Skip to content

Instantly share code, notes, and snippets.

@traut

traut/stix21-sample-bundle.json

Last active December 9, 2021 10:24
Show Gist options
  • Save traut/05d70be673133b0b4c938057fb38da04 to your computer and use it in GitHub Desktop.
Save traut/05d70be673133b0b4c938057fb38da04 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
stix21-sample-bundle.json
{
"type": "bundle",
"id": "bundle--a6fb81b8-46c7-40de-85be-bee510f08d1b",
"objects": [
{
"type": "campaign",
"spec_version": "2.1",
"id": "campaign--12a111f0-b824-4baf-a224-83b80237a094",
"lang": "en",
"created": "2017-02-08T21:31:22.007Z",
"modified": "2017-02-08T21:31:22.007Z",
"name": "Bank Attack",
"description": "Some description about attack on the Bank",
"created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65",
"granular_markings": [
{
"selectors": ["description"],
"lang": "de"
}
],
"object_marking_refs": [
"marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
],
"granular_markings": [
{
"marking_ref": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"selectors": ["description", "name"]
}
]
},
{
"type": "artifact",
"spec_version": "2.1",
"id": "artifact--6f437177-6e48-5cf8-9d9e-872a2bddd641",
"mime_type": "application/zip",
"payload_bin": "dGVzdC1iaW4tcGF5bG9hZA==",
"encryption_algorithm": "mime-type-indicated",
"decryption_key": "My voice is my passport"
},
{
"type": "autonomous-system",
"spec_version": "2.1",
"id": "autonomous-system--f720c34b-98ae-597f-ade5-27dc241e8c74",
"number": 15139,
"name": "Slime Industries",
"rir": "ARIN"
},
{
"type": "directory",
"spec_version": "2.1",
"id": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05",
"path": "C:\\Windows\\System32"
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5",
"value": "example.com"
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd",
"value": "198.51.100.3"
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--61cd40a7-0547-553e-8127-c9ee44ec47b3",
"value": "198.127.0.123"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--ecca811f-f6ce-4c46-86c6-1ea1b1d58a0a",
"created": "2018-11-23T08:17:27.000Z",
"modified": "2018-11-23T08:17:27.000Z",
"relationship_type": "resolves-to",
"source_ref": "domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5",
"target_ref": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd"
},
{
"type": "email-addr",
"spec_version": "2.1",
"id": "email-addr--2d77a846-6264-5d51-b586-e43822ea1ea3",
"value": "[email protected]",
"display_name": "John Doe",
"belongs_to_ref": "user-account--9bd3afcf-deee-54f9-83e2-520653cb6bba"
},
{
"type": "email-message",
"spec_version": "2.1",
"id": "email-message--e2846b57-e113-5272-8a16-9059d4a6784e",
"from_ref": "email-addr--2d77a846-6264-5d51-b586-e43822ea1ea3",
"subject": "Dummy email subject",
"is_multipart": false,
"body": "Dummy email body",
"date": "2004-04-19T12:22:23.000Z",
"additional_header_fields": {
"Reply-To": [
"[email protected]",
"[email protected]"
]
}
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--66156fad-2a0d-5237-bba4-ba1912887cfe",
"hashes": {
"SHA-256": "ceafbfd424be2ca4a5f0402cae090dda2fb0526cf521b60b60077c0f622b285a"
},
"parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05",
"name": "qwerty.dll"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--9a1f834d-2506-5367-baec-7aa63996ac43",
"name": "foo.zip",
"hashes": {
"SHA-256": "35a01331e9ad96f751278b891b6ea09699806faedfa237d40513d92ad1b7100f"
},
"mime_type": "application/zip",
"parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05",
"extensions": {
"archive-ext": {
"contains_refs": [
"file--66156fad-2a0d-5237-bba4-ba1912887cfe",
"file--e04f22d1-be2c-59de-add8-10f61d15fe20"
]
},
"ntfs-ext": {
"sid": "S-1-5-32-544",
"alternate_data_streams": [
{
"name": "second.stream",
"size": 25536
}
]
}
}
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--ec3415cc-5f4f-5ec8-bdb1-6f86996ae66d",
"parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05",
"extensions": {
"pdf-ext": {
"version": "1.7",
"document_info_dict": {
"Title": "Sample document",
"Author": "Adobe Systems Incorporated",
