new: [exercises] Added spearphishing-incident simple exercise
This commit is contained in:
parent
caade24f8c
commit
87401f7ac0
2 changed files with 520 additions and 0 deletions
1
active_exercises/spearphishing-incident.json
Symbolic link
1
active_exercises/spearphishing-incident.json
Symbolic link
|
@ -0,0 +1 @@
|
|||
../exercises/spearphishing-incident.json
|
519
exercises/spearphishing-incident.json
Normal file
519
exercises/spearphishing-incident.json
Normal file
|
@ -0,0 +1,519 @@
|
|||
{
|
||||
"exercise": {
|
||||
"description": "MISP Encoding Exercise : Spearphishing Incident",
|
||||
"expanded": "MISP Encoding Exercise : Spearphishing Incident",
|
||||
"meta": {
|
||||
"author": "MISP Project",
|
||||
"level": "beginner",
|
||||
"priority": 5
|
||||
},
|
||||
"name": "MISP Encoding Exercise : Spearphishing Incident",
|
||||
"namespace": "data-model",
|
||||
"tags": [
|
||||
"exercise:software-scope=\"misp\"",
|
||||
"state:production"
|
||||
],
|
||||
"total_duration": "7200",
|
||||
"uuid": "53b20321-ac8c-4a3e-9c56-e772caf669e6",
|
||||
"version": "20240715"
|
||||
},
|
||||
"inject_flow": [
|
||||
{
|
||||
"description": "event-creation",
|
||||
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd",
|
||||
"reporting_callback": [],
|
||||
"requirements": {},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [],
|
||||
"trigger": [
|
||||
"startex"
|
||||
]
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "IP-address",
|
||||
"inject_uuid": "92fc404b-2dce-4815-8a7e-b68a582c3569",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [],
|
||||
"trigger": []
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "malicious-payloads",
|
||||
"inject_uuid": "cfc47f7c-590c-4897-bfb9-cc72965fee24",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [],
|
||||
"trigger": []
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "Download URL",
|
||||
"inject_uuid": "e849a314-3394-4501-a9e1-126e0e61f11d",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [],
|
||||
"trigger": []
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "CVE",
|
||||
"inject_uuid": "32141393-adce-4007-950c-77b4c7c60a39",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [],
|
||||
"trigger": []
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "C2",
|
||||
"inject_uuid": "a0d7f076-1737-4c1c-af36-c2717885299e",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [],
|
||||
"trigger": []
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "Person",
|
||||
"inject_uuid": "92a55537-0e4c-44f8-8bcd-102c38d343a9",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [],
|
||||
"trigger": []
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "Contextualization",
|
||||
"inject_uuid": "b19e8d39-e64e-4a51-94ee-462cd74b8d24",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [],
|
||||
"trigger": []
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
},
|
||||
{
|
||||
"description": "Published",
|
||||
"inject_uuid": "930459b8-ed61-4e62-b072-071577ea0430",
|
||||
"reporting_callback": [],
|
||||
"requirements": {
|
||||
"inject_uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||||
},
|
||||
"sequence": {
|
||||
"completion_trigger": [
|
||||
"time_expiration",
|
||||
"completion"
|
||||
],
|
||||
"followed_by": [],
|
||||
"trigger": []
|
||||
},
|
||||
"timing": {
|
||||
"triggered_at": null
|
||||
}
|
||||
}
|
||||
],
|
||||
"inject_payloads": [],
|
||||
"injects": [
|
||||
{
|
||||
"action": "event-creation",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "regex",
|
||||
"values": [
|
||||
".*[sS]pear[-\\s]?phishing.*"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "MISP Event created",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {},
|
||||
"score_range": [
|
||||
0,
|
||||
10
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Event Creation",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "a95726bb-2761-442d-8b5c-842e384df2bd"
|
||||
},
|
||||
{
|
||||
"action": "ip-address",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "regex",
|
||||
"values": [
|
||||
".*[sS]pear[-\\s]?phishing.*"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select(.value == \"john.doe@luxembourg.edu\")": {
|
||||
"extract_type": "all",
|
||||
"comparison": "count",
|
||||
"values": [
|
||||
">0"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Email address spoofed",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Email address",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "92fc404b-2dce-4815-8a7e-b68a582c3569"
