1+ {
2+ "attributes" : {
3+ "architecture" : {
4+ "categories" : [
5+ " External analysis"
6+ ],
7+ "description" : " The CPU architecture of the beacon. Either x86 or x64" ,
8+ "disable_correlation" : true ,
9+ "misp-attribute" : " text" ,
10+ "multiple" : true ,
11+ "ui-priority" : 0
12+ },
13+ "asn" : {
14+ "categories" : [
15+ " Network activity"
16+ ],
17+ "description" : " ASN where the IP resides" ,
18+ "misp-attribute" : " AS" ,
19+ "ui-priority" : 0
20+ },
21+ "beacon_host" : {
22+ "categories" : [
23+ " External analysis"
24+ ],
25+ "description" : " C2 of the beacon IP/hostname. (often matches the host that was scanned)" ,
26+ "disable_correlation" : true ,
27+ "misp-attribute" : " text" ,
28+ "multiple" : true ,
29+ "ui-priority" : 0
30+ },
31+ "beacon_http_get" : {
32+ "categories" : [
33+ " External analysis"
34+ ],
35+ "description" : " Path that the beacon uses for the GET method" ,
36+ "disable_correlation" : true ,
37+ "misp-attribute" : " text" ,
38+ "multiple" : true ,
39+ "ui-priority" : 0
40+ },
41+ "beacon_http_post" : {
42+ "categories" : [
43+ " External analysis"
44+ ],
45+ "description" : " Path that the beacon uses for the POST method" ,
46+ "disable_correlation" : true ,
47+ "misp-attribute" : " text" ,
48+ "multiple" : true ,
49+ "ui-priority" : 0
50+ },
51+ "beacon_type" : {
52+ "categories" : [
53+ " External analysis"
54+ ],
55+ "description" : " Protocol that the beacon speaks. Usually HTTP" ,
56+ "disable_correlation" : true ,
57+ "misp-attribute" : " text" ,
58+ "multiple" : true ,
59+ "ui-priority" : 0
60+ },
61+ "binary_md5" : {
62+ "categories" : [
63+ " Payload delivery"
64+ ],
65+ "description" : " MD5 of the PE binary" ,
66+ "disable_correlation" : true ,
67+ "misp-attribute" : " md5" ,
68+ "multiple" : true ,
69+ "ui-priority" : 0
70+ },
71+ "binary_sha1" : {
72+ "categories" : [
73+ " Payload delivery"
74+ ],
75+ "description" : " SHA1 of the PE binary" ,
76+ "disable_correlation" : true ,
77+ "misp-attribute" : " sha1" ,
78+ "multiple" : true ,
79+ "ui-priority" : 0
80+ },
81+ "binary_sha256" : {
82+ "categories" : [
83+ " Payload delivery"
84+ ],
85+ "description" : " SHA256 of the PE binary" ,
86+ "disable_correlation" : true ,
87+ "misp-attribute" : " sha256" ,
88+ "multiple" : true ,
89+ "ui-priority" : 0
90+ },
91+ "city" : {
92+ "categories" : [
93+ " Other"
94+ ],
95+ "description" : " City location of the IP in question" ,
96+ "disable_correlation" : true ,
97+ "misp-attribute" : " text" ,
98+ "ui-priority" : 0
99+ },
100+ "config_md5" : {
101+ "categories" : [
102+ " External analysis"
103+ ],
104+ "description" : " MD5 of the config file" ,
105+ "disable_correlation" : true ,
106+ "misp-attribute" : " md5" ,
107+ "multiple" : true ,
108+ "ui-priority" : 0
109+ },
110+ "config_sha1" : {
111+ "categories" : [
112+ " External analysis"
113+ ],
114+ "description" : " SHA1 of the config file" ,
115+ "disable_correlation" : true ,
116+ "misp-attribute" : " sha1" ,
117+ "multiple" : true ,
118+ "ui-priority" : 0
119+ },
120+ "config_sha256" : {
121+ "categories" : [
122+ " External analysis"
123+ ],
124+ "description" : " SHA256 of the config file" ,
125+ "disable_correlation" : true ,
126+ "misp-attribute" : " sha256" ,
127+ "multiple" : true ,
128+ "ui-priority" : 0
129+ },
130+ "content_length" : {
131+ "categories" : [
132+ " Other"
133+ ],
134+ "description" : " The length of the response body in octets" ,
135+ "disable_correlation" : true ,
136+ "misp-attribute" : " text" ,
137+ "multiple" : true ,
138+ "ui-priority" : 0
139+ },
140+ "content_type" : {
141+ "categories" : [
142+ " Other"
143+ ],
144+ "description" : " The MIME type of the body of the request" ,
145+ "disable_correlation" : true ,
146+ "misp-attribute" : " text" ,
147+ "multiple" : true ,
148+ "ui-priority" : 0
149+ },
150+ "encoded_data" : {
151+ "categories" : [
152+ " Other"
153+ ],
154+ "description" : " Base64 encoded config file" ,
155+ "disable_correlation" : true ,
156+ "misp-attribute" : " text" ,
157+ "multiple" : true ,
158+ "ui-priority" : 0
159+ },
160+ "encoded_length" : {
161+ "categories" : [
162+ " Other"
163+ ],
164+ "description" : " Length of the base64 decoded raw config" ,
165+ "disable_correlation" : true ,
166+ "misp-attribute" : " text" ,
167+ "multiple" : true ,
168+ "ui-priority" : 0
169+ },
170+ "geo" : {
171+ "categories" : [
172+ " Other"
173+ ],
174+ "description" : " Country location of the IP" ,
175+ "disable_correlation" : true ,
176+ "misp-attribute" : " text" ,
177+ "ui-priority" : 0
178+ },
179+ "hostname" : {
180+ "categories" : [
181+ " Network activity"
182+ ],
183+ "description" : " Reverse DNS name of the device in question" ,
184+ "misp-attribute" : " text" ,
185+ "ui-priority" : 0
186+ },
187+ "hostname_source" : {
188+ "categories" : [
189+ " Other"
190+ ],
191+ "description" : " Source of the hostname field contents" ,
192+ "disable_correlation" : true ,
193+ "misp-attribute" : " text" ,
194+ "multiple" : true ,
195+ "ui-priority" : 0
196+ },
197+ "http" : {
198+ "categories" : [
199+ " Network activity"
200+ ],
201+ "description" : " HTTP version in used in response, e.g HTTP/1.1" ,
202+ "disable_correlation" : true ,
203+ "misp-attribute" : " text" ,
204+ "multiple" : true ,
205+ "ui-priority" : 0
206+ },
207+ "http_code" : {
208+ "categories" : [
209+ " Network activity"
210+ ],
211+ "description" : " HTTP Response code: e.g., 200, 401, 404" ,
212+ "disable_correlation" : true ,
213+ "misp-attribute" : " text" ,
214+ "multiple" : true ,
215+ "ui-priority" : 0
216+ },
217+ "http_url" : {
218+ "categories" : [
219+ " Network activity"
220+ ],
221+ "description" : " URL used to illicit the server response" ,
222+ "disable_correlation" : true ,
223+ "misp-attribute" : " text" ,
224+ "multiple" : true ,
225+ "ui-priority" : 0
226+ },
227+ "ip" : {
228+ "categories" : [
229+ " Network activity"
230+ ],
231+ "description" : " IP of the of the URL" ,
232+ "misp-attribute" : " ip-src" ,
233+ "multiple" : true ,
234+ "ui-priority" : 0
235+ },
236+ "license_id" : {
237+ "categories" : [
238+ " External analysis"
239+ ],
240+ "description" : " The license number" ,
241+ "disable_correlation" : true ,
242+ "misp-attribute" : " text" ,
243+ "multiple" : true ,
244+ "ui-priority" : 0
245+ },
246+ "naics" : {
247+ "categories" : [
248+ " Other"
249+ ],
250+ "description" : " North American Industry Classification System Code" ,
251+ "disable_correlation" : true ,
252+ "misp-attribute" : " text" ,
253+ "multiple" : true ,
254+ "ui-priority" : 0
255+ },
256+ "port" : {
257+ "categories" : [
258+ " Network activity"
259+ ],
260+ "description" : " Port that the response came from" ,
261+ "disable_correlation" : true ,
262+ "misp-attribute" : " text" ,
263+ "ui-priority" : 0
264+ },
265+ "protocol" : {
266+ "categories" : [
267+ " Network activity"
268+ ],
269+ "description" : " Protocol the response came in on" ,
270+ "disable_correlation" : true ,
271+ "misp-attribute" : " text" ,
272+ "ui-priority" : 0
273+ },
274+ "region" : {
275+ "categories" : [
276+ " Other"
277+ ],
278+ "description" : " State / Province / Administrative region where the device in question resides" ,
279+ "disable_correlation" : true ,
280+ "misp-attribute" : " text" ,
281+ "ui-priority" : 0
282+ },
283+ "sector" : {
284+ "categories" : [
285+ " Other"
286+ ],
287+ "description" : " Sector of the device in question" ,
288+ "disable_correlation" : true ,
289+ "misp-attribute" : " text" ,
290+ "multiple" : true ,
291+ "ui-priority" : 0
292+ },
293+ "severity" : {
294+ "categories" : [
295+ " Other"
296+ ],
297+ "description" : " Severity of the event" ,
298+ "disable_correlation" : true ,
299+ "misp-attribute" : " text" ,
300+ "ui-priority" : 0
301+ },
302+ "tag" : {
303+ "categories" : [
304+ " Other"
305+ ],
306+ "description" : " Attribute tags" ,
307+ "misp-attribute" : " text" ,
308+ "multiple" : true ,
309+ "ui-priority" : 0
310+ },
311+ "timestamp" : {
312+ "description" : " Time that the IP was probed in UTC+0" ,
313+ "disable_correlation" : true ,
314+ "misp-attribute" : " datetime" ,
315+ "ui-priority" : 0
316+ }
317+ },
318+ "description" : " Attacker Infrastructure" ,
319+ "meta-category" : " misc" ,
320+ "name" : " attacker-infra" ,
321+ "required" : [
322+ " ip" ,
323+ " port"
324+ ],
325+ "uuid" : " 0211496c-dbcf-465b-a147-3d965da016cd" ,
326+ "version" : 2
327+ }
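Review bot: `disable_correlation` is set to true on the hash attributes `binary_md5`/`binary_sha1`/`binary_sha256` (lines 66, 76, 86) and `config_md5`/`config_sha1`/`config_sha256` (lines 105, 115, 125), which stops MISP from linking this object to any other event carrying the same payload or config hash — exactly the overlap an analyst wants surfaced — so removing that key from those six entries (correlation is on when it is omitted) is the main thing I would change. Several attributes also use `text` where MISP has a stricter type that gives validation and correlation for free: `port` (line 262) could be `"misp-attribute": "port"`, `http_url` (line 223) `"url"`, and `beacon_host` (line 27) `"hostname"`, while `ip` is typed `ip-src` (line 232) although its description calls it the scanned/C2 host, so `ip-dst` reads as the better fit. `timestamp` (lines 311–316) is the only attribute without a `categories` list, presumably an oversight. Every string value here renders with a leading space (` External analysis`, ` text`, ` 0211496c-…`); if that whitespace is in the committed file rather than a display artifact, the template will fail MISP's category/type validation. Separately, the description on line 221 reads `illicit` where `elicit` is meant.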