Create STIX pattern rules for query builder. #313
Title (Key) - Value Grouping - Plugins?
Operators?
Type of group? Decorate Group output with characters
Convention Investigate - Qualifier Groups ??
Top Group ( ... ) WITHIN ${V} SECONDS ??
Top Group REPEATS ${V} TIMES

T: File Object Magic Number
T: Easy Patterns
T: File Hash
T: Email Domain
T: Email Attachments Name
T: File Type
T: File Hash
T: File Hash
T: File Hash
T: Windows Registry Key
T: User Account - Account Type
T: User Account - User Id
T: User Account - Account Login
T: Artifact - Payload Bin
T: File Name
T: File Path
T: Windows File Entropy
T: Network Traffic Type
T: Network Traffic Destination
T: Domain Name
T: Domain DNS
T: Url
T: Certificate Issuer
T: Certificate Number
T: File Created Date
T: Email Sender
T: Email Subject
T: USB Serial
T: Process
T: Certain Time Window
T: Network Traffic
T: Malware Artifacts
T: Registry Key
T: Malware Artifacts
T: File Type
Matching a File with a SHA-256 hash
[file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']
Matching an Email Message with a particular From Email Address and Attachment File Name Using a Regular Expression
[email-message:from_ref.value MATCHES '.+\\@example\\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\\.exe$']
Matching a File with a SHA-256 hash and a PDF MIME type
[file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f' AND file:mime_type = 'application/x-pdf']
Matching a File with a SHA-256 or an MD5 hash (e.g., for the case of two different endpoint tools generating either an MD5 or a SHA-256), and a different File that has a different SHA-256 hash, against two different Observations
[file:hashes.'SHA-256' = 'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c' OR file:hashes.MD5 = 'cead3f77f6cda6ec00f57d76c9a6879f'] AND [file:hashes.'SHA-256' = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']
Matching a File with an MD5 hash, followed by (temporally) a Registry Key object that matches a value, within 5 minutes
([file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\foo\\bar']) WITHIN 300 SECONDS
Matching three different, but specific Unix User Accounts
[user-account:account_type = 'unix' AND user-account:user_id = '1007' AND user-account:account_login = 'Peter'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1008' AND user-account:account_login = 'Paul'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1009' AND user-account:account_login = 'Mary']
Matching an Artifact object PCAP payload header
[artifact:mime_type = 'application/vnd.tcpdump.pcap' AND artifact:payload_bin MATCHES '\\xd4\\xc3\\xb2\\xa1\\x02\\x00\\x04\\x00']
Matching a File object with a Windows file path
[file:name = 'foo.dll' AND file:parent_directory_ref.path = 'C:\\Windows\\System32']
Matching on a Windows PE File with high section entropy
[file:extensions.'windows-pebinary-ext'.sections[*].entropy > 7.0]
Matching on a mismatch between a File object magic number and mime type
[file:mime_type = 'image/bmp' AND file:magic_number_hex = h'ffd8']
Matching on Network Traffic with a particular destination
[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.33/32']
Matching on Malware Beaconing to a Domain Name
[network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'example.com'] REPEATS 5 TIMES WITHIN 1800 SECONDS
Matching on a Domain Name with IPv4 Resolution
[domain-name:value = 'www.5z8.info' AND domain-name:resolves_to_refs[*].value = '198.51.100.1/32']
Matching on a URL
[url:value = 'http://example.com/foo' OR url:value = 'http://example.com/bar']
Matching on an X509 Certificate
[x509-certificate:issuer = 'CN=WEBMAIL' AND x509-certificate:serial_number = '4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28']
Matching on a Windows Registry Key
[windows-registry-key:key = 'HKEY_CURRENT_USER\\Software\\CryptoLocker\\Files' OR windows-registry-key:key = 'HKEY_CURRENT_USER\\Software\\Microsoft\\CurrentVersion\\Run\\CryptoLocker_0388']
Matching on a File with a set of properties
[(file:name = 'pdf.exe' OR file:size = 371712) AND file:created = t'2014-01-13T07:03:17Z']
Matching on an Email Message with specific Sender and Subject
[email-message:sender_ref.value = 'jdoe@example.com' AND email-message:subject = 'Conference Info']
Matching on a Custom USB Device
[x-usb-device:usbdrive.serial_number = '575833314133343231313937']
Matching on Two Processes Launched with a Specific Set of Command Line Arguments Within a Certain Time Window
[process:command_line MATCHES '^.+>-add GlobalSign.cer -c -s -r localMachine Root$'] FOLLOWEDBY [process:command_line MATCHES '^.+>-add GlobalSign.cer -c -s -r localMachineTrustedPublisher$'] WITHIN 300 SECONDS
Matching on a Network Traffic IP that is part of a particular Subnet
[network-traffic:dst_ref.value ISSUBSET '2001:0db8:dead:beef:0000:0000:0000:0000/64']
Matching on several different combinations of Malware Artifacts. Note the following pattern requires that both a file and registry key exist, or that one of two processes exist.
([file:name = 'foo.dll'] AND [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\\foo\\bar']) OR [process:image_ref.name = 'fooproc' OR process:image_ref.name = 'procfoo']
STIX-Patterning-Quick-Reference-Card (1).pdf
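The patterns listed above are built from three layers: comparison expressions (`object-path operator literal`), observation expressions (`[...]` joined by `AND`, `OR` or `FOLLOWEDBY`) and qualifiers (`WITHIN n SECONDS`, `REPEATS n TIMES`). The following is an added example, not code from this issue, the project or the STIX specification: a small Python builder that renders those three layers from structured input, quotes object-path components such as `'SHA-256'`, escapes backslashes and single quotes in string literals so a user-supplied value cannot break out of its quotes, and parenthesises compound expressions before a qualifier. It assumes Python's `re` module is close enough to the regex dialect STIX expects for a syntax pre-check of `MATCHES` operands; all function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Comparison operators allowed by the STIX 2.1 patterning grammar.
COMPARISON_OPS = {"=", "!=", ">", "<", ">=", "<=", "IN", "LIKE",
                  "MATCHES", "ISSUBSET", "ISSUPERSET"}
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_INDEX = re.compile(r"(.*?)((?:\[(?:\*|\d+)\])*)", re.DOTALL)

class PatternError(ValueError):
    """Input that cannot be rendered as a valid STIX pattern."""

def string_literal(value):
    """Single-quote a string, escaping backslash and quote with a backslash
    (so C:\\Windows is written 'C:\\\\Windows'); a user-supplied value can
    therefore never close the quote early and alter the pattern."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def literal(value):
    """Render a Python value as the STIX literal of the matching type."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        return string_literal(value)
    raise PatternError(f"unsupported literal type: {type(value).__name__}")

def object_path(object_type, *components):
    """Build e.g. file:hashes.'SHA-256': components that are not plain
    identifiers are quoted, and a trailing [*] or [n] index stays outside."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", object_type):
        raise PatternError(f"bad object type: {object_type!r}")
    parts = []
    for comp in components:
        name, index = _INDEX.fullmatch(comp).groups()
        if not name:
            raise PatternError(f"empty path component in {comp!r}")
        parts.append((name if _IDENT.fullmatch(name) else string_literal(name)) + index)
    return object_type + ":" + ".".join(parts)

def compare(path, op, value):
    """One comparison expression, e.g. file:mime_type = 'application/x-pdf'."""
    if op not in COMPARISON_OPS:
        raise PatternError(f"unknown comparison operator: {op!r}")
    if op == "MATCHES":  # assumption: Python's re approximates the regex dialect STIX expects
        try:
            re.compile(value)
        except (re.error, TypeError) as exc:
            raise PatternError(f"invalid regex {value!r}: {exc}") from exc
    return f"{path} {op} {literal(value)}"

@dataclass(frozen=True)
class Obs:
    """Observation expression; compound=True once two have been combined, which
    is when parentheses are needed before a qualifier or a further combination."""
    text: str
    compound: bool = False

def observation(join, *comparisons):
    """Wrap AND/OR-joined comparisons in brackets: one observation expression."""
    if join not in ("AND", "OR") or not comparisons:
        raise PatternError("an observation needs AND or OR and at least one comparison")
    return Obs("[" + f" {join} ".join(comparisons) + "]")

def _wrap(expr):
    return f"({expr.text})" if expr.compound else expr.text

def combine(op, left, right):
    """Join two observation expressions with AND, OR or FOLLOWEDBY."""
    if op not in ("AND", "OR", "FOLLOWEDBY"):
        raise PatternError(f"unknown observation operator: {op!r}")
    return Obs(f"{_wrap(left)} {op} {_wrap(right)}", compound=True)

def qualify(expr, qualifier, n):
    """Apply WITHIN n SECONDS or REPEATS n TIMES to an observation expression."""
    units = {"WITHIN": "SECONDS", "REPEATS": "TIMES"}
    if qualifier not in units or isinstance(n, bool) or not isinstance(n, int) or n <= 0:
        raise PatternError(f"{qualifier!r} needs a positive integer count")
    return Obs(f"{_wrap(expr)} {qualifier} {n} {units[qualifier]}")

def build_examples():
    """Rebuild three of the patterns quoted in the issue from structured input."""
    md5 = observation("AND", compare(object_path("file", "hashes", "MD5"), "=",
                                     "79054025255fb1a26e4bc422aef54eb4"))
    regkey = observation("AND", compare(object_path("windows-registry-key", "key"), "=",
                                        r"HKEY_LOCAL_MACHINE\foo\bar"))
    beacon = observation("AND",
        compare(object_path("network-traffic", "dst_ref", "type"), "=", "domain-name"),
        compare(object_path("network-traffic", "dst_ref", "value"), "=", "example.com"))
    entropy = object_path("file", "extensions", "windows-pebinary-ext", "sections[*]", "entropy")
    return {
        "md5_then_regkey": qualify(combine("FOLLOWEDBY", md5, regkey), "WITHIN", 300).text,
        "beaconing": qualify(qualify(beacon, "REPEATS", 5), "WITHIN", 1800).text,
        "entropy": observation("AND", compare(entropy, ">", 7.0)).text,
    }

if __name__ == "__main__":
    for name, pattern in build_examples().items():
        print(f"{name}: {pattern}")
```

`combine` always parenthesises an operand that is itself compound, which is what produces the `([...] FOLLOWEDBY [...]) WITHIN 300 SECONDS` form above; qualifiers on a single observation chain without parentheses, as in the beaconing pattern. Pushing every value through `literal` rather than string formatting is the point of the builder: a title/value plugin only ever supplies the object path, the operator and a raw value, and never assembles pattern text itself.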