"Creator": "Adobe FrameMaker 5.5.3 for Power Macintosh",
"Producer": "Acrobat Distiller 3.01 for Power Macintosh",
"CreationDate": "20070412090123-02"
},
"pdfid0": "DFCE52BD827ECF765649852119D",
"pdfid1": "57A1E0F9ED2AE523E313C"
}
}
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--c7d1e135-8b34-549a-bb47-302f5cf998ed",
"name": "picture.jpg",
"parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05",
"hashes": {
"SHA-256": "4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877"
},
"extensions": {
"raster-image-ext": {
"exif_tags": {
"Make": "Nikon",
"Model": "D7000",
"XResolution": 4928,
"YResolution": 3264
}
}
}
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--fb0419a8-f09c-57f8-be64-71a80417591c",
"parent_directory_ref": "directory--93c0a9b0-520d-545d-9094-1a08ddf46b05",
"extensions": {
"windows-pebinary-ext": {
"pe_type": "exe",
"machine_hex": "014c",
"number_of_sections": 4,
"time_date_stamp": "2016-01-22T12:31:12Z",
"pointer_to_symbol_table_hex": "74726144",
"number_of_symbols": 4542568,
"size_of_optional_header": 224,
"characteristics_hex": "818f",
"optional_header": {
"magic_hex": "010b",
"major_linker_version": 2,
"minor_linker_version": 25,
"size_of_code": 512,
"size_of_initialized_data": 283648,
"size_of_uninitialized_data": 0,
"address_of_entry_point": 4096,
"base_of_code": 4096,
"base_of_data": 8192,
"image_base": 14548992,
"section_alignment": 4096,
"file_alignment": 4096,
"major_os_version": 1,
"minor_os_version": 0,
"major_image_version": 0,
"minor_image_version": 0,
"major_subsystem_version": 4,
"minor_subsystem_version": 0,
"win32_version_value_hex": "00",
"size_of_image": 299008,
"size_of_headers": 4096,
"checksum_hex": "00",
"subsystem_hex": "03",
"dll_characteristics_hex": "00",
"size_of_stack_reserve": 100000,
"size_of_stack_commit": 8192,
"size_of_heap_reserve": 100000,
"size_of_heap_commit": 4096,
"loader_flags_hex": "abdbffde",
"number_of_rva_and_sizes": 3758087646
},
"sections": [
{
"name": "CODE",
"entropy": 0.061089
},
{
"name": "DATA",
"entropy": 7.980693
},
{
"name": "NicolasB",
"entropy": 0.607433
},
{
"name": ".idata",
"entropy": 0.607433
}
]
}
}
},
{
"type": "ipv6-addr",
"spec_version": "2.1",
"id": "ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1",
"value": "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--8b3c6eb4-9e22-4193-9e16-e297a593e50b",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"relationship_type": "belongs-to",
"source_ref": "ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1",
"target_ref": "autonomous-system--f720c34b-98ae-597f-ade5-27dc241e8c74"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--9bd32ea7-3110-4699-86d5-3ddb29b66304",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"relationship_type": "resolves-to",
"source_ref": "ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1",
"target_ref": "mac-addr--65cfcf98-8a6e-5a1b-8f61-379ac4f92d00"
},
{
"type": "ipv6-addr",
"spec_version": "2.1",
"id": "ipv6-addr--5daf7456-8863-5481-9d42-237d477697f4",
"value": "2001:0db8::/96"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c333de37-0930-4d33-b4b8-892e75961dc2",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"relationship_type": "belongs-to",
"source_ref": "ipv6-addr--5daf7456-8863-5481-9d42-237d477697f4",
"target_ref": "autonomous-system--f720c34b-98ae-597f-ade5-27dc241e8c74"
},
{
"type": "mac-addr",
"spec_version": "2.1",
"id": "mac-addr--65cfcf98-8a6e-5a1b-8f61-379ac4f92d00",
"value": "d2:fb:49:24:37:18"
},
{
"type": "mutex",
"spec_version": "2.1",
"id": "mutex--eba44954-d4e4-5d3b-814c-2b17dd8de300",
"name": "__CLEANSWEEP__"
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--2568d22a-8998-58eb-99ec-3c8ca74f527d",
"src_ref": "ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1",
"dst_ref": "ipv6-addr--5daf7456-8863-5481-9d42-237d477697f4",
"protocols": ["ipv6", "tcp", "ssl", "https"],
"src_port": 12188,
"dst_port": 443,
"src_byte_count": 147600,
"src_packets": 100,
"encapsulated_by_ref": "network-traffic--b4a8c150-e214-57a3-9017-e85dfa345f46"
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--b4a8c150-e214-57a3-9017-e85dfa345f46",
