Sources of IoCs
A generic event, detected by different kinds of systems (e.g., IDS, vulnerability scanners and honeypots) or received from external sources (e.g., OSINT), is ingested through MISP and stored in its database in the MISP JSON format.

However, MISP is able to convert and export each internally stored event using the STIX 2.0 standard, which is better suited to representing cyber security information and is widely used by other platforms. Indeed, the idea behind the ETIP Platform is to handle both standards interchangeably, depending on the needs of the counterpart that provides or receives events. MISP is also able to perform the opposite conversion, from STIX 2.0 to the MISP JSON format.
These factors influence the choice of the set of Heuristic features to be considered during the threat score evaluation. More specifically, a set of properties and/or attributes of the chosen standard is selected as Heuristic features, taking into account the infrastructure and the assets that are continuously monitored.

For instance, in our tests we had to exchange threat data with other MISP instances, relying on the MISP JSON format. For the computation of the threat score, specific MISP categories and attributes have been considered (more details are given in the "Results" section).
The presence and the value of these properties are checked in every composed IoC received by the Context-Aware Sharing Module, and correlated with cybersecurity information retrieved from:

- internal monitoring and detection systems (e.g., SIEMs)
- public open source feeds (e.g., lists of blacklisted IPs, malicious domain names and URLs)
New alarms raised by our internal SIEMs are continuously retrieved and parsed to extract relevant information. From these sources, we were mainly interested in:

- IP addresses
- ports
- protocols
- domain names
- host names
- malware hashes
A dynamic data set is built in this way and stored in the Heuristic Database, which relies on a MongoDB instance. As for public open source feeds, we selected the following from the MISP feeds web page (https://www.misp-project.org/feeds/):

- ZeuS IP blocklist (CSV format)
- ZeuS compromised URL blocklist (CSV format)
- OpenPhish URL list (CSV format)
- Domains from High-Confidence DGA-based C&C Domains Actively Resolving (CSV format)
- CIRCL OSINT Feed (MISP JSON format)
​
For each of the aforementioned sources, the most relevant information has been stored in a separate document in the MongoDB instance and used for the evaluation of the threat score every time a new composed IoC is received, whether MISP JSON or STIX 2.0 is chosen. This choice only affects the selected set of Heuristic Features. When STIX 2.0 is used, the selection considers the overall set, or simply a subset, of STIX Domain Objects (SDOs) (http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part2-stix-objects.html) and their attributes (again, more details are given in the "Results" section).
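As an added illustration, not code from the ETIP platform or from MISP, the following Python extracts the heuristic features listed above from a MISP JSON event (including attributes nested inside MISP Objects, and skipping soft-deleted ones), correlates them with constructed Heuristic Database documents and derives a simple threat score. The type-to-feature mapping, the sample event and feed values, and the scoring rule are assumptions made for the example.

```python
# Constructed MISP JSON event reduced to the fields the extractor reads (sample data, not the page's event).
MISP_EVENT = {"Event": {
    "id": "9001", "info": "constructed sample: DDoS against a monitored web server",
    "Attribute": [
        {"type": "ip-dst", "category": "Network activity", "to_ids": True, "value": "203.0.113.5"},
        {"type": "url", "category": "Network activity", "to_ids": False, "value": "http://example.invalid/login"}],
    "Object": [{"name": "ddos", "meta-category": "network", "Attribute": [
        {"type": "ip-src", "category": "Network activity", "to_ids": True, "value": "198.51.100.7"},
        {"type": "port", "category": "Network activity", "to_ids": False, "object_relation": "dst-port", "value": "80"},
        {"type": "text", "category": "Other", "to_ids": False, "object_relation": "protocol", "value": "TCP"},
        {"type": "sha256", "category": "Payload delivery", "to_ids": True,
         "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
        {"type": "md5", "category": "Payload delivery", "to_ids": True, "deleted": True,
         "value": "d41d8cd98f00b204e9800998ecf8427e"}]}]}}

# MISP attribute types kept as heuristic features, keyed to the information kinds the page lists (assumed mapping).
TYPE_TO_KIND = {"ip-src": "ip", "ip-dst": "ip", "domain": "domain", "hostname": "hostname", "url": "url",
                "md5": "hash", "sha1": "hash", "sha256": "hash", "port": "port"}
CASE_INSENSITIVE = {"hash", "domain", "hostname", "protocol"}

# Constructed stand-in for the MongoDB Heuristic Database: one document per source, as the page describes.
HEURISTIC_DB = [
    {"source": "siem-alarms", "kind": "ip", "weight": 2, "values": {"198.51.100.7", "192.0.2.44"}},
    {"source": "siem-alarms", "kind": "hash", "weight": 2, "values": {
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "d41d8cd98f00b204e9800998ecf8427e"}},
    {"source": "zeus-ip-blocklist", "kind": "ip", "weight": 3, "values": {"203.0.113.5"}},
    {"source": "openphish-urls", "kind": "url", "weight": 3, "values": {"http://example.invalid/login"}},
]

def iter_attributes(event):
    """Yield every attribute of a MISP event: the top-level ones and those nested inside MISP Objects."""
    for attr in event["Event"].get("Attribute", []):
        yield attr
    for obj in event["Event"].get("Object", []):
        for attr in obj.get("Attribute", []):
            yield attr

def extract_features(event):
    """Return (kind, normalised value, to_ids) for every live attribute that is a heuristic feature."""
    features = []
    for attr in iter_attributes(event):
        if attr.get("deleted"):
            continue  # soft-deleted attributes still travel in the export and must not contribute to the score
        kind = TYPE_TO_KIND.get(attr["type"])
        if attr["type"] == "text" and attr.get("object_relation") == "protocol":
            kind = "protocol"  # the ddos object carries the protocol as a text attribute with this relation
        if kind:
            value = attr["value"].strip()
            features.append((kind, value.lower() if kind in CASE_INSENSITIVE else value, bool(attr.get("to_ids"))))
    return features

def correlate(features, db):
    """Match each feature against every Heuristic Database document of the same kind."""
    return [{"source": doc["source"], "kind": kind, "value": value, "to_ids": to_ids, "weight": doc["weight"]}
            for kind, value, to_ids in features
            for doc in db if doc["kind"] == kind and value in doc["values"]]

def threat_score(hits, cap=100):
    """Illustrative score (an assumption, not ETIP's formula): sum of source weights, doubled for attributes the
    sender flagged with to_ids, capped so that one attribute-rich event cannot dominate the scale."""
    return min(cap, sum(hit["weight"] * (2 if hit["to_ids"] else 1) for hit in hits))

def score_event(event, db=HEURISTIC_DB):
    """Full pipeline for one composed IoC: features -> correlation hits -> score."""
    hits = correlate(extract_features(event), db)
    return hits, threat_score(hits)
```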
​
Below, some examples of Indicators of Compromise are presented. Each IoC is expressed in the two standards mentioned above.

Regarding the STIX examples, the relationships among detected events, STIX Observable Objects and the STIX Bundle (which represents the final JSON to be shared) are highlighted, especially the connection between the pattern expressed in the Indicator of the STIX Bundle and the related Observable Object (which can, optionally, be inserted in the global STIX Bundle).
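As an added example, not code from the project, the following Python follows the sighting-to-indicator and sighting-to-observed-data links of a constructed STIX 2.0 bundle modelled on the samples below, and evaluates the Indicator's pattern against the Observable Objects. It supports only the pattern subset the samples use (equality comparisons, AND/OR with parentheses, *_ref paths, [*] list indexing and the REPEATS qualifier); the bundle contents are constructed sample data.

```python
import re
# Constructed STIX 2.0 bundle modelled on the page's DDoS sample, reduced to the fields read below (sample data).
BUNDLE = {"type": "bundle", "spec_version": "2.0", "id": "bundle--0f3a5b2c-1d4e-4a6b-8c7d-000000000001", "objects": [
    {"type": "indicator", "id": "indicator--0f3a5b2c-1d4e-4a6b-8c7d-000000000002", "labels": ["anomalous-activity"],
     "pattern": "[(network-traffic:src_ref.value = '198.51.100.7' OR network-traffic:src_ref.value = '198.51.100.8')"
                " AND (network-traffic:dst_ref.value = '203.0.113.5' AND network-traffic:dst_port = 80)"
                " AND network-traffic:protocols[*] = 'tcp'] REPEATS 5 TIMES WITHIN 300 SECONDS"},
    {"type": "observed-data", "id": "observed-data--0f3a5b2c-1d4e-4a6b-8c7d-000000000003", "number_observed": 5,
     "objects": {"0": {"type": "network-traffic", "src_ref": "1", "dst_ref": "2", "dst_port": 80, "protocols": ["tcp"]},
                 "1": {"type": "ipv4-addr", "value": "198.51.100.8"},
                 "2": {"type": "ipv4-addr", "value": "203.0.113.5"}}},
    {"type": "sighting", "id": "sighting--0f3a5b2c-1d4e-4a6b-8c7d-000000000004",
     "sighting_of_ref": "indicator--0f3a5b2c-1d4e-4a6b-8c7d-000000000002",
     "observed_data_refs": ["observed-data--0f3a5b2c-1d4e-4a6b-8c7d-000000000003"]}]}

# Supported STIX patterning subset: one [observation expression] of "type:prop = literal" comparisons with AND / OR.
TOKEN_RE = re.compile(r"\s*(?:(?P<op>AND|OR)\b|(?P<paren>[()])"
                      r"|(?P<path>[\w-]+:[\w.*\[\]]+)\s*=\s*(?P<lit>'[^']*'|\d+))\s*")
OBSERVATION_RE = re.compile(r"\s*\[(.*)\](.*)", re.S)  # [expression] followed by optional qualifiers

def tokenize(expr):
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m: raise ValueError(f"unsupported pattern syntax near {expr[pos:pos + 20]!r}")
        pos = m.end()
        if m.group("path"):
            lit = m.group("lit")
            tokens.append(("cmp", (m.group("path"), lit[1:-1] if lit.startswith("'") else int(lit))))
        else:
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens + [("end", None)]  # sentinel so the parser never indexes past the last token

def resolve(obj, parts, objects):
    # Walk a property path inside one observable; *_ref keys jump to sibling objects and [*] fans out over lists.
    if not parts:
        return [obj]
    head, rest = parts[0], parts[1:]
    star = head.endswith("[*]")
    key = head[:-3] if star else head
    if not isinstance(obj, dict) or key not in obj:
        return []
    value = objects.get(str(obj[key])) if key.endswith("_ref") else obj[key]
    candidates = value if star and isinstance(value, list) else [value]
    return [v for c in candidates for v in resolve(c, rest, objects)]

class Matcher:
    # Recursive descent: expr := term (OR term)* ; term := factor (AND factor)* ; factor := '(' expr ')' | comparison
    def __init__(self, expr, objects):
        self.toks, self.pos, self.objects = tokenize(expr), 0, objects

    def expr(self):
        result = self.term()
        while self.toks[self.pos] == ("op", "OR"):
            self.pos += 1
            result = self.term() or result  # evaluate both sides so the whole expression is always parsed
        return result

    def term(self):
        result = self.factor()
        while self.toks[self.pos] == ("op", "AND"):
            self.pos += 1
            result = self.factor() and result
        return result

    def factor(self):
        kind, value = self.toks[self.pos]
        self.pos += 1
        if (kind, value) == ("paren", "("):
            result = self.expr()
            if self.toks[self.pos] != ("paren", ")"):
                raise ValueError("missing ')' in pattern")
            self.pos += 1
            return result
        if kind != "cmp":
            raise ValueError("expected a comparison in pattern")
        obj_type, prop = value[0].split(":", 1)  # comparison is by string form, so 80 and "80" both match
        return any(str(actual) == str(value[1]) for obj in self.objects.values() if obj.get("type") == obj_type
                   for actual in resolve(obj, prop.split("."), self.objects))

def evaluate(pattern, observed_data):
    # True when the observables satisfy the expression; "REPEATS n TIMES" is approximated as number_observed >= n.
    expr_text, qualifiers = OBSERVATION_RE.fullmatch(pattern).groups()
    matcher = Matcher(expr_text, observed_data["objects"])
    matched = matcher.expr()
    if matcher.toks[matcher.pos] != ("end", None): raise ValueError("trailing tokens in pattern")
    repeats = re.search(r"REPEATS\s+(\d+)\s+TIMES", qualifiers)
    return matched and (not repeats or observed_data.get("number_observed", 1) >= int(repeats.group(1)))

def check_sightings(bundle):
    # Follow sighting -> indicator -> observed-data (the Indicator pattern / Observable Object link); {obs id: matched}
    by_id, report = {o["id"]: o for o in bundle["objects"]}, {}
    for sighting in bundle["objects"]:
        if sighting["type"] == "sighting":
            pattern = by_id[sighting["sighting_of_ref"]]["pattern"]
            for ref in sighting.get("observed_data_refs", []):
                report[ref] = evaluate(pattern, by_id[ref])
    return report
```

A sighting whose observed-data does not satisfy the referenced pattern, or a REPEATS pattern backed by a single observation, is the kind of inconsistency a receiving platform should flag before the bundle feeds a threat score.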
​
The samples below cover the following simple scenarios:

- Known malware detected
- Known vulnerability detected
- Distributed Denial of Service (DDoS) attack
- Behavioral scanning from malicious IP address
- Remote code execution
​
Examples of Indicators of Compromise (IoC)

1. Malware Detected

1.1. Malware Detected MISP JSON format

{
"Event": {
"id": "2092",
"orgc_id": "1",
"org_id": "1",
"date": "2018-08-10",
"threat_level_id": "2",
"info": "Zeus Trojan malware is a form of malicious software that targets Microsoft Windows and is often used to steal financial data",
"published": false,
"uuid": "5b6db0e2-0718-4ab1-92f0-3d8c0a00020f",
"attribute_count": "2",
"analysis": "2",
"timestamp": "1534108159",
"distribution": "0",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "0",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "1",
"name": "ARI CS Lab",
"uuid": "5a579708-ab5c-4458-bc14-12d7adba28c8"
},
"Orgc": {
"id": "1",
"name": "ARI CS Lab",
"uuid": "5a579708-ab5c-4458-bc14-12d7adba28c8"
},
"Attribute": [
{
"id": "10548",
"type": "ip-dst",
"category": "Network activity",
"to_ids": true,
"uuid": "c33f50d8-49bd-4ca2-8008-2990e529cd8e",
"event_id": "2092",
"distribution": "1",
"timestamp": "1533915362",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "188.72.243.72",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10558",
"type": "link",
"category": "External analysis",
"to_ids": false,
"uuid": "5b70a09f-28a0-4054-ae48-5a920a00020f",
"event_id": "2092",
"distribution": "5",
"timestamp": "1534107807",
"comment": "Kaspersky",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "https:\/\/usa.kaspersky.com\/resource-center\/threats\/zeus-trojan-malwar",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10559",
"type": "malware-type",
"category": "Payload installation",
"to_ids": false,
"uuid": "5b70a1ff-6194-43a2-8bc0-5bc50a00020f",
"event_id": "2092",
"distribution": "0",
"timestamp": "1534108159",
"comment": "Trojan",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "Win.Trojan.Zeus",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"RelatedEvent": [],
"Galaxy": [],
"Object": [
{
"id": "8",
"name": "stix2-pattern",
"meta-category": "stix2-pattern",
"description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
"template_uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
"template_version": "2",
"event_id": "2092",
"uuid": "43a4db6e-aac5-4dda-98e1-deca267e488b",
"timestamp": "1534107901",
"distribution": "1",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [
{
"id": "3",
"uuid": "5b709ffd-4e68-479f-a5ed-5b0f0a00020f",
"timestamp": "1534107645",
"object_id": "8",
"event_id": "2092",
"source_uuid": null,
"referenced_uuid": "c33f50d8-49bd-4ca2-8008-2990e529cd8e",
"referenced_id": "10548",
"referenced_type": "0",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Attribute": {
"distribution": "1",
"sharing_group_id": "0",
"uuid": "c33f50d8-49bd-4ca2-8008-2990e529cd8e",
"type": "ip-dst",
"category": "Network activity",
"to_ids": true,
"value": "188.72.243.72"
}
}
],
"Attribute": [
{
"id": "10549",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "3c62b279-4583-40c7-9494-c4aecfb26d2a",
"event_id": "2092",
"distribution": "1",
"timestamp": "1533915362",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "8",
"object_relation": "version",
"value": "stix 2.0",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10550",
"type": "stix2-pattern",
"category": "Payload installation",
"to_ids": true,
"uuid": "1663b74c-f3f6-4fc2-86aa-a0d90803f39e",
"event_id": "2092",
"distribution": "1",
"timestamp": "1534107901",
"comment": "malicious-activity",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "8",
"object_relation": "stix2-pattern",
"value": "[ipv4-addr:value = '188.72.243.72']",
"Galaxy": [],
"ShadowAttribute": []
}
]
}
]
}
}
​
1.2. Malware Detected STIX 2.0 format

{
"id": "bundle--565b3dc8-e61e-4e96-b63d-6931689a298f",
"objects": [
{
"type": "malware",
"name": "Win.Trojan.Zeus",
"created": "2017-07-24T06:33:46.852591Z",
"description": "Zeus Trojan malware is a form of malicious software that targets Microsoft Windows and is often used to steal financial data.",
"id": "malware--193103dd-88dc-4890-a277-0690af169780",
"labels": [
"trojan"
],
"modified": "2017-07-24T06:33:46.852591Z",
"external_references": [
{
"source_name": "Kaspersky",
"url": "https://usa.kaspersky.com/resource-center/threats/zeus-trojan-malware"
}
]
},
{
"type": "indicator",
"created": "2017-07-24T06:33:46.852591Z",
"description": "Indicator for detecting Zeus Trojan from a specific IP address",
"id": "indicator--c2448bf6-16a1-4b0c-9478-2a33b3d2e322",
"labels": [
"malicious-activity"
],
"modified": "2017-07-24T06:33:46.852591Z",
"name": "Malicious File",
"pattern": "[ipv4-addr:value = '188.72.243.72']",
"valid_from": "2017-07-24T06:33:46.852591Z"
},
{
"type": "relationship",
"created": "2017-07-24T06:33:46.852904Z",
"id": "relationship--92b36699-a4ce-4e20-aeda-cc41bf6603c5",
"modified": "2017-07-24T06:33:46.852904Z",
"relationship_type": "indicates",
"source_ref": "indicator--c2448bf6-16a1-4b0c-9478-2a33b3d2e322",
"target_ref": "malware--193103dd-88dc-4890-a277-0690af169780"
},
{
"id": "observed-data--52a5bab7-2cfd-40c6-a35a-b5bcb8afb11b",
"type": "observed-data",
"first_observed": "2017-08-29T13:38:02Z",
"last_observed": "2017-08-29T13:38:02Z",
"number_observed": 1,
"objects": {
"0": {
"type": "ipv4-addr",
"value": "188.72.243.72"
}
}
},
{
"type": "sighting",
"id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
"created": "2017-07-24T06:33:46.852591Z",
"modified": "2017-07-24T06:33:46.852591Z",
"sighting_of_ref": "indicator--c2448bf6-16a1-4b0c-9478-2a33b3d2e322",
"observed_data_refs": ["observed-data--52a5bab7-2cfd-40c6-a35a-b5bcb8afb11b"]
}
],
"spec_version": "2.0",
"type": "bundle"
}

2. Vulnerability Detected

2.1. Vulnerability Detected MISP JSON format

{
"Event": {
"id": "2093",
"orgc_id": "1",
"org_id": "1",
"date": "2018-08-12",
"threat_level_id": "1",
"info": "CRLF Injection Vulnerability in WildFly 10.0.0",
"published": false,
"uuid": "5b7083b3-42d4-4636-9eab-5a940a00020f",
"attribute_count": "3",
"analysis": "0",
"timestamp": "1534152107",
"distribution": "0",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "0",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "1",
"name": "ARI CS Lab",
"uuid": "5a579708-ab5c-4458-bc14-12d7adba28c8"
},
"Orgc": {
"id": "1",
"name": "ARI CS Lab",
"uuid": "5a579708-ab5c-4458-bc14-12d7adba28c8"
},
"Attribute": [
{
"id": "10562",
"type": "other",
"category": "External analysis",
"to_ids": false,
"uuid": "5b714d90-8188-4b61-b84d-5f210a00020f",
"event_id": "2093",
"distribution": "5",
"timestamp": "1534152100",
"comment": "HTTP Response Splitting",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "CAPEC-34",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"RelatedEvent": [],
"Galaxy": [],
"Object": [
{
"id": "13",
"name": "vulnerability",
"meta-category": "network",
"description": "Vulnerability object describing common vulnerability enumeration",
"template_uuid": "81650945-f186-437b-8945-9f31715d32da",
"template_version": "2",
"event_id": "2093",
"uuid": "5b714c1d-0268-4607-8123-5f160a00020f",
"timestamp": "1534152107",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [
{
"id": "4",
"uuid": "5b714dab-ebb0-4a57-a985-5f210a00020f",
"timestamp": "1534152107",
"object_id": "13",
"event_id": "2093",
"source_uuid": null,
"referenced_uuid": "5b714d90-8188-4b61-b84d-5f210a00020f",
"referenced_id": "10562",
"referenced_type": "0",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Attribute": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "5b714d90-8188-4b61-b84d-5f210a00020f",
"type": "other",
"category": "External analysis",
"to_ids": false,
"value": "CAPEC-34"
}
}
],
"Attribute": [
{
"id": "10560",
"type": "vulnerability",
"category": "External analysis",
"to_ids": false,
"uuid": "5b714c1d-2090-414a-979b-5f160a00020f",
"event_id": "2093",
"distribution": "5",
"timestamp": "1534151709",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "13",
"object_relation": "id",
"value": "CVE-2016-4993",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10561",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5b714c1d-416c-4a53-a590-5f160a00020f",
"event_id": "2093",
"distribution": "5",
"timestamp": "1534151779",
"comment": "WildFly, RedHat, CentOS",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "13",
"object_relation": "text",
"value": "CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
"Galaxy": [],
"ShadowAttribute": []
}
]
}
]
}
}
​
2.2. Vulnerability Detected STIX 2.0 format

{
"id": "bundle--565b3dc8-e61e-4e96-b63d-6931689a298f",
"objects": [
{
"type": "vulnerability",
"name": "CRLF Injection Vulnerability in WildFly 10.0.0",
"created": "2017-07-24T06:33:46.852591Z",
"description": "CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.",
"id": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"modified": "2017-07-24T06:33:46.852591Z",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2016-4993"
}
],
"labels": [
"wildfly",
"redhat",
"centos"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5",
"created": "2017-07-24T06:33:46.852591Z",
"modified": "2017-07-24T06:33:46.852591Z",
"name": "HTTP Response Splitting",
"description": "This attack uses a maliciously-crafted HTTP request in order to cause a vulnerable web server to respond with an HTTP response stream that will be interpreted by the client as two separate responses instead of one.",
"external_references": [
{
"source_name": "capec",
"external_id": "CAPEC-34"
}
]
},
{
"created": "2017-07-24T06:33:46.852591Z",
"id": "relationship--57b56a43-b8b0-4cba-9deb-34e3e1faed9e",
"modified": "2017-07-24T06:33:46.852904Z",
"relationship_type": "targets",
"source_ref": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5",
"target_ref": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"type": "relationship"
},
{
"type": "sighting",
"id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c76",
"created": "2017-07-24T06:33:46.852591Z",
"modified": "2017-07-24T06:33:46.852591Z",
"sighting_of_ref": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061"
}
],
"spec_version": "2.0",
"type": "bundle"
}

3. Distributed Denial of Service (DDoS) Attack

3.1. Distributed Denial of Service (DDoS) Attack MISP JSON format

{
"Event": {
"id": "2094",
"orgc_id": "1",
"org_id": "1",
"date": "2018-08-12",
"threat_level_id": "1",
"info": "HTTP DDoS",
"published": false,
"uuid": "5b70845c-5244-4d14-9161-5a940a00020f",
"attribute_count": "0",
"analysis": "2",
"timestamp": "1534154301",
"distribution": "0",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "0",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "1",
"name": "ARI CS Lab",
"uuid": "5a579708-ab5c-4458-bc14-12d7adba28c8"
},
"Orgc": {
"id": "1",
"name": "ARI CS Lab",
"uuid": "5a579708-ab5c-4458-bc14-12d7adba28c8"
},
"Attribute": [
{
"id": "10575",
"type": "other",
"category": "External analysis",
"to_ids": false,
"uuid": "5b71542c-fb48-4847-a332-61ac0a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153772",
"comment": "HTTP DDoS",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "CAPEC-469",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"RelatedEvent": [],
"Galaxy": [],
"Object": [
{
"id": "9",
"name": "stix2-pattern",
"meta-category": "stix2-pattern",
"description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
"template_uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
"template_version": "2",
"event_id": "2094",
"uuid": "6e19e71f-550b-4f75-a7e1-9cab64cb0e70",
"timestamp": "1534153855",
"distribution": "1",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [
{
"id": "11",
"uuid": "5b71547f-6cc8-43d2-a8b9-60970a00020f",
"timestamp": "1534153855",
"object_id": "9",
"event_id": "2094",
"source_uuid": null,
"referenced_uuid": "5b71542c-fb48-4847-a332-61ac0a00020f",
"referenced_id": "10575",
"referenced_type": "0",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Attribute": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "5b71542c-fb48-4847-a332-61ac0a00020f",
"type": "other",
"category": "External analysis",
"to_ids": false,
"value": "CAPEC-469"
}
}
],
"Attribute": [
{
"id": "10551",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "b915128a-e938-4fc9-96d2-db1145e5d0f6",
"event_id": "2094",
"distribution": "1",
"timestamp": "1534100572",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "9",
"object_relation": "version",
"value": "stix 2.0",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10552",
"type": "stix2-pattern",
"category": "Network activity",
"to_ids": true,
"uuid": "02a937f5-1ef7-4af0-bcd9-22ba32bf5c4b",
"event_id": "2094",
"distribution": "1",
"timestamp": "1534153692",
"comment": "Anomalous Network Traffic",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "9",
"object_relation": "stix2-pattern",
"value": "[( network-traffic:src_ref.type = 'ipv4-addr') AND ( network-traffic:src_ref.value = '217.18.143.167' OR network-traffic:src_ref.value = '211.22.163.77' OR network-traffic:src_ref.value = '62.215.44.26') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.91.143.175' AND network-traffic:dst_port = '80') AND ( network-traffic:protocols[*] = 'tcp' )] REPEATS 5 TIMES WITHIN 300 SECONDS",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "14",
"name": "ddos",
"meta-category": "network",
"description": "DDoS object describes a current DDoS activity from a specific or\/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
"template_uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
"template_version": "6",
"event_id": "2094",
"uuid": "5b71531d-0d8c-47f1-9934-60970a00020f",
"timestamp": "1534154291",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [
{
"id": "12",
"uuid": "5b71561f-8208-487d-a4a4-60940a00020f",
"timestamp": "1534154271",
"object_id": "14",
"event_id": "2094",
"source_uuid": null,
"referenced_uuid": "5b71542c-fb48-4847-a332-61ac0a00020f",
"referenced_id": "10575",
"referenced_type": "0",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Attribute": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "5b71542c-fb48-4847-a332-61ac0a00020f",
"type": "other",
"category": "External analysis",
"to_ids": false,
"value": "CAPEC-469"
}
},
{
"id": "15",
"uuid": "5b715633-299c-499c-87d9-60940a00020f",
"timestamp": "1534154291",
"object_id": "14",
"event_id": "2094",
"source_uuid": null,
"referenced_uuid": "6e19e71f-550b-4f75-a7e1-9cab64cb0e70",
"referenced_id": "9",
"referenced_type": "1",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Object": {
"distribution": "1",
"sharing_group_id": "0",
"uuid": "6e19e71f-550b-4f75-a7e1-9cab64cb0e70",
"name": "stix2-pattern",
"meta-category": "stix2-pattern"
}
}
],
"Attribute": [
{
"id": "10563",
"type": "ip-dst",
"category": "Network activity",
"to_ids": true,
"uuid": "5b71531d-ef70-4698-a308-60970a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153501",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "14",
"object_relation": "ip-dst",
"value": "139.91.143.175",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10564",
"type": "ip-src",
"category": "Network activity",
"to_ids": true,
"uuid": "5b71531d-f2c0-4b42-be37-60970a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153501",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "14",
"object_relation": "ip-src",
"value": "217.18.143.167",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10565",
"type": "port",
"category": "Network activity",
"to_ids": false,
"uuid": "5b71531d-d370-4be0-83fe-60970a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153501",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "14",
"object_relation": "dst-port",
"value": "80",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10566",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5b71531d-5e78-4d1a-8a69-60970a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153501",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "14",
"object_relation": "protocol",
"value": "TCP",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "15",
"name": "ddos",
"meta-category": "network",
"description": "DDoS object describes a current DDoS activity from a specific or\/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
"template_uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
"template_version": "6",
"event_id": "2094",
"uuid": "5b715367-50cc-49a1-83d3-61750a00020f",
"timestamp": "1534154297",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [
{
"id": "13",
"uuid": "5b715625-b258-4e86-818f-60940a00020f",
"timestamp": "1534154277",
"object_id": "15",
"event_id": "2094",
"source_uuid": null,
"referenced_uuid": "5b71542c-fb48-4847-a332-61ac0a00020f",
"referenced_id": "10575",
"referenced_type": "0",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Attribute": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "5b71542c-fb48-4847-a332-61ac0a00020f",
"type": "other",
"category": "External analysis",
"to_ids": false,
"value": "CAPEC-469"
}
},
{
"id": "16",
"uuid": "5b715639-6ff4-4924-9671-60940a00020f",
"timestamp": "1534154297",
"object_id": "15",
"event_id": "2094",
"source_uuid": null,
"referenced_uuid": "6e19e71f-550b-4f75-a7e1-9cab64cb0e70",
"referenced_id": "9",
"referenced_type": "1",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Object": {
"distribution": "1",
"sharing_group_id": "0",
"uuid": "6e19e71f-550b-4f75-a7e1-9cab64cb0e70",
"name": "stix2-pattern",
"meta-category": "stix2-pattern"
}
}
],
"Attribute": [
{
"id": "10567",
"type": "ip-dst",
"category": "Network activity",
"to_ids": true,
"uuid": "5b715367-5634-480e-a9ef-61750a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153575",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "15",
"object_relation": "ip-dst",
"value": "139.91.143.175",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10568",
"type": "ip-src",
"category": "Network activity",
"to_ids": true,
"uuid": "5b715367-c5dc-4b04-aed3-61750a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153575",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "15",
"object_relation": "ip-src",
"value": "211.22.163.77",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10569",
"type": "port",
"category": "Network activity",
"to_ids": false,
"uuid": "5b715367-a4fc-46dd-ade6-61750a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153575",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "15",
"object_relation": "dst-port",
"value": "80",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10570",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5b715367-5200-4293-817d-61750a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153575",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "15",
"object_relation": "protocol",
"value": "TCP",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "16",
"name": "ddos",
"meta-category": "network",
"description": "DDoS object describes a current DDoS activity from a specific or\/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
"template_uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
"template_version": "6",
"event_id": "2094",
"uuid": "5b7153b0-42e8-4156-9245-60940a00020f",
"timestamp": "1534154301",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [
{
"id": "14",
"uuid": "5b71562a-1cf8-48ae-b1e3-60940a00020f",
"timestamp": "1534154282",
"object_id": "16",
"event_id": "2094",
"source_uuid": null,
"referenced_uuid": "5b71542c-fb48-4847-a332-61ac0a00020f",
"referenced_id": "10575",
"referenced_type": "0",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Attribute": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "5b71542c-fb48-4847-a332-61ac0a00020f",
"type": "other",
"category": "External analysis",
"to_ids": false,
"value": "CAPEC-469"
}
},
{
"id": "17",
"uuid": "5b71563d-fba0-4af2-86f7-60940a00020f",
"timestamp": "1534154301",
"object_id": "16",
"event_id": "2094",
"source_uuid": null,
"referenced_uuid": "6e19e71f-550b-4f75-a7e1-9cab64cb0e70",
"referenced_id": "9",
"referenced_type": "1",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Object": {
"distribution": "1",
"sharing_group_id": "0",
"uuid": "6e19e71f-550b-4f75-a7e1-9cab64cb0e70",
"name": "stix2-pattern",
"meta-category": "stix2-pattern"
}
}
],
"Attribute": [
{
"id": "10571",
"type": "ip-dst",
"category": "Network activity",
"to_ids": true,
"uuid": "5b7153b0-5280-49d4-a9bf-60940a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153648",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "16",
"object_relation": "ip-dst",
"value": "139.91.143.175",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10572",
"type": "ip-src",
"category": "Network activity",
"to_ids": true,
"uuid": "5b7153b0-fd24-4ff9-8f9e-60940a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153648",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "16",
"object_relation": "ip-src",
"value": "62.215.44.26",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10573",
"type": "port",
"category": "Network activity",
"to_ids": false,
"uuid": "5b7153b0-c9e8-42f2-a563-60940a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153648",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "16",
"object_relation": "dst-port",
"value": "80",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10574",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5b7153b0-2718-45f0-a738-60940a00020f",
"event_id": "2094",
"distribution": "5",
"timestamp": "1534153648",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "16",
"object_relation": "protocol",
"value": "TCP",
"Galaxy": [],
"ShadowAttribute": []
}
]
}
]
}
}
​
3.2. Distributed Denial of Service (DDoS) Attack STIX 2.0 format

{
"id": "bundle--fd218113-fc68-4bbf-9293-4941c5ce1ec5",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5",
"created": "2017-07-24T06:33:46.852591Z",
"modified": "2017-07-24T06:33:46.852591Z",
"name": "HTTP DDoS",
"description": "An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This is an equivalent of SYN flood in HTTP.",
"labels": [
"ddos",
"honeypot"
],
"external_references": [
{
"source_name": "capec",
"external_id": "CAPEC-469"
}
]
},
{
"type": "indicator",
"created": "2017-07-24T06:33:46.852591Z",
"description": "indicator for detecting anomalous network traffic from multiple sources",
"id": "indicator--c2448bf6-16a1-4b0c-9478-2a33b3d2e322",
"labels": [
"anomalous-activity"
],
"modified": "2017-07-24T06:33:46.852591Z",
"name": "Anomalous Network Traffic",
"pattern": "[( network-traffic:src_ref.type = 'ipv4-addr') AND ( network-traffic:src_ref.value = '217.18.143.167' OR network-traffic:src_ref.value = '211.22.163.77' OR network-traffic:src_ref.value = '62.215.44.26') AND (network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '139.91.143.175' AND network-traffic:dst_port = '80') AND ( network-traffic:protocols[*] = 'tcp' )] REPEATS 5 TIMES WITHIN 300 SECONDS",
"valid_from": "2017-07-24T06:33:46.852591Z"
},
{
"id": "observed-data--52a5bab7-2cfd-40c6-a35a-b5bcb8afb11b",
"type": "observed-data",
"first_observed": "2017-08-29T13:38:02Z",
"last_observed": "2017-08-29T13:38:02Z",
"number_observed": 5,
"objects": {
"0": {
"type": "network-traffic",
"src_ref": "1",
"dst_ref": "2",
"dst_port": "80",
"protocols": ["tcp"]
},
"1": {
"type": "ipv4-addr",
"value": "217.18.143.167"
},
"2": {
"type": "ipv4-addr",
"value": "139.91.143.175"
},
"3": {
"type": "network-traffic",
"src_ref": "4",
"dst_ref": "2",
"dst_port": "80",
"protocols": ["tcp"]
},
"4": {
"type": "ipv4-addr",
"value": "211.22.163.77"
},
"5": {
"type": "network-traffic",
"src_ref": "6",
"dst_ref": "2",
"dst_port": "80",
"protocols": ["tcp"]
},
"6": {
"type": "ipv4-addr",
"value": "62.215.44.26"
}
}
},
{
"created": "2017-07-24T06:33:46.852904Z",
"id": "relationship--92b36699-a4ce-4e20-aeda-cc41bf6603c5",
"modified": "2017-07-24T06:33:46.852904Z",
"relationship_type": "indicates",
"source_ref": "indicator--c2448bf6-16a1-4b0c-9478-2a33b3d2e322",
"target_ref": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5",
"type": "relationship"
},
{
"type": "sighting",
"id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
"created": "2017-07-24T06:33:46.852591Z",
"modified": "2017-07-24T06:33:46.852591Z",
"sighting_of_ref": "indicator--c2448bf6-16a1-4b0c-9478-2a33b3d2e322",
"observed_data_refs": ["observed-data--52a5bab7-2cfd-40c6-a35a-b5bcb8afb11b"]
}
],
"spec_version": "2.0",
"type": "bundle"
}
​
4. Behavioural Scanning from IP address

4.1. Behavioural Scanning from IP address MISP JSON format

{
"Event": {
"id": "2095",
"orgc_id": "1",
"org_id": "1",
"date": "2018-08-12",
"threat_level_id": "1",
"info": "TCP Syn Scan",
"published": false,
"uuid": "5b7084ab-64a4-46a3-9b89-5a930a00020f",
"attribute_count": "1",
"analysis": "2",
"timestamp": "1534157098",
"distribution": "0",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "0",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "1",
"name": "ARI CS Lab",
"uuid": "5a579708-ab5c-4458-bc14-12d7adba28c8"
},
"Orgc": {
"id": "1",
"name": "ARI CS Lab",
"uuid": "5a579708-ab5c-4458-bc14-12d7adba28c8"
},
"Attribute": [
{
"id": "10576",
"type": "other",
"category": "External analysis",
"to_ids": false,
"uuid": "5b715ecf-dd2c-4761-a379-61ab0a00020f",
"event_id": "2095",
"distribution": "5",
"timestamp": "1534156521",
"comment": "TCP Syn Scan",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "CAPEC-287",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"RelatedEvent": [],
"Galaxy": [],
"Object": [
{
"id": "10",
"name": "stix2-pattern",
"meta-category": "stix2-pattern",
"description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
"template_uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
"template_version": "2",
"event_id": "2095",
"uuid": "92b17ade-f44f-472f-95ac-0bb7fac91994",
"timestamp": "1534157098",
"distribution": "1",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [
{
"id": "18",
"uuid": "5b715f04-19d0-4531-9bc4-60940a00020f",
"timestamp": "1534156548",
"object_id": "10",
"event_id": "2095",
"source_uuid": null,
"referenced_uuid": "5b715ecf-dd2c-4761-a379-61ab0a00020f",
"referenced_id": "10576",
"referenced_type": "0",
"relationship_type": "",
"comment": "",
"deleted": "0",
"Attribute": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "5b715ecf-dd2c-4761-a379-61ab0a00020f",
"type": "other",
"category": "External analysis",
"to_ids": false,
"value": "CAPEC-287"
}
}
],
"Attribute": [
{
"id": "10553",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "8008bd0c-5413-462a-ac47-ede69160593d",
"event_id": "2095",
"distribution": "1",
"timestamp": "1534100651",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": true,
"object_id": "10",
"object_relation": "version",
"value": "stix 2.0",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10554",
"type": "stix2-pattern",
"category": "Network activity",
"to_ids": true,
"uuid": "6b74341d-39d3-41eb-a3d1-81ba8dcfe2a2",
"event_id": "2095",
"distribution": "1",
"timestamp": "1534157098",
"comment": "Anomalous Network Activity",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "10",
"object_relation": "stix2-pattern",
"value": "[(network-traffic:src_ref.value = '217.18.143.138') AND (network-traffic:dst_ref.value = '139.91.143.66' OR network-traffic:dst_ref.value = '139.91.143.8' OR network-traffic:dst_ref.value = '139.91.143.98') AND (network-traffic:dst_port = '445' OR network-traffic:dst_port = '80') AND (network-traffic:protocols[*] ='tcp')]",
"Galaxy": [],
"ShadowAttribute": []
}
]
}
]
}
}
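
The event above is the form in which a MISP instance hands an IoC to the Context-Aware Sharing Module. As an added example (code written for this page, not part of the page itself or of the ETIP or MISP code; the function names are ours), the block below walks such an event: attributes live both directly under Event.Attribute (here the CAPEC-287 reference) and inside each Event.Object (here the stix2-pattern object), to_ids marks the ones intended for detection systems, and event, object and attribute each carry their own distribution level, so the level at which an attribute is actually shared is the most restrictive one, with 5 meaning inherit. The event above is distribution 0 (your organisation only), so the stix2-pattern object marked 1 (this community) would still not leave the instance on a sync. The sample event is condensed from the one above.

```python
"""Walk a MISP event as exported above: attributes sit both directly under
Event.Attribute and inside each Event.Object, and every level carries its
own distribution, so the level an attribute is really shared at has to be
computed. Function names are ours, not MISP or ETIP API names."""
import json

# MISP distribution levels; 5 means "inherit from the parent".
DISTRIBUTION = {0: "your organisation only", 1: "this community only",
                2: "connected communities", 3: "all communities",
                4: "sharing group", 5: "inherit"}

def load_event(text):
    """MISP's JSON export wraps the event in an {"Event": {...}} envelope."""
    return json.loads(text)["Event"]

def effective_distribution(*levels):
    """Most restrictive of the non-inherited levels (event, object, attribute),
    which is what applies when the event is pushed to another instance.
    Assumption: level 4 (sharing group) is not comparable to 0-3 and is
    reported as-is when present."""
    concrete = [int(level) for level in levels if int(level) != 5]
    return 4 if 4 in concrete else min(concrete)

def flatten_event(event):
    """One record per attribute, top-level ones first, then object attributes."""
    records = []
    ev = int(event["distribution"])
    for a in event.get("Attribute", []):
        records.append(_record(a, None, effective_distribution(ev, a["distribution"])))
    for obj in event.get("Object", []):
        for a in obj.get("Attribute", []):
            eff = effective_distribution(ev, obj["distribution"], a["distribution"])
            records.append(_record(a, obj["name"], eff))
    return records

def _record(a, object_name, eff):
    return {"uuid": a["uuid"], "category": a["category"], "type": a["type"],
            "value": a["value"], "to_ids": bool(a["to_ids"]), "object": object_name,
            "object_relation": a.get("object_relation"),
            "effective_distribution": eff, "shared_with": DISTRIBUTION[eff]}

def indicators(event):
    """Attributes flagged to_ids: the ones meant to feed IDS/SIEM rules."""
    return [r for r in flatten_event(event) if r["to_ids"]]

def dangling_object_references(event):
    """ObjectReference entries pointing at no attribute or object of the event."""
    known = {r["uuid"] for r in flatten_event(event)}
    known |= {o["uuid"] for o in event.get("Object", [])}
    return [ref["referenced_uuid"] for o in event.get("Object", [])
            for ref in o.get("ObjectReference", []) if ref["referenced_uuid"] not in known]

# Condensed from the 4.1 event above (ids, uuids and distribution levels are the page's).
EVENT_JSON = json.dumps({"Event": {
    "id": "2095", "info": "TCP Syn Scan", "distribution": "0",
    "Attribute": [{"uuid": "5b715ecf-dd2c-4761-a379-61ab0a00020f", "type": "other",
                   "category": "External analysis", "to_ids": False, "distribution": "5",
                   "object_relation": None, "value": "CAPEC-287"}],
    "Object": [{"name": "stix2-pattern", "uuid": "92b17ade-f44f-472f-95ac-0bb7fac91994",
                "distribution": "1",
                "ObjectReference": [{"referenced_uuid": "5b715ecf-dd2c-4761-a379-61ab0a00020f"}],
                "Attribute": [
                    {"uuid": "8008bd0c-5413-462a-ac47-ede69160593d", "type": "text",
                     "category": "Other", "to_ids": False, "distribution": "1",
                     "object_relation": "version", "value": "stix 2.0"},
                    {"uuid": "6b74341d-39d3-41eb-a3d1-81ba8dcfe2a2", "type": "stix2-pattern",
                     "category": "Network activity", "to_ids": True, "distribution": "1",
                     "object_relation": "stix2-pattern",
                     "value": "[(network-traffic:src_ref.value = '217.18.143.138') AND "
                              "(network-traffic:dst_port = '445' OR network-traffic:dst_port = '80') "
                              "AND (network-traffic:protocols[*] ='tcp')]"}]}]}})
EVENT = load_event(EVENT_JSON)
```

Run dangling_object_references() before trusting the object graph: the ObjectReference in the event above points at the CAPEC-287 attribute by uuid only, and that link is lost if the attribute is dropped when the event is filtered for sharing.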

4.2. Behavioural Scanning from IP address STIX 2.0 format

{
"id": "bundle--fd218113-fc68-4bbf-9293-4941c5ce1ec5",
"objects": [
{
"type": "attack-pattern",
"id": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5",
"created": "2017-07-24T06:33:46.852591Z",
"modified": "2017-07-24T06:33:46.852591Z",
"name": "TCP Syn Scan",
"description": "An attacker uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its enormous advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance.",
"labels": [
"network-reconnaissance",
"honeypot"
],
"external_references": [
{
"source_name": "capec",
"external_id": "CAPEC-287"
}
]
},
{
"created": "2017-07-24T06:33:46.851281Z",
"description": "Anomalous Network Activity",
"id": "indicator--7b774179-3177-4449-90e8-fbf3f52f6306",
"labels": [
"anomalous-activity"
],
"modified": "2017-07-24T06:33:46.851281Z",
"name": "Indicator for anomalous network activity",
"pattern": "[(network-traffic:src_ref.value = '217.18.143.138') AND (network-traffic:dst_ref.value = '139.91.143.66' OR network-traffic:dst_ref.value = '139.91.143.8' OR network-traffic:dst_ref.value = '139.91.143.98') AND (network-traffic:dst_port = '445' OR network-traffic:dst_port = '80') AND (network-traffic:protocols[*] ='tcp')]",
"type": "indicator",
"valid_from": "2017-07-24T06:33:46.851281Z"
},
{
"id": "observed-data--52a5bab7-2cfd-40c6-a35a-b5bcb8afb11b",
"type": "observed-data",
"first_observed": "2017-08-29T13:38:02Z",
"last_observed": "2017-08-29T13:38:02Z",
"number_observed": 1,
"objects": {
"0": {
"type": "network-traffic",
"src_ref": "1",
"dst_ref": "2",
"dst_port": "445",
"protocols": ["tcp"]
},
"1": {
"type": "ipv4-addr",
"value": "217.18.143.138"
},
"2": {
"type": "ipv4-addr",
"value": "139.91.143.66"
},
"3": {
"type": "network-traffic",
"src_ref": "1",
"dst_ref": "4",
"dst_port": "445",
"protocols": ["tcp"]
},
"4": {
"type": "ipv4-addr",
"value": "139.91.143.8"
},
"5": {
"type": "network-traffic",
"src_ref": "1",
"dst_ref": "6",
"dst_port": "445",
"protocols": ["tcp"]
},
"6": {
"type": "ipv4-addr",
"value": "139.91.143.98"
}
}
},
{
"type": "relationship",
"id": "relationship--92b36699-a4ce-4e20-aeda-cc41bf6603c5",
"created": "2017-07-24T06:33:46.852904Z",
"modified": "2017-07-24T06:33:46.852904Z",
"relationship_type": "indicates",
"source_ref": "indicator--7b774179-3177-4449-90e8-fbf3f52f6306",
"target_ref": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5"
},
{
"type": "sighting",
"id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
"created": "2017-07-24T06:33:46.852591Z",
"modified": "2017-07-24T06:33:46.852591Z",
"sighting_of_ref": "indicator--7b774179-3177-4449-90e8-fbf3f52f6306",
"observed_data_refs": ["observed-data--52a5bab7-2cfd-40c6-a35a-b5bcb8afb11b"]
}
],
"spec_version": "2.0",
"type": "bundle"
}
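
Before a bundle like the one above is stored in the Heuristic Database or merged with bundles received from other partners, it is worth checking what STIX 2.0 requires of it. As an added example (code written for this page, not the page's own code nor MISP's STIX export; the function names are ours), the block below checks identifier syntax (type--UUIDv4), that every *_ref resolves inside the bundle, that each relationship type is one the spec defines between the source and target types, and, when several bundles are merged, that an id reused with the same modified timestamp carries identical content, while an id reused with a later modified timestamp is a new version that replaces the earlier one. The sample data is condensed from the 4.2 bundle above and the 5.2 bundle in section 5, which reuse the attack-pattern, observed-data and sighting ids with different content, and whose indicator id has a UUID version nibble of 1 rather than 4; the relationship type 'target' in the sample is deliberately the unpluralised form, which STIX 2.0 does not define (the defined type is 'targets').

```python
"""Consistency checks a consumer should run on STIX 2.0 bundles before
storing or merging them: identifier syntax, dangling references,
relationship types the spec defines, and id/version conflicts."""
import re

# Relationship triples STIX 2.0 defines for the object types used on this page.
ALLOWED_RELATIONSHIPS = {
    ("indicator", "indicates", "attack-pattern"),
    ("indicator", "indicates", "malware"),
    ("indicator", "indicates", "tool"),
    ("attack-pattern", "targets", "identity"),
    ("attack-pattern", "targets", "vulnerability"),
    ("attack-pattern", "uses", "malware"),
    ("attack-pattern", "uses", "tool"),
}
# STIX 2.0 identifiers are "<object-type>--<RFC 4122 version-4 UUID>".
STIX_ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}"
                        r"-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
REF_PROPS = ("created_by_ref", "source_ref", "target_ref", "sighting_of_ref")
REF_LIST_PROPS = ("object_refs", "observed_data_refs", "where_sighted_refs")

def check_bundle(bundle):
    """Return (severity, message) findings for one bundle."""
    findings = []
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if not STIX_ID_RE.match(o["id"]):
            findings.append(("error", f"{o['id']}: not <type>--<UUIDv4>"))
        refs = [o[p] for p in REF_PROPS if p in o]
        refs += [r for p in REF_LIST_PROPS for r in o.get(p, [])]
        for r in refs:
            if r not in ids:
                findings.append(("error", f"{o['id']}: dangling reference {r}"))
        if o["type"] == "relationship":
            triple = (o["source_ref"].split("--")[0], o["relationship_type"],
                      o["target_ref"].split("--")[0])
            if triple not in ALLOWED_RELATIONSHIPS:
                findings.append(("warn", f"{o['id']}: '{triple[1]}' from {triple[0]} "
                                         f"to {triple[2]} is not defined by STIX 2.0"))
    return findings

def merge_bundles(bundles):
    """Merge objects from several bundles under STIX 2.0 versioning rules:
    same id and same 'modified' must be the same object; same id with a
    later 'modified' is a new version that replaces the earlier one."""
    store, findings = {}, []
    for b in bundles:
        for o in b["objects"]:
            prev = store.get(o["id"])
            if prev is None:
                store[o["id"]] = o
            elif prev.get("modified") == o.get("modified"):
                if prev != o:
                    findings.append(("error", f"{o['id']}: same id and modified "
                                              "timestamp but different content"))
            else:
                newer, older = sorted((prev, o), key=lambda x: x.get("modified", ""),
                                      reverse=True)
                changed = [k for k in ("name", "pattern", "source_ref", "target_ref",
                                       "sighting_of_ref") if newer.get(k) != older.get(k)]
                if changed:
                    findings.append(("warn", f"{o['id']}: later version changes "
                                             + ", ".join(changed)))
                store[o["id"]] = newer
    return store, findings

AP = "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5"
OD = "observed-data--52a5bab7-2cfd-40c6-a35a-b5bcb8afb11b"
SI = "sighting--ee20065d-2555-424f-ad9e-0f8428623c75"
IND_SCAN = "indicator--7b774179-3177-4449-90e8-fbf3f52f6306"
IND_RCE = "indicator--a932fcc6-e032-176c-126f-cb970a5a1ade"  # version nibble is 1, not 4
VULN = "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061"
T_JUL, T_SEP = "2017-07-24T06:33:46.852591Z", "2017-09-13T06:33:46.852591Z"

# Condensed from the 4.2 and 5.2 bundles on this page (ids and timestamps are the
# page's, most properties dropped). 'target' is the unpluralised form the check
# should flag; STIX 2.0 defines 'targets'.
SYN_SCAN = {"objects": [
    {"type": "attack-pattern", "id": AP, "modified": T_JUL, "name": "TCP Syn Scan"},
    {"type": "indicator", "id": IND_SCAN, "modified": "2017-07-24T06:33:46.851281Z"},
    {"type": "observed-data", "id": OD, "objects": {"0": {"type": "network-traffic", "dst_port": "445"}}},
    {"type": "relationship", "id": "relationship--92b36699-a4ce-4e20-aeda-cc41bf6603c5",
     "modified": "2017-07-24T06:33:46.852904Z", "relationship_type": "indicates",
     "source_ref": IND_SCAN, "target_ref": AP},
    {"type": "sighting", "id": SI, "modified": T_JUL, "sighting_of_ref": IND_SCAN,
     "observed_data_refs": [OD]}]}
RCE = {"objects": [
    {"type": "vulnerability", "id": VULN, "modified": T_SEP, "name": "Remote Code Execution in ApacheStruts2"},
    {"type": "attack-pattern", "id": AP, "modified": T_SEP, "name": "Remote Code Execution"},
    {"type": "indicator", "id": IND_RCE, "modified": "2017-07-24T06:33:46.851281Z"},
    {"type": "observed-data", "id": OD, "objects": {"0": {"type": "network-traffic", "protocols": ["http"]}}},
    {"type": "relationship", "id": "relationship--57b56a43-b8b0-4cba-9deb-34e3e1faed9e",
     "modified": T_SEP, "relationship_type": "target", "source_ref": AP, "target_ref": VULN},
    {"type": "relationship", "id": "relationship--57b56a43-b8b0-4cba-9deb-43f5f1fead9a",
     "modified": T_SEP, "relationship_type": "indicates", "source_ref": IND_RCE, "target_ref": AP},
    {"type": "sighting", "id": SI, "modified": T_JUL, "sighting_of_ref": IND_RCE,
     "observed_data_refs": [OD]}]}
```

Merging the two bundles silently renames the attack-pattern from 'TCP Syn Scan' to 'Remote Code Execution', because the section 5 copy carries the later modified timestamp: that is STIX versioning working as designed, which is why reusing an id for a different object is something a consumer must catch rather than a cosmetic issue. The observed-data objects on this page carry no created/modified properties (both are required by the spec), so the merge check reports the reused observed-data id as a same-version conflict.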

5. Remote Code Execution

5.1. Remote Code Execution MISP JSON format

{
"Event": {
"id": "2096",
"orgc_id": "4",
"org_id": "4",
"date": "2018-08-12",
"threat_level_id": "1",
"info": "Remote Code Execution in ApacheStruts2",
"published": false,
"uuid": "5b7084ef-3c2c-4891-b58d-545c0a00020f",
"attribute_count": "0",
"analysis": "2",
"timestamp": "1534862585",
"distribution": "1",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "0",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "4",
"name": "ARI CS Lab",
"uuid": "5b7b146b-97a0-4ae6-9c28-28850a00020f"
},
"Orgc": {
"id": "4",
"name": "ARI CS Lab",
"uuid": "5b7b146b-97a0-4ae6-9c28-28850a00020f"
},
"Attribute": [
{
"id": "10580",
"type": "other",
"category": "External analysis",
"to_ids": false,
"uuid": "5b7c2494-2344-421a-89dd-06f30a00020f",
"event_id": "2096",
"distribution": "1",
"timestamp": "1534862525",
"comment": "Remote Code Execution, apachestruts, rest",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "CAPEC-242",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"RelatedEvent": [],
"Galaxy": [],
"Object": [
{
"id": "11",
"name": "stix2-pattern",
"meta-category": "stix2-pattern",
"description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
"template_uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
"template_version": "2",
"event_id": "2096",
"uuid": "ec1a4d1d-3d80-4988-b476-f14cb1e3390c",
"timestamp": "1534100719",
"distribution": "1",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [],
"Attribute": [
{
"id": "10555",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "522abbb1-3ac6-41de-8106-c4613409199f",
"event_id": "2096",
"distribution": "1",
"timestamp": "1534100719",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "11",
"object_relation": "version",
"value": "stix 2.0",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10556",
"type": "stix2-pattern",
"category": "Payload installation",
"to_ids": true,
"uuid": "e389326b-1475-472f-b343-8bd747a64687",
"event_id": "2096",
"distribution": "1",
"timestamp": "1534100719",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "11",
"object_relation": "stix2-pattern",
"value": "[network-traffic:extensions.'http-request-ext'.request_method = 'post' AND network-traffic:extensions.'http-request-ext'.request_value = '\/struts2-rest-showcase\/orders\/3' AND network-traffic:extensions.'http-request-ext'.request_header.'Content-Type' = 'application\/xml']",
"Galaxy": [],
"ShadowAttribute": []
}
]
},
{
"id": "17",
"name": "vulnerability",
"meta-category": "network",
"description": "Vulnerability object describing common vulnerability enumeration",
"template_uuid": "81650945-f186-437b-8945-9f31715d32da",
"template_version": "2",
"event_id": "2096",
"uuid": "5b7c23b8-f9e8-41c9-8cc2-04ec0a00020f",
"timestamp": "1534862264",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [],
"Attribute": [
{
"id": "10578",
"type": "vulnerability",
"category": "External analysis",
"to_ids": false,
"uuid": "5b7c23b8-d990-4595-ab99-04ec0a00020f",
"event_id": "2096",
"distribution": "1",
"timestamp": "1534862264",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "17",
"object_relation": "id",
"value": "CVE-2017-9805",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "10579",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5b7c23b8-d3e4-44a2-9b37-04ec0a00020f",
"event_id": "2096",
"distribution": "5",
"timestamp": "1534862264",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "17",
"object_relation": "text",
"value": "A critical remote code execution vulnerability has been discovered in the popular web application framework Apache Struts, which allows attackers to execute arbitrary code. The root cause of this vulnerability lies in the handling of input data deserialization by the REST plugin of the Apache Struts application. Attackers can embed commands into a vulnerable field of the POST request body. The vulnerability is triggered while processing a crafted POST request with the header \u2018Content-Type\u2019 set to \u2018application\/xml\u2019",
"Galaxy": [],
"ShadowAttribute": []
}
]
}
]
}
}

5.2. Remote Code Execution STIX 2.0 format

{
"id": "bundle--565b3dc8-e61e-4e96-b63d-6931689a298f",
"objects": [
{
"type": "vulnerability",
"name": "Remote Code Execution in ApacheStruts2",
"created": "2017-09-13T06:33:46.852591Z",
"description": "A critical remote code execution vulnerability has been discovered in the popular web application framework Apache Struts, which allows attackers to execute arbitrary code. The root cause of this vulnerability lies in the handling of input data deserialization by the REST plugin of the Apache Struts application. Attackers can embed commands into a vulnerable field of the POST request body. The vulnerability is triggered while processing a crafted POST request with the header ‘Content-Type’ set to ‘application/xml’",
"id": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
"modified": "2017-09-13T06:33:46.852591Z",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2017-9805"
}
],
"labels": [
"apachestruts",
"rest"
]
},
{
"type": "attack-pattern",
"id": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5",
"created": "2017-09-13T06:33:46.852591Z",
"modified": "2017-09-13T06:33:46.852591Z",
"name": "Remote Code Execution",
"description": "Used to describe an attacker's ability to execute any command of the attacker's choice on a target machine or in a target process. It is commonly used in the context of an arbitrary code execution vulnerability to describe a software bug that gives an attacker a way to execute arbitrary code. A program designed to exploit such a vulnerability is called an arbitrary code execution exploit.",
"external_references": [
{
"source_name": "capec",
"external_id": "CAPEC-242"
}
]
},
{
"created": "2017-07-24T06:33:46.851281Z",
"description": "Indicator related to a malicious HTTP POST Request for a potential attempt of arbitrary code execution",
"id": "indicator--a932fcc6-e032-176c-126f-cb970a5a1ade",
"labels": [
"malicious-activity"
],
"modified": "2017-07-24T06:33:46.851281Z",
"name": "Malicious HTTP POST Request",
"pattern": "[network-traffic:extensions.'http-request-ext'.request_method = 'post' AND network-traffic:extensions.'http-request-ext'.request_value = '/struts2-rest-showcase/orders/3' AND network-traffic:extensions.'http-request-ext'.request_header.'Content-Type' = 'application/xml']",
"type": "indicator",
"valid_from": "2017-07-24T06:33:46.851281Z"
},
{
"id": "observed-data--52a5bab7-2cfd-40c6-a35a-b5bcb8afb11b",
"type": "observed-data",
"first_observed": "2017-08-29T13:38:02Z",
"last_observed": "2017-08-29T13:38:02Z",
"number_observed": 1,
"objects": {
"0": {
"type": "network-traffic",
"protocols": ["http"],
"extensions": {
"http-request-ext": {
"request_method": "post",
"request_value": "/struts2-rest-showcase/orders/3",
"request_header": {
"Host": "www.example.com",
"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
"Content-Type": "application/xml"
}
}
}
}
}
},
{
"type": "relationship",
"created": "2017-09-13T06:33:46.852591Z",
"id": "relationship--57b56a43-b8b0-4cba-9deb-34e3e1faed9e",
"modified": "2017-09-13T06:33:46.852591Z",
"relationship_type": "targets",
"source_ref": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5",
"target_ref": "vulnerability--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061"
},
{
"type": "relationship",
"created": "2017-09-13T06:33:46.852591Z",
"id": "relationship--57b56a43-b8b0-4cba-9deb-43f5f1fead9a",
"modified": "2017-09-13T06:33:46.852591Z",
"relationship_type": "indicates",
"source_ref": "indicator--a932fcc6-e032-176c-126f-cb970a5a1ade",
"target_ref": "attack-pattern--7e33a43e-e34b-40ec-89da-36c9bb2cacd5"
},
{
"type": "sighting",
"id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
"created": "2017-07-24T06:33:46.852591Z",
"modified": "2017-07-24T06:33:46.852591Z",
"sighting_of_ref": "indicator--a932fcc6-e032-176c-126f-cb970a5a1ade",
"observed_data_refs": ["observed-data--52a5bab7-2cfd-40c6-a35a-b5bcb8afb11b"]
}
],
"spec_version": "2.0",
"type": "bundle"
}
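
Both indicators on this page (the TCP SYN scan pattern in section 4 and the Struts POST request pattern in section 5) describe their observations with the same restricted form of STIX 2.0 pattern: '=' comparisons joined by AND, with OR only between alternatives for one property. As an added example (code written for this page, not the page's own code nor part of the ETIP platform; the function names are ours), the block below parses that form and evaluates it against the cyber-observables of an observed-data object, resolving src_ref/dst_ref to the ipv4-addr values and walking the http-request-ext extension. The HTTP sample uses the STIX 2.0 property names of that extension (request_method, request_value, request_header). The observations are the page's three flows plus a constructed flow to port 22, the page's request plus a constructed copy with the method in upper case as a web server logs it, and a constructed JSON request to the same path. Anything beyond this pattern form (NOT, MATCHES, LIKE, FOLLOWEDBY, qualifiers) needs a full pattern engine such as the OASIS cti-pattern-matcher.

```python
"""Evaluate the restricted STIX 2.0 pattern form used on this page against
the cyber-observables of an observed-data object.

Assumption: the pattern is one observation expression made of '=' comparisons
joined by AND, where OR appears only between comparisons on the same property
(true of both patterns on this page). Anything richer needs a real engine."""
import re
from collections import defaultdict

# "<type>:<object path> = '<value>'"; the path may contain quoted components.
COMPARISON_RE = re.compile(r"([A-Za-z0-9_-]+:[A-Za-z0-9_.'\[\]*-]+)\s*=\s*'([^']*)'")

def parse_pattern(pattern):
    """'network-traffic:dst_port' -> {'445', '80'} and so on; quoted path
    components such as 'http-request-ext' are normalised by dropping the quotes."""
    constraints = defaultdict(set)
    for prop, value in COMPARISON_RE.findall(pattern):
        constraints[prop.replace("'", "")].add(value)
    return dict(constraints)

def flatten(obj, objects, prefix=""):
    """{'src_ref.value': ['217.18.143.138'], 'protocols[*]': ['tcp'], ...}:
    *_ref keys are resolved through the observed-data 'objects' map, nested
    dicts (extensions) are joined with '.', lists get the '[*]' suffix."""
    out = defaultdict(list)
    for key, val in obj.items():
        if key == "type":
            continue
        path = f"{prefix}.{key}" if prefix else key
        if key.endswith("_ref") and isinstance(val, str) and val in objects:
            sub = flatten(objects[val], objects, path)
        elif isinstance(val, dict):
            sub = flatten(val, objects, path)
        elif isinstance(val, list):
            sub = {path + "[*]": [str(x) for x in val]}
        else:
            sub = {path: [str(val)]}
        for k, v in sub.items():
            out[k].extend(v)
    return out

def matches(constraints, obj, objects):
    """True when, for every constrained property, one observed value is allowed."""
    props = {f"{obj['type']}:{k}": v for k, v in flatten(obj, objects).items()}
    return all(any(v in allowed for v in props.get(prop, []))
               for prop, allowed in constraints.items())

def match_observed_data(pattern, observed_data):
    """Indices of the observable objects that satisfy the pattern."""
    constraints = parse_pattern(pattern)
    objs = observed_data["objects"]
    return [i for i, o in objs.items() if matches(constraints, o, objs)]

SYN_SCAN_PATTERN = ("[(network-traffic:src_ref.value = '217.18.143.138') AND "
                    "(network-traffic:dst_ref.value = '139.91.143.66' OR "
                    "network-traffic:dst_ref.value = '139.91.143.8' OR "
                    "network-traffic:dst_ref.value = '139.91.143.98') AND "
                    "(network-traffic:dst_port = '445' OR network-traffic:dst_port = '80') AND "
                    "(network-traffic:protocols[*] ='tcp')]")
# Flows "0"-"6" are the 4.2 observed-data above; "7" is a constructed flow to port 22.
SYN_SCAN_OBSERVED = {"objects": {
    "0": {"type": "network-traffic", "src_ref": "1", "dst_ref": "2", "dst_port": "445", "protocols": ["tcp"]},
    "1": {"type": "ipv4-addr", "value": "217.18.143.138"},
    "2": {"type": "ipv4-addr", "value": "139.91.143.66"},
    "3": {"type": "network-traffic", "src_ref": "1", "dst_ref": "4", "dst_port": "445", "protocols": ["tcp"]},
    "4": {"type": "ipv4-addr", "value": "139.91.143.8"},
    "5": {"type": "network-traffic", "src_ref": "1", "dst_ref": "6", "dst_port": "445", "protocols": ["tcp"]},
    "6": {"type": "ipv4-addr", "value": "139.91.143.98"},
    "7": {"type": "network-traffic", "src_ref": "1", "dst_ref": "2", "dst_port": "22", "protocols": ["tcp"]}}}

STRUTS_PATTERN = ("[network-traffic:extensions.'http-request-ext'.request_method = 'post' AND "
                  "network-traffic:extensions.'http-request-ext'.request_value = '/struts2-rest-showcase/orders/3' AND "
                  "network-traffic:extensions.'http-request-ext'.request_header.'Content-Type' = 'application/xml']")

def _http(method, content_type):
    return {"type": "network-traffic", "protocols": ["http"], "extensions": {"http-request-ext": {
        "request_method": method, "request_value": "/struts2-rest-showcase/orders/3",
        "request_header": {"Host": "www.example.com", "Content-Type": content_type}}}}

# "0" is the request from the 5.2 observed-data above; "1" and "2" are constructed.
STRUTS_OBSERVED = {"objects": {"0": _http("post", "application/xml"),
                               "1": _http("POST", "application/xml"),
                               "2": _http("post", "application/json")}}
```

Two caveats the results show. String comparison with '=' is case-sensitive in STIX patterning, so the 'post' in the pattern never matches a request recorded as POST: producer and consumer have to agree on normalisation before the pattern is of any use for detection. And the ports on this page are strings where the spec defines dst_port as an integer; this matcher compares everything as strings, whereas a real engine compares typed values and would not match '445' against 445.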