|
||||
},
|
||||
{
|
||||
"action": "malware-sample",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "regex",
|
||||
"values": [
|
||||
".*[sS]pear[-\\s]?phishing.*"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[].Attribute[].value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"7c08ddb3b57cf9a00f02a484e23a4b6c8a6d738d"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Malware samples added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Malware sample",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "cfc47f7c-590c-4897-bfb9-cc72965fee24"
|
||||
},
|
||||
{
|
||||
"action": "download url",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "regex",
|
||||
"values": [
|
||||
".*[sS]pear[-\\s]?phishing.*"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[].Attribute[] | select((.type == \"url\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"https://evilprovider.com/this-is-not-malicious.exe"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[].Attribute[] | select((.type == \"domain\") or (.type == \"hostname\")).value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
"evilprovider.com"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Download URL added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Download URL",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "e849a314-3394-4501-a9e1-126e0e61f11d"
|
||||
},
|
||||
{
|
||||
"action": "CVE",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "regex",
|
||||
"values": [
|
||||
".*[sS]pear[-\\s]?phishing.*"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"CVE-2015-5465"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "CVE",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "CVE",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "32141393-adce-4007-950c-77b4c7c60a39"
|
||||
},
|
||||
{
|
||||
"action": "C2",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "regex",
|
||||
"values": [
|
||||
".*[sS]pear[-\\s]?phishing.*"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Object[] | select((.name == \"url\")).Attribute[] | select(.type == \"url\").value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "contains-regex",
|
||||
"values": [
|
||||
"https:\\/\\/another\\.evil\\.provider\\.com(:57666)?"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "C2 added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "C2",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "a0d7f076-1737-4c1c-af36-c2717885299e"
|
||||
},
|
||||
{
|
||||
"action": "Email Provider",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "regex",
|
||||
"values": [
|
||||
".*[sS]pear[-\\s]?phishing.*"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"[(.Event.Object[] | select((.name == \"email\")).Attribute[]), .Event.Attribute[]] | .[].value": {
|
||||
"extract_type": "all",
|
||||
"comparison": "contains",
|
||||
"values": [
|
||||
"throwaway-email-provider.com"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Email Provider added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Email Provider",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "92a55537-0e4c-44f8-8bcd-102c38d343a9"
|
||||
},
|
||||
{
|
||||
"action": "context",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "regex",
|
||||
"values": [
|
||||
".*[sS]pear[-\\s]?phishing.*"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.Tag | select(length > 0) | .[].name": {
|
||||
"extract_type": "all",
|
||||
"comparison": "count",
|
||||
"values": [
|
||||
">=3"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Context added",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Contextualization",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "b19e8d39-e64e-4a51-94ee-462cd74b8d24"
|
||||
},
|
||||
{
|
||||
"action": "published",
|
||||
"inject_evaluation": [
|
||||
{
|
||||
"parameters": [
|
||||
{
|
||||
".Event.info": {
|
||||
"comparison": "regex",
|
||||
"values": [
|
||||
".*[sS]pear[-\\s]?phishing.*"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
".Event.published": {
|
||||
"comparison": "equals",
|
||||
"values": [
|
||||
"1"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"result": "Event published",
|
||||
"evaluation_strategy": "data_filtering",
|
||||
"evaluation_context": {},
|
||||
"score_range": [
|
||||
0,
|
||||
20
|
||||
]
|
||||
}
|
||||
],
|
||||
"name": "Published",
|
||||
"target_tool": "MISP",
|
||||
"uuid": "930459b8-ed61-4e62-b072-071577ea0430"
|
||||
}
|
||||
]
|
||||
}
|
Loading…
Reference in a new issue