"src_ref": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd",
"dst_ref": "ipv4-addr--61cd40a7-0547-553e-8127-c9ee44ec47b3",
"src_port": 2487,
"dst_port": 53,
"protocols": [
"ipv4",
"udp",
"dns"
],
"src_byte_count": 35779,
"dst_byte_count": 935750,
"encapsulates_refs": [
"network-traffic--2568d22a-8998-58eb-99ec-3c8ca74f527d"
]
},
{
"type": "process",
"spec_version": "2.1",
"id": "process--f52a906a-0dfc-40bd-92f1-e7778ead38a9",
"pid": 1221,
"created_time": "2016-01-20T14:11:25.55Z",
"command_line": "./gedit-bin --new-window",
"image_ref": "file--e04f22d1-be2c-59de-add8-10f61d15fe20",
"extensions": {
"windows-process-ext": {
"aslr_enabled": true,
"dep_enabled": true,
"priority": "HIGH_PRIORITY_CLASS",
"owner_sid": "S-1-5-21-186985262-1144665072-74031268-1309"
}
}
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--e04f22d1-be2c-59de-add8-10f61d15fe20",
"name": "gedit-bin",
"hashes": {
"SHA-256": "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f"
}
},
{
"type": "software",
"spec_version": "2.1",
"id": "software--a1827f6d-ca53-5605-9e93-4316cd22a00a",
"name": "Word",
"cpe": "cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*",
"version": "2002",
"vendor": "Microsoft"
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--c1477287-23ac-5971-a010-5c287877fa60",
"value": "https://example.com/research/index.html"
},
{
"type": "user-account",
"spec_version": "2.1",
"id": "user-account--0d5b424b-93b8-5cd8-ac36-306e1789d63c",
"user_id": "1001",
"account_login": "jdoe",
"account_type": "unix",
"display_name": "John Doe",
"is_service_account": false,
"is_privileged": false,
"can_escalate_privs": true,
"account_created": "2016-01-20T12:31:12Z",
"credential_last_changed": "2016-01-20T14:27:43Z",
"account_first_login": "2016-01-20T14:26:07Z",
"account_last_login": "2016-07-22T16:08:28Z",
"extensions": {
"unix-account-ext": {
"gid": 1001,
"groups": ["wheel"],
"home_dir": "/home/jdoe",
"shell": "/bin/bash"
}
}
},
{
"type": "user-account",
"spec_version": "2.1",
"id": "user-account--9bd3afcf-deee-54f9-83e2-520653cb6bba",
"user_id": "thegrugq_ebooks",
"account_login": "thegrugq_ebooks",
"account_type": "twitter",
"display_name": "the grugq"
},
{
"type": "windows-registry-key",
"spec_version": "2.1",
"id": "windows-registry-key--9d60798d-4e3e-5fe4-af8a-0e4986f0f90b",
"key": "HKEY_LOCAL_MACHINE\\System\\Foo\\Bar",
"values": [
{
"name": "Foo",
"data": "qwerty",
"data_type": "REG_SZ"
},
{
"name": "Bar",
"data": "42",
"data_type": "REG_DWORD"
}
]
},
{
"type": "x509-certificate",
"spec_version": "2.1",
"id": "x509-certificate--463d7b2a-8516-5a50-a3d7-6f801465d5de",
"issuer": "C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[email protected]",
"validity_not_before": "2016-03-12T12:00:00Z",
"validity_not_after": "2016-08-21T12:00:00Z",
"subject": "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/[email protected]",
"serial_number": "36:f7:d4:32:f4:ab:70:ea:d3:ce:98:6e:ea:99:93:49:32:0a:b7:06"
},
{
"type": "language-content",
"id": "language-content--b86bd89f-98bb-4fa9-8cb2-9ad421da981d",
"spec_version": "2.1",
"created": "2017-02-08T21:31:22.007Z",
"modified": "2017-02-08T21:31:22.007Z",
"object_ref": "campaign--12a111f0-b824-4baf-a224-83b80237a094",
"object_modified": "2017-02-08T21:31:22.007Z",
"contents": {
"de": {
"name": "Bank Angriff",
"description": "Weitere Informationen über Banküberfall"
},
"fr": {
"name": "Attaque Bank",
"description": "Plus d'informations sur la crise bancaire"
}
}
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"created": "2016-08-01T00:00:00.000Z",
"definition_type": "statement",
"definition": {
"statement": "Copyright 2019, Example Corp"
}
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:AMBER",
"definition": {
"tlp": "amber"
}
},
{
"type": "attack-pattern",
"spec_version": "2.1",
"id": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"name": "Spear Phishing as Practiced by Adversary X",
"description": "A particular form of spear phishing where the attacker claims that the target had won a contest, including personal details, to get them to click on a link.",
