category": "network", "template_uuid": "bf148c58-3e7e-414e-8de8-5d96379ca77e", "description": "Netflow object describes an network object based on the Netflowv5/v9 minimal definition", "template_version": "2", "uuid": "419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "Attribute": [ { "uuid": "672091c0-f03e-5fb3-a597-560ef83b2586", "object_relation": "ip-src", "value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "62e173c3-3018-5ed5-bb4e-61297bbb4d76", "object_relation": "src-as", "value": "1234", "type": "AS", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "f3b80e48-d91d-59bd-beed-f924bf9c39b7", "object_relation": "ip-dst", "value": "5.6.7.8", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "342ecfc5-2805-5b1d-a543-589bff2850b5", "object_relation": "dst-as", "value": "5678", "type": "AS", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "c2a3a4f3-1866-5cd3-94f9-66239716d1e3", "object_relation": "protocol", "value": "IP", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "807a874d-25e5-5ecd-909a-55016211cedf", "object_relation": "src-port", "value": "80", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "437e3b02-9606-5bb8-b863-cf42eb15d7ba", "object_relation": "dst-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "f840a285-6e8b-555a-af64-bdd63ead0576", "object_relation": "first-packet-seen", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "0c44150a-7095-5bde-ab10-0fbd35ad064f", "object_relation": "tcp-flags", "value": "00000002", "type": "text", "category": "Network 
activity", "disable_correlation": true, "to_ids": true } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "network-traffic--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "autonomous-system--53a12da9-4b66-4809-b0b4-e9de3172e7a0", "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "autonomous-system--f2259650-bc33-4b64-a3a8-a324aa7ea6bb" ], "labels": [ "misp:name=\"netflow\"", "misp:meta-category=\"network\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "start": "2020-10-25T16:22:00Z", "src_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "dst_ref": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "src_port": 80, "dst_port": 8080, "protocols": [ "ip", "tcp" ], "extensions": { "tcp-ext": { "src_flags_hex": "00000002" } } }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "1.2.3.4", "belongs_to_refs": [ "autonomous-system--53a12da9-4b66-4809-b0b4-e9de3172e7a0" ] }, { "type": "autonomous-system", "spec_version": "2.1", "id": "autonomous-system--53a12da9-4b66-4809-b0b4-e9de3172e7a0", "number": 1234 }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "value": "5.6.7.8", "belongs_to_refs": [ "autonomous-system--f2259650-bc33-4b64-a3a8-a324aa7ea6bb" ] }, { "type": "autonomous-system", "spec_version": "2.1", "id": "autonomous-system--f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "number": 5678 }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", 
"created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.6.7.8')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"netflow\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b0d20387-14e3-40ae-a170-58db0dd99bc6", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "target_ref": "observed-data--419eb5a9-d232-4aa1-864e-2f4d7270a8f9" } ] - MISP
{ "name": "netflow", "meta-category": "network", "template_uuid": "bf148c58-3e7e-414e-8de8-5d96379ca77e", "description": "Netflow object describes an network object based on the Netflowv5/v9 minimal definition", "template_version": "2", "uuid": "419eb5a9-d232-4aa1-864e-2f4d7270a8f9", "Attribute": [ { "uuid": "436c8d77-3184-5b5f-868c-56a4e7be014b", "object_relation": "ip-src", "value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--419eb5a9-d232-4aa1-864e-2f4d7270a8f9" }, { "uuid": "1f50c403-3692-5931-8718-4637cf1cb51d", "object_relation": "src-as", "value": "AS1234", "type": "AS", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "64616439-4dc3-5f23-a3ea-cda54c9b8cb6", "object_relation": "ip-dst", "value": "5.6.7.8", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--419eb5a9-d232-4aa1-864e-2f4d7270a8f9" }, { "uuid": "cdf4d7fe-e639-5651-947a-698a838515e4", "object_relation": "dst-as", "value": "AS5678", "type": "AS", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "15cd696b-1370-5f93-87d7-7c9434a1b138", "object_relation": "dst-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "7d952b54-1cca-5329-a889-77f07fcc8484", "object_relation": "src-port", "value": "80", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "c6d90467-82e9-50e5-a209-a3fe884ce9dd", "object_relation": "first-packet-seen", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "edb19c5b-7b18-53c1-b0f9-d2479d24f843", "object_relation": "tcp-flags", "value": "00000002", "type": "text", "category": "Network activity", 
"disable_correlation": true, "to_ids": false }, { "uuid": "8df2ce3d-57ec-54e1-aaf8-42512782b133", "object_relation": "protocol", "value": "IP", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- network-connection
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.6.7.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu') AND network-traffic:dst_port = '8080' AND network-traffic:src_port = '8080' AND network-traffic:protocols[0] = 'ip' AND network-traffic:protocols[1] = 'tcp' AND network-traffic:protocols[2] = 'http']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"network-connection\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "network-connection", "meta-category": "network", "template_uuid": "af16764b-f8e5-4603-9de1-de34d272f80b", "description": "A local or remote network connection.", "template_version": "7", "uuid": "5afacc53-c0b0-4825-a6ee-03c80a00020f", "Attribute": [ { "uuid": "e77922de-44a6-4232-8452-996f840d8356", "object_relation": "ip-src", "value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "e75222a0-635b-4cd6-9a06-ce8a3790e17d", "object_relation": "ip-dst", "value": "5.6.7.8", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "f642f6df-d498-40ab-b080-a9e9f9e67473", "object_relation": "hostname-dst", "value": "circl.lu", "type": "hostname", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "409fcaa7-ae60-5fe8-b19a-69aecee39024", "object_relation": "dst-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "571d7bad-0bc0-5f92-b21d-145c371e5875", "object_relation": "src-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "c5a82917-ef5a-4b1f-b97f-ad16fe8a990b", "object_relation": "layer3-protocol", "value": "IP", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "007cb3ce-7e85-40ae-9064-2099abbeab5c", "object_relation": "layer4-protocol", "value": "TCP", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "a0f2b540-ea92-42c3-95d9-ab6246fa7084", "object_relation": "layer7-protocol", "value": "HTTP", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5afacc53-c0b0-4825-a6ee-03c80a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "network-traffic--5afacc53-c0b0-4825-a6ee-03c80a00020f", "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b" ], "labels": [ "misp:name=\"network-connection\"", "misp:meta-category=\"network\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5afacc53-c0b0-4825-a6ee-03c80a00020f", "src_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "dst_ref": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "src_port": 8080, "dst_port": 8080, "protocols": [ "ip", "tcp", "http" ], "x_misp_hostname_dst": "circl.lu" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "1.2.3.4" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "value": "5.6.7.8" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.6.7.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ 
"misp:name=\"network-connection\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--7a706d93-4c0b-4084-bbee-552515ffac59", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f", "target_ref": "observed-data--5afacc53-c0b0-4825-a6ee-03c80a00020f" } ] - MISP
{ "name": "network-connection", "meta-category": "network", "template_uuid": "af16764b-f8e5-4603-9de1-de34d272f80b", "description": "A local or remote network connection.", "template_version": "7", "uuid": "5afacc53-c0b0-4825-a6ee-03c80a00020f", "Attribute": [ { "uuid": "d30b9cd3-9a8b-5020-8352-33de1ba81c4f", "object_relation": "src-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "0967b620-4ae0-5592-9e82-4acbb15da747", "object_relation": "dst-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "5fede62e-2b56-501b-823e-9d49cf258019", "object_relation": "hostname-dst", "value": "circl.lu", "type": "hostname", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f" }, { "uuid": "c7d0df69-b6f2-531c-9a73-7da09f116783", "object_relation": "ip-src", "value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f" }, { "uuid": "14b51f05-62a2-5e35-911d-4351c0967d36", "object_relation": "ip-dst", "value": "5.6.7.8", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--5afacc53-c0b0-4825-a6ee-03c80a00020f" }, { "uuid": "2d05d7cb-e53a-55c3-96df-beb18a0b89b8", "object_relation": "layer3-protocol", "value": "IP", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "87c1c088-69c7-5a1b-b11a-692e5cb98e0f", "object_relation": "layer4-protocol", "value": "TCP", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "a3f11d6c-afd5-5f45-8769-e7b23f3061a5", "object_relation": "layer7-protocol", "value": "HTTP", "type": "text", "disable_correlation": 
true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- network-socket
