484 lines
12 KiB
JSON
484 lines
12 KiB
JSON
{
|
|
"exercise": {
|
|
"description": "MISP Encoding Exercise : Ransomware infection via e-mail",
|
|
"expanded": "MISP Encoding Exercise : Ransomware infection via e-mail",
|
|
"meta": {
|
|
"author": "MISP Project",
|
|
"level": "beginner",
|
|
"priority": 0
|
|
},
|
|
"name": "MISP Encoding Exercise : Ransomware infection via e-mail",
|
|
"namespace": "data-model",
|
|
"tags": [
|
|
"exercise:software-scope=\"misp\"",
|
|
"state:production"
|
|
],
|
|
"total_duration": "7200",
|
|
"uuid": "eb00428f-40b5-4da7-9402-7ce22a840659",
|
|
"version": "20240624"
|
|
},
|
|
"inject_flow": [
|
|
{
|
|
"description": "event-creation",
|
|
"inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae",
|
|
"reporting_callback": [],
|
|
"requirements": {},
|
|
"sequence": {
|
|
"completion_trigger": [
|
|
"time_expiration",
|
|
"completion"
|
|
],
|
|
"followed_by": [
|
|
"8f636640-e4f0-4ffb-abff-4e85597aa1bd"
|
|
],
|
|
"trigger": [
|
|
"startex"
|
|
]
|
|
},
|
|
"timing": {
|
|
"triggered_at": null
|
|
}
|
|
},
|
|
{
|
|
"description": "infection-email",
|
|
"inject_uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd",
|
|
"reporting_callback": [],
|
|
"requirements": {
|
|
"inject_uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae"
|
|
},
|
|
"sequence": {
|
|
"completion_trigger": [
|
|
"time_expiration",
|
|
"completion"
|
|
],
|
|
"followed_by": [
|
|
"3e61a340-0314-4622-91cc-042f3ff8543a"
|
|
],
|
|
"trigger": [
|
|
]
|
|
},
|
|
"timing": {
|
|
"triggered_at": null
|
|
}
|
|
},
|
|
{
|
|
"description": "malicious-payload",
|
|
"inject_uuid": "3e61a340-0314-4622-91cc-042f3ff8543a",
|
|
"reporting_callback": [],
|
|
"requirements": {
|
|
"inject_uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd"
|
|
},
|
|
"sequence": {
|
|
"completion_trigger": [
|
|
"time_expiration",
|
|
"completion"
|
|
],
|
|
"followed_by": [
|
|
"8a2d58c8-2b3a-4ba2-bb77-15bcfa704828"
|
|
],
|
|
"trigger": [
|
|
]
|
|
},
|
|
"timing": {
|
|
"triggered_at": null
|
|
}
|
|
},
|
|
{
|
|
"description": "c2-ip-address",
|
|
"inject_uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828",
|
|
"reporting_callback": [],
|
|
"requirements": {
|
|
"inject_uuid": "3e61a340-0314-4622-91cc-042f3ff8543a"
|
|
},
|
|
"sequence": {
|
|
"completion_trigger": [
|
|
"time_expiration",
|
|
"completion"
|
|
],
|
|
"followed_by": [
|
|
"9df13cc8-b61b-4c9f-a1a8-66def8b64439"
|
|
],
|
|
"trigger": [
|
|
]
|
|
},
|
|
"timing": {
|
|
"triggered_at": null
|
|
}
|
|
},
|
|
{
|
|
"description": "registry-keys",
|
|
"inject_uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439",
|
|
"reporting_callback": [],
|
|
"requirements": {
|
|
"inject_uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828"
|
|
},
|
|
"sequence": {
|
|
"completion_trigger": [
|
|
"time_expiration",
|
|
"completion"
|
|
],
|
|
"followed_by": [
|
|
"c5c03af1-7ef3-44e7-819a-6c4fd402148a"
|
|
],
|
|
"trigger": [
|
|
]
|
|
},
|
|
"timing": {
|
|
"triggered_at": null
|
|
}
|
|
},
|
|
{
|
|
"description": "asym-encryption-key",
|
|
"inject_uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a",
|
|
"reporting_callback": [],
|
|
"requirements": {
|
|
"inject_uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439"
|
|
},
|
|
"sequence": {
|
|
