519 lines
13 KiB
JSON
519 lines
13 KiB
JSON
|
{
|
||
|
"exercise": {
|
||
|
"description": "MISP Encoding Exercise : Spearphishing Incident",
|
||
|
"expanded": "MISP Encoding Exercise : Spearphishing Incident",
|
||
|
"meta": {
|
||
|
"author": "MISP Project",
|
||
|
"level": "beginner",
|
||
|
"priority": 5
|
||
|
},
|
||
|
"name": "MISP Encoding Exercise : Spearphishing Incident",
|
||
|
"namespace": "data-model",
|
||
|
"tags": [
|
||
|
"exercise:software-scope=\"misp\"",
|
||
|
"state:production"
|
||
|
],
|
||
|
"total_duration": "7200",
|
||
|
"uuid": "53b20321-ac8c-4a3e-9c56-e772caf669e6",
|
||
|
"version": "20240715"
|
||
|
},
|
||
|
"inject_flow": [
|
||
|
{
|
||
|
"description": "event-creation",
|
||
|
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd",
|
||
|
"reporting_callback": [],
|
||
|
"requirements": {},
|
||
|
"sequence": {
|
||
|
"completion_trigger": [
|
||
|
"time_expiration",
|
||
|
"completion"
|
||
|
],
|
||
|
"followed_by": [],
|
||
|
"trigger": [
|
||
|
"startex"
|
||
|
]
|
||
|
},
|
||
|
"timing": {
|
||
|
"triggered_at": null
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"description": "IP-address",
|
||
|
"inject_uuid": "92fc404b-2dce-4815-8a7e-b68a582c3569",
|
||
|
"reporting_callback": [],
|
||
|
"requirements": {
|
||
|
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||
|
},
|
||
|
"sequence": {
|
||
|
"completion_trigger": [
|
||
|
"time_expiration",
|
||
|
"completion"
|
||
|
],
|
||
|
"followed_by": [],
|
||
|
"trigger": []
|
||
|
},
|
||
|
"timing": {
|
||
|
"triggered_at": null
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"description": "malicious-payloads",
|
||
|
"inject_uuid": "cfc47f7c-590c-4897-bfb9-cc72965fee24",
|
||
|
"reporting_callback": [],
|
||
|
"requirements": {
|
||
|
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||
|
},
|
||
|
"sequence": {
|
||
|
"completion_trigger": [
|
||
|
"time_expiration",
|
||
|
"completion"
|
||
|
],
|
||
|
"followed_by": [],
|
||
|
"trigger": []
|
||
|
},
|
||
|
"timing": {
|
||
|
"triggered_at": null
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"description": "Download URL",
|
||
|
"inject_uuid": "e849a314-3394-4501-a9e1-126e0e61f11d",
|
||
|
"reporting_callback": [],
|
||
|
"requirements": {
|
||
|
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||
|
},
|
||
|
"sequence": {
|
||
|
"completion_trigger": [
|
||
|
"time_expiration",
|
||
|
"completion"
|
||
|
],
|
||
|
"followed_by": [],
|
||
|
"trigger": []
|
||
|
},
|
||
|
"timing": {
|
||
|
"triggered_at": null
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"description": "CVE",
|
||
|
"inject_uuid": "32141393-adce-4007-950c-77b4c7c60a39",
|
||
|
"reporting_callback": [],
|
||
|
"requirements": {
|
||
|
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||
|
},
|
||
|
"sequence": {
|
||
|
"completion_trigger": [
|
||
|
"time_expiration",
|
||
|
"completion"
|
||
|
],
|
||
|
"followed_by": [],
|
||
|
"trigger": []
|
||
|
},
|
||
|
"timing": {
|
||
|
"triggered_at": null
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"description": "C2",
|
||
|
"inject_uuid": "a0d7f076-1737-4c1c-af36-c2717885299e",
|
||
|
"reporting_callback": [],
|
||
|
"requirements": {
|
||
|
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||
|
},
|
||
|
"sequence": {
|
||
|
"completion_trigger": [
|
||
|
"time_expiration",
|
||
|
"completion"
|
||
|
],
|
||
|
"followed_by": [],
|
||
|
"trigger": []
|
||
|
},
|
||
|
"timing": {
|
||
|
"triggered_at": null
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"description": "Person",
|
||
|
"inject_uuid": "92a55537-0e4c-44f8-8bcd-102c38d343a9",
|
||
|
"reporting_callback": [],
|
||
|
"requirements": {
|
||
|
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||
|
},
|
||
|
"sequence": {
|
||
|
"completion_trigger": [
|
||
|
"time_expiration",
|
||
|
"completion"
|
||
|
],
|
||
|
"followed_by": [],
|
||
|
"trigger": []
|
||
|
},
|
||
|
"timing": {
|
||
|
"triggered_at": null
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"description": "Contextualization",
|
||
|
"inject_uuid": "b19e8d39-e64e-4a51-94ee-462cd74b8d24",
|
||
|
"reporting_callback": [],
|