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5afb3223-0988-4ef1-a920-02070a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.6.7.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu') AND network-traffic:dst_port = '8080' AND network-traffic:src_port = '8080' AND network-traffic:protocols[0] = 'tcp' AND network-traffic:extensions.'socket-ext'.address_family = 'AF_INET' AND network-traffic:extensions.'socket-ext'.socket_type = 'SOCK_RAW' AND network-traffic:extensions.'socket-ext'.is_listening = true AND network-traffic:x_misp_domain_family = 'PF_INET']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"network-socket\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "network-socket", "meta-category": "network", "template_uuid": "48bbfd72-ef8e-4649-b14d-41b4b5a0eba2", "description": "Network socket object describes a local or remote network connections based on the socket data structure.", "template_version": "4", "uuid": "5afb3223-0988-4ef1-a920-02070a00020f", "Attribute": [ { "uuid": "c34aa8c7-aba5-4846-8630-f387a45f1db9", "object_relation": "ip-src", "value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "fc3282ce-da01-433e-bb0d-53c6e02a4465", "object_relation": "ip-dst", "value": "5.6.7.8", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "d004b83f-31ff-4455-8772-da55f05941e0", "object_relation": "hostname-dst", "value": "circl.lu", "type": "hostname", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "924b5a77-fef5-5212-b72e-ca4f1bc499b4", "object_relation": "dst-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "860b4d8f-a159-537d-aa78-fd4ce69c8648", "object_relation": "src-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": true }, { "uuid": "823b0604-a800-5d20-910d-01377aca2994", "object_relation": "protocol", "value": "TCP", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "a594c074-f54f-583d-aa9f-cb621336bd23", "object_relation": "address-family", "value": "AF_INET", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "861d4ede-721b-54bb-ab65-a47fb552b744", "object_relation": "socket-type", "value": "SOCK_RAW", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "c17d2582-7c65-58a8-874c-c4ad6e906257", "object_relation": "state", "value": "listening", "type": "text", 
"disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "7ca3eeed-899d-5bde-8392-4b2e3851c608", "object_relation": "domain-family", "value": "PF_INET", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5afb3223-0988-4ef1-a920-02070a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "network-traffic--5afb3223-0988-4ef1-a920-02070a00020f", "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b" ], "labels": [ "misp:name=\"network-socket\"", "misp:meta-category=\"network\"" ] }, { "type": "network-traffic", "spec_version": "2.1", "id": "network-traffic--5afb3223-0988-4ef1-a920-02070a00020f", "src_ref": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "dst_ref": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "src_port": 8080, "dst_port": 8080, "protocols": [ "tcp" ], "extensions": { "socket-ext": { "address_family": "AF_INET", "is_listening": true, "socket_type": "SOCK_RAW" } }, "x_misp_domain_family": "PF_INET", "x_misp_hostname_dst": "circl.lu" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--91ae0a21-c7ae-4c7f-b84b-b84a7ce53d1f", "value": "1.2.3.4" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--518b4bcb-a86b-4783-9457-391d548b605b", "value": "5.6.7.8" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5afb3223-0988-4ef1-a920-02070a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[(network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '1.2.3.4') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '5.6.7.8') AND (network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'circl.lu')]", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", 
"kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"network-socket\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bc5e3b34-b274-4ef7-b082-ee286c87ce84", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5afb3223-0988-4ef1-a920-02070a00020f", "target_ref": "observed-data--5afb3223-0988-4ef1-a920-02070a00020f" } ] - MISP
{ "name": "network-socket", "meta-category": "network", "template_uuid": "48bbfd72-ef8e-4649-b14d-41b4b5a0eba2", "description": "Network socket object describes a local or remote network connections based on the socket data structure.", "template_version": "4", "uuid": "5afb3223-0988-4ef1-a920-02070a00020f", "Attribute": [ { "uuid": "f1e18240-2274-5717-a7f2-5f01e76fdff1", "object_relation": "src-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "26605071-f1b7-55c1-849f-8980bb7ec304", "object_relation": "dst-port", "value": "8080", "type": "port", "category": "Network activity", "disable_correlation": false, "to_ids": false }, { "uuid": "ba4ddbef-d17f-5872-b63f-4c5f4e989311", "object_relation": "domain-family", "value": "PF_INET", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "2a939220-e444-5cf5-8bc8-b84dc2c4376e", "object_relation": "hostname-dst", "value": "circl.lu", "type": "hostname", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--5afb3223-0988-4ef1-a920-02070a00020f" }, { "uuid": "d3c4732b-8538-527d-981d-d898c3d57b87", "object_relation": "ip-src", "value": "1.2.3.4", "type": "ip-src", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--5afb3223-0988-4ef1-a920-02070a00020f" }, { "uuid": "6639d3d1-5342-5ccb-b18d-3beac729a954", "object_relation": "ip-dst", "value": "5.6.7.8", "type": "ip-dst", "category": "Network activity", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--5afb3223-0988-4ef1-a920-02070a00020f" }, { "uuid": "3b1ada76-385d-5c06-a7f4-796e35fecd20", "object_relation": "protocol", "value": "TCP", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "1fa51a8f-bc28-51bf-b59d-979697d8f76b", "object_relation": 
"address-family", "value": "AF_INET", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "1891ef6d-22e5-5879-9749-2e62c8d0c788", "object_relation": "socket-type", "value": "SOCK_RAW", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "262cb017-fc8c-59a4-b9fc-0a3a3f1e1472", "object_relation": "state", "value": "listening", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- news-agency
- STIX - Identity
{ "type": "identity", "spec_version": "2.1", "id": "identity--d17e31ce-5a7a-4713-bdff-49d89548c259", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Agence France-Presse", "identity_class": "organization", "contact_information": "address: 13 place de la Bourse, 75002 Paris; Southern Railway Building, 1500 K Street, NW, Suite 600 / e-mail: contact@afp.fr; contact@afp.us / phone-number: (33)0140414646; (1)2024140600", "labels": [ "misp:name=\"news-agency\"", "misp:meta-category=\"misc\"" ], "x_misp_attachment": { "value": "AFP_logo.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]OkjUAAAAABJRU5ErkJggg==" }, "x_misp_link": "https://www.afp.com/" } - MISP
{ "name": "news-agency", "meta-category": "misc", "template_uuid": "92b3f7fd-c4bc-42af-a73b-033ace439622", "description": "News agencies compile news and disseminate news in bulk.", "template_version": "2", "uuid": "d17e31ce-5a7a-4713-bdff-49d89548c259", "Attribute": [ { "uuid": "877aeaee-a0c0-54ad-8fdc-f4ec659af913", "object_relation": "name", "value": "Agence France-Presse", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "771c5a1c-043c-52dc-8101-1a284408aa66", "object_relation": "address", "value": "13 place de la Bourse, 75002 Paris; Southern Railway Building, 1500 K Street, NW, Suite 600", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "73feac85-c3d6-5c05-948f-70ba81d646c8", "object_relation": "e-mail", "value": "contact@afp.fr; contact@afp.us", "type": "email-src", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "2718f5a7-d8fc-5e4f-9ad2-48fd78e65ca4", "object_relation": "phone-number", "value": "(33)0140414646; (1)2024140600", "type": "phone-number", "disable_correlation": false, "to_ids": false, "category": "Person" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]OkjUAAAAABJRU5ErkJggg==", "uuid": "33f4e49c-5c88-5cbc-8e99-d8f2c77ad16a", "object_relation": "attachment", "value": "AFP_logo.png", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Identity
- nova-rule
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--cb44774d-ce45-411b-b6fb-9f0278edd25c", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "MultimodalInjection", "pattern": "rule MultimodalInjection\n{\n meta:\n description = \"Detects multimodal prompt injection attempts\"\n author = \"@fr0gger_\"\n version = \"1.0\"\n category = \"suspicious_patterns/cross_modal\"\n reference = \"LLM01:2025 Prompt Injection\"\n uuid = \"520b23d8-54c0-4ade-b8a7-cdc1a90c0def\"\n date = \"2026-02-21\"\n severity = \"high\"\n\n keywords:\n $image_process = /process (this|the) image|analyze (this|the) image|look at (this|the) image/i\n $hidden_content = /hidden (text|content|message|instruction)/i\n $watermark = /watermark|embedded text|text in image/i\n $multimodal = /multimodal|cross-modal|multiple formats/i\n\n semantics:\n $hidden_in_media = \"instructions hidden in the image\" (0.4)\n $cross_modal_attack = \"combine text and image instructions\" (0.4)\n\n llm:\n $image_injection = \"Does this prompt involve processing images that might contain hidden instructions or malicious content?\" (0.3)\n\n condition:\n (keywords.$image_process and (keywords.$hidden_content or keywords.$watermark)) or\n keywords.$multimodal or\n semantics.$hidden_in_media or\n semantics.$cross_modal_attack or\n llm.$image_injection\n}", "pattern_type": "nova", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "detection" } ], "labels": [ "misp:name=\"nova-rule\"", "misp:meta-category=\"detection\"" ] } - MISP