"completion_trigger": [
|
|
"time_expiration",
|
|
"completion"
|
|
],
|
|
"followed_by": [
|
|
"11f6f0c2-8813-42ee-a312-136649d3f077"
|
|
],
|
|
"trigger": [
|
|
]
|
|
},
|
|
"timing": {
|
|
"triggered_at": null
|
|
}
|
|
},
|
|
{
|
|
"description": "context",
|
|
"inject_uuid": "11f6f0c2-8813-42ee-a312-136649d3f077",
|
|
"reporting_callback": [],
|
|
"requirements": {
|
|
"inject_uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a"
|
|
},
|
|
"sequence": {
|
|
"completion_trigger": [
|
|
"time_expiration",
|
|
"completion"
|
|
],
|
|
"followed_by": [
|
|
"e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f"
|
|
],
|
|
"trigger": [
|
|
]
|
|
},
|
|
"timing": {
|
|
"triggered_at": null
|
|
}
|
|
},
|
|
{
|
|
"description": "published",
|
|
"inject_uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f",
|
|
"reporting_callback": [],
|
|
"requirements": {
|
|
"inject_uuid": "11f6f0c2-8813-42ee-a312-136649d3f077"
|
|
},
|
|
"sequence": {
|
|
"completion_trigger": [
|
|
"time_expiration",
|
|
"completion"
|
|
],
|
|
"trigger": [
|
|
]
|
|
},
|
|
"timing": {
|
|
"triggered_at": null
|
|
}
|
|
}
|
|
],
|
|
"inject_payloads": [
|
|
],
|
|
"injects": [
|
|
{
|
|
"action": "event-creation",
|
|
"inject_evaluation": [
|
|
{
|
|
"parameters": [
|
|
{
|
|
".Event.info": {
|
|
"comparison": "contains",
|
|
"values": [
|
|
"ransomware"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"result": "MISP Event created",
|
|
"evaluation_strategy": "data_filtering",
|
|
"evaluation_context": {
|
|
},
|
|
"score_range": [
|
|
0,
|
|
20
|
|
]
|
|
}
|
|
],
|
|
"name": "Event Creation",
|
|
"target_tool": "MISP",
|
|
"uuid": "8e8dbda2-0f5e-4101-83ff-63c1ddda2cae"
|
|
},
|
|
{
|
|
"action": "infection-email",
|
|
"inject_evaluation": [
|
|
{
|
|
"parameters": [
|
|
{
|
|
".Event.info": {
|
|
"comparison": "contains",
|
|
"values": [
|
|
"ransomware"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
".Event.Object[].Attribute[] | select(.object_relation == \"email-body\")": {
|
|
"extract_type": "all",
|
|
"comparison": "count",
|
|
"values": [
|
|
">=1"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"result": "Infection Email added",
|
|
"evaluation_strategy": "data_filtering",
|
|
"evaluation_context": {
|
|
},
|
|
"score_range": [
|
|
0,
|
|
20
|
|
]
|
|
}
|
|
],
|
|
"name": "Infection Email",
|
|
"target_tool": "MISP",
|
|
"uuid": "8f636640-e4f0-4ffb-abff-4e85597aa1bd"
|
|
},
|
|
{
|
|
"action": "malicious-payload",
|
|
"inject_evaluation": [
|
|
{
|
|
"parameters": [
|
|
{
|
|
".Event.info": {
|
|
"comparison": "contains",
|
|
"values": [
|
|
"ransomware"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
".Event.Object[].Attribute[] | select((.type == \"filename\")).value": {
|
|
"extract_type": "all",
|
|
"comparison": "equals",
|
|
"values": [
|
|
"cryptolocker.exe"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"result": "Malicious payload added",
|
|
"evaluation_strategy": "data_filtering",
|
|
"evaluation_context": {
|
|
},
|
|
"score_range": [
|
|
0,
|
|
20
|
|
]
|
|
}
|
|
],
|
|
"name": "Malicious Payload",
|
|
"target_tool": "MISP",
|
|
"uuid": "3e61a340-0314-4622-91cc-042f3ff8543a"
|
|
},
|
|
{
|
|
"action": "c2-ip",
|
|
"inject_evaluation": [
|
|
{
|
|
"parameters": [
|
|
{
|
|
".Event.info": {
|
|