||
|
"requirements": {
|
||
|
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||
|
},
|
||
|
"sequence": {
|
||
|
"completion_trigger": [
|
||
|
"time_expiration",
|
||
|
"completion"
|
||
|
],
|
||
|
"followed_by": [],
|
||
|
"trigger": []
|
||
|
},
|
||
|
"timing": {
|
||
|
"triggered_at": null
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"description": "Published",
|
||
|
"inject_uuid": "930459b8-ed61-4e62-b072-071577ea0430",
|
||
|
"reporting_callback": [],
|
||
|
"requirements": {
|
||
|
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||
|
},
|
||
|
"sequence": {
|
||
|
"completion_trigger": [
|
||
|
"time_expiration",
|
||
|
"completion"
|
||
|
],
|
||
|
"followed_by": [],
|
||
|
"trigger": []
|
||
|
},
|
||
|
"timing": {
|
||
|
"triggered_at": null
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"inject_payloads": [],
|
||
|
"injects": [
|
||
|
{
|
||
|
"action": "event-creation",
|
||
|
"inject_evaluation": [
|
||
|
{
|
||
|
"parameters": [
|
||
|
{
|
||
|
".Event.info": {
|
||
|
"comparison": "regex",
|
||
|
"values": [
|
||
|
".*[sS]pear[-\\s]?phishing.*"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"result": "MISP Event created",
|
||
|
"evaluation_strategy": "data_filtering",
|
||
|
"evaluation_context": {},
|
||
|
"score_range": [
|
||
|
0,
|
||
|
10
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"name": "Event Creation",
|
||
|
"target_tool": "MISP",
|
||
|
"uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||
|
},
|
||
|
{
|
||
|
"action": "ip-address",
|
||
|
"inject_evaluation": [
|
||
|
{
|
||
|
"parameters": [
|
||
|
{
|
||
|
".Event.info": {
|
||
|
"comparison": "regex",
|
||
|
"values": [
|
||
|
".*[sS]pear[-\\s]?phishing.*"
|
||
|
]
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select(.value == \"john.doe@luxembourg.edu\")": {
|
||
|
"extract_type": "all",
|
||
|
"comparison": "count",
|
||
|
"values": [
|
||
|
">0"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"result": "Email address spoofed",
|
||
|
"evaluation_strategy": "data_filtering",
|
||
|
"evaluation_context": {},
|
||
|
"score_range": [
|
||
|
0,
|
||
|
20
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"name": "Email address",
|
||
|
"target_tool": "MISP",
|
||
|
"uuid": "92fc404b-2dce-4815-8a7e-b68a582c3569"
|
||
|
},
|
||
|
{
|
||
|
"action": "malware-sample",
|
||
|
"inject_evaluation": [
|
||
|
{
|
||
|
"parameters": [
|
||
|
{
|
||
|
".Event.info": {
|
||
|
"comparison": "regex",
|
||
|
"values": [
|
||
|
".*[sS]pear[-\\s]?phishing.*"
|
||
|
]
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
".Event.Object[].Attribute[].value": {
|
||
|
"extract_type": "all",
|
||
|
"comparison": "contains",
|
||
|
"values": [
|
||
|
"7c08ddb3b57cf9a00f02a484e23a4b6c8a6d738d"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"result": "Malware samples added",
|
||
|
"evaluation_strategy": "data_filtering",
|
||
|
"evaluation_context": {},
|
||
|
"score_range": [
|
||
|
0,
|
||
|
20
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"name": "Malware sample",
|
||
|
"target_tool": "MISP",
|
||
|
"uuid": "cfc47f7c-590c-4897-bfb9-cc72965fee24"
|
||
|
},
|
||
|
{
|
||
|
"action": "download url",
|
||
|
"inject_evaluation": [
|
||
|
{
|
||
|
"parameters": [
|
||
|
{
|
||
|
".Event.info": {
|
||
|
"comparison": "regex",
|
||
|
"values": [
|
||
|
".*[sS]pear[-\\s]?phishing.*"
|
||
|
]
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
".Event.Object[].Attribute[] | select((.type == \"url\")).value": {
|
||
|
"extract_type": "all",
|
||
|
"comparison": "contains",
|
||
|
"values": [
|
||
|
"https://evilprovider.com/this-is-not-malicious.exe"
|
||
|
]
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
".Event.Object[].Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": {
|
||
|
"extract_type": "all",
|
||
|
"comparison": "equals",
|
||
|
"values": [
|
||
|
"evilprovider.com"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"result": "Download URL added",
|
||
|
"evaluation_strategy": "data_filtering",
|
||
|
"evaluation_context": {},
|
||
|
"score_range": [
|
||
|
0,
|
||
|
20
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"name": "Download URL",