"external_references": [
{
"source_name": "capec",
"external_id": "CAPEC-163"
}
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--57b56a43-b8b0-4cba-9deb-34e3e1faed9e",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"relationship_type": "uses",
"source_ref": "intrusion-set--0c7e22ad-b099-4dc3-b0df-2ea3f49ae2e6",
"target_ref": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--1c620a2e-2a75-4a23-a617-eb4ed9d8ad0c",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"relationship_type": "owns",
"source_ref": "intrusion-set--0c7e22ad-b099-4dc3-b0df-2ea3f49ae2e6",
"target_ref": "infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d"
},
{
"type": "intrusion-set",
"spec_version": "2.1",
"id": "intrusion-set--0c7e22ad-b099-4dc3-b0df-2ea3f49ae2e6",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"name": "Bobcat Scare",
"description": "Incidents usually feature a shared TTP of a obcat being released within the building containing network access, scaring users to leave their computers without locking them first. Still determining where the threat actors are getting the bobcats.",
"aliases": ["Zookeeper"],
"goals": ["acquisition-theft", "harassment", "damage"],
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "course-of-action",
"spec_version": "2.1",
"id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"name": "Mitigation for a malware in a firewall",
"description": "This action points to a recommended set of steps to respond to the Poison Ivy malware on a Cisco firewall device",
"action_type": "cisco:ios",
"action_reference": {
"source_name": "internet",
"url": "https://www.stopthebad.com/poisonivyresponse.asa"
},
"object_marking_refs": [
"marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"
]
},
{
"type": "malware",
"spec_version": "2.1",
"id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:07:09.000Z",
"modified": "2016-04-06T20:07:09.000Z",
"is_family": true,
"name": "Poison Ivy",
"malware_types": ["trojan"],
"object_marking_refs": [
"marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"
]
},
{
"type": "malware-analysis",
"spec_version": "2.1",
"id": "malware-analysis--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:07:09.000Z",
"modified": "2016-04-06T20:07:09.000Z",
"product": "malware-analysis-suite",
"version": "0.1",
"av_result": "malicious",
"installed_software_refs": [
"software--a1827f6d-ca53-5605-9e93-4316cd22a00a"
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--db484eaf-0f91-434c-9f9a-64c6fb5c98c7",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:07:10.000Z",
"modified": "2016-04-06T20:07:10.000Z",
"relationship_type": "av-analysis-of",
"source_ref": "malware-analysis--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
"target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--d628a168-4b1c-45c8-9324-59f1bf1ce618",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:07:10.000Z",
"modified": "2016-04-06T20:07:10.000Z",
"relationship_type": "targets",
"source_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
"target_ref": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:07:10.000Z",
"modified": "2016-04-06T20:07:10.000Z",
"relationship_type": "mitigates",
"source_ref": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--803fe1e3-56e8-46b7-a945-54f85fc55c2a",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:07:10.000Z",
"modified": "2016-04-06T20:07:10.000Z",
"relationship_type": "uses",
"source_ref": "campaign--12a111f0-b824-4baf-a224-83b80237a094",
"target_ref": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
"created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65",
"created": "2015-12-21T19:59:11.000Z",
"modified": "2015-12-21T19:59:11.000Z",
"name": "The Black Vine Cyberespionage Group",
"description": "A simple collection of Black Vine Cyberespionage Group attributed intel",
"context": "suspicious-activity",
"object_refs": [
"indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"campaign--12a111f0-b824-4baf-a224-83b80237a094",
"relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
