Create stix pattern rules for query builder.

[Shivam-apna]

Matching a File with a SHA-256 hash

• [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']

Matching an Email Message with a particular From Email Address and Attachment File Name Using a Regular Expression

• [email-message:from_ref.value MATCHES '.+\\@example\\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\\.exe$']

Matching a File with a SHA-256 hash and a PDF MIME type

• [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f' AND file:mime_type = 'application/x-pdf']

Matching a File with SHA-256 or a MD5 hash (e.g., for the case of two different end point tools generating either an MD5 or a SHA-256), and a different File that has a different SHA-256 hash, against two different Observations

• [file:hashes.'SHA-256' = 'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c' OR file:hashes.MD5 = 'cead3f77f6cda6ec00f57d76c9a6879f'] AND [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']

Matching a File with a MD5 hash, followed by (temporally) a Registry Key object that matches a value, within 5 minutes

• ([file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\foo\\bar']) WITHIN 300 SECONDS

Matching three different, but specific Unix User Accounts

• [user-account:account_type = 'unix' AND user-account:user_id = '1007' AND user-account:account_login = 'Peter'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1008' AND user-account:account_login = 'Paul'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1009' AND user-account:account_login = 'Mary']

Matching an Artifact object PCAP payload header

• [artifact:mime_type = 'application/vnd.tcpdump.pcap' AND artifact:payload_bin MATCHES '\\xd4\\xc3\\xb2\\xa1\\x02\\x00\\x04\\x00']

Matching a File object with a Windows file path

• [file:name = 'foo.dll' AND file:parent_directory_ref.path = 'C:\\Windows\\System32']

Matching on a Windows PE File with high section entropy

• [file:extensions.'windows-pebinary-ext'.sections[*].entropy > 7.0]

Matching on a mismatch between a File object magic number and mime type

• [file:mime_type = 'image/bmp' AND file:magic_number_hex = h'ffd8']

Matching on Network Traffic with a particular destination

• [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.33/32']

Matching on Malware Beaconing to a Domain Name

• [network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = '[example.com](http://example.com/)'] REPEATS 5 TIMES WITHIN 1800 SECONDS

Matching on a Domain Name with IPv4 Resolution

• [domain-name:value = '[www.5z8.info](http://www.5z8.info/)' AND domain-name:resolves_to_refs[*].value = '198.51.100.1/32']

Matching on a URL

• [url:value = 'http://example.com/foo' OR url:value = 'http://example.com/bar']

Matching on an X509 Certificate

• [x509-certificate:issuer = 'CN=WEBMAIL' AND x509-certificate:serial_number = '4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28']

Matching on a Windows Registry Key

• [windows-registry-key:key = 'HKEY_CURRENT_USER\\Software\\CryptoLocker\\Files' OR windows-registry-key:key = 'HKEY_CURRENT_USER\\Software\\Microsoft\\CurrentVersion\\Run\\CryptoLocker_0388']

Matching on a File with a set of properties

• [(file:name = 'pdf.exe' OR file:size = 371712) AND file:created = t'2014-01-13T07:03:17Z']

Matching on an Email Message with specific Sender and Subject

• [email-message:sender_ref.value = '[[email protected]](mailto:[email protected])' AND email-message:subject = 'Conference Info']

Matching on a Custom USB Device

• [x-usb-device:usbdrive.serial_number = '575833314133343231313937']

Matching on Two Processes Launched with a Specific Set of Command Line Arguments Within a Certain Time Window

• [process:command_line MATCHES '^.+>-add GlobalSign.cer -c -s -r localMachine Root$'] FOLLOWEDBY [process:command_line MATCHES'^.+>-add GlobalSign.cer -c -s -r localMachineTrustedPublisher$'] WITHIN 300 SECONDS

Matching on a Network Traffic IP that is part of a particular Subnet

• [network-traffic:dst_ref.value ISSUBSET '2001:0db8:dead:beef:0000:0000:0000:0000/64']

Matching on several different combinations of Malware Artifacts. Note the following pattern requires that both a file and registry key exist, or that one of two processes exist.

• ([file:name = 'foo.dll'] AND [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\foo\\bar']) OR [process:image_ref.name = 'fooproc' OR process:image_ref.name = 'procfoo']

STIX-Patterning-Quick-Reference-Card (1).pdf

• Create a mechanism for queryBuilder output into result queries format.

