MISP/SkillAegis
MISP/SkillAegis
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
SkillAegis/exercises/scam-call-encoding.json

558 lines
14 KiB
JSON
Raw Normal View History

new: [exercises] Added scamcall exercise and fixed basic-event-creation
2024-07-02 09:39:45 +00:00
{
"exercise": {
"description": "MISP Encoding Exercise : Scam Call",
"expanded": "MISP Encoding Exercise : Scam Call",
"meta": {
"author": "MISP Project",
"level": "beginner",
"priority": 5
},
"name": "MISP Encoding Exercise : Scam Call",
"namespace": "data-model",
"tags": [
"exercise:software-scope=\"misp\"",
"state:production"
],
"total_duration": "7200",
"uuid": "6c61b3a5-a760-4bac-be23-de97af397c2f",
"version": "20240702"
},
"inject_flow": [
{
"description": "event-creation",
"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd",
"reporting_callback": [],
"requirements": {},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
"startex"
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "IP-address",
"inject_uuid": "cdf465dc-a859-43ed-b782-510427cfb451",
"reporting_callback": [],
"requirements": {
"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "malicious-payload",
"inject_uuid": "79c8a538-28de-4edf-b0e2-253c59cbb973",
"reporting_callback": [],
"requirements": {
"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "Download URL",
"inject_uuid": "60c6cfcc-99be-4b98-9eb7-e0a3e77bb449",
"reporting_callback": [],
"requirements": {
"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "IBAN Number",
"inject_uuid": "ab32278b-a8e4-4539-8c1b-f262a2706ca8",
"reporting_callback": [],
"requirements": {
"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "Phone Number",
"inject_uuid": "ee4a684e-2648-419a-bd65-29ab219660c4",
"reporting_callback": [],
"requirements": {
"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "Person",
"inject_uuid": "14d11e1b-6609-47d5-9867-91996f432f34",
"reporting_callback": [],
"requirements": {
"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "Contextualization",
"inject_uuid": "4c242d49-fcf7-4c76-974b-6d5983c0eff9",
"reporting_callback": [],
"requirements": {
new: [backend:exercies] Added `equals_any` comparison operator and improved scamcall
2024-07-02 10:13:41 +00:00
"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
new: [exercises] Added scamcall exercise and fixed basic-event-creation
2024-07-02 09:39:45 +00:00
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "Published",
"inject_uuid": "68cc60ff-e659-4589-88e5-7490fa4e1dfa",
"reporting_callback": [],
"requirements": {
"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
}
],
"inject_payloads": [
],
"injects": [
{
"action": "event-creation",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"scam",
"call"
]
}
}
],
"result": "MISP Event created",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
10
]
}
],
"name": "Event Creation",
"target_tool": "MISP",
"uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
},
{
"action": "ip-address",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"scam",
"call"
]
}
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select(.value == \"194.78.89.250\").to_ids": {
"extract_type": "all",
"comparison": "contains",
"values": [
true,
1
]
}
}
],
"result": "IP Address added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "IP Address",
"target_tool": "MISP",
"uuid": "cdf465dc-a859-43ed-b782-510427cfb451"
},
{
"action": "malware-sample",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"scam",
"call"
]
}
},
{
".Event.Object[].Attribute[] | select((.type == \"sha1\")).value": {
"extract_type": "all",
"comparison": "equals",
"values": [
"04d496d39bc9409bfdabdeb07002b97093b58f77"
]
}
}
],
"result": "Malware sample added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Malware sample",
"target_tool": "MISP",
"uuid": "79c8a538-28de-4edf-b0e2-253c59cbb973"
},
{
"action": "url",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"scam",
"call"
]
}
},
{
".Event.Object[].Attribute[] | select((.type == \"url\")).value": {
"extract_type": "all",
"comparison": "equals",
"values": [
"https://zdgyot.ugic0k.ru/assets/bin.exe"
]
}
},
{
new: [backend:exercies] Added `equals_any` comparison operator and improved scamcall
2024-07-02 10:13:41 +00:00
".Event.Object[].Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": {
new: [exercises] Added scamcall exercise and fixed basic-event-creation
2024-07-02 09:39:45 +00:00
"extract_type": "all",
"comparison": "equals",
"values": [
"zdgyot.ugic0k.ru"
]
}
}
],
"result": "Download URL added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Download URL",
"target_tool": "MISP",
"uuid": "60c6cfcc-99be-4b98-9eb7-e0a3e77bb449"
},
{
"action": "iban",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"scam",
"call"
]
}
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"iban\")).value": {
"extract_type": "all",
"comparison": "contains",
"values": [
"GB29NWBK60161331926819"
]
}
}
],
"result": "IBAN Number added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "IBAN Number",
"target_tool": "MISP",
"uuid": "ab32278b-a8e4-4539-8c1b-f262a2706ca8"
},
{
"action": "phone",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"scam",
"call"
]
}
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"phone-number\")).value": {
"extract_type": "all",
"comparison": "contains-regex",
"values": [
"\\+?12243359185"
]
}
}
],
"result": "Phone Number added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Phone Number",
"target_tool": "MISP",
"uuid": "ee4a684e-2648-419a-bd65-29ab219660c4"
},
{
"action": "person",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"scam",
"call"
]
}
},
{
new: [backend:exercies] Added `equals_any` comparison operator and improved scamcall
2024-07-02 10:13:41 +00:00
".Event.Object[] | select((.name == \"person\")).distribution": {
"comparison": "equals_any",
new: [exercises] Added scamcall exercise and fixed basic-event-creation
2024-07-02 09:39:45 +00:00
"values": [
"0",
"1",
"4"
]
}
}
],
"result": "Person added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Person",
"target_tool": "MISP",
"uuid": "14d11e1b-6609-47d5-9867-91996f432f34"
},
{
"action": "context",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"scam",
"call"
]
}
},
{
".Event.Tag | select(length > 0) | .[].name": {
"extract_type": "all",
"comparison": "count",
"values": [
">=3"
]
}
}
],
"result": "Context added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Contextualization",
"target_tool": "MISP",
"uuid": "4c242d49-fcf7-4c76-974b-6d5983c0eff9"
},
{
"action": "published",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"scam",
"call"
]
}
},
{
".Event.published": {
"comparison": "equals",
"values": [
"1"
]
}
}
],
"result": "Event published",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Published",
"target_tool": "MISP",
"uuid": "68cc60ff-e659-4589-88e5-7490fa4e1dfa"
}
]
}
Reference in a new issue Copy permalink