"comparison": "contains",
|
|
"values": [
|
|
"ransomware"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
".Event.Object[] | select((.name == \"domain-ip\") or (.name == \"ip-port\")) | .Attribute[].value": {
|
|
"extract_type": "all",
|
|
"comparison": "contains",
|
|
"values": [
|
|
"81.177.170.166"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"result": "C2 IP added",
|
|
"evaluation_strategy": "data_filtering",
|
|
"evaluation_context": {
|
|
},
|
|
"score_range": [
|
|
0,
|
|
20
|
|
]
|
|
}
|
|
],
|
|
"name": "C2 IP Address",
|
|
"target_tool": "MISP",
|
|
"uuid": "8a2d58c8-2b3a-4ba2-bb77-15bcfa704828"
|
|
},
|
|
{
|
|
"action": "registry-key",
|
|
"inject_evaluation": [
|
|
{
|
|
"parameters": [
|
|
{
|
|
".Event.info": {
|
|
"comparison": "contains",
|
|
"values": [
|
|
"ransomware"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": {
|
|
"extract_type": "all",
|
|
"comparison": "contains-regex",
|
|
"values": [
|
|
"HKCU.+SOFTWARE.+CryptoLocker.*"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"result": "Registry key added",
|
|
"evaluation_strategy": "data_filtering",
|
|
"evaluation_context": {
|
|
},
|
|
"score_range": [
|
|
0,
|
|
20
|
|
]
|
|
}
|
|
],
|
|
"name": "Registry Keys",
|
|
"target_tool": "MISP",
|
|
"uuid": "9df13cc8-b61b-4c9f-a1a8-66def8b64439"
|
|
},
|
|
{
|
|
"action": "pub-key",
|
|
"inject_evaluation": [
|
|
{
|
|
"parameters": [
|
|
{
|
|
".Event.info": {
|
|
"comparison": "contains",
|
|
"values": [
|
|
"ransomware"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[].value": {
|
|
"extract_type": "all",
|
|
"comparison": "contains-regex",
|
|
"values": [
|
|
"-----BEGIN PUBLIC KEY-----.*"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"result": "Public key added",
|
|
"evaluation_strategy": "data_filtering",
|
|
"evaluation_context": {
|
|
},
|
|
"score_range": [
|
|
0,
|
|
20
|
|
]
|
|
}
|
|
],
|
|
"name": "Public Key",
|
|
"target_tool": "MISP",
|
|
"uuid": "c5c03af1-7ef3-44e7-819a-6c4fd402148a"
|
|
},
|
|
{
|
|
"action": "context",
|
|
"inject_evaluation": [
|
|
{
|
|
"parameters": [
|
|
{
|
|
".Event.info": {
|
|
"comparison": "contains",
|
|
"values": [
|
|
"ransomware"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
".Event.Tag | select(length > 0) | .[].name": {
|
|
"extract_type": "all",
|
|
"comparison": "count",
|
|
"values": [
|
|
">=3"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"result": "Context added",
|
|
"evaluation_strategy": "data_filtering",
|
|
"evaluation_context": {
|
|
},
|
|
"score_range": [
|
|
0,
|
|
20
|
|
]
|
|
}
|
|
],
|
|
"name": "Contextualization",
|
|
"target_tool": "MISP",
|
|
"uuid": "11f6f0c2-8813-42ee-a312-136649d3f077"
|
|
},
|
|
{
|
|
"action": "published",
|
|
"inject_evaluation": [
|
|
{
|
|
"parameters": [
|
|
{
|
|
".Event.info": {
|
|
"comparison": "contains",
|
|
"values": [
|
|
"ransomware"
|
|
]
|
|
}
|
|
},
|
|
{
|
|
".Event.published": {
|
|
"comparison": "equals",
|
|
"values": [
|
|
"1"
|
|
]
|
|
}
|
|
}
|
|
],
|
|
"result": "Event published",
|
|
"evaluation_strategy": "data_filtering",
|
|
"evaluation_context": {
|
|
},
|
|
"score_range": [
|
|
0,
|
|
20
|
|
]
|
|
}
|
|
],
|
|
"name": "Published",
|
|
"target_tool": "MISP",
|
|
"uuid": "e3ef4e5f-454a-48c8-a5d7-b3d1d25ecc9f"
|
|
}
|
|
]
|
|
}
|