{ "name": "nova-rule", "meta-category": "detection", "template_uuid": "3c4669ee-c659-40c7-93ea-d4149bded584", "description": "NOVA prompt detection rule metadata and logic for a single NOVA rule.", "template_version": "1", "uuid": "cb44774d-ce45-411b-b6fb-9f0278edd25c", "Attribute": [ { "uuid": "434b5d93-9769-5171-be4c-be4ce2c7f70e", "object_relation": "raw-rule", "value": "rule MultimodalInjection\n{\n meta:\n description = \"Detects multimodal prompt injection attempts\"\n author = \"@fr0gger_\"\n version = \"1.0\"\n category = \"suspicious_patterns/cross_modal\"\n reference = \"LLM01:2025 Prompt Injection\"\n uuid = \"520b23d8-54c0-4ade-b8a7-cdc1a90c0def\"\n date = \"2026-02-21\"\n severity = \"high\"\n\n keywords:\n $image_process = /process (this|the) image|analyze (this|the) image|look at (this|the) image/i\n $hidden_content = /hidden (text|content|message|instruction)/i\n $watermark = /watermark|embedded text|text in image/i\n $multimodal = /multimodal|cross-modal|multiple formats/i\n\n semantics:\n $hidden_in_media = \"instructions hidden in the image\" (0.4)\n $cross_modal_attack = \"combine text and image instructions\" (0.4)\n\n llm:\n $image_injection = \"Does this prompt involve processing images that might contain hidden instructions or malicious content?\" (0.3)\n\n condition:\n (keywords.$image_process and (keywords.$hidden_content or keywords.$watermark)) or\n keywords.$multimodal or\n semantics.$hidden_in_media or\n semantics.$cross_modal_attack or\n llm.$image_injection\n}", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "864ca22c-f3ef-583d-992a-d6f21845dfb5", "object_relation": "rule-name", "value": "MultimodalInjection", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- organization
- STIX - Identity
{ "type": "identity", "spec_version": "2.1", "id": "identity--fe85995c-189d-4c20-9d0e-dfc03e72000b", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Computer Incident Response Center of Luxembourg", "description": "The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to gather, review, report and respond to computer security threats and incidents.", "roles": [ "national CERT" ], "identity_class": "organization", "contact_information": "address: 16, bd d'Avranches, L-1160 Luxembourg / e-mail: info@circl.lu / phone-number: (+352) 247 88444", "labels": [ "misp:name=\"organization\"", "misp:meta-category=\"misc\"" ], "x_misp_alias": "CIRCL" } - MISP
{ "name": "organization", "meta-category": "misc", "template_uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", "description": "An object which describes an organization.", "template_version": "9", "uuid": "fe85995c-189d-4c20-9d0e-dfc03e72000b", "Attribute": [ { "uuid": "15e74a74-f9b1-5cc9-a24f-9a8dde5c7703", "object_relation": "name", "value": "Computer Incident Response Center of Luxembourg", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "5ac6a21d-528f-5043-aa1e-54fdc9cedd6a", "object_relation": "description", "value": "The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to gather, review, report and respond to computer security threats and incidents.", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "0b673754-be52-5391-ba34-9eeb4dd3bffb", "object_relation": "role", "value": "national CERT", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "53455556-07ea-5057-9526-9ed8299ff1e5", "object_relation": "alias", "value": "CIRCL", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "0d3f7bc4-9e03-5ef5-a22b-203c3b1da987", "object_relation": "address", "value": "16, bd d'Avranches, L-1160 Luxembourg", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "18992415-7d7e-5e24-a30f-77e13bf9b74f", "object_relation": "e-mail", "value": "info@circl.lu", "type": "email-src", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "9ad94399-9690-54fb-bce8-5211457a6ad3", "object_relation": "phone-number", "value": "(+352) 247 88444", "type": "phone-number", "disable_correlation": false, "to_ids": false, "category": "Person" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Identity
- owasp-crs-rule
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--3b80a1ad-f1f6-4565-bdbd-909d5bc93048", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "CRS Rule 901500", "pattern": "SecRule TX:detection_paranoia_level \"@lt %{tx.blocking_paranoia_level}\" \"id:901500, phase:1, deny, status:500, t:none, log, msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting', tag:'OWASP_CRS', ver:'OWASP_CRS/4.26.0-dev'\"", "pattern_type": "crs", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"owasp-crs-rule\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "owasp-crs-rule", "meta-category": "network", "template_uuid": "8f0a7d9a-7b5d-4d6e-9d7b-2b2d9d9d1001", "description": "OWASP Core Rule Set (CRS) rule metadata for a WAF detection rule.", "template_version": "1", "uuid": "3b80a1ad-f1f6-4565-bdbd-909d5bc93048", "Attribute": [ { "uuid": "b853fd67-ee79-52b4-9ff8-4b53bbd9110c", "object_relation": "raw-rule", "value": "SecRule TX:detection_paranoia_level \"@lt %{tx.blocking_paranoia_level}\" \"id:901500, phase:1, deny, status:500, t:none, log, msg:'Detection paranoia level configured is lower than the paranoia level itself. This is illegal. Blocking request. Aborting', tag:'OWASP_CRS', ver:'OWASP_CRS/4.26.0-dev'\"", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "b85f27c3-8b88-5cbc-b690-3cbc6b299d1d", "object_relation": "rule-id", "value": "CRS Rule 901500", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- parler-account
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'parler' AND user-account:user_id = '42' AND user-account:account_login = 'ParlerOctocat' AND user-account:x_misp_human = 'False' AND user-account:x_misp_profile_photo.data = 'iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC' AND user-account:x_misp_profile_photo.value = 'octocat.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"parler-account\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "parler-account", "meta-category": "misc", "template_uuid": "8d5ba58e-cac3-46a6-9d1f-cf236f7e95c9", "description": "Parler account.", "template_version": "2", "uuid": "7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "Attribute": [ { "uuid": "fe759da1-f1cd-5ff6-9c91-d7a11ecd2039", "object_relation": "account-id", "value": "42", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "1d55a742-ca6e-5212-a755-cd9d864592ab", "object_relation": "account-name", "value": "ParlerOctocat", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "4de31cee-bb94-583c-b5aa-b447f0051987", "object_relation": "human", "value": "False", "type": "boolean", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "67b6f79b-e0c4-5207-85cd-c31799df4593", "object_relation": "profile-photo", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": true, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--7b0698a0-209a-4da0-a5c5-cfc4734f3af2" ], "labels": [ "misp:name=\"parler-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "user_id": "42", "account_login": "ParlerOctocat", "account_type": "parler", "x_misp_human": false, "x_misp_profile_photo": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'parler' AND user-account:user_id = '42']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"parler-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--2bb5818f-2e44-43a2-b0de-1d69516b48cb", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "target_ref": "observed-data--7b0698a0-209a-4da0-a5c5-cfc4734f3af2" } ] - MISP
{ "name": "parler-account", "meta-category": "misc", "template_uuid": "8d5ba58e-cac3-46a6-9d1f-cf236f7e95c9", "description": "Parler account.", "template_version": "2", "uuid": "7b0698a0-209a-4da0-a5c5-cfc4734f3af2", "Attribute": [ { "uuid": "337a46e6-053b-5dd2-8a23-e3f68a35088e", "object_relation": "account-id", "value": "42", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--7b0698a0-209a-4da0-a5c5-cfc4734f3af2" }, { "uuid": "20d5f807-5598-54b1-bb0f-4a6b17488a6f", "object_relation": "account-name", "value": "ParlerOctocat", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "3eac24f8-f470-571f-84c9-a9ae683f4d68", "object_relation": "human", "value": false, "type": "boolean", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "43c5df71-c482-5838-a947-3cd29bee5174", "object_relation": "profile-photo", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- person
- STIX - Identity
{ "type": "identity", "spec_version": "2.1", "id": "identity--868037d5-d804-4f1d-8016-f296361f9c68", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "John Smith", "roles": [ "Guru" ], "identity_class": "individual", "contact_information": "phone-number: 0123456789", "labels": [ "misp:name=\"person\"", "misp:meta-category=\"misc\"" ], "x_misp_nationality": "USA", "x_misp_passport_number": "ABA9875413" } - MISP
{ "name": "person", "meta-category": "misc", "template_uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", "description": "An object which describes a person or an identity.", "template_version": "21", "uuid": "868037d5-d804-4f1d-8016-f296361f9c68", "Attribute": [ { "uuid": "195846df-429c-58a7-8cc6-3fcbbfea1830", "object_relation": "full-name", "value": "John Smith", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "225788e5-7344-5f07-8418-438ea2821138", "object_relation": "role", "value": "Guru", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "509f364c-fb73-5de2-8048-25b0f594a2a2", "object_relation": "nationality", "value": "USA", "type": "nationality", "disable_correlation": true, "to_ids": false, "category": "Person" }, { "uuid": "57418b1b-6e31-585f-9a15-5d09d5508d67", "object_relation": "passport-number", "value": "ABA9875413", "type": "passport-number", "disable_correlation": false, "to_ids": false, "category": "Person" }, { "uuid": "a8220475-f947-5a31-9acd-d7494c4a401a", "object_relation": "phone-number", "value": "0123456789", "type": "phone-number", "disable_correlation": false, "to_ids": false, "category": "Person" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Identity
- process