[wildone]

Title (Key) - Value

Grouping - Plugins?

• And
• Or
• FOLLOWEDBY

Operators ?

• =
• MATCHES

Type of group ? Decorate Group output with characters

• [] - Observation Expresion
• () - Stix pattern expression

Convention
T - Title
K - Key
O - Operator
V - Value
F - Value format to output

Investigate - Qualifier Groups

?? Top Group ( ... ) WITHIN ${V} SECONDS
T: Withing Seconds
K: WITHIN
O:
V: 300
F: WITHIN ${V} SECONDS

?? Top Group REPEATS ${V} TIMES
T: Repeat Times
K: REPEATS
O:
V: 300
F: REPEATS ${V} TIMES

T: File Object Magic Number
K: file:magic_number_hex
O: =
V: ffd8
F: h'${V}'

Easy Patterns

T: File Hash
K: file:hashes.'SHA-256'
O: =
V: aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f

T: Email Domain
K: email-message:from_ref.value
O: MATCHES
V:

T: Email Attachements Name
K: email-message:body_multipart[*].body_raw_ref.name
O: MATCHES
V: ^Final Report.+\.exe$

T: File Type
K: file:mime_type
O: =
V: application/x-pdf

T: File Hash
K: file:hashes.MD5
O: =
V: cead3f77f6cda6ec00f57d76c9a6879f

T: File Hash
K: file:hashes.MD5
O: =
V: cead3f77f6cda6ec00f57d76c9a6879f

T: File Hash
K: file:hashes.MD5
O: FOLLOWEDBY
V: cead3f77f6cda6ec00f57d76c9a6879f

T: Windows Registry Key
K: windows-registry-key:key
O: =
V: HKEY_LOCAL_MACHINE\foo\bar

T: User Account - Account Type
K: user-account:account_type
O: =
V: unix

T: User Account - User Id
K: user-account:user_id
O: =
V: 1007

T: User Account - Account Login
K: user-account:account_login
O: =
V: Peter

T: Artifact - Payload Bin
K: artifact:payload_bin
O: MATCHES
V: \xd4\xc3\xb2\xa1\x02\x00\x04\x00

T: File Name
K: file:name
O: =
V: foo.dll

T: File Path
K: file:parent_directory_ref.path
O: =
V: C:\Windows\System32

T: Windows File Entropy
K: file:extensions.'windows-pebinary-ext'.sections[*].entropy
O: >
V: 7.0

T: Network Traffic Type
K: network-traffic:dst_ref.type
O: =
V: ipv4-addr / domain-name

T: Network Traffic Destination
K: network-traffic:dst_ref.value
O: =
V: 203.0.113.33/32 / example.com

T: Domain Name
K: domain-name:value
O: =
V: www.5z8.info

T: Domain DNS
K: domain-name:resolves_to_refs[*].value
O: =
V: 198.51.100.1/32

T: Url
K: url:value
O: =
V: http://example.com/foo

T: Certificate Issuer
K: x509-certificate:issuer
O: =
V: CN=WEBMAIL

T: Certificate Number
K: x509-certificate:serial_number
O: =
V: 4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28

T: File Created Date
K: file:created
O: =
V: 2014-01-13T07:03:17Z
F: t'${V}'

T: Email Sender
K: email-message:sender_ref.value
O: =
V: [email protected]

T: Email Subject
K: email-message:subject
O: =
V: Conference Info

T: USB Serial
K: x-usb-device:usbdrive.serial_number
O: =
V: 575833314133343231313937

T: Process
K: process:command_line
O: MATCHES
V: ^.+>-add GlobalSign.cer -c -s -r localMachine Root$

T: Certain Time Window
K: process:command_line
O: MATCHES
V: ^.+>-add GlobalSign.cer -c -s -r localMachineTrustedPublisher$

T: Network Traffic
K: [network-traffic:dst_ref.value
O: ISSUBSET
V: 2001:0db8:dead:beef:0000:0000:0000:0000/64

T: Malware Artifacts
K: file:name
O:
V: foo.dll

T: Registry Key
K: [windows-registry-key:key
O:
V: HKEY_LOCAL_MACHINE\foo\bar

T: Malware Artifacts
K: process:image_ref.name
O:
V: fooproc

T: File Type
K: process:image_ref.name
O:
V: procfoo