"file--9a1f834d-2506-5367-baec-7aa63996ac43"
]
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "John Smith",
"identity_class": "individual"
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"name": "ComputerSecurity, Inc.",
"identity_class": "organization"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"indicator_types": ["malicious-activity"],
"name": "Poison Ivy Malware",
"description": "This file is part of Poison Ivy",
"pattern": "[ file:hashes.'SHA-256' = '4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877' ]",
"pattern_type": "stix",
"valid_from": "2016-01-01T00:00:00Z"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:06:37.000Z",
"modified": "2016-04-06T20:06:37.000Z",
"relationship_type": "indicates",
"source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"target_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b"
},
{
"type":"infrastructure",
"spec_version": "2.1",
"id":"infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d",
"created":"2016-05-07T11:22:30.000Z",
"modified":"2016-05-07T11:22:30.000Z",
"name":"Poison Ivy C2",
"infrastructure_types": ["command-and-control"]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7aebe2f0-28d6-48a2-9c3e-b0aaa60266ef",
"created": "2016-05-09T08:17:27.000Z",
"modified": "2016-05-09T08:17:27.000Z",
"relationship_type": "consists-of",
"source_ref": "infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d",
"target_ref": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--60e35813-2a7f-4c8e-8d9d-ccb8e4fa481e",
"created": "2016-05-09T08:17:27.000Z",
"modified": "2016-05-09T08:17:27.000Z",
"relationship_type": "consists-of",
"source_ref": "infrastructure--38c47d93-d984-4fd9-b87b-d69d0841628d",
"target_ref": "ipv6-addr--5daf7456-8863-5481-9d42-237d477697f4"
},
{
"type": "location",
"spec_version": "2.1",
"id": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64",
"created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:00.000Z",
"region": "northern-america"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--7d9d2fa1-8518-4367-b43f-890f0025be5b",
"created": "2016-05-09T08:17:27.000Z",
"modified": "2016-05-09T08:17:27.000Z",
"relationship_type": "located-at",
"source_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65",
"target_ref": "location--a6e9345f-5a15-4c29-8bb3-7dcc5d168d64"
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"external_references": [
{
"source_name": "job-tracker",
"external_id": "job-id-1234"
}
],
"abstract": "Tracking Team Note#1",
"content": "This note indicates the various steps taken by the threat analyst team to investigate this specific campaign. Step 1) Do a scan 2) Review scanned results for identified hosts not known by external intel….etc",
"authors": ["John Doe"],
"object_refs": ["campaign--12a111f0-b824-4baf-a224-83b80237a094"]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T19:58:16.000Z",
"modified": "2016-04-06T19:58:16.000Z",
"first_observed": "2015-12-21T19:00:00Z",
"last_observed": "2015-12-21T19:00:00Z",
"number_observed": 50,
"object_refs": [
"ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd",
"domain-name--3c10e93f-798e-5a26-a0c1-08156efab7f5",
"ipv6-addr--1e61d36c-a16c-53b7-a80f-2a00161c96b1",
"x509-certificate--463d7b2a-8516-5a50-a3d7-6f801465d5de",
"artifact--6f437177-6e48-5cf8-9d9e-872a2bddd641",
"windows-registry-key--9d60798d-4e3e-5fe4-af8a-0e4986f0f90b",
"user-account--9bd3afcf-deee-54f9-83e2-520653cb6bba",
"user-account--0d5b424b-93b8-5cd8-ac36-306e1789d63c",
"url--c1477287-23ac-5971-a010-5c287877fa60",
"mutex--eba44954-d4e4-5d3b-814c-2b17dd8de300"
]
},
{
"type": "opinion",
"spec_version": "2.1",
"id": "opinion--b01efc25-77b4-4003-b18b-f6e24b5cd9f7",
"created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"object_refs": ["relationship--44298a74-ba52-4f0c-87a3-1824e67d7fad"],
"opinion": "strongly-disagree",
"explanation": "This doesn't seem like it is feasible. We've seen how PandaCat has attacked Spanish infrastructure over the last 3 years, so this change in targeting seems too great to be viable. The methods used are more commonly associated with the FlameDragonCrew."