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5e39776a-b284-40b3-8079-22fea964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[process:pid = '2510' AND process:image_ref.name = 'test_process.exe' AND process:parent_ref.command_line = 'grep -nrG iglocska /home/viktor/friends.txt' AND process:parent_ref.image_ref.name = 'parent_process.exe' AND process:parent_ref.pid = '2107' AND process:parent_ref.x_misp_process_name = 'Friends_From_H' AND process:child_refs[0].pid = '1401' AND process:is_hidden = 'True' AND process:x_misp_name = 'TestProcess' AND process:x_misp_port = '1234']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"process\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "process", "meta-category": "misc", "template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "description": "Object describing a system process.", "template_version": "10", "uuid": "5e39776a-b284-40b3-8079-22fea964451a", "Attribute": [ { "uuid": "764805d9-84a6-522e-a27e-28ff0c4946f1", "object_relation": "pid", "value": "2510", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "84f6ce85-3cc4-592b-93df-9d9b0fc2616f", "object_relation": "image", "value": "test_process.exe", "type": "filename", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "0d92f4b4-d3b1-5734-8484-771f8d09138b", "object_relation": "parent-command-line", "value": "grep -nrG iglocska /home/viktor/friends.txt", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "0c44df0f-fd4c-503f-a4fd-0976c8ac27ec", "object_relation": "parent-image", "value": "parent_process.exe", "type": "filename", "disable_correlation": false, "to_ids": true, "category": "Payload delivery" }, { "uuid": "909b2421-b741-5258-96d5-24a28ac5dadf", "object_relation": "parent-pid", "value": "2107", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "bd6b3b82-593e-51b1-94b6-b112d999ba5b", "object_relation": "parent-process-name", "value": "Friends_From_H", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "33ccf6db-454b-5ae6-bac0-cf41c26b9413", "object_relation": "child-pid", "value": "1401", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "b2d0a46d-9990-5126-9cf7-122f247675f2", "object_relation": "hidden", "value": "True", "type": "boolean", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "fb726ad3-a8f8-59e7-a106-836231f648ae", "object_relation": "name", "value": "TestProcess", "type": "text", "disable_correlation": false, "to_ids": true, 
"category": "Other" }, { "uuid": "3a246f02-19c1-5964-bc6e-8090723757e2", "object_relation": "port", "value": "1234", "type": "port", "disable_correlation": true, "to_ids": true, "category": "Network activity" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5e39776a-b284-40b3-8079-22fea964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "process--5e39776a-b284-40b3-8079-22fea964451a", "file--d01ef2c6-3154-4f8a-a3dc-9de1f34dd5d0", "process--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "process--518b4bcb-a86b-4783-9457-391d548b605b", "file--f2259650-bc33-4b64-a3a8-a324aa7ea6bb" ], "labels": [ "misp:name=\"process\"", "misp:meta-category=\"misc\"" ] }, { "type": "process", "spec_version": "2.1", "id": "process--5e39776a-b284-40b3-8079-22fea964451a", "is_hidden": true, "pid": 2510, "image_ref": "file--f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "parent_ref": "process--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "child_refs": [ "process--518b4bcb-a86b-4783-9457-391d548b605b" ], "x_misp_name": "TestProcess", "x_misp_port": "1234" }, { "type": "file", "spec_version": "2.1", "id": "file--d01ef2c6-3154-4f8a-a3dc-9de1f34dd5d0", "name": "parent_process.exe" }, { "type": "process", "spec_version": "2.1", "id": "process--34cb1a7c-55ec-412a-8684-ba4a88d83a45", "pid": 2107, "command_line": "grep -nrG iglocska /home/viktor/friends.txt", "image_ref": "file--d01ef2c6-3154-4f8a-a3dc-9de1f34dd5d0", "x_misp_process_name": "Friends_From_H" }, { "type": "process", "spec_version": "2.1", "id": "process--518b4bcb-a86b-4783-9457-391d548b605b", "pid": 1401 }, { "type": "file", "spec_version": "2.1", "id": "file--f2259650-bc33-4b64-a3a8-a324aa7ea6bb", "name": "test_process.exe" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5e39776a-b284-40b3-8079-22fea964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[process:pid = '2510' AND 
process:image_ref.name = 'test_process.exe' AND process:parent_ref.image_ref.name = 'parent_process.exe']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"process\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--74004798-7758-4553-90fe-60cbb722dc62", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5e39776a-b284-40b3-8079-22fea964451a", "target_ref": "observed-data--5e39776a-b284-40b3-8079-22fea964451a" } ] - MISP
{ "name": "process", "meta-category": "misc", "template_uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "description": "Object describing a system process.", "template_version": "10", "uuid": "5e39776a-b284-40b3-8079-22fea964451a", "Attribute": [ { "uuid": "14a78b04-1e9d-5aa8-875c-3ca6621a083d", "object_relation": "hidden", "value": true, "type": "boolean", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "25c4433d-e161-5b43-8e45-994e20698b30", "object_relation": "name", "value": "TestProcess", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "1b84bb78-f73d-57ed-9438-558a7d06ec55", "object_relation": "pid", "value": "2510", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--5e39776a-b284-40b3-8079-22fea964451a" }, { "uuid": "2ebdde3b-2224-5836-b848-930eab48ab72", "object_relation": "port", "value": "1234", "type": "port", "disable_correlation": true, "to_ids": false, "category": "Network activity" }, { "uuid": "8642267a-6d8f-59da-acf8-08af434d53c7", "object_relation": "image", "value": "test_process.exe", "type": "filename", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5e39776a-b284-40b3-8079-22fea964451a" }, { "uuid": "3d4dd4e0-672b-51c0-9358-8d281f12b9e4", "object_relation": "child-pid", "value": "1401", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "2bd208a4-fc87-5f26-b721-ffbb87e7d227", "object_relation": "parent-command-line", "value": "grep -nrG iglocska /home/viktor/friends.txt", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "0a0dad9c-a9b0-50b3-aaf0-7595cbe0ed8d", "object_relation": "parent-process-name", "value": "Friends_From_H", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": 
"a85a6946-0c58-52af-bbda-76047f64a025", "object_relation": "parent-pid", "value": "2107", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "9ae15cee-1abf-58ff-b4c2-724d7d8eb9b7", "object_relation": "parent-image", "value": "parent_process.exe", "type": "filename", "disable_correlation": false, "to_ids": true, "category": "Payload delivery", "comment": "Indicator ID: indicator--5e39776a-b284-40b3-8079-22fea964451a" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- reddit-account
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--43d3eff0-fabc-4663-9493-fad3a1eed0d5", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'reddit' AND user-account:user_id = '666' AND user-account:account_login = 'RedditOctocat' AND user-account:x_misp_description = 'Reddit account of the OctoCat' AND user-account:x_misp_account_avatar.data = 'iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC' AND user-account:x_misp_account_avatar.value = 'octocat.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"reddit-account\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "reddit-account", "meta-category": "misc", "template_uuid": "6802f885-2003-494a-b234-61aadce62731", "description": "Reddit account.", "template_version": "2", "uuid": "43d3eff0-fabc-4663-9493-fad3a1eed0d5", "Attribute": [ { "uuid": "668789cc-cb72-546a-9c5d-5f5151a0fe1f", "object_relation": "account-id", "value": "666", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "0d13fa0d-08fa-5dc9-bd02-9ac360f16a07", "object_relation": "account-name", "value": "RedditOctocat", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "97308060-b7fa-5920-b4cd-35a99623db7e", "object_relation": "description", "value": "Reddit account of the OctoCat", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "f2cc2a2d-cd2c-5bea-8109-e7edc25f7fa8", "object_relation": "account-avatar", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": true, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--43d3eff0-fabc-4663-9493-fad3a1eed0d5", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--43d3eff0-fabc-4663-9493-fad3a1eed0d5" ], "labels": [ "misp:name=\"reddit-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--43d3eff0-fabc-4663-9493-fad3a1eed0d5", "user_id": "666", "account_login": "RedditOctocat", "account_type": "reddit", "x_misp_account_avatar": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" }, "x_misp_description": "Reddit account of the OctoCat" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--43d3eff0-fabc-4663-9493-fad3a1eed0d5", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'reddit' AND user-account:user_id = '666']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"reddit-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--601caace-838b-470d-b5b7-9e0bf59782e8", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--43d3eff0-fabc-4663-9493-fad3a1eed0d5", "target_ref": "observed-data--43d3eff0-fabc-4663-9493-fad3a1eed0d5" } ] - MISP
{ "name": "reddit-account", "meta-category": "misc", "template_uuid": "6802f885-2003-494a-b234-61aadce62731", "description": "Reddit account.", "template_version": "2", "uuid": "43d3eff0-fabc-4663-9493-fad3a1eed0d5", "Attribute": [ { "uuid": "2cb49eb1-2003-5685-b6af-90ef0433221c", "object_relation": "account-id", "value": "666", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--43d3eff0-fabc-4663-9493-fad3a1eed0d5" }, { "uuid": "939807ee-6b43-555f-8cf7-f6366916c0ec", "object_relation": "account-name", "value": "RedditOctocat", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "d228ed0f-b8da-5c90-af61-303e18b1ecd1", "object_relation": "account-avatar", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "uuid": "e2b58cb0-5bdb-5738-af27-73a97d7b49a2", "object_relation": "description", "value": "Reddit account of the OctoCat", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- registry-key
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac3379c-3e74-44ba-9160-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[windows-registry-key:key = 'hkey_local_machine\\\\system\\\\bar\\\\foo' AND windows-registry-key:modified_time = '2020-10-25T16:22:00Z' AND windows-registry-key:values[0].data = '\\\\%DATA\\\\%\\\\qwertyuiop' AND windows-registry-key:values[0].data_type = 'REG_SZ' AND windows-registry-key:values[0].name = 'RegistryName' AND windows-registry-key:x_misp_hive = 'hklm']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"registry-key\"", "misp:meta-category=\"file\"" ] } - MISP
{ "name": "registry-key", "meta-category": "file", "template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5", "description": "Registry key object describing a Windows registry key with value and last-modified timestamp", "template_version": "5", "uuid": "5ac3379c-3e74-44ba-9160-04120a00020f", "Attribute": [ { "uuid": "14e53210-3f72-5b1c-b831-5a6793fa4feb", "object_relation": "key", "value": "hkey_local_machine\\\\system\\\\bar\\\\foo", "type": "regkey", "category": "Persistence mechanism", "disable_correlation": false, "to_ids": true }, { "uuid": "1866ec4c-def4-523b-924f-090bbd5091f9", "object_relation": "last-modified", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "category": "Other", "disable_correlation": false, "to_ids": true }, { "uuid": "bfb7a5b5-51e9-5756-a413-912f5c319385", "object_relation": "data", "value": "\\\\%DATA\\\\%\\\\qwertyuiop", "type": "text", "category": "Persistence mechanism", "disable_correlation": false, "to_ids": true }, { "uuid": "0a5a8893-f80a-5a33-a333-df79e215cf7b", "object_relation": "data-type", "value": "REG_SZ", "type": "text", "category": "Persistence mechanism", "disable_correlation": true, "to_ids": true }, { "uuid": "3e1d80ef-9c78-51e3-8c70-37bddd5f4d6c", "object_relation": "name", "value": "RegistryName", "type": "text", "category": "Persistence mechanism", "disable_correlation": false, "to_ids": true }, { "uuid": "d8f5f46d-2018-534d-8369-277509b14272", "object_relation": "hive", "value": "hklm", "type": "text", "category": "Persistence mechanism", "disable_correlation": true, "to_ids": true } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac3379c-3e74-44ba-9160-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "windows-registry-key--5ac3379c-3e74-44ba-9160-04120a00020f" ], "labels": [ "misp:name=\"registry-key\"", "misp:meta-category=\"file\"" ] }, { "type": "windows-registry-key", "spec_version": "2.1", "id": "windows-registry-key--5ac3379c-3e74-44ba-9160-04120a00020f", "key": "hkey_local_machine\\system\\bar\\foo", "values": [ { "name": "RegistryName", "data": "%DATA%\\qwertyuiop", "data_type": "REG_SZ" } ], "modified_time": "2020-10-25T16:22:00Z", "x_misp_hive": "hklm" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac3379c-3e74-44ba-9160-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[windows-registry-key:key = 'hkey_local_machine\\\\system\\\\bar\\\\foo']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "file" } ], "labels": [ "misp:name=\"registry-key\"", "misp:meta-category=\"file\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0ec23b58-fbd1-4dbb-be28-6a48d4677410", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5ac3379c-3e74-44ba-9160-04120a00020f", "target_ref": "observed-data--5ac3379c-3e74-44ba-9160-04120a00020f" } ] - MISP
{ "name": "registry-key", "meta-category": "file", "template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5", "description": "Registry key object describing a Windows registry key with value and last-modified timestamp", "template_version": "5", "uuid": "5ac3379c-3e74-44ba-9160-04120a00020f", "Attribute": [ { "uuid": "8f7a03ce-8999-5ebd-985f-8938c6ae6d64", "object_relation": "key", "value": "hkey_local_machine\\system\\bar\\foo", "type": "regkey", "category": "Persistence mechanism", "disable_correlation": false, "to_ids": true, "comment": "Indicator ID: indicator--5ac3379c-3e74-44ba-9160-04120a00020f" }, { "uuid": "f96dced0-7c80-58bd-9c34-e593170105b8", "object_relation": "last-modified", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "category": "Other", "disable_correlation": false, "to_ids": false }, { "uuid": "516de4d9-ed24-5b7b-90a7-7c279bffd216", "object_relation": "hive", "value": "hklm", "type": "text", "category": "Persistence mechanism", "disable_correlation": true, "to_ids": false }, { "uuid": "67e29c33-37f2-5638-bdf2-5d671bbb2aa3", "object_relation": "data", "value": "%DATA%\\qwertyuiop", "type": "text", "category": "Persistence mechanism", "disable_correlation": false, "to_ids": false }, { "uuid": "b5ff10ca-6411-5211-9b76-46cf7cceb7b9", "object_relation": "data-type", "value": "REG_SZ", "type": "text", "category": "Persistence mechanism", "disable_correlation": true, "to_ids": false }, { "uuid": "155edd0b-fe6f-5886-b648-c84a121afc6f", "object_relation": "name", "value": "RegistryName", "type": "text", "category": "Persistence mechanism", "disable_correlation": false, "to_ids": false } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- sigma
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--c8c418e3-b61c-4d40-a1fc-b10cec6585d7", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Ps.exe", "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A", "pattern": "title: Ps.exe Renamed SysInternals Tool description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report reference: https://www.us-cert.gov/ncas/alerts/TA17-293A author: Florian Roth date: 2017/10/22 logsource: product: windows service: sysmon detection: selection: EventID: 1 CommandLine: \\'ps.exe -accepteula\\' condition: selection falsepositives: - Renamed SysInternals tool level: high", "pattern_type": "sigma", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"sigma\"", "misp:meta-category=\"misc\"" ], "external_references": [ { "source_name": "url", "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "x_misp_context": "disk" } - MISP
{ "name": "sigma", "meta-category": "misc", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "description": "An object describing a Sigma rule (or a Sigma rule name).", "template_version": "2", "uuid": "c8c418e3-b61c-4d40-a1fc-b10cec6585d7", "Attribute": [ { "uuid": "63879fb4-3b42-58e1-ad16-4748d1fbddd2", "object_relation": "sigma", "value": "title: Ps.exe Renamed SysInternals Tool description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A report reference: https://www.us-cert.gov/ncas/alerts/TA17-293A author: Florian Roth date: 2017/10/22 logsource: product: windows service: sysmon detection: selection: EventID: 1 CommandLine: \\'ps.exe -accepteula\\' condition: selection falsepositives: - Renamed SysInternals tool level: high", "type": "sigma", "disable_correlation": false, "to_ids": true, "category": "Payload installation" }, { "uuid": "bfd3b3a6-6061-550e-abf2-6cb123acedc5", "object_relation": "comment", "value": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documentied in TA17-293A", "type": "comment", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "be56cfe7-6a22-596a-9324-61d54d98cfd3", "object_relation": "sigma-rule-name", "value": "Ps.exe", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "f6a5b4cb-2bc4-54f6-a269-4e13e5c52885", "object_relation": "context", "value": "disk", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "09b6df96-d3bd-414d-9875-250042463168", "object_relation": "reference", "value": "https://www.us-cert.gov/ncas/alerts/TA17-293A", "type": "link", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- suricata
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--efc15547-4fe9-4188-aa71-b688e1bfa59c", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "description": "To rule them all", "pattern": "alert http any 443 -> 8.8.8.8 any", "pattern_type": "suricata", "pattern_version": "3.1.6", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"suricata\"", "misp:meta-category=\"network\"" ], "external_references": [ { "source_name": "url", "url": "https://suricata.readthedocs.io/en/suricata-6.0.4/index.html" } ] } - MISP
{ "name": "suricata", "meta-category": "network", "template_uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a", "description": "An object describing one or more Suricata rule(s) along with version and contextual information.", "template_version": "2", "uuid": "efc15547-4fe9-4188-aa71-b688e1bfa59c", "Attribute": [ { "uuid": "6f022ca3-67c4-573b-97a0-c7c5037acb41", "object_relation": "suricata", "value": "alert http any 443 -> 8.8.8.8 any", "type": "suricata", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "702852e0-9331-5832-afe0-d1d87debf40a", "object_relation": "comment", "value": "To rule them all", "type": "comment", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "7baa9819-b9d5-5a4b-a293-9be560978ce8", "object_relation": "version", "value": "3.1.6", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "c60f9d6b-30fd-4ccd-9f72-b99c3b32192f", "object_relation": "ref", "value": "https://suricata.readthedocs.io/en/suricata-6.0.4/index.html", "type": "link", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- telegram-account
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--7ecc4537-89cd-4f17-8027-6e0f70710c53", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'telegram' AND user-account:user_id = '1234567890' AND user-account:account_login = 'T3l3gr4mUs3r' AND user-account:x_misp_phone = '0112233445' AND user-account:x_misp_phone = '0556677889']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"telegram-account\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "telegram-account", "meta-category": "misc", "template_uuid": "06f02ecf-5afb-42c5-9cb0-b362e222f52c", "description": "Information related to a telegram account", "template_version": "2", "uuid": "7ecc4537-89cd-4f17-8027-6e0f70710c53", "Attribute": [ { "uuid": "32cd8708-10b8-5ba7-8884-e3f5b765dc92", "object_relation": "id", "value": "1234567890", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "99852d63-4a35-547e-9fbb-aaa238d7a780", "object_relation": "username", "value": "T3l3gr4mUs3r", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "d6d8765f-fda8-5b95-8c67-6049c3f60d79", "object_relation": "phone", "value": "0112233445", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "cef52c1b-88ba-58a4-91e8-b295e6157c50", "object_relation": "phone", "value": "0556677889", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--7ecc4537-89cd-4f17-8027-6e0f70710c53", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--7ecc4537-89cd-4f17-8027-6e0f70710c53" ], "labels": [ "misp:name=\"telegram-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--7ecc4537-89cd-4f17-8027-6e0f70710c53", "user_id": "1234567890", "account_login": "T3l3gr4mUs3r", "account_type": "telegram", "x_misp_phone": [ "0112233445", "0556677889" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7ecc4537-89cd-4f17-8027-6e0f70710c53", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'telegram' AND user-account:user_id = '1234567890']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"telegram-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f8117c4c-1a27-48e2-9df4-bbce247b3783", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--7ecc4537-89cd-4f17-8027-6e0f70710c53", "target_ref": "observed-data--7ecc4537-89cd-4f17-8027-6e0f70710c53" } ] - MISP
{ "name": "telegram-account", "meta-category": "misc", "template_uuid": "06f02ecf-5afb-42c5-9cb0-b362e222f52c", "description": "Information related to a telegram account", "template_version": "2", "uuid": "7ecc4537-89cd-4f17-8027-6e0f70710c53", "Attribute": [ { "uuid": "a6ec3443-ffff-5a83-b73c-9ef3efe89dc7", "object_relation": "id", "value": "1234567890", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--7ecc4537-89cd-4f17-8027-6e0f70710c53" }, { "uuid": "b4436251-5495-5dca-b95b-97ea1eb0150a", "object_relation": "username", "value": "T3l3gr4mUs3r", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "2bb8cbf7-ff06-5f73-8e49-fcc214d88b3b", "object_relation": "phone", "value": "0112233445", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "32b0746e-0ebc-5759-ad8c-a4eae7dd9656", "object_relation": "phone", "value": "0556677889", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- twitter-account
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'twitter' AND user-account:display_name = 'Octo Cat' AND user-account:user_id = '1357111317' AND user-account:account_login = 'octocat' AND user-account:x_misp_followers = '666' AND user-account:x_misp_profile_image.data = 'iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC' AND user-account:x_misp_profile_image.value = 'octocat.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"twitter-account\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "twitter-account", "meta-category": "misc", "template_uuid": "8066563f-881e-4f6a-9d6c-a9d15b8658bb", "description": "Twitter account.", "template_version": "7", "uuid": "6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "Attribute": [ { "uuid": "b436d36a-7801-5a91-b870-0bc6628e0b37", "object_relation": "displayed-name", "value": "Octo Cat", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "37a8073d-0951-5b6d-b7d3-bbf99f3d0171", "object_relation": "id", "value": "1357111317", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "cfcc8051-3206-5eca-b5f3-bd6960c1befb", "object_relation": "name", "value": "octocat", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "ea9b35f2-5c1a-5ba9-b70f-5c4d26bd218f", "object_relation": "followers", "value": "666", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "6fc7846e-01b0-587f-bbea-7be00a41d0cf", "object_relation": "profile-image", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": true, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb" ], "labels": [ "misp:name=\"twitter-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "user_id": "1357111317", "account_login": "octocat", "account_type": "twitter", "display_name": "Octo Cat", "x_misp_followers": "666", "x_misp_profile_image": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'twitter' AND user-account:user_id = '1357111317']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"twitter-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--c24d40c6-edda-4cb4-9afe-75b63789b974", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "target_ref": "observed-data--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb" } ] - MISP
{ "name": "twitter-account", "meta-category": "misc", "template_uuid": "8066563f-881e-4f6a-9d6c-a9d15b8658bb", "description": "Twitter account.", "template_version": "7", "uuid": "6baef273-d2c3-4ef1-8a93-d2cf552e7bfb", "Attribute": [ { "uuid": "a1b29e25-75da-5453-907f-45f9c4fcc17d", "object_relation": "id", "value": "1357111317", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--6baef273-d2c3-4ef1-8a93-d2cf552e7bfb" }, { "uuid": "a73dc57f-0445-5c2e-91db-e926ac859de1", "object_relation": "name", "value": "octocat", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "0736a447-4106-5136-8d70-c41cb21cd383", "object_relation": "displayed-name", "value": "Octo Cat", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "40776493-27d4-553c-b12b-959736835981", "object_relation": "followers", "value": "666", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "2da719e1-ec52-595f-865e-eb0e8fd53bf0", "object_relation": "profile-image", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- url
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac347ca-dac4-4562-9775-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[url:value = 'https://www.circl.lu/team' AND url:x_misp_domain = 'circl.lu' AND url:x_misp_host = 'www.circl.lu' AND url:x_misp_ip = '149.13.33.14' AND url:x_misp_port = '443']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"url\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "url", "meta-category": "network", "template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "template_version": "10", "uuid": "5ac347ca-dac4-4562-9775-04120a00020f", "Attribute": [ { "uuid": "d602fb65-ee6d-5050-a42f-39ea66ec6d42", "object_relation": "url", "value": "https://www.circl.lu/team", "type": "url", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "d0556d25-cca8-5d06-9ed6-415318626da5", "object_relation": "domain", "value": "circl.lu", "type": "domain", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "9e389126-197e-5ca6-9a14-ebea8266b4d3", "object_relation": "host", "value": "www.circl.lu", "type": "hostname", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "94924d05-a8e1-50e7-a80e-8006acbe76d1", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "864ff81c-e4e1-5ce3-a4cb-32478e5b5ec4", "object_relation": "port", "value": "443", "type": "port", "disable_correlation": true, "to_ids": true, "category": "Network activity" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac347ca-dac4-4562-9775-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "url--5ac347ca-dac4-4562-9775-04120a00020f" ], "labels": [ "misp:name=\"url\"", "misp:meta-category=\"network\"" ] }, { "type": "url", "spec_version": "2.1", "id": "url--5ac347ca-dac4-4562-9775-04120a00020f", "value": "https://www.circl.lu/team", "x_misp_domain": "circl.lu", "x_misp_host": "www.circl.lu", "x_misp_ip": "149.13.33.14", "x_misp_port": "443" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac347ca-dac4-4562-9775-04120a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[url:value = 'https://www.circl.lu/team' AND url:x_misp_domain = 'circl.lu' AND url:x_misp_host = 'www.circl.lu' AND url:x_misp_ip = '149.13.33.14']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"url\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--9c435f8e-5d9c-4f84-9650-6bb3355ae28a", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5ac347ca-dac4-4562-9775-04120a00020f", "target_ref": "observed-data--5ac347ca-dac4-4562-9775-04120a00020f" } ] - MISP
{ "name": "url", "meta-category": "network", "template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "template_version": "10", "uuid": "5ac347ca-dac4-4562-9775-04120a00020f", "Attribute": [ { "uuid": "4818dd13-0d1c-549f-ae46-63b8c20a7259", "object_relation": "url", "value": "https://www.circl.lu/team", "type": "url", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--5ac347ca-dac4-4562-9775-04120a00020f" }, { "uuid": "54214174-0ab9-591a-a366-99b0ed640ade", "object_relation": "domain", "value": "circl.lu", "type": "domain", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--5ac347ca-dac4-4562-9775-04120a00020f" }, { "uuid": "f823cbdb-2fba-57e3-a543-eab786769996", "object_relation": "host", "value": "www.circl.lu", "type": "hostname", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--5ac347ca-dac4-4562-9775-04120a00020f" }, { "uuid": "f77fb93e-345f-5a27-82e3-97ebe854f88d", "object_relation": "ip", "value": "149.13.33.14", "type": "ip-dst", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--5ac347ca-dac4-4562-9775-04120a00020f" }, { "uuid": "90459245-40c9-5645-b505-fec3efb14ed3", "object_relation": "port", "value": "443", "type": "port", "disable_correlation": true, "to_ids": false, "category": "Network activity" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- user-account
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5d234f25-539c-4d12-bf93-2c46a964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_type = 'unix' AND user-account:display_name = 'Code Monkey' AND user-account:credential = 'P4ssw0rd1234!' AND user-account:user_id = 'iglocska' AND user-account:account_login = 'iglocska' AND user-account:credential_last_changed = '2020-10-25T16:22:00Z' AND user-account:extensions.'unix-account-ext'.groups = 'viktor-fan' AND user-account:extensions.'unix-account-ext'.groups = 'donald-fan' AND user-account:extensions.'unix-account-ext'.gid = '2004' AND user-account:extensions.'unix-account-ext'.home_dir = '/home/iglocska' AND user-account:x_misp_user_avatar.data = 'iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC' AND user-account:x_misp_user_avatar.value = 'octocat.png']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"user-account\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "user-account", "meta-category": "misc", "template_uuid": "49606b06-22f0-4ac8-8eee-2f12ad46f3d3", "description": "User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.", "template_version": "6", "uuid": "5d234f25-539c-4d12-bf93-2c46a964451a", "Attribute": [ { "uuid": "f9fdd24e-eb6e-5256-9412-913ea6b7c03a", "object_relation": "account-type", "value": "unix", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "ed08fdff-3bd0-59ef-9510-4c416255df0f", "object_relation": "display-name", "value": "Code Monkey", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "ea76463c-b9ec-5ab4-a3d3-ae7ffb3cdcc5", "object_relation": "password", "value": "P4ssw0rd1234!", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "c7756d14-7166-5722-96bc-9ec1e13358c8", "object_relation": "user-id", "value": "iglocska", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "5bc4a822-4df3-5f52-8e7f-a1ffdff67999", "object_relation": "username", "value": "iglocska", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other" }, { "uuid": "971ce27a-b1e3-55d7-b880-ae55b50a3a3a", "object_relation": "password_last_changed", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "18fac178-2031-52ff-966b-af8c560f41fd", "object_relation": "group", "value": "viktor-fan", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "b0474a39-cc09-518e-93b7-00b2092ef2da", "object_relation": "group", "value": "donald-fan", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "6d410558-299e-599c-92f9-a7c18a18c23d", "object_relation": "group-id", "value": "2004", "type": "text", 
"disable_correlation": true, "to_ids": true, "category": "Other" }, { "uuid": "00821411-5889-56b6-89d9-5fd8f2040a96", "object_relation": "home_dir", "value": "/home/iglocska", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "38b03f0e-4b15-5a55-a2e5-190c496dca42", "object_relation": "user-avatar", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": true, "category": "External analysis" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5d234f25-539c-4d12-bf93-2c46a964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "user-account--5d234f25-539c-4d12-bf93-2c46a964451a" ], "labels": [ "misp:name=\"user-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "user-account", "spec_version": "2.1", "id": "user-account--5d234f25-539c-4d12-bf93-2c46a964451a", "user_id": "iglocska", "credential": "P4ssw0rd1234!", "account_login": "iglocska", "account_type": "unix", "display_name": "Code Monkey", "credential_last_changed": "2020-10-25T16:22:00Z", "extensions": { "unix-account-ext": { "gid": 2004, "groups": [ "viktor-fan", "donald-fan" ], "home_dir": "/home/iglocska" } }, "x_misp_user_avatar": { "value": "octocat.png", "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5d234f25-539c-4d12-bf93-2c46a964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[user-account:account_login = 'iglocska']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"user-account\"", "misp:meta-category=\"misc\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--127637c9-7a83-4e0c-8d1f-666ad1cc3fa2", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5d234f25-539c-4d12-bf93-2c46a964451a", "target_ref": "observed-data--5d234f25-539c-4d12-bf93-2c46a964451a" } ] - MISP
{ "name": "user-account", "meta-category": "misc", "template_uuid": "49606b06-22f0-4ac8-8eee-2f12ad46f3d3", "description": "User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.", "template_version": "6", "uuid": "5d234f25-539c-4d12-bf93-2c46a964451a", "Attribute": [ { "uuid": "869947b7-1717-5e5d-a1a4-2a5b8d6dd295", "object_relation": "username", "value": "iglocska", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--5d234f25-539c-4d12-bf93-2c46a964451a" }, { "uuid": "233956fa-e4f0-5da7-a0c9-4ffb34226de7", "object_relation": "account-type", "value": "unix", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "4c68354e-5d14-5f63-8761-69714dce289f", "object_relation": "password", "value": "P4ssw0rd1234!", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "2ee310d2-1d1f-5a5f-a4e5-8121612e2b53", "object_relation": "display-name", "value": "Code Monkey", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "625cc57c-f8e2-51bf-a6e4-76e43f443ba3", "object_relation": "user-id", "value": "iglocska", "type": "text", "disable_correlation": false, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--5d234f25-539c-4d12-bf93-2c46a964451a" }, { "uuid": "9735260e-bab9-53b1-a792-f878c97db5e5", "object_relation": "password_last_changed", "value": "2020-10-25T16:22:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "data": "iVBORw0KGgoAAAANSUhEUgA[...]hIu9Wl1AAAAAElFTkSuQmCC", "uuid": "94629e50-0da4-5056-a826-31484a5c0410", "object_relation": "user-avatar", "value": "octocat.png", "type": "attachment", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "uuid": "9847ea1d-5143-5ba8-807c-d3feee1fa204", 
"object_relation": "group-id", "value": "2004", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "57976d29-a2f4-5d41-973d-f2802236d1c5", "object_relation": "group", "value": "viktor-fan", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "fd8cf903-93a2-5c69-b46d-6e2e65bbc5ce", "object_relation": "group", "value": "donald-fan", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "2ae9c0f6-b55f-523d-a9ee-343b45021bfa", "object_relation": "home_dir", "value": "/home/iglocska", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- vulnerability
- STIX - Vulnerability
{ "type": "vulnerability", "spec_version": "2.1", "id": "vulnerability--5e579975-e9cc-46c6-a6ad-1611a964451a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "CVE-2017-11774", "description": "Microsoft Outlook allow an attacker to execute arbitrary commands", "labels": [ "misp:name=\"vulnerability\"", "misp:meta-category=\"vulnerability\"" ], "external_references": [ { "source_name": "cve", "external_id": "CVE-2017-11774" }, { "source_name": "url", "url": "http://www.securityfocus.com/bid/101098" }, { "source_name": "url", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774" } ], "x_misp_created": "2017-10-13T07:29:00Z", "x_misp_cvss_score": "6.8", "x_misp_published": "2017-10-13T07:29:00Z" } - MISP
{ "name": "vulnerability", "meta-category": "vulnerability", "template_uuid": "81650945-f186-437b-8945-9f31715d32da", "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "template_version": "12", "uuid": "5e579975-e9cc-46c6-a6ad-1611a964451a", "Attribute": [ { "uuid": "31d5e18b-b2d9-4df1-ba7b-008f31894071", "object_relation": "id", "value": "CVE-2017-11774", "type": "vulnerability", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "uuid": "797235f3-3644-4382-9dff-4ca0cab0d0bb", "object_relation": "references", "value": "http://www.securityfocus.com/bid/101098", "type": "link", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "uuid": "3744be05-7e7b-44d5-9f7e-f27ee9e6b25d", "object_relation": "references", "value": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774", "type": "link", "disable_correlation": false, "to_ids": false, "category": "External analysis" }, { "uuid": "c4c7d1ae-0172-5667-a5d0-ec281d0244db", "object_relation": "description", "value": "Microsoft Outlook allow an attacker to execute arbitrary commands", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "a09df98f-0cd5-5fbf-8b57-56fb76c47703", "object_relation": "created", "value": "2017-10-13T07:29:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "60e44300-7654-5821-b687-92e278e29669", "object_relation": "cvss-score", "value": "6.8", "type": "float", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "c9478a72-b17c-5b11-a0a1-b741b28d4e94", "object_relation": "published", "value": "2017-10-13T07:29:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", 
"sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Vulnerability
- wazuh-rule
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--a86a1736-90fc-48fa-8e72-8735cac0e14a", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Wazuh-Indexer Cluster Logs - Level: ERROR", "pattern": "<rule id=\"200996\" level=\"12\">\n <decoded_as>json</decoded_as>\n <field name=\"cluster.name\">\\.+</field>\n <field name=\"level\">^ERROR$</field>\n <description>Wazuh-Indexer Cluster Logs - Level: ERROR</description>\n <options>no_full_log</options>\n </rule>", "pattern_type": "wazuh", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"wazuh-rule\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "wazuh-rule", "meta-category": "misc", "template_uuid": "5150952e-4a21-4011-aa20-204b6459e657", "description": "An object describing a Wazuh XML rule using common fields from the official Wazuh rule syntax.", "template_version": "1", "uuid": "a86a1736-90fc-48fa-8e72-8735cac0e14a", "Attribute": [ { "uuid": "601dc87a-9842-52b8-b4d6-0466faa5e3c1", "object_relation": "wazuh-rule", "value": "<rule id=\"200996\" level=\"12\">\n <decoded_as>json</decoded_as>\n <field name=\"cluster.name\">\\.+</field>\n <field name=\"level\">^ERROR$</field>\n <description>Wazuh-Indexer Cluster Logs - Level: ERROR</description>\n <options>no_full_log</options>\n </rule>", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "e7d589f6-10b8-54a7-9e9c-14dc4dbc1598", "object_relation": "rule-id", "value": "Wazuh-Indexer Cluster Logs - Level: ERROR", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- x509
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac3444e-145c-4749-8467-02550a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[x509-certificate:hashes.MD5 = 'b2a5abfeef9e36964281a31e17b57c97' AND x509-certificate:hashes.'SHA-1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502' AND x509-certificate:issuer = 'Issuer Name' AND x509-certificate:subject_public_key_algorithm = 'PublicKeyAlgorithm' AND x509-certificate:subject_public_key_exponent = '2' AND x509-certificate:subject_public_key_modulus = 'C5' AND x509-certificate:serial_number = '1234567890' AND x509-certificate:signature_algorithm = 'SHA1_WITH_RSA_ENCRYPTION' AND x509-certificate:subject = 'CertificateSubject' AND x509-certificate:version = '1' AND x509-certificate:validity_not_after = '2021-01-01T00:00:00Z' AND x509-certificate:validity_not_before = '2020-01-01T00:00:00Z' AND x509-certificate:x_misp_pem = 'RawCertificateInPEMFormat']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"x509\"", "misp:meta-category=\"network\"" ] } - MISP
{ "name": "x509", "meta-category": "network", "template_uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", "description": "x509 object describing a X.509 certificate", "template_version": "14", "uuid": "5ac3444e-145c-4749-8467-02550a00020f", "Attribute": [ { "uuid": "38fc0594-313b-45a3-93ca-9ad5b5ab77a4", "object_relation": "x509-fingerprint-md5", "value": "b2a5abfeef9e36964281a31e17b57c97", "type": "x509-fingerprint-md5", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "bcdcd1ce-78e8-4f84-954d-a8d8b2eda647", "object_relation": "x509-fingerprint-sha1", "value": "5898fc860300e228dcd54c0b1045b5fa0dcda502", "type": "x509-fingerprint-sha1", "disable_correlation": false, "to_ids": true, "category": "Network activity" }, { "uuid": "e1de816b-d135-477f-b8e1-a62160ad6a63", "object_relation": "issuer", "value": "Issuer Name", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "e43493e5-79fa-429e-a45f-86544665b8b1", "object_relation": "pubkey-info-algorithm", "value": "PublicKeyAlgorithm", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "7c5d52fa-d4ac-48dc-a4fc-ee307bb51d74", "object_relation": "pubkey-info-exponent", "value": "2", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "833c1dc8-b0ce-47e2-b1d4-567065ea387a", "object_relation": "pubkey-info-modulus", "value": "C5", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "56fd26ce-33f6-44e4-9287-3d37956fffe6", "object_relation": "serial-number", "value": "1234567890", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "a0702bbc-6457-4519-965f-d295027ae562", "object_relation": "signature_algorithm", "value": "SHA1_WITH_RSA_ENCRYPTION", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": 
"a638ef9c-eac9-4bad-bd94-0118f18053c5", "object_relation": "subject", "value": "CertificateSubject", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "6771cf1d-9a9f-42f7-b5ac-b9e0513c00b3", "object_relation": "version", "value": "1", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "65e4d8fd-9435-4043-b8e9-a6a627ca9274", "object_relation": "validity-not-after", "value": "2021-01-01T00:00:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "6d019908-55fd-44c6-9494-71600c9ba786", "object_relation": "validity-not-before", "value": "2020-01-01T00:00:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "2e8bd8c2-0eb5-49ab-b895-186f6cabea8f", "object_relation": "pem", "value": "RawCertificateInPEMFormat", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" } - STIX - Observed Data
[ { "type": "observed-data", "spec_version": "2.1", "id": "observed-data--5ac3444e-145c-4749-8467-02550a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "first_observed": "2020-10-25T16:22:00Z", "last_observed": "2020-10-25T16:22:00Z", "number_observed": 1, "object_refs": [ "x509-certificate--5ac3444e-145c-4749-8467-02550a00020f" ], "labels": [ "misp:name=\"x509\"", "misp:meta-category=\"network\"" ] }, { "type": "x509-certificate", "spec_version": "2.1", "id": "x509-certificate--5ac3444e-145c-4749-8467-02550a00020f", "hashes": { "MD5": "b2a5abfeef9e36964281a31e17b57c97", "SHA-1": "5898fc860300e228dcd54c0b1045b5fa0dcda502" }, "version": "1", "serial_number": "1234567890", "signature_algorithm": "SHA1_WITH_RSA_ENCRYPTION", "issuer": "Issuer Name", "validity_not_before": "2020-01-01T00:00:00Z", "validity_not_after": "2021-01-01T00:00:00Z", "subject": "CertificateSubject", "subject_public_key_algorithm": "PublicKeyAlgorithm", "subject_public_key_modulus": "C5", "subject_public_key_exponent": 2, "x_misp_pem": "RawCertificateInPEMFormat" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--5ac3444e-145c-4749-8467-02550a00020f", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "pattern": "[x509-certificate:hashes.MD5 = 'b2a5abfeef9e36964281a31e17b57c97' AND x509-certificate:hashes.'SHA-1' = '5898fc860300e228dcd54c0b1045b5fa0dcda502' AND x509-certificate:issuer = 'Issuer Name']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "network" } ], "labels": [ "misp:name=\"x509\"", "misp:meta-category=\"network\"" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ef692888-dc5d-4f5c-85c2-b9a13f2ea85e", "created": 
"2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "relationship_type": "based-on", "source_ref": "indicator--5ac3444e-145c-4749-8467-02550a00020f", "target_ref": "observed-data--5ac3444e-145c-4749-8467-02550a00020f" } ] - MISP
{ "name": "x509", "meta-category": "network", "template_uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", "description": "x509 object describing a X.509 certificate", "template_version": "14", "uuid": "5ac3444e-145c-4749-8467-02550a00020f", "Attribute": [ { "uuid": "b06c5149-0eba-52a7-9596-c1fb78972e8b", "object_relation": "x509-fingerprint-md5", "value": "b2a5abfeef9e36964281a31e17b57c97", "type": "x509-fingerprint-md5", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--5ac3444e-145c-4749-8467-02550a00020f" }, { "uuid": "2aef89be-a966-5a57-8fb3-df920a6b0ce1", "object_relation": "x509-fingerprint-sha1", "value": "5898fc860300e228dcd54c0b1045b5fa0dcda502", "type": "x509-fingerprint-sha1", "disable_correlation": false, "to_ids": true, "category": "Network activity", "comment": "Indicator ID: indicator--5ac3444e-145c-4749-8467-02550a00020f" }, { "uuid": "c474288b-9815-5386-8962-98cd0693356b", "object_relation": "issuer", "value": "Issuer Name", "type": "text", "disable_correlation": true, "to_ids": true, "category": "Other", "comment": "Indicator ID: indicator--5ac3444e-145c-4749-8467-02550a00020f" }, { "uuid": "eec944aa-e7c6-52fd-b5dd-088167885bc0", "object_relation": "serial-number", "value": "1234567890", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "376ff194-6879-5d02-b2e8-825c4c7135b3", "object_relation": "signature_algorithm", "value": "SHA1_WITH_RSA_ENCRYPTION", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "270e45ec-2122-5198-9c63-ab8b2e344e26", "object_relation": "subject", "value": "CertificateSubject", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "6dcff989-74ce-5023-b086-3a68bc9e9d17", "object_relation": "pubkey-info-algorithm", "value": "PublicKeyAlgorithm", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { 
"uuid": "627071bb-e5d0-59cf-b35e-9f66bea4c9ad", "object_relation": "pubkey-info-exponent", "value": "2", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "f1ffa85e-4b4d-5b28-84a9-a9f8bc072ca5", "object_relation": "pubkey-info-modulus", "value": "C5", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "112442fe-a20d-5ccf-811c-68323fe93559", "object_relation": "validity-not-after", "value": "2021-01-01T00:00:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "c6a490f0-9e80-5d0f-aa58-2e8c15097ef8", "object_relation": "validity-not-before", "value": "2020-01-01T00:00:00+00:00", "type": "datetime", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "1cf6145b-54a5-54c9-b87f-27d21fe1ec7f", "object_relation": "version", "value": "1", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" }, { "uuid": "87b91560-d6bd-5bd1-bd58-ef981db2469b", "object_relation": "pem", "value": "RawCertificateInPEMFormat", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator
- yara
- STIX - Indicator
{ "type": "indicator", "spec_version": "2.1", "id": "indicator--cafdd27e-c3e2-4f7a-88b4-4c1c98f18be7", "created_by_ref": "identity--a0c22599-9e58-4da4-96ac-7051603fa951", "created": "2020-10-25T16:22:00.000Z", "modified": "2020-10-25T16:22:00.000Z", "name": "Ultimate rule", "description": "To rule them all", "pattern": "rule torcryptomining { meta: description = \\\\\"Tor miner - broken UPX magic string\\\\\" strings: $upx_erase = {(00 FF 99 41|DF DD 30 33)} condition: $upx_erase at 236 }", "pattern_type": "yara", "pattern_version": "4.1.0", "valid_from": "2020-10-25T16:22:00Z", "kill_chain_phases": [ { "kill_chain_name": "misp-category", "phase_name": "misc" } ], "labels": [ "misp:name=\"yara\"", "misp:meta-category=\"misc\"" ] } - MISP
{ "name": "yara", "meta-category": "misc", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "description": "An object describing a YARA rule (or a YARA rule name), its supported YARA version, and optional test-sample hashes. Test samples are true-positive by default; set false-positive=true when needed.", "template_version": "9", "uuid": "cafdd27e-c3e2-4f7a-88b4-4c1c98f18be7", "Attribute": [ { "uuid": "d2b0f465-8ca5-551a-894c-d3ec21cd0110", "object_relation": "yara", "value": "rule torcryptomining { meta: description = \\\\\"Tor miner - broken UPX magic string\\\\\" strings: $upx_erase = {(00 FF 99 41|DF DD 30 33)} condition: $upx_erase at 236 }", "type": "yara", "disable_correlation": false, "to_ids": true, "category": "Payload installation" }, { "uuid": "0fe71d31-a6dc-5935-883b-dc28b7a615c4", "object_relation": "comment", "value": "To rule them all", "type": "comment", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "98838d45-cb33-5ddc-be36-0bc13424f606", "object_relation": "yara-rule-name", "value": "Ultimate rule", "type": "text", "disable_correlation": false, "to_ids": false, "category": "Other" }, { "uuid": "1e168799-82d3-54a0-bdb0-a01d1cb1c782", "object_relation": "version", "value": "4.1.0", "type": "text", "disable_correlation": true, "to_ids": false, "category": "Other" } ], "distribution": "5", "sharing_group_id": "0", "timestamp": "1603642920" }
- STIX - Indicator