MISP
diff --git a/‎README.md‎
Lines changed: 5 additions & 0 deletions b/‎README.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎objects/ADS/definition.json‎
Lines changed: 7 additions & 1 deletion b/‎objects/ADS/definition.json‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎objects/attacker-infra/definition.json‎
Lines changed: 327 additions & 0 deletions b/‎objects/attacker-infra/definition.json‎
Lines changed: 327 additions & 0 deletions
@@ -119,6 +119,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
 - [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification.
 - [objects/attack-step](https://github.com/MISP/misp-objects/blob/main/objects/attack-step/definition.json) - An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.
+- [objects/attacker-infra](https://github.com/MISP/misp-objects/blob/main/objects/attacker-infra/definition.json) - Attacker Infrastructure.
 - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report.
 - [objects/authenticode-signerinfo](https://github.com/MISP/misp-objects/blob/main/objects/authenticode-signerinfo/definition.json) - Authenticode Signer Info.
 - [objects/av-signature](https://github.com/MISP/misp-objects/blob/main/objects/av-signature/definition.json) - Antivirus detection signature.
@@ -162,6 +163,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern.
 - [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.
 - [objects/ddos-claim](https://github.com/MISP/misp-objects/blob/main/objects/ddos-claim/definition.json) - DDoS-claim object describes a current claim of DDoS activity.
+- [objects/ddos-config](https://github.com/MISP/misp-objects/blob/main/objects/ddos-config/definition.json) - DDoS-claim object describes a current claim of DDoS activity.
 - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
 - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
 - [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.
@@ -254,6 +256,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user.
 - [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance.
 - [objects/google-safe-browsing](https://github.com/MISP/misp-objects/blob/main/objects/google-safe-browsing/definition.json) - Google Safe checks a URL against Google's constantly updated list of unsafe web resources.
+- [objects/google-threat-intelligence-report](https://github.com/MISP/misp-objects/blob/main/objects/google-threat-intelligence-report/definition.json) - Google Threat Intelligence report that provides an assessment (verdict, severity and scoring) and combined information from VirusTotal and Mandiant.
 - [objects/greynoise-ip](https://github.com/MISP/misp-objects/blob/main/objects/greynoise-ip/definition.json) - GreyNoise IP Information.
 - [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks.
 - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup.
@@ -382,6 +385,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/script](https://github.com/MISP/misp-objects/blob/main/objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
 - [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.
 - [objects/shadowserver-malware-url-report](https://github.com/MISP/misp-objects/blob/main/objects/shadowserver-malware-url-report/definition.json) - This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, it’s SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case they will often be IoT related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or in the case of a National CSIRT, your country. Ref: https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/.
+- [objects/shadowserver-scan-http-proxy](https://github.com/MISP/misp-objects/blob/main/objects/shadowserver-scan-http-proxy/definition.json) - This report identifies open HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse. https://www.shadowserver.org/what-we-do/network-reporting/open-http-proxy-report/.
 - [objects/shell-commands](https://github.com/MISP/misp-objects/blob/main/objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
 - [objects/shodan-report](https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json) - Shodan Report for a given IP.
 - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.
@@ -435,6 +439,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/typosquatting-finder-result](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder-result/definition.json) - Typosquatting result.
 - [objects/url](https://github.com/MISP/misp-objects/blob/main/objects/url/definition.json) - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.
 - [objects/user-account](https://github.com/MISP/misp-objects/blob/main/objects/user-account/definition.json) - User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.
+- [objects/user-action](https://github.com/MISP/misp-objects/blob/main/objects/user-action/definition.json) - Represent an user action.
 - [objects/vehicle](https://github.com/MISP/misp-objects/blob/main/objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
 - [objects/victim](https://github.com/MISP/misp-objects/blob/main/objects/victim/definition.json) - Victim object describes the target of an attack or abuse.
 - [objects/virustotal-graph](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-graph/definition.json) - VirusTotal graph.
 
@@ -22,6 +22,12 @@
       "multiple": true,
       "ui-priority": 10
     },
+    "categorization_others": {
+      "description": "Provides a mapping of the ADS to the relevant entry in the Att&CK if 'categorization is not sufficient'.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 13
+    },
     "date": {
       "description": "Enter date, when ADS has been created or edited.",
       "misp-attribute": "datetime",
@@ -77,5 +83,5 @@
     "categorization"
   ],
   "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
-  "version": 1
+  "version": 2
 }
@@ -0,0 +1,327 @@
+{
+  "attributes": {
+    "architecture": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "The CPU architecture of the beacon.  Either x86 or x64",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "asn": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "ASN where the IP resides",
+      "misp-attribute": "AS",
+      "ui-priority": 0
+    },
+    "beacon_host": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "C2 of the beacon IP/hostname. (often matches the host that was scanned)",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "beacon_http_get": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "Path that the beacon uses for the GET method",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "beacon_http_post": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "Path that the beacon uses for the POST method",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "beacon_type": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "Protocol that the beacon speaks.  Usually HTTP",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "binary_md5": {
+      "categories": [
+        "Payload delivery"
+      ],
+      "description": "MD5 of the PE binary",
+      "disable_correlation": true,
+      "misp-attribute": "md5",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "binary_sha1": {
+      "categories": [
+        "Payload delivery"
+      ],
+      "description": "SHA1 of the PE binary",
+      "disable_correlation": true,
+      "misp-attribute": "sha1",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "binary_sha256": {
+      "categories": [
+        "Payload delivery"
+      ],
+      "description": "SHA256 of the PE binary",
+      "disable_correlation": true,
+      "misp-attribute": "sha256",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "city": {
+      "categories": [
+        "Other"
+      ],
+      "description": "City location of the IP in question",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "config_md5": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "MD5 of the config file",
+      "disable_correlation": true,
+      "misp-attribute": "md5",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "config_sha1": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "SHA1 of the config file",
+      "disable_correlation": true,
+      "misp-attribute": "sha1",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "config_sha256": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "SHA256 of the config file",
+      "disable_correlation": true,
+      "misp-attribute": "sha256",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "content_length": {
+      "categories": [
+        "Other"
+      ],
+      "description": "The length of the response body in octets",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "content_type": {
+      "categories": [
+        "Other"
+      ],
+      "description": "The MIME type of the body of the request",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "encoded_data": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Base64 encoded config file",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "encoded_length": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Length of the base64 decoded raw config",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "geo": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Country location of the IP",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "hostname": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "Reverse DNS name of the device in question",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "hostname_source": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Source of the hostname field contents",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "http": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "HTTP version in used in response, e.g HTTP/1.1",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "http_code": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "HTTP Response code: e.g., 200, 401, 404",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "http_url": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "URL used to illicit the server response",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "ip": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "IP of the of the URL",
+      "misp-attribute": "ip-src",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "license_id": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "The license number",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "naics": {
+      "categories": [
+        "Other"
+      ],
+      "description": "North American Industry Classification System Code",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "port": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "Port that the response came from",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "protocol": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "Protocol the response came in on",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "region": {
+      "categories": [
+        "Other"
+      ],
+      "description": "State / Province / Administrative region where the device in question resides",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "sector": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Sector of the device in question",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "severity": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Severity of the event",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "tag": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Attribute tags",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "timestamp": {
+      "description": "Time that the IP was probed in UTC+0",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    }
+  },
+  "description": "Attacker Infrastructure",
+  "meta-category": "misc",
+  "name": "attacker-infra",
+  "required": [
+    "ip",
+    "port"
+  ],
+  "uuid": "0211496c-dbcf-465b-a147-3d965da016cd",
+  "version": 2
+}