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcb3",
"created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65",
"created": "2015-12-21T19:59:11.000Z",
"modified": "2015-12-21T19:59:11.000Z",
"name": "The Black Vine Cyberespionage Group",
"description": "A simple report with an indicator, a campaign and an opinion",
"published": "2016-01-20T17:00:00.000Z",
"report_types": ["campaign"],
"object_refs": [
"indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"campaign--12a111f0-b824-4baf-a224-83b80237a094",
"opinion--b01efc25-77b4-4003-b18b-f6e24b5cd9f7"
]
},
{
"type": "threat-actor",
"spec_version": "2.1",
"id": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"threat_actor_types": ["crime-syndicate"],
"name": "Evil Org",
"description": "The Evil Org threat actor group",
"aliases": ["Syndicate 1", "Evil Syndicate 99"],
"roles": ["director", "sponsor"],
"goals": ["Steal bank money", "Steal credit cards"],
"sophistication": "advanced",
"resource_level": "team",
"primary_motivation": "organizational-gain"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--2b7c094b-dacc-40ee-8ffc-06b20bf5562b",
"created": "2016-05-09T08:17:27.000Z",
"modified": "2016-05-09T08:17:27.000Z",
"relationship_type": "authored-by",
"source_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
"target_ref": "threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--3f1befad-ff3c-45c3-995c-459334a132bb",
"created": "2016-05-09T08:17:27.000Z",
"modified": "2016-05-09T08:17:27.000Z",
"relationship_type": "based-on",
"source_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"target_ref": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"
},
{
"type": "tool",
"spec_version": "2.1",
"id": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:03:48.000Z",
"modified": "2016-04-06T20:03:48.000Z",
"tool_types": ["remote-access"],
"name": "VNC"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--08da2890-ae07-4a42-980b-0f157851163a",
"created": "2016-05-09T08:17:27.000Z",
"modified": "2016-05-09T08:17:27.000Z",
"relationship_type": "downloads",
"source_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
"target_ref": "tool--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
},
{
"type": "vulnerability",
"spec_version": "2.1",
"id": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"created": "2016-05-12T08:17:27.000Z",
"modified": "2016-05-12T08:17:27.000Z",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"name": "CVE-2016-1234",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2016-1234"
}
]
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--307be661-2003-489b-8afc-911454497091",
"created": "2016-05-09T08:17:27.000Z",
"modified": "2016-05-09T08:17:27.000Z",
"relationship_type": "exploits",
"source_ref": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",
"target_ref": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061"
},
{
"type": "sighting",
"spec_version": "2.1",
"id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
"created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created": "2016-04-06T20:08:31.000Z",
"modified": "2016-04-06T20:08:31.000Z",
"first_seen": "2015-12-21T19:00:00Z",
"last_seen": "2015-12-21T19:00:00Z",
"count": 50,
"sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
"where_sighted_refs": ["identity--e5f1b90a-d9b6-40ab-81a9-8a29df4b6b65"]
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment