From 5c830087a095337d4b408836031b1f1ac4aebdcc Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Tue, 25 Jul 2023 15:24:39 +0200
Subject: [PATCH 1/4] add: [malware-analysis] New object template to describe a static or dynamic analysis performed on a malware instance or family
---
 objects/malware-analysis/definition.json | 79 ++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 objects/malware-analysis/definition.json
diff --git a/objects/malware-analysis/definition.json b/objects/malware-analysis/definition.json
new file mode 100644
index 00000000..1d158ced
--- /dev/null
+++ b/objects/malware-analysis/definition.json
@@ -0,0 +1,79 @@
+{
+ "attributes": {
+ "analysis_definition_version": {
+ "description": "The version of the analysis definitions used by the analysis tool.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "analysis_engine_version": {
+ "description": "The version of the analysis engine or product that was used to perform the analysis.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "configuration_version": {
+ "description": "The named configuration of additional product configuration parameters for this analysis run.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time that the malware analysis ended.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "module": {
+ "description": "The specific analysis module that was used and configured in the product during this analysis run.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "product": {
+ "description": "The name of the analysis engine or product that was used.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "result": {
+ "description": "The classification result as determined by the scanner or tool analysis process.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "benign",
+ "malicious",
+ "suspicious",
+ "unknown"
+ ],
+ "ui-priority": 0
+ },
+ "result_name": {
+ "description": "The classification result or name assigned to the malware instance by the scanner tool.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time that the malware analysis was initiated.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "submitted_time": {
+ "description": "The date and time that the malware was first submitted for scanning or analysis.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "version": {
+ "description": "The version of the analysis product that was used to perform the analysis.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.",
+ "meta-category": "misc",
+ "name": "malware-analysis",
+ "required": [
+ "product"
+ ],
+ "uuid": "8229ee82-7218-4ff5-9eac-57961a6f0288",
+ "version": 1
+}
\ No newline at end of file
From 9486bbbab1884c37a800377a8673959c1c7de11c Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Tue, 25 Jul 2023 16:30:00 +0200
Subject: [PATCH 2/4] add: [malware] New object template to describe a malware
---
 objects/malware/definition.json | 168 ++++++++++++++++++++++++++++++++
 1 file changed, 168 insertions(+)
 create mode 100644 objects/malware/definition.json
diff --git a/objects/malware/definition.json b/objects/malware/definition.json
new file mode 100644
index 00000000..89162d09
--- /dev/null
+++ b/objects/malware/definition.json
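Review bot: The new file is written without a final newline (`\ No newline at end of file` at the end of this hunk, and the same again in the `objects/malware/definition.json` hunk below); a trailing newline keeps the next edit to the last line from showing up as a two-line change. Separately, the descriptions of `analysis_engine_version` ("The version of the analysis engine or product that was used to perform the analysis.") and `version` ("The version of the analysis product that was used to perform the analysis.") read as the same thing, so a contributor has no way to choose between them. Presumably `version` is meant for the product release and `analysis_engine_version` for the scanning engine embedded in it; if so, the `version` description could say that, e.g. `"description": "The version of the analysis product itself, as opposed to the version of its analysis engine or of its detection definitions."`.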
@@ -0,0 +1,168 @@
+{
+ "attributes": {
+ "alias": {
+ "description": "Alternative name used to identify this malware or malware family.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "architecture_execution_env": {
+ "description": "The processor architecture that the malware instance or family is executable on.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "alpha",
+ "arm",
+ "ia-64",
+ "mips",
+ "powerpc",
+ "sparc",
+ "x86",
+ "x86-64"
+ ],
+ "ui-priority": 0
+ },
+ "capability": {
+ "description": "Any of the capabilities identified for the malware instance or family.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "accesses-remote-machines",
+ "anti-debugging",
+ "anti-disassembly",
+ "anti-emulation",
+ "anti-memory-forensics",
+ "anti-sandbox",
+ "anti-vm",
+ "captures-input-peripherals",
+ "captures-output-peripherals",
+ "captures-system-state-data",
+ "cleans-traces-of-infection",
+ "commits-fraud",
+ "communicates-with-c2",
+ "compromises-data-availability",
+ "compromises-data-integrity",
+ "compromises-system-availability",
+ "controls-local-machine",
+ "degrades-security-software",
+ "degrades-system-updates",
+ "determines-c2-server",
+ "emails-spam",
+ "escalates-privileges",
+ "evades-av",
+ "exfiltrates-data",
+ "fingerprints-host",
+ "hides-artifacts",
+ "hides-executing-code",
+ "infects-files",
+ "infects-remote-machines",
+ "installs-other-components",
+ "persists-after-system-reboot",
+ "prevents-artifact-access",
+ "prevents-artifact-deletion",
+ "probes-network-environment",
+ "self-modifies",
+ "steals-authentication-credentials",
+ "violates-system-operational-integrity"
+ ],
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "first_seen": {
+ "description": "The time that the malware instance or family was first seen.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "implementation_language": {
+ "description": "The programming language used to implement the malware instance or family.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "applescript",
+ "bash",
+ "c",
+ "c++",
+ "c#",
+ "go",
+ "java",
+ "javascript",
+ "lua",
+ "objective-c",
+ "perl",
+ "php",
+ "powershell",
+ "python",
+ "ruby",
+ "scala",
+ "swift",
+ "typescript",
+ "visual-basic",
+ "x86-32",
+ "x86-64"
+ ],
+ "ui-priority": 0
+ },
+ "is_family": {
+ "description": "Defines whether the object represents a malware family or a malware instance.",
+ "disable_correlation": true,
+ "misp-attribute": "bool",
+ "ui-priority": 1
+ },
+ "last_seen": {
+ "description": "The time that the malware family or malware instance was last seen.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "malware_type": {
+ "description": "A set of categorizations for the malware being described.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "adware",
+ "backdoor",
+ "bot",
+ "bootkit",
+ "ddos",
+ "downloader",
+ "dropper",
+ "exploit-kit",
+ "keylogger",
+ "ransomware",
+ "remote-access-trojan",
+ "resource-exploitation",
+ "rogue-security-software",
+ "rootkit",
+ "screen-capture",
+ "spyware",
+ "trojan",
+ "unknown",
+ "virus",
+ "webshell",
+ "wiper",
+ "worm"
+ ],
+ "ui-priority": 0
+ },
+ "name": {
+ "description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "Malware is a type of TTP that represents malicious code.",
+ "meta-category": "misc",
+ "name": "malware",
+ "required": [
+ "is_family"
+ ],
+ "uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
+ "version": 1
+}
\ No newline at end of file
From b87cafc35e4fea4b342de708a754c5f272631b00 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 10 Aug 2023 11:39:44 +0200
Subject: [PATCH 3/4] fix: [malware] Fixed `is_family` attribute type
---
 objects/malware/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/malware/definition.json b/objects/malware/definition.json
index 89162d09..69e3f739 100644
--- a/objects/malware/definition.json
+++ b/objects/malware/definition.json
@@ -112,7 +112,7 @@
 "is_family": {
 "description": "Defines whether the object represents a malware family or a malware instance.",
 "disable_correlation": true,
- "misp-attribute": "bool",
+ "misp-attribute": "boolean",
 "ui-priority": 1
 },
 "last_seen": {
From c784a4a6e4f841097bbb89625f49dd0b2fd5b1f2 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Wed, 16 Aug 2023 22:27:37 +0200
Subject: [PATCH 4/4] add: [readme] Added `malware` and `malware-analysis` to the list of available object templates, with a small description for each
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 437d6b73..f5a90ab1 100644
--- a/README.md
+++ b/README.md
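Review bot: The `name` attribute's description states that for a malware family the name MUST be defined, but the template's `required` list only contains `is_family`, so nothing in the template enforces that rule when `is_family` is true; either add `name` to `required`, or, if a conditional requirement cannot be expressed in this format, say in the description that the constraint is left to the submitter. The same description suggests putting a SHA-256 hash into this free-text `name` when no instance name is known; a hash carried as a `text` value seems likely to lose the typed handling a dedicated hash attribute would get, so it may be preferable to state that the hash belongs on a linked file object and to keep `name` for human-readable names. The file also ends without a final newline.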
@@ -271,6 +271,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/macho](https://github.com/MISP/misp-objects/blob/main/objects/macho/definition.json) - Object describing a file in Mach-O format.
 - [objects/macho-section](https://github.com/MISP/misp-objects/blob/main/objects/macho-section/definition.json) - Object describing a section of a file in Mach-O format.
 - [objects/mactime-timeline-analysis](https://github.com/MISP/misp-objects/blob/main/objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
+- [objects/malware](https://github.com/MISP/misp-objects/blob/main/objects/malware/definition.json) - Malware object to describe a malware instance. From STIX 2.1,
+- [objects/malware-analysis](https://github.com/MISP/misp-objects/blob/main/objects/malware-analysis/definition.json) - Malware analysis object to capture the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. From STIX 2.1
 - [objects/malware-config](https://github.com/MISP/misp-objects/blob/main/objects/malware-config/definition.json) - Malware configuration recovered or extracted from a malicious binary.
 - [objects/meme-image](https://github.com/MISP/misp-objects/blob/main/objects/meme-image/definition.json) - Object describing a meme (image).
 - [objects/microblog](https://github.com/MISP/misp-objects/blob/main/objects/microblog/definition.json) - Microblog post like a Twitter tweet or a post on a Facebook wall.