|
||
|
"target_tool": "MISP",
|
||
|
"uuid": "e849a314-3394-4501-a9e1-126e0e61f11d"
|
||
|
},
|
||
|
{
|
||
|
"action": "CVE",
|
||
|
"inject_evaluation": [
|
||
|
{
|
||
|
"parameters": [
|
||
|
{
|
||
|
".Event.info": {
|
||
|
"comparison": "regex",
|
||
|
"values": [
|
||
|
".*[sS]pear[-\\s]?phishing.*"
|
||
|
]
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": {
|
||
|
"extract_type": "all",
|
||
|
"comparison": "contains",
|
||
|
"values": [
|
||
|
"CVE-2015-5465"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"result": "CVE",
|
||
|
"evaluation_strategy": "data_filtering",
|
||
|
"evaluation_context": {},
|
||
|
"score_range": [
|
||
|
0,
|
||
|
20
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"name": "CVE",
|
||
|
"target_tool": "MISP",
|
||
|
"uuid": "32141393-adce-4007-950c-77b4c7c60a39"
|
||
|
},
|
||
|
{
|
||
|
"action": "C2",
|
||
|
"inject_evaluation": [
|
||
|
{
|
||
|
"parameters": [
|
||
|
{
|
||
|
".Event.info": {
|
||
|
"comparison": "regex",
|
||
|
"values": [
|
||
|
".*[sS]pear[-\\s]?phishing.*"
|
||
|
]
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
".Event.Object[] | select((.name == \"url\")).Attribute[] | select(.type == \"url\").value": {
|
||
|
"extract_type": "all",
|
||
|
"comparison": "contains-regex",
|
||
|
"values": [
|
||
|
"https:\\/\\/another\\.evil\\.provider\\.com(:57666)?"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"result": "C2 added",
|
||
|
"evaluation_strategy": "data_filtering",
|
||
|
"evaluation_context": {},
|
||
|
"score_range": [
|
||
|
0,
|
||
|
20
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"name": "C2",
|
||
|
"target_tool": "MISP",
|
||
|
"uuid": "a0d7f076-1737-4c1c-af36-c2717885299e"
|
||
|
},
|
||
|
{
|
||
|
"action": "Email Provider",
|
||
|
"inject_evaluation": [
|
||
|
{
|
||
|
"parameters": [
|
||
|
{
|
||
|
".Event.info": {
|
||
|
"comparison": "regex",
|
||
|
"values": [
|
||
|
".*[sS]pear[-\\s]?phishing.*"
|
||
|
]
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
"[(.Event.Object[] | select((.name == \"email\")).Attribute[]), .Event.Attribute[]] | .[].value": {
|
||
|
"extract_type": "all",
|
||
|
"comparison": "contains",
|
||
|
"values": [
|
||
|
"throwaway-email-provider.com"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"result": "Email Provider added",
|
||
|
"evaluation_strategy": "data_filtering",
|
||
|
"evaluation_context": {},
|
||
|
"score_range": [
|
||
|
0,
|
||
|
20
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"name": "Email Provider",
|
||
|
"target_tool": "MISP",
|
||
|
"uuid": "92a55537-0e4c-44f8-8bcd-102c38d343a9"
|
||
|
},
|
||
|
{
|
||
|
"action": "context",
|
||
|
"inject_evaluation": [
|
||
|
{
|
||
|
"parameters": [
|
||
|
{
|
||
|
".Event.info": {
|
||
|
"comparison": "regex",
|
||
|
"values": [
|
||
|
".*[sS]pear[-\\s]?phishing.*"
|
||
|
]
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
".Event.Tag | select(length > 0) | .[].name": {
|
||
|
"extract_type": "all",
|
||
|
"comparison": "count",
|
||
|
"values": [
|
||
|
">=3"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"result": "Context added",
|
||
|
"evaluation_strategy": "data_filtering",
|
||
|
"evaluation_context": {},
|
||
|
"score_range": [
|
||
|
0,
|
||
|
20
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"name": "Contextualization",
|
||
|
"target_tool": "MISP",
|
||
|
"uuid": "b19e8d39-e64e-4a51-94ee-462cd74b8d24"
|
||
|
},
|
||
|
{
|
||
|
"action": "published",
|
||
|
"inject_evaluation": [
|
||
|
{
|
||
|
"parameters": [
|
||
|
{
|
||
|
".Event.info": {
|
||
|
"comparison": "regex",
|
||
|
"values": [
|
||
|
".*[sS]pear[-\\s]?phishing.*"
|
||
|
]
|
||
|
}
|
||
|
},
|
||
|
{
|
||
|
".Event.published": {
|
||
|
"comparison": "equals",
|
||
|
"values": [
|
||
|
"1"
|
||
|
]
|
||
|
}
|
||
|
}
|
||
|
],
|
||
|
"result": "Event published",
|
||
|
"evaluation_strategy": "data_filtering",
|
||
|
"evaluation_context": {},
|
||
|
"score_range": [
|
||
|
0,
|
||
|
20
|
||
|
]
|
||
|
}
|
||
|
],
|
||
|
"name": "Published",
|
||
|
"target_tool": "MISP",
|
||
|
"uuid": "930459b8-ed61-4e62-b072-071577ea0430"
|
||
|
}
|
||
|
]
|
||
|
}
|