SkillAegis/exercises/ransomware-encoding.json

484 lines
12 KiB
JSON

{
"exercise": {
"description": "MISP Encoding Exercise : Ransomware infection via e-mail",
"expanded": "MISP Encoding Exercise : Ransomware infection via e-mail",
"meta": {
"author": "MISP Project",
"level": "advanced",
"priority": 10
},
"name": "MISP Encoding Exercise : Ransomware infection via e-mail",
"namespace": "data-model",
"tags": [
"exercise:software-scope=\"misp\"",
"state:production"
],
"total_duration": "7200",
"uuid": "eb00428f-40b5-4da7-9402-7ce22a840659",
"version": "20240624"
},
"inject_flow": [
{
"description": "event-creation",
"inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae",
"reporting_callback": [],
"requirements": {},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
"8f636640-e4f0-4ffb-abff-4e85597aa1bd"
],
"trigger": [
"startex"
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "infection-email",
"inject_uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd",
"reporting_callback": [],
"requirements": {
"inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
"3e61a340-0314-4622-91cc-042f3ff8543a"
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "malicious-payload",
"inject_uuid": "3e61a340-0314-4622-91cc-042f3ff8543a",
"reporting_callback": [],
"requirements": {
"inject_uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
"8a2d58c8-2b3a-4ba2-bb77-15bcfa704828"
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "c2-ip-address",
"inject_uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828",
"reporting_callback": [],
"requirements": {
"inject_uuid": "3e61a340-0314-4622-91cc-042f3ff8543a"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
"9df13cc8-b61b-4c9f-a1a8-66def8b64439"
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "registry-keys",
"inject_uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439",
"reporting_callback": [],
"requirements": {
"inject_uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
"c5c03af1-7ef3-44e7-819a-6c4fd402148a"
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "asym-encryption-key",
"inject_uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a",
"reporting_callback": [],
"requirements": {
"inject_uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
"11f6f0c2-8813-42ee-a312-136649d3f077"
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "context",
"inject_uuid": "11f6f0c2-8813-42ee-a312-136649d3f077",
"reporting_callback": [],
"requirements": {
"inject_uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"followed_by": [
"e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f"
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
},
{
"description": "published",
"inject_uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f",
"reporting_callback": [],
"requirements": {
"inject_uuid": "11f6f0c2-8813-42ee-a312-136649d3f077"
},
"sequence": {
"completion_trigger": [
"time_expiration",
"completion"
],
"trigger": [
]
},
"timing": {
"triggered_at": null
}
}
],
"inject_payloads": [
],
"injects": [
{
"action": "event-creation",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"ransomware"
]
}
}
],
"result": "MISP Event created",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Event Creation",
"target_tool": "MISP",
"uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae"
},
{
"action": "infection-email",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"ransomware"
]
}
},
{
".Event.Object[].Attribute[] | select(.object_relation == \"email-body\")": {
"extract_type": "all",
"comparison": "count",
"values": [
">=1"
]
}
}
],
"result": "Infection Email added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Infection Email",
"target_tool": "MISP",
"uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd"
},
{
"action": "malicious-payload",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"ransomware"
]
}
},
{
".Event.Object[].Attribute[] | select((.type == \"filename\")).value": {
"extract_type": "all",
"comparison": "equals",
"values": [
"cryptolocker.exe"
]
}
}
],
"result": "Malicious payload added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Malicious Payload",
"target_tool": "MISP",
"uuid": "3e61a340-0314-4622-91cc-042f3ff8543a"
},
{
"action": "c2-ip",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"ransomware"
]
}
},
{
".Event.Object[] | select((.name == \"domain-ip\") or (.name == \"ip-port\")) | .Attribute[].value": {
"extract_type": "all",
"comparison": "contains",
"values": [
"81.177.170.166"
]
}
}
],
"result": "C2 IP added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "C2 IP Address",
"target_tool": "MISP",
"uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828"
},
{
"action": "registry-key",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"ransomware"
]
}
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": {
"extract_type": "all",
"comparison": "contains-regex",
"values": [
"HKCU.+SOFTWARE.+CryptoLocker.*"
]
}
}
],
"result": "Registry key added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Registry Keys",
"target_tool": "MISP",
"uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439"
},
{
"action": "pub-key",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"ransomware"
]
}
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": {
"extract_type": "all",
"comparison": "contains-regex",
"values": [
"-----BEGIN PUBLIC KEY-----.*"
]
}
}
],
"result": "Public key added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Public Key",
"target_tool": "MISP",
"uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a"
},
{
"action": "context",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"ransomware"
]
}
},
{
".Event.Tag | select(length > 0) | .[].name": {
"extract_type": "all",
"comparison": "count",
"values": [
">=3"
]
}
}
],
"result": "Context added",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Contextualization",
"target_tool": "MISP",
"uuid": "11f6f0c2-8813-42ee-a312-136649d3f077"
},
{
"action": "published",
"inject_evaluation": [
{
"parameters": [
{
".Event.info": {
"comparison": "contains",
"values": [
"ransomware"
]
}
},
{
".Event.published": {
"comparison": "equals",
"values": [
"1"
]
}
}
],
"result": "Event published",
"evaluation_strategy": "data_filtering",
"evaluation_context": {
},
"score_range": [
0,
20
]
}
],
"name": "Published",
"target_tool": "MISP",
"uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f"
}
]
}