From eade57bcd5c0ebd9338e6b93b01fdd604644f382 Mon Sep 17 00:00:00 2001 From: rhohimer Date: Wed, 13 Apr 2022 07:40:50 -0700 Subject: [PATCH 01/70] adding json context defintions --- .../stix-2.1/stix2-1_context.json | 270 ++++++++++++++++++ 1 file changed, 270 insertions(+) create mode 100644 context-definitions/stix-2.1/stix2-1_context.json diff --git a/context-definitions/stix-2.1/stix2-1_context.json b/context-definitions/stix-2.1/stix2-1_context.json new file mode 100644 index 0000000..fc11ebe --- /dev/null +++ b/context-definitions/stix-2.1/stix2-1_context.json 
@@ -0,0 +1,270 @@
+ "@context": {
+
+ "xsd": "http://www.w3.org/2001/XMLSchema#",
+ "stix-ns": "http://docs.oasis-open.org/cti/ns/stix#",
+ "adversary-ns": "http://docs.oasis-open.org/cti/ns/stix/adversary#",
+ "attack-ns": "http://attack.mitre.org/ns/attack#",
+ "identity-ns": "http://docs.oasis-open.org/cti/ns/stix/identity#",
+ "indicator-ns": "http://docs.oasis-open.org/cti/ns/stix/indicator#",
+ "malware-ns": "http://docs.oasis-open.org/cti/ns/stix/malware#",
+ "marking-ns": "http://docs.oasis-open.org/cti/ns/data-marking#",
+ "tool-ns": "http://docs.oasis-open.org/cti/ns/stix/tool#",
+ "relationship-ns": "http://docs.oasis-open.org/cti/ns/stix/relationship#",
+ "kb": "http://myKnowledgeGraph.com/kb#",
+ "@base": "http://myKnowledgeGraph.com/kb",
+
+ "objects": "@graph",
+ "id": "@id",
+ "type": "@type",
+
+ "threat-actor": "stix-ns:ThreatActor",
+ "intrusion-set": "stix-ns:IntrusionSet",
+ "indicator": "stix-ns:Indicator",
+ "identity": "stix-ns:Identity",
+ "malware": "stix-ns:Malware",
+ "report": "stix-ns:Report",
+ "tool": "stix-ns:Tool",
+ "relationship": "stix-ns:Relationship",
+ "attack-pattern": "stix-ns:AttackPattern",
+ "marking-definition": "marking-ns:MarkingDefinition",
+ "course-of-action": "stix-ns:CourseOfAction",
+
+ "aliases":{
+ "@id": "stix-ns:aliases",
+ "@type": "xsd:string"
+ },
+ "contact_information": {
+ "@id": "identity-ns:contact_information",
+ "@type": "xsd:string"
+ },
+ "created": {
+ "@id": "stix-ns:created",
+ "@type": "xsd:dateTime"
+ },
+ "description": {
+ "@id": "stix-ns:description",
+ "@type": "xsd:string"
+ },
+ "first_seen": {
+ "@id": "stix-ns:first_seen",
+ "@type": "xsd:dateTime"
+ },
+ "identity_class": {
+ "@id": "identity-ns:identity_class",
+ "@type": "xsd:string"
+ },
+ "is_family": {
+ "@id": "malware-ns:is_family",
+ "@type": "xsd:boolean"
+ },
+ "labels": {
+ "@id": "stix-ns:labels",
+ "@type": "xsd:string"
+ },
+ "last_seen": {
+ "@id": "stix-ns:last_seen",
+ "@type": "xsd:dateTime"
+ },
+ "malware_types": 
{
+ "@id": "malware-ns:malware_types",
+ "@type": "xsd:string"
+ },
+ "modified": {
+ "@id": "stix-ns:modified",
+ "@type": "xsd:dateTime"
+ },
+ "name": {
+ "@id": "stix-ns:name",
+ "@type": "xsd:string"
+ },
+ "pattern": {
+ "@id": "indicator-ns:pattern",
+ "@type": "xsd:string"
+ },
+ "pattern_type": {
+ "@id": "indicator-ns:pattern_type",
+ "@type": "xsd:string"
+ },
+ "primary_motivation":{
+ "@id": "adversary-ns:primary_motivation",
+ "@type": "xsd:string"
+ },
+ "relationship_type": {
+ "@id": "relationship-ns:relationship_type",
+ "@type": "xsd:string"
+ },
+ "resource_level": {
+ "@id": "adversary-ns:resource_level",
+ "@type": "xsd:string"
+ },
+ "roles": {
+ "@id": "adversary-ns:roles",
+ "@type": "xsd:string"
+ },
+ "sectors": {
+ "@id": "identity-ns:sectors",
+ "@type": "xsd:string"
+ },
+ "spec_version": {
+ "@id": "stix-ns:spec_version",
+ "@type": "xsd:string"
+ },
+ "threat_actor_types": {
+ "@id": "adversary-ns:threat_actor_types",
+ "@type": "xsd:string"
+ },
+ "tool_types": {
+ "@id": "tool-ns:tool_types",
+ "@type": "xsd:string"
+ },
+ "valid_from": {
+ "@id": "stix-ns:valid_from",
+ "@type": "xsd:dateTime"
+ },
+
+ "source_name": {
+ "@id": "stix-ns:source-name",
+ "@type": "xsd:string"
+ },
+ "url": {
+ "@id": "stix-ns:url",
+ "@type": "xsd:anyURI"
+ },
+ "external_id": {
+ "@id": "stix-ns:external_id",
+ "@type": "xsd:string"
+ },
+
+
+ "hashes": {
+ "@id": "stix-ns:hashes",
+ "@type": "@id"
+ },
+
+
+
+ "external_references": {
+ "@id": "stix-ns:external_references",
+ "@type": "@id"
+ },
+
+
+ "object_marking_refs": {
+ "@id": "marking-ns:object_marking_refs",
+ "@type": "@id"
+ },
+ "source_ref": {
+ "@id": "relationship-ns:source_ref",
+ "@type": "@id"
+ },
+ "target_ref": {
+ "@id": "relationship-ns:target_ref",
+ "@type": "@id"
+ },
+ "object_ref": {
+ "@id": "stix-ns:object_ref",
+ "@type": "@id"
+ },
+ "object_modified": {
+ "@id": "stix-ns:object_modified",
+ "@type": "xsd:dateTime"
+ },
+
+
+ "x_mitre_contents": {
+ "@id": 
"attack-ns:x_mitre_contents",
+ "@type": "stix-ns:StixObject"
+ },
+ "x_mitre_contributors": {
+ "@id": "attack-ns:x_mitre_contributors",
+ "@type": "xsd:string"
+ },
+ "x_mitre_modified_by_ref": {
+ "@id": "relationship-ns:x_mitre_modified_by_ref",
+ "@type": "@id"
+ },
+ "x_mitre_domains": {
+ "@id": "attack-ns:x_mitre_domains",
+ "@type": "xsd:string"
+ },
+ "x_mitre_detection": {
+ "@id": "attack-ns:x_mitre_detection",
+ "@type": "xsd:string"
+ },
+ "x_mitre_is_subtechnique": {
+ "@id": "attack-ns:x_mitre_is_subtechnique",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_platforms": {
+ "@id": "attack-ns:x_mitre_platforms",
+ "@type": "xsd:string"
+ },
+ "x_mitre_permissions_required": {
+ "@id": "attack-ns:x_mitre_permissions_required",
+ "@type": "xsd:string"
+ },
+ "x_mitre_data_sources": {
+ "@id": "attack-ns:x_mitre_data_sources",
+ "@type": "xsd:string"
+ },
+ "x_mitre_version": {
+ "@id": "attack-ns:x_mitre_version",
+ "@type": "xsd:string"
+ },
+ "x_mitre_attack_spec_version": {
+ "@id": "attack-ns:x_mitre_attack_spec_version",
+ "@type": "xsd:string"
+ },
+
+ "x-mitre-matrix": "attack-ns:Matrix",
+ "x-mitre-tactic": "attack-ns:Tactic",
+ "x-mitre-data-component": "attack-ns:DataComponent",
+ "x-mitre-data-source": "attack-ns:DataSource",
+
+ "x_mitre_data_source_ref": {
+ "@id": "attack-ns:x_mitre_data_source_ref",
+ "@type": "@id"
+ },
+ "tactic_refs": {
+ "@id": "attack-ns:tactic_refs",
+ "@type": "@id"
+ },
+ "x_mitre_collection_layers": {
+ "@id": "attack-ns:x_mitre_collection_layers",
+ "@type": "xsd:string"
+ },
+ "x_mitre_shortname": {
+ "@id": "attack-ns:x_mitre_shortname",
+ "@type": "xsd:string"
+ },
+ "x_mitre_deprecated": {
+ "@id": "attack-ns:x_mitre_deprecated",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_defense_bypassed": {
+ "@id": "attack-ns:x_mitre_defense_bypassed",
+ "@type": "xsd:string"
+ },
+ "x_mitre_effective_permissions": {
+ "@id": "attack-ns:x_mitre_effective_permissions",
+ "@type": "xsd:string"
+ },
+ "x_mitre_impact_type": {
+ 
"@id": "attack-ns:x_mitre_impact_type", + "@type": "xsd:string" + }, + "x_mitre_network_requirements": { + "@id": "attack-ns:x_mitre_network_requirements", + "@type": "xsd:boolean" + }, + "x_mitre_remote_support": { + "@id": "attack-ns:x_mitre_remote_support", + "@type": "xsd:boolean" + }, + "x_mitre_system_requirements": { + "@id": "attack-ns:x_mitre_system_requirements", + "@type": "xsd:string" + } + + + }, \ No newline at end of file From fe5bea09c52fa58e8f25c7991a2e9a096dfef242 Mon Sep 17 00:00:00 2001 From: rhohimer Date: Fri, 3 Jun 2022 15:34:17 -0700 Subject: [PATCH 02/70] working to change vocabularies (not using custom Datatype) --- stix-semex/stix-semex.owl | 19 ++- stix-spec/core/core.owl | 140 +--------------- stix-spec/core/stix-core.owl | 3 - tac/ta-classification-axioms.owl | 98 ------------ tac/tac.owl | 264 +++++++++++++++++-------------- 5 files changed, 158 insertions(+), 366 deletions(-) diff --git a/stix-semex/stix-semex.owl b/stix-semex/stix-semex.owl index 30bfd12..a87c420 100644 --- a/stix-semex/stix-semex.owl +++ b/stix-semex/stix-semex.owl @@ -17,7 +17,6 @@ - @@ -145,15 +144,15 @@ - + - + - + @@ -245,7 +244,7 @@ - + @@ -253,7 +252,7 @@ - + @@ -267,7 +266,7 @@ The outcome of the attacker activity attack activity outcome - + @@ -275,7 +274,7 @@ - + @@ -283,11 +282,11 @@ - + - + \ No newline at end of file diff --git a/stix-spec/core/core.owl b/stix-spec/core/core.owl index d508a49..a44ecd5 100644 --- a/stix-spec/core/core.owl +++ b/stix-spec/core/core.owl @@ -19,8 +19,6 @@ - - 2.1.0 @@ -284,16 +282,7 @@ confidence Identifies the confidence that the creator has in the correctness of their data. The confidence value MUST be a number in the range of 0-100. - - - - - - 100 - - - - + @@ -311,16 +300,7 @@ context A short descriptor of the particular context shared by the content referenced by the Grouping. - - - - - - - - - - + 
@@ -386,41 +366,7 @@ extension types This property specifies one or more extension types contained within this extension.\n\The values for this property MUST come from the extension-type-enum enumeration.\n\nWhen this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. - - - - - legacy - - - new-sco - - - new-sdo - - - new-sro - - - property-extension - - - toplevel-property-extension - - - - - - - - - - - - - - - + @@ -450,16 +396,7 @@ hash_algorithm Represents the cryptographic hash algorithm used.\n\nThe name of the cryptographic hash algorithm used SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary. - - - - - - - - - - + @@ -478,16 +415,7 @@ Dictionary keys MUST come from one of the entries listed in the hash-algorithm-o id Uniquely identifies this object. - - - - - - ^[a-z][a-z0-9-]+[a-z0-9]--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$ - - - - + @@ -583,36 +511,7 @@ Dictionary keys MUST come from one of the entries listed in the hash-algorithm-o opinion Specifies he opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. - - - - - agree - - - disagree - - - neutral - - - strongly-agree - - - strongly-disagree - - - - - - - - - - - - - + @@ -630,16 +529,7 @@ Dictionary keys MUST come from one of the entries listed in the hash-algorithm-o report_types Specifies the primary type(s) of content found in this report.\n\nThe values for this property SHOULD come from the report-type-ov open vocabulary. - - - - - - - - - - + @@ -681,21 +571,7 @@ Dictionary keys MUST come from one of the entries listed in the hash-algorithm-o spec_version Identifies the version of the STIX specification used to represent this object. - - - - - 2.0 - - - 2.1 - - - - - - - + diff --git a/stix-spec/core/stix-core.owl b/stix-spec/core/stix-core.owl index c34f959..b8d980f 100644 
--- a/stix-spec/core/stix-core.owl +++ b/stix-spec/core/stix-core.owl @@ -50,9 +50,6 @@ Abstract based class from which all STIX Domain Objects (SDOs) derive.\n\nSTIX Domain Objects characterize higher-level intelligence objects that represent behaviors and constructs that threat analysts would typically create or work with while understanding the threat landscape. - - - STIX Relationship Object diff --git a/tac/ta-classification-axioms.owl b/tac/ta-classification-axioms.owl index 7e03804..6360c67 100644 --- a/tac/ta-classification-axioms.owl +++ b/tac/ta-classification-axioms.owl @@ -17,103 +17,5 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/tac/tac.owl b/tac/tac.owl index bebadb1..ffcc5c3 100644 --- a/tac/tac.owl +++ b/tac/tac.owl @@ -1,248 +1,251 @@ + ]> - - + - + - + - + - + - + - + - + - + - + - - - + + + - + - + - + - + - + - + - + - + - + - + - - - + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - - - + + + - - - + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + There has been some ambiguity with respect to the differentiation of stix:IntrusionSet and stix:ThreatActor. They are different, and the tac:Adversary class is intended to clarify the differences. @@ -255,32 +258,32 @@ - + - + - + - + - + - + @@ -295,8 +298,23 @@ + + + + + + + + + activist + + + + + + - + \ No newline at end of file From d7f83040d97fadfb23e55aacf3b2ca6193e5805e Mon Sep 17 00:00:00 2001 
From: rhohimer Date: Tue, 7 Jun 2022 15:56:12 -0700 Subject: [PATCH 03/70] adding class expressions to tal library to recognize threat_actor_types --- tac/tac.owl | 15 ++--------- tac/threat-agent-lib/ta-library.owl | 42 +++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 13 deletions(-) diff --git a/tac/tac.owl b/tac/tac.owl index ffcc5c3..84797d6 100644 --- a/tac/tac.owl +++ b/tac/tac.owl @@ -298,19 +298,8 @@ - - - - - - - - - activist - - - - + + tal:ThreatActor and (adversary:threat_actor_types value "nation-state" AND “spy”) diff --git a/tac/threat-agent-lib/ta-library.owl b/tac/threat-agent-lib/ta-library.owl index 42619a7..c10e23b 100644 --- a/tac/threat-agent-lib/ta-library.owl +++ b/tac/threat-agent-lib/ta-library.owl @@ -24,6 +24,12 @@ https://pdfs.semanticscholar.org/391e/70510353ba762fa1580a6d9c002eefd2d86b.pdf https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/understanding-cyberthreat-motivations-to-improve-defense-paper.pdf + + + + + + @@ -145,6 +151,22 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + nation-state + + + + spy + + + + @@ -169,6 +191,26 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + insider-disgruntled + + + + spy + + + + + + From 0e2a2d6f4662eb6361461d623db47f777f60b176 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Sat, 13 Aug 2022 13:54:31 -0700 Subject: [PATCH 04/70] Added DefiningAttribute classes and category instances. --- tac/tac.owl | 1 - .../ta-classification-axioms.owl | 0 tac/threat-agent-lib/ta-library.owl | 252 +++++++++--------- 3 files changed, 123 insertions(+), 130 deletions(-) rename tac/{ => threat-agent-lib}/ta-classification-axioms.owl (100%) diff --git a/tac/tac.owl b/tac/tac.owl index 84797d6..34eacc2 100644 --- a/tac/tac.owl +++ b/tac/tac.owl @@ -23,7 +23,6 @@ - 
diff --git a/tac/ta-classification-axioms.owl b/tac/threat-agent-lib/ta-classification-axioms.owl similarity index 100% rename from tac/ta-classification-axioms.owl rename to tac/threat-agent-lib/ta-classification-axioms.owl diff --git a/tac/threat-agent-lib/ta-library.owl b/tac/threat-agent-lib/ta-library.owl index c10e23b..8a04a0b 100644 --- a/tac/threat-agent-lib/ta-library.owl +++ b/tac/threat-agent-lib/ta-library.owl @@ -34,77 +34,77 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + @@ -113,41 +113,41 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + @@ -173,21 +173,21 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - + + + - - - + + + - - - + + + @@ -221,25 +221,25 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - + + + - - - + + + - - - + + + - - - + + + @@ -249,49 +249,49 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + - - - + + + @@ -313,25 +313,25 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - + + + - - - + + + - - - + + + - - - + + + @@ -418,9 +418,9 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - + + + @@ -440,8 +440,6 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - @@ -464,10 +462,6 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - - From 7176524594da801c417f2d5ae8916da83f7b27eb Mon Sep 17 00:00:00 2001 
From: Ryan Hohimer Date: Tue, 23 Aug 2022 18:15:25 -0700 Subject: [PATCH 05/70] adding axioms for inferring tal:GovernmentSpy --- tac/catalog-v001.xml | 9 ++-- tac/tac.owl | 4 ++ tac/talc.owl | 78 +++++++++++++++++++++++++++++ tac/threat-agent-lib/ta-library.owl | 2 +- 4 files changed, 88 insertions(+), 5 deletions(-) create mode 100644 tac/talc.owl diff --git a/tac/catalog-v001.xml b/tac/catalog-v001.xml index a3ade43..4c15a7a 100644 --- a/tac/catalog-v001.xml +++ b/tac/catalog-v001.xml @@ -1,10 +1,11 @@ + - - - - + + + + diff --git a/tac/tac.owl b/tac/tac.owl index 34eacc2..064abfa 100644 --- a/tac/tac.owl +++ b/tac/tac.owl @@ -250,6 +250,10 @@ There has been some ambiguity with respect to the differentiation of stix:IntrusionSet and stix:ThreatActor. They are different, and the tac:Adversary class is intended to clarify the differences. + + + + diff --git a/tac/talc.owl b/tac/talc.owl new file mode 100644 index 0000000..962b2f2 --- /dev/null +++ b/tac/talc.owl @@ -0,0 +1,78 @@ + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/tac/threat-agent-lib/ta-library.owl b/tac/threat-agent-lib/ta-library.owl index 8a04a0b..547dcce 100644 --- a/tac/threat-agent-lib/ta-library.owl +++ b/tac/threat-agent-lib/ta-library.owl @@ -137,7 +137,7 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + From e29896a70c43c6cd0e469766cece6779d142abf4 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Fri, 16 Sep 2022 19:45:19 -0700 Subject: [PATCH 06/70] added Equivalent class expressions for Threat Actors --- tac/threat-agent-lib/ta-library.owl | 311 ++++++++++++++++++++++++++++ 1 file changed, 311 insertions(+) diff --git a/tac/threat-agent-lib/ta-library.owl b/tac/threat-agent-lib/ta-library.owl index 547dcce..0835ead 100644 --- a/tac/threat-agent-lib/ta-library.owl +++ b/tac/threat-agent-lib/ta-library.owl 
@@ -30,6 +30,9 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + @@ -44,6 +47,42 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -60,6 +99,42 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -80,6 +155,42 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -92,6 +203,42 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -108,6 +255,42 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -143,6 +326,54 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -151,6 +382,46 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -211,6 +482,46 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 9b05cbd3970fb6b3f09e9ee3320f7f1f7519a798 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Wed, 19 Oct 2022 06:40:17 -0700 Subject: [PATCH 07/70] added categorizedBy predicate --- tac/talc.owl | 43 ------------------------------------------- 1 file changed, 43 deletions(-) diff --git a/tac/talc.owl b/tac/talc.owl index 962b2f2..5290e84 100644 --- a/tac/talc.owl +++ b/tac/talc.owl 
@@ -31,48 +31,5 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file From d86ee95270dc7a54ca67f3ba8c79fd901e72cc73 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Thu, 10 Nov 2022 17:14:11 -0800 Subject: [PATCH 08/70] updated the categorization axioms --- tac/talc.owl | 9 +- tac/threat-agent-lib/ta-library.owl | 645 +++++++++++++++++++++++++--- 2 files changed, 596 insertions(+), 58 deletions(-) diff --git a/tac/talc.owl b/tac/talc.owl index 5290e84..ab507e9 100644 --- a/tac/talc.owl +++ b/tac/talc.owl @@ -20,7 +20,7 @@ - + @@ -28,8 +28,11 @@ - - + + + + + \ No newline at end of file diff --git a/tac/threat-agent-lib/ta-library.owl b/tac/threat-agent-lib/ta-library.owl index 0835ead..bb55031 100644 --- a/tac/threat-agent-lib/ta-library.owl +++ b/tac/threat-agent-lib/ta-library.owl @@ -45,6 +45,10 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + @@ -93,6 +97,10 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + @@ -130,7 +138,7 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + @@ -160,14 +168,22 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + - - - - @@ -184,10 +200,6 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - - @@ -208,14 +220,22 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + - - - - @@ -230,11 +250,11 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + @@ -260,14 +280,22 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + - - - - @@ -282,11 +310,11 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + 
@@ -331,6 +359,34 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -339,26 +395,6 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - - - - - - - - - - - - - - - - - - @@ -387,14 +423,22 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + - - - - @@ -415,10 +459,6 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - - @@ -454,6 +494,46 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -491,6 +571,10 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + @@ -509,16 +593,12 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - - - - @@ -526,10 +606,98 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -554,12 +722,52 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -581,13 +789,16 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + + + + @@ -606,10 +817,90 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -618,6 +909,46 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -638,6 +969,54 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -646,6 +1025,42 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -735,14 +1150,134 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 6c674288a263617d6e658dee442ca16202903542 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Mon, 14 Nov 2022 15:17:21 -0800 Subject: [PATCH 09/70] typo in GovernmentSpy definition --- tac/tac.owl | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tac/tac.owl b/tac/tac.owl index 064abfa..e185353 100644 --- a/tac/tac.owl +++ b/tac/tac.owl @@ -301,10 +301,6 @@ - - tal:ThreatActor and (adversary:threat_actor_types value "nation-state" AND “spy”) - - From a72b62dc81f715150d0a08b1209bc03159cb8295 Mon Sep 17 00:00:00 2001 
From: Ryan Hohimer Date: Wed, 28 Dec 2022 10:59:19 -0800 Subject: [PATCH 10/70] directory structure refactor --- README.md | 2 +- .../mitre-custom-properties/x_mitre.owl | 112 ++ open-concepts/open-concepts.owl | 21 + open-concepts/security-playbook/.DS_Store | Bin 0 -> 6148 bytes .../security-playbook/security-playbook.owl | 11 +- .../threat-agent-lib/catalog-v001.xml | 63 + .../threat-agent-lib/ta-library.owl | 330 ++-- .../threat-agent-lib/tal-kb-example.owl | 45 + .../tal-kb-example.properties | 5 + stix-semex/README.md | 1 - stix-semex/catalog-v001.xml | 95 -- stix-semex/security-playbook/catalog-v001.xml | 21 - stix-semex/sro-properties/sro-props.owl | 105 -- stix-semex/stix-semex.owl | 292 ---- stix-spec/catalog-v001.xml | 91 -- stix-spec/core/core-context.owl | 671 -------- stix-spec/core/core.owl | 641 -------- stix-spec/core/grouping-context.owl | 147 -- stix-spec/core/identity-context.owl | 541 ------- stix-spec/core/location-context.owl | 731 --------- stix-spec/core/location.owl | 69 - stix-spec/core/note-context.owl | 141 -- stix-spec/core/note.owl | 33 - stix-spec/core/observed-data-context.owl | 135 -- stix-spec/core/opinion-context.owl | 129 -- stix-spec/core/report-context.owl | 133 -- stix-spec/core/stix-core-context.owl | 351 ---- stix-spec/core/stix-core.owl | 154 -- stix-spec/cti/cti-core-context.owl | 398 ----- stix-spec/cti/cti-core.owl | 242 --- .../cyber-observables/artifact-context.owl | 121 -- .../autonomous-system-context.owl | 91 -- .../cyber-observables/directory-context.owl | 134 -- .../cyber-observables/domain-name-context.owl | 79 - .../email-address-context.owl | 101 -- stix-spec/cyber-observables/file-context.owl | 1368 ---------------- stix-spec/cyber-observables/file.owl | 508 ------ .../cyber-observables/ip-address-context.owl | 131 -- .../cyber-observables/mac-address-context.owl | 71 - .../cyber-observables/message-context.owl | 264 --- stix-spec/cyber-observables/mutex-context.owl | 73 - .../network-traffic-context.owl | 
1438 ----------------- .../cyber-observables/network-traffic.owl | 726 --------- .../cyber-observables/process-context.owl | 680 -------- stix-spec/cyber-observables/process.owl | 455 ------ .../cyber-observables/software-context.owl | 115 -- stix-spec/cyber-observables/uri-context.owl | 71 - .../user-account-context.owl | 354 ---- .../windows-registry-context.owl | 148 -- .../x509-certificate-context.owl | 354 ---- stix-spec/markings/marking-context.owl | 352 ---- .../meta-objects/language-content-context.owl | 135 -- .../relationships/relationship-context.owl | 177 -- stix-spec/relationships/sighting-context.owl | 183 --- stix-spec/stix-spec.owl | 63 - stix-spec/threat-intel/adversary-context.owl | 313 ---- stix-spec/threat-intel/adversary.owl | 426 ----- .../threat-intel/attack-pattern-context.owl | 125 -- stix-spec/threat-intel/campaign-context.owl | 151 -- stix-spec/threat-intel/campaign.owl | 37 - .../threat-intel/course-of-action-context.owl | 117 -- stix-spec/threat-intel/incident-context.owl | 109 -- stix-spec/threat-intel/indicator-context.owl | 175 -- stix-spec/threat-intel/indicator.owl | 128 -- .../threat-intel/infrastructure-context.owl | 149 -- stix-spec/threat-intel/malware-context.owl | 471 ------ stix-spec/threat-intel/tool-context.owl | 125 -- .../threat-intel/vulnerability-context.owl | 117 -- stix/.DS_Store | Bin 0 -> 6148 bytes stix/bundle-object/bundle.fowl | 0 stix/catalog-v001.xml | 55 + stix/core-objects/.DS_Store | Bin 0 -> 8196 bytes stix/core-objects/catalog-v001.xml | 47 + stix/core-objects/common-properties.owl | 289 ++++ stix/core-objects/data-types.owl | 179 ++ stix/core-objects/sco/.DS_Store | Bin 0 -> 16388 bytes .../core-objects/sco/artifact}/artifact.owl | 11 +- .../autonomus-system}/autonomous-system.owl | 9 +- stix/core-objects/sco/directory/.DS_Store | Bin 0 -> 6148 bytes .../core-objects/sco/directory}/directory.owl | 27 +- .../sco/domain-name}/domain-name.owl | 18 +- .../sco/email-address}/email-address.owl | 17 +- 
stix/core-objects/sco/email-message/.DS_Store | Bin 0 -> 6148 bytes .../sco/email-message/email-message.owl | 70 +- stix/core-objects/sco/file/file.owl | 121 ++ stix/core-objects/sco/ipv4-address/.DS_Store | Bin 0 -> 6148 bytes .../sco/ipv4-address/ipv4-address.owl | 33 +- stix/core-objects/sco/ipv6-address/.DS_Store | Bin 0 -> 6148 bytes .../sco/ipv6-address/ipv6-address.owl | 61 + .../sco/mac-address}/mac-address.owl | 11 +- .../core-objects/sco/mutex}/mutex.owl | 5 +- .../sco/network-traffic/network-traffic.owl | 219 +++ stix/core-objects/sco/process/process.owl | 131 ++ .../core-objects/sco/software}/software.owl | 23 +- stix/core-objects/sco/url/.DS_Store | Bin 0 -> 6148 bytes .../core-objects/sco/url/url.owl | 19 +- .../sco/user-account}/user-account.owl | 65 +- .../sco/windows-registry-key/.DS_Store | Bin 0 -> 6148 bytes .../windows-registry-key.owl | 35 +- .../x509-vertificate}/x509-certificate.owl | 66 +- stix/core-objects/sdo/.DS_Store | Bin 0 -> 18436 bytes .../sdo/attack-pattern}/attack-pattern.owl | 36 +- stix/core-objects/sdo/campaign/campaign.owl | 85 + .../course-of-action}/course-of-action.owl | 24 +- .../core-objects/sdo/grouping}/grouping.owl | 60 +- .../core-objects/sdo/identity}/identity.owl | 51 +- .../core-objects/sdo/incident}/incident.owl | 22 +- stix/core-objects/sdo/indicator/indicator.owl | 188 +++ .../sdo/infrastructure}/infrastructure.owl | 96 +- stix/core-objects/sdo/intrusion-set/.DS_Store | Bin 0 -> 6148 bytes .../sdo/intrusion-set/intrusion-set.owl | 85 + stix/core-objects/sdo/location/.DS_Store | Bin 0 -> 6148 bytes stix/core-objects/sdo/location/location.owl | 181 +++ .../sdo/malware-analysis/.DS_Store | Bin 0 -> 6148 bytes .../sdo/malware-analysis/malware-analysis.owl | 142 ++ .../core-objects/sdo/malware}/malware.owl | 600 +++---- stix/core-objects/sdo/note/.DS_Store | Bin 0 -> 6148 bytes stix/core-objects/sdo/note/note.owl | 73 + stix/core-objects/sdo/observed-data/.DS_Store | Bin 0 -> 6148 bytes 
.../sdo/observed-data}/observed-data.owl | 15 +- stix/core-objects/sdo/opinion/.DS_Store | Bin 0 -> 6148 bytes .../core-objects/sdo/opinion}/opinion.owl | 65 +- stix/core-objects/sdo/report/.DS_Store | Bin 0 -> 6148 bytes .../core-objects/sdo/report}/report.owl | 84 +- stix/core-objects/sdo/threat-actor/.DS_Store | Bin 0 -> 6148 bytes .../sdo/threat-actor/threat-actor.owl | 115 ++ .../core-objects/sdo/tool}/tool.owl | 84 +- .../sdo/vulnerability}/vulnerability.owl | 22 +- stix/core-objects/sro/.DS_Store | Bin 0 -> 8196 bytes stix/core-objects/sro/relationship/.DS_Store | Bin 0 -> 6148 bytes .../sro/relationship}/relationship.owl | 30 +- .../sro/relationship/sro-props.owl | 105 ++ stix/core-objects/sro/sighting/.DS_Store | Bin 0 -> 6148 bytes .../core-objects/sro/sighting}/sighting.owl | 25 +- stix/meta-objects/.DS_Store | Bin 0 -> 10244 bytes stix/meta-objects/data-marking/.DS_Store | Bin 0 -> 6148 bytes .../data-marking/data-marking.owl | 43 +- .../extension-definition/.DS_Store | Bin 0 -> 6148 bytes .../extension-definition.owl | 172 ++ stix/meta-objects/language-content/.DS_Store | Bin 0 -> 6148 bytes .../language-content}/language-content.owl | 13 +- {stix-spec => stix}/stix.owl | 68 +- {stix-spec => stix}/vocabularies/vocab.owl | 392 ++++- .../vocabularies/vocabulary-user-defs.owl | 0 tac-kb-example.owl | 23 + tac/.DS_Store | Bin 0 -> 8196 bytes tac/README.md | 15 +- tac/candidate-concepts.owl | 294 ++++ tac/catalog-v001.xml | 152 +- tac/mitre-custom-properties/x_mitre.owl | 112 -- tac/tac-objects/.DS_Store | Bin 0 -> 6148 bytes tac/tac-objects/adversary.owl | 30 + tac/tac-objects/tac-objects.owl | 28 + tac/tac-properties/.DS_Store | Bin 0 -> 6148 bytes tac/tac-properties/tac-properties.owl | 78 + tac/tac.owl | 287 +--- tac/talc.owl | 38 - .../ta-classification-axioms.owl | 21 - 158 files changed, 4517 insertions(+), 17293 deletions(-) create mode 100644 open-concepts/mitre-custom-properties/x_mitre.owl create mode 100644 open-concepts/open-concepts.owl create 
mode 100644 open-concepts/security-playbook/.DS_Store rename {stix-semex => open-concepts}/security-playbook/security-playbook.owl (95%) create mode 100644 open-concepts/threat-agent-lib/catalog-v001.xml rename {tac => open-concepts}/threat-agent-lib/ta-library.owl (72%) create mode 100644 open-concepts/threat-agent-lib/tal-kb-example.owl create mode 100644 open-concepts/threat-agent-lib/tal-kb-example.properties delete mode 100644 stix-semex/README.md delete mode 100644 stix-semex/catalog-v001.xml delete mode 100644 stix-semex/security-playbook/catalog-v001.xml delete mode 100644 stix-semex/sro-properties/sro-props.owl delete mode 100644 stix-semex/stix-semex.owl delete mode 100644 stix-spec/catalog-v001.xml delete mode 100644 stix-spec/core/core-context.owl delete mode 100644 stix-spec/core/core.owl delete mode 100644 stix-spec/core/grouping-context.owl delete mode 100644 stix-spec/core/identity-context.owl delete mode 100644 stix-spec/core/location-context.owl delete mode 100644 stix-spec/core/location.owl delete mode 100644 stix-spec/core/note-context.owl delete mode 100644 stix-spec/core/note.owl delete mode 100644 stix-spec/core/observed-data-context.owl delete mode 100644 stix-spec/core/opinion-context.owl delete mode 100644 stix-spec/core/report-context.owl delete mode 100644 stix-spec/core/stix-core-context.owl delete mode 100644 stix-spec/core/stix-core.owl delete mode 100644 stix-spec/cti/cti-core-context.owl delete mode 100644 stix-spec/cti/cti-core.owl delete mode 100644 stix-spec/cyber-observables/artifact-context.owl delete mode 100644 stix-spec/cyber-observables/autonomous-system-context.owl delete mode 100644 stix-spec/cyber-observables/directory-context.owl delete mode 100644 stix-spec/cyber-observables/domain-name-context.owl delete mode 100644 stix-spec/cyber-observables/email-address-context.owl delete mode 100644 stix-spec/cyber-observables/file-context.owl delete mode 100644 stix-spec/cyber-observables/file.owl delete mode 100644 
stix-spec/cyber-observables/ip-address-context.owl delete mode 100644 stix-spec/cyber-observables/mac-address-context.owl delete mode 100644 stix-spec/cyber-observables/message-context.owl delete mode 100644 stix-spec/cyber-observables/mutex-context.owl delete mode 100644 stix-spec/cyber-observables/network-traffic-context.owl delete mode 100644 stix-spec/cyber-observables/network-traffic.owl delete mode 100644 stix-spec/cyber-observables/process-context.owl delete mode 100644 stix-spec/cyber-observables/process.owl delete mode 100644 stix-spec/cyber-observables/software-context.owl delete mode 100644 stix-spec/cyber-observables/uri-context.owl delete mode 100644 stix-spec/cyber-observables/user-account-context.owl delete mode 100644 stix-spec/cyber-observables/windows-registry-context.owl delete mode 100644 stix-spec/cyber-observables/x509-certificate-context.owl delete mode 100644 stix-spec/markings/marking-context.owl delete mode 100644 stix-spec/meta-objects/language-content-context.owl delete mode 100644 stix-spec/relationships/relationship-context.owl delete mode 100644 stix-spec/relationships/sighting-context.owl delete mode 100644 stix-spec/stix-spec.owl delete mode 100644 stix-spec/threat-intel/adversary-context.owl delete mode 100644 stix-spec/threat-intel/adversary.owl delete mode 100644 stix-spec/threat-intel/attack-pattern-context.owl delete mode 100644 stix-spec/threat-intel/campaign-context.owl delete mode 100644 stix-spec/threat-intel/campaign.owl delete mode 100644 stix-spec/threat-intel/course-of-action-context.owl delete mode 100644 stix-spec/threat-intel/incident-context.owl delete mode 100644 stix-spec/threat-intel/indicator-context.owl delete mode 100644 stix-spec/threat-intel/indicator.owl delete mode 100644 stix-spec/threat-intel/infrastructure-context.owl delete mode 100644 stix-spec/threat-intel/malware-context.owl delete mode 100644 stix-spec/threat-intel/tool-context.owl delete mode 100644 stix-spec/threat-intel/vulnerability-context.owl 
create mode 100644 stix/.DS_Store create mode 100644 stix/bundle-object/bundle.fowl create mode 100644 stix/catalog-v001.xml create mode 100644 stix/core-objects/.DS_Store create mode 100644 stix/core-objects/catalog-v001.xml create mode 100644 stix/core-objects/common-properties.owl create mode 100644 stix/core-objects/data-types.owl create mode 100644 stix/core-objects/sco/.DS_Store rename {stix-spec/cyber-observables => stix/core-objects/sco/artifact}/artifact.owl (90%) rename {stix-spec/cyber-observables => stix/core-objects/sco/autonomus-system}/autonomous-system.owl (89%) create mode 100644 stix/core-objects/sco/directory/.DS_Store rename {stix-spec/cyber-observables => stix/core-objects/sco/directory}/directory.owl (68%) rename {stix-spec/cyber-observables => stix/core-objects/sco/domain-name}/domain-name.owl (80%) rename {stix-spec/cyber-observables => stix/core-objects/sco/email-address}/email-address.owl (76%) create mode 100644 stix/core-objects/sco/email-message/.DS_Store rename stix-spec/cyber-observables/message.owl => stix/core-objects/sco/email-message/email-message.owl (85%) create mode 100644 stix/core-objects/sco/file/file.owl create mode 100644 stix/core-objects/sco/ipv4-address/.DS_Store rename stix-spec/cyber-observables/ip-address.owl => stix/core-objects/sco/ipv4-address/ipv4-address.owl (68%) create mode 100644 stix/core-objects/sco/ipv6-address/.DS_Store create mode 100644 stix/core-objects/sco/ipv6-address/ipv6-address.owl rename {stix-spec/cyber-observables => stix/core-objects/sco/mac-address}/mac-address.owl (70%) rename {stix-spec/cyber-observables => stix/core-objects/sco/mutex}/mutex.owl (90%) create mode 100644 stix/core-objects/sco/network-traffic/network-traffic.owl create mode 100644 stix/core-objects/sco/process/process.owl rename {stix-spec/cyber-observables => stix/core-objects/sco/software}/software.owl (74%) create mode 100644 stix/core-objects/sco/url/.DS_Store rename stix-spec/cyber-observables/uri.owl => 
stix/core-objects/sco/url/url.owl (59%) rename {stix-spec/cyber-observables => stix/core-objects/sco/user-account}/user-account.owl (76%) create mode 100644 stix/core-objects/sco/windows-registry-key/.DS_Store rename stix-spec/cyber-observables/windows-registry.owl => stix/core-objects/sco/windows-registry-key/windows-registry-key.owl (85%) rename {stix-spec/cyber-observables => stix/core-objects/sco/x509-vertificate}/x509-certificate.owl (83%) create mode 100644 stix/core-objects/sdo/.DS_Store rename {stix-spec/threat-intel => stix/core-objects/sdo/attack-pattern}/attack-pattern.owl (63%) create mode 100644 stix/core-objects/sdo/campaign/campaign.owl rename {stix-spec/threat-intel => stix/core-objects/sdo/course-of-action}/course-of-action.owl (69%) rename {stix-spec/core => stix/core-objects/sdo/grouping}/grouping.owl (53%) rename {stix-spec/core => stix/core-objects/sdo/identity}/identity.owl (90%) rename {stix-spec/threat-intel => stix/core-objects/sdo/incident}/incident.owl (65%) create mode 100644 stix/core-objects/sdo/indicator/indicator.owl rename {stix-spec/threat-intel => stix/core-objects/sdo/infrastructure}/infrastructure.owl (57%) create mode 100644 stix/core-objects/sdo/intrusion-set/.DS_Store create mode 100644 stix/core-objects/sdo/intrusion-set/intrusion-set.owl create mode 100644 stix/core-objects/sdo/location/.DS_Store create mode 100644 stix/core-objects/sdo/location/location.owl create mode 100644 stix/core-objects/sdo/malware-analysis/.DS_Store create mode 100644 stix/core-objects/sdo/malware-analysis/malware-analysis.owl rename {stix-spec/threat-intel => stix/core-objects/sdo/malware}/malware.owl (64%) create mode 100644 stix/core-objects/sdo/note/.DS_Store create mode 100644 stix/core-objects/sdo/note/note.owl create mode 100644 stix/core-objects/sdo/observed-data/.DS_Store rename {stix-spec/core => stix/core-objects/sdo/observed-data}/observed-data.owl (87%) create mode 100644 stix/core-objects/sdo/opinion/.DS_Store rename {stix-spec/core 
=> stix/core-objects/sdo/opinion}/opinion.owl (56%) create mode 100644 stix/core-objects/sdo/report/.DS_Store rename {stix-spec/core => stix/core-objects/sdo/report}/report.owl (62%) create mode 100644 stix/core-objects/sdo/threat-actor/.DS_Store create mode 100644 stix/core-objects/sdo/threat-actor/threat-actor.owl rename {stix-spec/threat-intel => stix/core-objects/sdo/tool}/tool.owl (58%) rename {stix-spec/threat-intel => stix/core-objects/sdo/vulnerability}/vulnerability.owl (73%) create mode 100644 stix/core-objects/sro/.DS_Store create mode 100644 stix/core-objects/sro/relationship/.DS_Store rename {stix-spec/relationships => stix/core-objects/sro/relationship}/relationship.owl (64%) create mode 100644 stix/core-objects/sro/relationship/sro-props.owl create mode 100644 stix/core-objects/sro/sighting/.DS_Store rename {stix-spec/relationships => stix/core-objects/sro/sighting}/sighting.owl (86%) create mode 100644 stix/meta-objects/.DS_Store create mode 100644 stix/meta-objects/data-marking/.DS_Store rename stix-spec/markings/marking.owl => stix/meta-objects/data-marking/data-marking.owl (82%) create mode 100644 stix/meta-objects/extension-definition/.DS_Store create mode 100644 stix/meta-objects/extension-definition/extension-definition.owl create mode 100644 stix/meta-objects/language-content/.DS_Store rename {stix-spec/meta-objects => stix/meta-objects/language-content}/language-content.owl (90%) rename {stix-spec => stix}/stix.owl (70%) rename {stix-spec => stix}/vocabularies/vocab.owl (85%) rename {stix-spec => stix}/vocabularies/vocabulary-user-defs.owl (100%) create mode 100644 tac-kb-example.owl create mode 100644 tac/.DS_Store create mode 100644 tac/candidate-concepts.owl delete mode 100644 tac/mitre-custom-properties/x_mitre.owl create mode 100644 tac/tac-objects/.DS_Store create mode 100644 tac/tac-objects/adversary.owl create mode 100644 tac/tac-objects/tac-objects.owl create mode 100644 tac/tac-properties/.DS_Store create mode 100644 
tac/tac-properties/tac-properties.owl delete mode 100644 tac/talc.owl delete mode 100644 tac/threat-agent-lib/ta-classification-axioms.owl diff --git a/README.md b/README.md index 1909451..8985b7e 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ As documented in [Public Participation Invited](https://github.com/oasis-open/ta ## Statement of Purpose -The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to create an ontology for expressing the rich context around Threat Actors. +The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to create an ontology for expressing the rich context around Threat Actors. *Additions to Statement of Purpose* diff --git a/open-concepts/mitre-custom-properties/x_mitre.owl b/open-concepts/mitre-custom-properties/x_mitre.owl new file mode 100644 index 0000000..df022c9 --- /dev/null +++ b/open-concepts/mitre-custom-properties/x_mitre.owl @@ -0,0 +1,112 @@ + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/open-concepts/open-concepts.owl b/open-concepts/open-concepts.owl new file mode 100644 index 0000000..970b8fd --- /dev/null +++ b/open-concepts/open-concepts.owl @@ -0,0 +1,21 @@ + + + + + + +]> + + + + Concepts that will be publicly available, meaning their inclusion in the official GitHub repository of the TAC ontology but have not been developed or encoded by the TAC TC, are called Open. The namespaces of concepts that follow the Open model are not incorporated into the main tac.owl file and thus are not part of the core ontology but users of the TAC ontology can do the imports manually. + + + \ No newline at end of file 
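Review bot: The ontology description added in open-concepts.owl does not read as a sentence — `Concepts that will be publicly available, meaning their inclusion in the official GitHub repository of the TAC ontology but have not been developed or encoded by the TAC TC, are called Open.` leaves the "meaning" clause dangling; suggest `Concepts that are made publicly available by inclusion in the official TAC ontology GitHub repository, but that have not been developed or encoded by the TAC TC, are called Open.` The file is also committed without a trailing newline (`\ No newline at end of file`), which the x_mitre.owl hunk on this line shares; adding one keeps later diffs clean. The XML structure of both new files is not visible in this rendering, so only the text content is reviewed here.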
diff --git a/open-concepts/security-playbook/.DS_Store b/open-concepts/security-playbook/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..733d817a50851a7c56e4f32211a5fb2b0598bfe6 GIT binary patch literal 6148 zcmeHKyH3ME5S)V)k!aE&QQi*_i9aw=Qc&{);6Q<}WCTPgojX1oW*;CdgXk#GthGCL z>zzA$3a<}9S?zAlfCYd#-4L%9re^oeCw7pTLZowzN8I5Vdz|87QvH3xxW{q7;w< zQs7eo`#w~ZGFxA+SA3=H zt&^9tUR&u`^bcdLmos=PCVDI8#9Hymm%3_W-ft3zK&LbBbfSI)Oc$9H_zMNz0hf*+ AZU6uP literal 0 HcmV?d00001 diff --git a/stix-semex/security-playbook/security-playbook.owl b/open-concepts/security-playbook/security-playbook.owl similarity index 95% rename from stix-semex/security-playbook/security-playbook.owl rename to open-concepts/security-playbook/security-playbook.owl index 50bc73f..a9eb523 100644 --- a/stix-semex/security-playbook/security-playbook.owl +++ b/open-concepts/security-playbook/security-playbook.owl @@ -6,8 +6,6 @@ - - ]> An ontology for encapsulating security playbooks and their metadata. This ontology (security-playbook.owl) is based on the metadata template for security playbooks provided at: https://github.com/Vasileios-Mavroeidis/coa-playbook-metadata - @@ -32,11 +27,11 @@ - + - + @@ -44,7 +39,7 @@ - + diff --git a/open-concepts/threat-agent-lib/catalog-v001.xml b/open-concepts/threat-agent-lib/catalog-v001.xml new file mode 100644 index 0000000..ea8627e --- /dev/null +++ b/open-concepts/threat-agent-lib/catalog-v001.xml @@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tac/threat-agent-lib/ta-library.owl b/open-concepts/threat-agent-lib/ta-library.owl similarity index 72% rename from tac/threat-agent-lib/ta-library.owl rename to open-concepts/threat-agent-lib/ta-library.owl index bb55031..52d1ca9 100644 --- a/tac/threat-agent-lib/ta-library.owl +++ b/open-concepts/threat-agent-lib/ta-library.owl @@ -3,6 +3,7 @@ + ]> 
@@ -11,17 +12,13 @@ xmlns:owl="http://www.w3.org/2002/07/owl#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" + xmlns:tac="http://docs.oasis-open.org/tac/ns/tac#" xmlns:tal="http://www.intel.com/ns/ta-library#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - Intel authored the conceptual notions captured in this ontological representation. Intel retains the copyright on the original work, which was published in open format in the 2007 time frame. - -Tim Casey and Intel Corporation were the orignal sources that inspired the members of the OASIS TAC-TC to capture and expand it in a formal ontology langauge, W3C's Ontology Web Language (OWL). - -https://pdfs.semanticscholar.org/391e/70510353ba762fa1580a6d9c002eefd2d86b.pdf - -https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/understanding-cyberthreat-motivations-to-improve-defense-paper.pdf + Intel authored the conceptual notions captured in this ontological representation. Intel retains the copyright on the original work, which was published in open format in the 2007 time frame. Tim Casey and Intel Corporation were the orignal sources that inspired the members of the OASIS TAC-TC to capture and expand it in a formal ontology langauge, W3C's Ontology Web Language (OWL). https://pdfs.semanticscholar.org/391e/70510353ba762fa1580a6d9c002eefd2d86b.pdf https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/understanding-cyberthreat-motivations-to-improve-defense-paper.pdf + @@ -30,9 +27,6 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - - - @@ -57,31 +51,31 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + @@ -113,31 +107,31 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + 
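Review bot: The rewritten description line in the `@@ -11,17 +12,13 @@` hunk carries over two typos from the lines it replaces — `orignal` and `langauge` — and since the line is already being rewritten, fixing them costs nothing: `Tim Casey and Intel Corporation were the original sources ... in a formal ontology language, W3C's Ontology Web Language (OWL)`. Collapsing the attribution paragraphs and the two reference URLs into a single line also makes the annotation harder to read in ontology editors; if the collapse is intentional rather than an editor artifact, consider moving the URLs into separate `rdfs:seeAlso` annotations. The new `xmlns:tac` declaration means the threat-agent library, now under open-concepts, references the core tac namespace; a short header comment stating why the Open library depends on the core namespace would help readers of the reorganised tree.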
@@ -171,33 +165,33 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + @@ -223,37 +217,37 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + @@ -283,37 +277,37 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + @@ -362,15 +356,15 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + @@ -378,33 +372,33 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + @@ -426,37 +420,37 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + @@ -500,35 +494,35 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + @@ -568,35 +562,35 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + @@ -612,35 +606,35 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + @@ -658,41 +652,41 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + - + @@ -728,31 +722,31 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + @@ -823,35 +817,35 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + @@ -867,35 +861,35 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + @@ -915,35 +909,35 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + 
@@ -977,41 +971,41 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + - + @@ -1031,31 +1025,31 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + @@ -1156,35 +1150,35 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + @@ -1200,31 +1194,31 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + @@ -1242,37 +1236,37 @@ https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unders - + - + - + - + - + - + - + - + diff --git a/open-concepts/threat-agent-lib/tal-kb-example.owl b/open-concepts/threat-agent-lib/tal-kb-example.owl new file mode 100644 index 0000000..21711bf --- /dev/null +++ b/open-concepts/threat-agent-lib/tal-kb-example.owl @@ -0,0 +1,45 @@ + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/open-concepts/threat-agent-lib/tal-kb-example.properties b/open-concepts/threat-agent-lib/tal-kb-example.properties new file mode 100644 index 0000000..910af43 --- /dev/null +++ b/open-concepts/threat-agent-lib/tal-kb-example.properties @@ -0,0 +1,5 @@ +#Wed Dec 28 19:20:11 CET 2022 +jdbc.url= +jdbc.driver= +jdbc.user= +jdbc.password= diff --git a/stix-semex/README.md b/stix-semex/README.md deleted file mode 100644 index 8b13789..0000000 --- a/stix-semex/README.md +++ /dev/null @@ -1 +0,0 @@ - diff --git a/stix-semex/catalog-v001.xml b/stix-semex/catalog-v001.xml deleted file mode 100644 index 6102372..0000000 --- a/stix-semex/catalog-v001.xml +++ /dev/null @@ -1,95 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
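Review bot: `tal-kb-example.properties` commits a JDBC connection template with `jdbc.user=` and `jdbc.password=` slots into the repository; the values are empty now, but a tracked file like this invites a developer to fill in real database credentials locally and then commit them with the next `git add`. Prefer adding the path to `.gitignore` and committing a clearly named template (for example `tal-kb-example.properties.example`) with placeholder values, or at least a header comment `# do not commit real credentials; supply them via environment or a local, ignored copy`. The `#Wed Dec 28 19:20:11 CET 2022` header looks like the output of Java's `Properties.store()`, so the file appears tool-generated rather than hand-authored, which is a further sign it was not meant to be tracked. The same hygiene point applies to the many `.DS_Store` files added elsewhere in this commit (visible in the diffstat): macOS Finder metadata that belongs in `.gitignore`, not in the ontology repository.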
diff --git a/stix-semex/security-playbook/catalog-v001.xml b/stix-semex/security-playbook/catalog-v001.xml deleted file mode 100644 index 6b2f0bf..0000000 --- a/stix-semex/security-playbook/catalog-v001.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - diff --git a/stix-semex/sro-properties/sro-props.owl b/stix-semex/sro-properties/sro-props.owl deleted file mode 100644 index 509ff07..0000000 --- a/stix-semex/sro-properties/sro-props.owl +++ /dev/null @@ -1,105 +0,0 @@ - - - - - - -]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-semex/stix-semex.owl b/stix-semex/stix-semex.owl deleted file mode 100644 index a87c420..0000000 --- a/stix-semex/stix-semex.owl +++ /dev/null @@ -1,292 +0,0 @@ - - - - - - -]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - goal - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - The outcome of the attacker activity - attack activity outcome - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/catalog-v001.xml b/stix-spec/catalog-v001.xml deleted file mode 100644 index 97dbf89..0000000 --- a/stix-spec/catalog-v001.xml +++ /dev/null @@ -1,91 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
diff --git a/stix-spec/core/core-context.owl b/stix-spec/core/core-context.owl deleted file mode 100644 index 5f319ff..0000000 --- a/stix-spec/core/core-context.owl +++ /dev/null @@ -1,671 +0,0 @@ - - - - - - - - -]> - - - - - 2.1.0 - - - - - - - - - - - - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - grouping - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - note - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - opinion - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - report - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/core/core.owl b/stix-spec/core/core.owl deleted file mode 100644 index a44ecd5..0000000 --- a/stix-spec/core/core.owl +++ /dev/null 
@@ -1,641 +0,0 @@ - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - Extension - Characterizes the base of all extensions to Cyber Observable objects. - - - - - - - - - - - - - - - - - - - - - - - Extension Definition - - - - - ExternalReference - Used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material. - - - - - Grouping - A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. - - - - - Hash - Represents a cryptographic hashes, as a special set of key/value pairs. - - - - - - - - KeyValue - A key-value pair (KVP) is a set of two linked data items: a key, which is a unique identifier for some item of data, and the value, which is either the data that is identified or a pointer to the location of that data. The key MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. - - - - - KillChainPhase - Represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. - - - - - Note - A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). 
- - - - - Opinion - An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. - - - - - Report - Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. - - - - - - - StixCyberObservable - STIX Cyber-observable Object (SCOs) characterizes a host-based and network-based information.\n\nA STIX Cyber Observable Object (SCOs) document the facts concerning what happened on a network or host, and do not capture the who, when, or why. - - - - http://docs.oasis-open.org/cti/ns/stix# - STIX Domain Objects (SDOs) represent a corresponding unique concept commonly represented in Cyber Threat Intelligence. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - STIX Object - Abstract base class from which all STIX objects are derived. - - - - abstract - A brief summary of the content. - - - - - administrative_area - The state, province, or other sub-national administrative area that this Location describes. - - - - - aliases - Specifies a list of other names that this entity is believed to use or is referred to by. - - - - - analysis_ended - Specifies the date and time that the analysis ended. - - - - - analysis_sco_refs - Specifies the references to the STIX Cyber-observable Objects that were captured during the analysis process. 
- - - - - analysis_started - Specifies the date and time that the analysis was initiated. - - - - - atime - Specifies the date and time the directory or file was last accessed. - - - - - authors - Specifies a list of the names of the author(s) of the content. - - - - - city - The name of the city. - - - - - comment - Specifies a comment included as part of the associated entity. - - - - - confidence - Identifies the confidence that the creator has in the correctness of their data. The confidence value MUST be a number in the range of 0-100. - - - - - contains refs - Specifies a list of references to other Cyber-observable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension. - - - - - content - Specifies the content of the note. - - - - - context - A short descriptor of the particular context shared by the content referenced by the Grouping. - - - - - count - Specifies a count of the number of times the something occurred. - - - - - country - The valid ISO 3166-1 ALPHA-2 Code [ISO3166-1] that is asigned to the country. - - - - - created - Idicates the date and time at which the object was originally created.\n\nThe object creator can use the time it deems most appropriate as the time the object was created. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise. - - - - - created_by_ref - Specifies the id property of the identity object that describes the entity that created this object.\n\nIf this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. 
- - - - - created_by_ref_id - Specifies the identifier of the Identity object that describes the entity that created this object.\n\nIf this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. - - - - - ctime - Specifies the date and time the file or directory was created. - - - - - defanged - Specifies whether or not the data contained within the object has been defanged.\n\nThis property MUST NOT be used on any STIX Objects other than SCOs. - - - - - description - Specifies a human readable description. - - - - - explanation - An explanation of why the producer has this Opinion. - - - - - extension_properties - This property contains the list of new property names that are added to an object by an extension.\n\nThis property MUST only be used when the extension_types property includes a value of toplevel-property-extension. In other words, when new properties are being added at the top-level of an existing object - - - - - extension types - This property specifies one or more extension types contained within this extension.\n\The values for this property MUST come from the extension-type-enum enumeration.\n\nWhen this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. - - - - - extensions - Specifies any extensions of the object - - - - - external id - An identifier for the external reference content. - - - - - external_references - Specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. - - - - - first_seen - Specifies the date and time that this entity was first seen.\n\nA summary property of data from sightings and other data that may or may not be available in STIX. 
If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - - - - - hash_algorithm - Represents the cryptographic hash algorithm used.\n\nThe name of the cryptographic hash algorithm used SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary. - - - - - hash_value - Represents the cryptographic hash value. - - - - - hashes - Specifies a set of hashes for the contents of the url. This SHOULD be provided when the url property is present. -Dictionary keys MUST come from one of the entries listed in the hash-algorithm-ov open vocabulary. - - - - - id - Uniquely identifies this object. - - - - - key_identifier - Specifies a unique identifer for some item of data. The key MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). A key identifier MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. - - - - - key_value - A key value is the data that is associated with the key identified. The values MUST be valid property base types. - - - - - - - - kill chain phases - Specifies the kill chain phase(s) to which this indicator corresponds. - - - - - labels - Specifies a set of terms used to describe this object. The terms are user-defined or trust-group defined and their meaning is outside the scope of this specification and MAY be ignored. - - - - - lang - Identifies the language of the text content in this object. When present, it MUST be a language code conformant to [RFC5646]. If the property is not present, then the language of the content is en (English).\n\nThis property SHOULD be present if the object type contains translatable text properties (e.g. name, description). - - - - - languages - Specifies the languages supported by the software. 
The value of each list member MUST be an ISO 639-2 language code - - - - - last_seen - Specifies the date and time that this entity was last seen.\n\nA summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. This MUST be greater than or equal to the timestamp in the first_seen property. - - - - - machine_hex - Specifies the type of target machine. - - - - - mime_type - Specifies the MIME type name specified for the object.\n\nWhenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types].\n\nMaintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. - - - - - modified - Represents the date and time that this particular version of the object was last modified.\n\nThe object creator can use the time it deems most appropriate as the time this version of the object was modified. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise.\n\nObject creators MUST set the modified property when creating a new version of an object if the created property was set. - - - - - mtime - Specifies the date and time the directory or file was last written to/modified. - - - - - name - Specifies the name used to identity the entity. - - - - - - - - - object_refs - Specifies a list of STIX Objects that are referred to by this entity. - - - - - object_type - Identifies the type of the Object. The value of the type property MUST be the name of one of the types of Objects or the name of a custom Object. 
- - - - opinion - Specifies he opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. - - - - - postal_code - - - - - - published - Specifies the date that this Report object was officially published by the creator of this report. The publication date (public release, legal release, etc.) may be different than the date the report was created or shared internally (the date in the created property). - - - - - report_types - Specifies the primary type(s) of content found in this report.\n\nThe values for this property SHOULD come from the report-type-ov open vocabulary. - - - - - revoked - Indicates whether the object has been revoked.\n\nRevoked objects are no longer considered valid by the object creator. Revoking an object is permanent; future versions of the object with this id MUST NOT be created. - - - - - sample_ref - Specifies the reference to the Cyber Observable object that this analysis was performed against. - - - - - sample_refs - Specifies the sample_refs property specifies a list of identifiers of the Cyber Observable objects associated with this entity. - - - - - schema - Specifies a URL that points to a JSON schema or a location that contains information about the schema. - - - - - sid - Specifies the Windows Security ID (SID) value - - - - - source name - - - - - - spec_version - Identifies the version of the STIX specification used to represent this object. - - - - - start_time - Represents the earliest date and time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the start_time property is defined, then this represents an estimate by the producer of the intelligence of the earliest time at which relationship will be asserted to be true.\n\nIf it is not specified, then the earliest time at which the relationship between the objects exists is not defined. 
- - - - - - - - - stop_time - Specifies the latest date and time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the stop_time property is defined, then this represents an estimate by the producer of the intelligence of the latest time at which relationship will be asserted to be true.\n\nIf start_time and stop_time are both defined, then stop_time MUST be later than the start_time value.\n\nIf stop_time is not specified, then the latest time at which the relationship between the objects exists is either not known, not disclosed, or has no defined stop time. - - - - - street_address - The street address that this Location describes. This property includes all aspects or parts of the street address. For example, some addresses may have multiple lines including a mailstop or apartment number. - - - - - submitted - Specifies the date and time that the entity was first submitted for scanning or analysis. This value will stay constant while the scanned date can change. - - - - - type - Identifies the type of STIX Object. The value of the type property MUST be the name of one of the types of STIX Objectsor the name of a Custom Object. - - - - - url - Specifies a URL reference to an external resource - - - - - valid_from - Specifies the date and time from which this this entity is considered to be valid for the behaviors it is related or represents. - - - - - valid_until - Specifies the date and time at which this entity should no longer be considered valid for the behaviors it is related to or represents.\n\nIf the valid_until property is omitted, then there is no constraint on the latest time for which the entity is valid.\n\nThis MUST be greater than the timestamp in the valid_from property. - - - - - vendor - Specifies the name of the vendor of the software. - - - - - version - Specifies the version of the entity. - - - - \ No newline at end of file 
diff --git a/stix-spec/core/grouping-context.owl b/stix-spec/core/grouping-context.owl deleted file mode 100644 index bdad956..0000000 --- a/stix-spec/core/grouping-context.owl +++ /dev/null @@ -1,147 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - grouping - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/core/identity-context.owl b/stix-spec/core/identity-context.owl deleted file mode 100644 index cc1b590..0000000 --- a/stix-spec/core/identity-context.owl +++ /dev/null 
@@ -1,541 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - group - - - - - - group - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - identity - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - individual - - - - - - individual - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - class - - - - - - industry-sector - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - organization - - - - - - organization - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/core/location-context.owl b/stix-spec/core/location-context.owl deleted file mode 100644 index 13a5643..0000000 --- a/stix-spec/core/location-context.owl +++ /dev/null 
@@ -1,731 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - civic-location - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - country - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - global-position - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - location - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - region - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/core/location.owl b/stix-spec/core/location.owl deleted file mode 100644 index 0686140..0000000 --- a/stix-spec/core/location.owl +++ /dev/null 
@@ -1,69 +0,0 @@ - - - - - - - - - -]> - - - - - 2.1.0 - - - - - Civic Location - Identifies an actual civic location (e.g., street address, city, administrative area, postal code). - - - - - Country - Identifies an actual country. - - - - - Global Position - Identifies a physical position on the globe. - - - - - STIX Location - A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. - - - - - Region - Identifies an actual region in the world. - - - - building details - Specifies additional details about the location within a building including things like floor, room, etc. - - - - - network details - Specifies additional details about this network location including things like wiring closet, rack number, rack location, and VLANs. - - - - \ No newline at end of file diff --git a/stix-spec/core/note-context.owl b/stix-spec/core/note-context.owl deleted file mode 100644 index 51d83be..0000000 --- a/stix-spec/core/note-context.owl +++ /dev/null @@ -1,141 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - note - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/core/note.owl b/stix-spec/core/note.owl deleted file mode 100644 index 9f4eeee..0000000 --- a/stix-spec/core/note.owl +++ /dev/null 
@@ -1,33 +0,0 @@ - - - - - - - - - -]> - - - - - 2.1.0 - - - - - Note - A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). - - - \ No newline at end of file diff --git a/stix-spec/core/observed-data-context.owl b/stix-spec/core/observed-data-context.owl deleted file mode 100644 index d356d6c..0000000 --- a/stix-spec/core/observed-data-context.owl +++ /dev/null @@ -1,135 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - observed-data - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/core/opinion-context.owl b/stix-spec/core/opinion-context.owl deleted file mode 100644 index 10a527a..0000000 --- a/stix-spec/core/opinion-context.owl +++ /dev/null @@ -1,129 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - opinion - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/core/report-context.owl b/stix-spec/core/report-context.owl deleted file mode 100644 index 9f6e6d4..0000000 --- a/stix-spec/core/report-context.owl +++ /dev/null @@ -1,133 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - report - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/stix-spec/core/stix-core-context.owl b/stix-spec/core/stix-core-context.owl deleted file mode 100644 index 5b40103..0000000 --- a/stix-spec/core/stix-core-context.owl +++ /dev/null @@ -1,351 +0,0 @@ - - - - - - - - - - -]> - - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/core/stix-core.owl b/stix-spec/core/stix-core.owl deleted file mode 100644 index b8d980f..0000000 --- a/stix-spec/core/stix-core.owl +++ /dev/null 
@@ -1,154 +0,0 @@ - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - KillChainPhase - Represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. - - - - - STIX Meta Object - Abstract base class from which all STIX Meta Objects (SMO) derive.\n\nSTIX Meta Objects characterize the necessary glue and associated metadata to enrich or extend STIX Core Objects to support user and system workflows. - - - - - STIX Cyber-Observable Object - Abstract base class from which all STIX Cyber-observable Object (SCOs) derive.\n\nSTIX Cyber Observables characterize observed facts about a network or host that may be used and related to higher level intelligence to form a more complete understanding of the threat landscape. - - - - - STIX Domain Object - Abstract based class from which all STIX Domain Objects (SDOs) derive.\n\nSTIX Domain Objects characterize higher-level intelligence objects that represent behaviors and constructs that threat analysts would typically create or work with while understanding the threat landscape. - - - - - STIX Relationship Object - A bstract base class from which all STIX Relationship objects (SROs) derive.\n\nSTIX Relationship Objects STIX Relationship Objects connect STIX Domain Objects together, STIX Cyber-observable Objects together, and connect STIX Domain Objects and STIX Cyber-observable Objects together to form a more complete understanding of the threat landscape. - - - - analysis_sco_refs - Specifies references to STIX Cyber-observable Objects that were captured during the analysis process. - - - - - analysis_sco_refs_id - Specifies the identifiers of STIX Cyber-observable Objects that were captured during the analysis process. 
- - - - - contains_refs - Specifies a list of references to other STIX CyberObservable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension. - - - - - contains_refs_id - Specifies a list of identifiers of other STIX Cyber Observable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension - - - - - defanged - Specifies whether or not the data contained within the object has been defanged.\n\nThis property MUST only be used on STIX Cyber Observable Objects. - - - - - kill_chain_name - Specifies the name of the kill chain.\n\nThe value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.@{en-US} - - - - - kill chain phases - Specifies the kill chain phase(s) to which this indicator corresponds. - - - - object_ref - Specifies a reference to a STIX Object that is referred to by this entity. - - - - - object_ref_id - Specifies the identifier of a STIX Object that is referred to by this entity. - - - - - object_refs - Specifies a list of references to STIX Objects that are referred to by this entity. - - - - - object_refs_id - Specifies a list of identifiers of STIX Objects that are referred to by this entity. - - - - - phase_name - Specifies the name of the phase in the kill chain.\n\nThe value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators. - - - - - sample_ref - Specifies a reference to the Cyber Observable object that this analysis was performed against. 
- - - - - sample_ref_id - Specifies the identifier of the Cyber Observable object that this analysis was performed against. - - - - - sample_refs - Specifies a list of references to the Cyber Observable objects associated with this entity. - - - - - sample_refs_id - Specifies a list of identifiers to the Cyber Observable objects associated with this entity. - - - - \ No newline at end of file diff --git a/stix-spec/cti/cti-core-context.owl b/stix-spec/cti/cti-core-context.owl deleted file mode 100644 index c260409..0000000 --- a/stix-spec/cti/cti-core-context.owl +++ /dev/null @@ -1,398 +0,0 @@ - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - identity - - - - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cti/cti-core.owl b/stix-spec/cti/cti-core.owl deleted file mode 100644 index a9d77fd..0000000 --- a/stix-spec/cti/cti-core.owl +++ /dev/null 
@@ -1,242 +0,0 @@ - - - - - - -]> - - - - 2.1.0 - - - - MD5 Hash Value - Specifies the MD5 message digest algorithm. The corresponding hash string for this value MUST be a valid MD5 message digest as defined in [RFC1321]. - - - - - SHA-1 Hash Value - Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA-1 message digest as defined in [RFC3174]. - - - - - SHA-256 Hash Value - Specifies the SHA-256 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-256 message digest as defined in [RFC6234]. - - - - - SHA-512 Hash Value - Specifies the SHA-512 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-512 message digest as defined in [RFC6234]. - - - - - SHA3-256 Hash Value - Specifies the SHA3-256 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-256 message digest as defined in [FIPS202]. - - - - - SHA3-512 Hash Value - Specifies the SHA3-512 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-512 message digest as defined in [FIPS202]. - - - - - SSDEEP Hash Value - Specifies the ssdeep fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid piecewise hash as defined in the [SSDEEP] specification. - - - - - TLSH Hash Value - Specifies the TLSH fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid 35 byte long hash as defined in the [TLSH] specification. - - - - - latitude - The WGS84 latitude of a SpatialThing (decimal degrees).\n\nPositive numbers describe latitudes north of the equator, and negative numbers describe latitudes south of the equator. The value of this property MUST be between -90.0 and 90.0, inclusive.\n\nIf the longitude property is present, this property MUST be present. 
- - - - - longitude - The WGS84 longitude of a SpatialThing (decimal degrees).\n\nPositive numbers describe longitudes east of the prime meridian and negative numbers describe longitudes west of the prime meridian. The value of this property MUST be between -180.0 and 180.0, inclusive.\n\nIf the latitude property is present, this property MUST be present. - - - - - precision - Defines the precision of the coordinates specified by the latitude and longitude properties. This is measured in meters. The actual Location may be anywhere up to precision meters from the defined point.\n\nIf this property is not present, then the precision is unspecified.\n\nIf this property is present, the latitude and longitude properties MUST be present. - - - - - region - The region that this Location describes.\n\nThe value for this property SHOULD come from the region-ov open vocabulary. - - - - - africa - - - americas - - - antarctica - - - asia - - - australia-new-zealand - - - caribbean - - - central-america - - - central-asia - - - eastern-africa - - - eastern-asia - - - eastern-europe - - - europe - - - latin-america-caribbean - - - melanesia - - - micronesia - - - middle-africa - - - northern-africa - - - northern-america - - - northern-europe - - - oceana - - - polynesia - - - south-america - - - south-eastern-asia - - - southern-africa - - - southern-asia - - - southern-europe - - - western-africa - - - western-asia - - - western-europe - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/artifact-context.owl b/stix-spec/cyber-observables/artifact-context.owl deleted file mode 100644 index ca03d75..0000000 --- a/stix-spec/cyber-observables/artifact-context.owl +++ /dev/null 
@@ -1,121 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - artifact - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/autonomous-system-context.owl b/stix-spec/cyber-observables/autonomous-system-context.owl deleted file mode 100644 index 2b6dc7b..0000000 --- a/stix-spec/cyber-observables/autonomous-system-context.owl +++ /dev/null @@ -1,91 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - autonomous-system - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/directory-context.owl b/stix-spec/cyber-observables/directory-context.owl deleted file mode 100644 index bd0b794..0000000 --- a/stix-spec/cyber-observables/directory-context.owl +++ /dev/null @@ -1,134 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - directory - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/domain-name-context.owl b/stix-spec/cyber-observables/domain-name-context.owl deleted file mode 100644 index 5f3c448..0000000 --- a/stix-spec/cyber-observables/domain-name-context.owl +++ /dev/null @@ -1,79 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - domain-name - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/stix-spec/cyber-observables/email-address-context.owl b/stix-spec/cyber-observables/email-address-context.owl deleted file mode 100644 index 0b25083..0000000 --- a/stix-spec/cyber-observables/email-address-context.owl +++ /dev/null @@ -1,101 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - email-addr - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/file-context.owl b/stix-spec/cyber-observables/file-context.owl deleted file mode 100644 index 2a0eb9c..0000000 --- a/stix-spec/cyber-observables/file-context.owl +++ /dev/null 
@@ -1,1368 +0,0 @@ - - - - - - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - file - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - file - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - file - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - file - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - file - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - file - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - 
- - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/file.owl b/stix-spec/cyber-observables/file.owl deleted file mode 100644 index aae42b2..0000000 --- a/stix-spec/cyber-observables/file.owl +++ /dev/null 
@@ -1,508 +0,0 @@ - - - - - - - - - - - - - - -]> - - - - - - - 2.1.0 - - - - - File - The File object represents the properties of a file. A File object MUST contain at least one of hashes or name. - - - - - Archive File - The Archive File object represents the properties of an archive file. - - - - - - - comment - Specifies a comment included as part of the associated entity. - - - - - contains_refs - Specifies a list of references to other STIX CyberObservable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension. - - - - - - - - - - - - - - contains_refs_id - Specifies a list of identifiers of other STIX Cyber Observable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension - - - - - - Alternate data streams - Specifies a list of NTFS alternate data streams that exist for the file. - - - - - NTFS File - The NTFS File object represents the properties of a file in the NTFS file system. - - - - alternative data streams - Specifies a list of NTFS alternate data streams that exist for the file. - - - - - sid - Specifies the Windows Security ID (SID) value - - - - - - PDF File - The PDF File object represents the properties of a PDF file. - - - - - - document info dict - Specifies details of the PDF document information dictionary (DID), which includes properties like the document creation data and producer, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the corresponding entry in the document information dictionary without the prepended forward slash, e.g., Title. 
The corresponding value for the key MUST be the value specified for the document information dictionary entry, as a string. - - - - is_optimized - Specifies whether the PDF file has been optimized. - - - - - pdfid0 - Specifies the first file identifier found for the PDF file. - - - - - pdfid1 - Specifies the second file identifier found for the PDF file. - - - - version - Specifies the version of the entity. - - - - - - Raster Image File - The Raster Image File object represents the properties of a rater image file (e.g., JPEG, PNG). - - - - - bits_per_pixel - Specifies the sum of bits used for each color channel in the image file, and thus the total number of pixels used for expressing the color depth of the image. - - - - - exif_tags - Specifies the set of EXIF tags found in the image file, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single EXIF tag. Accordingly, each dictionary key MUST be a case-preserved version of the EXIF tag name, e.g., XResolution. Each dictionary value MUST be either an integer (for int* EXIF datatypes) or a string (for all other EXIF datatypes). - - - - image_height - Specifies the height of the image in the image file, in pixels. - - - - - image width - Specifies the width of the image in the image file, in pixels. - - - - - - Windows PE File - The Windows PE File object represents the properties of a Windows Portable Executable (PE) file. - - - - - Windows PE Optional Header - The Windows PE Optional Header type represents the properties of the PE optional header. An object using the Windows PE Optional Header Type MUST contain at least one property from this type. - - - - - Windows PE Section - The Windows PE Section type specifies metadata about a PE file section. - - - - address_of_entry_point - Specifies the address of the entry point relative to the image base when the executable is loaded into memory. 
- - - - - base_of_code - Specifies the address that is relative to the image base of the beginning-of-code section when it is loaded into memory. - - - - - base_of_data - Specifies the address that is relative to the image base of the beginning-of-data section when it is loaded into memory. - - - - - characteristics_hex - Specifies the flags that indicate the file’s characteristics. - - - - - dll_characteristics_hex - Specifies the flags that characterize the PE binary. - - - - - file_alignment - Specifies the factor (in bytes) that is used to align the raw data of sections in the image file. - - - - - file_header_hashes - Specifies any hashes that were computed for the file header.\n\nDictionary keys MUST come from the hash-algorithm-ov open vocabulary. - - - - image_base - Specifies the preferred address of the first byte of the image when loaded into memory. - - - - - imphash - Specifies the special import hash, or ‘imphash’, calculated for the PE Binary based on its imported libraries and functions. For more information on the imphash algorithm, see the original article by Mandiant/FireEye [. - - - - - loader_flags_hex - Specifies the reserved loader flags. - - - - - machine_hex - Specifies the type of target machine. - - - - - magic_hex - Specifies the hex value that indicates the type of the PE binary. - - - - - major_image_version - Specifies the major version number of the image. - - - - - major linker version - Specifies the linker major version number. - - - - - major_os_version - Specifies the major version number of the required operating system. - - - - - major_subsystem_version - Specifies the major version number of the subsystem. - - - - - minor_image_version - Specifies the minor version number of the image. - - - - - minor_linker_version - Specifies the linker minor version number. - - - - - minor_os_version - Specifies the minor version number of the required operating system. 
- - - - - minor_subsystem_version - Specifies the minor version number of the subsystem. - - - - - number_of_rva_and_sizes - Specifies the number of data-directory entries in the remainder of the optional header. - - - - - number_of_sections - Specifies the number of sections in the PE binary, as a non-negative integer. - - - - - number_of_symbols - Specifies the number of entries in the symbol table of the PE binary, as a non-negative integer. - - - - - optional_header - Specifies the PE optional header of the PE binary. When used, at least one property from the windows-pe-optional-header-type MUST be included. - - - - - pe_type - Specifies the type of the PE binary. This is an open vocabulary and values SHOULD come from the windows-pebinary-type-ov open vocabulary. - - - - - dll - - - exe - - - sys - - - - - - - - - - - - - pointer_to_symbol_table_hex - Specifies the file offset of the COFF symbol table. - - - - - section_alignment - Specifies the alignment (in bytes) of PE sections when they are loaded into memory. - - - - - sections - Specifies metadata about the sections in the PE file. - - - - - size_of_code - Specifies the size of the code (text) section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. - - - - - size_of_headers - Specifies the combined size of the MS-DOS, PE header, and section headers, rounded up to a multiple of the value specified in the file_alignment header. The value of this property MUST NOT be negative. - - - - - size_of_heap_commit - Specifies the size of the local heap space to commit, in bytes. The value of this property MUST NOT be negative. - - - - - size_of_heap_reserve - Specifies the size of the local heap space to reserve, in bytes. The value of this property MUST NOT be negative. - - - - - size_of_image - Specifies the size of the image in bytes, including all headers, as the image is loaded in memory. 
The value of this property MUST NOT be negative. - - - - - size_of_initialized_data - Specifies the size of the initialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. - - - - - size_of_optional_header - Specifies the size of the optional header of the PE binary. The value of this property MUST NOT be negative. - - - - - size_of_stack_commit - Specifies the size of the stack to commit, in bytes. The value of this property MUST NOT be negative. - - - - - size_of_stack_reserve - Specifies the size of the stack to reserve, in bytes. The value of this property MUST NOT be negative. - - - - - size of uninitialized data - Specifies the size of the uninitialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. - - - - - subsystem_hex - Specifies the subsystem (e.g., GUI, device driver, etc.) that is required to run this image. - - - - - time_date_stamp - Specifies the time when the PE binary was created. The timestamp value MUST be precise to the second. - - - - - win32_version_value_hex - Specifies the reserved win32 version value. - - - - - checksum_hex - Specifies the checksum of the file. - - - - - content_ref - Specifies the content of the file, represented as an Artifact object.\n\nThe object referenced in this property MUST be of type artifact. - - - - - content_ref_id - Specifies the identifier of an Artifact object that contains the contents of the file.\n\nThe identifier of the object specified in this property MUST be of type artifact. - - - - - entropy - Specifies the calculated entropy for the section, as calculated using the Shannon algorithm - - - - - magic_number_hex - Specifies the hexadecimal constant associated with a specific file format that corresponds to the file, if applicable. 
- - - - - name_enc - Specifies the observed encoding for the name of the file. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry. If the value from the Preferred MIME Name column for a character set is defined, this value MUST be used; if it is not defined, then the value from the Name column in the registry MUST be used instead.\n\nThis property allows for the capture of the original text encoding for the file name, which may be forensically relevant; for example, a file on an NTFS volume whose name was created using the windows-1251 encoding, commonly used for languages based on Cyrillic script. - - - - - parent_directory_ref - Specifies a reference to a SCO Directory object that represents the parent directory of the file.\n\nThe object referenced in this property MUST be of type directory. - - - - - parent_directory_ref_id - Specifies the identifier of a SCO Directory object that represents the parent directory of the file.\n\nThe identifier of the object referenced in this property MUST be of type directory. - - - - - size - Specifies the size, in bytes. The value of this property MUST NOT be negative. - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/ip-address-context.owl b/stix-spec/cyber-observables/ip-address-context.owl deleted file mode 100644 index e3a6529..0000000 --- a/stix-spec/cyber-observables/ip-address-context.owl +++ /dev/null @@ -1,131 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - ipv4-addr - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - ipv6-addr - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/mac-address-context.owl b/stix-spec/cyber-observables/mac-address-context.owl deleted file mode 100644 index b552dd5..0000000 
--- a/stix-spec/cyber-observables/mac-address-context.owl +++ /dev/null @@ -1,71 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - mac-addr - - - - - - 1 - - - - - - 1 - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/message-context.owl b/stix-spec/cyber-observables/message-context.owl deleted file mode 100644 index fb827d0..0000000 --- a/stix-spec/cyber-observables/message-context.owl +++ /dev/null @@ -1,264 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - email-message - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/mutex-context.owl b/stix-spec/cyber-observables/mutex-context.owl deleted file mode 100644 index 7f559b3..0000000 --- a/stix-spec/cyber-observables/mutex-context.owl +++ /dev/null @@ -1,73 +0,0 @@ - - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - mutext - - - - - - 1 - - - - - - 1 - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/network-traffic-context.owl b/stix-spec/cyber-observables/network-traffic-context.owl deleted file mode 100644 index 5f98b1a..0000000 --- a/stix-spec/cyber-observables/network-traffic-context.owl +++ /dev/null 
@@ -1,1438 +0,0 @@ - - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - network-traffic - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - network-traffic - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - network-traffic - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - network-traffic - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - 
- - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - network-traffic - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/network-traffic.owl b/stix-spec/cyber-observables/network-traffic.owl deleted file mode 100644 index 6c799fe..0000000 --- a/stix-spec/cyber-observables/network-traffic.owl +++ /dev/null 
@@ -1,726 +0,0 @@ - - - - - - - - - - -]> - - - - - - - - - 2.1.0 - - - - - Network Traffic - The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood.\n\nTo allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization’s network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties. - - - - - HTTP Request - The HttpRequest object represents network traffic properties specific to HTTP requests. - - - - - - ICMP Network Traffic - The ICMP Network Traffic object represents ICMP network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood.\n\nTo allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization’s network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a TCP Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties. - - - - - - NetworkSocket - The Network Socket object represents network traffic properties associated with network sockets. 
- - - - SO_ACCEPTCONN - Specifies whether or not this socket has been marked to accept connections with listen(2). - - - - - SO_ATTACH_BPF - Specifies whether an extended BPF program is attached to the socket for use as a filter of incoming packets. - - - - - SO_ATTACH_FILTER - Specifies whether a classic BPF program is attached to the socket for use as a filter of incoming packets. - - - - - SO_ATTACH_REUSEPORT_CBPF - Specific a classic BPF program which defines how packets are assigned to the sockets in the reuseport group - - - - - SO_ATTACH_REUSEPORT_EBPF - Specifies a extended EBPF program which defines how packets are assigned to the sockets in the reuseport group - - - - - SO_BINDTODEVICE - Specifies whether this socket is bound to a particular device like \“eth0\”, as specified in the passed interface name. - - - - - SO_BROADCAST - Specifies whether the broadcast flag. - - - - - SO_BSDCOMPAT - Specifies whether BSD bug-to-bug compatibility is enabled. - - - - - SO_BUSY_POLL - Specifies the approximate time in microseconds to busy poll on a blocking receive when there is no data. - - - - - SO_DEBUG - Specifies whether socket debugging is enabled. Allowed only for processes with the CAP_NET_ADMIN capability or an effective user ID of 0. - - - - - SO_DETACH_FILTER - Specifies whether to remove the extended BPF program attached to a socket with either SO_ATTACH_FILTER or SO_ATTACH_BPF. - - - - - SO_DETACH_FILTER - Specifies whether to remove the classic BPF program attached to a socket with either SO_ATTACH_FILTER or SO_ATTACH_BPF. - - - - - SO_DOMAIN - Specifies the socket domain as an integer, returning a value such as AF_INET6. - - - - - SO_DOUNTROUTE - Specifies not send via a gateway, send only to directly connected hosts. - - - - - SO_ERROR - Specifies whether there is a pending socket error. - - - - - SO_INCOMING_CPU - Specifies the CPU affinity of a socket. Expects an integer flag. 
- - - - - SO_INCOMING_NAPI_ID - Specifies whether a system-level unique ID called NAPI ID that is associated with a RX queue on which the last packet associated with that socket is received. - - - - - SO_KEEPALIVE - Specifies whether sending of keep-alive messages on connection-oriented sockets is performed. Expects an integer boolean flag. - - - - - SO_LINGER - Specifies whether a close(2) or shutdown(2) will not return until all queued messages for the socket have been successfully sent or the linger timeout has been reached. - - - - - SO_LOCK_FILTER - Specifies whether prevent changing the filters associated with the socket is prevented. - - - - - SO_MARK - Specifies wehther the mark for each packet sent through this socket (similar to the netfilter MARK target but socket-based). - - - - - SO_OOBINLINE - Specifies whether out-of-band data is directly placed into the receive data stream. - - - - - SO_PASSCRED - Specifies whether the receiving of the SCM_CREDENTIALS control message is enabled or disbled. - - - - - SO_PASSSEC - Specifies whether the receiving of the SCM_SECURITY control message is enabled or disbled. - - - - - SO_PEEK_OFF - Specifies the value of the "peek offset" for the recv(2) system call when used with MSG_PEEK flag. - - - - - SO_PEERCRED - Specifies the credentials of the peer process connected to this socket. - - - - - SO_PEERSEC - Specifies the security context of the peer socket connected to this socket. - - - - - SO_PRIORITY - Specifies the protocol-defined priority for all packets to be sent on this socket. - - - - - SO_PROTOCOL - Specifies the socket protocol as an integer, returning a value such as IPPROTO_SCTP. - - - - - SO_RCVBUF - Specifies the maximum socket receive buffer in bytes. The kernel doubles this value (to allow space for bookkeeping overhead) when it is set using setsockopt(2), and this doubled value is returned by getsockopt(2). 
- - - - - SO_RECBUFFORCE - Specifies whether a privileged (CAP_NET_ADMIN) process can perform the same task as SO_RCVBUF, but the rmem_max limit can be overridden. - - - - - SO_RCVLOWAT - Specify the minimum number of bytes in the buffer until the socket layer will pass the data the user on receiving. - - - - - SO_RCVTIMEO - Specifies whether receiving timeouts until reporting an error. - - - - - SO_REUSEADDR - Specifies whether the rules used in validating addresses supplied in a bind(2) call should allow reuse of local addresses. - - - - - SO_REUSEPORT - Specifies whether multiple AF_INET or AF_INET6 sockets are permitted to be bound to an identical socket address. - - - - - SO_RXQ_OVFL - Specifies that an unsigned 32-bit value ancillary message (cmsg) should be attached to received skbs indicating the number of packets dropped by the socket since its creation. - - - - - SO_SELECT_ERR_QUEUE - Specifies whether an error condition on a socket causes notification not only via the exceptfds set of select(2). - - - - - SO_SNDBUF - Specifies the maximum socket send buffer in bytes. - - - - - SO_SNDBUFFORCE - Specifies a privileged (CAP_NET_ADMIN) process can perform the same task as SO_SNDBUF, but the wmem_max limit can be overridden. - - - - - SO_SNDLOWAT - Specify the minimum number of bytes in the buffer until the socket layer will pass the data to the protocol - - - - - SO_SNDTIMEO - Specifies whether sending timeouts until reporting an error. - - - - - SO_TIMESTAMP - Specifies whether the receiving of the SO_TIMESTAMP control message is enabled or disabled. - - - - - SO_TIMESTAMPNS - Specifies whether the receiving of the SO_TIMESTAMPNS control message are enabled or disabled. - - - - - SO_TYPE - Specifies the socket type as an integer - - - - - - Socket Options - The SocketOptions object represents any options (e.g., SO_*) that may be used by the socket. 
- - - - - TCP Network Traffic - The TCP Network Traffic object represents TCP network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood.\n\nTo allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization’s network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a TCP Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties. - - - - address_family - Specifies the address family (AF_*) that the socket is configured for. The values of this property MUST come from the network-socket-address-family-enum enumeration. - - - - - AF_APPLETALK - - - AF_BTH - - - AF_INET - - - AF_INET6 - - - AF_IPX - - - AF_IRDA - - - AF_NETBIOS - - - AF_UNSPEC - - - - - - - - - - - - - - - - - - - - - - - dst_flags_hex - Specifies the destination TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property).\n\nIf the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon. - - - - - icmp_code_hex - Specifies the ICMP code byte. - - - - - icmp_type_hex - Specifies the ICMP type byte. - - - - - is_blocking - Specifies whether the socket is in blocking mode. - - - - - is_listening - Specifies whether the socket is in listening mode. 
- - - - - message_body_data_ref - Specifies a reference to an Artifact object that contains the data contained in the HTTP message body, if included.\n\nThe object referenced in this property MUST be of type artifact. - - - - - message_body_data_ref_id - Specifies the identifier of an Artifact object that contains the data contained in the HTTP message body, if included.\n\nThe identifier of the object specified MUST be of type artifact. - - - - - message_body_length - Specifies the length of the HTTP message body, if included, in bytes. - - - - - options - Specifies any options (e.g., SO_*) that may be used by the socket, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the option name, e.g., SO_ACCEPTCONN. Each key value in the dictionary MUST be the value for the corresponding options key. Each dictionary value MUST be an integer. For SO_RCVTIMEO, SO_SNDTIMEO and SO_LINGER the value represents the number of milliseconds. If the SO_LINGER key is present, it indicates that the SO_LINGER option is active. - - - - - request_header - Specifies all of the HTTP header fields that may be found in the HTTP client request, as a dictionary.\n\nEach key in the dictionary MUST be the name of the header field and SHOULD preserve case, e.g., User-Agent. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. - - - - request_method - Specifies the HTTP method portion of the HTTP request line, as a lowercase string. - - - - - delete - - - get - - - patch - - - post - - - put - - - - - - - - - - - - - - - - - request_value - Specifies the value (typically a resource path) portion of the HTTP request line. - - - - - request_version - Specifies the HTTP version portion of the HTTP request line, as a lowercase string. - - - - - socket_descriptor - Specifies the socket file descriptor value associated with the socket, as a non-negative integer. 
- - - - - socket_handle - Specifies the handle or inode value associated with the socket. - - - - - socket_type - Specifies the type of the socket.\n\nThe values of this property MUST come from the network-socket-type-enum enumeration. - - - - - SOCK_DGRAM - - - SOCK_RAW - - - SOCK_RDM - - - SOCK_SEQPACKET - - - SOCK_STREAM - - - - - - - - - - - - - - - - - src_flags_hex - Specifies the source TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property).\n\nIf the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon. - - - - - dst_byte_count - Specifies the number of bytes, as a positive integer, sent from the destination to the source. - - - - - dst_packets - Specifies the number of packets, as a positive integer, sent from the destination to the source. - - - - - dst_payload_ref - Specifies the bytes sent from the destination to the source.\n\nThe object referenced in this property MUST be of type artifact. - - - - - dst_payload_ref_id - Specifies the bytes sent from the destination to the source.\n\nThe identifier for the object specified in this property MUST be of type artifact. - - - - - dst_port - Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. - - - - - - 65535 - - - - - - - - dst_ref - Specifies the destination of the network traffic, as a reference to a Cyber-observable Object.\n\nThe object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). 
- - - - - - - - - - - - - - - - - - dst_ref_id - Specifies the destination of the network traffic, as the identifier of a Cyber-observable Object.\n\nThe identifier of object specified MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). - - - - - encapsulated_by_ref - Specifies a reference to another network-traffic object which encapsulates this object.\n\nThe object referenced in this property MUST be of type network-traffic. - - - - - encapsulated_by_ref_id - Specifies the identifier of another network-traffic object which encapsulates this object.\n\nThe identifier of the object specified MUST be of type network-traffic. - - - - - encapsulates_refs - Specifies references to other network-traffic objects encapsulated by this network-traffic object.\n\nThe objects referenced in this property MUST be of type network-traffic. - - - - - encapsulates_refs_id - Specifies identifiers of other network-traffic objects encapsulated by this network-traffic object.\n\nThe identifier of objects specified MUST be of type network-traffic. - - - - - end - Specifies the date/time the network traffic ended, if known.\n\nIf the is_active property is true, then the end property MUST NOT be included.\n\nIf start and end are both defined, then end MUST be later than the start value. - - - - - ipfix - Specifies any IP Flow Information Export [IPFIX] data for the traffic, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single IPFIX element. Accordingly, each dictionary key SHOULD be a case-preserved version of the IPFIX element name, e.g., octetDeltaCount. Each dictionary value MUST be either an integer or a string, as well as a valid IPFIX property. - - - - is_active - Indicates whether the network traffic is still ongoing.\n\nIf the end property is provided, this property MUST be false. 
- - - - - protocols - Specifies the protocols observed in the network traffic, along with their corresponding state.\n\nProtocols MUST be listed in low to high order, from outer to inner in terms of packet encapsulation. That is, the protocols in the outer level of the packet, such as IP, MUST be listed first.\n\nThe protocol names SHOULD come from the service names defined in the Service Name column of the IANA Service Name and Port Number Registry [Port Numbers]. In cases where there is variance in the name of a network protocol not included in the IANA Registry, content producers should exercise their best judgement, and it is recommended that lowercase names be used for consistency with the IANA registry. - - - - - src_type_count - Specifies the number of bytes, as a positive integer, sent from the source to the destination. - - - - - src_packets - Specifies the number of packets, as a positive integer, sent from the source to the destination. - - - - - src_payload_ref - Specifies a reference to an Artfact object that contains the bytes sent from the source to the destination.\n\nThe object referenced in this property MUST be of type artifact. - - - - - src_payload_ref_id - Specifies the identifier of an Artfact object that contains the bytes sent from the source to the destination.\n\nThe identifier of the object specified MUST be of type artifact. - - - - - src port - Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. - - - - - - 65535 - - - - - - - - src_ref - Specifies a reference to a Cyber-observable object that is the source of the network traffic.\n\nThe object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). 
- - - - - - - - - - - - - - - - - - src_ref_id - Specifies the identifier of a Cyber-observable object that is the source of the network traffic.\n\nThe identifier of the object specified MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). - - - - - start - Specifies the date/time the network traffic was initiated, if known. - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/process-context.owl b/stix-spec/cyber-observables/process-context.owl deleted file mode 100644 index 227bf2d..0000000 --- a/stix-spec/cyber-observables/process-context.owl +++ /dev/null 
@@ -1,680 +0,0 @@ - - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - process - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - process - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - process - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/process.owl b/stix-spec/cyber-observables/process.owl deleted file mode 100644 index 810a84f..0000000 --- a/stix-spec/cyber-observables/process.owl +++ /dev/null 
@@ -1,455 +0,0 @@ - - - - - - - - - - -]> - - - - - - - - 2.1.0 - - - - - Process - The Process object represents common properties of an instance of a computer program as executed on an operating system. A Process object MUST contain at least one property (other than type) from this object (or one of its extensions). - - - - - Windows Process - The Windows Process object represents common properties of an instance of a Windows computer program as executed on an operating system. A Windows Process object MUST contain at least one property (other than type) from this object. - - - - - - STARTUP_INFO Structure - The StartupInfo type specifies the window station, desktop, standard handles, and appearance of the main window for a process at creation time - - - - - Windows Service Process - The Windows Service Process object represents common properties of an instance of a Windows Service. A Windows Service Process object MUST contain at least one property (other than type) from this object. - - - - aslr_enabled - Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. - - - - - cb - Specifies the size of the structure, in bytes. - - - - - dep_enabled - Specifies whether Data Execution Prevention (DEP) is enabled for the process. - - - - - descriptions - Specifies the descriptions defined for the service. - - - - - display_name - Specifies the display name of the service in Windows GUI controls. - - - - - dwFillAttribute - If dwFlags specifies STARTF_USEFILLATTRIBUTE, this member is the initial text and background colors if a new console window is created in a console application. Otherwise, this member is ignored - - - - - dwFlags - A bitfield that determines whether certain STARTUPINFO members are used when the process creates a window. - - - - - dwX - If dwFlags specifies STARTF_USEPOSITION, this member is the x offset of the upper left corner of a window if a new window is created, in pixels. 
Otherwise, this member is ignored.\n\nThe offset is from the upper left corner of the screen. For GUI processes, the specified position is used the first time the new process calls CreateWindow to create an overlapped window if the x parameter of CreateWindow is CW_USEDEFAULT. - - - - - dwXCountChars - If dwFlags specifies STARTF_USECOUNTCHARS, if a new console window is created in a console process, this member specifies the screen buffer width, in character columns. Otherwise, this member is ignored. - - - - - dwXSize - If dwFlags specifies STARTF_USESIZE, this member is the width of the window if a new window is created, in pixels. Otherwise, this member is ignored.\n\nFor GUI processes, this is used only the first time the new process calls CreateWindow to create an overlapped window if the nWidth parameter of CreateWindow is CW_USEDEFAULT. - - - - - dwY - If dwFlags specifies STARTF_USEPOSITION, this member is the y offset of the upper left corner of a window if a new window is created, in pixels. Otherwise, this member is ignored.\n\nThe offset is from the upper left corner of the screen. For GUI processes, the specified position is used the first time the new process calls CreateWindow to create an overlapped window if the y parameter of CreateWindow is CW_USEDEFAULT. - - - - - dwYCountChars - If dwFlags specifies STARTF_USECOUNTCHARS, if a new console window is created in a console process, this member specifies the screen buffer height, in character rows. Otherwise, this member is ignored. - - - - - dwYSize - If dwFlags specifies STARTF_USESIZE, this member is the height of the window if a new window is created, in pixels. Otherwise, this member is ignored.\n\nFor GUI processes, this is used only the first time the new process calls CreateWindow to create an overlapped window if the nHeight parameter of CreateWindow is CW_USEDEFAULT. - - - - - group_name - Specifies the name of the load ordering group of which the service is a member. 
- - - - - hStdError - If dwFlags specifies STARTF_USESTDHANDLES, this member is the standard error handle for the process. Otherwise, this member is ignored and the default for standard error is the console window's buffer. - - - - - hStdInput - If dwFlags specifies STARTF_USESTDHANDLES, this member is the standard input handle for the process. If STARTF_USESTDHANDLES is not specified, the default for standard input is the keyboard buffer.\n\nIf dwFlags specifies STARTF_USEHOTKEY, this member specifies a hotkey value that is sent as the wParam parameter of a WM_SETHOTKEY message to the first eligible top-level window created by the application that owns the process. If the window is created with the WS_POPUP window style, it is not eligible unless the WS_EX_APPWINDOW extended window style is also set. For more information, see CreateWindowEx.\n\nOtherwise, this member is ignored. - - - - - hStdOutput - If dwFlags specifies STARTF_USESTDHANDLES, this member is the standard output handle for the process. Otherwise, this member is ignored and the default for standard output is the console window's buffer.\n\nIf a process is launched from the taskbar or jump list, the system sets hStdOutput to a handle to the monitor that contains the taskbar or jump list used to launch the process. For more information, see Remarks.Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows XP and Windows Server 2003: This behavior was introduced in Windows 8 and Windows Server 2012. - - - - - integrity_level - Specifies the Windows integrity level, or trustworthiness, of the process.\n\nThe values of this property MUST come from the windows-integrity-level-enum enumeration. - - - - - high - - - low - - - medium - - - system - - - - - - - - - - - - - - - lpDesktop - Specifies the name of the desktop, or the name of both the desktop and window station for this process. 
A backslash in the string indicates that the string includes both the desktop and window station names. - - - - - lpTitle - For console processes, specifies the title displayed in the title bar if a new console window is created. If NULL, the name of the executable file is used as the window title instead. This parameter must be NULL for GUI or console processes that do not create a new console window. - - - - - owner_sid - Specifies the Security ID (SID) value of the owner of the process. - - - - - priority - Specifies the current priority class of the process in Windows.\n\nThis value SHOULD be a string that ends in _CLASS. - - - - - service_dll_refs - Specifies a list of references to File objects that represent the DLLs loaded by the service.\n\nThe objects referenced in this property MUST be of type file. - - - - - service_dll_refs_id - Specifies a list of identifiers of File objects that represent the DLLs loaded by the service.\n\nThe identifiers of objects specified MUST be of type file. - - - - - service_name - Specifies the name of the service. - - - - - service_status - Specifies the current status of the service.\n\nThe values of this property MUST come from the windows-service-status-enum enumeration. - - - - - SERVICE_CONTINUE_PENDING - - - SERVICE_PAUSED - - - SERVICE_PAUSE_PENDING - - - SERVICE_RUNNING - - - SERVICE_START_PENDING - - - SERVICE_STOPPED - - - SERVICE_STOP_PENDING - - - - - - - - - - - - - - - - - - - - - service_type - Specifies the type of the service.\n\nThe values of this property MUST come from the windows-service-type-enum enumeration. - - - - - SERVICE_FILE_SYSTEM_DRIVER - - - SERVICE_KERNEL_DRIVER - - - SERVICE_WIN32_OWN_PROCESS - - - SERVICE_WIN32_SHARE_PROCESS - - - - - - - - - - - - - - - start_type - Specifies the start options defined for the service.\n\nThe values of this property MUST come from the windows-service-start-type-enum enumeration. 
- - - - - SERVICE_AUTO_START - - - SERVICE_BOOT_START - - - SERVICE_DEMAND_START - - - SERVICE_DISABLED - - - SERVICE_SYSTEM_ALERT - - - - - - - - - - - - - - - - - startup_info - Specifies the STARTUP_INFO struct used by the process, as a dictionary.\n\nEach name/value pair in the struct MUST be represented as a key/value pair in the dictionary, where each key MUST be a case-preserved version of the original name. For example, given a name of "lpDesktop" the corresponding key would be lpDesktop. - - - - - wShowWindow - If dwFlags specifies STARTF_USESHOWWINDOW, this member can be any of the values that can be specified in the nCmdShow parameter for the ShowWindow function, except for SW_SHOWDEFAULT. Otherwise, this member is ignored.\n\nFor GUI processes, the first time ShowWindow is called, its nCmdShow parameter is ignored wShowWindow specifies the default value. In subsequent calls to ShowWindow, the wShowWindow member is used if the nCmdShow parameter of ShowWindow is set to SW_SHOWDEFAULT. - - - - - windows_title - Specifies the title of the main window of the process. - - - - - child_refs - Specifies references to other Process objects that represent the other processes that were spawned by (i.e. children of) this process.\n\nThe objects referenced in this list MUST be of type process. - - - - - child_refs_id - Specifies the list of identifiers of Process objects that represent the other processes that were spawned by (i.e. children of) this process.\n\nThe identifiers of the objects specified MUST be of type process. - - - - - command_line - Specifies the full command line used in executing the process, including the process name (which may be specified individually via the image_ref.name property) and any arguments. - - - - - created_time - Specifies the date and time at which the process was created. 
- - - - - creator_user_ref - Specifies a reference to a UserAccount object that represents the user that created the process.\n\nThe reference to the object specified MUST be of type user-account. - - - - - creator_user_ref_id - Specifies the idetifier of a UserAccount object that represents the user that created the process.\n\nThe idetntifier of the object specified MUST be of type user-account. - - - - - cwd - Specifies the current working directory of the process. - - - - - environment_variables - Specifies the list of environment variables associated with the process as a dictionary. Each key in the dictionary MUST be a case preserved version of the name of the environment variable, and each corresponding value MUST be the environment variable value as a string. - - - - image_ref - Specifies a reference to a File object tha represents the executable binary that was executed as the process image.\n\nThe object referenced in this property MUST be of type file. - - - - - image_ref_id - Specifies the identifier of a File object tha represents the executable binary that was executed as the process image.\n\nThe identifier of the object specified MUST be of type file. - - - - - is_hidden - Specifies whether the process is hidden. - - - - - opened_connection_refs - Specifies a list of references to Network Traffic objects that represent the network connections opened by the process.\n\nThe objects referenced in this list MUST be of type network-traffic. - - - - - opened_connection_refs_id - Specifies a list of identifiers of Network Traffic objects that represent the network connections opened by the process.\n\nThe identifiers of the objects specified MUST be of type network-traffic. - - - - - parent_ref - Specifies a reference to the Process object that references the other process that spawned (i.e. is the parent of) this one.\n\nThe object referenced in this property MUST be of type process. 
- - - - - parent_ref_id - Specifies the identifier of the Process object that references the other process that spawned (i.e. is the parent of) this one.\n\nThe identifier of the object specified MUST be of type process. - - - - - pid - Specifies the Process ID, or PID, of the process. - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/software-context.owl b/stix-spec/cyber-observables/software-context.owl deleted file mode 100644 index 3e1411b..0000000 --- a/stix-spec/cyber-observables/software-context.owl +++ /dev/null @@ -1,115 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - software - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/uri-context.owl b/stix-spec/cyber-observables/uri-context.owl deleted file mode 100644 index 3d3cf31..0000000 --- a/stix-spec/cyber-observables/uri-context.owl +++ /dev/null @@ -1,71 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - url - - - - - - 1 - - - - - - 1 - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/user-account-context.owl b/stix-spec/cyber-observables/user-account-context.owl deleted file mode 100644 index cf42799..0000000 --- a/stix-spec/cyber-observables/user-account-context.owl +++ /dev/null 
@@ -1,354 +0,0 @@ - - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - user-account - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - user-account - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/windows-registry-context.owl b/stix-spec/cyber-observables/windows-registry-context.owl deleted file mode 100644 index 06006dd..0000000 --- a/stix-spec/cyber-observables/windows-registry-context.owl +++ /dev/null @@ -1,148 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - windows-registry-key - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/x509-certificate-context.owl b/stix-spec/cyber-observables/x509-certificate-context.owl deleted file mode 100644 index 076832d..0000000 --- a/stix-spec/cyber-observables/x509-certificate-context.owl +++ /dev/null 
@@ -1,354 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - x509-certificate - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/markings/marking-context.owl b/stix-spec/markings/marking-context.owl deleted file mode 100644 index c2302a6..0000000 --- a/stix-spec/markings/marking-context.owl +++ /dev/null @@ -1,352 +0,0 @@ - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - marking-definition - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - marking-definition - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - marking-definition - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/stix-spec/meta-objects/language-content-context.owl b/stix-spec/meta-objects/language-content-context.owl deleted file mode 100644 index 3b2370b..0000000 --- a/stix-spec/meta-objects/language-content-context.owl +++ /dev/null @@ -1,135 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - language-content - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/relationships/relationship-context.owl b/stix-spec/relationships/relationship-context.owl deleted file mode 100644 index 9b34a6d..0000000 --- a/stix-spec/relationships/relationship-context.owl +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - relationship - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/relationships/sighting-context.owl b/stix-spec/relationships/sighting-context.owl deleted file mode 100644 index 9c14f7a..0000000 --- a/stix-spec/relationships/sighting-context.owl +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - sighting - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/stix-spec/stix-spec.owl b/stix-spec/stix-spec.owl deleted file mode 100644 index f654d49..0000000 --- a/stix-spec/stix-spec.owl +++ /dev/null @@ -1,63 +0,0 @@ - - - - - - - -]> - - - - This ontology is the master ontology for the definition the concepts contained in the STIX 2.1.0 specification. It imports all the various STIX ontologies files to create an unified ontology based on the various component ontologies that make up STIX. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2.1.0 - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/adversary-context.owl b/stix-spec/threat-intel/adversary-context.owl deleted file mode 100644 index f7869b9..0000000 --- a/stix-spec/threat-intel/adversary-context.owl +++ /dev/null @@ -1,313 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - intrusion-set - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - threat-actor - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/adversary.owl b/stix-spec/threat-intel/adversary.owl deleted file mode 100644 index 9a70e8b..0000000 --- a/stix-spec/threat-intel/adversary.owl +++ /dev/null 
@@ -1,426 +0,0 @@ - - - - - - - - - -]> - - - - - 2.1.0 - - - - - Intrusion Set - An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.\n\nWhere a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. - - - - - Threat Actor - Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.\n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets.\n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. - - - - goals - Specifies the high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. 
- - - - - personal_motivations - The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals.\n\nPersonal motivation, which is independent of the organization’s goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization’s motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation’s objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance.\n\nThe values for this property SHOULD come from the attack-motivation-ov open vocabulary. - - - - - accidental - - - coercion - - - dominance - - - ideology - - - notoriety - - - organizational-gain - - - personal-gain - - - personal-satisfaction - - - revenge - - - unpredictable - - - - - - - - - - - - - - - - - - - - - - - - - - - primary_motivation - Specifies the primary reason, motivation, or purpose behind this Intrusion Set. The motivation is why the Intrusion Set wishes to achieve the goal (what they are trying to achieve).\n\nThe value for this property SHOULD come from the attack-motivation-ov open vocabulary. 
- - - - - accidental - - - coercion - - - dominance - - - ideology - - - notoriety - - - organizational-gain - - - personal-gain - - - personal-satisfaction - - - revenge - - - unpredictable - - - - - - - - - - - - - - - - - - - - - - - - - - - resource_level - Specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack.\n\nThe value for this property SHOULD come from the attack-resource-level-ov open vocabulary. - - - - - club - - - contest - - - government - - - individual - - - organization - - - team - - - - - - - - - - - - - - - - - - - roles - Specifies a list of roles the Threat Actor plays.\n\nThe values for this property SHOULD come from the threat-actor-role-ov open vocabulary. - - - - - agent - - - director - - - independent - - - infrastructure-architect - - - infrastructure-operator - - - malware-author - - - sponsor - - - - - - - - - - - - - - - - - - - - - secondary_motivations - Specifies the secondary reasons, motivations, or purposes behind this Intrusion Set. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance.\n\nThe values for this property SHOULD come from the attack-motivation-ov open vocabulary. - - - - - accidental - - - coercion - - - dominance - - - ideology - - - notoriety - - - organizational-gain - - - personal-gain - - - personal-satisfaction - - - revenge - - - unpredictable - - - - - - - - - - - - - - - - - - - - - - - - - - - sophistication - Specifies the skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack.\n\nThe value for this property SHOULD come from the threat-actor-sophistication-ov open vocabulary. 
- - - - - advanced - - - expert - - - innovator - - - intermediate - - - minimal - - - none - - - strategic - - - - - - - - - - - - - - - - - - - - - threat_actor_types - Specifies the type(s) of this threat actor.\n\nThe values for this property SHOULD come from the threat-actor-type-ov open vocabulary. - - - - - activist - - - competitor - - - crime-syndicate - - - criminal - - - hacker - - - insider-accidential - - - insider-disgruntled - - - nation-state - - - sensationalist - - - spy - - - terrorist - - - unknown - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/attack-pattern-context.owl b/stix-spec/threat-intel/attack-pattern-context.owl deleted file mode 100644 index 4c3f7e6..0000000 --- a/stix-spec/threat-intel/attack-pattern-context.owl +++ /dev/null @@ -1,125 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - attack-pattern - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/campaign-context.owl b/stix-spec/threat-intel/campaign-context.owl deleted file mode 100644 index d1a072c..0000000 --- a/stix-spec/threat-intel/campaign-context.owl +++ /dev/null @@ -1,151 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - campaign - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/campaign.owl b/stix-spec/threat-intel/campaign.owl deleted file mode 100644 index cb12900..0000000 --- a/stix-spec/threat-intel/campaign.owl +++ /dev/null 
@@ -1,37 +0,0 @@ - - - - - - - - -]> - - - - - 2.1.0 - - - - - Campaign - A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set.\n\nCampaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign.\n\nCampaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. - - - - objective - Specifies the Campaign’s primary goal, objective, desired outcome, or intended effect — what the Threat Actor or Intrusion Set hopes to accomplish with this Campaign. - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/course-of-action-context.owl b/stix-spec/threat-intel/course-of-action-context.owl deleted file mode 100644 index 553e14c..0000000 --- a/stix-spec/threat-intel/course-of-action-context.owl +++ /dev/null @@ -1,117 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - course-of-action - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/incident-context.owl b/stix-spec/threat-intel/incident-context.owl deleted file mode 100644 index 4ba99c8..0000000 --- a/stix-spec/threat-intel/incident-context.owl +++ /dev/null 
@@ -1,109 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - incident - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/indicator-context.owl b/stix-spec/threat-intel/indicator-context.owl deleted file mode 100644 index c4d101d..0000000 --- a/stix-spec/threat-intel/indicator-context.owl +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - indicator - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/indicator.owl b/stix-spec/threat-intel/indicator.owl deleted file mode 100644 index ea5f76d..0000000 --- a/stix-spec/threat-intel/indicator.owl +++ /dev/null 
@@ -1,128 +0,0 @@ - - - - - - - - -]> - - - - - 2.1.0 - - - - - Indicator - Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language to specify these domains.\n\nThe Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language.\n\nRelationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. - - - - indicator types - Specifies A set of categorizations for this indicator.\n\nThe values for this property SHOULD come from the indicator-type-ov open vocabulary. - - - - - anomalous-activity - - - anonymization - - - benign - - - compromised - - - malicious-activity - - - attribution - - - unknown - - - - - - - - - - - - - - - - - - - - - pattern - Specifies the detection pattern for this Indicator MAY be expressed as a STIX Pattern or another appropriate language such as SNORT, YARA, etc. - - - - - pattern_type - Specifies the pattern language used in this indicator.\n\nThe value for this property SHOULD come from the pattern-type-ov open vocabulary.\n\nThe value of this property MUST match the type of pattern data included in the pattern property. 
- - - - - stix - - - pcre - - - sigma - - - snort - - - suricata - - - yara - - - - - - - - - - - - - - - - - - - pattern_version - Specifies the version of the pattern language that is used for the data in the pattern property which MUST match the type of pattern data included in the pattern property.\n\nFor patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used.\n\nFor the STIX Pattern language, the default value is determined by the specification version of the object.\n\nFor other languages, the default value SHOULD be the latest version of the patterning language at the time of this object's creation. - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/infrastructure-context.owl b/stix-spec/threat-intel/infrastructure-context.owl deleted file mode 100644 index 5cd0eb3..0000000 --- a/stix-spec/threat-intel/infrastructure-context.owl +++ /dev/null @@ -1,149 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - infrastructure - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/malware-context.owl b/stix-spec/threat-intel/malware-context.owl deleted file mode 100644 index 6d146fc..0000000 --- a/stix-spec/threat-intel/malware-context.owl +++ /dev/null 
@@ -1,471 +0,0 @@ - - - - - - - - - -]> - - - - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - malware - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - malware-analysis - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/tool-context.owl b/stix-spec/threat-intel/tool-context.owl deleted file mode 100644 index 0f95343..0000000 --- a/stix-spec/threat-intel/tool-context.owl +++ /dev/null @@ -1,125 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - tool - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/threat-intel/vulnerability-context.owl b/stix-spec/threat-intel/vulnerability-context.owl deleted file mode 100644 index e1dba1c..0000000 --- a/stix-spec/threat-intel/vulnerability-context.owl +++ /dev/null 
@@ -1,117 +0,0 @@ - - - - - - - - - -]> - - - - - - 2.1.0 - - - - - - - - - - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - vulnerability - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - - 1 - - - - - \ No newline at end of file diff --git a/stix/.DS_Store b/stix/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..e1148d868405a72b9d2a3b7ac71d7c5d90c1bac5 GIT binary patch literal 6148 zcmeHKO^?$s5FK|5o3dT02UdauQY5aWwEKZTTtZn6TnT~$pprDv63E7@B;6oYm2!ta z#1Dc0!U^8kuGDUJB~DNwPc?pyJugn*#CA+XVmymRL_H#M;Ee4XC@wMXXKz@`v~Z_T z_ed$Gdn75OkBw;CU=^?mY?=Z*cXu&gXOvMytMfOeDV5JtISo@8B8r!YC-A{9WvFr6 zlmaT@DQ5i%=KeVi@f*>AKGP|s>-^UD3;ZtllJb>RLybzsI#1mBQ(jmVXXbgog=c9} zl*8c<(b{TXyT0u>&W`iW{~#;B49ZzC4)QmA^-{_-T-Jl|RT5W|-p!{nD}yA9b45s^ z7$I+8Cs`z`v7BX5p}4;8a5|mNq<4Eh-#;2X?7K$?hl{>Df3!dByN3r47K@IvclZ9| z7n4uvX(qq0a#%63WGdS=xP-5$Tq(@CpJ%DeP7uTVE<}!10+!3}gNR>F0E~<0_FvDb~g0^?Q>ZLtOEZ`0bUa6zT{7Y@=Bj>inU=9M_;{u-1qkn9x+9rV4Y!5Sos5*Ti`SYmJ&t!W=$? z8CjSUicq8D{;moq;c2v`Rlq8+uE3VQ?D78p?CSIXI>}yH1*`)9l>(xD>>rQum(1SU y_;bA1y72dKHjb+`Dhdj-9jgj&#kb(f(C2am=ozdvq6KC@1e6T6unPQD1%3lBd#4ou literal 0 HcmV?d00001 diff --git a/stix/bundle-object/bundle.fowl b/stix/bundle-object/bundle.fowl new file mode 100644 index 0000000..e69de29 diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml new file mode 100644 index 0000000..5048fc2 --- /dev/null +++ b/stix/catalog-v001.xml @@ -0,0 +1,55 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
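Review bot: `stix/.DS_Store` is a macOS Finder metadata binary and should not be committed; the same applies to the `.DS_Store` files this patch adds under `stix/core-objects/`, `stix/core-objects/sco/`, `sco/directory/`, `sco/email-message/` and `sco/ipv4-address/`. Beyond churning every future diff, these files carry directory listings and can disclose file names that were never meant to be published if the tree is ever served from a web root or packaged. Drop them from the commit and add `.DS_Store` to the repository's `.gitignore`.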
diff --git a/stix/core-objects/.DS_Store b/stix/core-objects/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..a9dd2b1dcf12da7c7e04b57dab396e69f44c8f76 GIT binary patch literal 8196 zcmeHM%T5$Q6ukwgJ@RTEgBUgGI2#iXd5=aD+W})x6ObVY0UUd#o3TSvHFh_QNJwU_ zAK(Z00c>5F_yaE8y6^|wxNwEH9>ZgRjWIxC6{$M6tM2LBeX6>9ZUF!!v*r!}bOV5a zm802+%@Ku<^LnV%sh%c8f_wl56mCKZLbPA>9hC)Pi#O*;KYuTQhk1Mq zK4JuYI97&WB4CAl!1Bn#2aUW(?AsAVoVo>EaFFBRE7G<1pfgjB<7UZk8lb`jy za?b1=V>EVr>V<;fyB@kMKKH51${Dss-AHh=a==I=5;?Pbb8}>1xYrsQ9o*`*Ht*a{ z_gbTa>8-7VkxbpXJDpnzRw;WY6ak`MSkNqwcU!KVy65$5NCQTT*u%YfuX{*|Z5-LJ zwemV`CDJ3P#PDcZC^6WN_R#2GDuMUx7uMChlF!w7{cf7onN3`5Y-(<4HQU-d+B(~k z$*xP?$;<6muI9{+yi-^yhJ41xSir(eu;%5=)(Gc)qQK}>=&j>?&&A%GIP1T~q4pZW zwCBFq>zdgpp-<;thdAk@(DUd*G4$QZ<>knW=l0q2JX#@SK`_N4KlT}&Ulh?}Z*_t$ zGmOZuV6w!AqFFDD5D#(Y=AAHfXwl1TECo*93npoX#W7o*^YJeDm5Y$sl2h<$F?IhZ zE($D(lzl^5CZwbRkh1Sd(=f>lWz<8jDcO^yp>b|DVr+~Oc;)SgU>nP{Myxx zUZ=gf|KW3vcT=OpLCN%yR^Vh6sF&fodH(I4A*&zr z+UPvjwy?g$$_w|aNE8%oL^_Tr(s9Jye;A@|p)2Ru3M&$^2g`|X1f16IeEt0w^R1h+ Gp}-%*ew{x6 literal 0 HcmV?d00001 diff --git a/stix/core-objects/catalog-v001.xml b/stix/core-objects/catalog-v001.xml new file mode 100644 index 0000000..2d64f7e --- /dev/null +++ b/stix/core-objects/catalog-v001.xml @@ -0,0 +1,47 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl new file mode 100644 index 0000000..cb48886 --- /dev/null +++ b/stix/core-objects/common-properties.owl 
@@ -0,0 +1,289 @@ + + + + + + +]> + + + + + + 2.1.0 + + + + + + + + + STIX Cyber-Observable Object + Abstract base class from which all STIX Cyber-observable Object (SCOs) derive.\n\nSTIX Cyber Observables characterize observed facts about a network or host that may be used and related to higher level intelligence to form a more complete understanding of the threat landscape. + + + + + STIX Domain Object + Abstract based class from which all STIX Domain Objects (SDOs) derive.\n\nSTIX Domain Objects characterize higher-level intelligence objects that represent behaviors and constructs that threat analysts would typically create or work with while understanding the threat landscape. + + + + + STIX Meta Object + Abstract base class from which all STIX Meta Objects (SMO) derive.\n\nSTIX Meta Objects characterize the necessary glue and associated metadata to enrich or extend STIX Core Objects to support user and system workflows. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + STIX Object + Abstract base class from which all STIX objects are derived. + + + + + STIX Relationship Object + A bstract base class from which all STIX Relationship objects (SROs) derive.\n\nSTIX Relationship Objects STIX Relationship Objects connect STIX Domain Objects together, STIX Cyber-observable Objects together, and connect STIX Domain Objects and STIX Cyber-observable Objects together to form a more complete understanding of the threat landscape. + + + + confidence + Identifies the confidence that the creator has in the correctness of their data. The confidence value MUST be a number in the range of 0-100. 
+ + + + + contains_refs + Specifies a list of references to other STIX CyberObservable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension. + + + + + contains_refs_id + Specifies a list of identifiers of other STIX Cyber Observable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension + + + + + created + Idicates the date and time at which the object was originally created.\n\nThe object creator can use the time it deems most appropriate as the time the object was created. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise. + + + + + created_by_ref + Specifies the id property of the identity object that describes the entity that created this object.\n\nIf this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. + + + + + created_by_ref_id + Specifies the identifier of the Identity object that describes the entity that created this object.\n\nIf this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. + + + + + defanged + Specifies whether or not the data contained within the object has been defanged.\n\nThis property MUST NOT be used on any STIX Objects other than SCOs. + + + + + extensions + Specifies any extensions of the object + + + + + id + Uniquely identifies this object. + + + + + labels + Specifies a set of terms used to describe this object. 
The terms are user-defined or trust-group defined and their meaning is outside the scope of this specification and MAY be ignored. + + + + + lang + Identifies the language of the text content in this object. When present, it MUST be a language code conformant to [RFC5646]. If the property is not present, then the language of the content is en (English).\n\nThis property SHOULD be present if the object type contains translatable text properties (e.g. name, description). + + + + + modified + Represents the date and time that this particular version of the object was last modified.\n\nThe object creator can use the time it deems most appropriate as the time this version of the object was modified. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise.\n\nObject creators MUST set the modified property when creating a new version of an object if the created property was set. + + + + + name + Specifies the name used to identity the entity. + + + + + object_ref + Specifies a reference to a STIX Object that is referred to by this entity. + + + + + object_ref_id + Specifies the identifier of a STIX Object that is referred to by this entity. + + + + + object_refs_id + Specifies a list of identifiers of STIX Objects that are referred to by this entity. + + + + + revoked + Indicates whether the object has been revoked.\n\nRevoked objects are no longer considered valid by the object creator. Revoking an object is permanent; future versions of the object with this id MUST NOT be created. + + + + + sample_refs + Specifies a list of references to the Cyber Observable objects associated with this entity. + + + + + sample_refs_id + Specifies a list of identifiers to the Cyber Observable objects associated with this entity. + + + + + spec_version + Identifies the version of the STIX specification used to represent this object. + + + + + + + + + type + Identifies the type of STIX Object. 
The value of the type property MUST be the name of one of the types of STIX Objectsor the name of a Custom Object. + + + + \ No newline at end of file diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl new file mode 100644 index 0000000..fd66ac7 --- /dev/null +++ b/stix/core-objects/data-types.owl 
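Review bot: Several rdfs:comment literals in the new file carry typos that will surface verbatim in generated documentation and tooling: `Idicates the date and time` (created), `Abstract based class` (STIX Domain Object), `A bstract base class` plus the doubled `STIX Relationship Objects STIX Relationship Objects` (STIX Relationship Object), `Specifies the name used to identity the entity` (name) and `STIX Objectsor the name` (type). Correct them to `Indicates`, `Abstract base class`, `Abstract base class`, `identify` and `STIX Objects or`. The `confidence` comment states the value MUST be in the range 0-100; if the property's range is not already a restricted datatype, declaring it as an integer with minInclusive 0 and maxInclusive 100 would make that rule checkable by a reasoner rather than prose-only, and the same applies to the `defanged` comment's "MUST NOT be used on any STIX Objects other than SCOs", which could be expressed as a domain restricted to the SCO class.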
@@ -0,0 +1,179 @@ + + + + + + +]> + + + + + 2.1.0 + + + + + external_reference + Used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material. + + + + + Hash + Represents a cryptographic hashes, as a special set of key/value pairs. + + + + + KeyValue + A key-value pair (KVP) is a set of two linked data items: a key, which is a unique identifier for some item of data, and the value, which is either the data that is identified or a pointer to the location of that data. The key MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. + + + + + KillChainPhase + Represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. + + + + MD5 Hash Value + Specifies the MD5 message digest algorithm. The corresponding hash string for this value MUST be a valid MD5 message digest as defined in [RFC1321]. + + + + + SHA-1 Hash Value + Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA-1 message digest as defined in [RFC3174]. + + + + + SHA-256 Hash Value + Specifies the SHA-256 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-256 message digest as defined in [RFC6234]. + + + + + SHA-512 Hash Value + Specifies the SHA-512 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-512 message digest as defined in [RFC6234]. 
+ + + + + SHA3-256 Hash Value + Specifies the SHA3-256 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-256 message digest as defined in [FIPS202]. + + + + + SHA3-512 Hash Value + Specifies the SHA3-512 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-512 message digest as defined in [FIPS202]. + + + + + SSDEEP Hash Value + Specifies the ssdeep fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid piecewise hash as defined in the [SSDEEP] specification. + + + + + TLSH Hash Value + Specifies the TLSH fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid 35 byte long hash as defined in the [TLSH] specification. + + + + + description + Specifies a human readable description. + + + + + external id + An identifier for the external reference content. + + + + + external_references + Specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. + + + + + hash_algorithm + Represents the cryptographic hash algorithm used.\n\nThe name of the cryptographic hash algorithm used SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary. + + + + + hash_value + Represents the cryptographic hash value. + + + + + hashes + Specifies a set of hashes for the contents of the url. This SHOULD be provided when the url property is present. Dictionary keys MUST come from one of the entries listed in the hash-algorithm-ov open vocabulary. + + + + + key_identifier + Specifies a unique identifer for some item of data. The key MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). A key identifier MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. 
+ + + + + key_value + A key value is the data that is associated with the key identified. The values MUST be valid property base types. + + + + + + + + kill_chain_name + Specifies the name of the kill chain.\n\nThe value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.@{en-US} + + + + + kill chain phases + Specifies the kill chain phase(s) to which this indicator corresponds. + + + + + + + + + phase_name + Specifies the name of the phase in the kill chain.\n\nThe value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators. + + + + + source name + + + + + + url + Specifies a URL reference to an external resource + + + + \ No newline at end of file 
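Review bot: The `kill_chain_name` comment ends with a stray `@{en-US}`, which reads like a language-tag fragment that ended up inside the literal; remove it, or apply the language tag to the literal itself, since none of the other comments in this file carry one. `source name` has no description at all, and the labels `external id`, `kill chain phases` and `source name` use spaces while every other property here uses snake_case (`external_references`, `hash_algorithm`); aligning them with the STIX 2.1 property names `external_id`, `kill_chain_phases` and `source_name` keeps the ontology searchable against the specification. Minor typos: `Represents a cryptographic hashes` (Hash) and `unique identifer` (key_identifier).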
diff --git a/stix/core-objects/sco/.DS_Store b/stix/core-objects/sco/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..1ceec4db4fcf1c5e768faac989df426a31b94b2a GIT binary patch literal 16388 zcmeI3O=u)V6vtoZvxj8exWv_qI--|_M3Z$lA9$IKSw!&Uh##oL`P%G|ndvw)$s~qo zuDhP}?(WTtEV3sRy)1|bo)i>sA}9#r(G@|^e^u8^S69FOh{6&(U7@Br-S2hJd%xFR z{i}ZnewCUs5rW$pqQ|@&(%MGUtnUBhwje4g$H}{=2G(0joHg4PYg#Bvq zvePSeOWm!`N~!&_`0qK#X_WihrSkLjT5oM?`bnqNE!A7Kwp6HBYY=(mg?g*%^j4g$ zR<$E_i|zqCm&>h9-MhE9FuypHUs&9q$?q*MiOsW%`};Zjo`)ZM;@P#0MziHy!B<1E zL@0`K!fghhSFtsUIt~Nd%_ zva6)hfl3*}08&SEET>-ljNWju432s*f=3wyO3!foBplztP(xdeAXG4t;9yUSx(135 z4HThz>3|bz9)l}XRtNakHy1_~zzBH{X%cw`a_G4Y?9+Hm)`7VS+&u)qtaxP7I`(z& z2yN3Y_H1C!u0ISc3_tnq$i(MKM_42_mkE=^x_a20{_$!~h0P)Ky)gPW`b=0QzP1r& zQ?x_pX^xf=PTTS+(?y6~Lam^e?wY-{^|ldSvHIx0=DZf16TGRx;aSk#aM~v)28Ef z{!wyFXCJtx(Ya57-xjXrAnkB4Yc2B5S=3#ba@45lPc;Y`r;lf>zQ*@|yapiFOa^zX zj*fr$%$ZLV{seknI2=Zg36I!o8R3#cZd#XFDQTqvAbN!Zr8!GJqj+bU2hn&{{eF90oi@5>J?h-q-B+0mY|1@AnXr=>rgn9 ze)YyzY!Db4UJxYHhz$bY`HdhLk;8nA0CF)Arz0Q8r33K590up$m=5pt>!-d}@U-I| zD(*M~W}s_e=&zVP7yUREQ*FNa(NMi~Uk-113cv3&`ro#-}g-WFTYYJ!DDbBaj8oZ6FI-$!)wg z9kcb{?BaF?c!=|K+)v%!`9z!b^;ttu#Q1EQgZ+&q3Hw8IX%LAWWiwTC9>lguIEI;!HgiK`gfH0)f5del!3~)n2 z2mJGm+V2W*K*|H!m+Frk;658eMOm7_$Hnm9|4E_jBlAG!fpmJn8d)u_uD~`c#6Gds zK9BkuswhJ4z-oQi!GEp{sVv`{Oi=1{*vhqVl?#bA$d=( hPf;e<%KHER{_|v`-)4Xt5<1|1&yJfaAQj&K{{w3GSJ40f literal 0 HcmV?d00001 diff --git a/stix-spec/cyber-observables/artifact.owl b/stix/core-objects/sco/artifact/artifact.owl similarity index 90% rename from stix-spec/cyber-observables/artifact.owl rename to stix/core-objects/sco/artifact/artifact.owl index e2e85ee..25deed3 100644 --- a/stix-spec/cyber-observables/artifact.owl +++ b/stix/core-objects/sco/artifact/artifact.owl @@ -5,7 +5,6 @@ - ]> - + + 2.1.0 
@@ -28,13 +27,13 @@ The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.\n\nOne of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. - + decryption_key Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive.\n\nThis property MUST NOT be present when the encryption_algorithm property is absent. - + encryption algorithm Specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in, if the artifact is encrypted.\n\nIf both mime_type and encryption_algorithm are included, this signifies that the artifact represents an encrypted archive. @@ -59,7 +58,7 @@ - + payload_bin Specifies the binary data contained in the artifact as a base64-encoded string.\n\nThis property MUST NOT be present if url is provided. diff --git a/stix-spec/cyber-observables/autonomous-system.owl b/stix/core-objects/sco/autonomus-system/autonomous-system.owl similarity index 89% rename from stix-spec/cyber-observables/autonomous-system.owl rename to stix/core-objects/sco/autonomus-system/autonomous-system.owl index d8c8893..f22d4b0 100644 --- a/stix-spec/cyber-observables/autonomous-system.owl +++ b/stix/core-objects/sco/autonomus-system/autonomous-system.owl @@ -5,7 +5,6 @@ - ]> - + + 2.1.0 @@ -28,13 +27,13 @@ This object represents the properties of an Autonomous System (AS). - + number Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registry (RIR). - + rir Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS. 
diff --git a/stix/core-objects/sco/directory/.DS_Store b/stix/core-objects/sco/directory/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..5008ddfcf53c02e82d7eee2e57c38e5672ef89f6 GIT binary patch literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0 - ]> - + + 2.1.0 @@ -29,13 +28,31 @@ The Directory object represents the properties common to a file system directory. - + + atime + Specifies the date and time the directory or file was last accessed. + + + + + ctime + Specifies the date and time the file or directory was created. + + + + + mtime + Specifies the date and time the directory or file was last written to/modified. + + + + path Specifies the path, as originally observed, to the directory on the file system. - + path_enc Specifies the observed encoding for the path. The value MUST be specified if the path is stored in a non-Unicode encoding. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry. If the preferred MIME name for a character set is defined, this value MUST be used; if it is not defined, then the Name value from the registry MUST be used instead. diff --git a/stix-spec/cyber-observables/domain-name.owl b/stix/core-objects/sco/domain-name/domain-name.owl similarity index 80% rename from stix-spec/cyber-observables/domain-name.owl rename to stix/core-objects/sco/domain-name/domain-name.owl index 5bbe11f..d3252c6 100644 --- a/stix-spec/cyber-observables/domain-name.owl +++ b/stix/core-objects/sco/domain-name/domain-name.owl @@ -5,7 +5,6 @@ - ]> - - + + + + 2.1.0 
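Review bot: The three new timestamp properties describe their subject inconsistently — `atime` and `mtime` say `directory or file`, `ctime` says `file or directory` — and none of the comments states the millisecond precision requirement that the `created`/`modified` comments elsewhere in this patch carry. If these properties are shared between Directory and File, one consistent wording such as `Specifies the date and time the file or directory was last accessed.` would help, and the datatype declarations are not part of this hunk, so confirm that their range is `xsd:dateTime` like the other timestamp properties. The enclosing ontology element begins before this hunk.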
@@ -29,7 +29,7 @@ The Domain Name object represents the properties of a network domain name. - + resolved_to_refs Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to.\n\nThe objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records).
@@ -46,15 +46,15 @@ - + resolved_to_refs_id Specifies a list of identifiers to one or more SCO IP Address or Domain Name objectss that the domain name resolves to.\n\nThe object identifiers referenced in this list MUST be for objects of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). - - value - Specifies the value of the domain name.\n\nThe value of this property MUST conform to [RFC1034], and each domain and sub-domain contained within the domain name MUST conform to [RFC5890]. + + value + Specifies the value of the subject as a string.
diff --git a/stix-spec/cyber-observables/email-address.owl b/stix/core-objects/sco/email-address/email-address.owl
similarity index 76%
rename from stix-spec/cyber-observables/email-address.owl
rename to stix/core-objects/sco/email-address/email-address.owl
index e4d0497..4fbb0cd 100644
--- a/stix-spec/cyber-observables/email-address.owl
+++ b/stix/core-objects/sco/email-address/email-address.owl
@@ -5,7 +5,6 @@ - ]> - + + 2.1.0
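Review bot: Replacing the `value` comment with the generic `Specifies the value of the subject as a string.` drops the only place this ontology recorded that a domain-name value MUST conform to [RFC1034]/[RFC5890], and the email-address hunk later in this patch removes its `value` property, and with it the RFC5322 addr-spec rule, the same way. If `value` is now a shared property, keep the per-class constraints somewhere they can still be found — a class-level comment on DomainName and EmailAddress, or a subproperty per class — because consumers that validate indicator values against these rules rely on them. The prior wording `The value of this property MUST conform to [RFC1034], and each domain and sub-domain contained within the domain name MUST conform to [RFC5890].` could move to the DomainName class comment unchanged.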
@@ -29,28 +28,22 @@ An Email Address object represents a single email address. - + belongs_to_ref Specifies the user account that the email address belongs to, as a reference to a User Account object.\n\nThe object referenced in this property MUST be of type user-account. - + belongs_to_ref_id Specifies the identifier of the SCO UserAccount object that the email address belongs to.\n\nThe object referenced in this property MUST be of type user-account. - + display_name Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. - - - value - Specifies the value of the email address. This MUST NOT include the display name.\n\nThis property corresponds to the addr-spec construction in section 3.4 of RFC5322, for example, jane.smith@example.com. - - \ No newline at end of file diff --git a/stix/core-objects/sco/email-message/.DS_Store b/stix/core-objects/sco/email-message/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..6b0bb4d3aa5dd481b81e38212ada2708055c24aa GIT binary patch literal 6148 zcmeHKyH3ME5S$|^BGDur<^2GW_=8gv3Tl3U1Q0@UL5<0hG4q);d#X0 z;feV*dc2~$>H7P9*Y8R|8@fH-H`jccDJh}9CrmN*15Ln}cg2DRjfQG(8V&AOI21O^?&Pv(8{ z)_~J)hwKcD|#39h>%sZW^4*}CfCI$XNflt-{9oPT> literal 0 HcmV?d00001 diff --git a/stix-spec/cyber-observables/message.owl b/stix/core-objects/sco/email-message/email-message.owl similarity index 85% rename from stix-spec/cyber-observables/message.owl rename to stix/core-objects/sco/email-message/email-message.owl index b45f1b0..75803eb 100644 --- a/stix-spec/cyber-observables/message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl @@ -1,29 +1,26 @@ - + - ]> - - + - + + 2.1.0 
@@ -35,151 +32,150 @@ The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs.\n\nHeader field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. - - + MimePart Specifies one component of a multi-part body.\n\nThere is no property to capture the value of the “Content-Transfer-Encoding” header field, since the body MUST be decoded before being represented in the body property. - + additional header fields Specifies any other header fields (except for date, received_lines, content_type, from_ref, sender_ref, to_refs, cc_refs, bcc_refs, and subject) found in the email message, as a dictionary.\n\nEach key/value pair in the dictionary represents the name/value of a single header field or names/values of a header field that occurs more than once. Each dictionary key SHOULD be a case-preserved version of the header field name. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. - + bcc_refs Specifies the mailboxes that are “BCC:” recipients of the email message.\n\nAs per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized.\n\nThe objects referenced in this list MUST be of type email-address. 
- + bcc_refs_id Specifies the mailboxes that are “BCC:” recipients of the email message.\n\nAs per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized.\n\nThe identifiers specifed in this list MUST be of type email-address. - + body Specifies a string containing the body. \n\nIn an EmailMessage, this property MUST NOT be used if is_multipart is true.\n\nIn a MIME Part, specifies the contents of the MIME part if the content_type is not provided or starts with text/ (e.g., in the case of plain text or HTML email). For inclusion in this property, the contents MUST be decoded to Unicode. Note that the charset provided in content_type is for informational usage and not for decoding of this property. - + body_multipart Specifies a list of the MIME parts that make up the email body. This property MUST NOT be used if is_multipart is false. - + - + body_raw_ref Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as a reference to an Artifact object or File object.\n\nThe object referenced in this property MUST be of type artifact or file. For use cases where conveying the actual data contained in the MIME part is of primary importance, artifact SHOULD be used. Otherwise, for use cases where conveying metadata about the file-like properties of the MIME part is of primary importance, file SHOULD be used. - + body_raw_ref_id Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as the identifier to an Artifact object or File object.\n\nThe object referenced in this property MUST be of type artifact or file. For use cases where conveying the actual data contained in the MIME part is of primary importance, artifact SHOULD be used. 
Otherwise, for use cases where conveying metadata about the file-like properties of the MIME part is of primary importance, file SHOULD be used. - + cc_refs Specifies the mailboxes that are “CC:” recipients of the email message.\n\nThe objects referenced in this list MUST be of type email-address. - + cc_refs_id Specifies the mailboxes that are “CC:” recipients of the email message.\n\nThe identifiers specified in this list MUST be for objects of type email-address. - + content_disposition Specifies the value of the “Content-Disposition” header field of the MIME part. - + content_type Specifies the value of the “Content-Type” header of the email message or MIME part. - + date Specifies the date/time that the email message was sent. - + from_ref Specifies a reference to a SCO EmailAddress object of the “From:” header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message.\n\nThe object referenced in this property MUST be of type email-address. - + from_ref_id Specifies an identifier of a SCO EmailAddress object of the “From:” header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message.\n\nThe object referenced in this property MUST be of type email-address. - + is_multipart Indicates whether the email body contains multiple MIME parts. - + message_id Specifies the Message-ID field of the email message. - + raw_email_ref Specifies the raw binary contents of the email message, including both the headers and body, as a reference to an Artifact object.\n\nThe object referenced in this property MUST be of type artifact. - + raw_email_ref_id Specifies the raw binary contents of the email message, including both the headers and body, as the identifer of an Artifact object.\n\nThe object referenced in this property MUST be of type artifact. 
- + recevied_lines Specifies one or more "Received" header fields that may be included in the email headers.\n\nList values MUST appear in the same order as present in the email message. - + sender_ref Specifies the value of the “Sender” field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message.\n\nThe object referenced in this property MUST be of type email-address. - + sender_ref_id Specifies the value of the “Sender” field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message.\n\nThe identifier specified MUST be for an object of type email-address. - + subject Specifies the subject of the message. - + to_refs Specifies a list of references to SCO EmailAddress objects that represents the mailboxes that are “To:” recipients of the email message. - + to_refs_id Specifies a list of identifiers of SCO EmailAddress objects that represents the mailboxes that are “To:” recipients of the email message diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl new file mode 100644 index 0000000..d70fb41 --- /dev/null +++ b/stix/core-objects/sco/file/file.owl 
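Review bot: `recevied_lines` is misspelled; the STIX 2.1 property is `received_lines`, and if that token is the property's local name rather than only its label, instances exported under the specification name will not match the ontology. Also in this hunk: `identifer` (raw_email_ref_id), `specifed` (bcc_refs_id), and the `to_refs_id` comment lacks a terminal period. The enclosing ontology element begins before this hunk.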
@@ -0,0 +1,121 @@ + + + + + + + + + + + + +]> + + + + + + + + 2.1.0 + + + + + File + The File object represents the properties of a file. A File object MUST contain at least one of hashes or name. + + + + checksum_hex + Specifies the checksum of the file. + + + + + comment + Specifies a comment included as part of the associated entity. + + + + + content_ref + Specifies the content of the file, represented as an Artifact object.\n\nThe object referenced in this property MUST be of type artifact. + + + + + content_ref_id + Specifies the identifier of an Artifact object that contains the contents of the file.\n\nThe identifier of the object specified in this property MUST be of type artifact. + + + + + entropy + Specifies the calculated entropy for the section, as calculated using the Shannon algorithm + + + + + machine_hex + Specifies the type of target machine. + + + + + magic_number_hex + Specifies the hexadecimal constant associated with a specific file format that corresponds to the file, if applicable. + + + + + mime_type + Specifies the MIME type name specified for the object.\n\nWhenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types].\n\nMaintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. + + + + + name_enc + Specifies the observed encoding for the name of the file. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry. 
If the value from the Preferred MIME Name column for a character set is defined, this value MUST be used; if it is not defined, then the value from the Name column in the registry MUST be used instead.\n\nThis property allows for the capture of the original text encoding for the file name, which may be forensically relevant; for example, a file on an NTFS volume whose name was created using the windows-1251 encoding, commonly used for languages based on Cyrillic script. + + + + + parent_directory_ref + Specifies a reference to a SCO Directory object that represents the parent directory of the file.\n\nThe object referenced in this property MUST be of type directory. + + + + + parent_directory_ref_id + Specifies the identifier of a SCO Directory object that represents the parent directory of the file.\n\nThe identifier of the object referenced in this property MUST be of type directory. + + + + + sid + Specifies the Windows Security ID (SID) value + + + + + size + Specifies the size, in bytes. The value of this property MUST NOT be negative. + + + + \ No newline at end of file diff --git a/stix/core-objects/sco/ipv4-address/.DS_Store b/stix/core-objects/sco/ipv4-address/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..3c2d2c46a1c2b2307e0720faa35b62f93953df93 GIT binary patch literal 6148 zcmeH~F;2rk5Jmq$ibymrDfa?ILgD~c6bfoC03j4emW+r3tvimBBZfaS3&L{JQlLN9 z?DLLicI97qyZ~&u+gt+;fH~cXPame{&)p|>RwG8zxyBV9vElWG=SlYQfY&y7!7JWz zGpgTWiv@aopu6k(r*+q_BNy0{i$mD)MHQ6-Qa}nw0VyB_PAcHNmo~phYLo&}KnnaQ z;NOQrcea&7GCmy~;s`*_7!KoooF&NO0kW+el8n$SOUW#?dc?3SXS~$BwsJ^jIV^VO zI(28OClrg_8849zYm*wKfD{-jaGuk~`~NNd#QA?*q?r_u0{=<@o2~9wOTJR=t&^AY wUR&r7^lxKsq;rT?Ohzl_#9Q&@ue{>-eBM?L$tY($%1QkQxGpj&@D~bv0dpfAF8}}l literal 0 HcmV?d00001 
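Review bot: The File class comment states that a File object MUST contain at least one of hashes or name, but neither a `hashes` nor a `name` property is declared anywhere in this hunk, so the constraint the comment announces cannot be expressed against this ontology. The `entropy` comment, `Specifies the calculated entropy for the section, as calculated using the Shannon algorithm`, reads as if it was copied from a PE section type rather than written for File; if it is meant as a File-level property the comment should say `Specifies the calculated entropy of the file contents, as calculated using the Shannon algorithm.`, and `checksum_hex`, `machine_hex` and `sid` deserve the same check of whether they belong on File or on an extension. The `.DS_Store` binary that follows this hunk in the commit is macOS Finder metadata and should be dropped and listed in .gitignore.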
diff --git a/stix-spec/cyber-observables/ip-address.owl b/stix/core-objects/sco/ipv4-address/ipv4-address.owl similarity index 68% rename from stix-spec/cyber-observables/ip-address.owl rename to stix/core-objects/sco/ipv4-address/ipv4-address.owl index 2834810..4dcd9d8 100644 --- a/stix-spec/cyber-observables/ip-address.owl +++ b/stix/core-objects/sco/ipv4-address/ipv4-address.owl @@ -1,29 +1,28 @@ - + - ]> - - + - + + 2.1.0 @@ -34,41 +33,29 @@ The IPv4 Address object represents one or more IPv4 addresses expressed using CIDR notation. - - - IPv6Address - The IPv6 Address object represents one or more IPv6 addresses expressed using CIDR notation. - - - + belongs_to_refs Specifies a list of references to one or more autonomous systems (AS) that the IPv4/IPv6 address belongs to.\n\nThe objects referenced in this list MUST be of type autonomous-system. - + belongs_to_refs_id Specifies a list of identifiers to one or more SCO Autonomous Systems (AS) objects that the IPv4/IPv6 address belongs to.\n\nThe identifiers of the objects specified in this list MUST be of type autonomous-system - + resolved_to_refs Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4/IPv6 address resolves to. The objects referenced in this list MUST be of type mac-addr. - + resolved_to_refs_id Specifies a list of identifiers to one or more Layer 2 Media Access Control (MAC) addresses objects that the IPv4/IPv6 address resolves to.\n\nThe identifiers of the objects specified in this list MUST be of type mac-addr. - - - value - Specifies the values of one or more IP addresses expressed using CIDR notation.\n\nIf a given IPv4 Address object represents a single IPv4 address, the CIDR /32 suffix MAY be omitted. \n\nIf a given IPv6 Address object represents a single IPv6 address, the CIDR /128 suffix MAY be omitted. - - \ No newline at end of file 
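Review bot: The `value` property is deleted from this file together with its rule that the /32 suffix MAY be omitted for a single address, and the same deletion of `value` and its format rule happens for mac-address (lowercase, colon-delimited MAC-48 with leading zeros) and url (RFC 3986 conformance) later in this commit, while the new ipv6-address.owl is created without a `value` at all. If `value` has been lifted to a shared superclass outside this diff, the per-type normalization rules go with it, and those rules are what make two observations of the same address or URL comparable, so they should be restated in each class comment, e.g. `IPv4 addresses are expressed in CIDR notation; the /32 suffix MAY be omitted for a single address.` The remaining comments here still say `IPv4/IPv6 address` although the IPv6 class now lives in its own file, and `resolved_to_refs` separates its two sentences with a single space where the sibling comments use `\n\n`.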
diff --git a/stix/core-objects/sco/ipv6-address/.DS_Store b/stix/core-objects/sco/ipv6-address/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..cd4eb623d774f54ff89d82cc6ab5f664fc8e8c7f GIT binary patch literal 6148 zcmeH~u};H442FM0he|9N8Se$C#KIg^Wnkt7pp*eAQV>;P&Bo*O5zBA;KtyR*2J}1f zeL2UzQ~n{&0kGw6a}6{A=5!}MeVCd*cc0if)?L4jTwqTw4q?X^Ra6Q{0VyB_q<|DSset!h+WaD^Q3^-_De$9! ze;*3n*;Wq8_;hfHBLF#LIE?pkmLQ7<$hLAwGD5Q~C9~A(5yP^a@lx~J$|0HMu-KXF z)Sa!KP%L(5yhJ*zO=^?^QedpWc}^Se|F`rL=l^k$W>P>3{3``)wz^*}`AW67PF~J? vZJ|HVzm2((&LLVc8LgNTZ^f6t@`~T{d0ROoqnz<5C-o!Xy2zx!UnuYeq5T~( literal 0 HcmV?d00001 diff --git a/stix/core-objects/sco/ipv6-address/ipv6-address.owl b/stix/core-objects/sco/ipv6-address/ipv6-address.owl new file mode 100644 index 0000000..005a2d9 --- /dev/null +++ b/stix/core-objects/sco/ipv6-address/ipv6-address.owl @@ -0,0 +1,61 @@ + + + + + + + + + +]> + + + + + + + + 2.1.0 + + + + + IPv6Address + The IPv6 Address object represents one or more IPv6 addresses expressed using CIDR notation. + + + + belongs_to_refs + Specifies a list of references to one or more autonomous systems (AS) that the IPv4/IPv6 address belongs to.\n\nThe objects referenced in this list MUST be of type autonomous-system. + + + + + belongs_to_refs_id + Specifies a list of identifiers to one or more SCO Autonomous Systems (AS) objects that the IPv4/IPv6 address belongs to.\n\nThe identifiers of the objects specified in this list MUST be of type autonomous-system + + + + + resolved_to_refs + Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4/IPv6 address resolves to. +The objects referenced in this list MUST be of type mac-addr. + + + + + resolved_to_refs_id + Specifies a list of identifiers to one or more Layer 2 Media Access Control (MAC) addresses objects that the IPv4/IPv6 address resolves to.\n\nThe identifiers of the objects specified in this list MUST be of type mac-addr. + + + + \ No newline at end of file 
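Review bot: The `resolved_to_refs` comment in the new ipv6-address.owl breaks its two sentences with a real line break, while every other comment in this file (and in the rest of the commit) embeds the two-character sequence `\n\n`; in an XML text node that sequence is not an escape, so RDF consumers will display a literal backslash-n. Pick one convention for the whole set of files, either actual newlines or the `&#10;` character reference, and apply it consistently. The `belongs_to_refs_id` comment is also missing its trailing period, unlike its siblings.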
diff --git a/stix-spec/cyber-observables/mac-address.owl b/stix/core-objects/sco/mac-address/mac-address.owl similarity index 70% rename from stix-spec/cyber-observables/mac-address.owl rename to stix/core-objects/sco/mac-address/mac-address.owl index 395e11a..e6bcae1 100644 --- a/stix-spec/cyber-observables/mac-address.owl +++ b/stix/core-objects/sco/mac-address/mac-address.owl @@ -5,7 +5,6 @@ - ]> - + + 2.1.0 @@ -27,11 +26,5 @@ MACAddress The MAC Address object represents a single Media Access Control (MAC) address. - - - value - Specifies the value of a single MAC address.\n\nThe MAC address value MUST be represented as a single colon-delimited, lowercase MAC-48 address, which MUST include leading zeros for each octet. - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/mutex.owl b/stix/core-objects/sco/mutex/mutex.owl similarity index 90% rename from stix-spec/cyber-observables/mutex.owl rename to stix/core-objects/sco/mutex/mutex.owl index a0fd472..e2e3d3f 100644 --- a/stix-spec/cyber-observables/mutex.owl +++ b/stix/core-objects/sco/mutex/mutex.owl @@ -5,7 +5,6 @@ - ]> - + + 2.1.0 diff --git a/stix/core-objects/sco/network-traffic/network-traffic.owl b/stix/core-objects/sco/network-traffic/network-traffic.owl new file mode 100644 index 0000000..370b5ca --- /dev/null +++ b/stix/core-objects/sco/network-traffic/network-traffic.owl 
@@ -0,0 +1,219 @@ + + + + + + + + +]> + + + + + + + + + + + 2.1.0 + + + + + Network Traffic + The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood.\n\nTo allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization’s network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties. + + + + dst_byte_count + Specifies the number of bytes, as a positive integer, sent from the destination to the source. + + + + + dst_packets + Specifies the number of packets, as a positive integer, sent from the destination to the source. + + + + + dst_payload_ref + Specifies the bytes sent from the destination to the source.\n\nThe object referenced in this property MUST be of type artifact. + + + + + dst_payload_ref_id + Specifies the bytes sent from the destination to the source.\n\nThe identifier for the object specified in this property MUST be of type artifact. + + + + + dst_port + Specifies the destination port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. + + + + + + 65535 + + + + + + + + dst_ref + Specifies the destination of the network traffic, as a reference to a Cyber-observable Object.\n\nThe object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). 
+ + + + + + + + + + + + + + + + + + dst_ref_id + Specifies the destination of the network traffic, as the identifier of a Cyber-observable Object.\n\nThe identifier of object specified MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). + + + + + encapsulated_by_ref + Specifies a reference to another network-traffic object which encapsulates this object.\n\nThe object referenced in this property MUST be of type network-traffic. + + + + + encapsulated_by_ref_id + Specifies the identifier of another network-traffic object which encapsulates this object.\n\nThe identifier of the object specified MUST be of type network-traffic. + + + + + encapsulates_refs + Specifies references to other network-traffic objects encapsulated by this network-traffic object.\n\nThe objects referenced in this property MUST be of type network-traffic. + + + + + encapsulates_refs_id + Specifies identifiers of other network-traffic objects encapsulated by this network-traffic object.\n\nThe identifier of objects specified MUST be of type network-traffic. + + + + + end + Specifies the date/time the network traffic ended, if known.\n\nIf the is_active property is true, then the end property MUST NOT be included.\n\nIf start and end are both defined, then end MUST be later than the start value. + + + + + ipfix + Specifies any IP Flow Information Export [IPFIX] data for the traffic, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single IPFIX element. Accordingly, each dictionary key SHOULD be a case-preserved version of the IPFIX element name, e.g., octetDeltaCount. Each dictionary value MUST be either an integer or a string, as well as a valid IPFIX property. + + + + is_active + Indicates whether the network traffic is still ongoing.\n\nIf the end property is provided, this property MUST be false. 
+ + + + + protocols + Specifies the protocols observed in the network traffic, along with their corresponding state.\n\nProtocols MUST be listed in low to high order, from outer to inner in terms of packet encapsulation. That is, the protocols in the outer level of the packet, such as IP, MUST be listed first.\n\nThe protocol names SHOULD come from the service names defined in the Service Name column of the IANA Service Name and Port Number Registry [Port Numbers]. In cases where there is variance in the name of a network protocol not included in the IANA Registry, content producers should exercise their best judgement, and it is recommended that lowercase names be used for consistency with the IANA registry. + + + + + src_type_count + Specifies the number of bytes, as a positive integer, sent from the source to the destination. + + + + + src_packets + Specifies the number of packets, as a positive integer, sent from the source to the destination. + + + + + src_payload_ref + Specifies a reference to an Artfact object that contains the bytes sent from the source to the destination.\n\nThe object referenced in this property MUST be of type artifact. + + + + + src_payload_ref_id + Specifies the identifier of an Artfact object that contains the bytes sent from the source to the destination.\n\nThe identifier of the object specified MUST be of type artifact. + + + + + src port + Specifies the source port used in the network traffic, as an integer. The port value MUST be in the range of 0 - 65535. + + + + + + 65535 + + + + + + + + src_ref + Specifies a reference to a Cyber-observable object that is the source of the network traffic.\n\nThe object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). 
+ + + + + + + + + + + + + + + + + + src_ref_id + Specifies the identifier of a Cyber-observable object that is the source of the network traffic.\n\nThe identifier of the object specified MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). + + + + + start + Specifies the date/time the network traffic was initiated, if known. + + + + \ No newline at end of file diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl new file mode 100644 index 0000000..1de5781 --- /dev/null +++ b/stix/core-objects/sco/process/process.owl 
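Review bot: Two property names in the new network-traffic.owl do not match the STIX 2.1 names the rest of this file follows: `src_type_count` is described as the byte count from source to destination and should be `src_byte_count` (its counterpart `dst_byte_count` is declared above), and `src port` contains a space instead of an underscore and should be `src_port`. Any consumer that maps STIX JSON property names onto this ontology by name will silently drop the source byte count and the source port, which is the side of a connection that identifies the originating process. `Artfact` in the `src_payload_ref` and `src_payload_ref_id` comments should read `Artifact`.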
@@ -0,0 +1,131 @@ + + + + + + + + +]> + + + + + + + + + 2.1.0 + + + + + Process + The Process object represents common properties of an instance of a computer program as executed on an operating system. A Process object MUST contain at least one property (other than type) from this object (or one of its extensions). + + + + child_refs + Specifies references to other Process objects that represent the other processes that were spawned by (i.e. children of) this process.\n\nThe objects referenced in this list MUST be of type process. + + + + + child_refs_id + Specifies the list of identifiers of Process objects that represent the other processes that were spawned by (i.e. children of) this process.\n\nThe identifiers of the objects specified MUST be of type process. + + + + + command_line + Specifies the full command line used in executing the process, including the process name (which may be specified individually via the image_ref.name property) and any arguments. + + + + + created_time + Specifies the date and time at which the process was created. + + + + + creator_user_ref + Specifies a reference to a UserAccount object that represents the user that created the process.\n\nThe reference to the object specified MUST be of type user-account. + + + + + creator_user_ref_id + Specifies the idetifier of a UserAccount object that represents the user that created the process.\n\nThe idetntifier of the object specified MUST be of type user-account. + + + + + cwd + Specifies the current working directory of the process. + + + + + environment_variables + Specifies the list of environment variables associated with the process as a dictionary. Each key in the dictionary MUST be a case preserved version of the name of the environment variable, and each corresponding value MUST be the environment variable value as a string. 
+ + + + image_ref + Specifies a reference to a File object tha represents the executable binary that was executed as the process image.\n\nThe object referenced in this property MUST be of type file. + + + + + image_ref_id + Specifies the identifier of a File object tha represents the executable binary that was executed as the process image.\n\nThe identifier of the object specified MUST be of type file. + + + + + is_hidden + Specifies whether the process is hidden. + + + + + opened_connection_refs + Specifies a list of references to Network Traffic objects that represent the network connections opened by the process.\n\nThe objects referenced in this list MUST be of type network-traffic. + + + + + opened_connection_refs_id + Specifies a list of identifiers of Network Traffic objects that represent the network connections opened by the process.\n\nThe identifiers of the objects specified MUST be of type network-traffic. + + + + + parent_ref + Specifies a reference to the Process object that references the other process that spawned (i.e. is the parent of) this one.\n\nThe object referenced in this property MUST be of type process. + + + + + parent_ref_id + Specifies the identifier of the Process object that references the other process that spawned (i.e. is the parent of) this one.\n\nThe identifier of the object specified MUST be of type process. + + + + + pid + Specifies the Process ID, or PID, of the process. + + + + \ No newline at end of file diff --git a/stix-spec/cyber-observables/software.owl b/stix/core-objects/sco/software/software.owl similarity index 74% rename from stix-spec/cyber-observables/software.owl rename to stix/core-objects/sco/software/software.owl index dbd81ae..8425163 100644 --- a/stix-spec/cyber-observables/software.owl +++ b/stix/core-objects/sco/software/software.owl @@ -1,27 +1,24 @@ - ]> - + + 2.1.0 
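Review bot: The `creator_user_ref_id` comment in the new process.owl misspells identifier twice (`idetifier`, `idetntifier`), and the `image_ref` and `image_ref_id` comments both read `a File object tha represents` where `that represents` is meant. These are wording-only fixes; the property set itself matches the comments' own cross-references (child_refs/parent_ref to process, image_ref to file, opened_connection_refs to network-traffic).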
@@ -31,15 +28,27 @@ The Software object represents high-level properties associated with software, including software products. - + cpe Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary.\n\nWhile the CPE dictionary does not contain entries for all software, whenever it does contain an identifier for a given instance of software, this property SHOULD be present. - + + languages + Specifies the languages supported by the software. The value of each list member MUST be an ISO 639-2 language code + + + + swid Specifies the Software Identification (SWID) Tags entry for the software, if available. The tag attribute, tagId, a globally unique identifier, SHOULD be used as a proxy identifier of the tagged product. + + + vendor + Specifies the name of the vendor of the software. + + \ No newline at end of file diff --git a/stix/core-objects/sco/url/.DS_Store b/stix/core-objects/sco/url/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..e9396a8c3a94410e9de8fa6739d34d7b256d650f GIT binary patch literal 6148 zcmeHK%Sr=55UkdK0WUdvoG%FY2SZ2>p8Wxd9v2pb;B`;_j=$iand%2(*yJQ$q#C+w zrl)HsTZip50NWg1?tvA6CEXG49_Hrf?lZfpj1lR4#)vlz55xGpA7<6(6VAQC0k0Ua z{>dNrJn^6PL0^A`aV3)iQa}nw0VyB_ey4!AHDXxOnQv9s3#Y`S!{TN>r*5{IP%Lg|zC}5# zCn`z-DR8R5b#7PQ|9A8Y^ZzMHJ1HOq{*?l@*gkGIe5LBGvzPN;+vrbpulc0AaUB$f mXvf58$J}^3zKf!)Yrf`rFPsvC&V0~``ZM6V$fUquD{ut5CLA09 literal 0 HcmV?d00001 diff --git a/stix-spec/cyber-observables/uri.owl b/stix/core-objects/sco/url/url.owl similarity index 59% rename from stix-spec/cyber-observables/uri.owl rename to stix/core-objects/sco/url/url.owl index 0d19d03..6766890 100644 --- a/stix-spec/cyber-observables/uri.owl +++ b/stix/core-objects/sco/url/url.owl @@ -4,21 +4,20 @@ - - + ]> - - - + + + 2.1.0 
@@ -27,11 +26,5 @@ URL The URL object represents the properties of a uniform resource locator (URL). - - - value - Specifies the value of the URL. The value of this property MUST conform to [RFC3986], more specifically section 1.1.3 with reference to the definition for "Uniform Resource Locator". - - \ No newline at end of file diff --git a/stix-spec/cyber-observables/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl similarity index 76% rename from stix-spec/cyber-observables/user-account.owl rename to stix/core-objects/sco/user-account/user-account.owl index a98b614..532cd57 100644 --- a/stix-spec/cyber-observables/user-account.owl +++ b/stix/core-objects/sco/user-account/user-account.owl @@ -1,28 +1,25 @@ - ]> - + + 2.1.0 
@@ -32,67 +29,37 @@ The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. - - - Unix User Account - The Unix UserAccount object represents an instance of a Unix user account. - - - - gid - Specifies the primary group ID of the account. - - - - - groups - Specifies a list of names of groups that the account is a member of. - - - - - home_dir - Specifies the home directory of the account. - - - - - shell - Specifies the account’s command shell. - - - - + account_created Specifies date and time when the account was created. - + account_expires Specifies the expiration date and time of the account. - + account_first_login Specifies the date and time when the account was first accessed. - + account_last_login Specifies the date and time when the account was last accessed. - + account_login Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login.\n\nFor example, in the case of a Unix account with user_id 0, the account_login might be “root”. - + account_type Specifies the type of the account.\n\nThis is an open vocabulary and values SHOULD come from the account-type-ov open vocabulary. 
@@ -157,49 +124,49 @@ - + can_escalate_privs Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account) - + credential Specifies a cleartext credential. This is only intended to be used in capturing metadata from malware analysis (e.g., a hard-coded domain administrator password that the malware attempts to use for lateral movement) and SHOULD NOT be used for sharing of PII. - + credential_last_changed Specifies when the account credential was last changed. - + display_name Specifies the display name of the account, to be shown in user interfaces, if applicable.\n\nOn Unix, this is equivalent to the GECOS field. - + is_disabled Specifies if the account is disabled. - + is_privileged Specifies that the account has elevated privileges (i.e., in the case of root on Unix or the Windows Administrator account). - + is_service_account Indicates that the account is associated with a network service or system process (daemon), not a specific individual. - + user_id Specifies the identifier of the account. The format of the identifier depends on the system the user account is maintained in, and may be a numeric ID, a GUID, an account name, an email address, etc. The user_id property should be populated with whatever field is the unique identifier for the system the account is a member of. For example, on UNIX systems it would be populated with the UID. 
diff --git a/stix/core-objects/sco/windows-registry-key/.DS_Store b/stix/core-objects/sco/windows-registry-key/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..25b65f986a17397c509da515a316fe945b78a90c GIT binary patch literal 6148 zcmeHKF-`+P3>-s>NHi%^?gxm(4^B~1q~-%C1R=zUlSmLscOB2+i7>Vo#OZ*N0*xi_ z?D{<3+!W^+fGwYP7r+d_l$;g3VbTy--kkXY%2DN@#)|aBLH#2a2WS7OAw0(h)u;lkrA3Dm6%kkBZeiN@lx}e zihW|zVR19-)SInNC>FOfULqaVBx;ocQeddSX&z_Z|JU>%=Kmo{Cn+EW{*?kYSzWG{ ze5Kl3M=$5Sw$QKWAI98B=Mt@$7_FEGZ^iR3dByj9-c;-pgU)!+iTWepy2zx!UnuYn DC_W(g literal 0 HcmV?d00001 diff --git a/stix-spec/cyber-observables/windows-registry.owl b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl similarity index 85% rename from stix-spec/cyber-observables/windows-registry.owl rename to stix/core-objects/sco/windows-registry-key/windows-registry-key.owl index 1378468..6d92217 100644 --- a/stix-spec/cyber-observables/windows-registry.owl +++ b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl @@ -1,26 +1,23 @@ - ]> - + + 2.1.0 
@@ -31,31 +28,31 @@ The Windows Registry Key object represents the properties of a Windows registry key.\n\nAs all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. - - + + RegistryValue The Windows Registry Value type captures the properties of a Windows Registry Key Value.\n\nAs all properties of this type are optional, at least one of the properties defined below MUST be included when using this type. - + creator_user_ref Specifies a reference to the UsedrAccount object that represents the user account that created the registry key.\n\nThe object referenced in this property MUST be of type user-account. - + creator_user_ref_id Specifies the identifier of the UserAccount object that represents the user account that created the registry key.\n\nThe identifier of the object specified MUST be of type user-account. - + data Specifies the data contained in the registry value. - + data_type Specifies the registry (REG_*) data type used in the registry value.\n\nThe values of this property MUST come from the windows-registry-datatype-enum enumeration. @@ -135,34 +132,28 @@ - + key Specifies the full registry key including the hive.\n\nThe value of the key, including the hive portion, SHOULD be case-preserved. The hive portion of the key MUST be fully expanded and not truncated; e.g., HKEY_LOCAL_MACHINE must be used instead of HKLM. - + modified_time Specifies the last date/time that the registry key was modified. - - name - Specifies the name of the registry value.\n\nFor specifying the default value in a registry key, an empty string MUST be used. - - - - + number_of_subkeys Specifies the number of subkeys contained under the registry key. - + values Specifies the values found under the registry key. - + \ No newline at end of file 
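Review bot: The `creator_user_ref` comment refers to `the UsedrAccount object`; it should read `UserAccount`, as the `creator_user_ref_id` comment directly below it does. In the second hunk the `name` property of the registry value is removed along with its rule that the default value of a key is expressed as an empty string; if `name` has moved to a shared property outside this diff, that registry-specific rule should be restated in the RegistryValue comment, e.g. `For the default value of a key, name is the empty string.`, since it is the detail that distinguishes a default value from a missing one when keys are compared.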
diff --git a/stix-spec/cyber-observables/x509-certificate.owl b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl similarity index 83% rename from stix-spec/cyber-observables/x509-certificate.owl rename to stix/core-objects/sco/x509-vertificate/x509-certificate.owl index 688552f..657ed6d 100644 --- a/stix-spec/cyber-observables/x509-certificate.owl +++ b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl @@ -1,26 +1,23 @@ - ]> - + + 2.1.0 
@@ -30,172 +27,171 @@ The X.509 Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509 [X.509]. An X.509 Certificate object MUST contain at least one object specific property (other than type) from this object. - - + X509v3Extensions The X.509 v3 Extensions type captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names. An object using the X.509 v3 Extensions type MUST contain at least one property from this type.\n\nNote that the use of the term "extensions" in this context refers to the X.509 v3 Extensions type and is not a STIX Cyber Observables extension. Therefore, it is a type that describes X.509 extensions. - + authority_key_identifier Specifies the identifier that provides a means of identifying the public key corresponding to the private key used to sign a certificate. Also equivalent to the object ID (OID) value of 2.5.29.35. - + basic_constraints Specifies a multi-valued extension which indicates whether a certificate is a CA certificate. The first (mandatory) name is CA followed by TRUE or FALSE. If CA is TRUE, then an optional pathlen name followed by a non-negative value can be included. Also equivalent to the object ID (OID) value of 2.5.29.19. - + certificate_policies Specifies a sequence of one or more policy information terms, each of which consists of an object identifier (OID) and optional qualifiers. Also equivalent to the object ID (OID) value of 2.5.29.32. - + crl_distribution_points Specifies how CRL information is obtained. Also equivalent to the object ID (OID) value of 2.5.29.31. - + extended_key_usage Specifies a list of usages indicating purposes for which the certificate public key can be used for. Also equivalent to the object ID (OID) value of 2.5.29.37. 
- + inhibit_any_policy Specifies the number of additional certificates that may appear in the path before anyPolicy is no longer permitted. Also equivalent to the object ID (OID) value of 2.5.29.54. - + is_self_signed Specifies whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies. - + issuer Specifies the name of the Certificate Authority that issued the certificate. - + issuer_alternative_name Specifies the additional identities to be bound to the issuer of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.18. - + key_usage Specifies a multi-valued extension consisting of a list of names of the permitted key usages. Also equivalent to the object ID (OID) value of 2.5.29.15. - + name_constraints Specifies a namespace within which all subject names in subsequent certificates in a certification path MUST be located. Also equivalent to the object ID (OID) value of 2.5.29.30. - + policy_constraints Specifies any constraints on path validation for certificates issued to CAs. Also equivalent to the object ID (OID) value of 2.5.29.36. - + policy_mappings Specifies one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates whether the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. Also equivalent to the object ID (OID) value of 2.5.29.33. - + private_key_usage_period_not_after Specifies the date on which the validity period ends for the private key, if it is different from the validity period of the certificate. - + private_key_usage_period_not_before Specifies the date on which the validity period begins for the private key, if it is different from the validity period of the certificate. - + serial_number Specifies the unique identifier for the certificate, as issued by a specific Certificate Authority. 
- + signature_algorithm Specifies the name of the algorithm used to sign the certificate. - + subject Specifies the name of the entity associated with the public key stored in the subject public key field of the certificate. - + subject_alternative_name Specifies the additional identities to be bound to the subject of the certificate. Also equivalent to the object ID (OID) value of 2.5.29.17. - + subject_directory_attributes Specifies the identification attributes (e.g., nationality) of the subject. Also equivalent to the object ID (OID) value of 2.5.29.9. - + subject_key_identifier Specifies the identifier that provides a means of identifying certificates that contain a particular public key. Also equivalent to the object ID (OID) value of 2.5.29.14. - + subject_public_key_algorithm Specifies the name of the algorithm with which to encrypt data being sent to the subject. - + subject_public_key_exponent Specifies the exponent portion of the subject’s public RSA key, as an integer. - + subject_public_key_modulus Specifies the modulus portion of the subject’s public RSA key. - + validity_not_after Specifies the date on which the certificate validity period ends. - + validity_not_before Specifies the date on which the certificate validity period begins. - + x509_v3_extensions Specifies any standard X.509 v3 extensions that may be used in the certificate. - + \ No newline at end of file 
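Review bot: The renamed file is placed under `stix/core-objects/sco/x509-vertificate/`, which misspells certificate; every sibling SCO directory in this commit is named after its STIX type (`ipv4-address`, `user-account`, and so on), so this should be `x509-certificate` before the path is referenced by imports or build scripts. The property comments in the hunk body appear unchanged apart from whatever markup the line pairs carry, so the path is the only point I would raise here.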
diff --git a/stix/core-objects/sdo/.DS_Store b/stix/core-objects/sdo/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..79c5fa9f69c3452172b2e3a290bdce00f1aef281 GIT binary patch literal 18436 zcmeHPUu+ab7@sMn+ySKrrBE@#VMPd1XaQRc51dC$t^e9^fDpj4*W0^pxZAz#?X}jX zNli3HF~0afe9;Hrj3mCP81+GYGA0@mpOhC9pG|zwC-s}zx!u{>*}3ZrxgNX8cJ^j| z-|Wr&zTez@vpYoy;cUGyickh2lz@|@sjUcgB@s$PIs#|oAm!u?9UCAA!}$)J-C&Q9 zgKShsHDn+wgpM=Xtp~c`3y~AJL%qP68Q{-E!@#7DoXK-DBlVhNQ{)RsLlwwHXd|_< zP@bY}v;esUuqgn-L7FkQP|cUEJh;f~`D)pyIU^%?ao2|KjXj$Z$<14~_HOG-ZSULB z*WbT$VAt-!U9+kFyf$~EWLtH!aMmhYcD7vCuas<~kgIBQhFQAg=r21t;}v~2wL^fO z(+e;8S?8CkfZ6G1(CQ{_T{mfc)5T&f8A1TMiEg0}(I@CT^fUSm{ek|$7;nb? zcmVIk`|y7JFg}P!T+=QhNOJ6Plg3{>Dzvas5T|hu#656d_5d3y5?k)e*2j&Gdm!!s zRS%HyAq^)B5m8*ZG@6^U zDpk%3h5*PMQ9h-mu+b7laSFFMsEvoZt`9=#l+bmmV3BCmxI5t5`t2ELj zD->o#WGkSi%GMlf6&YNzP}RQw=mDQXb>#ld`= z1@mEwBuW+hm{%vhcHuZvX9(phG8!dOp-_*YydGE?)Ioa|q){tM0gRx!FF|#OIn@QQ zouRovlVZiSpW*@pN%R&d=hgOA@!bjwb(gG zL3I(ob&>d>{_tah{vz!Bd$6s!(%cX z23QS3CIdbhK+aN-n66C%F$&Ahpi0p|33&=MPv_wGE8~n#rG-y$YZem974-{F5Db;p z|EE*Xgl+VREj+V@xxx*YGgR4U;^t=1wb3--pW)`=O54tGZeI zjJrBo65Io3ngRC+;XA_}Ld}xUAHwi-Up=~Kx2JZYOZla46;48D=$;|^40!EIr!R0t z%trqjsJ^axNPXm8Jr3VF z^aYv~L0jH6J2Z*2>e|jP-4*;6iON< zAyI}8}kvGM6|)kfk7%6srGvBZA>8F$+8C^Sg%?ziCaB<$lo zUSY}k`+5!l6)lV(1+?Fz00mu=(Mf^k$ENH<#YfoKq_pryrq(PZP&5X6&ep+ry znnc@8ZFsH!HT=V2ru7!={NLua*h$8MruP!YhHe-MEC?X=h%vw`7qm_mefZyH57!x* z_L>uGxBay1kt5NlSH^4cwKonOWm@FQea*?rCED_A1q~@)Ige14!a~p)S)1c^rm*Cc zx1K{=N!$Z*4|HM=;O>ds1Z-=eTV!MnBzx`Ba9)R#9AxLn zs+%@8k&ryP6%VjvE8f#^lDrv~UMDFzAaB)8UDJEM5zv7Ze%SjH&pX<0-VutkCG(FE ThM$M1;`%uLcmD|s+l=-OO literal 0 HcmV?d00001 diff --git a/stix-spec/threat-intel/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl similarity index 63% rename from stix-spec/threat-intel/attack-pattern.owl rename to stix/core-objects/sdo/attack-pattern/attack-pattern.owl index db9159e..2b309a5 100644 --- a/stix-spec/threat-intel/attack-pattern.owl 
+++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl 
@@ -1,33 +1,55 @@ - - ]> - + + 2.1.0 - AttackPattern - Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern.\n\nThe Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. + + + + + + + + + + + + + + + + + + + AttackPattern + Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern.\n\nThe Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. + + + aliases + Specifies a list of other names that this entity is believed to use or is referred to by. + + \ No newline at end of file 
diff --git a/stix/core-objects/sdo/campaign/campaign.owl b/stix/core-objects/sdo/campaign/campaign.owl new file mode 100644 index 0000000..ace89ff --- /dev/null +++ b/stix/core-objects/sdo/campaign/campaign.owl @@ -0,0 +1,85 @@ + + + + + + + +]> + + + + + + 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Campaign + A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set.\n\nCampaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign.\n\nCampaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. + + + + first_seen + Specifies the date and time that this entity was first seen.\n\nA summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. + + + + + last_seen + Specifies the date and time that this entity was last seen.\n\nA summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. This MUST be greater than or equal to the timestamp in the first_seen property. + + + + + objective + Specifies the Campaign’s primary goal, objective, desired outcome, or intended effect — what the Threat Actor or Intrusion Set hopes to accomplish with this Campaign. + + + + \ No newline at end of file 
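Review bot: The ordering rule in the `last_seen` comment ("MUST be greater than or equal to the timestamp in the first_seen property") is prose only; OWL cannot express a value ordering between two datatype properties, so a reasoner will happily accept a Campaign whose last_seen precedes first_seen. Since consumers may read the ontology as the contract, the comment should say that the check has to live in the ingest/validation layer, e.g. append `This ordering is not expressible in OWL and MUST be enforced by the producer or at ingest.` The same caveat applies to any other cross-property constraint carried over from the STIX 2.1 text in this changeset.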
diff --git a/stix-spec/threat-intel/course-of-action.owl b/stix/core-objects/sdo/course-of-action/course-of-action.owl similarity index 69% rename from stix-spec/threat-intel/course-of-action.owl rename to stix/core-objects/sdo/course-of-action/course-of-action.owl index 758f45a..ac7470e 100644 --- a/stix-spec/threat-intel/course-of-action.owl +++ b/stix/core-objects/sdo/course-of-action/course-of-action.owl @@ -1,33 +1,43 @@ - - ]> - + + 2.1.0 - Course Of Action - A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. + + + + + + + + + + + + + Course Of Action + A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. \ No newline at end of file diff --git a/stix-spec/core/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl similarity index 53% rename from stix-spec/core/grouping.owl rename to stix/core-objects/sdo/grouping/grouping.owl index 2070dac..e4fac62 100644 --- a/stix-spec/core/grouping.owl +++ b/stix/core-objects/sdo/grouping/grouping.owl 
@@ -1,55 +1,79 @@ - ]> - + + 2.1.0 - Grouping - A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. + + + + + + + + + + + + + + + + + + + + + + + + + Grouping + A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. - - context - A short descriptor of the particular context shared by the content referenced by the Grouping. + + context + context + A short descriptor of the particular context shared by the content referenced by the Grouping. + - - suspicious-activity + + malware-analysis - - malware-analysis + + suspicious-activity - + unspecified - + - + - + diff --git a/stix-spec/core/identity.owl b/stix/core-objects/sdo/identity/identity.owl similarity index 90% rename from stix-spec/core/identity.owl rename to stix/core-objects/sdo/identity/identity.owl index 6dd3f43..0a49d76 100644 --- a/stix-spec/core/identity.owl +++ b/stix/core-objects/sdo/identity/identity.owl @@ -1,27 +1,24 @@ - ]> - + + 2.1.0 @@ -36,6 +33,42 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + STIX Identity Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). 
@@ -61,13 +94,13 @@ Identifies an actual formal organization of people, with governance, such as a company. - + contact_information The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification. - + identity_class The type of entity that this Identity describes, e.g., an individual or organization.\n\nThe value for this property SHOULD come from the identity-class-ov open vocabulary. @@ -107,13 +140,13 @@ - + roles The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. - + sectors The list of industry sectors that this Identity belongs to.\n\nThe values for this property SHOULD come from the industry-sector-ov open vocabulary. diff --git a/stix-spec/threat-intel/incident.owl b/stix/core-objects/sdo/incident/incident.owl similarity index 65% rename from stix-spec/threat-intel/incident.owl rename to stix/core-objects/sdo/incident/incident.owl index 26b2653..086dfee 100644 --- a/stix-spec/threat-intel/incident.owl +++ b/stix/core-objects/sdo/incident/incident.owl @@ -5,27 +5,39 @@ - ]> - + + 2.1.0 - Incident - An Incident is a set of related security events affecting an organization, along with information discovered or decided during an incident response investigation. + + + + + + + + + + + + + Incident + An Incident is a set of related security events affecting an organization, along with information discovered or decided during an incident response investigation. \ No newline at end of file diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl new file mode 100644 index 0000000..006c571 --- /dev/null +++ b/stix/core-objects/sdo/indicator/indicator.owl 
@@ -0,0 +1,188 @@ + + + + + + + +]> + + + + + + 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Indicator + Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language to specify these domains.\n\nThe Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language.\n\nRelationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. + + + + indicator types + Specifies A set of categorizations for this indicator.\n\nThe values for this property SHOULD come from the indicator-type-ov open vocabulary. + + + + + anomalous-activity + + + anonymization + + + attribution + + + benign + + + compromised + + + malicious-activity + + + unknown + + + + + + + + + + + + + + + + + + + + + pattern + Specifies the detection pattern for this Indicator MAY be expressed as a STIX Pattern or another appropriate language such as SNORT, YARA, etc. + + + + + pattern_type + Specifies the pattern language used in this indicator.\n\nThe value for this property SHOULD come from the pattern-type-ov open vocabulary.\n\nThe value of this property MUST match the type of pattern data included in the pattern property. 
+ + + + + pcre + + + sigma + + + snort + + + stix + + + suricata + + + yara + + + + + + + + + + + + + + + + + + + pattern_version + Specifies the version of the pattern language that is used for the data in the pattern property which MUST match the type of pattern data included in the pattern property.\n\nFor patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used.\n\nFor the STIX Pattern language, the default value is determined by the specification version of the object.\n\nFor other languages, the default value SHOULD be the latest version of the patterning language at the time of this object's creation. + + + + + valid_from + Specifies the date and time from which this this entity is considered to be valid for the behaviors it is related or represents. + + + + + valid_until + Specifies the date and time at which this entity should no longer be considered valid for the behaviors it is related to or represents.\n\nIf the valid_until property is omitted, then there is no constraint on the latest time for which the entity is valid.\n\nThis MUST be greater than the timestamp in the valid_from property. + + + + \ No newline at end of file diff --git a/stix-spec/threat-intel/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl similarity index 57% rename from stix-spec/threat-intel/infrastructure.owl rename to stix/core-objects/sdo/infrastructure/infrastructure.owl index 61de871..4339f13 100644 --- a/stix-spec/threat-intel/infrastructure.owl +++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl 
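Review bot: The property labelled `indicator types` breaks the snake_case used by every other label in this file (`pattern_type`, `pattern_version`, `valid_from`, `valid_until`) and should be `indicator_types`, the STIX 2.1 property name; the same comment also has a stray capital, `Specifies A set of categorizations` → `Specifies a set of categorizations`. The `pattern` comment reads as a run-on; suggest `Specifies the detection pattern for this Indicator. The pattern MAY be expressed as a STIX Pattern or in another language such as Snort, YARA, etc.` Because `pattern` carries detection logic authored by a third-party producer and `pattern_type` selects which engine (pcre, sigma, snort, stix, suricata, yara) it is handed to, the `pattern_type` comment is a good place to add the practitioner caveat that a consumer must verify the declared type against the actual pattern content before dispatching it, rather than trusting the label, and that regex-style patterns from untrusted feeds should be compiled with bounded engines.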
@@ -5,89 +5,125 @@ - ]> - + + 2.1.0 - Infrastructure - The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Infrastructure + The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure. - - infrastructure_types - Specifies the type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. + + infrastructure_types + Specifies the type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. - + amplification - + anonymization - + botnet - + command-and-control - + exfiltration - + hostig-malware - + hosting-target-lists - + phishing - + reconnaissance - + staging - + undefined - + - + - + - + - + - + - + - + - + - + - + 
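Review bot: The vocabulary individual `hostig-malware` is misspelled; the STIX 2.1 infrastructure-type-ov value is `hosting-malware`, and as written no conforming STIX data will ever match this individual. The catch-all is named `undefined` here while the other open vocabularies in this changeset (indicator types, malware_types, result) use `unknown`, which is also the term the 2.1 spec uses, so `undefined` → `unknown` would keep the ontology consistent with both. If the list is meant to mirror infrastructure-type-ov in full, it also appears to be missing several spec entries (control-system, firewall, routers-switches, workstation), which is worth cross-checking against the specification text.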
diff --git a/stix/core-objects/sdo/intrusion-set/.DS_Store b/stix/core-objects/sdo/intrusion-set/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..f887bb296b54802d72302973acbd863a339af522 GIT binary patch literal 6148 zcmeHKF-`+P3>-s>NHn3N+z)`n4^~k?Q1by4pg=n1Btk@cU7j7r_JTMaNK_PPEZMW` z^X%rPIL82NxqG|>769gSN9;XJ&7ZqZ?5JgoNaq0^WOR^OHnHDIf);z^4NK zeJFIt+HgpWPX|Mc0K^&7VO+;7K`fpi)`mkOGc-#oF{#!@3`;umrPbAjLt@flaWl_p zH(Q%fEN*AML^-S`DoOz# + + + + + + +]> + + + + + + 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Intrusion Set + An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.\n\nWhere a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. + + + \ No newline at end of file 
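Review bot: Four macOS Finder metadata files (`stix/core-objects/sdo/.DS_Store`, `.../intrusion-set/.DS_Store`, `.../location/.DS_Store`, `.../malware-analysis/.DS_Store`) are committed as binary blobs in this patch. They carry nothing the ontology needs, leak the author's local folder layout, and will churn on every checkout from a Mac. Remove them from the index and ignore them going forward: `git rm --cached -r '*.DS_Store'` and `echo .DS_Store >> .gitignore`.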
diff --git a/stix/core-objects/sdo/location/.DS_Store b/stix/core-objects/sdo/location/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..c5cbbc07658c7747490d4f15e51a521392413e10 GIT binary patch literal 6148 zcmeHKyGjH>5Ukb<4!qz(!}$WiKUj{tz}O$qI}>4X6UFFYBk{BRGp&9gtc!4oiBv;( z&GdH7uoY}?1F+4@!!@u5u%tWU&BNUMx%bk-)G3l_lndj8aRuhWF z?aa3*hjodHQa}n!6*$lB+WY^G{>%J7C21!Gq`<#Yz!uxv?S`*Zy><3--fJ8Ej_x%d sbT_Vp!VvA4810xFZ^xHWly%M5eBKp~i9u&R=tTVtxGpj&@Yf1_0VMAp{r~^~ literal 0 HcmV?d00001 diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl new file mode 100644 index 0000000..88a9fb5 --- /dev/null +++ b/stix/core-objects/sdo/location/location.owl 
@@ -0,0 +1,181 @@ + + + + + + + +]> + + + + + + 2.1.0 + + + + + Civic Location + Identifies an actual civic location (e.g., street address, city, administrative area, postal code). + + + + + Country + Identifies an actual country. + + + + + Global Position + Identifies a physical position on the globe. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + STIX Location + A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. + + + + + Region + Identifies an actual region in the world. + + + + administrative_area + The state, province, or other sub-national administrative area that this Location describes. + + + + + building details + Specifies additional details about the location within a building including things like floor, room, etc. + + + + + city + The name of the city. + + + + + country + The valid ISO 3166-1 ALPHA-2 Code [ISO3166-1] that is asigned to the country. + + + + + latitude + The WGS84 latitude of a SpatialThing (decimal degrees).\n\nPositive numbers describe latitudes north of the equator, and negative numbers describe latitudes south of the equator. The value of this property MUST be between -90.0 and 90.0, inclusive.\n\nIf the longitude property is present, this property MUST be present. + + + + + longitude + The WGS84 longitude of a SpatialThing (decimal degrees).\n\nPositive numbers describe longitudes east of the prime meridian and negative numbers describe longitudes west of the prime meridian. The value of this property MUST be between -180.0 and 180.0, inclusive.\n\nIf the latitude property is present, this property MUST be present. + + + + + network details + Specifies additional details about this network location including things like wiring closet, rack number, rack location, and VLANs. 
+ + + + + postal_code + + + + + + precision + Defines the precision of the coordinates specified by the latitude and longitude properties. This is measured in meters. The actual Location may be anywhere up to precision meters from the defined point.\n\nIf this property is not present, then the precision is unspecified.\n\nIf this property is present, the latitude and longitude properties MUST be present. + + + + + street_address + The street address that this Location describes. This property includes all aspects or parts of the street address. For example, some addresses may have multiple lines including a mailstop or apartment number. + + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/malware-analysis/.DS_Store b/stix/core-objects/sdo/malware-analysis/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..13df802237ca012c372a6b80d99ace2893ac5f6f GIT binary patch literal 6148 zcmeHKyH3ME5S)V)k!Vs-P~H!K#2=iZq@d;pAV7g+uoQ$4oxA)9AI6`+>;r^l5FG`Y zm3HTDZ^su;;mral%g5_eU;$uGH^k1u)a=}RVtbh>L^_{wi7jq$OuU~|f1fb!A@0cN z@HFCE<{1yTrJtbZX?NE3SDUWikYhjimHzUU#LCzRs1Ghe+Nr3ETV0Vyz6U_Z7C>;G%|5A*++q@5Iy0{=>ZGFzRmmVBk` zt&^9tUR&uG^bcdLmos=PCVDI8##-^wm%3_ep0~sy(CN%Oov1$ori)Ap{DlJVq?94U literal 0 HcmV?d00001 diff --git a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl new file mode 100644 index 0000000..893a47a --- /dev/null +++ b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl 
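Review bot: `postal_code` is the only property in this file declared without a comment; a one-liner such as `The postal code for this Location.` keeps the documentation complete. The `country` comment has a typo, `asigned` → `assigned`, and the labels `building details` and `network details` use spaces where the rest of the file (and the STIX property names `building_details`, `network_details`) use snake_case. The latitude/longitude mutual-presence rule and the `precision` dependency on both coordinates are prose-only constraints that OWL cannot enforce, so it would help consumers to state in those comments that they must be validated at ingest.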
@@ -0,0 +1,142 @@ + + + + + + + + +]> + + + + + + + 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + MalwareAnalysis + Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. One of result or analysis_sco_refs properties MUST be provided. + + + + analysis_ended + Specifies the date and time that the analysis ended. + + + + + analysis_sco_refs + Specifies references to STIX Cyber-observable Objects that were captured during the analysis process. + + + + + analysis_sco_refs_id + Specifies the identifiers of STIX Cyber-observable Objects that were captured during the analysis process. + + + + + analysis_started + Specifies the date and time that the analysis was initiated. + + + + + sample_ref + Specifies a reference to the Cyber Observable object that this analysis was performed against. + + + + + sample_ref_id + Specifies the identifier of the Cyber Observable object that this analysis was performed against. + + + + + submitted + Specifies the date and time that the entity was first submitted for scanning or analysis. This value will stay constant while the scanned date can change. + + + + \ No newline at end of file diff --git a/stix-spec/threat-intel/malware.owl b/stix/core-objects/sdo/malware/malware.owl similarity index 64% rename from stix-spec/threat-intel/malware.owl rename to stix/core-objects/sdo/malware/malware.owl index f462a48..9344bbd 100644 --- a/stix-spec/threat-intel/malware.owl +++ b/stix/core-objects/sdo/malware/malware.owl 
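Review bot: The MalwareAnalysis class moves into this new file, but most of its properties from the spec (`product`, `result`, `result_name`, `analysis_engine_version`, `analysis_defintion_version`, `configuration_version`, `modules`, `host_vm_ref`, `installed_software_refs`, `operating_system_ref`) are left declared in malware.owl by the following hunk, so anyone loading malware-analysis.owl alone gets a class with only the timestamps and SCO references. Either move those declarations here alongside the class or add an owl:imports of malware.owl and say so in a comment. The class comment's "One of result or analysis_sco_refs properties MUST be provided" is, as far as the visible text shows, prose only; if it is not already encoded as an `owl:unionOf` of two minCardinality restrictions, note in the comment that it has to be enforced by consumers.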
@@ -6,640 +6,694 @@ - ]> - + + 2.1.0 - Malware - Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim.\n\nThe Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO.\n\nTo minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Malware + Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim.\n\nThe Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. 
This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO.\n\nTo minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. - - - MalwareAnalysis - Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. One of result or analysis_sco_refs properties MUST be provided. - - - - analysis_defintion_version - Specifies the version of the analysis definitions used by the analysis tool (including AV tools). + + analysis_defintion_version + Specifies the version of the analysis definitions used by the analysis tool (including AV tools). - - analysis_engine_version - Specifies the version of the analysis engine or product (including AV engines) that was used to perform the analysis. + + analysis_engine_version + Specifies the version of the analysis engine or product (including AV engines) that was used to perform the analysis. - - architecture_execution_envs - Specifies the processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on.\n\nThe values for this property SHOULD come from the processor-architecture-ov open vocabulary. + + architecture_execution_envs + Specifies the processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on.\n\nThe values for this property SHOULD come from the processor-architecture-ov open vocabulary. - + alpha - + arm - + ia-64 - + mips - + powerpc - + sparc - + x86 - + x86-64 - + - + - + - + - + - + - + - + - - capabilities - Specifies any of the capabilities identified for the malware instance or family.\n\nThe values for this property SHOULD come from the malware-capabilities-ov open vocabulary. 
+ + capabilities + Specifies any of the capabilities identified for the malware instance or family.\n\nThe values for this property SHOULD come from the malware-capabilities-ov open vocabulary. - + accesses-remote-machinesstix:Software - + anti-debuggingstix:Software - + anti-disassemblystix:Software - + anti-emulationstix:Software - - antimemory-forensicsstix:Software + + anti-sandboxstix:Software - - anti-sandboxstix:Software + + anti-vmstix:Software - - anti-vmstix:Software + + antimemory-forensicsstix:Software - + captures-input-peripheralsstix:Software - + captures-outputperipheralsstix:Software - + captures-system-state-datastix:Software - + cleans-traces-of-infectionstix:Software - + commits-fraudstix:Software - + communicates-with-c2stix:Software - + compromises-data-availabilitystix:Software - + compromises-data-integritystix:Software - + compromises-system-availabilitystix:Software - + controls-local-machinestix:Software - + degrades-security-softwarestix:Software - + degrades-system-updatesstix:Software - + determines-c2-serverstix:Software - + emails-spamstix:Software - + escalates-privilegesstix:Software - + evades-avstix:Software - + exfiltrates-datastix:Software - + fingerprints-hoststix:Software - + hides-artifactsstix:Software - + hides-executing-codestix:Software - + infects-filesstix:Software - + infects-remote-machinesstix:Software - + installs-other-componentsstix:Software - + persists-aftersystem-rebootstix:Software - + prevents-artifact-accessstix:Software - + prevents-artifact-deletionstix:Software - + probes-networkenvironmentstix:Software - + self-modifiesstix:Software - + steals-authentication-credentialsstix:Software - + violates-systemoperational-integrity - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - configuration_version - Specifies the named configuration of additional product configuration parameters for this analysis run. 
+ + configuration_version + Specifies the named configuration of additional product configuration parameters for this analysis run. - - host_vm_ref - Specifies a reference to a Software object used to describe the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family.\n\nIf this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted.\n\nThe value of this property MUST be a reference to a SCO Software object. + + host_vm_ref + Specifies a reference to a Software object used to describe the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family.\n\nIf this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted.\n\nThe value of this property MUST be a reference to a SCO Software object. - - host_vm_ref_id - Specifies the identifier to a Software object used to describe the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family.\n\nIf this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted.\n\nThe value of this property MUST be the identifier of a SCO Software object. 
+ + host_vm_ref_id + Specifies the identifier to a Software object used to describe the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family.\n\nIf this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted.\n\nThe value of this property MUST be the identifier of a SCO Software object. - - implementation_languages - Specifies the programming language(s) used to implement the malware instance or family.\n\nThe values for this property SHOULD come from the implementation-language-ov open vocabulary. + + implementation_languages + Specifies the programming language(s) used to implement the malware instance or family.\n\nThe values for this property SHOULD come from the implementation-language-ov open vocabulary. - + applescript - + bash - + c - - c++ + + c# - - c# + + c++ - + go - + java - + javascript - + lua - + objective-c - + perl - + php - + powershell - + python - + ruby - + scala - + swift - + typescript - + visual-basic - + x86-32 - + x86-64 - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - installed_software_refs - Specifies references to SCO Software objects that represents any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family.\n\nThe value of this property MUST be references to SCO software objects. + + installed_software_refs + Specifies references to SCO Software objects that represents any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family.\n\nThe value of this property MUST be references to SCO software objects. 
- - installed_software_refs_id - Specifies identifiers of SCO Software objects that represents any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family.\n\nThe value of this property MUST be identifiers of SCO software objects. + + installed_software_refs_id + Specifies identifiers of SCO Software objects that represents any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family.\n\nThe value of this property MUST be identifiers of SCO software objects. - - is_family - Specifies whether the object represents a malware family (if true) or a malware instance (if false). + + is_family + Specifies whether the object represents a malware family (if true) or a malware instance (if false). - - malware_types - Specifies a set of categorizations for the malware being described.\n\nThe values for this property SHOULD come from the malware-type-ov open vocabulary. + + malware_types + Specifies a set of categorizations for the malware being described.\n\nThe values for this property SHOULD come from the malware-type-ov open vocabulary. - + adware - + backdoor - - bot + + bootkit - - bootkit + + bot - + ddos - + downloader - + dropper - + exploit-kit - + keylogger - + ransomware - + remote-access-trojan - + resource-exploitation - + rogue-security-software - + rootkit - + screen-capture - + spyware - + trojan - - virus + + unknown - - webshell + + virus - - wiper + + webshell - - worm + + wiper - - unknown + + worm - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - modules - Specifies the specific analysis modules that were used and configured in the product during this analysis run. + + modules + Specifies the specific analysis modules that were used and configured in the product during this analysis run. 
- - operating_system_ref - Specifies a reference to a SCO Software object that represents the operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be a reference to a SCO Software object. + + operating_system_ref + Specifies a reference to a SCO Software object that represents the operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be a reference to a SCO Software object. - - operating_system_ref_id - Specifies the identifier of a SCO Software object that represents the operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be the identifier a SCO Software object. + + operating_system_ref_id + Specifies the identifier of a SCO Software object that represents the operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be the identifier a SCO Software object. - - operating_system_refs - Specifies a reference to a SCO Software object that represents the operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be a references to SCO Software objects. + + operating_system_refs + Specifies a reference to a SCO Software object that represents the operating systems that the malware family or malware instance is executable on. 
This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be a references to SCO Software objects. - - operating_system_refs_id - Specifies identifiers of SCO Software objects that represents the operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be identifiers of SCO Software objects. + + operating_system_refs_id + Specifies identifiers of SCO Software objects that represents the operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be identifiers of SCO Software objects. - - product - Specifies the name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-".\n\nFor cases where the name of a product cannot be specified, a value of "anonymized" MUST be used. + + product + Specifies the name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-".\n\nFor cases where the name of a product cannot be specified, a value of "anonymized" MUST be used. - - result - Specifies the classification result as determined by the scanner or tool analysis process.\n\nThe value for this property SHOULD come from the malware-result-ov open vocabulary. + + result + Specifies the classification result as determined by the scanner or tool analysis process.\n\nThe value for this property SHOULD come from the malware-result-ov open vocabulary. - - malicious + + benign - - suspicious + + malicious - - benign + + suspicious - + unknown - + - + - + - + - - result_name - Specifies the classification result or name assigned to the malware instance by the scanner tool. 
+ + result_name + Specifies the classification result or name assigned to the malware instance by the scanner tool. - - version - Specifies the version of the analysis product that was used to perform the analysis. + + version + Specifies the version of the analysis product that was used to perform the analysis. diff --git a/stix/core-objects/sdo/note/.DS_Store b/stix/core-objects/sdo/note/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..2c0643c747098a7359298fdbba5c3fd49d238297 GIT binary patch literal 6148 zcmeHKyJ`b55ZsMj9K^+yDfI;g|A8=0;o5x&PTU>7CMNAw{x1JnJo_NzI0w?W3A3;o zX|*GvDQ<5?MAxVHl}IZh4ct)9HcZX-%_sJd5e33=#!`Culy2MgZaZmjD(E0Bhn9hzLxB3Jj`di=jbBykuTY90G$b>Nn$@yjinDQNJDW z;_0F_kRuhK0%HYcv23mWKf{0N|HmY*r~noCR|@ESv)iokq^zxz$62i{@K?CyT;OJy oI|YN6W1yE~EUX+qc~ayRn`6Hw4uMWb-0496445u7DsXQFuF1U{Z~y=R literal 0 HcmV?d00001 diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl new file mode 100644 index 0000000..6b2e2a8 --- /dev/null +++ b/stix/core-objects/sdo/note/note.owl @@ -0,0 +1,73 @@ + + + + + + + +]> + + + + + + 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + Note + A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). + + + + abstract + A brief summary of the content. + + + + + authors + Specifies a list of the names of the author(s) of the content. + + + + + content + Specifies the content of the note. + + + + + object_refs + Specifies a list of STIX Objects that are referred to by this entity. + + + + \ No newline at end of file 
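Review bot: note.owl is added without a trailing newline (the hunk ends with `\ No newline at end of file`), and the same applies to threat-actor.owl, sro-props.owl and vulnerability.owl later in this commit; a final newline keeps future diffs of these files clean. The commit also adds a macOS `.DS_Store` binary next to this file and in each of the other new sdo/sro/meta-objects directories; these Finder metadata files carry no ontology content, can reveal directory listings if the tree is ever served over HTTP, and are best removed and listed in `.gitignore`.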
diff --git a/stix/core-objects/sdo/observed-data/.DS_Store b/stix/core-objects/sdo/observed-data/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..f79aae7290dc9aa6e35a7de655ab51604a4232bb GIT binary patch literal 6148 zcmeHKyH3ME5S$|^B9S6=l=lN5@du|U6x93xF`=_$iD&CBpAEAQP$CN{6$P4=_Qtoj zb1P5b^#UmCx7`h}0wUzr`!I zxaQdh`n!I3?E0Z&Hp|SG#O~AWv@*()0#ZN#SPOO6;N=#1CQYl&lE&{4cH@5#y~ zCzRsV8Lys>(gL+g0V!~-z$~^a>;Jd(U*`W~l6F!+3j8Yt%6xObS@V^$w@zNpdTpgY s(7%njp3cQvG0|HwH`apF literal 0 HcmV?d00001 diff --git a/stix-spec/core/observed-data.owl b/stix/core-objects/sdo/observed-data/observed-data.owl similarity index 87% rename from stix-spec/core/observed-data.owl rename to stix/core-objects/sdo/observed-data/observed-data.owl index 9dc93a9..c2ef165 100644 --- a/stix-spec/core/observed-data.owl +++ b/stix/core-objects/sdo/observed-data/observed-data.owl @@ -1,27 +1,24 @@ - ]> - + + 2.1.0 
@@ -31,25 +28,25 @@ Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). - + first_observed The beginning of the date and time window during which the data was seen. - + last_observed The end of the date and time window during which the data was seen. - + number_observed The number of times that each Cyber-observable object represented in the objects or object_ref property was seen. If present, this MUST be an integer between 1 and 999,999,999 inclusive.\n\nIf the number_observed property is greater than 1, the data contained in the objects or object_refs property was seen multiple times. In these cases, object creators MAY omit properties of the SCO (such as timestamps) that are specific to a single instance of that observed data. - + objects A dictionary of SCO representing the observation. The dictionary MUST contain at least one object.\n\nThe cyber observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance.\n\nThis property MUST NOT be present if object_refs is provided. true 
diff --git a/stix/core-objects/sdo/opinion/.DS_Store b/stix/core-objects/sdo/opinion/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..5d249ee5fc207e581cded0780fca757bf6faef2a GIT binary patch literal 6148 zcmeHKyNUuq5bQn;1TQc&oG&=IKNv&TZU zOmEi=Tfz3Wi0Iz+mKg=YamJUla+D9m-$C{LgmI^+{|5Ki z<2UQ3-S3)qhYB1$dIz4bZugI3mI_b-DnJFO02O#b0qec6$uy9W3Qz$ma8tm(4+U;m z6T3kFbRhT$030LjhPBTUz+wqtP3!`ZfoV{ILDd{FH0a2etgDG#V9-VVW}K5ZYfdQY zw$L^Gg - ]> - + + 2.1.0 - Opinion - An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. + + + + + + + + + + + + + Opinion + An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. - - explanation - An explanation of why the producer has this Opinion. + + explanation + An explanation of why the producer has this Opinion. - - opinion - Specifies the opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. + + opinion + opinion + Specifies he opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. + Specifies the opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. + - - strongly-disagree + + agree - + disagree - + neutral - - agree + + strongly-agree - - strongly-agree + + strongly-disagree - + - + - + - + - + 
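Review bot: The `opinion` property in this hunk now carries two label lines (`opinion` twice) and two comment lines, one of which has the typo `Specifies he opinion that the producer has ...`; only the corrected line `Specifies the opinion that the producer has about all of the STIX Object(s) listed in the object_refs property.` and a single label should remain. The markup is not visible in this rendering, so whether these are duplicate `rdfs:label`/`rdfs:comment` annotations or a leftover from a merge is inferred from the text. The file header of this hunk is obscured by the preceding binary blob, so the start of the hunk could not be checked.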
diff --git a/stix/core-objects/sdo/report/.DS_Store b/stix/core-objects/sdo/report/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..a2610f4290c0821567b51fd14a1aa4b2da33b342 GIT binary patch literal 6148 zcmeHKyGjH>5UlntI5fG?aK7Nc4-kgq42=B&IW=2Y5yf;Pzso<<>IdSnCzzN>HT2X> zPuC1n!S*%)+rHdi0BZm%x+C6vn49mr&+MckMx^tMCp=?=5w93#*~bIUJtgk}kK}#h zUk~Hmei--M=fR6h;^rgl_(6(F0VyB_q<|EV0>4tgYcFkemZ(t*NC7GErGS4Q8r`uM zPKoj9;1DeUamjEP=g~_Ln+J%!a7tu^W=SO`)vCp?q%+QF3h zXS_u^tS4%e0#e{mfkiIYUjMJ?KlJ~HB(0=?6!=#P*m8HX+ww_OTW62+THENibkBLG ryKx>A4pEMYQI5Ira(o_1nb&;I{a!dF2A%Ps6ZJFTy2zx!Un}ql5r7-G literal 0 HcmV?d00001 diff --git a/stix-spec/core/report.owl b/stix/core-objects/sdo/report/report.owl similarity index 62% rename from stix-spec/core/report.owl rename to stix/core-objects/sdo/report/report.owl index 855513a..29adc23 100644 --- a/stix-spec/core/report.owl +++ b/stix/core-objects/sdo/report/report.owl 
@@ -1,95 +1,117 @@ - ]> - + + 2.1.0 - Report - Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. + + + + + + + + + + + + + + + + + + + + + + + + + Report + Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. - - report_types + + report_types Specifies the primary type(s) of content found in this report.\n\nThe values for this property SHOULD come from the report-type-ov open vocabulary. - + attack-pattern - + campaign - + identity - + indicator - + intrusion-set - + malware - + observed-data - + threat-actor - + threat-report - + tool - + vulnerability - + - + - + - + - + - + - + - + - + - + - + diff --git a/stix/core-objects/sdo/threat-actor/.DS_Store b/stix/core-objects/sdo/threat-actor/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..02fbe6e1ec02d69a3df112c9033ed17b42f3649e GIT binary patch literal 6148 zcmeH~y-veW426$rhe|MH?08=QB;MevDg!ewP+E`}B1J;{tl4;MIJPepQH0cq0Ub;B zm+RQM${FHZ0JeF3xCS}^E4mXO9_Hrv-Dh^zGDgz*jC;J`lJP*EX5QPe`U%f?ob(UO zTw%aF`rCdu?E7IKwOCw`Z=YeOZK5hEAO)m=6p#W^;HZGlUfSwBsVD`cfD||?;NOQr zch<%+8J`Y@I0BGMro(t0X9==+f~<{Wk{Oz1E19jg}!(wMXr|oR* zgkrHf^Cik*HK`~Cq`*{xMJ_v^|2Ons&i~UUt)zey_*V+pa(lPk@RizZoxPmT+Ctya rzm2s~&Jd%Rj8V*mkK*-@y5iToUmM3{v@;*=q<#ck7nv0J3kALa$5R~~ literal 0 HcmV?d00001 diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl new file mode 100644 index 0000000..68c687f --- /dev/null 
+++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl @@ -0,0 +1,115 @@ + + + + + + + +]> + + + + + + 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Threat Actor + Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.\n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets.\n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. + + + + goals + Specifies the high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. + + + + \ No newline at end of file diff --git a/stix-spec/threat-intel/tool.owl b/stix/core-objects/sdo/tool/tool.owl similarity index 58% rename from stix-spec/threat-intel/tool.owl rename to stix/core-objects/sdo/tool/tool.owl index df358de..1799b8b 100644 --- a/stix-spec/threat-intel/tool.owl +++ b/stix/core-objects/sdo/tool/tool.owl 
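Review bot: The `goals` comment in threat-actor.owl reads `Specifies the high-level goals of this Intrusion Set, namely, what are they trying to do.`, which looks copied from the Intrusion Set definition; in this file it should say `Specifies the high-level goals of this Threat Actor, namely, what are they trying to do.`. The rest of the comment (the credit-card and point-of-sale example) already reads as Threat Actor text, so only the first sentence needs the change. Only this one annotated property is visible among the 115 added lines; if the file declares further threat-actor properties whose markup was stripped in this rendering, they presumably lack comments and should get them as well.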
@@ -4,75 +4,97 @@ - ]> - + + 2.1.0 - Tool - The Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool.\n\nTools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. + + + + + + + + + + + + + + + + + + + Tool + The Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool.\n\nTools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. - - tool_types - Specifies the kind(s) of tool(s) being described.\n\nThe values for this property SHOULD come from the tool-type-ov open vocabulary. 
+ + + + + + tool_types + Specifies the kind(s) of tool(s) being described.\n\nThe values for this property SHOULD come from the tool-type-ov open vocabulary. - - denial-of-service + + credential-exploitation - - exploitation + + denial-of-service - - information-gathering + + exploitation - - network-capture + + information-gathering - - credential-exploitation + + network-capture - + remote-access - - vulnerability-scanning + + unknown - - unknown + + vulnerability-scanning - + - + - + - + - + - + - + - + diff --git a/stix-spec/threat-intel/vulnerability.owl b/stix/core-objects/sdo/vulnerability/vulnerability.owl similarity index 73% rename from stix-spec/threat-intel/vulnerability.owl rename to stix/core-objects/sdo/vulnerability/vulnerability.owl index 924dc06..8558920 100644 --- a/stix-spec/threat-intel/vulnerability.owl +++ b/stix/core-objects/sdo/vulnerability/vulnerability.owl 
@@ -4,28 +4,40 @@ - ]> - + + 2.1.0 - Vulnerability - A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system.\n\nThe Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process. + + + + + + + + + + + + + Vulnerability + A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system.\n\nThe Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process. \ No newline at end of file 
diff --git a/stix/core-objects/sro/.DS_Store b/stix/core-objects/sro/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..03edca2302ee3ae312245bea703aa3bf6704fde7 GIT binary patch literal 8196 zcmeHM%}*0S6n_I%w|v;jcRXmdF?t|cJb;FSrCT97s~3E;R$1fgl4Sc5ed*DA-{B z62Dte8lRp@lwHq3nGjsZ{vygXke{%5E^G5F$_O_c!F>LQOjv86mtA*DzTTT`$+lcC zk@!fOnnQ;UA2AH0)mTce@b$E3dSy3dIt$`yhI2bxt()0di>_y)U89_Nrp2fu6|6i( zk;R)9%k%XVFSEQWbm-SG><)0tJf z$oNA!0U-YF1MTX0yL{AWdRA`DpB{Noo!;l_^ujHzZS6-R(PNR0NM~nPcTaC$PbS)# zHFK*4M+|wC+uTXnWx7ystbDp;<}6m2^XMHfZQZ4rXvZGWX_~*a(=@YDLYc0e25D~G zp_EB`lgrC4_2zcf=NDb1cfzB^3AW79{u)v{S@JB-+*#_lh)cGarS>FCanIw$dDC%B zR-mbkIV;DR8dXFZ!N)0w3Ip*g-xOK#Uc-C%0H5Fsd?$pokWSJ~PLPx26gf@Kl7v!is{UBVtL7CFy!WcV z=Iz2jI>(EpT{?CBqsYg`{B>*Gc=`6;#`AY#%{P$G|B-xY<@d+3mUfuUSpnZK=562| zoCO8EhZA>l3<`C8IUu*khhL$s-98+UKN!9nn3ne0{pYiRAE}0~24r^o=-2yCpZPvo zLvF`68_Cu1$$+grzKAZgFH^G`RiB9euhzf+-+^pE MmuFyM9F+6_C;MxD^Z)<= literal 0 HcmV?d00001 diff --git a/stix/core-objects/sro/relationship/.DS_Store b/stix/core-objects/sro/relationship/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..8d9ce81a67a972392ccff6104ffaea4636302cd8 GIT binary patch literal 6148 zcmeH~u};H442FNx4wYcY$aqhH#2Z9aJ1{Wu0#HDrQbZ~!V$H^5!*BaQL}^zB^jq@% zIiG!}d_$ZAV9U3MOP~R;pu6J3hpG9x`@~La#He)cvBwrYp7DyON%rA@*EV>;BRbrT z>bKb8g1fz=yXyM;P1kQC7qc_!^=H`OO%)XZ5fA|p5CIW5O2B(BZE>2aQ3OOl1bztk z_o2{T+p0rqd^$M96@WTtIE>G6m!K98P}{0QDkC(@Qfii3y<%9FGhS+5TXjgya#) - ]> - + + + 2.1.0 
@@ -30,31 +28,43 @@ The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". - + relationship_type The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a–z (lowercase ASCII), 0–9, and hyphen (-). - + source_ref Specifies a reference to the source (from) object. The value MUST be a reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). - + source_ref_id Specifies the identifier of the source (from) object. The value MUST be the identifier of a SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). - + + start_time + Represents the earliest date and time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the start_time property is defined, then this represents an estimate by the producer of the intelligence of the earliest time at which relationship will be asserted to be true.\n\nIf it is not specified, then the earliest time at which the relationship between the objects exists is not defined. + + + + + stop_time + Specifies the latest date and time at which the Relationship between the objects exists. 
If this property is a future timestamp, at the time the stop_time property is defined, then this represents an estimate by the producer of the intelligence of the latest time at which relationship will be asserted to be true.\n\nIf start_time and stop_time are both defined, then stop_time MUST be later than the start_time value.\n\nIf stop_time is not specified, then the latest time at which the relationship between the objects exists is either not known, not disclosed, or has no defined stop time. + + + + target_ref Specifies a reference to the target (to) object. The value MUST be reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). - + target_ref_id Specifies the identifier of the target (to) object. The value MUST be the identifier of a SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). diff --git a/stix/core-objects/sro/relationship/sro-props.owl b/stix/core-objects/sro/relationship/sro-props.owl new file mode 100644 index 0000000..b6b8d23 --- /dev/null +++ b/stix/core-objects/sro/relationship/sro-props.owl @@ -0,0 +1,105 @@ + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/stix/core-objects/sro/sighting/.DS_Store b/stix/core-objects/sro/sighting/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..ad531e72ddda71ec58822507652636f91bf81638 GIT binary patch literal 6148 zcmeHKyGjH>5UlntIPiiC4d)94|6n=Jz}Uc4PT>?5H&8L%$nWycwEBUt?1_o z^mfg#6>M(Sn76 z#o~76Ta?4PL`5ke1*Qrta=Y>Ve@Xvg{-2VxlLAuUUnyYA-SuwESE}ARdpYm5jebk_ unh&}g*Fj;3c1(vna~C=4(Fh3dh8tGaq!Keg<3@nH2bI1-<~@SR7mc literal 0 HcmV?d00001 
diff --git a/stix-spec/relationships/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl similarity index 86% rename from stix-spec/relationships/sighting.owl rename to stix/core-objects/sro/sighting/sighting.owl index 2a74641..d8c410a 100644 --- a/stix-spec/relationships/sighting.owl +++ b/stix/core-objects/sro/sighting/sighting.owl @@ -5,7 +5,6 @@ - ]> - + + 2.1.0 
@@ -30,36 +29,42 @@ A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior.\n\nThe Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. - + + count + Specifies a count of the number of times the something occurred. + + + + observed_data_refs Specifies a list of references to the Observed Data objects that contain the raw cyber data for this Sighting. - + observed_data_refs_id Specifies a list of identifiers of the Observed Data objects that contain the raw cyber data for this Sighting. - + sighting_of_ref Specifies a reference to the SDO that was sighted (e.g., Indicator or Malware). - + sighting_of_ref_id Specifies the identifier of the SDO that was sighted (e.g., Indicator or Malware). - + summary Indicates whether the Sighting should be considered summary data. Summary data is an aggregation of previous Sightings reports and should not be considered primary source data. Default value is false. - + where_sighted_refs Specifies a list of references to the Identity or Location objects describing the entities or types of entities that saw the sighting.\n\nOmitting the where_sighted_refs property does not imply that the sighting was seen by the object creator. 
To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs.\n\nThis property MUST reference only Identity or Location SDOs. @@ -74,7 +79,7 @@ - + where_sighted_refs_id Specifies a list of identifiers of the Identity or Location objects describing the entities or types of entities that saw the sighting.\n\nOmitting the where_sighted_refs_id property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs_id.\n\nThis property MUST refer to only Identity or Location SDOs diff --git a/stix/meta-objects/.DS_Store b/stix/meta-objects/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..b8dbec363233a0765da930d0e35dc0d4a4f4db6b GIT binary patch literal 10244 zcmeHMO>Y!87=9g6I!gkXk^~SH?UYs39uk^RzA6rEmsC-N)I`|`f`BfwJI*r7jJ=xi zCZSQJy>NkBFTM59{s1`k2hd|rmD*D|azpB=s<_bC_AHrhcC(WRRV!pm_G^3m_~V)J zv-Z0HK#C1-8o&Vn3!}95FeV*>d@kdTFp$)|kCq@FU=l)bA%a!#ceFMYh5^HXVZbn8 z7%&X<0|WS*ErT_rtw{|7h5^ICYX+n~I2ffZB(|xok`7GN6#(rZR;z${yayH1`luT0%Q9A&Y(8CxG>d-MTBhz;cI*z0^P0sT)?Z9fLE{$ZbNbk?U`39U~ZRj zD(i7Q!TnsR2YxK3rhX>_2L|6c_^xGHL)M+rJ-%KNu4u$XH@YQDOPmLlR^F{#_vw1s z9=pn!aD7H21@JwJO>W=tna9_QyurL!VN3dfmCNPI_KD5S^V8=hoX;wM=Nf1wHC=aU*!Rhia~?ksztt6s=HO6)s_X_5GDUxTDFh2 zHC?3MH``T9_v_eZY`a2rHycsPRDbg;D=`(zsr=2`G4eYnXgJ4KIQGAW+|Jj9&slt( zMlsqufm@-$JS%b`czDx|BA3-@@&2-3l-SWaSIjTA5FE#)iDk z;91lrxh3X?G+$WIbvgWD_!ut3EG*#1C*To$4?n>Z_yvB0KjAt2LkKxUM#(t&fP6?k zBB#kGWJ*H^S}*Hlt9xw;I=;Gp^g(U9ROMkkh3UFMLOwH-e7KhPWaFjx!_zN!>pSG$ zp4!*%WuMDhDPjRH%*QbBHNJL`~_-zr{559w_WFEUsWNZlVRDdT1 zXrQg3xJ*J-NsUm#Bf5x7Ph6X*JZ=+}p7^&!OnR=H|+$>e3dds_x?M&XMTAdj_{eW>7)F9?(bir4hc36}3Lf_^; z;~wW2@P_`XAMRHDu<}~qllcCXw*OdVrGONW0#ZN zE;*qTzn%H&V>i%HBG8IqS8R tenbB;)_OUEw_>8VVlJ!|pKjGvd**&i90Q%sywi#L5inh3Qs6HX_y#%BANT+O literal 0 HcmV?d00001 
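Review bot: The new `count` comment, `Specifies a count of the number of times the something occurred.`, is ungrammatical and says neither what was counted nor the permitted range, while the number_observed comment in observed-data.owl in this same commit spells out its 1 to 999,999,999 bound. Suggested wording: `Specifies the number of times the SDO referenced by the sighting_of_ref property was sighted; MUST be an integer between 0 and 999,999,999 inclusive.`, with the range confirmed against the STIX 2.1 Sighting definition before it is committed. The following hunk (`@@ -74,7 +79,7 @@`) also leaves the where_sighted_refs_id comment without a closing period after `Identity or Location SDOs`.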
diff --git a/stix-spec/markings/marking.owl b/stix/meta-objects/data-marking/data-marking.owl similarity index 82% rename from stix-spec/markings/marking.owl rename to stix/meta-objects/data-marking/data-marking.owl index 8cc02fe..919831f 100644 --- a/stix-spec/markings/marking.owl +++ b/stix/meta-objects/data-marking/data-marking.owl @@ -1,7 +1,5 @@ - @@ -10,8 +8,6 @@ ]> - 2.1.0 - - + Granular Marking Specifies how the marking-definition object referenced by the marking_ref property or a language specified by the lang property applies to a set of content identified by the list of selectors in the selectors property. - + + Marking Definition Represents a specific marking. Data markings typically represent handling or sharing requirements for data and are applied in the object_marking_refs and granular_markings properties on Objects. - - + + Statement Marking The Statement marking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition.@[en-US} - - + + TLP Marking Represent a Traffic Light Protocol (TLP) marking in a definition property. The value of the definition_type property MUST be tlp when using this marking type. - + definition_type Specifies the type of Marking Definition. 
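Review bot: The Statement Marking comment ends with a stray `@[en-US}` suffix (`... in a definition.@[en-US}`), and the marking_ref comment in the next hunk carries the same; it is not visible here whether these lines are changed or context, but the mismatched brackets show the suffix is neither a language-tagged literal nor part of the prose, so it should be dropped or expressed as an `xml:lang="en-US"` attribute on the literal. The next hunk also labels a property `object marking_refs_id` with a space where `object_marking_refs_id` is evidently meant. The hunk headers in this section do not account for all the text shown, so the exact boundaries of the affected lines are inferred.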
@@ -66,49 +61,49 @@ - + granular_markings Specifies a list of granular markings applied to this object.\n\nIn some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). - + - + marking_ref Specifies a reference to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present.@[en-US} - + - + marking_ref_id Specifies an identifier to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present. - + object_marking_refs Specifies a list of references to marking-definition objects that apply to this object.\n\nIn some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). - + - + object marking_refs_id Specifies a list of identifiers to marking-definition objects that apply to this object.\n\nIn some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). - + selectors Specifies a list of selectors for content contained within the Object in which this property appears.\n\nThe marking-definition referenced in the marking_ref property is applied to the content selected by the selectors in this list.\n\nThe [RFC5646] language code specified by the lang property is applied to the content selected by the selectors in this list. 
- + statement A Statement (e.g., copyright, terms of use) applied to the content marked by this marking definition. - + tlp Specifies the TLP level [TLP] of the content marked by this marking definition. diff --git a/stix/meta-objects/extension-definition/.DS_Store b/stix/meta-objects/extension-definition/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..742dbae1ead809fddef150de3eb05bff1295a12a GIT binary patch literal 6148 zcmeH~J#GR)42A7Lfs_=Klydz^`?hS_C3vUr~nn90#x9rfX!am=sw6u z1*iZOI4WSj4+U)V*yjHe{L20RyooC+Kn4Dl0y + + + + + + +]> + + + + + + + 2.1.0 + + + + + + + + + + + + + + + + + Extension + Characterizes the base of all extensions to Cyber Observable objects. + + + + + + + + + + + + + + + + + + + + + + + Extension Definition + + + + + + + + + + + + + + + + + + + + extension_properties + This property contains the list of new property names that are added to an object by an extension.\n\nThis property MUST only be used when the extension_types property includes a value of toplevel-property-extension. In other words, when new properties are being added at the top-level of an existing object + + + + + + + + + + legacy + + + new-sco + + + new-sdo + + + new-sro + + + property-extension + + + toplevel-property-extension + + + + + + + + + + + + + + + + + + + extension types + This property specifies one or more extension types contained within this extension.\n\The values for this property MUST come from the extension-type-enum enumeration.\n\nWhen this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. + + + + + + + + + + + + + + + + + + + + + + + + + + schema + Specifies a URL that points to a JSON schema or a location that contains information about the schema. + + + + + + + + + + version + Specifies the version of the entity. + + + + + \ No newline at end of file 
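Review bot: The label `object marking_refs_id` has a space where the sibling properties (`marking_ref_id`, `object_marking_refs`) use an underscore; if this is the rdfs:label it should read `object_marking_refs_id` so it matches the property's local name and any tooling that derives names from labels. The marking_ref comment also ends with the stray fragment `MUST NOT be present.@[en-US}`, which should be dropped or turned into a proper language tag on the literal. The circular-reference prohibition on the `_id` variants is, as written, documentation only; whether a supporting axiom exists cannot be checked because the XML elements are not visible in this hunk.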
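Review bot: In the new extension-definition file the label `extension types` uses a space where the property is `extension_types` (the extension_properties comment itself refers to `extension_types`), and its comment contains a broken escape, `\n\The values for this property MUST come from the extension-type-enum enumeration`, which should be `\n\nThe values …`. The `schema` comment says the property `Specifies a URL that points to a JSON schema`; since extension definitions arrive from other producers, a note such as `Consumers SHOULD NOT dereference this URL automatically; treat it as informational and validate against a locally pinned schema.` would keep a data field from becoming a fetch of producer-chosen content. The `diff --git` header for this file is partly obscured by the preceding binary patch, so the path is inferred from the enclosing headers.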
diff --git a/stix/meta-objects/language-content/.DS_Store b/stix/meta-objects/language-content/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..956a5d7925c77eea467ff67ac0b38a55e9c264cb GIT binary patch literal 6148 zcmeHKyH3ME5S)b+k!Vs-P~H!K#2;8uC}?Q-0Z2eJ78Vi_tvfy&W*?vghn51(O1tCR z+qsjc@OlB*a{F)zEC9^uj(GPlHQ#ri*imJSNaq<_+~Wz4ILBsEeK_IVQ}pCLlex - ]> - + + 2.1.0 - + LanguageContent The Language Content object represents text content for STIX Objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation.\n\nFor each key in the nested dictionary:\n * If the original property is a string, the corresponding property in the language content object MUST contain a string with the content for that property in the language of the top-level key\n. * If the original property is a list, the corresponding property in the translation object must also be a list. Each item in this list recursively maps to the item at the same position in the list contained in the target object. The lists MUST have the same length.\n * In the event that translations are only provided for some list items, the untranslated list items MUST be represented by an empty string (""). This indicates to a consumer of the Language Content object that they should interpolate the translated list items in the Language Content object with the corresponding (untranslated) list items from the original object as indicated by the object_ref property.\n * If the original property is an object (including dictionaries), the corresponding location in the translation object must also be an object. Each key/value field in this object recursively maps to the object with the same key in the original. 
- + contents Specifies the contains the actual Language Content (translation).\n\nThe keys in the dictionary MUST be RFC 5646 language codes for which language content is being provided [RFC5646]. The values each consist of a dictionary that mirrors the properties in the target object (identified by object_ref and object_modified). For example, to provide a translation of the name property on the target object the key in the dictionary would be name. - + object_modified Identifies the modified data and time of the object that this Language Content applies to. It MUST be an exact match for the modified time of the STIX Object being referenced. diff --git a/stix-spec/stix.owl b/stix/stix.owl similarity index 70% rename from stix-spec/stix.owl rename to stix/stix.owl index 0f825d1..c180cb8 100644 --- a/stix-spec/stix.owl +++ b/stix/stix.owl @@ -15,31 +15,33 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - This ontology is the master ontology for the STIX 2.1.0. It imports all the various STIX ontologies files to create an unified ontology based on the various component ontologies that make up STIX. - + This ontology is the master ontology for the STIX 2.1.0. It imports all the various STIX ontologies files to create an unified ontology based on the various component ontologies that make up STIX. - - + + + + - + + + - @@ -50,64 +52,14 @@ + - + 2.1.0 - - - - - - - - - - - - - - - - legacy - - - new-sco - - - new-sdo - - - new-sro - - - property-extension - - - toplevel-property-extension - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix-spec/vocabularies/vocab.owl b/stix/vocabularies/vocab.owl similarity index 85% rename from stix-spec/vocabularies/vocab.owl rename to stix/vocabularies/vocab.owl index a1770a1..53d9ea6 100644 --- a/stix-spec/vocabularies/vocab.owl +++ b/stix/vocabularies/vocab.owl 
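Review bot: Two comments in the language-content hunk carry typos that will be read as the property definitions: `contents` says `Specifies the contains the actual Language Content (translation)` and should read `Contains the actual Language Content (translation).`, and `object_modified` says `Identifies the modified data and time of the object` where `date and time` is meant. The `MUST be an exact match for the modified time` clause on object_modified is worth keeping verbatim, since consumers match that value textually. The file header for this hunk is partly obscured by the preceding binary patch, so the attribution to language-content.owl comes from the surrounding headers.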
@@ -2105,10 +2105,130 @@ - - region-ov - Defines an open-vocabulary that captures the world regions based on the United Nations geoscheme. - + + personal_motivations + The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals.\n\nPersonal motivation, which is independent of the organization’s goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization’s motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation’s objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance.\n\nThe values for this property SHOULD come from the attack-motivation-ov open vocabulary. + + + + + accidental + + + coercion + + + dominance + + + ideology + + + notoriety + + + organizational-gain + + + personal-gain + + + personal-satisfaction + + + revenge + + + unpredictable + + + + + + + + + + + + + + + + + + + + + + + + + + + primary_motivation + Specifies the primary reason, motivation, or purpose behind this Intrusion Set. The motivation is why the Intrusion Set wishes to achieve the goal (what they are trying to achieve).\n\nThe value for this property SHOULD come from the attack-motivation-ov open vocabulary. 
+ + + + + accidental + + + coercion + + + dominance + + + ideology + + + notoriety + + + organizational-gain + + + personal-gain + + + personal-satisfaction + + + revenge + + + unpredictable + + + + + + + + + + + + + + + + + + + + + + + + + + + region + The region that this Location describes.\n\nThe value for this property SHOULD come from the region-ov open vocabulary. + 
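Review bot: The eleven attack-motivation values (`accidental` through `unpredictable`) are written out in full under personal_motivations and again under primary_motivation in this hunk, and a third time under secondary_motivations in the next; every comment says the values `SHOULD come from the attack-motivation-ov open vocabulary`, so one named enumeration for attack-motivation-ov that the three properties reference would stop the copies drifting when the vocabulary changes. This hunk also removes the `region-ov` description (`Defines an open-vocabulary that captures the world regions based on the United Nations geoscheme`) while the new `region` comment still says values `SHOULD come from the region-ov open vocabulary`; if region-ov is relocated elsewhere that is fine, but the visible hunk does not show where it went, so the reference may now dangle.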
@@ -2257,7 +2377,267 @@ - - + + + + + resource_level + Specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack.\n\nThe value for this property SHOULD come from the attack-resource-level-ov open vocabulary. + + + + + club + + + contest + + + government + + + individual + + + organization + + + team + + + + + + + + + + + + + + + + + + + roles + Specifies a list of roles the Threat Actor plays.\n\nThe values for this property SHOULD come from the threat-actor-role-ov open vocabulary. + + + + + agent + + + director + + + independent + + + infrastructure-architect + + + infrastructure-operator + + + malware-author + + + sponsor + + + + + + + + + + + + + + + + + + + + + secondary_motivations + Specifies the secondary reasons, motivations, or purposes behind this Intrusion Set. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance.\n\nThe values for this property SHOULD come from the attack-motivation-ov open vocabulary. + + + + + accidental + + + coercion + + + dominance + + + ideology + + + notoriety + + + organizational-gain + + + personal-gain + + + personal-satisfaction + + + revenge + + + unpredictable + + + + + + + + + + + + + + + + + + + + + + + + + + + sophistication + Specifies the skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack.\n\nThe value for this property SHOULD come from the threat-actor-sophistication-ov open vocabulary. 
+ + + + + advanced + + + expert + + + innovator + + + intermediate + + + minimal + + + none + + + strategic + + + + + + + + + + + + + + + + + + + + + threat_actor_types + Specifies the type(s) of this threat actor.\n\nThe values for this property SHOULD come from the threat-actor-type-ov open vocabulary. + + + + + activist + + + competitor + + + crime-syndicate + + + criminal + + + hacker + + + insider-accidential + + + insider-disgruntled + + + nation-state + + + sensationalist + + + spy + + + terrorist + + + unknown + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/stix-spec/vocabularies/vocabulary-user-defs.owl b/stix/vocabularies/vocabulary-user-defs.owl similarity index 100% rename from stix-spec/vocabularies/vocabulary-user-defs.owl rename to stix/vocabularies/vocabulary-user-defs.owl diff --git a/tac-kb-example.owl b/tac-kb-example.owl new file mode 100644 index 0000000..74d7e47 --- /dev/null +++ b/tac-kb-example.owl @@ -0,0 +1,23 @@ + + + + + + +]> + + + + The TAC ontology is a knowledge representation framework focused on comprehensively representing the context around adversaries. The project comprises a set of concept definitions and their relationships encoded in Web Ontology Language (OWL) that altogether harmonise into what we call the Threat Actor Context ontology. + + + + + \ No newline at end of file 
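Review bot: The threat_actor_types list contains `insider-accidential`, which does not match the STIX 2.1 threat-actor-type-ov value `insider-accidental`; data produced against the specification will not resolve to this individual, so the name should be corrected to `insider-accidental`. The hunk also repeats the full attack-motivation value list under secondary_motivations, which is the third verbatim copy in this file and a candidate for a single shared enumeration. Whether the individual IRIs are derived from these literals cannot be confirmed here because the XML elements are not visible.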
diff --git a/tac/.DS_Store b/tac/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..1539ccec7f633cb248621c5aba25af57e5732ff4 GIT binary patch literal 8196 zcmeHM&2G~`5T0!VbrezM08%+1S>hT((jNrs#SQ6!0}_f69103?9HpkV*GilQDT?GH z5k0yDcyNb^T~K@?`B-EX}+pLh2g%bRfkK-30)6<`YhEG&e@0#*x* z#;MHNn(5g@6vzh%K|&Yqz$sMbyt#uFU*1rj`X4INxT3VmZz2W_p{ydo&}v@vv~cXjMG*ScY2Bt z_#Je4@jQrqIjqS+?DrMd)dN;OpKlg#jz-&i)%zuTZ)bO0vPTcLD*Jhv1sNp49KLwPbr?x9YZKluUe=dPcHdH$qt9hsN6{A3q-~zi%Y{ z3wS5T=Uv6A+lxaPcX4Lg?dBwC3G^^<35KnQeF5S>6S|d~ToAyO{?lRnb|k)XBXv=~I)xGW{3k)!Sb + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + goal + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + The outcome of the attacker activity + attack activity outcome + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/tac/catalog-v001.xml b/tac/catalog-v001.xml index 4c15a7a..c521083 100644 --- a/tac/catalog-v001.xml +++ b/tac/catalog-v001.xml @@ -1,101 +1,59 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tac/mitre-custom-properties/x_mitre.owl b/tac/mitre-custom-properties/x_mitre.owl deleted file mode 100644 index 7a068a0..0000000 --- a/tac/mitre-custom-properties/x_mitre.owl +++ /dev/null 
@@ -1,112 +0,0 @@ - - - - - - -]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/tac/tac-objects/.DS_Store b/tac/tac-objects/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..5008ddfcf53c02e82d7eee2e57c38e5672ef89f6 GIT binary patch literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0 + + + + + + + + +]> + + + + + + + There has been some ambiguity with respect to the differentiation of stix:IntrusionSet and stix:ThreatActor. They are different, and the tac:Adversary class is intended to clarify the differences. + + + \ No newline at end of file diff --git a/tac/tac-objects/tac-objects.owl b/tac/tac-objects/tac-objects.owl new file mode 100644 index 0000000..7d2fcc3 --- /dev/null +++ b/tac/tac-objects/tac-objects.owl @@ -0,0 +1,28 @@ + + + + + + + + + +]> + + + + + + + + \ No newline at end of file diff --git a/tac/tac-properties/.DS_Store b/tac/tac-properties/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..7def18bc721ce68a6ae538e7c35dae986ac99414 GIT binary patch literal 6148 zcmeHKJxc>Y5PhpD0ye?Qa{qt<|G^rP!rDKei59}aiAHR%^Jm95ABx8zq_U9rVCL=4 z&Fto0agza1R&NhizyiRWW{eMWQ`mE}2~ILn$TXhuj2HCukL2TEwddI59y?r)>i2l! zIj>mq#CLQzUBBCQ{g(OmW3Oq;gM%wU3P=GdAO)m=6gXA^>%GMMELdI&NC7GEt$=+W zD$Teh55fNFpz{%cJY(3wwa*gdY5{Uf9)cMmN|chLwB(3UqMY%Xc`bPej&c;gndjuq zB`1{Pw=-Tn9i;`!O93e`R^T+Y3+w+I+As6}xJWxGAO-%F0%f+oU9b2`*;^+sXT7%4 t?r2|NuBX#^D<*p@=Ehp_#gDvdYd&wuL$H@K?&W0t5inf@DexBxd;&)N9!dZJ literal 0 HcmV?d00001 diff --git a/tac/tac-properties/tac-properties.owl b/tac/tac-properties/tac-properties.owl new file mode 100644 index 0000000..3dc33bf --- /dev/null +++ b/tac/tac-properties/tac-properties.owl 
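Review bot: The only documentation on the new tac:Adversary class says `They are different, and the tac:Adversary class is intended to clarify the differences.` without stating the difference or how Adversary relates to the two STIX classes, so a reader cannot tell whether Adversary is a common superclass, a union, or a third disjoint notion. State the actual criterion, for example `tac:Adversary generalises stix:ThreatActor (identified individuals or groups) and stix:IntrusionSet (a grouped set of adversarial behaviours and resources attributed to one orchestrator); use it when that distinction is not yet known.`, adjusted to whatever the class axioms actually assert. The `diff --git` header for this file is hidden by the preceding binary patch; from the following tac-objects.owl header and the PATCH 12 diffstat this appears to be tac/tac-objects/adversary.owl.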
@@ -0,0 +1,78 @@ + + + + + + + + + +]> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/tac/tac.owl b/tac/tac.owl index e185353..05e1bd5 100644 --- a/tac/tac.owl +++ b/tac/tac.owl @@ -21,288 +21,11 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - - - + Concepts that have been developed and approved at a committee level by the OASIS Threat Actor Context Technical Committee are called TAC TC concepts. TAC TC concepts are incorporated as import statements into the main tac.owl file and thus are part of the core ontology. + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - There has been some ambiguity with respect to the differentiation of stix:IntrusionSet and stix:ThreatActor. They are different, and the tac:Adversary class is intended to clarify the differences. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/tac/talc.owl b/tac/talc.owl deleted file mode 100644 index ab507e9..0000000 --- a/tac/talc.owl +++ /dev/null @@ -1,38 +0,0 @@ - - - - - - - -]> - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/tac/threat-agent-lib/ta-classification-axioms.owl b/tac/threat-agent-lib/ta-classification-axioms.owl deleted file mode 100644 index 6360c67..0000000 --- a/tac/threat-agent-lib/ta-classification-axioms.owl +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - -]> - - - - - - - \ No newline at end of file 
From 3080c92d4d1abf53fb1ae523745e9a99db5ce7e6 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Sat, 31 Dec 2022 08:37:18 -0800 Subject: [PATCH 11/70] organizing directory structure --- .../stix-2.1/stix2-1_context.json | 0 .../mitre-custom-properties/x_mitre.owl | 112 ------------------ open-concepts/open-concepts.owl | 21 ---- open-concepts/security-playbook/.DS_Store | Bin 6148 -> 0 bytes .../security-playbook.owl | 0 .../catalog-v001.xml | 4 +- .../ta-library.owl | 0 .../tal-kb-example.owl | 0 .../tal-kb-example.properties | 0 9 files changed, 2 insertions(+), 135 deletions(-) rename {context-definitions => json-dl-contexts}/stix-2.1/stix2-1_context.json (100%) delete mode 100644 open-concepts/mitre-custom-properties/x_mitre.owl delete mode 100644 open-concepts/open-concepts.owl delete mode 100644 open-concepts/security-playbook/.DS_Store rename {open-concepts/security-playbook => security-playbook}/security-playbook.owl (100%) rename {open-concepts/threat-agent-lib => threat-agent-lib}/catalog-v001.xml (98%) rename {open-concepts/threat-agent-lib => threat-agent-lib}/ta-library.owl (100%) rename {open-concepts/threat-agent-lib => threat-agent-lib}/tal-kb-example.owl (100%) rename {open-concepts/threat-agent-lib => threat-agent-lib}/tal-kb-example.properties (100%) diff --git a/context-definitions/stix-2.1/stix2-1_context.json b/json-dl-contexts/stix-2.1/stix2-1_context.json similarity index 100% rename from context-definitions/stix-2.1/stix2-1_context.json rename to json-dl-contexts/stix-2.1/stix2-1_context.json diff --git a/open-concepts/mitre-custom-properties/x_mitre.owl b/open-concepts/mitre-custom-properties/x_mitre.owl deleted file mode 100644 index df022c9..0000000 --- a/open-concepts/mitre-custom-properties/x_mitre.owl +++ /dev/null 
@@ -1,112 +0,0 @@ - - - - - - -]> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/open-concepts/open-concepts.owl b/open-concepts/open-concepts.owl deleted file mode 100644 index 970b8fd..0000000 --- a/open-concepts/open-concepts.owl +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - -]> - - - - Concepts that will be publicly available, meaning their inclusion in the official GitHub repository of the TAC ontology but have not been developed or encoded by the TAC TC, are called Open. The namespaces of concepts that follow the Open model are not incorporated into the main tac.owl file and thus are not part of the core ontology but users of the TAC ontology can do the imports manually. - - - \ No newline at end of file diff --git a/open-concepts/security-playbook/.DS_Store b/open-concepts/security-playbook/.DS_Store deleted file mode 100644 index 733d817a50851a7c56e4f32211a5fb2b0598bfe6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKyH3ME5S)V)k!aE&QQi*_i9aw=Qc&{);6Q<}WCTPgojX1oW*;CdgXk#GthGCL z>zzA$3a<}9S?zAlfCYd#-4L%9re^oeCw7pTLZowzN8I5Vdz|87QvH3xxW{q7;w< zQs7eo`#w~ZGFxA+SA3=H zt&^9tUR&u`^bcdLmos=PCVDI8#9Hymm%3_W-ft3zK&LbBbfSI)Oc$9H_zMNz0hf*+ AZU6uP diff --git a/open-concepts/security-playbook/security-playbook.owl b/security-playbook/security-playbook.owl similarity index 100% rename from open-concepts/security-playbook/security-playbook.owl rename to security-playbook/security-playbook.owl diff --git a/open-concepts/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml similarity index 98% rename from open-concepts/threat-agent-lib/catalog-v001.xml rename to threat-agent-lib/catalog-v001.xml index ea8627e..43ea2cd 100644 --- a/open-concepts/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml 
@@ -57,7 +57,7 @@ - - + + diff --git a/open-concepts/threat-agent-lib/ta-library.owl b/threat-agent-lib/ta-library.owl similarity index 100% rename from open-concepts/threat-agent-lib/ta-library.owl rename to threat-agent-lib/ta-library.owl diff --git a/open-concepts/threat-agent-lib/tal-kb-example.owl b/threat-agent-lib/tal-kb-example.owl similarity index 100% rename from open-concepts/threat-agent-lib/tal-kb-example.owl rename to threat-agent-lib/tal-kb-example.owl diff --git a/open-concepts/threat-agent-lib/tal-kb-example.properties b/threat-agent-lib/tal-kb-example.properties similarity index 100% rename from open-concepts/threat-agent-lib/tal-kb-example.properties rename to threat-agent-lib/tal-kb-example.properties From 907f20a9d3684b8db9a923b74c5c52be0596c6ab Mon Sep 17 00:00:00 2001 
From: Ryan Hohimer Date: Sat, 31 Dec 2022 13:18:52 -0800 Subject: [PATCH 12/70] fixing directory structure and adding relative path catalog-v001.xml files for Protege users --- stix/.DS_Store | Bin 6148 -> 0 bytes stix/catalog-v001.xml | 96 +++++++-------- stix/core-objects/.DS_Store | Bin 8196 -> 0 bytes stix/core-objects/catalog-v001.xml | 47 -------- stix/core-objects/common-properties.owl | 2 +- stix/core-objects/data-types.owl | 8 +- stix/core-objects/sco/.DS_Store | Bin 16388 -> 0 bytes stix/core-objects/sco/directory/.DS_Store | Bin 6148 -> 0 bytes stix/core-objects/sco/email-message/.DS_Store | Bin 6148 -> 0 bytes .../sco/email-message/email-message.owl | 1 + stix/core-objects/sco/ipv4-address/.DS_Store | Bin 6148 -> 0 bytes stix/core-objects/sco/ipv6-address/.DS_Store | Bin 6148 -> 0 bytes stix/core-objects/sco/url/.DS_Store | Bin 6148 -> 0 bytes .../sco/windows-registry-key/.DS_Store | Bin 6148 -> 0 bytes .../windows-registry-key.owl | 2 +- .../sco/x509-vertificate/x509-certificate.owl | 1 + stix/core-objects/sdo/.DS_Store | Bin 18436 -> 0 bytes .../sdo/threat-actor/threat-actor.owl | 30 +++++ stix/core-objects/sro/.DS_Store | Bin 8196 -> 0 bytes stix/meta-objects/.DS_Store | Bin 10244 -> 0 bytes stix/meta-objects/data-marking/.DS_Store | Bin 6148 -> 0 bytes .../extension-definition/.DS_Store | Bin 6148 -> 0 bytes .../extension-definition.owl | 70 +---------- stix/meta-objects/language-content/.DS_Store | Bin 6148 -> 0 bytes tac/.DS_Store | Bin 8196 -> 0 bytes tac/candidate-concepts.owl | 7 +- tac/catalog-v001.xml | 104 ++++++++--------- tac/tac-objects/.DS_Store | Bin 6148 -> 0 bytes tac/tac-objects/adversary.owl | 8 +- tac/tac-objects/tac-objects.owl | 8 +- tac/tac-properties/.DS_Store | Bin 6148 -> 0 bytes tac/tac-properties/tac-properties.owl | 6 +- tac/tac.owl | 8 +- threat-agent-lib/catalog-v001.xml | 109 ++++++++---------- threat-agent-lib/tal-kb-example.properties | 5 - 35 files changed, 210 insertions(+), 302 deletions(-) delete mode 100644 
stix/.DS_Store delete mode 100644 stix/core-objects/.DS_Store delete mode 100644 stix/core-objects/catalog-v001.xml delete mode 100644 stix/core-objects/sco/.DS_Store delete mode 100644 stix/core-objects/sco/directory/.DS_Store delete mode 100644 stix/core-objects/sco/email-message/.DS_Store delete mode 100644 stix/core-objects/sco/ipv4-address/.DS_Store delete mode 100644 stix/core-objects/sco/ipv6-address/.DS_Store delete mode 100644 stix/core-objects/sco/url/.DS_Store delete mode 100644 stix/core-objects/sco/windows-registry-key/.DS_Store delete mode 100644 stix/core-objects/sdo/.DS_Store delete mode 100644 stix/core-objects/sro/.DS_Store delete mode 100644 stix/meta-objects/.DS_Store delete mode 100644 stix/meta-objects/data-marking/.DS_Store delete mode 100644 stix/meta-objects/extension-definition/.DS_Store delete mode 100644 stix/meta-objects/language-content/.DS_Store delete mode 100644 tac/.DS_Store delete mode 100644 tac/tac-objects/.DS_Store delete mode 100644 tac/tac-properties/.DS_Store delete mode 100644 threat-agent-lib/tal-kb-example.properties diff --git a/stix/.DS_Store b/stix/.DS_Store deleted file mode 100644 index e1148d868405a72b9d2a3b7ac71d7c5d90c1bac5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKO^?$s5FK|5o3dT02UdauQY5aWwEKZTTtZn6TnT~$pprDv63E7@B;6oYm2!ta z#1Dc0!U^8kuGDUJB~DNwPc?pyJugn*#CA+XVmymRL_H#M;Ee4XC@wMXXKz@`v~Z_T z_ed$Gdn75OkBw;CU=^?mY?=Z*cXu&gXOvMytMfOeDV5JtISo@8B8r!YC-A{9WvFr6 zlmaT@DQ5i%=KeVi@f*>AKGP|s>-^UD3;ZtllJb>RLybzsI#1mBQ(jmVXXbgog=c9} zl*8c<(b{TXyT0u>&W`iW{~#;B49ZzC4)QmA^-{_-T-Jl|RT5W|-p!{nD}yA9b45s^ z7$I+8Cs`z`v7BX5p}4;8a5|mNq<4Eh-#;2X?7K$?hl{>Df3!dByN3r47K@IvclZ9| z7n4uvX(qq0a#%63WGdS=xP-5$Tq(@CpJ%DeP7uTVE<}!10+!3}gNR>F0E~<0_FvDb~g0^?Q>ZLtOEZ`0bUa6zT{7Y@=Bj>inU=9M_;{u-1qkn9x+9rV4Y!5Sos5*Ti`SYmJ&t!W=$? z8CjSUicq8D{;moq;c2v`Rlq8+uE3VQ?D78p?CSIXI>}yH1*`)9l>(xD>>rQum(1SU y_;bA1y72dKHjb+`Dhdj-9jgj&#kb(f(C2am=ozdvq6KC@1e6T6unPQD1%3lBd#4ou 
diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml index 5048fc2..93fe0d3 100644 --- a/stix/catalog-v001.xml +++ b/stix/catalog-v001.xml @@ -3,53 +3,53 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/core-objects/.DS_Store b/stix/core-objects/.DS_Store deleted file mode 100644 index a9dd2b1dcf12da7c7e04b57dab396e69f44c8f76..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8196 zcmeHM%T5$Q6ukwgJ@RTEgBUgGI2#iXd5=aD+W})x6ObVY0UUd#o3TSvHFh_QNJwU_ zAK(Z00c>5F_yaE8y6^|wxNwEH9>ZgRjWIxC6{$M6tM2LBeX6>9ZUF!!v*r!}bOV5a zm802+%@Ku<^LnV%sh%c8f_wl56mCKZLbPA>9hC)Pi#O*;KYuTQhk1Mq zK4JuYI97&WB4CAl!1Bn#2aUW(?AsAVoVo>EaFFBRE7G<1pfgjB<7UZk8lb`jy za?b1=V>EVr>V<;fyB@kMKKH51${Dss-AHh=a==I=5;?Pbb8}>1xYrsQ9o*`*Ht*a{ z_gbTa>8-7VkxbpXJDpnzRw;WY6ak`MSkNqwcU!KVy65$5NCQTT*u%YfuX{*|Z5-LJ zwemV`CDJ3P#PDcZC^6WN_R#2GDuMUx7uMChlF!w7{cf7onN3`5Y-(<4HQU-d+B(~k z$*xP?$;<6muI9{+yi-^yhJ41xSir(eu;%5=)(Gc)qQK}>=&j>?&&A%GIP1T~q4pZW zwCBFq>zdgpp-<;thdAk@(DUd*G4$QZ<>knW=l0q2JX#@SK`_N4KlT}&Ulh?}Z*_t$ zGmOZuV6w!AqFFDD5D#(Y=AAHfXwl1TECo*93npoX#W7o*^YJeDm5Y$sl2h<$F?IhZ zE($D(lzl^5CZwbRkh1Sd(=f>lWz<8jDcO^yp>b|DVr+~Oc;)SgU>nP{Myxx zUZ=gf|KW3vcT=OpLCN%yR^Vh6sF&fodH(I4A*&zr z+UPvjwy?g$$_w|aNE8%oL^_Tr(s9Jye;A@|p)2Ru3M&$^2g`|X1f16IeEt0w^R1h+ Gp}-%*ew{x6 diff --git a/stix/core-objects/catalog-v001.xml b/stix/core-objects/catalog-v001.xml deleted file mode 100644 index 2d64f7e..0000000 --- a/stix/core-objects/catalog-v001.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index cb48886..0ef875e 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl @@ -83,7 +83,7 @@ - + 
diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index fd66ac7..f4d5937 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl @@ -20,25 +20,25 @@ - + external_reference Used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material. - + Hash Represents a cryptographic hashes, as a special set of key/value pairs. - + KeyValue A key-value pair (KVP) is a set of two linked data items: a key, which is a unique identifier for some item of data, and the value, which is either the data that is identified or a pointer to the location of that data. The key MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. - + KillChainPhase Represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. 
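Review bot: The `Hash` comment reads `Represents a cryptographic hashes, as a special set of key/value pairs`, which is ungrammatical and never says what the keys are; `Represents a set of cryptographic hashes as key/value pairs, where each key names the hash algorithm and the value is the hash string.` would match how the KeyValue description below constrains keys. The KeyValue text says keys `MUST be in ASCII, and are limited to the characters a-z … hyphen (-), and underscore (_)`, which algorithm names such as `SHA-256` satisfy; adding that consumers should treat an unrecognised algorithm key as unverifiable rather than silently skipping it would help implementers that compare hashes for matching. The bare `- +` pairs in this hunk suggest only element attributes changed on these four types, so the comment text itself may be pre-existing.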
diff --git a/stix/core-objects/sco/.DS_Store b/stix/core-objects/sco/.DS_Store deleted file mode 100644 index 1ceec4db4fcf1c5e768faac989df426a31b94b2a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16388 zcmeI3O=u)V6vtoZvxj8exWv_qI--|_M3Z$lA9$IKSw!&Uh##oL`P%G|ndvw)$s~qo zuDhP}?(WTtEV3sRy)1|bo)i>sA}9#r(G@|^e^u8^S69FOh{6&(U7@Br-S2hJd%xFR z{i}ZnewCUs5rW$pqQ|@&(%MGUtnUBhwje4g$H}{=2G(0joHg4PYg#Bvq zvePSeOWm!`N~!&_`0qK#X_WihrSkLjT5oM?`bnqNE!A7Kwp6HBYY=(mg?g*%^j4g$ zR<$E_i|zqCm&>h9-MhE9FuypHUs&9q$?q*MiOsW%`};Zjo`)ZM;@P#0MziHy!B<1E zL@0`K!fghhSFtsUIt~Nd%_ zva6)hfl3*}08&SEET>-ljNWju432s*f=3wyO3!foBplztP(xdeAXG4t;9yUSx(135 z4HThz>3|bz9)l}XRtNakHy1_~zzBH{X%cw`a_G4Y?9+Hm)`7VS+&u)qtaxP7I`(z& z2yN3Y_H1C!u0ISc3_tnq$i(MKM_42_mkE=^x_a20{_$!~h0P)Ky)gPW`b=0QzP1r& zQ?x_pX^xf=PTTS+(?y6~Lam^e?wY-{^|ldSvHIx0=DZf16TGRx;aSk#aM~v)28Ef z{!wyFXCJtx(Ya57-xjXrAnkB4Yc2B5S=3#ba@45lPc;Y`r;lf>zQ*@|yapiFOa^zX zj*fr$%$ZLV{seknI2=Zg36I!o8R3#cZd#XFDQTqvAbN!Zr8!GJqj+bU2hn&{{eF90oi@5>J?h-q-B+0mY|1@AnXr=>rgn9 ze)YyzY!Db4UJxYHhz$bY`HdhLk;8nA0CF)Arz0Q8r33K590up$m=5pt>!-d}@U-I| zD(*M~W}s_e=&zVP7yUREQ*FNa(NMi~Uk-113cv3&`ro#-}g-WFTYYJ!DDbBaj8oZ6FI-$!)wg z9kcb{?BaF?c!=|K+)v%!`9z!b^;ttu#Q1EQgZ+&q3Hw8IX%LAWWiwTC9>lguIEI;!HgiK`gfH0)f5del!3~)n2 z2mJGm+V2W*K*|H!m+Frk;658eMOm7_$Hnm9|4E_jBlAG!fpmJn8d)u_uD~`c#6Gds zK9BkuswhJ4z-oQi!GEp{sVv`{Oi=1{*vhqVl?#bA$d=( hPf;e<%KHER{_|v`-)4Xt5<1|1&yJfaAQj&K{{w3GSJ40f diff --git a/stix/core-objects/sco/directory/.DS_Store b/stix/core-objects/sco/directory/.DS_Store deleted file mode 100644 index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0L5<0hG4q);d#X0 z;feV*dc2~$>H7P9*Y8R|8@fH-H`jccDJh}9CrmN*15Ln}cg2DRjfQG(8V&AOI21O^?&Pv(8{ z)_~J)hwKcD|#39h>%sZW^4*}CfCI$XNflt-{9oPT> 
diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl index 75803eb..393890a 100644 --- a/stix/core-objects/sco/email-message/email-message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl @@ -33,6 +33,7 @@ + MimePart Specifies one component of a multi-part body.\n\nThere is no property to capture the value of the “Content-Transfer-Encoding” header field, since the body MUST be decoded before being represented in the body property. diff --git a/stix/core-objects/sco/ipv4-address/.DS_Store b/stix/core-objects/sco/ipv4-address/.DS_Store deleted file mode 100644 index 3c2d2c46a1c2b2307e0720faa35b62f93953df93..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~F;2rk5Jmq$ibymrDfa?ILgD~c6bfoC03j4emW+r3tvimBBZfaS3&L{JQlLN9 z?DLLicI97qyZ~&u+gt+;fH~cXPame{&)p|>RwG8zxyBV9vElWG=SlYQfY&y7!7JWz zGpgTWiv@aopu6k(r*+q_BNy0{i$mD)MHQ6-Qa}nw0VyB_PAcHNmo~phYLo&}KnnaQ z;NOQrcea&7GCmy~;s`*_7!KoooF&NO0kW+el8n$SOUW#?dc?3SXS~$BwsJ^jIV^VO zI(28OClrg_8849zYm*wKfD{-jaGuk~`~NNd#QA?*q?r_u0{=<@o2~9wOTJR=t&^AY wUR&r7^lxKsq;rT?Ohzl_#9Q&@ue{>-eBM?L$tY($%1QkQxGpj&@D~bv0dpfAF8}}l diff --git a/stix/core-objects/sco/ipv6-address/.DS_Store b/stix/core-objects/sco/ipv6-address/.DS_Store deleted file mode 100644 index cd4eb623d774f54ff89d82cc6ab5f664fc8e8c7f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~u};H442FM0he|9N8Se$C#KIg^Wnkt7pp*eAQV>;P&Bo*O5zBA;KtyR*2J}1f zeL2UzQ~n{&0kGw6a}6{A=5!}MeVCd*cc0if)?L4jTwqTw4q?X^Ra6Q{0VyB_q<|DSset!h+WaD^Q3^-_De$9! ze;*3n*;Wq8_;hfHBLF#LIE?pkmLQ7<$hLAwGD5Q~C9~A(5yP^a@lx~J$|0HMu-KXF z)Sa!KP%L(5yhJ*zO=^?^QedpWc}^Se|F`rL=l^k$W>P>3{3``)wz^*}`AW67PF~J? vZJ|HVzm2((&LLVc8LgNTZ^f6t@`~T{d0ROoqnz<5C-o!Xy2zx!UnuYeq5T~( 
diff --git a/stix/core-objects/sco/url/.DS_Store b/stix/core-objects/sco/url/.DS_Store deleted file mode 100644 index e9396a8c3a94410e9de8fa6739d34d7b256d650f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHK%Sr=55UkdK0WUdvoG%FY2SZ2>p8Wxd9v2pb;B`;_j=$iand%2(*yJQ$q#C+w zrl)HsTZip50NWg1?tvA6CEXG49_Hrf?lZfpj1lR4#)vlz55xGpA7<6(6VAQC0k0Ua z{>dNrJn^6PL0^A`aV3)iQa}nw0VyB_ey4!AHDXxOnQv9s3#Y`S!{TN>r*5{IP%Lg|zC}5# zCn`z-DR8R5b#7PQ|9A8Y^ZzMHJ1HOq{*?l@*gkGIe5LBGvzPN;+vrbpulc0AaUB$f mXvf58$J}^3zKf!)Yrf`rFPsvC&V0~``ZM6V$fUquD{ut5CLA09 diff --git a/stix/core-objects/sco/windows-registry-key/.DS_Store b/stix/core-objects/sco/windows-registry-key/.DS_Store deleted file mode 100644 index 25b65f986a17397c509da515a316fe945b78a90c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKF-`+P3>-s>NHi%^?gxm(4^B~1q~-%C1R=zUlSmLscOB2+i7>Vo#OZ*N0*xi_ z?D{<3+!W^+fGwYP7r+d_l$;g3VbTy--kkXY%2DN@#)|aBLH#2a2WS7OAw0(h)u;lkrA3Dm6%kkBZeiN@lx}e zihW|zVR19-)SInNC>FOfULqaVBx;ocQeddSX&z_Z|JU>%=Kmo{Cn+EW{*?kYSzWG{ ze5Kl3M=$5Sw$QKWAI98B=Mt@$7_FEGZ^iR3dByj9-c;-pgU)!+iTWepy2zx!UnuYn DC_W(g diff --git a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl index 6d92217..d03ec3b 100644 --- a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl +++ b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl @@ -29,7 +29,7 @@ - + RegistryValue The Windows Registry Value type captures the properties of a Windows Registry Key Value.\n\nAs all properties of this type are optional, at least one of the properties defined below MUST be included when using this type. diff --git a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl index 657ed6d..549fe38 100644 --- a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl 
+++ b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl
@@ -28,6 +28,7 @@ + X509v3Extensions The X.509 v3 Extensions type captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names. An object using the X.509 v3 Extensions type MUST contain at least one property from this type.\n\nNote that the use of the term "extensions" in this context refers to the X.509 v3 Extensions type and is not a STIX Cyber Observables extension. Therefore, it is a type that describes X.509 extensions. 
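Review bot: The file header for this hunk (and the `---` line preceding it) places x509-certificate.owl under `sco/x509-vertificate/`, a misspelling of `x509-certificate` that every importer and catalog entry will have to reproduce as long as it stays. Renaming the directory while the module is still being filled in is cheaper than after other ontologies reference it; any catalog-v001.xml and `owl:imports` entries pointing at it would need the same update, which I cannot see from this hunk. The added `X509v3Extensions` comment itself reads fine.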
diff --git a/stix/core-objects/sdo/.DS_Store b/stix/core-objects/sdo/.DS_Store deleted file mode 100644 index 79c5fa9f69c3452172b2e3a290bdce00f1aef281..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18436 zcmeHPUu+ab7@sMn+ySKrrBE@#VMPd1XaQRc51dC$t^e9^fDpj4*W0^pxZAz#?X}jX zNli3HF~0afe9;Hrj3mCP81+GYGA0@mpOhC9pG|zwC-s}zx!u{>*}3ZrxgNX8cJ^j| z-|Wr&zTez@vpYoy;cUGyickh2lz@|@sjUcgB@s$PIs#|oAm!u?9UCAA!}$)J-C&Q9 zgKShsHDn+wgpM=Xtp~c`3y~AJL%qP68Q{-E!@#7DoXK-DBlVhNQ{)RsLlwwHXd|_< zP@bY}v;esUuqgn-L7FkQP|cUEJh;f~`D)pyIU^%?ao2|KjXj$Z$<14~_HOG-ZSULB z*WbT$VAt-!U9+kFyf$~EWLtH!aMmhYcD7vCuas<~kgIBQhFQAg=r21t;}v~2wL^fO z(+e;8S?8CkfZ6G1(CQ{_T{mfc)5T&f8A1TMiEg0}(I@CT^fUSm{ek|$7;nb? zcmVIk`|y7JFg}P!T+=QhNOJ6Plg3{>Dzvas5T|hu#656d_5d3y5?k)e*2j&Gdm!!s zRS%HyAq^)B5m8*ZG@6^U zDpk%3h5*PMQ9h-mu+b7laSFFMsEvoZt`9=#l+bmmV3BCmxI5t5`t2ELj zD->o#WGkSi%GMlf6&YNzP}RQw=mDQXb>#ld`= z1@mEwBuW+hm{%vhcHuZvX9(phG8!dOp-_*YydGE?)Ioa|q){tM0gRx!FF|#OIn@QQ zouRovlVZiSpW*@pN%R&d=hgOA@!bjwb(gG zL3I(ob&>d>{_tah{vz!Bd$6s!(%cX z23QS3CIdbhK+aN-n66C%F$&Ahpi0p|33&=MPv_wGE8~n#rG-y$YZem974-{F5Db;p z|EE*Xgl+VREj+V@xxx*YGgR4U;^t=1wb3--pW)`=O54tGZeI zjJrBo65Io3ngRC+;XA_}Ld}xUAHwi-Up=~Kx2JZYOZla46;48D=$;|^40!EIr!R0t z%trqjsJ^axNPXm8Jr3VF z^aYv~L0jH6J2Z*2>e|jP-4*;6iON< zAyI}8}kvGM6|)kfk7%6srGvBZA>8F$+8C^Sg%?ziCaB<$lo zUSY}k`+5!l6)lV(1+?Fz00mu=(Mf^k$ENH<#YfoKq_pryrq(PZP&5X6&ep+ry znnc@8ZFsH!HT=V2ru7!={NLua*h$8MruP!YhHe-MEC?X=h%vw`7qm_mefZyH57!x* z_L>uGxBay1kt5NlSH^4cwKonOWm@FQea*?rCED_A1q~@)Ige14!a~p)S)1c^rm*Cc zx1K{=N!$Z*4|HM=;O>ds1Z-=eTV!MnBzx`Ba9)R#9AxLn zs+%@8k&ryP6%VjvE8f#^lDrv~UMDFzAaB)8UDJEM5zv7Ze%SjH&pX<0-VutkCG(FE ThM$M1;`%uLcmD|s+l=-OO diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index 68c687f..de3672b 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl 
@@ -106,10 +106,40 @@ Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.\n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets.\n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. + + + + + + goals Specifies the high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/stix/core-objects/sro/.DS_Store b/stix/core-objects/sro/.DS_Store deleted file mode 100644 index 03edca2302ee3ae312245bea703aa3bf6704fde7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8196 zcmeHM%}*0S6n_I%w|v;jcRXmdF?t|cJb;FSrCT97s~3E;R$1fgl4Sc5ed*DA-{B z62Dte8lRp@lwHq3nGjsZ{vygXke{%5E^G5F$_O_c!F>LQOjv86mtA*DzTTT`$+lcC zk@!fOnnQ;UA2AH0)mTce@b$E3dSy3dIt$`yhI2bxt()0di>_y)U89_Nrp2fu6|6i( zk;R)9%k%XVFSEQWbm-SG><)0tJf z$oNA!0U-YF1MTX0yL{AWdRA`DpB{Noo!;l_^ujHzZS6-R(PNR0NM~nPcTaC$PbS)# zHFK*4M+|wC+uTXnWx7ystbDp;<}6m2^XMHfZQZ4rXvZGWX_~*a(=@YDLYc0e25D~G zp_EB`lgrC4_2zcf=NDb1cfzB^3AW79{u)v{S@JB-+*#_lh)cGarS>FCanIw$dDC%B zR-mbkIV;DR8dXFZ!N)0w3Ip*g-xOK#Uc-C%0H5Fsd?$pokWSJ~PLPx26gf@Kl7v!is{UBVtL7CFy!WcV z=Iz2jI>(EpT{?CBqsYg`{B>*Gc=`6;#`AY#%{P$G|B-xY<@d+3mUfuUSpnZK=562| zoCO8EhZA>l3<`C8IUu*khhL$s-98+UKN!9nn3ne0{pYiRAE}0~24r^o=-2yCpZPvo zLvF`68_Cu1$$+grzKAZgFH^G`RiB9euhzf+-+^pE MmuFyM9F+6_C;MxD^Z)<= 
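Review bot: The `goals` property added to threat-actor.owl in this hunk is described as `the high-level goals of this Intrusion Set`, which is the Intrusion Set wording carried over verbatim; on this class the comment should open `Specifies the high-level goals of this Threat Actor, namely, what are they trying to do.` with the rest of the example unchanged. Because the markup was stripped in rendering I cannot see whether the property IRI or its domain was also copied from the intrusion-set module, so that is worth checking at the same time. The hunk opens in the middle of the ThreatActor class comment, so the class definition itself starts outside it.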
diff --git a/stix/meta-objects/.DS_Store b/stix/meta-objects/.DS_Store deleted file mode 100644 index b8dbec363233a0765da930d0e35dc0d4a4f4db6b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10244 zcmeHMO>Y!87=9g6I!gkXk^~SH?UYs39uk^RzA6rEmsC-N)I`|`f`BfwJI*r7jJ=xi zCZSQJy>NkBFTM59{s1`k2hd|rmD*D|azpB=s<_bC_AHrhcC(WRRV!pm_G^3m_~V)J zv-Z0HK#C1-8o&Vn3!}95FeV*>d@kdTFp$)|kCq@FU=l)bA%a!#ceFMYh5^HXVZbn8 z7%&X<0|WS*ErT_rtw{|7h5^ICYX+n~I2ffZB(|xok`7GN6#(rZR;z${yayH1`luT0%Q9A&Y(8CxG>d-MTBhz;cI*z0^P0sT)?Z9fLE{$ZbNbk?U`39U~ZRj zD(i7Q!TnsR2YxK3rhX>_2L|6c_^xGHL)M+rJ-%KNu4u$XH@YQDOPmLlR^F{#_vw1s z9=pn!aD7H21@JwJO>W=tna9_QyurL!VN3dfmCNPI_KD5S^V8=hoX;wM=Nf1wHC=aU*!Rhia~?ksztt6s=HO6)s_X_5GDUxTDFh2 zHC?3MH``T9_v_eZY`a2rHycsPRDbg;D=`(zsr=2`G4eYnXgJ4KIQGAW+|Jj9&slt( zMlsqufm@-$JS%b`czDx|BA3-@@&2-3l-SWaSIjTA5FE#)iDk z;91lrxh3X?G+$WIbvgWD_!ut3EG*#1C*To$4?n>Z_yvB0KjAt2LkKxUM#(t&fP6?k zBB#kGWJ*H^S}*Hlt9xw;I=;Gp^g(U9ROMkkh3UFMLOwH-e7KhPWaFjx!_zN!>pSG$ zp4!*%WuMDhDPjRH%*QbBHNJL`~_-zr{559w_WFEUsWNZlVRDdT1 zXrQg3xJ*J-NsUm#Bf5x7Ph6X*JZ=+}p7^&!OnR=H|+$>e3dds_x?M&XMTAdj_{eW>7)F9?(bir4hc36}3Lf_^; z;~wW2@P_`XAMRHDu<}~qllcCXw*OdVrGONW0#ZN zE;*qTzn%H&V>i%HBG8IqS8R tenbB;)_OUEw_>8VVlJ!|pKjGvd**&i90Q%sywi#L5inh3Qs6HX_y#%BANT+O diff --git a/stix/meta-objects/extension-definition/.DS_Store b/stix/meta-objects/extension-definition/.DS_Store deleted file mode 100644 index 742dbae1ead809fddef150de3eb05bff1295a12a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~J#GR)42A7Lfs_=Klydz^`?hS_C3vUr~nn90#x9rfX!am=sw6u z1*iZOI4WSj4+U)V*yjHe{L20RyooC+Kn4Dl0y ]> - - + 2.1.0 - - - - - - - - - - - - Extension 
@@ -63,22 +51,6 @@ Extension Definition - - - - - - - - - - - - - - - - extension_properties This property contains the list of new property names that are added to an object by an extension.\n\nThis property MUST only be used when the extension_types property includes a value of toplevel-property-extension. In other words, when new properties are being added at the top-level of an existing object @@ -130,43 +102,5 @@ - - - - - - - - - - - - - - - - - - - - - - - schema - Specifies a URL that points to a JSON schema or a location that contains information about the schema. - - - - - - - - - - version - Specifies the version of the entity. - - - \ No newline at end of file diff --git a/stix/meta-objects/language-content/.DS_Store b/stix/meta-objects/language-content/.DS_Store deleted file mode 100644 index 956a5d7925c77eea467ff67ac0b38a55e9c264cb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKyH3ME5S)b+k!Vs-P~H!K#2;8uC}?Q-0Z2eJ78Vi_tvfy&W*?vghn51(O1tCR z+qsjc@OlB*a{F)zEC9^uj(GPlHQ#ri*imJSNaq<_+~Wz4ILBsEeK_IVQ}pCLlexhT((jNrs#SQ6!0}_f69103?9HpkV*GilQDT?GH z5k0yDcyNb^T~K@?`B-EX}+pLh2g%bRfkK-30)6<`YhEG&e@0#*x* z#;MHNn(5g@6vzh%K|&Yqz$sMbyt#uFU*1rj`X4INxT3VmZz2W_p{ydo&}v@vv~cXjMG*ScY2Bt z_#Je4@jQrqIjqS+?DrMd)dN;OpKlg#jz-&i)%zuTZ)bO0vPTcLD*Jhv1sNp49KLwPbr?x9YZKluUe=dPcHdH$qt9hsN6{A3q-~zi%Y{ z3wS5T=Uv6A+lxaPcX4Lg?dBwC3G^^<35KnQeF5S>6S|d~ToAyO{?lRnb|k)XBXv=~I)xGW{3k)!Sb - + + ]> - diff --git a/tac/catalog-v001.xml b/tac/catalog-v001.xml index c521083..11b46e1 100644 --- a/tac/catalog-v001.xml +++ b/tac/catalog-v001.xml @@ -1,59 +1,55 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - + + + + 
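Review bot: The hunk `@@ -130,43 +102,5 @@` on this line deletes the `schema` and `version` properties from extension-definition.owl, yet STIX 2.1 lists both as required properties of the extension-definition object (`schema` being the URL of the extension's JSON schema, `version` its version). If they were moved into a shared module that this file imports, a one-line comment at the deletion site naming that module would save the next reader the search; if not, the class has lost two mandatory properties. The markers were lost in rendering, so I am reading the deleted text from the hunk counts and the surviving descriptions.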
diff --git a/tac/tac-objects/.DS_Store b/tac/tac-objects/.DS_Store deleted file mode 100644 index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0 + - + ]> diff --git a/tac/tac-objects/tac-objects.owl b/tac/tac-objects/tac-objects.owl index 7d2fcc3..4977e48 100644 --- a/tac/tac-objects/tac-objects.owl +++ b/tac/tac-objects/tac-objects.owl @@ -1,23 +1,19 @@ - - + ]> diff --git a/tac/tac-properties/.DS_Store b/tac/tac-properties/.DS_Store deleted file mode 100644 index 7def18bc721ce68a6ae538e7c35dae986ac99414..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHKJxc>Y5PhpD0ye?Qa{qt<|G^rP!rDKei59}aiAHR%^Jm95ABx8zq_U9rVCL=4 z&Fto0agza1R&NhizyiRWW{eMWQ`mE}2~ILn$TXhuj2HCukL2TEwddI59y?r)>i2l! zIj>mq#CLQzUBBCQ{g(OmW3Oq;gM%wU3P=GdAO)m=6gXA^>%GMMELdI&NC7GEt$=+W zD$Teh55fNFpz{%cJY(3wwa*gdY5{Uf9)cMmN|chLwB(3UqMY%Xc`bPej&c;gndjuq zB`1{Pw=-Tn9i;`!O93e`R^T+Y3+w+I+As6}xJWxGAO-%F0%f+oU9b2`*;^+sXT7%4 t?r2|NuBX#^D<*p@=Ehp_#gDvdYd&wuL$H@K?&W0t5inf@DexBxd;&)N9!dZJ diff --git a/tac/tac-properties/tac-properties.owl b/tac/tac-properties/tac-properties.owl index 3dc33bf..084f495 100644 --- a/tac/tac-properties/tac-properties.owl +++ b/tac/tac-properties/tac-properties.owl @@ -6,7 +6,8 @@ - + + ]> diff --git a/tac/tac.owl b/tac/tac.owl index 05e1bd5..d5a616b 100644 --- a/tac/tac.owl +++ b/tac/tac.owl @@ -23,9 +23,15 @@ Concepts that have been developed and approved at a committee level by the OASIS Threat Actor Context Technical Committee are called TAC TC concepts. TAC TC concepts are incorporated as import statements into the main tac.owl file and thus are part of the core ontology. - + + + + + + + \ No newline at end of file 
diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 43ea2cd..1c58063 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -1,63 +1,56 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + diff --git a/threat-agent-lib/tal-kb-example.properties b/threat-agent-lib/tal-kb-example.properties deleted file mode 100644 index 910af43..0000000 --- a/threat-agent-lib/tal-kb-example.properties +++ /dev/null @@ -1,5 +0,0 @@ -#Wed Dec 28 19:20:11 CET 2022 -jdbc.url= -jdbc.driver= -jdbc.user= -jdbc.password= From 34f26d807786cc649ce572b6d659a8b1860fa194 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Sat, 31 Dec 2022 13:23:14 -0800 Subject: [PATCH 13/70] committing tal catalog-v001.xml file --- threat-agent-lib/catalog-v001.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 1c58063..b9947b7 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -50,7 +50,7 @@ - - + + From bcb09849dcd342adcf234fd5aab18acd7edcf3a8 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Sat, 31 Dec 2022 13:32:07 -0800 Subject: [PATCH 14/70] added threat-agent-lib/catalog-v001.xml file --- threat-agent-lib/catalog-v001.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index b9947b7..81139fd 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -50,7 +50,7 @@ - - + + From 543522275000e0f4532b4bac60e18d0b201e650a Mon Sep 17 00:00:00 2001 
From: Mateusz Zych Date: Thu, 5 Jan 2023 15:36:57 +0100 Subject: [PATCH 15/70] Work in progress. added several class definitions and missing specific properties. --- stix/core-objects/common-properties.owl | 13 -- stix/core-objects/sco/artifact/artifact.owl | 73 ++++++- .../autonomus-system/autonomous-system.owl | 25 ++- stix/core-objects/sco/directory/directory.owl | 54 +++++ .../sco/domain-name/domain-name.owl | 19 +- .../sco/email-address/email-address.owl | 25 ++- .../sco/email-message/email-message.owl | 151 +++++++++++++- .../sco/ipv4-address/ipv4-address.owl | 46 ++++- .../sco/ipv6-address/ipv6-address.owl | 46 ++++- .../sco/mac-address/mac-address.owl | 13 +- stix/core-objects/sco/mutex/mutex.owl | 12 ++ stix/core-objects/sco/software/software.owl | 55 ++++- stix/core-objects/sco/url/url.owl | 12 ++ .../sco/user-account/user-account.owl | 156 ++++++++++++++- .../sco/x509-vertificate/x509-certificate.owl | 189 +++++++++++++++++- 15 files changed, 830 insertions(+), 59 deletions(-) diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index 0ef875e..012812c 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl @@ -15,7 +15,6 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - 2.1.0 
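Review bot: The hunk `@@ -15,7 +15,6 @@` removes the `2.1.0` literal from the common-properties.owl header, and the same removal recurs in the artifact, autonomous-system, domain-name, email-address, ipv4-address, ipv6-address, mac-address and user-account hunks later in this patch. With the markup stripped I cannot see the enclosing element, but if it was `owl:versionInfo` consumers lose the only statement of which STIX revision each module tracks. If the version is meant to be declared once in a parent module, a short header comment in each file saying so would make the omission intentional rather than accidental.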
@@ -162,18 +161,6 @@ - - contains_refs - Specifies a list of references to other STIX CyberObservable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension. - - - - - contains_refs_id - Specifies a list of identifiers of other STIX Cyber Observable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension - - - created Idicates the date and time at which the object was originally created.\n\nThe object creator can use the time it deems most appropriate as the time the object was created. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise. diff --git a/stix/core-objects/sco/artifact/artifact.owl b/stix/core-objects/sco/artifact/artifact.owl index 25deed3..009df9e 100644 --- a/stix/core-objects/sco/artifact/artifact.owl +++ b/stix/core-objects/sco/artifact/artifact.owl 
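Review bot: The `created` comment in this hunk reads `Idicates the date and time at which the object was originally created.`; it should be `Indicates the date and time at which the object was originally created.`. It appears to be unchanged context next to the deleted `contains_refs` block, but the typo sits in a description every object that reuses the common properties inherits. The rest of the hunk, moving `contains_refs` and `contains_refs_id` out of the common module, is consistent with the directory.owl hunk further down in this patch.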
@@ -17,22 +17,75 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Artifact The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.\n\nOne of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. - - decryption_key - Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive.\n\nThis property MUST NOT be present when the encryption_algorithm property is absent. + + mime_type + Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. + + payload_bin + Specifies the binary data contained in the artifact as a base64-encoded string.\n\nThis property MUST NOT be present if url is provided. + + + + + url + The value of this property MUST be a valid URL that resolves to the unencoded content. This property MUST NOT be present if payload_bin is provided. + + + + + hashes + Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. + + + encryption algorithm Specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in, if the artifact is encrypted.\n\nIf both mime_type and encryption_algorithm are included, this signifies that the artifact represents an encrypted archive. 
@@ -57,11 +110,11 @@ - - - payload_bin - Specifies the binary data contained in the artifact as a base64-encoded string.\n\nThis property MUST NOT be present if url is provided. - - + + decryption_key + Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive.\n\nThis property MUST NOT be present when the encryption_algorithm property is absent. + + + \ No newline at end of file diff --git a/stix/core-objects/sco/autonomus-system/autonomous-system.owl b/stix/core-objects/sco/autonomus-system/autonomous-system.owl index f22d4b0..eaa98dd 100644 --- a/stix/core-objects/sco/autonomus-system/autonomous-system.owl +++ b/stix/core-objects/sco/autonomus-system/autonomous-system.owl @@ -17,12 +17,29 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + AutonomousSystem This object represents the properties of an Autonomous System (AS). @@ -33,6 +50,12 @@ + + name + Specifies the name of the AS. + + + rir Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS. diff --git a/stix/core-objects/sco/directory/directory.owl b/stix/core-objects/sco/directory/directory.owl index cd16eef..736ae78 100644 --- a/stix/core-objects/sco/directory/directory.owl +++ b/stix/core-objects/sco/directory/directory.owl @@ -24,6 +24,48 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Directory The Directory object represents the properties common to a file system directory. 
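Review bot: In the artifact.owl hunk that starts on the previous line, the label preceding the encryption-algorithm comment appears as `encryption algorithm` with a space, while the siblings added in the same hunk (`mime_type`, `payload_bin`, `url`, `hashes`) and the STIX 2.1 property name use underscores. If that text is the `rdfs:label` it should read `encryption_algorithm`; if it is the property's local name, the mismatch will also break any mapping that derives JSON keys from the ontology. The markers on that line were lost in rendering, so it may be pre-existing context rather than part of this change, but it is the only property in the block whose name would not round-trip to STIX JSON.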
@@ -58,4 +100,16 @@ + + contains_refs + Specifies a list of references to other STIX CyberObservable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension. + + + + + contains_refs_id + Specifies a list of identifiers of other STIX Cyber Observable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension + + + \ No newline at end of file diff --git a/stix/core-objects/sco/domain-name/domain-name.owl b/stix/core-objects/sco/domain-name/domain-name.owl index d3252c6..65e6b4b 100644 --- a/stix/core-objects/sco/domain-name/domain-name.owl +++ b/stix/core-objects/sco/domain-name/domain-name.owl @@ -17,13 +17,30 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + Domain Name The Domain Name object represents the properties of a network domain name. diff --git a/stix/core-objects/sco/email-address/email-address.owl b/stix/core-objects/sco/email-address/email-address.owl index 4fbb0cd..b15a6b9 100644 --- a/stix/core-objects/sco/email-address/email-address.owl +++ b/stix/core-objects/sco/email-address/email-address.owl @@ -17,13 +17,30 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + Email Address An Email Address object represents a single email address. @@ -46,4 +63,10 @@ + + value + Specifies the value of the subject as a string. + + + \ No newline at end of file diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl index 393890a..0fe855b 100644 --- a/stix/core-objects/sco/email-message/email-message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl 
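Review bot: The `contains_refs` and `contains_refs_id` comments added to directory.owl in this hunk are the File object's wording (`another file that is appended to the end of the file`, `the Archive extension`), not the Directory object's; in STIX 2.1 the directory property refers to File and/or Directory objects contained within the directory. `Specifies a list of references to other File and/or Directory objects contained within the directory. The objects referenced in this list MUST be of type file or directory.` would fit this class, with the `_id` variant phrased in terms of identifiers. The text was lifted from the common-properties.owl deletion earlier in the patch, so a file.owl module receiving the same block should keep the File wording instead.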
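Review bot: The `value` property added to email-address.owl in the hunk `@@ -46,4 +63,10 @@` is described as `Specifies the value of the subject as a string.`, which does not describe an email address. STIX 2.1 defines this property as the value of the email address and explicitly excludes the display name; `Specifies the value of the email address. This MUST NOT include the display name.` would match. The display-name exclusion matters for consumers that key on this value for matching or deduplication of observables.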
@@ -28,6 +28,151 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + EmailMessage The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs.\n\nHeader field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. @@ -104,7 +249,7 @@ - + date Specifies the date/time that the email message was sent. @@ -146,8 +291,8 @@ - - recevied_lines + + received_lines Specifies one or more "Received" header fields that may be included in the email headers.\n\nList values MUST appear in the same order as present in the email message. diff --git a/stix/core-objects/sco/ipv4-address/ipv4-address.owl b/stix/core-objects/sco/ipv4-address/ipv4-address.owl index 4dcd9d8..993b857 100644 --- a/stix/core-objects/sco/ipv4-address/ipv4-address.owl +++ b/stix/core-objects/sco/ipv4-address/ipv4-address.owl 
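Review bot: The rename from `recevied_lines` to `received_lines` in the third hunk of email-message.owl is the right fix, but if the property IRI changed and not only the label, any individuals already serialised against the old IRI silently lose the property on reload. Declaring the old IRI as a deprecated alias for one release (an `owl:equivalentProperty` to the new one, marked `owl:deprecated true`) keeps existing graphs loadable while the data is migrated. The `date` change in the second hunk lost its content in rendering, so I cannot comment on it.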
@@ -22,39 +22,73 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IPv4Address The IPv4 Address object represents one or more IPv4 addresses expressed using CIDR notation. belongs_to_refs - Specifies a list of references to one or more autonomous systems (AS) that the IPv4/IPv6 address belongs to.\n\nThe objects referenced in this list MUST be of type autonomous-system. + Specifies a list of references to one or more autonomous systems (AS) that the IPv4 address belongs to. The objects referenced in this list MUST be of type autonomous-system. belongs_to_refs_id - Specifies a list of identifiers to one or more SCO Autonomous Systems (AS) objects that the IPv4/IPv6 address belongs to.\n\nThe identifiers of the objects specified in this list MUST be of type autonomous-system + Specifies a list of references to one or more autonomous systems (AS) that the IPv4 address belongs to. The objects referenced in this list MUST be of type autonomous-system. resolved_to_refs - Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4/IPv6 address resolves to. -The objects referenced in this list MUST be of type mac-addr. + Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4 address resolves to. The objects referenced in this list MUST be of type mac-addr. resolved_to_refs_id - Specifies a list of identifiers to one or more Layer 2 Media Access Control (MAC) addresses objects that the IPv4/IPv6 address resolves to.\n\nThe identifiers of the objects specified in this list MUST be of type mac-addr. + Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4 address resolves to. The objects referenced in this list MUST be of type mac-addr. + + + + + value + Specifies the values of one or more IPv4 addresses expressed using CIDR notation. 
If a given IPv4 Address object represents a single IPv4 address, the CIDR /32 suffix MAY be omitted. Example: 10.2.4.5/24
diff --git a/stix/core-objects/sco/ipv6-address/ipv6-address.owl b/stix/core-objects/sco/ipv6-address/ipv6-address.owl
index 005a2d9..943f5c4 100644
--- a/stix/core-objects/sco/ipv6-address/ipv6-address.owl
+++ b/stix/core-objects/sco/ipv6-address/ipv6-address.owl
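Review bot: In the ipv4-address.owl hunk that starts on the previous line, the rewritten comments for `belongs_to_refs_id` and `resolved_to_refs_id` are now word-for-word copies of their `belongs_to_refs` and `resolved_to_refs` siblings, so the `_id` variants no longer say what distinguishes them; the removed text did (`a list of identifiers` versus `a list of references`). Restoring that distinction, e.g. `Specifies a list of identifiers of one or more autonomous systems (AS) that the IPv4 address belongs to. The identifiers in this list MUST be of type autonomous-system.`, keeps the two pairs from being read as accidental duplicates. The ipv6-address.owl hunk on the following lines has the same duplication.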
@@ -22,39 +22,73 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IPv6Address The IPv6 Address object represents one or more IPv6 addresses expressed using CIDR notation. belongs_to_refs - Specifies a list of references to one or more autonomous systems (AS) that the IPv4/IPv6 address belongs to.\n\nThe objects referenced in this list MUST be of type autonomous-system. + Specifies a list of references to one or more autonomous systems (AS) that the IPv6 address belongs to. The objects referenced in this list MUST be of type autonomous-system. belongs_to_refs_id - Specifies a list of identifiers to one or more SCO Autonomous Systems (AS) objects that the IPv4/IPv6 address belongs to.\n\nThe identifiers of the objects specified in this list MUST be of type autonomous-system + Specifies a list of references to one or more autonomous systems (AS) that the IPv6 address belongs to. The objects referenced in this list MUST be of type autonomous-system. resolved_to_refs - Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4/IPv6 address resolves to. -The objects referenced in this list MUST be of type mac-addr. + Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv6 address resolves to. The objects referenced in this list MUST be of type mac-addr. resolved_to_refs_id - Specifies a list of identifiers to one or more Layer 2 Media Access Control (MAC) addresses objects that the IPv4/IPv6 address resolves to.\n\nThe identifiers of the objects specified in this list MUST be of type mac-addr. + Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv6 address resolves to. The objects referenced in this list MUST be of type mac-addr. + + + + + value + Specifies the values of one or more IPv6 addresses expressed using CIDR notation. 
If a given IPv6 Address object represents a single IPv6 address, the CIDR /128 suffix MAY be omitted. diff --git a/stix/core-objects/sco/mac-address/mac-address.owl b/stix/core-objects/sco/mac-address/mac-address.owl index e6bcae1..a7c7f39 100644 --- a/stix/core-objects/sco/mac-address/mac-address.owl +++ b/stix/core-objects/sco/mac-address/mac-address.owl @@ -17,14 +17,25 @@ - 2.1.0 + + + + + + MACAddress The MAC Address object represents a single Media Access Control (MAC) address. + + value + Specifies the value of a single MAC address. The MAC address value MUST be represented as a single colon-delimited, lowercase MAC-48 address, which MUST include leading zeros for each octet. Example: 00:00:ab:cd:ef:01 + + + \ No newline at end of file diff --git a/stix/core-objects/sco/mutex/mutex.owl b/stix/core-objects/sco/mutex/mutex.owl index e2e3d3f..b43472e 100644 --- a/stix/core-objects/sco/mutex/mutex.owl +++ b/stix/core-objects/sco/mutex/mutex.owl @@ -23,8 +23,20 @@ + + + + + + Mutex The Mutex object represents the properties of a mutual exclusion (mutex) object. + + name + Specifies the name of the mutex object. + + + \ No newline at end of file diff --git a/stix/core-objects/sco/software/software.owl b/stix/core-objects/sco/software/software.owl index 8425163..4ccfe4a 100644 --- a/stix/core-objects/sco/software/software.owl +++ b/stix/core-objects/sco/software/software.owl 
@@ -24,24 +24,67 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Software The Software object represents high-level properties associated with software, including software products. cpe - Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary.\n\nWhile the CPE dictionary does not contain entries for all software, whenever it does contain an identifier for a given instance of software, this property SHOULD be present. + Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary [NVD]. While the CPE dictionary does not contain entries for all software, whenever it does contain an identifier for a given instance of software, this property SHOULD be present. + languages - Specifies the languages supported by the software. The value of each list member MUST be an ISO 639-2 language code + Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to [RFC5646]. + + + + + name + Specifies the name of the software. swid - Specifies the Software Identification (SWID) Tags entry for the software, if available. The tag attribute, tagId, a globally unique identifier, SHOULD be used as a proxy identifier of the tagged product. + Specifies the Software Identification (SWID) Tags [SWID] entry for the software, if available. The tag attribute, tagId, a globally unique identifier, SHOULD be used as a proxy identifier of the tagged product. @@ -51,4 +94,10 @@ + + version + Specifies the version of the software. + + + \ No newline at end of file diff --git a/stix/core-objects/sco/url/url.owl b/stix/core-objects/sco/url/url.owl index 6766890..b9b3388 100644 --- a/stix/core-objects/sco/url/url.owl +++ b/stix/core-objects/sco/url/url.owl 
@@ -23,8 +23,20 @@ + + + + + + URL The URL object represents the properties of a uniform resource locator (URL). + + value + Specifies the value of the URL. The value of this property MUST conform to [RFC3986], more specifically section 1.1.3 with reference to the definition for "Uniform Resource Locator". + + + \ No newline at end of file diff --git a/stix/core-objects/sco/user-account/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl index 532cd57..bc12fb5 100644 --- a/stix/core-objects/sco/user-account/user-account.owl +++ b/stix/core-objects/sco/user-account/user-account.owl 
@@ -19,49 +19,187 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + User Account The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. + + + + + + + + + + + + + + + + + + + + + + + + + + + + UNIX Account Extension + The UNIX account extension specifies a default extension for capturing the additional information for an account on a UNIX system. The key for this extension when used in the extensions dictionary MUST be unix-account-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the UNIX Account Extension MUST contain at least one property from this extension. + + + gid + Specifies the primary group ID of the account. + + + + + groups + Specifies a list of names of groups that the account is a member of. + + + + + home_dir + Specifies the home directory of the account. + + + + + shell + Specifies the account's command shell. + + + + account_created - Specifies date and time when the account was created. + Specifies when the account was created. account_expires - Specifies the expiration date and time of the account. + Specifies the expiration date of the account. account_first_login - Specifies the date and time when the account was first accessed. + Specifies when the account was first accessed. account_last_login - Specifies the date and time when the account was last accessed. + Specifies when the account was last accessed. 
account_login - Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login.\n\nFor example, in the case of a Unix account with user_id 0, the account_login might be “root”. + Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login. For example, in the case of a Unix account with user_id 0, the account_login might be "root". account_type - Specifies the type of the account.\n\nThis is an open vocabulary and values SHOULD come from the account-type-ov open vocabulary. + Specifies the type of the account. This is an open vocabulary and values SHOULD come from the account-type-ov open vocabulary. @@ -126,7 +264,7 @@ can_escalate_privs - Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account) + Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account). @@ -144,7 +282,7 @@ display_name - Specifies the display name of the account, to be shown in user interfaces, if applicable.\n\nOn Unix, this is equivalent to the GECOS field. + Specifies the display name of the account, to be shown in user interfaces, if applicable. On Unix, this is equivalent to the GECOS field. diff --git a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl index 549fe38..829a086 100644 --- a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl +++ b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl 
@@ -17,21 +17,200 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + X509Certificate The X.509 Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509 [X.509]. An X.509 Certificate object MUST contain at least one object specific property (other than type) from this object. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + X509v3Extensions The X.509 v3 Extensions type captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names. An object using the X.509 v3 Extensions type MUST contain at least one property from this type.\n\nNote that the use of the term "extensions" in this context refers to the X.509 v3 Extensions type and is not a STIX Cyber Observables extension. Therefore, it is a type that describes X.509 extensions. + + + version + Specifies the version of the encoded certificate. + + authority_key_identifier @@ -71,7 +250,7 @@ is_self_signed - Specifies whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies. + Specifies whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies. 
@@ -107,7 +286,7 @@ policy_mappings - Specifies one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates whether the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. Also equivalent to the object ID (OID) value of 2.5.29.33. + Specifies one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates whether the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. Also equivalent to the object ID (OID) value of 2.5.29.33. @@ -167,13 +346,13 @@ subject_public_key_exponent - Specifies the exponent portion of the subject’s public RSA key, as an integer. + Specifies the exponent portion of the subject's public RSA key, as an integer. subject_public_key_modulus - Specifies the modulus portion of the subject’s public RSA key. + Specifies the modulus portion of the subject's public RSA key. From b2bbafaed110b0cc5f26dad6b9ce38d16dfaaed3 Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Fri, 6 Jan 2023 15:11:01 +0100 Subject: [PATCH 16/70] Work in progress. Added several extension as class definitions with all properties in the respective base object.owl file. --- .../sco/email-message/email-message.owl | 36 +- .../sco/network-traffic/network-traffic.owl | 478 +++++++++++++++++- .../sco/user-account/user-account.owl | 1 - .../windows-registry-key.owl | 71 ++- 4 files changed, 552 insertions(+), 34 deletions(-) diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl index 0fe855b..78267a2 100644 --- a/stix/core-objects/sco/email-message/email-message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl @@ -20,7 +20,6 @@ - 2.1.0 
@@ -154,11 +153,22 @@ + EmailMessage + The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs.\n\nHeader field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. + + + + + + + + + + - - + @@ -167,18 +177,18 @@ + + + + + + - EmailMessage - The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs.\n\nHeader field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. - - - - MimePart Specifies one component of a multi-part body.\n\nThere is no property to capture the value of the “Content-Transfer-Encoding” header field, since the body MUST be decoded before being represented in the body property. 
@@ -202,7 +212,7 @@ body - Specifies a string containing the body. \n\nIn an EmailMessage, this property MUST NOT be used if is_multipart is true.\n\nIn a MIME Part, specifies the contents of the MIME part if the content_type is not provided or starts with text/ (e.g., in the case of plain text or HTML email). For inclusion in this property, the contents MUST be decoded to Unicode. Note that the charset provided in content_type is for informational usage and not for decoding of this property. + Specifies the contents of the MIME part if the content_type is not provided or starts with text/ (e.g., in the case of plain text or HTML email). For inclusion in this property, the contents MUST be decoded to Unicode. Note that the charset provided in content_type is for informational usage and not for decoding of this property. 
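Review bot: The rewritten `body` description drops the EmailMessage rule that this property MUST NOT be used when is_multipart is true; only the MIME-part wording survives on the new side. If `body` is still declared with both EmailMessage and MimePart in its domain (the property's domain and range are outside this hunk), a consumer validating email objects against this ontology loses the only statement of that exclusivity constraint. Either keep `In an EmailMessage, this property MUST NOT be used if is_multipart is true.` ahead of the MIME-part sentence, or, if the property was duplicated per class in the preceding hunks, move that sentence to the EmailMessage-specific description so the constraint is not silently lost.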
@@ -214,14 +224,14 @@ body_raw_ref - Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as a reference to an Artifact object or File object.\n\nThe object referenced in this property MUST be of type artifact or file. For use cases where conveying the actual data contained in the MIME part is of primary importance, artifact SHOULD be used. Otherwise, for use cases where conveying metadata about the file-like properties of the MIME part is of primary importance, file SHOULD be used. + Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as a reference to an Artifact object or File object. The object referenced in this property MUST be of type artifact or file. For use cases where conveying the actual data contained in the MIME part is of primary importance, artifact SHOULD be used. Otherwise, for use cases where conveying metadata about the file-like properties of the MIME part is of primary importance, file SHOULD be used. body_raw_ref_id - Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as the identifier to an Artifact object or File object.\n\nThe object referenced in this property MUST be of type artifact or file. For use cases where conveying the actual data contained in the MIME part is of primary importance, artifact SHOULD be used. Otherwise, for use cases where conveying metadata about the file-like properties of the MIME part is of primary importance, file SHOULD be used. + Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as a reference to an Artifact object or File object. The object referenced in this property MUST be of type artifact or file. For use cases where conveying the actual data contained in the MIME part is of primary importance, artifact SHOULD be used. 
Otherwise, for use cases where conveying metadata about the file-like properties of the MIME part is of primary importance, file SHOULD be used. @@ -245,7 +255,7 @@ content_type - Specifies the value of the “Content-Type” header of the email message or MIME part. + diff --git a/stix/core-objects/sco/network-traffic/network-traffic.owl b/stix/core-objects/sco/network-traffic/network-traffic.owl index 370b5ca..5f9f50f 100644 --- a/stix/core-objects/sco/network-traffic/network-traffic.owl +++ b/stix/core-objects/sco/network-traffic/network-traffic.owl @@ -21,7 +21,6 @@ - 
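Review bot: The new `body_raw_ref_id` description is now byte-identical to `body_raw_ref`, so the distinction the removed text made — an identifier string versus an object reference — is no longer documented anywhere in this hunk. The same collapse happens for `dst_payload_ref_id` and `message_body_data_ref_id` (network-traffic, `@@ -49,13 +414,13 @@` and the large `@@ -31,9 +30,375 @@` hunk), `encapsulated_by_ref_id` and `encapsulates_refs_id` (`@@ -101,31 +466,31 @@`), `src_payload_ref_id` (`@@ -160,13 +525,13 @@`) and `creator_user_ref_id` (windows-registry-key, `@@ -30,19 +66,44 @@`); this note covers all of them. If the `_ref_id` properties still carry a literal identifier rather than an object, a reader can no longer tell which property to validate as an `artifact--`/`file--` id string, which matters when these ontologies drive ingestion of untrusted STIX bundles. Suggested wording for this one: `Specifies the identifier of the Artifact or File object that holds the contents of a non-textual MIME part, that is one whose content_type does not start with text/. The identifier MUST refer to an object of type artifact or file.`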
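Review bot: In `@@ -245,7 +255,7 @@` the `content_type` description is removed and the added line that replaces it shows no text, so on the new side the property appears to have an empty description. This may be an artefact of how the patch was rendered (element markup is not visible here), but if the element really was emptied it should be restored, e.g. `Specifies the value of the "Content-Type" header of the email message or MIME part.`, which also carries the straight-quote normalisation applied elsewhere in this commit. Without it, `content_type` is the only MIME-part property in this file left undocumented.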
@@ -31,9 +30,375 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Network Traffic - The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood.\n\nTo allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization’s network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties. + The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood. To allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization's network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + HTTP Request Extension + The HTTP request extension specifies a default extension for capturing network traffic properties specific to HTTP requests. The key for this extension when used in the extensions dictionary MUST be http-request-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is http. + + + + + + + + + + + + + + + + + ICMP Extension + The ICMP extension specifies a default extension for capturing network traffic properties specific to ICMP. The key for this extension when used in the extensions dictionary MUST be icmp-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is icmp. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Network Socket Extension + The Network Socket extension specifies a default extension for capturing network traffic properties associated with network sockets. The key for this extension when used in the extensions dictionary MUST be socket-ext. Note that this predefined extension does not use the extension facility described in section 7.3. + + + + + + + + + + + + + + + + + TCP Extension + The TCP extension specifies a default extension for capturing network traffic properties specific to TCP. The key for this extension when used in the extensions dictionary MUST be tcp-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is tcp. An object using the TCP Extension MUST contain at least one property from this extension. 
+ + + + src_flags_hex + Specifies the source TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property). If the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon. + + + + + dst_flags_hex + Specifies the destination TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property). If the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon. + + + + + address_family + Specifies the address family (AF_*) that the socket is configured for. The values of this property MUST come from the network-socket-address-family-enum enumeration. + + + + + is_blocking + Specifies whether the socket is in blocking mode. + + + + + is_listening + Specifies whether the socket is in listening mode. + + + + + options + Specifies any options (e.g., SO_*) that may be used by the socket, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the option name, e.g., SO_ACCEPTCONN. Each key value in the dictionary MUST be the value for the corresponding options key. Each dictionary value MUST be an integer. For SO_RCVTIMEO, SO_SNDTIMEO and SO_LINGER the value represents the number of milliseconds. If the SO_LINGER key is present, it indicates that the SO_LINGER option is active. + + + + + socket_type + Specifies the type of the socket. The values of this property MUST come from the network-socket-type-enum enumeration. + + + + + socket_descriptor + Specifies the socket file descriptor value associated with the socket, as a non-negative integer. 
+ + + + + socket_handle + Specifies the handle or inode value associated with the socket. + + + + + icmp_type_hex + Specifies the ICMP type byte. + + + + + icmp_code_hex + Specifies the ICMP code byte. + + + + + request_method + Specifies the HTTP method portion of the HTTP request line, as a lowercase string. + + + + + request_value + Specifies the value (typically a resource path) portion of the HTTP request line. + + + + + request_version + Specifies the HTTP version portion of the HTTP request line, as a lowercase string. + + + + + request_header + Specifies all of the HTTP header fields that may be found in the HTTP client request, as a dictionary. Each key in the dictionary MUST be the name of the header field and SHOULD preserve case, e.g., User-Agent. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. + + + + + message_body_length + Specifies the length of the HTTP message body, if included, in bytes. + + + + + message_body_data_ref + Specifies the data contained in the HTTP message body, if included. The object referenced in this property MUST be of type artifact. + + + + + message_body_data_ref_id + Specifies the data contained in the HTTP message body, if included. The object referenced in this property MUST be of type artifact. + + dst_byte_count @@ -49,13 +414,13 @@ dst_payload_ref - Specifies the bytes sent from the destination to the source.\n\nThe object referenced in this property MUST be of type artifact. + Specifies the bytes sent from the destination to the source. The object referenced in this property MUST be of type artifact. dst_payload_ref_id - Specifies the bytes sent from the destination to the source.\n\nThe identifier for the object specified in this property MUST be of type artifact. + Specifies the bytes sent from the destination to the source. The object referenced in this property MUST be of type artifact. 
@@ -76,7 +441,7 @@ dst_ref - Specifies the destination of the network traffic, as a reference to a Cyber-observable Object.\n\nThe object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). + Specifies the destination of the network traffic, as a reference to a Cyber-observable Object. The object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). 
@@ -101,31 +466,31 @@ encapsulated_by_ref - Specifies a reference to another network-traffic object which encapsulates this object.\n\nThe object referenced in this property MUST be of type network-traffic. + Links to another network-traffic object which encapsulates this object. The object referenced in this property MUST be of type network-traffic. encapsulated_by_ref_id - Specifies the identifier of another network-traffic object which encapsulates this object.\n\nThe identifier of the object specified MUST be of type network-traffic. + Links to another network-traffic object which encapsulates this object. The object referenced in this property MUST be of type network-traffic. encapsulates_refs - Specifies references to other network-traffic objects encapsulated by this network-traffic object.\n\nThe objects referenced in this property MUST be of type network-traffic. + Links to other network-traffic objects encapsulated by this network-traffic object. The objects referenced in this property MUST be of type network-traffic. encapsulates_refs_id - Specifies identifiers of other network-traffic objects encapsulated by this network-traffic object.\n\nThe identifier of objects specified MUST be of type network-traffic. + Links to other network-traffic objects encapsulated by this network-traffic object. The objects referenced in this property MUST be of type network-traffic. end - Specifies the date/time the network traffic ended, if known.\n\nIf the is_active property is true, then the end property MUST NOT be included.\n\nIf start and end are both defined, then end MUST be later than the start value. + Specifies the date/time the network traffic ended, if known. If the is_active property is true, then the end property MUST NOT be included. If this property and the start property are both defined, then this property MUST be greater than or equal to the timestamp in the start property. 
@@ -136,13 +501,13 @@ is_active - Indicates whether the network traffic is still ongoing.\n\nIf the end property is provided, this property MUST be false. + Indicates whether the network traffic is still ongoing. If the end property is provided, this property MUST be false. protocols - Specifies the protocols observed in the network traffic, along with their corresponding state.\n\nProtocols MUST be listed in low to high order, from outer to inner in terms of packet encapsulation. That is, the protocols in the outer level of the packet, such as IP, MUST be listed first.\n\nThe protocol names SHOULD come from the service names defined in the Service Name column of the IANA Service Name and Port Number Registry [Port Numbers]. In cases where there is variance in the name of a network protocol not included in the IANA Registry, content producers should exercise their best judgement, and it is recommended that lowercase names be used for consistency with the IANA registry. + Specifies the protocols observed in the network traffic, along with their corresponding state. Protocols MUST be listed in low to high order, from outer to inner in terms of packet encapsulation. That is, the protocols in the outer level of the packet, such as IP, MUST be listed first. The protocol names SHOULD come from the service names defined in the Service Name column of the IANA Service Name and Port Number Registry [Port Numbers]. In cases where there is variance in the name of a network protocol not included in the IANA Registry, content producers should exercise their best judgement, and it is recommended that lowercase names be used for consistency with the IANA registry. If the protocol extension is present, the corresponding protocol value for that extension SHOULD be listed in this property. Examples: ipv4, tcp, http 
@@ -160,13 +525,13 @@ src_payload_ref - Specifies a reference to an Artfact object that contains the bytes sent from the source to the destination.\n\nThe object referenced in this property MUST be of type artifact. + Specifies the bytes sent from the source to the destination. The object referenced in this property MUST be of type artifact. src_payload_ref_id - Specifies the identifier of an Artfact object that contains the bytes sent from the source to the destination.\n\nThe identifier of the object specified MUST be of type artifact. + Specifies the bytes sent from the source to the destination. The object referenced in this property MUST be of type artifact. @@ -187,7 +552,7 @@ src_ref - Specifies a reference to a Cyber-observable object that is the source of the network traffic.\n\nThe object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). + Specifies the source of the network traffic, as a reference to a Cyber-observable Object. The object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). @@ -216,4 +581,87 @@ + + network-socket-address-family-enum + + + + + AF_UNSPEC + + + AF_INET + + + AF_IPX + + + AF_APPLETALK + + + AF_NETBIOS + + + AF_INET6 + + + AF_IRDA + + + AF_BTH + + + + + + + + + + + + + + + + + + + + + + + network-socket-type-enum + + + + + SOCK_STREAM + + + SOCK_DGRAM + + + SOCK_RAW + + + SOCK_RDM + + + SOCK_SEQPACKET + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/stix/core-objects/sco/user-account/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl index bc12fb5..47fa9f8 100644 --- a/stix/core-objects/sco/user-account/user-account.owl +++ b/stix/core-objects/sco/user-account/user-account.owl @@ -166,7 +166,6 @@ - account_created Specifies when the account was created. 
diff --git a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl index d03ec3b..186c0c2 100644 --- a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl +++ b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl @@ -17,12 +17,48 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + WindowsRegistryKey The Windows Registry Key object represents the properties of a Windows registry key.\n\nAs all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. @@ -30,19 +66,44 @@ + + + + + + + + + + + + + + + + + + + RegistryValue The Windows Registry Value type captures the properties of a Windows Registry Key Value.\n\nAs all properties of this type are optional, at least one of the properties defined below MUST be included when using this type. + + + name + Specifies the name of the registry value. For specifying the default value in a registry key, an empty string MUST be used. + + creator_user_ref - Specifies a reference to the UsedrAccount object that represents the user account that created the registry key.\n\nThe object referenced in this property MUST be of type user-account. + Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. creator_user_ref_id - Specifies the identifier of the UserAccount object that represents the user account that created the registry key.\n\nThe identifier of the object specified MUST be of type user-account. + Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. 
@@ -134,7 +195,7 @@ key - Specifies the full registry key including the hive.\n\nThe value of the key, including the hive portion, SHOULD be case-preserved. The hive portion of the key MUST be fully expanded and not truncated; e.g., HKEY_LOCAL_MACHINE must be used instead of HKLM. + Specifies the full registry key including the hive. The value of the key, including the hive portion, SHOULD be case-preserved. The hive portion of the key MUST be fully expanded and not truncated; e.g., HKEY_LOCAL_MACHINE must be used instead of HKLM. @@ -152,7 +213,7 @@ values - Specifies the values found under the registry key. + Specifies the number of subkeys contained under the registry key. From 9d127c2746d588f0eee227b659a4556e7e3deaff Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Sun, 8 Jan 2023 19:41:22 +0100 Subject: [PATCH 17/70] Added all missing class definitions and properties for all SCOs --- stix/core-objects/sco/file/file.owl | 963 ++++++++++++++++++++- stix/core-objects/sco/process/process.owl | 453 +++++++++- stix/vocabularies/vocabulary-user-defs.owl | 22 +- 3 files changed, 1369 insertions(+), 69 deletions(-) diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl index d70fb41..1ac3517 100644 --- a/stix/core-objects/sco/file/file.owl +++ b/stix/core-objects/sco/file/file.owl 
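Review bot: The new description of `values` in `@@ -152,7 +213,7 @@`, `Specifies the number of subkeys contained under the registry key.`, describes a count, not the collection of registry values that the property name and the removed text denote; it reads like a copy of the number_of_subkeys description. A consumer that trusts this text would model `values` as an integer and drop the value name/data pairs that persistence and configuration-tampering detections depend on. Restore `Specifies the values found under the registry key.`, and if the property's range is the RegistryValue class added in `@@ -30,19 +66,44 @@`, state that here so the two hunks agree.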
@@ -29,93 +29,984 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + File The File object represents the properties of a file. A File object MUST contain at least one of hashes or name. + + + + + + + + + + + + + + + + + + + + + + Archive File Extension + The Archive File extension specifies a default extension for capturing properties specific to archive files. The key for this extension when used in the extensions dictionary MUST be archive-ext. Note that this predefined extension does not use the extension facility described in section 7.3. + + + + + + + + + + + + + + + + + NTFS File Extension + The NTFS file extension specifies a default extension for capturing properties specific to the storage of the file on the NTFS file system. The key for this extension when used in the extensions dictionary MUST be ntfs-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the NTFS File Extension MUST contain at least one property from this extension. + + + + + + + + + + + + + + + + + + + + + + + Alternate Data Stream Type + The Alternate Data Stream type represents an NTFS alternate data stream. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PDF File Extension + The PDF file extension specifies a default extension for capturing properties specific to PDF files. The key for this extension when used in the extensions dictionary MUST be pdf-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the PDF File Extension MUST contain at least one property from this extension. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Raster Image File Extension + The Raster Image file extension specifies a default extension for capturing properties specific to raster image files. 
The key for this extension when used in the extensions dictionary MUST be raster-image-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Raster Image File Extension MUST contain at least one property from this extension. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Windows PE Binary File Extension + The Windows PE Binary File extension specifies a default extension for capturing properties specific to Windows portable executable (PE) files. The key for this extension when used in the extensions dictionary MUST be windows-pebinary-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Windows™ PE Binary File Extension MUST contain at least one property other than the required pe_type property from this extension. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Windows PE Optional Header Type + The Windows PE Optional Header type represents the properties of the PE optional header. An object using the Windows PE Optional Header Type MUST contain at least one property from this type. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Windows PE Section Type + The Windows PE Section type specifies metadata about a PE file section. + + + + entropy + Specifies the calculated entropy for the section, as calculated using the Shannon algorithm (https://en.wiktionary.org/wiki/Shannon_entropy). 
The size of each input character is defined as a byte, resulting in a possible range of 0 through 8. + + + + + magic_hex + Specifies the hex value that indicates the type of the PE binary. + + + + + major_linker_version + Specifies the linker major version number. + + + + + minor_linker_version + Specifies the linker minor version number. + + + + + size_of_code + Specifies the size of the code (text) section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. + + + + + size_of_initialized_data + Specifies the size of the initialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. + + + + + size_of_uninitialized_data + Specifies the size of the uninitialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. + + + + + address_of_entry_point + Specifies the address of the entry point relative to the image base when the executable is loaded into memory. + + + + + base_of_code + Specifies the address that is relative to the image base of the beginning-of-code section when it is loaded into memory. + + + + + base_of_data + base_of_data + + + + + image_base + Specifies the preferred address of the first byte of the image when loaded into memory. + + + + + section_alignment + Specifies the alignment (in bytes) of PE sections when they are loaded into memory. + + + + + file_alignment + Specifies the factor (in bytes) that is used to align the raw data of sections in the image file. + + + + + major_os_version + Specifies the major version number of the required operating system. + + + + + minor_os_version + Specifies the minor version number of the required operating system. + + + + + major_image_version + Specifies the major version number of the image. 
+ + + + + minor_image_version + Specifies the minor version number of the image. + + + + + major_subsystem_version + Specifies the major version number of the subsystem. + + + + + minor_subsystem_version + Specifies the minor version number of the subsystem. + + + + + win32_version_value_hex + Specifies the reserved win32 version value. + + + + + size_of_image + Specifies the size of the image in bytes, including all headers, as the image is loaded in memory. The value of this property MUST NOT be negative. + + + + + size_of_headers + Specifies the combined size of the MS-DOS, PE header, and section headers, rounded up to a multiple of the value specified in the file_alignment header. The value of this property MUST NOT be negative.. + + checksum_hex - Specifies the checksum of the file. + Specifies the checksum of the PE binary. - - comment - Specifies a comment included as part of the associated entity. - + + subsystem_hex + Specifies the subsystem (e.g., GUI, device driver, etc.) that is required to run this image. + - - content_ref - Specifies the content of the file, represented as an Artifact object.\n\nThe object referenced in this property MUST be of type artifact. - - + + dll_characteristics_hex + Specifies the flags that characterize the PE binary. + + - - content_ref_id - Specifies the identifier of an Artifact object that contains the contents of the file.\n\nThe identifier of the object specified in this property MUST be of type artifact. + + size_of_stack_reserve + Specifies the size of the stack to reserve, in bytes. The value of this property MUST NOT be negative. + + + + + size_of_stack_commit + Specifies the size of the stack to commit, in bytes. The value of this property MUST NOT be negative. + + + + + size_of_heap_reserve + Specifies the size of the local heap space to reserve, in bytes. The value of this property MUST NOT be negative. + + + + + size_of_heap_commit + Specifies the size of the local heap space to commit, in bytes. 
The value of this property MUST NOT be negative. + + + + + loader_flags_hex + Specifies the reserved loader flags. + + + + + number_of_rva_and_sizes + Specifies the number of data-directory entries in the remainder of the optional header. - - entropy - Specifies the calculated entropy for the section, as calculated using the Shannon algorithm - + + pe_type + Specifies the type of the PE binary. This is an open vocabulary and values SHOULD come from the windows-pebinary-type-ov open vocabulary. + + + + windows-pebinary-type-ov-open + Defines an open-vocabulary used to capture the types of Windows PE files + + + + + user-definition-01 + + + user-definition-02 + + + + + + + + + + imphash + Specifies the special import hash, or 'imphash', calculated for the PE Binary based on its imported libraries and functions. For more information on the imphash algorithm, see the original article by Mandiant/FireEye [FireEye 2014]. + + + machine_hex Specifies the type of target machine. + + + number_of_sections + Specifies the number of sections in the PE binary, as a non-negative integer. + + + + + time_date_stamp + Specifies the time when the PE binary was created. The timestamp value MUST be precise to the second. + + + + + pointer_to_symbol_table_hex + Specifies the file offset of the COFF symbol table. + + + + + number_of_symbols + Specifies the number of entries in the symbol table of the PE binary, as a non-negative integer. + + + + + size_of_optional_header + Specifies the size of the optional header of the PE binary. The value of this property MUST NOT be negative. + + + + + characteristics_hex + Specifies the flags that indicate the file's characteristics. + + + + + file_header_hashes + Specifies any hashes that were computed for the file header. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. + + + + + optional_header + Specifies the PE optional header of the PE binary. 
When used, at least one property from the windows-pe-optional-header-type MUST be included. + + + + + optional_header_id + Specifies the PE optional header of the PE binary. When used, at least one property from the windows-pe-optional-header-type MUST be included. + + + + + sections + Specifies metadata about the sections in the PE file. + + + + + sections_id + Specifies metadata about the sections in the PE file. + + + + + image_height + Specifies the height of the image in the image file, in pixels. + + + + + image_width + Specifies the width of the image in the image file, in pixels. + + + + + bits_per_pixel + Specifies the sum of bits used for each color channel in the image file, and thus the total number of pixels used for expressing the color depth of the image. + + + + + exif_tags + Specifies the set of EXIF tags found in the image file, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single EXIF tag. Accordingly, each dictionary key MUST be a case-preserved version of the EXIF tag name, e.g., XResolution. Each dictionary value MUST be either an integer (for int* EXIF datatypes) or a string (for all other EXIF datatypes). + + + + + version + Specifies the decimal version number of the string from the PDF header that specifies the version of the PDF specification to which the PDF file conforms. E.g., 1.4. + + + + + is_optimized + Specifies whether the PDF file has been optimized. + + + + + document_info_dict + Specifies details of the PDF document information dictionary (DID), which includes properties like the document creation data and producer, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the corresponding entry in the document information dictionary without the prepended forward slash, e.g., Title. The corresponding value for the key MUST be the value specified for the document information dictionary entry, as a string. 
+ + + + + pdfid0 + Specifies the first file identifier found for the PDF file. + + + + + pdfid1 + Specifies the second file identifier found for the PDF file. + + + + + sid + Specifies the security ID (SID) value assigned to the file. + + + + + alternate_data_streams + Specifies a list of NTFS alternate data streams that exist for the file. + + + + + comment + Specifies a comment included as part of the archive file. + + + + size + + + + + name + + + + + name_enc + Specifies the observed encoding for the name of the file. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the value from the Preferred MIME Name column for a character set is defined, this value MUST be used; if it is not defined, then the value from the Name column in the registry MUST be used instead. This property allows for the capture of the original text encoding for the file name, which may be forensically relevant; for example, a file on an NTFS volume whose name was created using the windows-1251 encoding, commonly used for languages based on Cyrillic script. + + + magic_number_hex - Specifies the hexadecimal constant associated with a specific file format that corresponds to the file, if applicable. + Specifies the hexadecimal constant ("magic number") associated with a specific file format that corresponds to the file, if applicable. - + mime_type - Specifies the MIME type name specified for the object.\n\nWhenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types].\n\nMaintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. + Specifies the MIME type name specified for the file, e.g., application/msword. 
Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types].Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. - - - name_enc - Specifies the observed encoding for the name of the file. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry. If the value from the Preferred MIME Name column for a character set is defined, this value MUST be used; if it is not defined, then the value from the Name column in the registry MUST be used instead.\n\nThis property allows for the capture of the original text encoding for the file name, which may be forensically relevant; for example, a file on an NTFS volume whose name was created using the windows-1251 encoding, commonly used for languages based on Cyrillic script. - + + + ctime + Specifies the date/time the file was created. + + + mtime + Specifies the date/time the file was last written to/modified. + + + + + atime + Specifies the date/time the file was last accessed. + + + parent_directory_ref - Specifies a reference to a SCO Directory object that represents the parent directory of the file.\n\nThe object referenced in this property MUST be of type directory. + Specifies the parent directory of the file, as a reference to a Directory object. The object referenced in this property MUST be of type directory. parent_directory_ref_id - Specifies the identifier of a SCO Directory object that represents the parent directory of the file.\n\nThe identifier of the object referenced in this property MUST be of type directory. + Specifies the parent directory of the file, as a reference to a Directory object. The object referenced in this property MUST be of type directory. 
+ + + contains_refs + + - - sid - Specifies the Windows Security ID (SID) value + + contains_refs_id + + + content_ref + Specifies the content of the file, represented as an Artifact object. The object referenced in this property MUST be of type artifact. + + - - size - Specifies the size, in bytes. The value of this property MUST NOT be negative. - + + content_ref_id + Specifies the content of the file, represented as an Artifact object. The object referenced in this property MUST be of type artifact. + - + \ No newline at end of file diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl index 1de5781..b488587 100644 --- a/stix/core-objects/sco/process/process.owl +++ b/stix/core-objects/sco/process/process.owl @@ -20,7 +20,6 @@ - 
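Review bot: Several properties added on the new side of the `@@ -29,93 +29,984 @@` hunk have no description: `size` and `name` (after `comment`) and `contains_refs`/`contains_refs_id` near the end carry only a label, and `base_of_data` in the PE optional header section has its own name as its description. The removal of the old `size` text, `Specifies the size, in bytes. The value of this property MUST NOT be negative.`, drops the non-negativity constraint that every `size_of_*` property in the same hunk keeps, so at least that sentence should be restored. `size_of_headers` ends with `negative..`, and the `windows-pebinary-type-ov-open` vocabulary moved in from vocabulary-user-defs.owl still lists only `user-definition-01`/`user-definition-02` rather than the `dll`, `exe` and `sys` values of the STIX 2.1 windows-pebinary-type-ov. The XML markup is not visible in this rendering, so the exact elements affected are inferred from the surviving labels.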
@@ -28,20 +27,450 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Process The Process object represents common properties of an instance of a computer program as executed on an operating system. A Process object MUST contain at least one property (other than type) from this object (or one of its extensions). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Windows Process Extension + The Windows Process extension specifies a default extension for capturing properties specific to Windows processes. The key for this extension when used in the extensions dictionary MUST be windows-process-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Windows Process Extension MUST contain at least one property from this extension. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Windows Service Extension + The Windows Service extension specifies a default extension for capturing properties specific to Windows services. The key for this extension when used in the extensions dictionary MUST be windows-service-ext. Note that this predefined extension does not use the extension facility described in section 7.3. As all properties of this extension are optional, at least one of the properties defined below MUST be included when using this extension. + + + + service_name + Specifies the name of the service. + + + + + descriptions + Specifies the descriptions defined for the service. + + + + + display_name + Specifies the display name of the service in Windows GUI controls. + + + + + group_name + Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. 
+ + + + + start_type + Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. + + + + + service_dll_refs + Specifies the DLLs loaded by the service, as a reference to one or more File objects. The objects referenced in this property MUST be of type file. + + + + + service_dll_refs_id + Specifies the DLLs loaded by the service, as a reference to one or more File objects. The objects referenced in this property MUST be of type file. + + + + + service_type + Specifies the type of the service. The values of this property MUST come from the windows-service-type-enum enumeration. + + + + + service_status + Specifies the current status of the service. The values of this property MUST come from the windows-service-status-enum enumeration. + + + + + windows-service-start-type-enum + + + + + SERVICE_AUTO_START + + + SERVICE_BOOT_START + + + SERVICE_DEMAND_START + + + SERVICE_DISABLED + + + SERVICE_SYSTEM_ALERT + + + + + + + + + + + + + + + + + windows-service-type-enum + + + + + SERVICE_KERNEL_DRIVER + + + SERVICE_FILE_SYSTEM_DRIVER + + + SERVICE_WIN32_OWN_PROCESS + + + SERVICE_WIN32_SHARE_PROCESS + + + + + + + + + + + + + + + windows-service-status-enum + + + + + SERVICE_CONTINUE_PENDING + + + SERVICE_PAUSE_PENDING + + + SERVICE_PAUSED + + + SERVICE_RUNNING + + + SERVICE_START_PENDING + + + SERVICE_STOP_PENDING + + + SERVICE_STOPPED + + + + + + + + + + + + + + + + + + + + + dep_enabled + Specifies whether Data Execution Prevention (DEP) is enabled for the process. + + + + + priority + Specifies the current priority class of the process in Windows. This value SHOULD be a string that ends in _CLASS. + + + + + owner_sid + Specifies the Security ID (SID) value of the owner of the process. + + + + + window_title + Specifies the title of the main window of the process. + + + + + startup_info + Specifies the STARTUP_INFO struct used by the process, as a dictionary. 
Each name/value pair in the struct MUST be represented as a key/value pair in the dictionary, where each key MUST be a case-preserved version of the original name. For example, given a name of "lpDesktop" the corresponding key would be lpDesktop. + + + + + integrity_level + Specifies the Windows integrity level, or trustworthiness, of the process. The values of this property MUST come from the windows-integrity-level-enum enumeration. + + + + + windows-integrity-level-enum + + + + + low + + + medium + + + high + + + system + + + + + + + + + + + + + child_refs - Specifies references to other Process objects that represent the other processes that were spawned by (i.e. children of) this process.\n\nThe objects referenced in this list MUST be of type process. + Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process objects. The objects referenced in this list MUST be of type process. child_refs_id - Specifies the list of identifiers of Process objects that represent the other processes that were spawned by (i.e. children of) this process.\n\nThe identifiers of the objects specified MUST be of type process. + Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process objects. The objects referenced in this list MUST be of type process. 
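Review bot: In the `@@ -28,20 +27,450 @@` hunk, `group_name` and `start_type` of the Windows Service Extension both carry the description `Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process.`, which is the text of the process-level `aslr_enabled` property and is wrong for both. In STIX 2.1 `group_name` is the load ordering group the service belongs to and `start_type` is the start option whose values come from the `windows-service-start-type-enum` defined a few lines further down in the same hunk. Suggest `Specifies the name of the load ordering group of which the service is a member.` for `group_name` and `Specifies the start options defined for the service. The values of this property MUST come from the windows-service-start-type-enum enumeration.` for `start_type`. `aslr_enabled` itself does not appear among the surviving labels of the hunk, so it may have been lost in the same copy-paste; worth checking against the file.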
@@ -53,19 +482,19 @@ created_time - Specifies the date and time at which the process was created. + Specifies the date/time at which the process was created. creator_user_ref - Specifies a reference to a UserAccount object that represents the user that created the process.\n\nThe reference to the object specified MUST be of type user-account. + Specifies the user that created the process, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. creator_user_ref_id - Specifies the idetifier of a UserAccount object that represents the user that created the process.\n\nThe idetntifier of the object specified MUST be of type user-account. + Specifies the user that created the process, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. @@ -82,13 +511,13 @@ image_ref - Specifies a reference to a File object tha represents the executable binary that was executed as the process image.\n\nThe object referenced in this property MUST be of type file. + Specifies the executable binary that was executed as the process image, as a reference to a File object. The object referenced in this property MUST be of type file. image_ref_id - Specifies the identifier of a File object tha represents the executable binary that was executed as the process image.\n\nThe identifier of the object specified MUST be of type file. + Specifies the executable binary that was executed as the process image, as a reference to a File object. The object referenced in this property MUST be of type file. 
@@ -100,25 +529,25 @@ opened_connection_refs - Specifies a list of references to Network Traffic objects that represent the network connections opened by the process.\n\nThe objects referenced in this list MUST be of type network-traffic. + Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic objects. The objects referenced in this list MUST be of type network-traffic. opened_connection_refs_id - Specifies a list of identifiers of Network Traffic objects that represent the network connections opened by the process.\n\nThe identifiers of the objects specified MUST be of type network-traffic. + Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic objects. The objects referenced in this list MUST be of type network-traffic. parent_ref - Specifies a reference to the Process object that references the other process that spawned (i.e. is the parent of) this one.\n\nThe object referenced in this property MUST be of type process. + Specifies the other process that spawned (i.e. is the parent of) this one, as a reference to a Process object. The object referenced in this property MUST be of type process. parent_ref_id - Specifies the identifier of the Process object that references the other process that spawned (i.e. is the parent of) this one.\n\nThe identifier of the object specified MUST be of type process. + Specifies the other process that spawned (i.e. is the parent of) this one, as a reference to a Process object. The object referenced in this property MUST be of type process. diff --git a/stix/vocabularies/vocabulary-user-defs.owl b/stix/vocabularies/vocabulary-user-defs.owl index 5427c73..354004d 100644 --- a/stix/vocabularies/vocabulary-user-defs.owl +++ b/stix/vocabularies/vocabulary-user-defs.owl 
@@ -730,27 +730,7 @@ - - - windows-pebinary-type-ov-open - Defines an open-vocabulary used to capture the types of Windows PE files - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - + region-ov-open Defines an open-vocabulary that captures the world regions based on the United Nations geoscheme. From 4a6f4fe128198bdc6fa2995fb19d4609c61d5ef2 Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Sun, 8 Jan 2023 20:17:16 +0100 Subject: [PATCH 18/70] trying to run the rdf-toolkit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8985b7e..cd72ca7 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ As documented in [Public Participation Invited](https://github.com/oasis-open/ta ## Statement of Purpose -The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to create an ontology for expressing the rich context around Threat Actors. +The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to create an ontology for expressing the rich context around Threat Actors. *Additions to Statement of Purpose* From dca4b09148befe434ecef90278a9f51eb2247beb Mon Sep 17 00:00:00 2001 
From: Mateusz Zych Date: Thu, 12 Jan 2023 20:32:39 +0100 Subject: [PATCH 19/70] Added class definitions and all missing SCOs properties. --- README.md | 4 +- stix/catalog-v001.xml | 96 +++++++++---------- stix/core-objects/data-types.owl | 4 +- stix/core-objects/sco/artifact/artifact.owl | 39 ++++---- stix/core-objects/sco/directory/directory.owl | 33 ++++--- .../sco/domain-name/domain-name.owl | 16 ++-- .../sco/email-address/email-address.owl | 22 +++-- .../sco/email-message/email-message.owl | 88 +++++++++-------- stix/core-objects/sco/file/file.owl | 80 ++++++---------- .../sco/ipv4-address/ipv4-address.owl | 14 +-- .../sco/ipv6-address/ipv6-address.owl | 14 +-- .../sco/mac-address/mac-address.owl | 2 +- stix/core-objects/sco/mutex/mutex.owl | 3 +- .../sco/network-traffic/network-traffic.owl | 93 +++++++++++------- stix/core-objects/sco/process/process.owl | 55 ++++++----- stix/core-objects/sco/software/software.owl | 1 - stix/core-objects/sco/url/url.owl | 3 +- .../sco/user-account/user-account.owl | 21 ++-- .../windows-registry-key.owl | 41 ++++---- .../sco/x509-vertificate/x509-certificate.owl | 14 +-- 20 files changed, 338 insertions(+), 305 deletions(-) diff --git a/README.md b/README.md index cd72ca7..29f48bf 100644 --- a/README.md +++ b/README.md 
@@ -12,11 +12,11 @@ As documented in [Public Participation Invited](https://github.com/oasis-open/ta ## Statement of Purpose -The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to create an ontology for expressing the rich context around Threat Actors. +The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to create an ontology for expressing the rich context around Threat Actors. *Additions to Statement of Purpose* -*The TC may include additional content as descriptive text, reflecting project status, milestones, releases, modifications to statement of purpose, etc. +*The TC may include additional content as descriptive text, reflecting project status, milestones, releases, modifications to statement of purpose, etc. ## Maintainers diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml index 93fe0d3..bbc954d 100644 --- a/stix/catalog-v001.xml +++ b/stix/catalog-v001.xml @@ -3,53 +3,53 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index f4d5937..3b04d38 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl @@ -25,7 +25,7 @@ Used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material. - + Hash Represents a cryptographic hashes, as a special set of key/value pairs. @@ -124,7 +124,7 @@ hashes Specifies a set of hashes for the contents of the url. This SHOULD be provided when the url property is present. Dictionary keys MUST come from one of the entries listed in the hash-algorithm-ov open vocabulary. - + 
diff --git a/stix/core-objects/sco/artifact/artifact.owl b/stix/core-objects/sco/artifact/artifact.owl index 009df9e..0fb7992 100644 --- a/stix/core-objects/sco/artifact/artifact.owl +++ b/stix/core-objects/sco/artifact/artifact.owl @@ -21,6 +21,7 @@ + @@ -42,7 +43,7 @@ - + @@ -57,9 +58,8 @@ - Artifact - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.\n\nOne of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. + The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. @@ -70,7 +70,7 @@ payload_bin - Specifies the binary data contained in the artifact as a base64-encoded string.\n\nThis property MUST NOT be present if url is provided. + Specifies the binary data contained in the artifact as a base64-encoded string. This property MUST NOT be present if url is provided. 
@@ -82,38 +82,43 @@ hashes - Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. - + Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. + encryption algorithm - Specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in, if the artifact is encrypted.\n\nIf both mime_type and encryption_algorithm are included, this signifies that the artifact represents an encrypted archive. - + If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in. The value of this property MUST come from the encryption-algorithm-enum enumeration. If both mime_type and encryption_algorithm are included, this signifies that the artifact represents an encrypted archive. + + + + + encryption-algorithm-enum + - + AES-256-GCM - + ChaCha20-Poly1035 - + mime-type-indicated - + - + - + - - + + decryption_key - Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive.\n\nThis property MUST NOT be present when the encryption_algorithm property is absent. + Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive. This property MUST NOT be present when the encryption_algorithm property is absent. diff --git a/stix/core-objects/sco/directory/directory.owl b/stix/core-objects/sco/directory/directory.owl index 736ae78..3c847f2 100644 
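Review bot: The `encryption-algorithm-enum` individual `ChaCha20-Poly1035` looks like a typo for `ChaCha20-Poly1305`, the AEAD construction specified in RFC 8439; there is no Poly1035 MAC, and now that the new `encryption_algorithm` description says values MUST come from this enumeration, a validator built on this ontology would reject the correctly spelled value. If the misspelling is being copied verbatim from the STIX 2.1 spec text, a comment on the individual saying so would prevent inconsistent "fixes" later. Separately, the new `decryption_key` description places the key in the same object as the `payload_bin`/`url` it unlocks without any handling caveat; consider appending `Because this property travels with the ciphertext, the encryption provides no confidentiality against anyone who receives the object; producers SHOULD rely on data markings, not this property, to restrict access.` That caveat is my inference from the property layout, not something the hunk states.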
--- a/stix/core-objects/sco/directory/directory.owl +++ b/stix/core-objects/sco/directory/directory.owl @@ -17,7 +17,6 @@ - 2.1.0 @@ -57,34 +56,35 @@ - + + - + - Directory + Directory Object The Directory object represents the properties common to a file system directory. atime - Specifies the date and time the directory or file was last accessed. + Specifies the date/time the directory was last accessed. ctime - Specifies the date and time the file or directory was created. + Specifies the date/time the directory was created. mtime - Specifies the date and time the directory or file was last written to/modified. + Specifies the date/time the directory was last written to/modified. 
@@ -96,19 +96,28 @@ path_enc - Specifies the observed encoding for the path. The value MUST be specified if the path is stored in a non-Unicode encoding. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry. If the preferred MIME name for a character set is defined, this value MUST be used; if it is not defined, then the Name value from the registry MUST be used instead. + Specifies the observed encoding for the path. The value MUST be specified if the path is stored in a non-Unicode encoding. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the preferred MIME name for a character set is defined, this value MUST be used; if it is not defined, then the Name value from the registry MUST be used instead. contains_refs - Specifies a list of references to other STIX CyberObservable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension. - + Specifies a list of references to other File and/or Directory objects contained within the directory. The objects referenced in this list MUST be of type file or directory. + + + + + + + + + + - + contains_refs_id - Specifies a list of identifiers of other STIX Cyber Observable Objects contained within the file or directory, such as another file that is appended to the end of the file, or an IP address that is contained somewhere in the file.\n\nThis is intended for use cases other than those targeted by the Archive extension + Specifies a list of references to other File and/or Directory objects contained within the directory. The objects referenced in this list MUST be of type file or directory. 
diff --git a/stix/core-objects/sco/domain-name/domain-name.owl b/stix/core-objects/sco/domain-name/domain-name.owl index 65e6b4b..31e6a08 100644 --- a/stix/core-objects/sco/domain-name/domain-name.owl +++ b/stix/core-objects/sco/domain-name/domain-name.owl @@ -32,12 +32,14 @@ - + + + - + @@ -48,7 +50,7 @@ resolved_to_refs - Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to.\n\nThe objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). + Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). @@ -63,15 +65,15 @@ - + resolved_to_refs_id - Specifies a list of identifiers to one or more SCO IP Address or Domain Name objectss that the domain name resolves to.\n\nThe object identifiers referenced in this list MUST be for objects of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). + Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). - value - Specifies the value of the subject as a string. + value + Specifies the value of the domain name. The value of this property MUST conform to [RFC1034], and each domain and sub-domain contained within the domain name MUST conform to [RFC5890]. diff --git a/stix/core-objects/sco/email-address/email-address.owl b/stix/core-objects/sco/email-address/email-address.owl index b15a6b9..b3c38c1 100644 --- a/stix/core-objects/sco/email-address/email-address.owl +++ b/stix/core-objects/sco/email-address/email-address.owl 
@@ -38,34 +38,40 @@ - + - Email Address - An Email Address object represents a single email address. + + + + + + + Email Address Object + The Email Address object represents a single email address. belongs_to_ref - Specifies the user account that the email address belongs to, as a reference to a User Account object.\n\nThe object referenced in this property MUST be of type user-account. + Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. - + belongs_to_ref_id - Specifies the identifier of the SCO UserAccount object that the email address belongs to.\n\nThe object referenced in this property MUST be of type user-account. + Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. display_name - Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. + Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. This property corresponds to the display-name construction in section 3.4 of [RFC5322], for example, Jane Smith. value - Specifies the value of the subject as a string. + Specifies the value of the email address. This MUST NOT include the display name. This property corresponds to the addr-spec construction in section 3.4 of [RFC5322], for example, jane.smith@example.com. diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl index 78267a2..6bdf494 100644 --- a/stix/core-objects/sco/email-message/email-message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl @@ -53,7 +53,7 @@ - + @@ -65,7 +65,7 @@ - + @@ -77,7 +77,7 @@ - + @@ -89,7 +89,7 @@ - + @@ -101,7 +101,7 @@ - + @@ -138,7 +138,7 @@ - + 
@@ -149,16 +149,16 @@ - + EmailMessage - The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs.\n\nHeader field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. + The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs. Header field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. - - + + @@ -173,7 +173,7 @@ - + 
@@ -189,30 +189,29 @@ - MimePart - Specifies one component of a multi-part body.\n\nThere is no property to capture the value of the “Content-Transfer-Encoding” header field, since the body MUST be decoded before being represented in the body property. + Email MIME Component Type + Specifies one component of a multi-part email body. There is no property to capture the value of the "Content-Transfer-Encoding" header field, since the body MUST be decoded before being represented in the body property. One of body OR body_raw_ref MUST be included. additional header fields - Specifies any other header fields (except for date, received_lines, content_type, from_ref, sender_ref, to_refs, cc_refs, bcc_refs, and subject) found in the email message, as a dictionary.\n\nEach key/value pair in the dictionary represents the name/value of a single header field or names/values of a header field that occurs more than once. Each dictionary key SHOULD be a case-preserved version of the header field name. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. + Specifies any other header fields (except for date, received_lines, content_type, from_ref, sender_ref, to_refs, cc_refs, bcc_refs, and subject) found in the email message, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single header field or names/values of a header field that occurs more than once. Each dictionary key SHOULD be a case-preserved version of the header field name. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. 
bcc_refs - Specifies the mailboxes that are “BCC:” recipients of the email message.\n\nAs per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized.\n\nThe objects referenced in this list MUST be of type email-address. + Specifies the mailboxes that are "BCC:" recipients of the email message. As per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized. The objects referenced in this list MUST be of type email-address. - - bcc_refs_id - Specifies the mailboxes that are “BCC:” recipients of the email message.\n\nAs per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized.\n\nThe identifiers specifed in this list MUST be of type email-address. + + bcc_refs_string + Specifies the mailboxes that are "BCC:" recipients of the email message. As per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized. The objects referenced in this list MUST be of type email-address. body - Specifies the contents of the MIME part if the content_type is not provided or starts with text/ (e.g., in the case of plain text or HTML email). For inclusion in this property, the contents MUST be decoded to Unicode. Note that the charset provided in content_type is for informational usage and not for decoding of this property. 
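Review bot: The renamed `bcc_refs_string` datatype property is given exactly the same description as the `bcc_refs` object property, so the text no longer says what the `_string` form actually holds; the removed `bcc_refs_id` wording at least said the list carried identifiers. Suggest `Specifies, as a list of STIX identifier strings rather than object references, the mailboxes that are "BCC:" recipients of the email message. Each identifier MUST name an object of type email-address.` The same duplicated wording is applied to every `*_ref_string` and `*_refs_string` property renamed in this commit (cc_refs_string, from_ref_string, sender_ref_string, raw_email_ref_string, and the file, network-traffic and process equivalents), so the fix is worth applying uniformly. That the `_string` properties exist for identifier-only serialisation is inferred from the old `_id` names, not stated anywhere in the hunk.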
@@ -229,33 +228,32 @@ - - body_raw_ref_id + + body_raw_ref_string Specifies the contents of non-textual MIME parts, that is those whose content_type does not start with text/, as a reference to an Artifact object or File object. The object referenced in this property MUST be of type artifact or file. For use cases where conveying the actual data contained in the MIME part is of primary importance, artifact SHOULD be used. Otherwise, for use cases where conveying metadata about the file-like properties of the MIME part is of primary importance, file SHOULD be used. cc_refs - Specifies the mailboxes that are “CC:” recipients of the email message.\n\nThe objects referenced in this list MUST be of type email-address. + Specifies the mailboxes that are "CC:" recipients of the email message. The objects referenced in this list MUST be of type email-address. - - cc_refs_id - Specifies the mailboxes that are “CC:” recipients of the email message.\n\nThe identifiers specified in this list MUST be for objects of type email-address. + + cc_refs_string + Specifies the mailboxes that are "CC:" recipients of the email message. The objects referenced in this list MUST be of type email-address. content_disposition - Specifies the value of the “Content-Disposition” header field of the MIME part. + Specifies the value of the "Content-Disposition" header field of the MIME part. content_type - 
@@ -267,13 +265,13 @@ from_ref - Specifies a reference to a SCO EmailAddress object of the “From:” header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message.\n\nThe object referenced in this property MUST be of type email-address. + Specifies the value of the "From:" header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message. The object referenced in this property MUST be of type email-address. - - from_ref_id - Specifies an identifier of a SCO EmailAddress object of the “From:” header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message.\n\nThe object referenced in this property MUST be of type email-address. + + from_ref_string + Specifies the value of the "From:" header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message. The object referenced in this property MUST be of type email-address. 
@@ -291,49 +289,49 @@ raw_email_ref - Specifies the raw binary contents of the email message, including both the headers and body, as a reference to an Artifact object.\n\nThe object referenced in this property MUST be of type artifact. + Specifies the raw binary contents of the email message, including both the headers and body, as a reference to an Artifact object. The object referenced in this property MUST be of type artifact. - - raw_email_ref_id - Specifies the raw binary contents of the email message, including both the headers and body, as the identifer of an Artifact object.\n\nThe object referenced in this property MUST be of type artifact. + + raw_email_ref_string + Specifies the raw binary contents of the email message, including both the headers and body, as a reference to an Artifact object. The object referenced in this property MUST be of type artifact. received_lines - Specifies one or more "Received" header fields that may be included in the email headers.\n\nList values MUST appear in the same order as present in the email message. + Specifies one or more "Received" header fields that may be included in the email headers. List values MUST appear in the same order as present in the email message. sender_ref - Specifies the value of the “Sender” field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message.\n\nThe object referenced in this property MUST be of type email-address. + Specifies the value of the "Sender" field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. The object referenced in this property MUST be of type email-address. - - sender_ref_id - Specifies the value of the “Sender” field of the email message. 
The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message.\n\nThe identifier specified MUST be for an object of type email-address. + + sender_ref_string + Specifies the value of the "Sender" field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. The object referenced in this property MUST be of type email-address. subject - Specifies the subject of the message. + Specifies the subject of the email message. to_refs - Specifies a list of references to SCO EmailAddress objects that represents the mailboxes that are “To:” recipients of the email message. + Specifies the mailboxes that are "To:" recipients of the email message. The objects referenced in this list MUST be of type email-address. - - to_refs_id - Specifies a list of identifiers of SCO EmailAddress objects that represents the mailboxes that are “To:” recipients of the email message + + to_refs_string + Specifies the mailboxes that are "To:" recipients of the email message. The objects referenced in this list MUST be of type email-address. diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl index 1ac3517..f7458fa 100644 --- a/stix/core-objects/sco/file/file.owl +++ b/stix/core-objects/sco/file/file.owl @@ -38,7 +38,7 @@ - + @@ -97,7 +97,7 @@ - + @@ -109,7 +109,7 @@ - + @@ -121,7 +121,7 @@ - + @@ -130,7 +130,7 @@ - + @@ -139,7 +139,7 @@ - + @@ -154,7 +154,7 @@ - + @@ -172,7 +172,7 @@ - + @@ -182,7 +182,7 @@ - + @@ -196,7 +196,7 @@ - + @@ -231,8 +231,8 @@ The PDF file extension specifies a default extension for capturing properties specific to PDF files. The key for this extension when used in the extensions dictionary MUST be pdf-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the PDF File Extension MUST contain at least one property from this extension. - - + + 
@@ -262,11 +262,11 @@ - + - + @@ -320,7 +320,7 @@ - + @@ -332,13 +332,7 @@ - - - - - - - + Windows PE Binary File Extension @@ -346,7 +340,7 @@ - + @@ -499,7 +493,7 @@ - + @@ -530,7 +524,7 @@ - + Windows PE Optional Header Type @@ -538,7 +532,7 @@ - + @@ -560,7 +554,7 @@ - + Windows PE Section Type @@ -756,10 +750,10 @@ pe_type Specifies the type of the PE binary. This is an open vocabulary and values SHOULD come from the windows-pebinary-type-ov open vocabulary. - + - + windows-pebinary-type-ov-open Defines an open-vocabulary used to capture the types of Windows PE files @@ -830,7 +824,7 @@ file_header_hashes Specifies any hashes that were computed for the file header. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. - + @@ -839,24 +833,12 @@ - - optional_header_id - Specifies the PE optional header of the PE binary. When used, at least one property from the windows-pe-optional-header-type MUST be included. - - - sections Specifies metadata about the sections in the PE file. - - sections_id - Specifies metadata about the sections in the PE file. - - - image_height Specifies the height of the image in the image file, in pixels. @@ -866,7 +848,7 @@ image_width Specifies the width of the image in the image file, in pixels. - + @@ -981,8 +963,8 @@ - - parent_directory_ref_id + + parent_directory_ref_string Specifies the parent directory of the file, as a reference to a Directory object. The object referenced in this property MUST be of type directory. @@ -992,8 +974,8 @@ - - contains_refs_id + + contains_refs_string @@ -1003,8 +985,8 @@ - - content_ref_id + + content_ref_string Specifies the content of the file, represented as an Artifact object. The object referenced in this property MUST be of type artifact. diff --git a/stix/core-objects/sco/ipv4-address/ipv4-address.owl b/stix/core-objects/sco/ipv4-address/ipv4-address.owl index 993b857..8af6407 100644 --- a/stix/core-objects/sco/ipv4-address/ipv4-address.owl 
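Review bot: The PE extension's vocabulary class in the `@@ -756,10 +750,10 @@` hunk is labelled `windows-pebinary-type-ov-open`, while the vocabularies this commit introduces elsewhere are named `account-type-ov` (user-account.owl) and `encryption-algorithm-enum` (artifact.owl), so the `-open` suffix reads as a leftover rather than a convention. Suggest renaming it to `windows-pebinary-type-ov`, or adding a comment on the class explaining why this one differs. The surrounding tags are stripped in this view, so I cannot tell whether the suffix is in the label only or also in the IRI; both should agree with whichever name is kept.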
+++ b/stix/core-objects/sco/ipv4-address/ipv4-address.owl @@ -42,7 +42,7 @@ - + @@ -54,11 +54,11 @@ - + - IPv4Address + IPv4 Address Object The IPv4 Address object represents one or more IPv4 addresses expressed using CIDR notation. @@ -68,8 +68,8 @@ - - belongs_to_refs_id + + belongs_to_refs_string Specifies a list of references to one or more autonomous systems (AS) that the IPv4 address belongs to. The objects referenced in this list MUST be of type autonomous-system. @@ -80,8 +80,8 @@ - - resolved_to_refs_id + + resolved_to_refs_string Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4 address resolves to. The objects referenced in this list MUST be of type mac-addr. diff --git a/stix/core-objects/sco/ipv6-address/ipv6-address.owl b/stix/core-objects/sco/ipv6-address/ipv6-address.owl index 943f5c4..02edc4c 100644 --- a/stix/core-objects/sco/ipv6-address/ipv6-address.owl +++ b/stix/core-objects/sco/ipv6-address/ipv6-address.owl @@ -42,7 +42,7 @@ - + @@ -54,11 +54,11 @@ - + - IPv6Address + IPv6 Address Object The IPv6 Address object represents one or more IPv6 addresses expressed using CIDR notation. @@ -68,8 +68,8 @@ - - belongs_to_refs_id + + belongs_to_refs_string Specifies a list of references to one or more autonomous systems (AS) that the IPv6 address belongs to. The objects referenced in this list MUST be of type autonomous-system. @@ -80,8 +80,8 @@ - - resolved_to_refs_id + + resolved_to_refs_string Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv6 address resolves to. The objects referenced in this list MUST be of type mac-addr. diff --git a/stix/core-objects/sco/mac-address/mac-address.owl b/stix/core-objects/sco/mac-address/mac-address.owl index a7c7f39..59a79be 100644 --- a/stix/core-objects/sco/mac-address/mac-address.owl +++ b/stix/core-objects/sco/mac-address/mac-address.owl 
@@ -28,7 +28,7 @@ - MACAddress + MAC Address Object The MAC Address object represents a single Media Access Control (MAC) address. diff --git a/stix/core-objects/sco/mutex/mutex.owl b/stix/core-objects/sco/mutex/mutex.owl index b43472e..2762227 100644 --- a/stix/core-objects/sco/mutex/mutex.owl +++ b/stix/core-objects/sco/mutex/mutex.owl @@ -17,7 +17,6 @@ - 2.1.0 @@ -29,7 +28,7 @@ - Mutex + Mutex Object The Mutex object represents the properties of a mutual exclusion (mutex) object. diff --git a/stix/core-objects/sco/network-traffic/network-traffic.owl b/stix/core-objects/sco/network-traffic/network-traffic.owl index 5f9f50f..1248f2a 100644 --- a/stix/core-objects/sco/network-traffic/network-traffic.owl +++ b/stix/core-objects/sco/network-traffic/network-traffic.owl @@ -51,13 +51,31 @@ - + + + + + + + + + + - + + + + + + + + + + @@ -111,48 +129,48 @@ - + - + - + - + - + - + - + - + @@ -161,7 +179,7 @@ - + @@ -195,12 +213,12 @@ - + - + @@ -209,7 +227,7 @@ - + @@ -227,7 +245,7 @@ - + @@ -274,8 +292,8 @@ The Network Socket extension specifies a default extension for capturing network traffic properties associated with network sockets. The key for this extension when used in the extensions dictionary MUST be socket-ext. Note that this predefined extension does not use the extension facility described in section 7.3. - - + + @@ -388,14 +406,14 @@ - + message_body_data_ref Specifies the data contained in the HTTP message body, if included. The object referenced in this property MUST be of type artifact. - - + + - - message_body_data_ref_id + + message_body_data_ref_string Specifies the data contained in the HTTP message body, if included. The object referenced in this property MUST be of type artifact. @@ -418,8 +436,8 @@ - - dst_payload_ref_id + + dst_payload_ref_string Specifies the bytes sent from the destination to the source. The object referenced in this property MUST be of type artifact. 
@@ -458,9 +476,9 @@ - - dst_ref_id - Specifies the destination of the network traffic, as the identifier of a Cyber-observable Object.\n\nThe identifier of object specified MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). + + dst_ref_string + Specifies the destination of the network traffic, as a reference to a Cyber-observable Object. The object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). @@ -470,8 +488,8 @@ - - encapsulated_by_ref_id + + encapsulated_by_ref_string Links to another network-traffic object which encapsulates this object. The object referenced in this property MUST be of type network-traffic. @@ -482,8 +500,8 @@ - - encapsulates_refs_id + + encapsulates_refs_string Links to other network-traffic objects encapsulated by this network-traffic object. The objects referenced in this property MUST be of type network-traffic. @@ -497,6 +515,7 @@ ipfix Specifies any IP Flow Information Export [IPFIX] data for the traffic, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single IPFIX element. Accordingly, each dictionary key SHOULD be a case-preserved version of the IPFIX element name, e.g., octetDeltaCount. Each dictionary value MUST be either an integer or a string, as well as a valid IPFIX property. + 
@@ -507,7 +526,7 @@ protocols - Specifies the protocols observed in the network traffic, along with their corresponding state. Protocols MUST be listed in low to high order, from outer to inner in terms of packet encapsulation. That is, the protocols in the outer level of the packet, such as IP, MUST be listed first. The protocol names SHOULD come from the service names defined in the Service Name column of the IANA Service Name and Port Number Registry [Port Numbers]. In cases where there is variance in the name of a network protocol not included in the IANA Registry, content producers should exercise their best judgement, and it is recommended that lowercase names be used for consistency with the IANA registry. If the protocol extension is present, the corresponding protocol value for that extension SHOULD be listed in this property. Examples: ipv4, tcp, http + Specifies the protocols observed in the network traffic, along with their corresponding state. Protocols MUST be listed in low to high order, from outer to inner in terms of packet encapsulation. That is, the protocols in the outer level of the packet, such as IP, MUST be listed first. The protocol names SHOULD come from the service names defined in the Service Name column of the IANA Service Name and Port Number Registry [Port Numbers]. In cases where there is variance in the name of a network protocol not included in the IANA Registry, content producers should exercise their best judgement, and it is recommended that lowercase names be used for consistency with the IANA registry. If the protocol extension is present, the corresponding protocol value for that extension SHOULD be listed in this property. Example: ipv4, tcp, http @@ -529,8 +548,8 @@ - - src_payload_ref_id + + src_payload_ref_string Specifies the bytes sent from the source to the destination. The object referenced in this property MUST be of type artifact. 
@@ -569,9 +588,9 @@ - - src_ref_id - Specifies the identifier of a Cyber-observable object that is the source of the network traffic.\n\nThe identifier of the object specified MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). + + src_ref_string + Specifies the source of the network traffic, as a reference to a Cyber-observable Object. The object referenced MUST be of type ipv4-addr, ipv6-addr, mac-addr, or domain-name (for cases where the IP address for a domain name is unknown). diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl index b488587..09ae123 100644 --- a/stix/core-objects/sco/process/process.owl +++ b/stix/core-objects/sco/process/process.owl @@ -71,7 +71,7 @@ - + @@ -83,7 +83,7 @@ - + @@ -95,7 +95,7 @@ - + @@ -107,7 +107,7 @@ - + @@ -119,7 +119,7 @@ - + @@ -129,6 +129,7 @@ + @@ -138,7 +139,7 @@ - + @@ -150,7 +151,7 @@ - + @@ -162,7 +163,7 @@ - + @@ -171,12 +172,12 @@ - Windows Process Extension The Windows Process extension specifies a default extension for capturing properties specific to Windows processes. The key for this extension when used in the extensions dictionary MUST be windows-process-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Windows Process Extension MUST contain at least one property from this extension. + @@ -215,7 +216,7 @@ - + @@ -231,7 +232,6 @@ - Windows Service Extension The Windows Service extension specifies a default extension for capturing properties specific to Windows services. The key for this extension when used in the extensions dictionary MUST be windows-service-ext. Note that this predefined extension does not use the extension facility described in section 7.3. As all properties of this extension are optional, at least one of the properties defined below MUST be included when using this extension. 
@@ -257,7 +257,7 @@ group_name Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. - + @@ -272,8 +272,8 @@ - - service_dll_refs_id + + service_dll_refs_string Specifies the DLLs loaded by the service, as a reference to one or more File objects. The objects referenced in this property MUST be of type file. @@ -397,6 +397,12 @@ + + aslr_enabled + Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. + + + dep_enabled Specifies whether Data Execution Prevention (DEP) is enabled for the process. @@ -468,8 +474,8 @@ - - child_refs_id + + child_refs_string Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process objects. The objects referenced in this list MUST be of type process. @@ -492,8 +498,8 @@ - - creator_user_ref_id + + creator_user_ref_string Specifies the user that created the process, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. @@ -507,6 +513,7 @@ environment_variables Specifies the list of environment variables associated with the process as a dictionary. Each key in the dictionary MUST be a case preserved version of the name of the environment variable, and each corresponding value MUST be the environment variable value as a string. + @@ -515,8 +522,8 @@ - - image_ref_id + + image_ref_string Specifies the executable binary that was executed as the process image, as a reference to a File object. The object referenced in this property MUST be of type file. @@ -533,8 +540,8 @@ - - opened_connection_refs_id + + opened_connection_refs_string Specifies the list of network connections opened by the process, as a reference to one or more Network Traffic objects. The objects referenced in this list MUST be of type network-traffic. 
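Review bot: In the `@@ -257,7 +257,7 @@` hunk the `group_name` property of the Windows Service Extension still carries the description `Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process.`, which is the same text this commit adds for the new `aslr_enabled` property in the `@@ -397,6 +397,12 @@` hunk; the copy-paste on group_name is not corrected. Suggest `Specifies the name of the load ordering group of which the service is a member.`, which is what group_name means in the STIX 2.1 windows-service-ext. The ASLR wording on group_name is a context line, so it predates this commit; only the adjacent tag-level change is visible here.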
@@ -545,8 +552,8 @@ - - parent_ref_id + + parent_ref_string Specifies the other process that spawned (i.e. is the parent of) this one, as a reference to a Process object. The object referenced in this property MUST be of type process.
diff --git a/stix/core-objects/sco/software/software.owl b/stix/core-objects/sco/software/software.owl
index 4ccfe4a..f5e8a1c 100644
--- a/stix/core-objects/sco/software/software.owl
+++ b/stix/core-objects/sco/software/software.owl
@@ -18,7 +18,6 @@ - 2.1.0
diff --git a/stix/core-objects/sco/url/url.owl b/stix/core-objects/sco/url/url.owl
index b9b3388..45e7eac 100644
--- a/stix/core-objects/sco/url/url.owl
+++ b/stix/core-objects/sco/url/url.owl
@@ -17,7 +17,6 @@ - 2.1.0
@@ -29,7 +28,7 @@ - URL + URL Object The URL object represents the properties of a uniform resource locator (URL).
diff --git a/stix/core-objects/sco/user-account/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl
index 47fa9f8..e953044 100644
--- a/stix/core-objects/sco/user-account/user-account.owl
+++ b/stix/core-objects/sco/user-account/user-account.owl
@@ -23,6 +23,7 @@ + 
@@ -44,7 +45,7 @@ - + 
@@ -107,12 +108,12 @@ - User Account The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. + 
@@ -137,7 +138,6 @@ - UNIX Account Extension The UNIX account extension specifies a default extension for capturing the additional information for an account on a UNIX system. The key for this extension when used in the extensions dictionary MUST be unix-account-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the UNIX Account Extension MUST contain at least one property from this extension.
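Review bot: The software.owl `@@ -18,7 +18,6 @@` hunk deletes the `2.1.0` line with nothing added in its place, and the url.owl `@@ -17,7 +17,6 @@` hunk does the same. If that line is the module's version annotation (the element name is not visible here), removing it leaves the file with no in-band statement of which STIX revision it tracks, which is what downstream loaders use to detect mixed-version imports; either keep it or re-add it in the header alongside whatever annotation the other SCO modules now carry.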
@@ -195,11 +195,16 @@ Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login. For example, in the case of a Unix account with user_id 0, the account_login might be "root". - + account_type Specifies the type of the account. This is an open vocabulary and values SHOULD come from the account-type-ov open vocabulary. - + + + + + account-type-ov + @@ -258,9 +263,9 @@ - - - + + + can_escalate_privs Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account). diff --git a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl index 186c0c2..3fca3fc 100644 --- a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl +++ b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl @@ -22,6 +22,7 @@ + @@ -31,7 +32,7 @@ - + @@ -43,12 +44,12 @@ - + - + @@ -58,13 +59,11 @@ - - - WindowsRegistryKey - The Windows Registry Key object represents the properties of a Windows registry key.\n\nAs all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. + Windows Registry Key Object + The Registry Key object represents the properties of a Windows registry key. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. - + 
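Review bot: The `account-type-ov` lines added under `account_type` sit on a property whose comment says values "SHOULD come from the account-type-ov open vocabulary"; if the new markup makes that vocabulary the property's range (the tags are stripped here, so this is inferred), a reasoner will flag any instance carrying a user-defined value as inconsistent, which contradicts the SHOULD and the open-vocabulary contract. Either leave the range as a string and point to the vocabulary by annotation, or say in the comment that this ontology deliberately closes it, e.g. `Values are restricted to individuals of account-type-ov in this ontology; user-defined values are not accepted.` The parallel change for `data_type` in windows-registry-key.owl is fine as a closed range, since that property is a MUST against an enumeration.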
@@ -81,12 +80,11 @@ - + - - RegistryValue - The Windows Registry Value type captures the properties of a Windows Registry Key Value.\n\nAs all properties of this type are optional, at least one of the properties defined below MUST be included when using this type. + Windows Registry Value Type + The Windows Registry Value type captures the properties of a Windows Registry Key Value. As all properties of this type are optional, at least one of the properties defined below MUST be included when using this type. @@ -101,8 +99,8 @@ - - creator_user_ref_id + + creator_user_ref_string Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. @@ -112,11 +110,16 @@ Specifies the data contained in the registry value. - + data_type Specifies the registry (REG_*) data type used in the registry value.\n\nThe values of this property MUST come from the windows-registry-datatype-enum enumeration. - + + + + + windows-registry-datatype-enum + @@ -190,8 +193,8 @@ - - + + key @@ -214,7 +217,7 @@ values Specifies the number of subkeys contained under the registry key. - + \ No newline at end of file diff --git a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl index 829a086..94f1820 100644 --- a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl +++ b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl @@ -31,7 +31,7 @@ - + @@ -97,14 +97,14 @@ - + - X509Certificate + X.509 Certificate Object The X.509 Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509 [X.509]. An X.509 Certificate object MUST contain at least one object specific property (other than type) from this object. - + 
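Review bot: The first context line of the `@@ -214,7 +217,7 @@` hunk, "Specifies the number of subkeys contained under the registry key.", appears to be the comment of the `values` property named in the hunk context, but in STIX 2.1 that sentence describes `number_of_subkeys`; `values` should read `Specifies the values found under the registry key.` Raising it here because the commit rewrites the line immediately after it and leaves the description as is; the property boundary cannot be confirmed with the markup stripped, so please verify against the file.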
@@ -202,8 +202,8 @@ - X509v3Extensions - The X.509 v3 Extensions type captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names. An object using the X.509 v3 Extensions type MUST contain at least one property from this type.\n\nNote that the use of the term "extensions" in this context refers to the X.509 v3 Extensions type and is not a STIX Cyber Observables extension. Therefore, it is a type that describes X.509 extensions. + X.509 v3 Extensions Type + The X.509 v3 Extensions type captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names. An object using the X.509 v3 Extensions type MUST contain at least one property from this type. Note that the use of the term "extensions" in this context refers to the X.509 v3 Extensions type and is not a STIX Cyber Observables extension. Therefore, it is a type that describes X.509 extensions. @@ -371,7 +371,7 @@ x509_v3_extensions Specifies any standard X.509 v3 extensions that may be used in the certificate. - + \ No newline at end of file From 95bef5fcd6d9f14d5fa33cd2d962de2e1925e348 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Thu, 12 Jan 2023 19:57:04 -0800 Subject: [PATCH 20/70] touching the readme file --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 29f48bf..bd73c35 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# README +# README ## OASIS TC Open Repository: tac-ontology From 639fb15e60a320e719358462e49473124244b2d7 Mon Sep 17 00:00:00 2001 
From: Ryan Hohimer Date: Fri, 13 Jan 2023 07:28:33 -0800 Subject: [PATCH 21/70] Running the rdf-toolkit on the SCO changes --- json-dl-contexts/tac-kb-example.owl | 23 + stix/core-objects/sco/artifact/artifact.owl | 82 +- .../autonomus-system/autonomous-system.owl | 20 +- stix/core-objects/sco/directory/directory.owl | 66 +- .../sco/domain-name/domain-name.owl | 14 +- .../sco/email-address/email-address.owl | 14 +- .../sco/email-message/email-message.owl | 94 +- stix/core-objects/sco/file/file.owl | 942 +++++++++--------- .../sco/ipv4-address/ipv4-address.owl | 18 +- .../sco/ipv6-address/ipv6-address.owl | 18 +- .../sco/mac-address/mac-address.owl | 4 +- stix/core-objects/sco/mutex/mutex.owl | 2 +- .../sco/network-traffic/network-traffic.owl | 546 +++++----- stix/core-objects/sco/process/process.owl | 364 +++---- stix/core-objects/sco/software/software.owl | 12 +- stix/core-objects/sco/url/url.owl | 4 +- .../sco/user-account/user-account.owl | 266 ++--- .../windows-registry-key.owl | 192 ++-- .../sco/x509-vertificate/x509-certificate.owl | 88 +- stix/vocabularies/vocabulary-user-defs.owl | 2 +- 20 files changed, 1397 insertions(+), 1374 deletions(-) create mode 100644 json-dl-contexts/tac-kb-example.owl diff --git a/json-dl-contexts/tac-kb-example.owl b/json-dl-contexts/tac-kb-example.owl new file mode 100644 index 0000000..74d7e47 --- /dev/null +++ b/json-dl-contexts/tac-kb-example.owl @@ -0,0 +1,23 @@ + + + + + + +]> + + + + The TAC ontology is a knowledge representation framework focused on comprehensively representing the context around adversaries. The project comprises a set of concept definitions and their relationships encoded in Web Ontology Language (OWL) that altogether harmonise into what we call the Threat Actor Context ontology. + + + + + \ No newline at end of file diff --git a/stix/core-objects/sco/artifact/artifact.owl b/stix/core-objects/sco/artifact/artifact.owl index 0fb7992..75dfab0 100644 --- a/stix/core-objects/sco/artifact/artifact.owl 
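Review bot: The new file is placed under `json-dl-contexts/`, which looks like a typo for JSON-LD given that the context files this series adds are JSON-LD `@context` documents; renaming the directory now is cheaper than carrying a misspelled path that tooling and docs will have to special-case. The hunk also shows a DOCTYPE internal subset (`]>`) ahead of the root element, which is normal rdf-toolkit output, but the loaders that ingest these .owl files should resolve entities from the internal subset only and keep external DTD and entity fetching disabled. The file is written without a trailing newline, unlike most of the other modules in this commit.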
+++ b/stix/core-objects/sco/artifact/artifact.owl @@ -24,19 +24,13 @@ - + - - - - - - - + @@ -48,13 +42,19 @@ - + - + + + + + + + @@ -62,36 +62,6 @@ The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. - - mime_type - Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. - - - - - payload_bin - Specifies the binary data contained in the artifact as a base64-encoded string. This property MUST NOT be present if url is provided. - - - - - url - The value of this property MUST be a valid URL that resolves to the unencoded content. This property MUST NOT be present if payload_bin is provided. - - - - - hashes - Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. - - - - - encryption algorithm - If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in. The value of this property MUST come from the encryption-algorithm-enum enumeration. If both mime_type and encryption_algorithm are included, this signifies that the artifact represents an encrypted archive. - - - encryption-algorithm-enum 
@@ -115,11 +85,41 @@ - + decryption_key Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive. This property MUST NOT be present when the encryption_algorithm property is absent. + + encryption algorithm + If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in. The value of this property MUST come from the encryption-algorithm-enum enumeration. If both mime_type and encryption_algorithm are included, this signifies that the artifact represents an encrypted archive. + + + + + hashes + Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. + + + + + mime_type + Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. + + + + + payload_bin + Specifies the binary data contained in the artifact as a base64-encoded string. This property MUST NOT be present if url is provided. + + + + + url + The value of this property MUST be a valid URL that resolves to the unencoded content. This property MUST NOT be present if payload_bin is provided. + + + \ No newline at end of file diff --git a/stix/core-objects/sco/autonomus-system/autonomous-system.owl b/stix/core-objects/sco/autonomus-system/autonomous-system.owl index eaa98dd..e1e4e85 100644 --- a/stix/core-objects/sco/autonomus-system/autonomous-system.owl +++ b/stix/core-objects/sco/autonomus-system/autonomous-system.owl 
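Review bot: The relocated `encryption algorithm` label in the block after `decryption_key` uses a space where every sibling label in the same hunk (`decryption_key`, `hashes`, `mime_type`, `payload_bin`, `url`) and the STIX property name use an underscore, and the comment beneath it already refers to `encryption_algorithm`. It is a moved line rather than a new one, but since this tool run rewrites the whole property block it is the natural moment to change it to `encryption_algorithm` so label-based lookups match the other properties.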
@@ -24,14 +24,14 @@ - - + + - - + + @@ -44,18 +44,18 @@ This object represents the properties of an Autonomous System (AS). - - number - Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registry (RIR). - - - name Specifies the name of the AS. + + number + Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registry (RIR). + + + rir Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS. diff --git a/stix/core-objects/sco/directory/directory.owl b/stix/core-objects/sco/directory/directory.owl index 3c847f2..8ecaa51 100644 --- a/stix/core-objects/sco/directory/directory.owl +++ b/stix/core-objects/sco/directory/directory.owl @@ -25,44 +25,44 @@ - - + + - - + + + - - + + - + - + - - - + + - + @@ -76,6 +76,27 @@ + + contains_refs + Specifies a list of references to other File and/or Directory objects contained within the directory. The objects referenced in this list MUST be of type file or directory. + + + + + + + + + + + + + + contains_refs_id + Specifies a list of references to other File and/or Directory objects contained within the directory. The objects referenced in this list MUST be of type file or directory. + + + ctime Specifies the date/time the directory was created. @@ -100,25 +121,4 @@ - - contains_refs - Specifies a list of references to other File and/or Directory objects contained within the directory. The objects referenced in this list MUST be of type file or directory. - - - - - - - - - - - - - - contains_refs_id - Specifies a list of references to other File and/or Directory objects contained within the directory. The objects referenced in this list MUST be of type file or directory. - - - \ No newline at end of file diff --git a/stix/core-objects/sco/domain-name/domain-name.owl b/stix/core-objects/sco/domain-name/domain-name.owl index 31e6a08..2f54cb3 100644 
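Review bot: directory.owl still defines `contains_refs_id` (re-emitted on the new side of the `@@ -76,6 +76,27 @@` hunk), whereas the preceding commit renamed the `_id` reference properties in process.owl, network-traffic.owl and windows-registry-key.owl to `_string`, and file.owl in this commit uses `contains_refs_string`; a consumer mapping STIX `*_ref` properties now has to handle two naming schemes. Both `contains_refs` and `contains_refs_id` also carry an identical comment, so nothing tells a reader which holds an object reference and which a literal; suggest the comment on the literal form state `Literal form of contains_refs: holds the STIX ids of the referenced File or Directory objects as strings.`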
--- a/stix/core-objects/sco/domain-name/domain-name.owl +++ b/stix/core-objects/sco/domain-name/domain-name.owl @@ -23,12 +23,7 @@ - - - - - - + @@ -43,7 +38,12 @@ - + + + + + + Domain Name The Domain Name object represents the properties of a network domain name. diff --git a/stix/core-objects/sco/email-address/email-address.owl b/stix/core-objects/sco/email-address/email-address.owl index b3c38c1..583041e 100644 --- a/stix/core-objects/sco/email-address/email-address.owl +++ b/stix/core-objects/sco/email-address/email-address.owl @@ -25,25 +25,25 @@ - - + + - + - - + + - + @@ -68,7 +68,7 @@ Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. This property corresponds to the display-name construction in section 3.4 of [RFC5322], for example, Jane Smith. - + value Specifies the value of the email address. This MUST NOT include the display name. This property corresponds to the addr-spec construction in section 3.4 of [RFC5322], for example, jane.smith@example.com. diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl index 6bdf494..6e33371 100644 --- a/stix/core-objects/sco/email-message/email-message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl @@ -29,91 +29,91 @@ - - + + - - + + - + - - + + - - + + - + - + - - + + - - + + - + - + - - + + - + - - + + - + 
@@ -125,36 +125,36 @@ - - + + - + - - + + - - + + - + EmailMessage - The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs. Header field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. + The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs. Header field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. 
@@ -179,18 +179,18 @@ - + - + Email MIME Component Type - Specifies one component of a multi-part email body. There is no property to capture the value of the "Content-Transfer-Encoding" header field, since the body MUST be decoded before being represented in the body property. One of body OR body_raw_ref MUST be included. + Specifies one component of a multi-part email body. There is no property to capture the value of the "Content-Transfer-Encoding" header field, since the body MUST be decoded before being represented in the body property. One of body OR body_raw_ref MUST be included. @@ -200,13 +200,13 @@ bcc_refs - Specifies the mailboxes that are "BCC:" recipients of the email message. As per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized. The objects referenced in this list MUST be of type email-address. + Specifies the mailboxes that are "BCC:" recipients of the email message. As per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized. The objects referenced in this list MUST be of type email-address. bcc_refs_string - Specifies the mailboxes that are "BCC:" recipients of the email message. As per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized. The objects referenced in this list MUST be of type email-address. + Specifies the mailboxes that are "BCC:" recipients of the email message. As per [RFC5322], the absence of this property should not be interpreted as semantically equivalent to an absent BCC header on the message being characterized. The objects referenced in this list MUST be of type email-address. 
@@ -236,19 +236,19 @@ cc_refs - Specifies the mailboxes that are "CC:" recipients of the email message. The objects referenced in this list MUST be of type email-address. + Specifies the mailboxes that are "CC:" recipients of the email message. The objects referenced in this list MUST be of type email-address. cc_refs_string - Specifies the mailboxes that are "CC:" recipients of the email message. The objects referenced in this list MUST be of type email-address. + Specifies the mailboxes that are "CC:" recipients of the email message. The objects referenced in this list MUST be of type email-address. content_disposition - Specifies the value of the "Content-Disposition" header field of the MIME part. + Specifies the value of the "Content-Disposition" header field of the MIME part. @@ -265,13 +265,13 @@ from_ref - Specifies the value of the "From:" header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message. The object referenced in this property MUST be of type email-address. + Specifies the value of the "From:" header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message. The object referenced in this property MUST be of type email-address. from_ref_string - Specifies the value of the "From:" header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message. The object referenced in this property MUST be of type email-address. + Specifies the value of the "From:" header of the email message. The "From:" field specifies the author of the message, that is, the mailbox(es) of the person or system responsible for the writing of the message. The object referenced in this property MUST be of type email-address. 
@@ -301,19 +301,19 @@ received_lines - Specifies one or more "Received" header fields that may be included in the email headers. List values MUST appear in the same order as present in the email message. + Specifies one or more "Received" header fields that may be included in the email headers. List values MUST appear in the same order as present in the email message. sender_ref - Specifies the value of the "Sender" field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. The object referenced in this property MUST be of type email-address. + Specifies the value of the "Sender" field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. The object referenced in this property MUST be of type email-address. sender_ref_string - Specifies the value of the "Sender" field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. The object referenced in this property MUST be of type email-address. + Specifies the value of the "Sender" field of the email message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. The object referenced in this property MUST be of type email-address. @@ -325,13 +325,13 @@ to_refs - Specifies the mailboxes that are "To:" recipients of the email message. The objects referenced in this list MUST be of type email-address. + Specifies the mailboxes that are "To:" recipients of the email message. The objects referenced in this list MUST be of type email-address. to_refs_string - Specifies the mailboxes that are "To:" recipients of the email message. The objects referenced in this list MUST be of type email-address. + Specifies the mailboxes that are "To:" recipients of the email message. The objects referenced in this list MUST be of type email-address. 
diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl
index f7458fa..0621f0a 100644
--- a/stix/core-objects/sco/file/file.owl
+++ b/stix/core-objects/sco/file/file.owl
@@ -33,8 +33,8 @@ 2.1.0 - - + + 
@@ -43,164 +43,164 @@ - - + + - - + + + Alternate Data Stream Type + The Alternate Data Stream type represents an NTFS alternate data stream. + + + + - + - - + + - + + Archive File Extension + The Archive File extension specifies a default extension for capturing properties specific to archive files. The key for this extension when used in the extensions dictionary MUST be archive-ext. Note that this predefined extension does not use the extension facility described in section 7.3. + + + + - + - - + + - - + + - - + + - + - - + + - - + + - - + + - + - File - The File object represents the properties of a file. A File object MUST contain at least one of hashes or name. - - - - - - + + - + - + - Archive File Extension - The Archive File extension specifies a default extension for capturing properties specific to archive files. The key for this extension when used in the extensions dictionary MUST be archive-ext. Note that this predefined extension does not use the extension facility described in section 7.3. - - - - - - + + - - + + - NTFS File Extension - The NTFS file extension specifies a default extension for capturing properties specific to the storage of the file on the NTFS file system. The key for this extension when used in the extensions dictionary MUST be ntfs-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the NTFS File Extension MUST contain at least one property from this extension. - - - - - - + + + File + The File object represents the properties of a file. A File object MUST contain at least one of hashes or name. + + + + - - + + - - + + - Alternate Data Stream Type - The Alternate Data Stream type represents an NTFS alternate data stream. + NTFS File Extension + The NTFS file extension specifies a default extension for capturing properties specific to the storage of the file on the NTFS file system. The key for this extension when used in the extensions dictionary MUST be ntfs-ext. 
Note that this predefined extension does not use the extension facility described in section 7.3. An object using the NTFS File Extension MUST contain at least one property from this extension. - + - - + + 
@@ -211,242 +211,256 @@ - - + + - + - + PDF File Extension The PDF file extension specifies a default extension for capturing properties specific to PDF files. The key for this extension when used in the extensions dictionary MUST be pdf-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the PDF File Extension MUST contain at least one property from this extension. - + - + - - + + - + - - + + Raster Image File Extension The Raster Image file extension specifies a default extension for capturing properties specific to raster image files. The key for this extension when used in the extensions dictionary MUST be raster-image-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Raster Image File Extension MUST contain at least one property from this extension. - - - + + + windows-pebinary-type-ov-open + Defines an open-vocabulary used to capture the types of Windows PE files + + + + + user-definition-01 + + + user-definition-02 + + + + + + + + + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - + - - + + - - + + - - + + - Windows PE Binary File Extension - The Windows PE Binary File extension specifies a default extension for capturing properties specific to Windows portable executable (PE) files. The key for this extension when used in the extensions dictionary MUST be windows-pebinary-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Windows™ PE Binary File Extension MUST contain at least one property other than the required pe_type property from this extension. - - - - - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + + 
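Review bot: The new `windows-pebinary-type-ov-open` vocabulary shows only `user-definition-01` and `user-definition-02` as members, while STIX 2.1's windows-pebinary-type-ov defines `dll`, `exe` and `sys`; if those individuals are not declared elsewhere (stripped markup may hide resource references), the vocabulary as defined here cannot classify a real PE file and the placeholder names will leak into downstream data. The comment `Defines an open-vocabulary used to capture the types of Windows PE files` also lacks the closing period every other comment in this file has.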
@@ -455,153 +469,117 @@ + Windows PE Optional Header Type + The Windows PE Optional Header type represents the properties of the PE optional header. An object using the Windows PE Optional Header Type MUST contain at least one property from this type. + + + + - - + + - - + + - - + + - - + + + Windows PE Section Type + The Windows PE Section type specifies metadata about a PE file section. + + + + - + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - Windows PE Optional Header Type - The Windows PE Optional Header type represents the properties of the PE optional header. An object using the Windows PE Optional Header Type MUST contain at least one property from this type. - - - - - - + + - - + + - - + + - - + + - Windows PE Section Type - The Windows PE Section type specifies metadata about a PE file section. + Windows PE Binary File Extension + The Windows PE Binary File extension specifies a default extension for capturing properties specific to Windows portable executable (PE) files. The key for this extension when used in the extensions dictionary MUST be windows-pebinary-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Windows™ PE Binary File Extension MUST contain at least one property other than the required pe_type property from this extension. - - - entropy - Specifies the calculated entropy for the section, as calculated using the Shannon algorithm (https://en.wiktionary.org/wiki/Shannon_entropy). The size of each input character is defined as a byte, resulting in a possible range of 0 through 8. - - - - - magic_hex - Specifies the hex value that indicates the type of the PE binary. - - - - - major_linker_version - Specifies the linker major version number. - - - - - minor_linker_version - Specifies the linker minor version number. - - - - - size_of_code - Specifies the size of the code (text) section. 
If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. - - - - - size_of_initialized_data - Specifies the size of the initialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. - - - - - size_of_uninitialized_data - Specifies the size of the uninitialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. - - address_of_entry_point @@ -609,6 +587,18 @@ + + alternate_data_streams + Specifies a list of NTFS alternate data streams that exist for the file. + + + + + atime + Specifies the date/time the file was last accessed. + + + base_of_code Specifies the address that is relative to the image base of the beginning-of-code section when it is loaded into memory. 
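Review bot: The `@@ -455,153 +469,117 @@` hunk removes seven complete property definitions (`entropy`, `magic_hex`, `major_linker_version`, `minor_linker_version`, `size_of_code`, `size_of_initialized_data`, `size_of_uninitialized_data`) with a net loss of 36 lines, and only `entropy` is visible being re-added later on this page. For a serializer run that should be a pure reorder, please confirm the other six reappear in the new output; a dropped definition would not fail the build, it would just silently stop mapping those PE fields.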
@@ -621,118 +611,122 @@ - - image_base - Specifies the preferred address of the first byte of the image when loaded into memory. + + bits_per_pixel + Specifies the sum of bits used for each color channel in the image file, and thus the total number of pixels used for expressing the color depth of the image. - - section_alignment - Specifies the alignment (in bytes) of PE sections when they are loaded into memory. - + + characteristics_hex + Specifies the flags that indicate the file's characteristics. + - - file_alignment - Specifies the factor (in bytes) that is used to align the raw data of sections in the image file. - + + checksum_hex + Specifies the checksum of the PE binary. + - - major_os_version - Specifies the major version number of the required operating system. - + + comment + Specifies a comment included as part of the archive file. + - - minor_os_version - Specifies the minor version number of the required operating system. - - + + contains_refs + + - - major_image_version - Specifies the major version number of the image. - + + contains_refs_string + - - minor_image_version - Specifies the minor version number of the image. - - + + content_ref + Specifies the content of the file, represented as an Artifact object. The object referenced in this property MUST be of type artifact. + + - - major_subsystem_version - Specifies the major version number of the subsystem. - + + content_ref_string + Specifies the content of the file, represented as an Artifact object. The object referenced in this property MUST be of type artifact. + - - minor_subsystem_version - Specifies the minor version number of the subsystem. - + + ctime + Specifies the date/time the file was created. + - - win32_version_value_hex - Specifies the reserved win32 version value. + + dll_characteristics_hex + Specifies the flags that characterize the PE binary. - - size_of_image - Specifies the size of the image in bytes, including all headers, as the image is loaded in memory. 
The value of this property MUST NOT be negative. - - + + document_info_dict + Specifies details of the PDF document information dictionary (DID), which includes properties like the document creation data and producer, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the corresponding entry in the document information dictionary without the prepended forward slash, e.g., Title. The corresponding value for the key MUST be the value specified for the document information dictionary entry, as a string. + + - - size_of_headers - Specifies the combined size of the MS-DOS, PE header, and section headers, rounded up to a multiple of the value specified in the file_alignment header. The value of this property MUST NOT be negative.. - + + entropy + Specifies the calculated entropy for the section, as calculated using the Shannon algorithm (https://en.wiktionary.org/wiki/Shannon_entropy). The size of each input character is defined as a byte, resulting in a possible range of 0 through 8. + - - checksum_hex - Specifies the checksum of the PE binary. - + + exif_tags + Specifies the set of EXIF tags found in the image file, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single EXIF tag. Accordingly, each dictionary key MUST be a case-preserved version of the EXIF tag name, e.g., XResolution. Each dictionary value MUST be either an integer (for int* EXIF datatypes) or a string (for all other EXIF datatypes). + + + + + file_alignment + Specifies the factor (in bytes) that is used to align the raw data of sections in the image file. + - - subsystem_hex - Specifies the subsystem (e.g., GUI, device driver, etc.) that is required to run this image. - + + file_header_hashes + Specifies any hashes that were computed for the file header. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. + - - dll_characteristics_hex - Specifies the flags that characterize the PE binary. 
- + + image_base + Specifies the preferred address of the first byte of the image when loaded into memory. + - - size_of_stack_reserve - Specifies the size of the stack to reserve, in bytes. The value of this property MUST NOT be negative. - + + image_height + Specifies the height of the image in the image file, in pixels. + - - size_of_stack_commit - Specifies the size of the stack to commit, in bytes. The value of this property MUST NOT be negative. - + + image_width + Specifies the width of the image in the image file, in pixels. + - - size_of_heap_reserve - Specifies the size of the local heap space to reserve, in bytes. The value of this property MUST NOT be negative. - + + imphash + Specifies the special import hash, or 'imphash', calculated for the PE Binary based on its imported libraries and functions. For more information on the imphash algorithm, see the original article by Mandiant/FireEye [FireEye 2014]. + - - size_of_heap_commit - Specifies the size of the local heap space to commit, in bytes. The value of this property MUST NOT be negative. - + + is_optimized + Specifies whether the PDF file has been optimized. + 
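Review bot: `contains_refs` and `contains_refs_string` are added in this hunk with no description at all, while every neighbouring entry (`content_ref`, `ctime`, `comment`) carries a `Specifies ...` comment; the same gap appears for `name` in the next hunk (`@@ -741,254 +735,260 @@`). A reader of the ontology cannot tell from these entries that the list is meant to reference other observable objects, so I would add, following the `content_ref` pattern, `Specifies a list of references to other Cyber-observable Objects contained within the file. The objects referenced in this list MUST be Cyber-observable Objects.` on both `contains_refs` entries, and `Specifies the name of the file.` on `name`. The `_string` variants elsewhere in the hunk repeat the text of their reference counterpart, so the two `contains_refs` entries should do the same.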
@@ -741,254 +735,260 @@ - - number_of_rva_and_sizes - Specifies the number of data-directory entries in the remainder of the optional header. + + machine_hex + Specifies the type of target machine. + + + + + magic_hex + Specifies the hex value that indicates the type of the PE binary. + + + + + magic_number_hex + Specifies the hexadecimal constant ("magic number") associated with a specific file format that corresponds to the file, if applicable. + + + + + major_image_version + Specifies the major version number of the image. + + + + + major_linker_version + Specifies the linker major version number. + + + + + major_os_version + Specifies the major version number of the required operating system. + + + + + major_subsystem_version + Specifies the major version number of the subsystem. + + + + + mime_type + Specifies the MIME type name specified for the file, e.g., application/msword. Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types].Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. - - pe_type - Specifies the type of the PE binary. This is an open vocabulary and values SHOULD come from the windows-pebinary-type-ov open vocabulary. - + + minor_image_version + Specifies the minor version number of the image. + - - - windows-pebinary-type-ov-open - Defines an open-vocabulary used to capture the types of Windows PE files - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - imphash - Specifies the special import hash, or 'imphash', calculated for the PE Binary based on its imported libraries and functions. For more information on the imphash algorithm, see the original article by Mandiant/FireEye [FireEye 2014]. 
+ + minor_linker_version + Specifies the linker minor version number. + + + + + minor_os_version + Specifies the minor version number of the required operating system. + + + + + minor_subsystem_version + Specifies the minor version number of the subsystem. + + + + + mtime + Specifies the date/time the file was last written to/modified. + + + + + name - - - machine_hex - Specifies the type of target machine. - + + + name_enc + Specifies the observed encoding for the name of the file. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the value from the Preferred MIME Name column for a character set is defined, this value MUST be used; if it is not defined, then the value from the Name column in the registry MUST be used instead. This property allows for the capture of the original text encoding for the file name, which may be forensically relevant; for example, a file on an NTFS volume whose name was created using the windows-1251 encoding, commonly used for languages based on Cyrillic script. + - + + + number_of_rva_and_sizes + Specifies the number of data-directory entries in the remainder of the optional header. + + + number_of_sections Specifies the number of sections in the PE binary, as a non-negative integer. - - - time_date_stamp - Specifies the time when the PE binary was created. The timestamp value MUST be precise to the second. - - - - - pointer_to_symbol_table_hex - Specifies the file offset of the COFF symbol table. - - - + number_of_symbols Specifies the number of entries in the symbol table of the PE binary, as a non-negative integer. - - - size_of_optional_header - Specifies the size of the optional header of the PE binary. The value of this property MUST NOT be negative. - - - - - characteristics_hex - Specifies the flags that indicate the file's characteristics. - - - - - file_header_hashes - Specifies any hashes that were computed for the file header. 
Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. - - - + optional_header Specifies the PE optional header of the PE binary. When used, at least one property from the windows-pe-optional-header-type MUST be included. - - - sections - Specifies metadata about the sections in the PE file. - - - - - image_height - Specifies the height of the image in the image file, in pixels. - - - - - image_width - Specifies the width of the image in the image file, in pixels. - - - - - bits_per_pixel - Specifies the sum of bits used for each color channel in the image file, and thus the total number of pixels used for expressing the color depth of the image. - - - - - exif_tags - Specifies the set of EXIF tags found in the image file, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single EXIF tag. Accordingly, each dictionary key MUST be a case-preserved version of the EXIF tag name, e.g., XResolution. Each dictionary value MUST be either an integer (for int* EXIF datatypes) or a string (for all other EXIF datatypes). - + + + parent_directory_ref + Specifies the parent directory of the file, as a reference to a Directory object. The object referenced in this property MUST be of type directory. + - - - version - Specifies the decimal version number of the string from the PDF header that specifies the version of the PDF specification to which the PDF file conforms. E.g., 1.4. + + + parent_directory_ref_string + Specifies the parent directory of the file, as a reference to a Directory object. The object referenced in this property MUST be of type directory. - - - is_optimized - Specifies whether the PDF file has been optimized. - - - - - document_info_dict - Specifies details of the PDF document information dictionary (DID), which includes properties like the document creation data and producer, as a dictionary. 
Each key in the dictionary SHOULD be a case-preserved version of the corresponding entry in the document information dictionary without the prepended forward slash, e.g., Title. The corresponding value for the key MUST be the value specified for the document information dictionary entry, as a string. - - - + pdfid0 Specifies the first file identifier found for the PDF file. - + pdfid1 Specifies the second file identifier found for the PDF file. - + + + pe_type + Specifies the type of the PE binary. This is an open vocabulary and values SHOULD come from the windows-pebinary-type-ov open vocabulary. + + + + + pointer_to_symbol_table_hex + Specifies the file offset of the COFF symbol table. + + + + + section_alignment + Specifies the alignment (in bytes) of PE sections when they are loaded into memory. + + + + + sections + Specifies metadata about the sections in the PE file. + + + sid Specifies the security ID (SID) value assigned to the file. - - - alternate_data_streams - Specifies a list of NTFS alternate data streams that exist for the file. - - - - - comment - Specifies a comment included as part of the archive file. - - size - - - name - + + + size_of_code + Specifies the size of the code (text) section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. + - - - name_enc - Specifies the observed encoding for the name of the file. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the value from the Preferred MIME Name column for a character set is defined, this value MUST be used; if it is not defined, then the value from the Name column in the registry MUST be used instead. 
This property allows for the capture of the original text encoding for the file name, which may be forensically relevant; for example, a file on an NTFS volume whose name was created using the windows-1251 encoding, commonly used for languages based on Cyrillic script. - + + + size_of_headers + Specifies the combined size of the MS-DOS, PE header, and section headers, rounded up to a multiple of the value specified in the file_alignment header. The value of this property MUST NOT be negative.. + - - - magic_number_hex - Specifies the hexadecimal constant ("magic number") associated with a specific file format that corresponds to the file, if applicable. - + + + size_of_heap_commit + Specifies the size of the local heap space to commit, in bytes. The value of this property MUST NOT be negative. + - - - mime_type - Specifies the MIME type name specified for the file, e.g., application/msword. Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types].Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. - + + + size_of_heap_reserve + Specifies the size of the local heap space to reserve, in bytes. The value of this property MUST NOT be negative. + - - - ctime - Specifies the date/time the file was created. - + + + size_of_image + Specifies the size of the image in bytes, including all headers, as the image is loaded in memory. The value of this property MUST NOT be negative. + - - mtime - Specifies the date/time the file was last written to/modified. - + + size_of_initialized_data + Specifies the size of the initialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. 
+ - - - atime - Specifies the date/time the file was last accessed. - + + + size_of_optional_header + Specifies the size of the optional header of the PE binary. The value of this property MUST NOT be negative. + - - - parent_directory_ref - Specifies the parent directory of the file, as a reference to a Directory object. The object referenced in this property MUST be of type directory. - - - - parent_directory_ref_string - Specifies the parent directory of the file, as a reference to a Directory object. The object referenced in this property MUST be of type directory. - + + size_of_stack_commit + Specifies the size of the stack to commit, in bytes. The value of this property MUST NOT be negative. + - - - contains_refs - - - - contains_refs_string - + + size_of_stack_reserve + Specifies the size of the stack to reserve, in bytes. The value of this property MUST NOT be negative. + - - - content_ref - Specifies the content of the file, represented as an Artifact object. The object referenced in this property MUST be of type artifact. - - - - content_ref_string - Specifies the content of the file, represented as an Artifact object. The object referenced in this property MUST be of type artifact. + + size_of_uninitialized_data + Specifies the size of the uninitialized data section. If there are multiple such sections, this refers to the sum of the sizes of each section. The value of this property MUST NOT be negative. + + + + + subsystem_hex + Specifies the subsystem (e.g., GUI, device driver, etc.) that is required to run this image. + + + + + time_date_stamp + Specifies the time when the PE binary was created. The timestamp value MUST be precise to the second. + + + + + version + Specifies the decimal version number of the string from the PDF header that specifies the version of the PDF specification to which the PDF file conforms. E.g., 1.4. + + win32_version_value_hex + Specifies the reserved win32 version value. + + + \ No newline at end of file 
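Review bot: Two of the re-added comments carry typos over from the removed text: `size_of_headers` ends with `negative..` and `mime_type` runs `[Media Types].Maintaining` together without a space. Since the hunk rewrites these lines anyway, it is the moment to correct them to `The value of this property MUST NOT be negative.` and `[Media Types]. Maintaining a comprehensive ...`. The file is also left without a trailing newline (`\ No newline at end of file`), which turns every later append into a spurious change of the last line; ending the file with a newline avoids that.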
diff --git a/stix/core-objects/sco/ipv4-address/ipv4-address.owl b/stix/core-objects/sco/ipv4-address/ipv4-address.owl index 8af6407..098de80 100644 --- a/stix/core-objects/sco/ipv4-address/ipv4-address.owl +++ b/stix/core-objects/sco/ipv4-address/ipv4-address.owl @@ -30,7 +30,13 @@ - + + + + + + + @@ -48,13 +54,7 @@ - - - - - - - + @@ -85,7 +85,7 @@ Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv4 address resolves to. The objects referenced in this list MUST be of type mac-addr. - + value Specifies the values of one or more IPv4 addresses expressed using CIDR notation. If a given IPv4 Address object represents a single IPv4 address, the CIDR /32 suffix MAY be omitted. Example: 10.2.4.5/24 diff --git a/stix/core-objects/sco/ipv6-address/ipv6-address.owl b/stix/core-objects/sco/ipv6-address/ipv6-address.owl index 02edc4c..e975c58 100644 --- a/stix/core-objects/sco/ipv6-address/ipv6-address.owl +++ b/stix/core-objects/sco/ipv6-address/ipv6-address.owl @@ -30,7 +30,13 @@ - + + + + + + + @@ -48,13 +54,7 @@ - - - - - - - + @@ -85,7 +85,7 @@ Specifies a list of references to one or more Layer 2 Media Access Control (MAC) addresses that the IPv6 address resolves to. The objects referenced in this list MUST be of type mac-addr. - + value Specifies the values of one or more IPv6 addresses expressed using CIDR notation. If a given IPv6 Address object represents a single IPv6 address, the CIDR /128 suffix MAY be omitted. diff --git a/stix/core-objects/sco/mac-address/mac-address.owl b/stix/core-objects/sco/mac-address/mac-address.owl index 59a79be..a8f793f 100644 --- a/stix/core-objects/sco/mac-address/mac-address.owl +++ b/stix/core-objects/sco/mac-address/mac-address.owl 
@@ -31,10 +31,10 @@ MAC Address Object The MAC Address object represents a single Media Access Control (MAC) address. - + value - Specifies the value of a single MAC address. The MAC address value MUST be represented as a single colon-delimited, lowercase MAC-48 address, which MUST include leading zeros for each octet. Example: 00:00:ab:cd:ef:01 + Specifies the value of a single MAC address. The MAC address value MUST be represented as a single colon-delimited, lowercase MAC-48 address, which MUST include leading zeros for each octet. Example: 00:00:ab:cd:ef:01 diff --git a/stix/core-objects/sco/mutex/mutex.owl b/stix/core-objects/sco/mutex/mutex.owl index 2762227..b288065 100644 --- a/stix/core-objects/sco/mutex/mutex.owl +++ b/stix/core-objects/sco/mutex/mutex.owl @@ -31,7 +31,7 @@ Mutex Object The Mutex object represents the properties of a mutual exclusion (mutex) object. - + name Specifies the name of the mutex object. diff --git a/stix/core-objects/sco/network-traffic/network-traffic.owl b/stix/core-objects/sco/network-traffic/network-traffic.owl index 1248f2a..c38669b 100644 --- a/stix/core-objects/sco/network-traffic/network-traffic.owl +++ b/stix/core-objects/sco/network-traffic/network-traffic.owl 
@@ -28,125 +28,211 @@ 2.1.0 - - + + - - + + - - + + - - + + - - - - - + + - + - - - - - - - - - - + - - + + + HTTP Request Extension + The HTTP request extension specifies a default extension for capturing network traffic properties specific to HTTP requests. The key for this extension when used in the extensions dictionary MUST be http-request-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is http. + + + + - - + + - - + + + ICMP Extension + The ICMP extension specifies a default extension for capturing network traffic properties specific to ICMP. The key for this extension when used in the extensions dictionary MUST be icmp-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is icmp. + + + + network-socket-address-family-enum + + + + + AF_UNSPEC + + + AF_INET + + + AF_IPX + + + AF_APPLETALK + + + AF_NETBIOS + + + AF_INET6 + + + AF_IRDA + + + AF_BTH + + + + + + + + + + + + + + + + + + + + + + + network-socket-type-enum + + + + + SOCK_STREAM + + + SOCK_DGRAM + + + SOCK_RAW + + + SOCK_RDM + + + SOCK_SEQPACKET + + + + + + + + + + + + + + + + + - + - + - - + + - - + + - - + + - - + + + + + - + - - + + - + 
@@ -164,84 +250,81 @@ - - + + - - + + - Network Traffic - The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. This MAY also include traffic that is not established, such as a SYN flood. To allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization's network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties. - - - - - - + + - + - - + + - - + + - - + + - - + + - - + + - HTTP Request Extension - The HTTP request extension specifies a default extension for capturing network traffic properties specific to HTTP requests. The key for this extension when used in the extensions dictionary MUST be http-request-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is http. - - - - - - + + + + + - - + + - ICMP Extension - The ICMP extension specifies a default extension for capturing network traffic properties specific to ICMP. The key for this extension when used in the extensions dictionary MUST be icmp-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is icmp. + + + + + + + Network Traffic + The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination. The network traffic MAY or MAY NOT constitute a valid unicast, multicast, or broadcast network connection. 
This MAY also include traffic that is not established, such as a SYN flood. To allow for use cases where a source or destination address may be sensitive and not suitable for sharing, such as addresses that are internal to an organization's network, the source and destination properties (src_ref and dst_ref, respectively) are defined as optional in the properties table below. However, a Network Traffic object MUST contain the protocols property and at least one of the src_ref or dst_ref properties and SHOULD contain the src_port and dst_port properties. @@ -272,37 +355,37 @@ - - + + - + - - + + Network Socket Extension The Network Socket extension specifies a default extension for capturing network traffic properties associated with network sockets. The key for this extension when used in the extensions dictionary MUST be socket-ext. Note that this predefined extension does not use the extension facility described in section 7.3. - + - + - + 
@@ -310,120 +393,24 @@ The TCP extension specifies a default extension for capturing network traffic properties specific to TCP. The key for this extension when used in the extensions dictionary MUST be tcp-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is tcp. An object using the TCP Extension MUST contain at least one property from this extension. - - src_flags_hex - Specifies the source TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property). If the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon. - - - - - dst_flags_hex - Specifies the destination TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property). If the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon. - - - address_family - Specifies the address family (AF_*) that the socket is configured for. The values of this property MUST come from the network-socket-address-family-enum enumeration. + Specifies the address family (AF_*) that the socket is configured for. The values of this property MUST come from the network-socket-address-family-enum enumeration. - - is_blocking - Specifies whether the socket is in blocking mode. - - - - - is_listening - Specifies whether the socket is in listening mode. - - - - - options - Specifies any options (e.g., SO_*) that may be used by the socket, as a dictionary. 
Each key in the dictionary SHOULD be a case-preserved version of the option name, e.g., SO_ACCEPTCONN. Each key value in the dictionary MUST be the value for the corresponding options key. Each dictionary value MUST be an integer. For SO_RCVTIMEO, SO_SNDTIMEO and SO_LINGER the value represents the number of milliseconds. If the SO_LINGER key is present, it indicates that the SO_LINGER option is active. - - - - - socket_type - Specifies the type of the socket. The values of this property MUST come from the network-socket-type-enum enumeration. - - - - - socket_descriptor - Specifies the socket file descriptor value associated with the socket, as a non-negative integer. - - - - - socket_handle - Specifies the handle or inode value associated with the socket. - - - - - icmp_type_hex - Specifies the ICMP type byte. - - - - - icmp_code_hex - Specifies the ICMP code byte. - - - - - request_method - Specifies the HTTP method portion of the HTTP request line, as a lowercase string. - - - - - request_value - Specifies the value (typically a resource path) portion of the HTTP request line. - - - - - request_version - Specifies the HTTP version portion of the HTTP request line, as a lowercase string. - - - - - request_header - Specifies all of the HTTP header fields that may be found in the HTTP client request, as a dictionary. Each key in the dictionary MUST be the name of the header field and SHOULD preserve case, e.g., User-Agent. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. - - - - - message_body_length - Specifies the length of the HTTP message body, if included, in bytes. - - - - - message_body_data_ref - Specifies the data contained in the HTTP message body, if included. The object referenced in this property MUST be of type artifact. - - - - - message_body_data_ref_string - Specifies the data contained in the HTTP message body, if included. 
The object referenced in this property MUST be of type artifact. - - - dst_byte_count Specifies the number of bytes, as a positive integer, sent from the destination to the source. + + dst_flags_hex + Specifies the destination TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property). If the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon. + + + dst_packets Specifies the number of packets, as a positive integer, sent from the destination to the source. @@ -512,6 +499,18 @@ + + icmp_code_hex + Specifies the ICMP code byte. + + + + + icmp_type_hex + Specifies the ICMP type byte. + + + ipfix Specifies any IP Flow Information Export [IPFIX] data for the traffic, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single IPFIX element. Accordingly, each dictionary key SHOULD be a case-preserved version of the IPFIX element name, e.g., octetDeltaCount. Each dictionary value MUST be either an integer or a string, as well as a valid IPFIX property. 
@@ -524,18 +523,102 @@ + + is_blocking + Specifies whether the socket is in blocking mode. + + + + + is_listening + Specifies whether the socket is in listening mode. + + + + + message_body_data_ref + Specifies the data contained in the HTTP message body, if included. The object referenced in this property MUST be of type artifact. + + + + + message_body_data_ref_string + Specifies the data contained in the HTTP message body, if included. The object referenced in this property MUST be of type artifact. + + + + + message_body_length + Specifies the length of the HTTP message body, if included, in bytes. + + + + + options + Specifies any options (e.g., SO_*) that may be used by the socket, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the option name, e.g., SO_ACCEPTCONN. Each key value in the dictionary MUST be the value for the corresponding options key. Each dictionary value MUST be an integer. For SO_RCVTIMEO, SO_SNDTIMEO and SO_LINGER the value represents the number of milliseconds. If the SO_LINGER key is present, it indicates that the SO_LINGER option is active. + + + protocols Specifies the protocols observed in the network traffic, along with their corresponding state. Protocols MUST be listed in low to high order, from outer to inner in terms of packet encapsulation. That is, the protocols in the outer level of the packet, such as IP, MUST be listed first. The protocol names SHOULD come from the service names defined in the Service Name column of the IANA Service Name and Port Number Registry [Port Numbers]. In cases where there is variance in the name of a network protocol not included in the IANA Registry, content producers should exercise their best judgement, and it is recommended that lowercase names be used for consistency with the IANA registry. If the protocol extension is present, the corresponding protocol value for that extension SHOULD be listed in this property. 
Example: ipv4, tcp, http + + request_header + Specifies all of the HTTP header fields that may be found in the HTTP client request, as a dictionary. Each key in the dictionary MUST be the name of the header field and SHOULD preserve case, e.g., User-Agent. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. + + + + + request_method + Specifies the HTTP method portion of the HTTP request line, as a lowercase string. + + + + + request_value + Specifies the value (typically a resource path) portion of the HTTP request line. + + + + + request_version + Specifies the HTTP version portion of the HTTP request line, as a lowercase string. + + + + + socket_descriptor + Specifies the socket file descriptor value associated with the socket, as a non-negative integer. + + + + + socket_handle + Specifies the handle or inode value associated with the socket. + + + + + socket_type + Specifies the type of the socket. The values of this property MUST come from the network-socket-type-enum enumeration. + + + src_type_count Specifies the number of bytes, as a positive integer, sent from the source to the destination. + + src_flags_hex + Specifies the source TCP flags, as the union of all TCP flags observed between the start of the traffic (as defined by the start property) and the end of the traffic (as defined by the end property). If the start and end times of the traffic are not specified, this property SHOULD be interpreted as the union of all TCP flags observed over the entirety of the network traffic being reported upon. + + + src_packets Specifies the number of packets, as a positive integer, sent from the source to the destination. 
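Review bot: The context line `src_type_count` describes "the number of bytes, as a positive integer, sent from the source to the destination", which is the counterpart of `dst_byte_count` a few hunks up, so the term is presumably meant to be `src_byte_count`; the commit's alphabetical reordering even leaves it just before `src_flags_hex`, exactly where `src_byte_count` would sort. The line is untouched by this commit, so the mis-named property survives it. Renaming the term to `src_byte_count` would align the label with the described semantics; anything keyed on the current name (mappings, queries) would need the same change.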
@@ -600,87 +683,4 @@ - - network-socket-address-family-enum - - - - - AF_UNSPEC - - - AF_INET - - - AF_IPX - - - AF_APPLETALK - - - AF_NETBIOS - - - AF_INET6 - - - AF_IRDA - - - AF_BTH - - - - - - - - - - - - - - - - - - - - - - - network-socket-type-enum - - - - - SOCK_STREAM - - - SOCK_DGRAM - - - SOCK_RAW - - - SOCK_RDM - - - SOCK_SEQPACKET - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl index 09ae123..bdde030 100644 --- a/stix/core-objects/sco/process/process.owl +++ b/stix/core-objects/sco/process/process.owl @@ -27,16 +27,23 @@ + - - + + - - + + + + + + + + @@ -47,55 +54,55 @@ - - + + - + - - + + - - + + - - + + - - + + - - + + - - + + - + @@ -113,21 +120,43 @@ - - - - - - - - + + - Process The Process object represents common properties of an instance of a computer program as executed on an operating system. A Process object MUST contain at least one property (other than type) from this object (or one of its extensions). + + windows-integrity-level-enum + + + + + low + + + medium + + + high + + + system + + + + + + + + + + + + + @@ -144,8 +173,8 @@ - - + + @@ -156,7 +185,7 @@ - + @@ -168,8 +197,8 @@ - - + + Windows Process Extension @@ -178,12 +207,6 @@ - - - - - - @@ -204,22 +227,28 @@ - - + + - - + + - + + + + + + + 
@@ -228,68 +257,14 @@ - - + + Windows Service Extension The Windows Service extension specifies a default extension for capturing properties specific to Windows services. The key for this extension when used in the extensions dictionary MUST be windows-service-ext. Note that this predefined extension does not use the extension facility described in section 7.3. As all properties of this extension are optional, at least one of the properties defined below MUST be included when using this extension. - - - service_name - Specifies the name of the service. - - - - - descriptions - Specifies the descriptions defined for the service. - - - - - display_name - Specifies the display name of the service in Windows GUI controls. - - - - - group_name - Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. - - - - - start_type - Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. - - - - - service_dll_refs - Specifies the DLLs loaded by the service, as a reference to one or more File objects. The objects referenced in this property MUST be of type file. - - - - - service_dll_refs_string - Specifies the DLLs loaded by the service, as a reference to one or more File objects. The objects referenced in this property MUST be of type file. - - - - - service_type - Specifies the type of the service. The values of this property MUST come from the windows-service-type-enum enumeration. - - - - - service_status - Specifies the current status of the service. The values of this property MUST come from the windows-service-status-enum enumeration. - - - + windows-service-start-type-enum @@ -323,36 +298,7 @@ - - - windows-service-type-enum - - - - - SERVICE_KERNEL_DRIVER - - - SERVICE_FILE_SYSTEM_DRIVER - - - SERVICE_WIN32_OWN_PROCESS - - - SERVICE_WIN32_SHARE_PROCESS - - - - - - - - - - - - - + windows-service-status-enum 
@@ -396,65 +342,23 @@ - - - aslr_enabled - Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. - - - - - dep_enabled - Specifies whether Data Execution Prevention (DEP) is enabled for the process. - - - - - priority - Specifies the current priority class of the process in Windows. This value SHOULD be a string that ends in _CLASS. - - - - - owner_sid - Specifies the Security ID (SID) value of the owner of the process. - - - - - window_title - Specifies the title of the main window of the process. - - - - - startup_info - Specifies the STARTUP_INFO struct used by the process, as a dictionary. Each name/value pair in the struct MUST be represented as a key/value pair in the dictionary, where each key MUST be a case-preserved version of the original name. For example, given a name of "lpDesktop" the corresponding key would be lpDesktop. - - - - - integrity_level - Specifies the Windows integrity level, or trustworthiness, of the process. The values of this property MUST come from the windows-integrity-level-enum enumeration. - - - - - windows-integrity-level-enum + + + windows-service-type-enum - low + SERVICE_KERNEL_DRIVER - medium + SERVICE_FILE_SYSTEM_DRIVER - high + SERVICE_WIN32_OWN_PROCESS - system + SERVICE_WIN32_SHARE_PROCESS @@ -467,7 +371,13 @@ - + + + aslr_enabled + Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. + + + child_refs Specifies the other processes that were spawned by (i.e. children of) this process, as a reference to one or more other Process objects. The objects referenced in this list MUST be of type process. 
@@ -510,12 +420,36 @@ + + dep_enabled + Specifies whether Data Execution Prevention (DEP) is enabled for the process. + + + + + descriptions + Specifies the descriptions defined for the service. + + + + + display_name + Specifies the display name of the service in Windows GUI controls. + + + environment_variables Specifies the list of environment variables associated with the process as a dictionary. Each key in the dictionary MUST be a case preserved version of the name of the environment variable, and each corresponding value MUST be the environment variable value as a string. + + group_name + Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. + + + image_ref Specifies the executable binary that was executed as the process image, as a reference to a File object. The object referenced in this property MUST be of type file. @@ -528,6 +462,12 @@ + + integrity_level + Specifies the Windows integrity level, or trustworthiness, of the process. The values of this property MUST come from the windows-integrity-level-enum enumeration. + + + is_hidden Specifies whether the process is hidden. @@ -546,6 +486,12 @@ + + owner_sid + Specifies the Security ID (SID) value of the owner of the process. + + + parent_ref Specifies the other process that spawned (i.e. is the parent of) this one, as a reference to a Process object. The object referenced in this property MUST be of type process. 
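Review bot: The comment added for `group_name` in hunk `@@ -510,12 +420,36 @@` is a copy of the `aslr_enabled` description ("Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process") and does not describe the property; per the STIX 2.1 Windows Service extension it should read `Specifies the name of the load ordering group of which the service is a member.`. The same copied sentence appears on `start_type` in the next hunk (`@@ -563,5 +509,59 @@`), where the comment should be `Specifies the start options defined for the service. The values of this property MUST come from the windows-service-start-type-enum enumeration.` (that enumeration is defined earlier in this file). Both descriptions were already wrong on the old side, so the move simply carried the defect along; the enclosing ontology definition continues outside both hunks.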
@@ -563,5 +509,59 @@ Specifies the Process ID, or PID, of the process. + + + priority + Specifies the current priority class of the process in Windows. This value SHOULD be a string that ends in _CLASS. + + + + + service_dll_refs + Specifies the DLLs loaded by the service, as a reference to one or more File objects. The objects referenced in this property MUST be of type file. + + + + + service_dll_refs_string + Specifies the DLLs loaded by the service, as a reference to one or more File objects. The objects referenced in this property MUST be of type file. + + + + + service_name + Specifies the name of the service. + + + + + service_status + Specifies the current status of the service. The values of this property MUST come from the windows-service-status-enum enumeration. + + + + + service_type + Specifies the type of the service. The values of this property MUST come from the windows-service-type-enum enumeration. + + + + + start_type + Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. + + + + + startup_info + Specifies the STARTUP_INFO struct used by the process, as a dictionary. Each name/value pair in the struct MUST be represented as a key/value pair in the dictionary, where each key MUST be a case-preserved version of the original name. For example, given a name of "lpDesktop" the corresponding key would be lpDesktop. + + + + + window_title + Specifies the title of the main window of the process. + + \ No newline at end of file diff --git a/stix/core-objects/sco/software/software.owl b/stix/core-objects/sco/software/software.owl index f5e8a1c..dea2c12 100644 --- a/stix/core-objects/sco/software/software.owl +++ b/stix/core-objects/sco/software/software.owl @@ -25,25 +25,25 @@ - + - + - + - + @@ -74,7 +74,7 @@ Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to [RFC5646]. - + name Specifies the name of the software. 
@@ -92,7 +92,7 @@ Specifies the name of the vendor of the software. - + version Specifies the version of the software. diff --git a/stix/core-objects/sco/url/url.owl b/stix/core-objects/sco/url/url.owl index 45e7eac..2340eee 100644 --- a/stix/core-objects/sco/url/url.owl +++ b/stix/core-objects/sco/url/url.owl @@ -31,10 +31,10 @@ URL Object The URL object represents the properties of a uniform resource locator (URL). - + value - Specifies the value of the URL. The value of this property MUST conform to [RFC3986], more specifically section 1.1.3 with reference to the definition for "Uniform Resource Locator". + Specifies the value of the URL. The value of this property MUST conform to [RFC3986], more specifically section 1.1.3 with reference to the definition for "Uniform Resource Locator". diff --git a/stix/core-objects/sco/user-account/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl index e953044..af11235 100644 --- a/stix/core-objects/sco/user-account/user-account.owl +++ b/stix/core-objects/sco/user-account/user-account.owl 
@@ -22,150 +22,190 @@ 2.1.0 - - + + account-type-ov + + + + + facebook + + + ldap + + + nis + + + openid + + + radius + + + skype + + + tacacs + + + twitter + + + unix + + + windows-local + + + windows-domain + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - - + + - + - + - - + + + UNIX Account Extension + The UNIX account extension specifies a default extension for capturing the additional information for an account on a UNIX system. The key for this extension when used in the extensions dictionary MUST be unix-account-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the UNIX Account Extension MUST contain at least one property from this extension. + + + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - - + + - + - - + + - User Account - The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. - - - - - - + + - - + + - - + + - + - UNIX Account Extension - The UNIX account extension specifies a default extension for capturing the additional information for an account on a UNIX system. The key for this extension when used in the extensions dictionary MUST be unix-account-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the UNIX Account Extension MUST contain at least one property from this extension. + User Account + The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. 
- - gid - Specifies the primary group ID of the account. - - - - - groups - Specifies a list of names of groups that the account is a member of. - - - - - home_dir - Specifies the home directory of the account. - - - - - shell - Specifies the account's command shell. - - - account_created Specifies when the account was created. @@ -192,80 +232,16 @@ account_login - Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login. For example, in the case of a Unix account with user_id 0, the account_login might be "root". + Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login. For example, in the case of a Unix account with user_id 0, the account_login might be "root". - + account_type Specifies the type of the account. This is an open vocabulary and values SHOULD come from the account-type-ov open vocabulary. - - - account-type-ov - - - - - facebook - - - ldap - - - nis - - - openid - - - radius - - - skype - - - tacacs - - - twitter - - - unix - - - windows-local - - - windows-domain - - - - - - - - - - - - - - - - - - - - - - - - - - - + can_escalate_privs Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account). @@ -290,6 +266,24 @@ + + gid + Specifies the primary group ID of the account. + + + + + groups + Specifies a list of names of groups that the account is a member of. + + + + + home_dir + Specifies the home directory of the account. + + + is_disabled Specifies if the account is disabled. 
@@ -308,6 +302,12 @@ + + shell + Specifies the account's command shell. + + + user_id Specifies the identifier of the account. The format of the identifier depends on the system the user account is maintained in, and may be a numeric ID, a GUID, an account name, an email address, etc. The user_id property should be populated with whatever field is the unique identifier for the system the account is a member of. For example, on UNIX systems it would be populated with the UID. diff --git a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl index 3fca3fc..66cf417 100644 --- a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl +++ b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl 
@@ -21,102 +21,6 @@ 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Windows Registry Key Object - The Registry Key object represents the properties of a Windows registry key. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. - - - - - - - - - - - - - - - - - - - - - - - Windows Registry Value Type - The Windows Registry Value type captures the properties of a Windows Registry Key Value. As all properties of this type are optional, at least one of the properties defined below MUST be included when using this type. - - - - name - Specifies the name of the registry value. For specifying the default value in a registry key, an empty string MUST be used. - - - - - creator_user_ref - Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. - - - - - creator_user_ref_string - Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. - - - - - data - Specifies the data contained in the registry value. - - - - - data_type - Specifies the registry (REG_*) data type used in the registry value.\n\nThe values of this property MUST come from the windows-registry-datatype-enum enumeration. - - - windows-registry-datatype-enum 
@@ -196,6 +100,96 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Windows Registry Key Object + The Registry Key object represents the properties of a Windows registry key. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. + + + + + + + + + + + + + + + + + + + + + + + Windows Registry Value Type + The Windows Registry Value type captures the properties of a Windows Registry Key Value. As all properties of this type are optional, at least one of the properties defined below MUST be included when using this type. + + + + creator_user_ref + Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. + + + + + creator_user_ref_string + Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. + + + + + data + Specifies the data contained in the registry value. + + + + + data_type + Specifies the registry (REG_*) data type used in the registry value.\n\nThe values of this property MUST come from the windows-registry-datatype-enum enumeration. + + + key Specifies the full registry key including the hive. The value of the key, including the hive portion, SHOULD be case-preserved. The hive portion of the key MUST be fully expanded and not truncated; e.g., HKEY_LOCAL_MACHINE must be used instead of HKLM. @@ -208,6 +202,12 @@ + + name + Specifies the name of the registry value. For specifying the default value in a registry key, an empty string MUST be used. + + + number_of_subkeys Specifies the number of subkeys contained under the registry key. diff --git a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl index 94f1820..8ef3c11 100644 --- a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl 
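Review bot: The re-added `data_type` comment in hunk `@@ -196,6 +100,96 @@` still contains a literal `\n\n` ("...used in the registry value.\n\nThe values of this property MUST..."); inside XML text that is a backslash and an `n`, not a line break, so it surfaces verbatim in any tool that renders the annotation. Replace the escape with a single space, `Specifies the registry (REG_*) data type used in the registry value. The values of this property MUST come from the windows-registry-datatype-enum enumeration.`, as the later patch in this series does for the SDO descriptions. Separately, the directory in the following file header, `stix/core-objects/sco/x509-vertificate/`, is misspelled and is not renamed by this commit.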
+++ b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl @@ -24,19 +24,19 @@ - - + + - - + + - + @@ -54,44 +54,44 @@ - + - - + + - - + + - + - - + + - - + + - - + + @@ -108,25 +108,25 @@ - + - + - + - + @@ -138,44 +138,44 @@ - + - + - + - + - + - + - - + + @@ -186,31 +186,25 @@ - - + + - + - + X.509 v3 Extensions Type - The X.509 v3 Extensions type captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names. An object using the X.509 v3 Extensions type MUST contain at least one property from this type. Note that the use of the term "extensions" in this context refers to the X.509 v3 Extensions type and is not a STIX Cyber Observables extension. Therefore, it is a type that describes X.509 extensions. + The X.509 v3 Extensions type captures properties associated with X.509 v3 extensions, which serve as a mechanism for specifying additional information such as alternative subject names. An object using the X.509 v3 Extensions type MUST contain at least one property from this type. Note that the use of the term "extensions" in this context refers to the X.509 v3 Extensions type and is not a STIX Cyber Observables extension. Therefore, it is a type that describes X.509 extensions. - - - version - Specifies the version of the encoded certificate. - - authority_key_identifier @@ -250,7 +244,7 @@ is_self_signed - Specifies whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies. + Specifies whether the certificate is self-signed, i.e., whether it is signed by the same entity whose identity it certifies. 
@@ -286,7 +280,7 @@ policy_mappings - Specifies one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates whether the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. Also equivalent to the object ID (OID) value of 2.5.29.33. + Specifies one or more pairs of OIDs; each pair includes an issuerDomainPolicy and a subjectDomainPolicy. The pairing indicates whether the issuing CA considers its issuerDomainPolicy equivalent to the subject CA's subjectDomainPolicy. Also equivalent to the object ID (OID) value of 2.5.29.33. @@ -346,13 +340,13 @@ subject_public_key_exponent - Specifies the exponent portion of the subject's public RSA key, as an integer. + Specifies the exponent portion of the subject's public RSA key, as an integer. subject_public_key_modulus - Specifies the modulus portion of the subject's public RSA key. + Specifies the modulus portion of the subject's public RSA key. @@ -368,6 +362,12 @@ + + version + Specifies the version of the encoded certificate. + + + x509_v3_extensions Specifies any standard X.509 v3 extensions that may be used in the certificate. diff --git a/stix/vocabularies/vocabulary-user-defs.owl b/stix/vocabularies/vocabulary-user-defs.owl index 354004d..24a7728 100644 --- a/stix/vocabularies/vocabulary-user-defs.owl +++ b/stix/vocabularies/vocabulary-user-defs.owl @@ -730,7 +730,7 @@ - + region-ov-open Defines an open-vocabulary that captures the world regions based on the United Nations geoscheme. From 23bcddf5fa21ae091cfcb8e5d26535c9528567fa Mon Sep 17 00:00:00 2001 
From: Mateusz Zych Date: Sat, 14 Jan 2023 19:36:09 +0100 Subject: [PATCH 22/70] Work in Progress. Added missing class definitons and specific properties in SDOs. --- .../sdo/attack-pattern/attack-pattern.owl | 33 ++++++-- stix/core-objects/sdo/campaign/campaign.owl | 31 ++++++-- .../sdo/course-of-action/course-of-action.owl | 15 +++- stix/core-objects/sdo/grouping/grouping.owl | 36 ++++++++- stix/core-objects/sdo/identity/identity.owl | 75 ++++++++----------- stix/core-objects/sdo/incident/incident.owl | 15 +++- stix/core-objects/sdo/indicator/indicator.owl | 69 ++++++++++++----- .../sdo/infrastructure/infrastructure.owl | 58 ++++++++++++-- .../sdo/intrusion-set/intrusion-set.owl | 62 ++++++++++++++- stix/core-objects/sdo/location/location.owl | 69 ++++++++--------- stix/core-objects/sdo/malware/malware.owl | 1 - 11 files changed, 337 insertions(+), 127 deletions(-) diff --git a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl index 2b309a5..4611bb0 100644 --- a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl +++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl @@ -18,7 +18,6 @@ - 2.1.0 
@@ -42,14 +41,38 @@ - AttackPattern - Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern.\n\nThe Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. + + + + + + + Attack Pattern + Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. + + name + A name used to identify the Attack Pattern. + + + - aliases - Specifies a list of other names that this entity is believed to use or is referred to by. 
+ aliases + Alternative names used to identify this Attack Pattern. + + + description + A description that provides more details and context about the Attack Pattern, potentially including its purpose and its key characteristics. + + + + + kill_chain_phases + The list of Kill Chain Phases for which this Attack Pattern is used. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/campaign/campaign.owl b/stix/core-objects/sdo/campaign/campaign.owl index ace89ff..3cea258 100644 --- a/stix/core-objects/sdo/campaign/campaign.owl +++ b/stix/core-objects/sdo/campaign/campaign.owl @@ -18,7 +18,6 @@ - 2.1.0 
@@ -61,24 +60,42 @@ Campaign - A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set.\n\nCampaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign.\n\nCampaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. + A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. + + name + A name used to identify the Campaign. + + + + + description + A description that provides more details and context about the Campaign, potentially including its purpose and its key characteristics. 
+ + + + + aliases + Alternative names used to identify this Campaign. + + + - first_seen - Specifies the date and time that this entity was first seen.\n\nA summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. + first_seen + The time that this Campaign was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - last_seen - Specifies the date and time that this entity was last seen.\n\nA summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. This MUST be greater than or equal to the timestamp in the first_seen property. + last_seen + The time that this Campaign was last seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. objective - Specifies the Campaign’s primary goal, objective, desired outcome, or intended effect — what the Threat Actor or Intrusion Set hopes to accomplish with this Campaign. + Specifies the Campaign's primary goal, objective, desired outcome, or intended effect — what the Threat Actor or Intrusion Set hopes to accomplish with this Campaign. 
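Review bot: The rewritten Campaign description in hunk `@@ -61,24 +60,42 @@` ends with a stray fragment: after "...merger with another bank." it continues "ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use.", a leftover tail of the sentence that already appears earlier in the same comment. The text should end at `...in order to gain secret information about an upcoming merger with another bank.`. The surrounding property definitions are otherwise consistent with the `first_seen`/`last_seen` ordering constraint now stated on `last_seen`.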
diff --git a/stix/core-objects/sdo/course-of-action/course-of-action.owl b/stix/core-objects/sdo/course-of-action/course-of-action.owl index ac7470e..1d7974c 100644 --- a/stix/core-objects/sdo/course-of-action/course-of-action.owl +++ b/stix/core-objects/sdo/course-of-action/course-of-action.owl @@ -18,7 +18,6 @@ - 2.1.0 @@ -37,7 +36,19 @@ Course Of Action - A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. + Note: The Course of Action object in STIX 2.1 is a stub. It is included to support basic use cases (such as sharing prose courses of action) but does not support the ability to represent automated courses of action or contain properties to represent metadata about courses of action. Future STIX 2 releases will expand it to include these capabilities. A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. The Course of Action SDO contains a textual description of the action; a reserved action property also serves as a placeholder for future inclusion of machine automatable courses of action. + + name + A name used to identify the Course of Action. + + + + + description + A description that provides more details and context about the Course of Action, potentially including its purpose and its key characteristics. + + + \ No newline at end of file 
diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl index e4fac62..4d3a3ca 100644 --- a/stix/core-objects/sdo/grouping/grouping.owl +++ b/stix/core-objects/sdo/grouping/grouping.owl @@ -18,7 +18,6 @@ - 2.1.0 @@ -48,14 +47,19 @@ + + + + + + Grouping - A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. + A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. A STIX Grouping object might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as a STIX Report object. For example, a Grouping could be used to characterize an ongoing investigation into a security event or incident. A Grouping object could also be used to assert that the referenced STIX Objects are related to an ongoing analysis process, such as when a threat analyst is collaborating with others in their trust community to examine a series of Campaigns and Indicators. The Grouping SDO contains a list of references to SDOs, SCOs, SROs, and SMOs, along with an explicit statement of the context shared by the content, a textual description, and the name of the grouping. context - context - A short descriptor of the particular context shared by the content referenced by the Grouping. + A short descriptor of the particular context shared by the content referenced by the Grouping. The value for this property SHOULD come from the grouping-context-ov open vocabulary. 
@@ -79,4 +83,28 @@ + + name + A name used to identify the Grouping. + + + + + description + A description that provides more details and context about the Grouping, potentially including its purpose and its key characteristics. + + + + + object_refs + Specifies the STIX Objects that are referred to by this Grouping. + + + + + object_refs_string + Specifies the STIX Objects that are referred to by this Grouping. + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/identity/identity.owl b/stix/core-objects/sdo/identity/identity.owl index 0a49d76..90c4416 100644 --- a/stix/core-objects/sdo/identity/identity.owl +++ b/stix/core-objects/sdo/identity/identity.owl @@ -18,19 +18,9 @@ - 2.1.0 - - - - Group - Identitfies an informal collection of people, without formal governance. - - - - - + @@ -69,29 +59,8 @@ - STIX Identity - Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). - - - - - Individual - Identitfies an actual individual. - - - - - - - Industy Sector - Identifies an industry sector. - - - - - - Organization - Identifies an actual formal organization of people, with governance, such as a company. + Identity + Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. 
@@ -102,8 +71,13 @@ identity_class - The type of entity that this Identity describes, e.g., an individual or organization.\n\nThe value for this property SHOULD come from the identity-class-ov open vocabulary. - + The type of entity that this Identity describes, e.g., an individual or organization. The value for this property SHOULD come from the identity-class-ov open vocabulary. + + + + + identity-class-ov + @@ -137,7 +111,19 @@ - + + + + + name + The name of this Identity. When referring to a specific entity (e.g., an individual or organization), this property SHOULD contain the canonical name of the specific entity. + + + + + description + A description that provides more details and context about the Identity, potentially including its purpose and its key characteristics. + @@ -145,11 +131,16 @@ The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. - + sectors - The list of industry sectors that this Identity belongs to.\n\nThe values for this property SHOULD come from the industry-sector-ov open vocabulary. - + The list of industry sectors that this Identity belongs to. The values for this property SHOULD come from the industry-sector-ov open vocabulary. + + + + + industry-sector-ov + @@ -323,7 +314,7 @@ - - + + \ No newline at end of file diff --git a/stix/core-objects/sdo/incident/incident.owl b/stix/core-objects/sdo/incident/incident.owl index 086dfee..75546ea 100644 --- a/stix/core-objects/sdo/incident/incident.owl +++ b/stix/core-objects/sdo/incident/incident.owl @@ -18,7 +18,6 @@ - 2.1.0 
@@ -37,7 +36,19 @@ Incident - An Incident is a set of related security events affecting an organization, along with information discovered or decided during an incident response investigation. + Note: The Incident object in STIX 2.1 is a stub. It is included to support basic use cases but does not contain properties to represent metadata about incidents. Future STIX 2 releases will expand it to include these capabilities. It is suggested that it is used as an extension point for an Incident object defined using the extension facility described in section 7.3. + + name + A name used to identify the Incident. + + + + + description + A description that provides more details and context about the Incident, potentially including its purpose and its key characteristics. + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl index 006c571..fc4bf77 100644 --- a/stix/core-objects/sdo/indicator/indicator.owl +++ b/stix/core-objects/sdo/indicator/indicator.owl @@ -18,7 +18,6 @@ - 2.1.0 
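Review bot: The rewritten rdfs:comment on the Incident class keeps only the "stub" note and drops the one-sentence definition that the removed line carried, so the class no longer states what an Incident is; keep `An Incident is a set of related security events affecting an organization, along with information discovered or decided during an incident response investigation.` as the first sentence and append the note after it. The note also points at "section 7.3" without naming a document, which is a dangling reference once the ontology is read apart from the spec; write `the extension facility described in section 7.3 of the STIX 2.1 specification` instead. The opening and closing tags of the class element are not visible in the collapsed hunk, so the exact element the comment sits in is inferred.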
@@ -72,14 +71,37 @@ + + + + + + Indicator - Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language to specify these domains.\n\nThe Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language.\n\nRelationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. + Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. + + + name + A name used to identify the Indicator. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. 
+ + + + description + A description that provides more details and context about the Indicator, potentially including its purpose and its key characteristics. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. + + + indicator types - Specifies A set of categorizations for this indicator.\n\nThe values for this property SHOULD come from the indicator-type-ov open vocabulary. - + A set of categorizations for this indicator. The values for this property SHOULD come from the indicator-type-ov open vocabulary. + + + + + indicator-type-ov + @@ -118,19 +140,24 @@ - - - + + + pattern - Specifies the detection pattern for this Indicator MAY be expressed as a STIX Pattern or another appropriate language such as SNORT, YARA, etc. + The detection pattern for this Indicator MAY be expressed as a STIX Pattern as specified in section 9 or another appropriate language such as SNORT, YARA, etc. - + pattern_type - Specifies the pattern language used in this indicator.\n\nThe value for this property SHOULD come from the pattern-type-ov open vocabulary.\n\nThe value of this property MUST match the type of pattern data included in the pattern property. - + The pattern language used in this indicator. The value for this property SHOULD come from the pattern-type-ov open vocabulary. The value of this property MUST match the type of pattern data included in the pattern property. + + + + + pattern-type-ov + 
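Review bot: The Indicator class comment and the new `pattern` and `pattern_type` comments cite "section 9" three times without naming the document, which reads as a broken cross-reference in an ontology that ships separately from the specification; phrase it as `the STIX Patterning Language (STIX 2.1 specification, section 9)` in each place. The sentence "it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors" carries a grammar slip copied from the spec text; `it may also imply the presence of Campaigns, Intrusion Sets, Threat Actors, etc.` reads correctly. The `indicator-type-ov` and `pattern-type-ov` elements that close this hunk appear to be open-vocabulary anchors with no members listed, which is presumably intentional given they are open vocabularies, but a one-line comment saying so would stop a reader from taking them for unfinished enumerations.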
@@ -164,25 +191,31 @@ - - + + pattern_version - Specifies the version of the pattern language that is used for the data in the pattern property which MUST match the type of pattern data included in the pattern property.\n\nFor patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used.\n\nFor the STIX Pattern language, the default value is determined by the specification version of the object.\n\nFor other languages, the default value SHOULD be the latest version of the patterning language at the time of this object's creation. + The version of the pattern language that is used for the data in the pattern property which MUST match the type of pattern data included in the pattern property. For patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used. For the STIX Pattern language, the default value is determined by the specification version of the object. For other languages, the default value SHOULD be the latest version of the patterning language at the time of this object's creation. - valid_from - Specifies the date and time from which this this entity is considered to be valid for the behaviors it is related or represents. + valid_from + The time from which this Indicator is considered a valid indicator of the behaviors it is related or represents. - valid_until - Specifies the date and time at which this entity should no longer be considered valid for the behaviors it is related to or represents.\n\nIf the valid_until property is omitted, then there is no constraint on the latest time for which the entity is valid.\n\nThis MUST be greater than the timestamp in the valid_from property. + valid_until + The time at which this Indicator should no longer be considered a valid indicator of the behaviors it is related to or represents. 
If the valid_until property is omitted, then there is no constraint on the latest time for which the Indicator is valid. This MUST be greater than the timestamp in the valid_from property. + + kill_chain_phases + The kill chain phase(s) to which this Indicator corresponds. + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl index 4339f13..84bf41d 100644 --- a/stix/core-objects/sdo/infrastructure/infrastructure.owl +++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl @@ -18,7 +18,6 @@ - 2.1.0 
@@ -60,14 +59,61 @@ + + + + + + Infrastructure The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure. - + + + name + A name or characterizing text used to identify the Infrastructure. + + + + + description + A description that provides more details and context about the Infrastructure, potentially including its purpose, how it is being used, how it relates to other intelligence activities captured in related objects, and its key characteristics. + + + + + aliases + Alternative names used to identify this Infrastructure. + + + + + first_seen + The time that this Infrastructure was first seen performing malicious activities. + + + + + last_seen + The time that this Infrastructure was last seen performing malicious activities. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. + + + + + kill_chain_phases + The list of Kill Chain Phases for which this Infrastructure is used. + + + infrastructure_types - Specifies the type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. - + The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. + + + + + infrastructure-type-ov + @@ -126,7 +172,7 @@ - - + + \ No newline at end of file diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index 12c898c..7073bc2 100644 
--- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl @@ -6,6 +6,7 @@ + ]> + xmlns:xsd="http://www.w3.org/2001/XMLSchema#" + xmlns:vocab="http://docs.oasis-open.org/cti/ns/stix/vocabulary#"> - + 2.1.0 
@@ -79,7 +81,61 @@ Intrusion Set - An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.\n\nWhere a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. + An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. 
Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state. + + name + A name used to identify this Intrusion Set. + + + + + description + A description that provides more details and context about the Intrusion Set, potentially including its purpose and its key characteristics. + + + + + aliases + Alternative names used to identify this Intrusion Set. + + + + + first_seen + The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. + + + + + last_seen + The time that this Intrusion Set was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. + + + + + goals + The high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. Another example: to gain information about latest merger and IPO information from ACME Bank. + + + + + resource_level + This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. 
The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. + + + + + primary_motivation + The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. + + + + + secondary_motivations + The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl index 88a9fb5..ceb8921 100644 --- a/stix/core-objects/sdo/location/location.owl +++ b/stix/core-objects/sdo/location/location.owl @@ -6,6 +6,7 @@ + ]> - + 2.1.0 - - - Civic Location - Identifies an actual civic location (e.g., street address, city, administrative area, postal code). - - - - - Country - Identifies an actual country. - - - - - Global Position - Identifies a physical position on the globe. - - @@ -112,15 +95,21 @@ A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. - - - Region - Identifies an actual region in the world. - + + name + A name used to identify the Location. + + + + + description + A textual description of the Location. + + administrative_area - The state, province, or other sub-national administrative area that this Location describes. + The state, province, or other sub-national administrative area that this Location describes. This property SHOULD contain a valid ISO 3166-2 Code [ISO3166-2]. 
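Review bot: The rdfs:comment added for `primary_motivation` and again for `secondary_motivations` is a copy of the `first_seen` text ("The time that this Intrusion Set was first seen. A summary property of data from sightings ...") and describes a timestamp, not a motivation, so anyone generating documentation or tooling from the ontology gets the wrong meaning for both properties. Replace the `primary_motivation` comment with `The primary reason, motivation, or purpose behind this Intrusion Set. The motivation is why the Intrusion Set wishes to achieve the goal (what they are trying to achieve). The value for this property SHOULD come from the attack-motivation-ov open vocabulary.` and the `secondary_motivations` comment with `The secondary reasons, motivations, or purposes behind this Intrusion Set. The values for this property SHOULD come from the attack-motivation-ov open vocabulary.` Both also presumably should be declared as datatype properties over the motivation vocabulary rather than as dateTime-valued ones; the range declarations are not visible in the collapsed hunk, so please confirm that they were not copied from `first_seen` as well.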
@@ -131,27 +120,27 @@ - city - The name of the city. + city + The city that this Location describes. - country - The valid ISO 3166-1 ALPHA-2 Code [ISO3166-1] that is asigned to the country. + country + The country that this Location describes. This property SHOULD contain a valid ISO 3166-1 ALPHA-2 Code [ISO3166-1]. latitude - The WGS84 latitude of a SpatialThing (decimal degrees).\n\nPositive numbers describe latitudes north of the equator, and negative numbers describe latitudes south of the equator. The value of this property MUST be between -90.0 and 90.0, inclusive.\n\nIf the longitude property is present, this property MUST be present. - + The latitude of the Location in decimal degrees. Positive numbers describe latitudes north of the equator, and negative numbers describe latitudes south of the equator. The value of this property MUST be between -90.0 and 90.0, inclusive. If the longitude property is present, this property MUST be present. + longitude - The WGS84 longitude of a SpatialThing (decimal degrees).\n\nPositive numbers describe longitudes east of the prime meridian and negative numbers describe longitudes west of the prime meridian. The value of this property MUST be between -180.0 and 180.0, inclusive.\n\nIf the latitude property is present, this property MUST be present. - + The longitude of the Location in decimal degrees. Positive numbers describe longitudes east of the prime meridian and negative numbers describe longitudes west of the prime meridian. The value of this property MUST be between -180.0 and 180.0, inclusive. If the latitude property is present, this property MUST be present. + 
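Review bot: The `latitude` and `longitude` comments state hard bounds (-90.0..90.0 and -180.0..180.0, "MUST be ... inclusive") in prose only, while the datatype element on each property (its content is not visible in the collapsed hunk) would let the constraint be enforced by a reasoner or validator; if the range is a plain xsd:decimal or xsd:double, consider a datatype restriction with `xsd:minInclusive`/`xsd:maxInclusive` carrying those bounds so out-of-range coordinates are rejected rather than merely discouraged. The `country` comment downgrades the old wording from a required ISO 3166-1 alpha-2 code to "SHOULD contain", which matches the STIX 2.1 text, but the comment should then say what a non-code value means for consumers that do country lookups; a short note such as `Consumers SHOULD NOT assume the value is a code when it does not match the two-letter form.` would make the relaxation explicit.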
@@ -162,20 +151,26 @@ postal_code - + The postal code for this Location. precision - Defines the precision of the coordinates specified by the latitude and longitude properties. This is measured in meters. The actual Location may be anywhere up to precision meters from the defined point.\n\nIf this property is not present, then the precision is unspecified.\n\nIf this property is present, the latitude and longitude properties MUST be present. - + Defines the precision of the coordinates specified by the latitude and longitude properties. This is measured in meters. The actual Location may be anywhere up to precision meters from the defined point. If this property is not present, then the precision is unspecified. If this property is present, the latitude and longitude properties MUST be present. + - street_address + street_address The street address that this Location describes. This property includes all aspects or parts of the street address. For example, some addresses may have multiple lines including a mailstop or apartment number. + + region + The region that this Location describes. The value for this property SHOULD come from the region-ov open vocabulary. + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl index 9344bbd..9d714fa 100644 --- a/stix/core-objects/sdo/malware/malware.owl +++ b/stix/core-objects/sdo/malware/malware.owl @@ -20,7 +20,6 @@ - 2.1.0 From 6db6a2b25844b2ff6cc9ee73a8bde2044173dc59 Mon Sep 17 00:00:00 2001 
From: Mateusz Zych Date: Mon, 16 Jan 2023 14:27:20 +0100 Subject: [PATCH 23/70] Work in progress. When through all SDOs and added missing class and properties definitions. --- .../sdo/malware-analysis/malware-analysis.owl | 198 ++++++++- stix/core-objects/sdo/malware/malware.owl | 410 +++++++++--------- stix/core-objects/sdo/note/note.owl | 37 +- .../sdo/observed-data/observed-data.owl | 70 ++- stix/core-objects/sdo/opinion/opinion.owl | 59 ++- stix/core-objects/sdo/report/report.owl | 59 ++- .../sdo/threat-actor/threat-actor.owl | 53 ++- stix/core-objects/sdo/tool/tool.owl | 70 ++- .../sdo/vulnerability/vulnerability.owl | 15 +- 9 files changed, 708 insertions(+), 263 deletions(-) diff --git a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl index 893a47a..e114e71 100644 --- a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl +++ b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl @@ -20,7 +20,6 @@ - 2.1.0 @@ -45,6 +44,18 @@ + + + + + + + + + + + + @@ -57,12 +68,48 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -81,6 +128,18 @@ + + + + + + + + + + + + 
@@ -93,50 +152,163 @@ - MalwareAnalysis + Malware Analysis Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. One of result or analysis_sco_refs properties MUST be provided. + + analysis_definition_version + The version of the analysis definitions used by the analysis tool (including AV tools). + + + analysis_ended - Specifies the date and time that the analysis ended. + The date and time that the malware analysis ended. + + analysis_engine_version + The version of the analysis engine or product (including AV engines) that was used to perform the analysis. + + + analysis_sco_refs - Specifies references to STIX Cyber-observable Objects that were captured during the analysis process. + This property contains the references to the STIX Cyber-observable Objects that were captured during the analysis process. - - analysis_sco_refs_id - Specifies the identifiers of STIX Cyber-observable Objects that were captured during the analysis process. + + analysis_sco_refs_string + This property contains the references to the STIX Cyber-observable Objects that were captured during the analysis process. analysis_started - Specifies the date and time that the analysis was initiated. + The date and time that the malware analysis was initiated. sample_ref - Specifies a reference to the Cyber Observable object that this analysis was performed against. + This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) 
- - sample_ref_id - Specifies the identifier of the Cyber Observable object that this analysis was performed against. + + sample_ref_string + This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) submitted - Specifies the date and time that the entity was first submitted for scanning or analysis. This value will stay constant while the scanned date can change. + The date and time that the malware was first submitted for scanning or analysis. This value will stay constant while the scanned date can change. For example, when Malware was submitted to a virus analysis tool. + + product + The name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-". For cases where the name of a product cannot be specified, a value of "anonymized" MUST be used. + + + + + configuration_version + The named configuration of additional product configuration parameters for this analysis run. For example, when a product is configured to do full depth analysis of Window™ PE files. This configuration may have a named version and that named version can be captured in this property. This will ensure additional runs can be configured in the same way. + + + + + result + The classification result as determined by the scanner or tool analysis process. The value for this property SHOULD come from the malware-result-ov open vocabulary. 
+ + + + + malware-result-ov + + + + + benign + + + malicious + + + suspicious + + + unknown + + + + + + + + + + + + + + + result_name + The classification result or name assigned to the malware instance by the scanner tool. + + + + + version + The version of the analysis product that was used to perform the analysis. + + + + + modules + The specific analysis modules that were used and configured in the product during this analysis run. For example, configuring a product to support analysis of Dridex. + + + + + installed_software_refs + Any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family. The value of this property MUST be the identifier for a SCO software object. + + + + + installed_software_refs_string + Any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family. The value of this property MUST be the identifier for a SCO software object. + + + + + host_vm_ref + A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. + + + + + host_vm_ref_string + A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. 
without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. + + + + + operating_system_ref + The operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. + + + + + operating_system_ref_string + The operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl index 9d714fa..21352f3 100644 --- a/stix/core-objects/sdo/malware/malware.owl +++ b/stix/core-objects/sdo/malware/malware.owl 
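Review bot: The hunk renames `analysis_sco_refs_id` to `analysis_sco_refs_string` and `sample_ref_id` to `sample_ref_string`; if the property IRIs changed with the labels (the rdf:about attributes are not visible in the collapsed diff), every existing graph or query that used the old IRIs silently stops matching. The usual OWL practice is to keep the old term with `owl:deprecated true` and an `owl:equivalentProperty` pointing at the new one for at least one release, rather than deleting it. Separately, each `_string` property carries the identical rdfs:comment as its reference counterpart, so the comments never say why two properties exist; presumably the `_string` form holds the raw STIX identifier when the referenced SCO is not materialized in the graph, and one sentence to that effect, e.g. `Holds the STIX identifier as a literal; use this form when the referenced object is not present in the graph.`, would let a reader pick the right one without guessing.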
@@ -86,10 +86,71 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Malware - Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim.\n\nThe Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO.\n\nTo minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. + Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim. The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO. The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. 
Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides. To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. + + + name + A name used to identify the malware instance or family, as specified by the producer of the SDO. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead. + + + + + description + A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics. + + + + + aliases + Alternative names used to identify this malware or malware family. + + + + + first_seen + The time that the malware instance or family was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. + + + + last_seen + The time that the malware family or malware instance was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last_seen timestamp, the object may be updated to account for the new data. 
If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. + + + analysis_defintion_version Specifies the version of the analysis definitions used by the analysis tool (including AV tools). 
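Review bot: The context lines at the end of this hunk show a property labelled `analysis_defintion_version` (misspelled, and a Malware Analysis concept) still living in malware.owl, while the same commit adds the correctly spelled `analysis_definition_version` to malware-analysis.owl; the commit leaves the stray copy in place, so the ontology now carries two spellings of one property in two files. Either remove it from malware.owl or, if it is kept for compatibility, mark it `owl:deprecated true` and point it at the malware-analysis.owl term. The enclosing class element for Malware opens before this hunk and its remaining properties continue in the next hunk, so the fix may involve lines outside the visible range.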
@@ -104,167 +165,191 @@ architecture_execution_envs - Specifies the processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on.\n\nThe values for this property SHOULD come from the processor-architecture-ov open vocabulary. - - - - - alpha - - - arm - - - ia-64 - - - mips - - - powerpc - - - sparc - - - x86 - - - x86-64 - - - - - - - - - - - - - - - - - - - + The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. + + + + kill_chain_phases + The list of Kill Chain Phases for which this malware can be used. + + + + operating_system_ref + The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. + + + + + operating_system_ref_string + The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. + + + + + is_family + Specifies whether the object represents a malware family (if true) or a malware instance (if false). + + + + + malware_types + A set of categorizations for the malware being described. The values for this property SHOULD come from the malware-type-ov open vocabulary. + + + + + implementation_languages + The programming language(s) used to implement the malware instance or family. The values for this property SHOULD come from the implementation-language-ov open vocabulary. + + + + + architecture_execution_envs + The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. 
+ + + capabilities - Specifies any of the capabilities identified for the malware instance or family.\n\nThe values for this property SHOULD come from the malware-capabilities-ov open vocabulary. + Any of the capabilities identified for the malware instance or family. The values for this property SHOULD come from the malware-capabilities-ov open vocabulary. + + + + + sample_refs + The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. + + + + + + + + + + + + + sample_refs_string + The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. + + + + + malware-capabilities-ov + - accesses-remote-machinesstix:Software + accesses-remote-machines - anti-debuggingstix:Software + anti-debugging - anti-disassemblystix:Software + anti-disassembly - anti-emulationstix:Software + anti-emulation - anti-sandboxstix:Software + anti-sandbox - anti-vmstix:Software + anti-vm - antimemory-forensicsstix:Software + antimemory-forensics - captures-input-peripheralsstix:Software + captures-input-peripherals - captures-outputperipheralsstix:Software + captures-outputperipherals - captures-system-state-datastix:Software + captures-system-state-data - cleans-traces-of-infectionstix:Software + cleans-traces-of-infection - commits-fraudstix:Software + commits-fraud - communicates-with-c2stix:Software + communicates-with-c2 - compromises-data-availabilitystix:Software + compromises-data-availability - compromises-data-integritystix:Software + compromises-data-integrity - compromises-system-availabilitystix:Software + compromises-system-availability - controls-local-machinestix:Software + controls-local-machine - 
degrades-security-softwarestix:Software + degrades-security-software - degrades-system-updatesstix:Software + degrades-system-updates - determines-c2-serverstix:Software + determines-c2-server - emails-spamstix:Software + emails-spam - escalates-privilegesstix:Software + escalates-privileges - evades-avstix:Software + evades-av - exfiltrates-datastix:Software + exfiltrates-data - fingerprints-hoststix:Software + fingerprints-host - hides-artifactsstix:Software + hides-artifacts - hides-executing-codestix:Software + hides-executing-code - infects-filesstix:Software + infects-files - infects-remote-machinesstix:Software + infects-remote-machines - installs-other-componentsstix:Software + installs-other-components - persists-aftersystem-rebootstix:Software + persists-aftersystem-reboot - prevents-artifact-accessstix:Software + prevents-artifact-access - prevents-artifact-deletionstix:Software + prevents-artifact-deletion - probes-networkenvironmentstix:Software + probes-networkenvironment - self-modifiesstix:Software + self-modifies - steals-authentication-credentialsstix:Software + steals-authentication-credentials violates-systemoperational-integrity 
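Review bot: Several malware-capabilities-ov members added on the new side of this hunk drop a hyphen relative to the STIX 2.1 open vocabulary — `antimemory-forensics`, `captures-outputperipherals`, `persists-aftersystem-reboot` and `probes-networkenvironment` (the unchanged context value `violates-systemoperational-integrity` has the same problem) — so spec-conformant `anti-memory-forensics`, `captures-output-peripherals`, `persists-after-system-reboot`, `probes-network-environment` and `violates-system-operational-integrity` values in ingested Malware objects will not resolve against this ontology and capability tagging will silently miss. The new `operating_system_ref` property is singular, yet its comment still speaks of "operating systems" and the STIX 2.1 JSON property it appears to replace is `operating_system_refs`, which a later hunk of this file removes; if the rename is intentional the JSON-LD mapping should document it, otherwise keep the plural name so the context definition round-trips spec data. `architecture_execution_envs` also looks to be declared twice on the new side, once at the top of the hunk and again just before `capabilities`; one of the two should go.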
@@ -344,31 +429,12 @@ - - - - - configuration_version - Specifies the named configuration of additional product configuration parameters for this analysis run. - - - - - host_vm_ref - Specifies a reference to a Software object used to describe the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family.\n\nIf this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted.\n\nThe value of this property MUST be a reference to a SCO Software object. - - - - - host_vm_ref_id - Specifies the identifier to a Software object used to describe the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family.\n\nIf this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted.\n\nThe value of this property MUST be the identifier of a SCO Software object. - - - - - implementation_languages - Specifies the programming language(s) used to implement the malware instance or family.\n\nThe values for this property SHOULD come from the implementation-language-ov open vocabulary. - + + + + + implementation-language-ov + 
@@ -477,31 +543,12 @@ - - - - - installed_software_refs - Specifies references to SCO Software objects that represents any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family.\n\nThe value of this property MUST be references to SCO software objects. - - - - - installed_software_refs_id - Specifies identifiers of SCO Software objects that represents any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family.\n\nThe value of this property MUST be identifiers of SCO software objects. - - - - - is_family - Specifies whether the object represents a malware family (if true) or a malware instance (if false). - - - - - malware_types - Specifies a set of categorizations for the malware being described.\n\nThe values for this property SHOULD come from the malware-type-ov open vocabulary. - + + + + + malware-type-ov + 
@@ -615,63 +662,46 @@ - - - - - modules - Specifies the specific analysis modules that were used and configured in the product during this analysis run. - - - - - operating_system_ref - Specifies a reference to a SCO Software object that represents the operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be a reference to a SCO Software object. - - - - - operating_system_ref_id - Specifies the identifier of a SCO Software object that represents the operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be the identifier a SCO Software object. - - - - - operating_system_refs - Specifies a reference to a SCO Software object that represents the operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be a references to SCO Software objects. - - - - - operating_system_refs_id - Specifies identifiers of SCO Software objects that represents the operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal.\n\nThe value of this property MUST be identifiers of SCO Software objects. - - - - - product - Specifies the name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-".\n\nFor cases where the name of a product cannot be specified, a value of "anonymized" MUST be used. - - - - - result - Specifies the classification result as determined by the scanner or tool analysis process.\n\nThe value for this property SHOULD come from the malware-result-ov open vocabulary. 
- + + + + + processor-architecture-ov + - benign + alpha - malicious + arm - suspicious + ia-64 - unknown - + mips + + + powerpc + + + sparc + + + x86 + + + x86-64 + + + + + + + + + @@ -681,19 +711,7 @@ - - - - - result_name - Specifies the classification result or name assigned to the malware instance by the scanner tool. - - - - - version - Specifies the version of the analysis product that was used to perform the analysis. - - + + \ No newline at end of file diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl index 6b2e2a8..444ec05 100644 --- a/stix/core-objects/sdo/note/note.owl +++ b/stix/core-objects/sdo/note/note.owl @@ -18,7 +18,6 @@ - 2.1.0 
@@ -42,32 +41,50 @@ + + + + + + + + + + + + Note - A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). + A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum. Because Notes are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. - abstract - A brief summary of the content. + abstract + A brief summary of the note content. - authors - Specifies a list of the names of the author(s) of the content. + authors + The name of the author(s) of this note (e.g., the analyst(s) that created it). - content - Specifies the content of the note. + content + The content of the note. - object_refs - Specifies a list of STIX Objects that are referred to by this entity. + object_refs + The STIX Objects that the note is being applied to. + + object_refs_string + The STIX Objects that the note is being applied to. + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/observed-data/observed-data.owl b/stix/core-objects/sdo/observed-data/observed-data.owl index c2ef165..c34b6ad 100644 --- a/stix/core-objects/sdo/observed-data/observed-data.owl 
+++ b/stix/core-objects/sdo/observed-data/observed-data.owl 
@@ -18,38 +18,88 @@ - 2.1.0 - - ObservedData - Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Observed Data + Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, Observed Data can capture information about an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply the raw information without any context for what it means. \n\n Observed Data can capture that a piece of information was seen one or more times. Meaning, it can capture both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data represents a single entity. When the number_observed property is greater than 1, the Observed Data represents several instances of an entity potentially collected over a period of time. If a time window is known, that can be captured using the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some properties in the SCO (e.g., timestamp properties) will be omitted because they would differ for each of the individual observations. \n\n Observed Data may be used by itself (without relationships) to convey raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools. An intelligence producer conveying Observed Data SHOULD include as much context (e.g. SCOs) as possible that supports the use of the observed data set in systems expecting to utilize the Observed Data for improved security. 
This includes all SCOs that matched on an Indicator pattern and are represented in the collected observed event (or events) being conveyed in the Observed Data object. For example, a firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window. A sandbox could emit an Observed Data instance containing a file hash that it discovered. \n\n Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. For example, the Sighting Relationship object, can relate an Indicator, Malware, or other SDO to a specific Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).\n\nTo support backwards compatibility, related SCOs can still be specified using the objects properties, Either the objects property or the object_refs property MUST be provided, but both MUST NOT be present at the same time. first_observed - The beginning of the date and time window during which the data was seen. + The beginning of the time window during which the data was seen. last_observed - The end of the date and time window during which the data was seen. + The end of the time window during which the data was seen. This MUST be greater than or equal to the timestamp in the first_observed property. number_observed - The number of times that each Cyber-observable object represented in the objects or object_ref property was seen. If present, this MUST be an integer between 1 and 999,999,999 inclusive.\n\nIf the number_observed property is greater than 1, the data contained in the objects or object_refs property was seen multiple times. 
In these cases, object creators MAY omit properties of the SCO (such as timestamps) that are specific to a single instance of that observed data. + The number of times that each Cyber-observable object represented in the objects or object_ref property was seen. If present, this MUST be an integer between 1 and 999,999,999 inclusive. If the number_observed property is greater than 1, the data contained in the objects or object_refs property was seen multiple times. In these cases, object creators MAY omit properties of the SCO (such as timestamps) that are specific to a single instance of that observed data. - + objects - A dictionary of SCO representing the observation. The dictionary MUST contain at least one object.\n\nThe cyber observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance.\n\nThis property MUST NOT be present if object_refs is provided. + A dictionary of SCO representing the observation. The dictionary MUST contain at least one object. The cyber observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance. This property MUST NOT be present if object_refs is provided. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. NOTE: this property is now deprecated in favor of object_refs and will be removed in a future version. true - + + + + + object_refs + A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. 
The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided. + + + + + + object_refs_string + A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/opinion/opinion.owl b/stix/core-objects/sdo/opinion/opinion.owl index 9d6c825..1bf1b7f 100644 --- a/stix/core-objects/sdo/opinion/opinion.owl +++ b/stix/core-objects/sdo/opinion/opinion.owl @@ -18,7 +18,6 @@ - 2.1.0 
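Review bot: `object_refs_string` carries the same comment as `object_refs`, so nothing tells a reader how the two properties differ or when a producer should populate one rather than the other. Presumably `object_refs` holds the resolved SCO/SRO node while `object_refs_string` holds the raw STIX identifier string; if so, say it, e.g. `Datatype form of object_refs: the raw STIX identifier strings from the JSON object_refs list, kept for round-tripping when the referenced SCO/SRO is not present in the graph.` — confirm that is the intent. The same verbatim pairing is introduced for note, opinion and report in this commit, so whatever wording is chosen should be applied to those files as well. Separately, `number_observed` states a 1..999,999,999 range only in prose; if its range is a bare xsd:integer, an xsd:minInclusive/xsd:maxInclusive-faceted datatype would let validators enforce the bound instead of relying on the comment.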
@@ -36,23 +35,61 @@ + + + + + + + + + + + + + + + + + + Opinion - An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. + An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. explanation - An explanation of why the producer has this Opinion. + An explanation of why the producer has this Opinion. 
For example, if an Opinion of strongly-disagree is given, the explanation can contain an explanation of why the Opinion producer disagrees and what evidence they have for their disagreement. - + + + authors + The name of the author(s) of this Opinion (e.g., the analyst(s) that created it). + + + + + object_refs + The STIX Objects that the Opinion is being applied to. + + + + + object_refs_string + The STIX Objects that the Opinion is being applied to. + + + opinion - opinion - Specifies he opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. - Specifies the opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. - - + The opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. The values of this property MUST come from the opinion-enum enumeration. + + + + + opinion-enum + @@ -81,7 +118,7 @@ - - + + \ No newline at end of file diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl index 29adc23..55ee78c 100644 --- a/stix/core-objects/sdo/report/report.owl +++ b/stix/core-objects/sdo/report/report.owl @@ -18,7 +18,6 @@ - 2.1.0 
@@ -48,14 +47,61 @@ + + + + + + + + + + + + Report Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. - + + + name + A name used to identify the Report. + + + + + description + A description that provides more details and context about the Report, potentially including its purpose and its key characteristics. + + + report_types - Specifies the primary type(s) of content found in this report.\n\nThe values for this property SHOULD come from the report-type-ov open vocabulary. - + The primary type(s) of content found in this report. The values for this property SHOULD come from the report-type-ov open vocabulary. + + + + + published + The date that this Report object was officially published by the creator of this report. The publication date (public release, legal release, etc.) may be different than the date the report was created or shared internally (the date in the created property). + + + + + object_refs + Specifies the STIX Objects that are referred to by this Report. + + + + + object_refs_string + Specifies the STIX Objects that are referred to by this Report. + + + + + report-type-ov + @@ -114,7 +160,8 @@ - - + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index de3672b..e190f98 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl @@ -6,6 +6,7 @@ + ]> + xmlns:xsd="http://www.w3.org/2001/XMLSchema#" + xmlns:vocab="http://docs.oasis-open.org/cti/ns/stix/vocabulary#"> - + 2.1.0 
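Review bot: The new `object_refs` and `object_refs_string` comments in report.owl open with `Specifies the STIX Objects that are referred to by this Report.`, while every other comment this hunk adds or rewrites drops the leading "Specifies" — the old `report_types` text is rewritten to `The primary type(s) of content found in this report.` a few lines above. Align them to `The STIX Objects that are referred to by this Report.` so the file reads consistently. As in the other SDO files in this commit, `object_refs_string` repeats the `object_refs` comment verbatim and leaves the difference between the two properties undocumented; a one-sentence note on what the `_string` form holds would help consumers of the JSON-LD mapping.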
@@ -103,43 +105,86 @@ Threat Actor - Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.\n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets.\n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. + + Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. \n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets. \n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. + + + name + A name used to identify this Threat Actor or Threat Actor group. + + + + + description + A description that provides more details and context about the Threat Actor, potentially including its purpose and its key characteristics. + + + aliases + A list of other names that this Threat Actor is believed to use. + + first_seen + The time that this Threat Actor was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. + goals - Specifies the high-level goals of this Intrusion Set, namely, what are they trying to do. 
For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. + The high-level goals of this Threat Actor, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. + last_seen + The time that this Threat Actor was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. + + personal_motivations + The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Personal motivation, which is independent of the organization's goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization's motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation's objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance. 
The values for this property SHOULD come from the attack-motivation-ov open vocabulary. + + primary_motivation + The primary reason, motivation, or purpose behind this Threat Actor. The motivation is why the Threat Actor wishes to achieve the goal (what they are trying to achieve). For example, a Threat Actor with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism. The value for this property SHOULD come from the attack-motivation-ov open vocabulary. + + resource_level + The organizational level at which this Threat Actor typically works, which in turn determines the resources available to this Threat Actor for use in an attack. This attribute is linked to the sophistication property — a specific resource level implies that the Threat Actor has access to at least a specific sophistication level. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. + + roles + A list of roles the Threat Actor plays. The values for this property SHOULD come from the threat-actor-role-ov open vocabulary. + + secondary_motivations + This property specifies the secondary reasons, motivations, or purposes behind this Threat Actor. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance. The value for this property SHOULD come from the attack-motivation-ov open vocabulary. + + sophistication + The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. The value for this property SHOULD come from the threat-actor-sophistication-ov open vocabulary. + + threat_actor_types + The type(s) of this threat actor. The values for this property SHOULD come from the threat-actor-type-ov open vocabulary. + \ No newline at end of file 
diff --git a/stix/core-objects/sdo/tool/tool.owl b/stix/core-objects/sdo/tool/tool.owl index 1799b8b..a74f514 100644 --- a/stix/core-objects/sdo/tool/tool.owl +++ b/stix/core-objects/sdo/tool/tool.owl @@ -18,7 +18,6 @@ - 2.1.0 
@@ -42,18 +41,67 @@ + + + + + + + + + + + + + + + + + + Tool - The Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool.\n\nTools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. + Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. \n\nThe Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool. \n\nThis SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterize tools used as part of a course of action in response to an attack. + + + name + The name used to identify the Tool. 
+ + - - - - + + description + A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics. + + + tool_types - Specifies the kind(s) of tool(s) being described.\n\nThe values for this property SHOULD come from the tool-type-ov open vocabulary. - + The kind(s) of tool(s) being described. The values for this property SHOULD come from the tool-type-ov open vocabulary. + + + + + aliases + Alternative names used to identify this Tool. + + + + + kill_chain_phases + The list of kill chain phases for which this Tool can be used. + + + + + tool_version + The version identifier associated with the Tool. + + + + + tool-type-ov + @@ -96,8 +144,8 @@ - - - + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/vulnerability/vulnerability.owl b/stix/core-objects/sdo/vulnerability/vulnerability.owl index 8558920..f0c2ef8 100644 --- a/stix/core-objects/sdo/vulnerability/vulnerability.owl +++ b/stix/core-objects/sdo/vulnerability/vulnerability.owl @@ -18,7 +18,6 @@ - 2.1.0 
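Review bot: The new `tool_types` comment joins the definition and the vocabulary clause on one line (`The kind(s) of tool(s) being described. The values for this property SHOULD come from the tool-type-ov open vocabulary.`), whereas the other comments in this series keep the spec's `\n\n` paragraph break before the SHOULD clause, so anything rendering rdfs:comment by paragraph will show this one differently; I would write `The kind(s) of tool(s) being described.\n\nThe values for this property SHOULD come from the tool-type-ov open vocabulary.`. The rewritten Tool class comment adds two normative statements (`This SDO MUST NOT be used to characterize malware` and not course-of-action tooling); the XML tags are stripped in this view, so I cannot tell whether a matching `owl:disjointWith` against the Malware class exists — if it does not, either add it or mark the sentence as a convention the ontology does not enforce. The removed lines in this hunk are not recoverable here and were not reviewed.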
@@ -37,7 +36,19 @@ Vulnerability - A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system.\n\nThe Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process. + A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system. \n\nCVE is a list of information security vulnerabilities and exposures that provides common names for publicly known problems [CVE]. For example, if a piece of malware exploits CVE-2015-12345, a Malware object could be linked to a Vulnerability object that references CVE-2015-12345. \n\nThe Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process. + + name + A name used to identify the Vulnerability. 
+ + + + + description + A description that provides more details and context about the Vulnerability, potentially including its purpose and its key characteristics. + + + \ No newline at end of file From bce02304c6f15bac564ca08bca59e9d3e2752eff Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Mon, 16 Jan 2023 15:27:06 +0100 Subject: [PATCH 24/70] Opened the STIX ontology in protege and corrected all issues regarding SDOs classes and properties. --- stix/catalog-v001.xml | 96 +++++++++---------- .../sco/email-message/email-message.owl | 5 +- stix/core-objects/sco/process/process.owl | 2 +- .../sdo/attack-pattern/attack-pattern.owl | 4 +- stix/core-objects/sdo/identity/identity.owl | 2 +- stix/core-objects/sdo/indicator/indicator.owl | 4 +- .../sdo/infrastructure/infrastructure.owl | 2 +- stix/core-objects/sdo/location/location.owl | 9 +- stix/core-objects/sdo/note/note.owl | 2 +- .../sdo/observed-data/observed-data.owl | 4 +- stix/core-objects/sdo/report/report.owl | 2 +- stix/vocabularies/vocab.owl | 39 ++++---- 12 files changed, 86 insertions(+), 85 deletions(-) diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml index bbc954d..f2fcf6e 100644 --- a/stix/catalog-v001.xml +++ b/stix/catalog-v001.xml @@ -3,53 +3,53 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl index 6e33371..48cfe70 100644 --- a/stix/core-objects/sco/email-message/email-message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl @@ -168,7 +168,8 @@ - + + @@ -218,7 +219,7 @@ body_multipart Specifies a list of the MIME parts that make up the email body. This property MUST NOT be used if is_multipart is false. - + 
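Review bot: The new Vulnerability class comment says a Malware object can be linked to a Vulnerability that "references CVE-2015-12345", but this hunk defines only `name` and `description`, so nothing tells a producer where the CVE identifier goes. In the STIX 2.1 specification that linkage is meant to ride on the common `external_references` property (`source_name` "cve", `external_id` the CVE ID), not on `name`; if that property lives in the shared core rather than vulnerability.owl, a pointer in this comment stops CVE IDs being dumped into free-text `name` where they cannot be matched reliably. Suggested addition to the class comment: `\n\nNOTE: a CVE identifier is conveyed via the common external_references property (source_name "cve", external_id "CVE-YYYY-NNNN"); name and description are free text.` The catalog and email-message hunks sharing this line have their XML tags stripped and were not reviewed.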
diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl index bdde030..62acfbc 100644 --- a/stix/core-objects/sco/process/process.owl +++ b/stix/core-objects/sco/process/process.owl @@ -73,7 +73,7 @@ - + diff --git a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl index 4611bb0..2427626 100644 --- a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl +++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl @@ -44,7 +44,7 @@ - + Attack Pattern @@ -72,7 +72,7 @@ kill_chain_phases The list of Kill Chain Phases for which this Attack Pattern is used. - + \ No newline at end of file diff --git a/stix/core-objects/sdo/identity/identity.owl b/stix/core-objects/sdo/identity/identity.owl index 90c4416..0bf78c4 100644 --- a/stix/core-objects/sdo/identity/identity.owl +++ b/stix/core-objects/sdo/identity/identity.owl @@ -72,7 +72,7 @@ identity_class The type of entity that this Identity describes, e.g., an individual or organization. The value for this property SHOULD come from the identity-class-ov open vocabulary. - + diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl index fc4bf77..cbb6692 100644 --- a/stix/core-objects/sdo/indicator/indicator.owl +++ b/stix/core-objects/sdo/indicator/indicator.owl @@ -74,7 +74,7 @@ - + Indicator @@ -215,7 +215,7 @@ kill_chain_phases The kill chain phase(s) to which this Indicator corresponds. - + \ No newline at end of file diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl index 84bf41d..f2d4cde 100644 --- a/stix/core-objects/sdo/infrastructure/infrastructure.owl +++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl @@ -62,7 +62,7 @@ - + Infrastructure diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl index ceb8921..f72a9a6 100644 
--- a/stix/core-objects/sdo/location/location.owl +++ b/stix/core-objects/sdo/location/location.owl @@ -15,7 +15,8 @@ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:stix="http://docs.oasis-open.org/cti/ns/stix#" - xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> + xmlns:xsd="http://www.w3.org/2001/XMLSchema#" + xmlns:vocab="http://docs.oasis-open.org/cti/ns/stix/vocabulary#"> 
@@ -91,8 +92,8 @@ - STIX Location - A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. + Location + A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. \n\n Locations are primarily used to give context to other SDOs. For example, a Location could be used in a relationship to describe that the Bourgeois Swallow intrusion set originates from Eastern Europe. \n\n The Location SDO can be related to an Identity or Intrusion Set to indicate that the identity or intrusion set is located in that location. It can also be related from a malware or attack pattern to indicate that they target victims in that location. The Location object describes geographic areas, not governments, even in cases where that area might have a government. For example, a Location representing the United States describes the United States as a geographic area, not the federal government of the United States. \n\n At least one of the following properties/sets of properties MUST be provided: region, country, latitude and longitude. \n\n When a combination of properties is provided (e.g. a region and a latitude and longitude) the more precise properties are what the location describes. In other words, if a location contains both a region of northern-america and a country of us, then the location describes the United States, not all of North America. In cases where a latitude and longitude are specified without a precision, the location describes the most precise other value. \n\n If precision is specified, then the datum for latitude and longitude MUST be WGS 84 [WGS84]. 
Organizations specifying a designated location using latitude and longitude SHOULD specify the precision which is appropriate for the scope of the location being identified. The scope is defined by the boundary as outlined by the precision around the coordinates. @@ -170,7 +171,7 @@ region The region that this Location describes. The value for this property SHOULD come from the region-ov open vocabulary. - + \ No newline at end of file diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl index 444ec05..bc114de 100644 --- a/stix/core-objects/sdo/note/note.owl +++ b/stix/core-objects/sdo/note/note.owl @@ -44,7 +44,7 @@ - + diff --git a/stix/core-objects/sdo/observed-data/observed-data.owl b/stix/core-objects/sdo/observed-data/observed-data.owl index c34b6ad..113f681 100644 --- a/stix/core-objects/sdo/observed-data/observed-data.owl +++ b/stix/core-objects/sdo/observed-data/observed-data.owl @@ -82,12 +82,12 @@ - + objects A dictionary of SCO representing the observation. The dictionary MUST contain at least one object. The cyber observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance. This property MUST NOT be present if object_refs is provided. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. NOTE: this property is now deprecated in favor of object_refs and will be removed in a future version. true - + object_refs diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl index 55ee78c..cd8bc33 100644 --- a/stix/core-objects/sdo/report/report.owl +++ b/stix/core-objects/sdo/report/report.owl @@ -50,7 +50,7 @@ - + 
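Review bot: The expanded Location comment carries two normative rules as prose only: `At least one of the following properties/sets of properties MUST be provided: region, country, latitude and longitude` and `If precision is specified, then the datum for latitude and longitude MUST be WGS 84`. The first is directly expressible in OWL as a class axiom (a union of `someValuesFrom` restrictions over region, country, and latitude-plus-longitude) so a reasoner or validator enforces it instead of a reader; the tags are stripped in this view, so I cannot see whether such an axiom already exists in location.owl. If it does not, add it or qualify the sentence with `(not enforced by this ontology)`. Separately, the new text uses ` \n\n ` with spaces around the paragraph markers while the rest of the series uses a bare `\n\n`, which will leak stray spaces into rendered output. The spec also requires latitude and longitude to be present whenever precision is given; that companion MUST belongs on the property comments, which are outside this hunk — worth confirming it is there.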
diff --git a/stix/vocabularies/vocab.owl b/stix/vocabularies/vocab.owl index 53d9ea6..ac51482 100644 --- a/stix/vocabularies/vocab.owl +++ b/stix/vocabularies/vocab.owl @@ -2105,7 +2105,7 @@ - + personal_motivations The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals.\n\nPersonal motivation, which is independent of the organization’s goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization’s motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation’s objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance.\n\nThe values for this property SHOULD come from the attack-motivation-ov open vocabulary. @@ -2163,9 +2163,9 @@ - + - + primary_motivation Specifies the primary reason, motivation, or purpose behind this Intrusion Set. The motivation is why the Intrusion Set wishes to achieve the goal (what they are trying to achieve).\n\nThe value for this property SHOULD come from the attack-motivation-ov open vocabulary. @@ -2223,12 +2223,11 @@ - + - - region - The region that this Location describes.\n\nThe value for this property SHOULD come from the region-ov open vocabulary. - + + region-ov + @@ -2377,10 +2376,10 @@ - - + + - + resource_level Specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack.\n\nThe value for this property SHOULD come from the attack-resource-level-ov open vocabulary. 
@@ -2418,9 +2417,9 @@ - + - + roles Specifies a list of roles the Threat Actor plays.\n\nThe values for this property SHOULD come from the threat-actor-role-ov open vocabulary. @@ -2463,9 +2462,9 @@ - + - + secondary_motivations Specifies the secondary reasons, motivations, or purposes behind this Intrusion Set. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance.\n\nThe values for this property SHOULD come from the attack-motivation-ov open vocabulary. @@ -2523,9 +2522,9 @@ - + - + sophistication Specifies the skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack.\n\nThe value for this property SHOULD come from the threat-actor-sophistication-ov open vocabulary. @@ -2568,9 +2567,9 @@ - + - + threat_actor_types Specifies the type(s) of this threat actor.\n\nThe values for this property SHOULD come from the threat-actor-type-ov open vocabulary. @@ -2638,6 +2637,6 @@ - + \ No newline at end of file From cce2774eb5822d55ae918848bb66793c8a665eeb Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Tue, 17 Jan 2023 13:32:43 +0100 Subject: [PATCH 25/70] trying to run rdf-toolkit --- stix/core-objects/sdo/malware/malware.owl | 477 +++++++++++----------- 1 file changed, 236 insertions(+), 241 deletions(-) diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl index 21352f3..8c7ee0e 100644 --- a/stix/core-objects/sdo/malware/malware.owl +++ b/stix/core-objects/sdo/malware/malware.owl 
@@ -24,6 +24,120 @@ 2.1.0 + + implementation-language-ov + + + + + applescript + + + bash + + + c + + + c# + + + c++ + + + go + + + java + + + javascript + + + lua + + + objective-c + + + perl + + + php + + + powershell + + + python + + + ruby + + + scala + + + swift + + + typescript + + + visual-basic + + + x86-32 + + + x86-64 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -68,6 +182,12 @@ + + + + + + @@ -86,12 +206,6 @@ - - - - - - @@ -107,8 +221,8 @@ - + 
@@ -118,126 +232,9 @@ Malware - Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim. The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO. The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides. To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. + Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim. 
The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO. The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides. To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. - - - name - A name used to identify the malware instance or family, as specified by the producer of the SDO. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead. - - - - - description - A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics. - - - - - aliases - Alternative names used to identify this malware or malware family. - - - - - first_seen - The time that the malware instance or family was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. 
If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - - - - - last_seen - The time that the malware family or malware instance was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last_seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. - - - - - analysis_defintion_version - Specifies the version of the analysis definitions used by the analysis tool (including AV tools). - - - - - analysis_engine_version - Specifies the version of the analysis engine or product (including AV engines) that was used to perform the analysis. - - - - - architecture_execution_envs - The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. - - - - - kill_chain_phases - The list of Kill Chain Phases for which this malware can be used. - - - - - operating_system_ref - The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. - - - - - operating_system_ref_string - The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. - - - - - is_family - Specifies whether the object represents a malware family (if true) or a malware instance (if false). 
- - - - - malware_types - A set of categorizations for the malware being described. The values for this property SHOULD come from the malware-type-ov open vocabulary. - - - - - implementation_languages - The programming language(s) used to implement the malware instance or family. The values for this property SHOULD come from the implementation-language-ov open vocabulary. - - - - - architecture_execution_envs - The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. - - - - - capabilities - Any of the capabilities identified for the malware instance or family. The values for this property SHOULD come from the malware-capabilities-ov open vocabulary. - - - - - sample_refs - The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. - - - - - - - - - - - - - sample_refs_string - The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. - - - malware-capabilities-ov @@ -431,121 +428,7 @@ - - - implementation-language-ov - - - - - applescript - - - bash - - - c - - - c# - - - c++ - - - go - - - java - - - javascript - - - lua - - - objective-c - - - perl - - - php - - - powershell - - - python - - - ruby - - - scala - - - swift - - - typescript - - - visual-basic - - - x86-32 - - - x86-64 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + malware-type-ov @@ -664,7 +547,7 @@ - + processor-architecture-ov 
@@ -713,5 +596,117 @@ + + + aliases + Alternative names used to identify this malware or malware family. + + + + + analysis_defintion_version + Specifies the version of the analysis definitions used by the analysis tool (including AV tools). + + + + + analysis_engine_version + Specifies the version of the analysis engine or product (including AV engines) that was used to perform the analysis. + + + + + architecture_execution_envs + The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. + + + + + + capabilities + Any of the capabilities identified for the malware instance or family. The values for this property SHOULD come from the malware-capabilities-ov open vocabulary. + + + + + description + A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics. + + + + + first_seen + The time that the malware instance or family was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. + + + + + implementation_languages + The programming language(s) used to implement the malware instance or family. The values for this property SHOULD come from the implementation-language-ov open vocabulary. + + + + + is_family + Specifies whether the object represents a malware family (if true) or a malware instance (if false). + + + + + kill_chain_phases + The list of Kill Chain Phases for which this malware can be used. + + + + + last_seen + The time that the malware family or malware instance was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. 
If new sightings are received that are later than the last_seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. + + + + + malware_types + A set of categorizations for the malware being described. The values for this property SHOULD come from the malware-type-ov open vocabulary. + + + + + name + A name used to identify the malware instance or family, as specified by the producer of the SDO. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead. + + + + + operating_system_ref_string + The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. + + + + + operating_system_ref + The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. + + + + + sample_refs + The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. + + + + + + + + + + + + + + sample_refs_string + The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. + + \ No newline at end of file From c33acd9ed2cb9208fd47cbd21114c9ce82c706bb Mon Sep 17 00:00:00 2001 
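Review bot: The relocated property block still carries the misspelling `analysis_defintion_version` (`defintion`), and since this commit already rewrites every one of these lines it is the cheapest moment to correct it to `analysis_definition_version`; if the typo is also in the property IRI (not visible with the tags stripped), rename it and keep the old IRI as a deprecated `owl:equivalentProperty` alias so existing data still resolves. Two spec-alignment points on the same block: the STIX 2.1 Malware SDO property is `operating_system_refs` (a list of identifiers), not the singular `operating_system_ref` defined here, and `analysis_engine_version` / `analysis_definition_version` are Malware Analysis SDO properties, so this group looks like a copy from malware-analysis — confirm the intended domain before the context file in this series maps them. Also `operating_system_ref_string` and `sample_refs_string` repeat the `MUST be the identifier` wording of their `_ref` counterparts; if they are the plain-literal fallbacks their comments should say so, e.g. `String form of operating_system_ref for data whose SCO identifiers cannot be resolved.`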
From: Mateusz Zych Date: Tue, 17 Jan 2023 14:47:23 +0100 Subject: [PATCH 26/70] Went through SROs. Added missing class and property definitions. --- .../sro/relationship/relationship.owl | 79 ++++++++++-- .../sro/relationship/sro-props.owl | 3 + stix/core-objects/sro/sighting/sighting.owl | 122 +++++++++++++++--- 3 files changed, 175 insertions(+), 29 deletions(-) diff --git a/stix/core-objects/sro/relationship/relationship.owl b/stix/core-objects/sro/relationship/relationship.owl index 34e0fb7..3b21a35 100644 --- a/stix/core-objects/sro/relationship/relationship.owl +++ b/stix/core-objects/sro/relationship/relationship.owl 
@@ -17,56 +17,113 @@ - 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Relationship - The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". + The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". \n\n STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition. \n\n STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a user-defined name they determined) to indicate more detail. \n\n Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that campaign. 
While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX. relationship_type - The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a–z (lowercase ASCII), 0–9, and hyphen (-). + The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a-z (lowercase ASCII), 0-9, and hyphen (-). + + + + + description + A description that provides more details and context about the Relationship, potentially including its purpose and its key characteristics. source_ref - Specifies a reference to the source (from) object. The value MUST be a reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + - - source_ref_id - Specifies the identifier of the source (from) object. The value MUST be the identifier of a SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + + source_ref_string + The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). 
start_time - Represents the earliest date and time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the start_time property is defined, then this represents an estimate by the producer of the intelligence of the earliest time at which relationship will be asserted to be true.\n\nIf it is not specified, then the earliest time at which the relationship between the objects exists is not defined. + This optional timestamp represents the earliest time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the start_time property is defined, then this represents an estimate by the producer of the intelligence of the earliest time at which relationship will be asserted to be true. If it is not specified, then the earliest time at which the relationship between the objects exists is not defined. stop_time - Specifies the latest date and time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the stop_time property is defined, then this represents an estimate by the producer of the intelligence of the latest time at which relationship will be asserted to be true.\n\nIf start_time and stop_time are both defined, then stop_time MUST be later than the start_time value.\n\nIf stop_time is not specified, then the latest time at which the relationship between the objects exists is either not known, not disclosed, or has no defined stop time. + The latest time at which the Relationship between the objects exists. If this property is a future timestamp, at the time the stop_time property is defined, then this represents an estimate by the producer of the intelligence of the latest time at which relationship will be asserted to be true. If start_time and stop_time are both defined, then stop_time MUST be later than the start_time value. 
If stop_time is not specified, then the latest time at which the relationship between the objects exists is either not known, not disclosed, or has no defined stop time. target_ref - Specifies a reference to the target (to) object. The value MUST be reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + target_ref_id - Specifies the identifier of the target (to) object. The value MUST be the identifier of a SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). diff --git a/stix/core-objects/sro/relationship/sro-props.owl b/stix/core-objects/sro/relationship/sro-props.owl index b6b8d23..2c10ad9 100644 --- a/stix/core-objects/sro/relationship/sro-props.owl +++ b/stix/core-objects/sro/relationship/sro-props.owl @@ -72,6 +72,9 @@ + + + diff --git a/stix/core-objects/sro/sighting/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl index d8c410a..81536e9 100644 --- a/stix/core-objects/sro/sighting/sighting.owl +++ b/stix/core-objects/sro/sighting/sighting.owl @@ -17,7 +17,7 @@ - + 2.1.0 
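Review bot: The rename of `source_ref_id` to `source_ref_string` in this relationship.owl hunk is not mirrored for `target_ref_id`, which keeps its old label while receiving the new "The id of the target (to) object" wording, so the two string-valued reference properties of the same class now follow different naming schemes. The sighting.owl hunks in this commit consistently use the `_string` suffix (observed_data_refs_string, sighting_of_ref_string, where_sighted_refs_string), so `target_ref_string` would appear to be the intended name here too. Separately, `source_ref_string` carries exactly the same comment text as `source_ref`, which leaves a reader unable to tell the literal-valued property from the object-reference one; a comment such as `String form of the source (from) object's STIX identifier; see source_ref for the object-valued reference.` would make the distinction explicit, and the same duplication recurs for the `_string` properties in sighting.owl. Only element text survives in this view, so the surrounding RDF/XML declarations could not be checked.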
@@ -25,48 +25,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Sighting - A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior.\n\nThe Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. + A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. 
\n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". + + description + A description that provides more details and context about the Sighting. + + + + + first_seen + The beginning of the time window during which the SDO referenced by the sighting_of_ref property was sighted. + + + + + last_seen + The end of the time window during which the SDO referenced by the sighting_of_ref property was sighted. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. 
+ + + - count - Specifies a count of the number of times the something occurred. + count + If present, this MUST be an integer between 0 and 999,999,999 inclusive and represents the number of times the SDO referenced by the sighting_of_ref property was sighted. Observed Data has a similar property called number_observed, which refers to the number of times the data was observed. These counts refer to different concepts and are distinct. For example, a single sighting of a DDoS bot might have many millions of observations of the network traffic that it generates. Thus, the Sighting count would be 1 (the bot was observed once) but the Observed Data number_observed would be much higher. As another example, a sighting with a count of 0 can be used to express that an indicator was not seen at all. observed_data_refs - Specifies a list of references to the Observed Data objects that contain the raw cyber data for this Sighting. + A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. For example, a Sighting of an Indicator with an IP address could include the Observed Data for the network connection that the Indicator was used to detect. This property MUST reference only Observed Data SDOs. - - observed_data_refs_id - Specifies a list of identifiers of the Observed Data objects that contain the raw cyber data for this Sighting. + + observed_data_refs_string + A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. For example, a Sighting of an Indicator with an IP address could include the Observed Data for the network connection that the Indicator was used to detect. This property MUST reference only Observed Data SDOs. sighting_of_ref - Specifies a reference to the SDO that was sighted (e.g., Indicator or Malware). + An ID reference to the SDO that was sighted (e.g., Indicator or Malware). 
For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. + - - sighting_of_ref_id - Specifies the identifier of the SDO that was sighted (e.g., Indicator or Malware). + + sighting_of_ref_string + An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. summary - Indicates whether the Sighting should be considered summary data. Summary data is an aggregation of previous Sightings reports and should not be considered primary source data. Default value is false. - + The summary property indicates whether the Sighting should be considered summary data. Summary data is an aggregation of previous Sightings reports and should not be considered primary source data. Default value is false. + false where_sighted_refs - Specifies a list of references to the Identity or Location objects describing the entities or types of entities that saw the sighting.\n\nOmitting the where_sighted_refs property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs.\n\nThis property MUST reference only Identity or Location SDOs. + A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting. Omitting the where_sighted_refs property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs. This property MUST reference only Identity or Location SDOs. 
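Review bot: The new `count` comment states that the value "MUST be an integer between 0 and 999,999,999 inclusive", but nothing in this hunk shows that bound being expressed as a datatype restriction, so the constraint is documentation only and a reasoner will accept any integer. If the property's range is a bare `xsd:integer` (the markup is not visible here, so this is inferred), a datatype restriction with `xsd:minInclusive` 0 and `xsd:maxInclusive` 999999999 would make the rule machine-checkable and keep the ontology aligned with the prose it quotes. The added default of `false` for `summary` is consistent with its description and is fine as written.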
@@ -79,9 +165,9 @@ - - where_sighted_refs_id - Specifies a list of identifiers of the Identity or Location objects describing the entities or types of entities that saw the sighting.\n\nOmitting the where_sighted_refs_id property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs_id.\n\nThis property MUST refer to only Identity or Location SDOs + + where_sighted_refs_string + A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting. Omitting the where_sighted_refs_string property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs_string. This property MUST reference only Identity or Location SDOs. From 69a44ad0abe368bd175af66f999e0e4102649c1f Mon Sep 17 00:00:00 2001 
From: Mateusz Zych Date: Wed, 18 Jan 2023 22:10:18 +0100 Subject: [PATCH 27/70] Touching every file to trigger rdf-toolkit --- .../sdo/attack-pattern/attack-pattern.owl | 22 +- stix/core-objects/sdo/campaign/campaign.owl | 22 +- .../sdo/course-of-action/course-of-action.owl | 12 +- stix/core-objects/sdo/grouping/grouping.owl | 12 +- stix/core-objects/sdo/identity/identity.owl | 74 ++--- stix/core-objects/sdo/incident/incident.owl | 12 +- stix/core-objects/sdo/indicator/indicator.owl | 88 ++--- .../sdo/infrastructure/infrastructure.owl | 98 +++--- .../sdo/intrusion-set/intrusion-set.owl | 56 ++-- stix/core-objects/sdo/location/location.owl | 42 +-- .../sdo/malware-analysis/malware-analysis.owl | 168 +++++----- stix/core-objects/sdo/note/note.owl | 4 +- .../sdo/observed-data/observed-data.owl | 28 +- stix/core-objects/sdo/opinion/opinion.owl | 74 ++--- stix/core-objects/sdo/report/report.owl | 87 +++-- .../sdo/threat-actor/threat-actor.owl | 31 +- stix/core-objects/sdo/tool/tool.owl | 88 ++--- .../sdo/vulnerability/vulnerability.owl | 12 +- stix/vocabularies/vocab.owl | 308 +++++++++--------- 19 files changed, 618 insertions(+), 620 deletions(-) diff --git a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl index 2427626..6495732 100644 --- a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl +++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl 
@@ -37,26 +37,20 @@ - - + + - - + + Attack Pattern - Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. + Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. - - name - A name used to identify the Attack Pattern. - - - aliases Alternative names used to identify this Attack Pattern. 
@@ -74,5 +68,11 @@ The list of Kill Chain Phases for which this Attack Pattern is used. + + + name + A name used to identify the Attack Pattern. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/campaign/campaign.owl b/stix/core-objects/sdo/campaign/campaign.owl index 3cea258..c44415c 100644 --- a/stix/core-objects/sdo/campaign/campaign.owl +++ b/stix/core-objects/sdo/campaign/campaign.owl 
@@ -60,12 +60,12 @@ Campaign - A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. + A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. 
For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. - - name - A name used to identify the Campaign. + + aliases + Alternative names used to identify this Campaign. @@ -75,12 +75,6 @@ - - aliases - Alternative names used to identify this Campaign. - - - first_seen The time that this Campaign was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. @@ -93,9 +87,15 @@ + + name + A name used to identify the Campaign. + + + objective - Specifies the Campaign's primary goal, objective, desired outcome, or intended effect — what the Threat Actor or Intrusion Set hopes to accomplish with this Campaign. + Specifies the Campaign's primary goal, objective, desired outcome, or intended effect — what the Threat Actor or Intrusion Set hopes to accomplish with this Campaign. diff --git a/stix/core-objects/sdo/course-of-action/course-of-action.owl b/stix/core-objects/sdo/course-of-action/course-of-action.owl index 1d7974c..04a4fc2 100644 --- a/stix/core-objects/sdo/course-of-action/course-of-action.owl +++ b/stix/core-objects/sdo/course-of-action/course-of-action.owl 
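Review bot: The Campaign comment in this hunk still ends with the dangling fragment "another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use.", a duplicated tail of an earlier sentence that was present in the removed line and is carried over unchanged into the new one, so the commit touches the line without repairing it. The comment should end at `...an upcoming merger with another bank.` and the trailing "ey target, and the resources ... they use." should be dropped. The comment element itself spans two lines of this view (L398–L399).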
@@ -38,17 +38,17 @@ Course Of Action Note: The Course of Action object in STIX 2.1 is a stub. It is included to support basic use cases (such as sharing prose courses of action) but does not support the ability to represent automated courses of action or contain properties to represent metadata about courses of action. Future STIX 2 releases will expand it to include these capabilities. A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. The Course of Action SDO contains a textual description of the action; a reserved action property also serves as a placeholder for future inclusion of machine automatable courses of action. - - - name - A name used to identify the Course of Action. - - description A description that provides more details and context about the Course of Action, potentially including its purpose and its key characteristics. + + + name + A name used to identify the Course of Action. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl index 4d3a3ca..4d1b93f 100644 --- a/stix/core-objects/sdo/grouping/grouping.owl +++ b/stix/core-objects/sdo/grouping/grouping.owl @@ -82,12 +82,6 @@ - - - name - A name used to identify the Grouping. - - description @@ -95,6 +89,12 @@ + + name + A name used to identify the Grouping. + + + object_refs Specifies the STIX Objects that are referred to by this Grouping. diff --git a/stix/core-objects/sdo/identity/identity.owl b/stix/core-objects/sdo/identity/identity.owl index 0bf78c4..4278472 100644 --- a/stix/core-objects/sdo/identity/identity.owl +++ b/stix/core-objects/sdo/identity/identity.owl 
@@ -20,7 +20,7 @@ 2.1.0 - + @@ -63,18 +63,6 @@ Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. - - contact_information - The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification. - - - - - identity_class - The type of entity that this Identity describes, e.g., an individual or organization. The value for this property SHOULD come from the identity-class-ov open vocabulary. - - - identity-class-ov @@ -113,31 +101,7 @@ - - - name - The name of this Identity. When referring to a specific entity (e.g., an individual or organization), this property SHOULD contain the canonical name of the specific entity. - - - - description - A description that provides more details and context about the Identity, potentially including its purpose and its key characteristics. - - - - - roles - The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. - - - - - sectors - The list of industry sectors that this Identity belongs to. The values for this property SHOULD come from the industry-sector-ov open vocabulary. - - - industry-sector-ov 
@@ -316,5 +280,41 @@ + + + contact_information + The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification. + + + + + description + A description that provides more details and context about the Identity, potentially including its purpose and its key characteristics. + + + + + identity_class + The type of entity that this Identity describes, e.g., an individual or organization. The value for this property SHOULD come from the identity-class-ov open vocabulary. + + + + + name + The name of this Identity. When referring to a specific entity (e.g., an individual or organization), this property SHOULD contain the canonical name of the specific entity. + + + + + roles + The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. + + + + + sectors + The list of industry sectors that this Identity belongs to. The values for this property SHOULD come from the industry-sector-ov open vocabulary. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/incident/incident.owl b/stix/core-objects/sdo/incident/incident.owl index 75546ea..766a2fa 100644 --- a/stix/core-objects/sdo/incident/incident.owl +++ b/stix/core-objects/sdo/incident/incident.owl 
@@ -38,17 +38,17 @@ Incident Note: The Incident object in STIX 2.1 is a stub. It is included to support basic use cases but does not contain properties to represent metadata about incidents. Future STIX 2 releases will expand it to include these capabilities. It is suggested that it is used as an extension point for an Incident object defined using the extension facility described in section 7.3. - - - name - A name used to identify the Incident. - - description A description that provides more details and context about the Incident, potentially including its purpose and its key characteristics. + + + name + A name used to identify the Incident. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl index cbb6692..29cf397 100644 --- a/stix/core-objects/sdo/indicator/indicator.owl +++ b/stix/core-objects/sdo/indicator/indicator.owl @@ -35,6 +35,12 @@ + + + + + + 
@@ -71,34 +77,10 @@ - - - - - - Indicator Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. - - - name - A name used to identify the Indicator. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. - - - - description - A description that provides more details and context about the Indicator, potentially including its purpose and its key characteristics. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. - - - - - indicator types - A set of categorizations for this indicator. The values for this property SHOULD come from the indicator-type-ov open vocabulary. - - - indicator-type-ov @@ -142,19 +124,7 @@ - - - pattern - The detection pattern for this Indicator MAY be expressed as a STIX Pattern as specified in section 9 or another appropriate language such as SNORT, YARA, etc. - - - - - pattern_type - The pattern language used in this indicator. The value for this property SHOULD come from the pattern-type-ov open vocabulary. The value of this property MUST match the type of pattern data included in the pattern property. - - - + pattern-type-ov 
@@ -194,9 +164,45 @@ + + description + A description that provides more details and context about the Indicator, potentially including its purpose and its key characteristics. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. + + + + + indicator types + A set of categorizations for this indicator. The values for this property SHOULD come from the indicator-type-ov open vocabulary. + + + + + kill_chain_phases + The kill chain phase(s) to which this Indicator corresponds. + + + + + name + A name used to identify the Indicator. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. + + + + + pattern + The detection pattern for this Indicator MAY be expressed as a STIX Pattern as specified in section 9 or another appropriate language such as SNORT, YARA, etc. + + + + + pattern_type + The pattern language used in this indicator. The value for this property SHOULD come from the pattern-type-ov open vocabulary. The value of this property MUST match the type of pattern data included in the pattern property. + + + pattern_version - The version of the pattern language that is used for the data in the pattern property which MUST match the type of pattern data included in the pattern property. For patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used. For the STIX Pattern language, the default value is determined by the specification version of the object. For other languages, the default value SHOULD be the latest version of the patterning language at the time of this object's creation. + The version of the pattern language that is used for the data in the pattern property which MUST match the type of pattern data included in the pattern property. 
For patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used. For the STIX Pattern language, the default value is determined by the specification version of the object. For other languages, the default value SHOULD be the latest version of the patterning language at the time of this object's creation. @@ -212,10 +218,4 @@ - - kill_chain_phases - The kill chain phase(s) to which this Indicator corresponds. - - - \ No newline at end of file diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl index f2d4cde..c751bc1 100644 --- a/stix/core-objects/sdo/infrastructure/infrastructure.owl +++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl 
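Review bot: The added restriction labelled `indicator types` uses a space where every other label in this hunk (`kill_chain_phases`, `pattern_type`, `pattern_version`) uses the STIX property name verbatim; the STIX 2.1 property is `indicator_types`, so the label should read `indicator_types` to keep the label-to-JSON mapping mechanical. The same space-separated label appears in the removed lines of the earlier hunk at -71,34, so the move preserved an existing inconsistency rather than introducing it. Separately, the rewritten `pattern_version` comment now appears to break across two lines inside the text node; if the line break is intentional it is harmless, but if it came from a wrapped paste it changes the literal value of the comment.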
@@ -49,68 +49,26 @@ - - + + - - + + - - + + Infrastructure The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure. - - - name - A name or characterizing text used to identify the Infrastructure. - - - - - description - A description that provides more details and context about the Infrastructure, potentially including its purpose, how it is being used, how it relates to other intelligence activities captured in related objects, and its key characteristics. - - - - - aliases - Alternative names used to identify this Infrastructure. - - - - - first_seen - The time that this Infrastructure was first seen performing malicious activities. - - - - - last_seen - The time that this Infrastructure was last seen performing malicious activities. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. - - - - - kill_chain_phases - The list of Kill Chain Phases for which this Infrastructure is used. - - - - - infrastructure_types - The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. - - - + infrastructure-type-ov 
@@ -174,5 +132,47 @@ + + + aliases + Alternative names used to identify this Infrastructure. + + + + + description + A description that provides more details and context about the Infrastructure, potentially including its purpose, how it is being used, how it relates to other intelligence activities captured in related objects, and its key characteristics. + + + + + first_seen + The time that this Infrastructure was first seen performing malicious activities. + + + + + infrastructure_types + The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. + + + + + kill_chain_phases + The list of Kill Chain Phases for which this Infrastructure is used. + + + + + last_seen + The time that this Infrastructure was last seen performing malicious activities. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. + + + + + name + A name or characterizing text used to identify the Infrastructure. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index 7073bc2..4f71daa 100644 --- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl @@ -5,8 +5,8 @@ - + ]> + xmlns:vocab="http://docs.oasis-open.org/cti/ns/stix/vocabulary#" + xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> 
@@ -83,55 +83,55 @@ Intrusion Set An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state. - - - name - A name used to identify this Intrusion Set. + + + aliases + Alternative names used to identify this Intrusion Set. - + description A description that provides more details and context about the Intrusion Set, potentially including its purpose and its key characteristics. - - - aliases - Alternative names used to identify this Intrusion Set. - - - + first_seen The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - + + + goals + The high-level goals of this Intrusion Set, namely, what are they trying to do. 
For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. Another example: to gain information about latest merger and IPO information from ACME Bank. + + + last_seen The time that this Intrusion Set was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. - - - goals - The high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. Another example: to gain information about latest merger and IPO information from ACME Bank. + + + name + A name used to identify this Intrusion Set. - - - resource_level - This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. - - - + primary_motivation The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. 
- + + + resource_level + This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. + + + secondary_motivations The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl index f72a9a6..cd470f5 100644 --- a/stix/core-objects/sdo/location/location.owl +++ b/stix/core-objects/sdo/location/location.owl @@ -5,8 +5,8 @@ - + ]> + xmlns:vocab="http://docs.oasis-open.org/cti/ns/stix/vocabulary#" + xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> 
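Review bot: The `primary_motivation` and `secondary_motivations` restrictions that this hunk reorders still carry the comment text of `first_seen` ("The time that this Intrusion Set was first seen. A summary property of data from sightings..."), which is plainly a copy-paste slip, and the reordering was the natural place to fix it. In STIX 2.1 `primary_motivation` is the primary reason or purpose behind the Intrusion Set and `secondary_motivations` the additional reasons, both drawing their values from the `attack-motivation-ov` open vocabulary, so a comment along the lines of `The primary reason, motivation, or purpose behind this Intrusion Set. The value for this property SHOULD come from the attack-motivation-ov open vocabulary.` would match the style of the `resource_level` comment above it. Whether those two comment lines are new-side or context cannot be confirmed here because the +/- markers were collapsed, but the text is present on the new side either way.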
@@ -96,18 +96,6 @@ A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. \n\n Locations are primarily used to give context to other SDOs. For example, a Location could be used in a relationship to describe that the Bourgeois Swallow intrusion set originates from Eastern Europe. \n\n The Location SDO can be related to an Identity or Intrusion Set to indicate that the identity or intrusion set is located in that location. It can also be related from a malware or attack pattern to indicate that they target victims in that location. The Location object describes geographic areas, not governments, even in cases where that area might have a government. For example, a Location representing the United States describes the United States as a geographic area, not the federal government of the United States. \n\n At least one of the following properties/sets of properties MUST be provided: region, country, latitude and longitude. \n\n When a combination of properties is provided (e.g. a region and a latitude and longitude) the more precise properties are what the location describes. In other words, if a location contains both a region of northern-america and a country of us, then the location describes the United States, not all of North America. In cases where a latitude and longitude are specified without a precision, the location describes the most precise other value. \n\n If precision is specified, then the datum for latitude and longitude MUST be WGS 84 [WGS84]. Organizations specifying a designated location using latitude and longitude SHOULD specify the precision which is appropriate for the scope of the location being identified. The scope is defined by the boundary as outlined by the precision around the coordinates. - - name - A name used to identify the Location. 
- - - - - description - A textual description of the Location. - - - administrative_area The state, province, or other sub-national administrative area that this Location describes. This property SHOULD contain a valid ISO 3166-2 Code [ISO3166-2]. @@ -132,6 +120,12 @@ + + description + A textual description of the Location. + + + latitude The latitude of the Location in decimal degrees. Positive numbers describe latitudes north of the equator, and negative numbers describe latitudes south of the equator. The value of this property MUST be between -90.0 and 90.0, inclusive. If the longitude property is present, this property MUST be present. @@ -144,6 +138,12 @@ + + name + A name used to identify the Location. + + + network details Specifies additional details about this network location including things like wiring closet, rack number, rack location, and VLANs. @@ -162,16 +162,16 @@ - - street_address - The street address that this Location describes. This property includes all aspects or parts of the street address. For example, some addresses may have multiple lines including a mailstop or apartment number. - - - region The region that this Location describes. The value for this property SHOULD come from the region-ov open vocabulary. + + + street_address + The street address that this Location describes. This property includes all aspects or parts of the street address. For example, some addresses may have multiple lines including a mailstop or apartment number. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl index e114e71..262e6fe 100644 --- a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl +++ b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl 
@@ -156,6 +156,35 @@ Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. One of result or analysis_sco_refs properties MUST be provided. + + malware-result-ov + + + + + benign + + + malicious + + + suspicious + + + unknown + + + + + + + + + + + + + analysis_definition_version The version of the analysis definitions used by the analysis tool (including AV tools). 
@@ -192,89 +221,24 @@ - - sample_ref - This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) - - - - - sample_ref_string - This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) - - - - - submitted - The date and time that the malware was first submitted for scanning or analysis. This value will stay constant while the scanned date can change. For example, when Malware was submitted to a virus analysis tool. - - - - - product - The name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-". For cases where the name of a product cannot be specified, a value of "anonymized" MUST be used. - - - configuration_version The named configuration of additional product configuration parameters for this analysis run. For example, when a product is configured to do full depth analysis of Window™ PE files. This configuration may have a named version and that named version can be captured in this property. This will ensure additional runs can be configured in the same way. 
- - - result - The classification result as determined by the scanner or tool analysis process. The value for this property SHOULD come from the malware-result-ov open vocabulary. - - - - - malware-result-ov - - - - - benign - - - malicious - - - suspicious - - - unknown - - - - - - - - - - - - - - result_name - The classification result or name assigned to the malware instance by the scanner tool. - - + + host_vm_ref + A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. + + - - version - The version of the analysis product that was used to perform the analysis. - - - - - modules - The specific analysis modules that were used and configured in the product during this analysis run. For example, configuring a product to support analysis of Dridex. + + host_vm_ref_string + A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. - + installed_software_refs Any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family. The value of this property MUST be the identifier for a SCO software object. 
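Review bot: The new `host_vm_ref_string` restriction repeats the `host_vm_ref` comment word for word, including "The value of this property MUST be the identifier for a SCO software object", so nothing in the documentation tells a reader how the two properties differ or when a consumer should expect one rather than the other. The same pattern applies to `sample_ref_string` in the hunk at -311,4 of this file and to `object_refs_string` in observed-data.owl at -82,24. Presumably the `_string` variants hold the STIX identifier as a plain literal rather than an object reference; if so, a one-line addition such as `Holds the same value as host_vm_ref as a plain string literal for consumers that do not resolve object references.` on each `_string` variant would make the relationship explicit, but confirm the intended semantics before wording it.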
@@ -286,19 +250,13 @@ Any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family. The value of this property MUST be the identifier for a SCO software object. - - - host_vm_ref - A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. - - - - host_vm_ref_string - A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. + + modules + The specific analysis modules that were used and configured in the product during this analysis run. For example, configuring a product to support analysis of Dridex. - + operating_system_ref The operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. 
@@ -311,4 +269,46 @@ + + product + The name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-". For cases where the name of a product cannot be specified, a value of "anonymized" MUST be used. + + + + + result + The classification result as determined by the scanner or tool analysis process. The value for this property SHOULD come from the malware-result-ov open vocabulary. + + + + + result_name + The classification result or name assigned to the malware instance by the scanner tool. + + + + + sample_ref + This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) + + + + + sample_ref_string + This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) + + + + + submitted + The date and time that the malware was first submitted for scanning or analysis. This value will stay constant while the scanned date can change. For example, when Malware was submitted to a virus analysis tool. + + + + + version + The version of the analysis product that was used to perform the analysis. + + + \ No newline at end of file 
diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl
index bc114de..ea76520 100644
--- a/stix/core-objects/sdo/note/note.owl
+++ b/stix/core-objects/sdo/note/note.owl
@@ -54,7 +54,7 @@ Note
- A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum. Because Notes are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object.
+ A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum. Because Notes are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object.
@@ -80,7 +80,7 @@ The STIX Objects that the note is being applied to.
- + object_refs_string The STIX Objects that the note is being applied to.
diff --git a/stix/core-objects/sdo/observed-data/observed-data.owl b/stix/core-objects/sdo/observed-data/observed-data.owl
index 113f681..876831b 100644
--- a/stix/core-objects/sdo/observed-data/observed-data.owl
+++ b/stix/core-objects/sdo/observed-data/observed-data.owl
@@ -41,12 +41,6 @@ - - - - - -
@@ -60,6 +54,12 @@ + + + + + + Observed Data Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, Observed Data can capture information about an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply the raw information without any context for what it means. \n\n Observed Data can capture that a piece of information was seen one or more times. Meaning, it can capture both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data represents a single entity. When the number_observed property is greater than 1, the Observed Data represents several instances of an entity potentially collected over a period of time. If a time window is known, that can be captured using the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some properties in the SCO (e.g., timestamp properties) will be omitted because they would differ for each of the individual observations. \n\n Observed Data may be used by itself (without relationships) to convey raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools. An intelligence producer conveying Observed Data SHOULD include as much context (e.g. SCOs) as possible that supports the use of the observed data set in systems expecting to utilize the Observed Data for improved security. This includes all SCOs that matched on an Indicator pattern and are represented in the collected observed event (or events) being conveyed in the Observed Data object. For example, a firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. 
The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window. A sandbox could emit an Observed Data instance containing a file hash that it discovered. \n\n Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. For example, the Sighting Relationship object, can relate an Indicator, Malware, or other SDO to a specific Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).\n\nTo support backwards compatibility, related SCOs can still be specified using the objects properties, Either the objects property or the object_refs property MUST be provided, but both MUST NOT be present at the same time. 
@@ -82,24 +82,24 @@ - - objects - A dictionary of SCO representing the observation. The dictionary MUST contain at least one object. The cyber observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance. This property MUST NOT be present if object_refs is provided. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. NOTE: this property is now deprecated in favor of object_refs and will be removed in a future version. - true - - - object_refs A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided. - + object_refs_string A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided. + + + objects + A dictionary of SCO representing the observation. 
The dictionary MUST contain at least one object. The cyber observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance. This property MUST NOT be present if object_refs is provided. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. NOTE: this property is now deprecated in favor of object_refs and will be removed in a future version. + + true + \ No newline at end of file diff --git a/stix/core-objects/sdo/opinion/opinion.owl b/stix/core-objects/sdo/opinion/opinion.owl index 1bf1b7f..06fce12 100644 --- a/stix/core-objects/sdo/opinion/opinion.owl +++ b/stix/core-objects/sdo/opinion/opinion.owl @@ -35,12 +35,6 @@ - - - - - - 
@@ -53,40 +47,16 @@ + + + + + + Opinion - An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. + An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. 
In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. - - explanation - An explanation of why the producer has this Opinion. For example, if an Opinion of strongly-disagree is given, the explanation can contain an explanation of why the Opinion producer disagrees and what evidence they have for their disagreement. - - - - - authors - The name of the author(s) of this Opinion (e.g., the analyst(s) that created it). - - - - - object_refs - The STIX Objects that the Opinion is being applied to. - - - - - object_refs_string - The STIX Objects that the Opinion is being applied to. - - - - - opinion - The opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. The values of this property MUST come from the opinion-enum enumeration. - - - opinion-enum 
@@ -120,5 +90,35 @@ + + + authors + The name of the author(s) of this Opinion (e.g., the analyst(s) that created it). + + + + + explanation + An explanation of why the producer has this Opinion. For example, if an Opinion of strongly-disagree is given, the explanation can contain an explanation of why the Opinion producer disagrees and what evidence they have for their disagreement. + + + + + object_refs + The STIX Objects that the Opinion is being applied to. + + + + + object_refs_string + The STIX Objects that the Opinion is being applied to. + + + + + opinion + The opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. The values of this property MUST come from the opinion-enum enumeration. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl index cd8bc33..ec167c1 100644 --- a/stix/core-objects/sdo/report/report.owl +++ b/stix/core-objects/sdo/report/report.owl 
@@ -37,68 +37,32 @@ - - + + - + - - + + - + Report Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. - - - name - A name used to identify the Report. - - - - - description - A description that provides more details and context about the Report, potentially including its purpose and its key characteristics. - - - - - report_types - The primary type(s) of content found in this report. The values for this property SHOULD come from the report-type-ov open vocabulary. - - - - - published - The date that this Report object was officially published by the creator of this report. The publication date (public release, legal release, etc.) may be different than the date the report was created or shared internally (the date in the created property). - - - - - object_refs - Specifies the STIX Objects that are referred to by this Report. - - - - - object_refs_string - Specifies the STIX Objects that are referred to by this Report. - - - + report-type-ov 
@@ -162,6 +126,41 @@ - + + + description + A description that provides more details and context about the Report, potentially including its purpose and its key characteristics. + + + + + name + A name used to identify the Report. + + + + + object_refs + Specifies the STIX Objects that are referred to by this Report. + + + + + object_refs_string + Specifies the STIX Objects that are referred to by this Report. + + + + + published + The date that this Report object was officially published by the creator of this report. The publication date (public release, legal release, etc.) may be different than the date the report was created or shared internally (the date in the created property). + + + + + report_types + The primary type(s) of content found in this report. The values for this property SHOULD come from the report-type-ov open vocabulary. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index e190f98..0b6ebfc 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl @@ -5,8 +5,8 @@ - + ]> + xmlns:vocab="http://docs.oasis-open.org/cti/ns/stix/vocabulary#" + xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> 
@@ -105,13 +105,12 @@ Threat Actor - - Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. \n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets. \n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. + Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. \n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets. \n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. - - - name - A name used to identify this Threat Actor or Threat Actor group. + + + aliases + A list of other names that this Threat Actor is believed to use. @@ -121,12 +120,6 @@ - - aliases - A list of other names that this Threat Actor is believed to use. - - - first_seen The time that this Threat Actor was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. 
@@ -145,9 +138,15 @@ + + name + A name used to identify this Threat Actor or Threat Actor group. + + + personal_motivations - The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Personal motivation, which is independent of the organization's goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization's motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation's objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance. The values for this property SHOULD come from the attack-motivation-ov open vocabulary. + The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Personal motivation, which is independent of the organization's goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization's motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation's objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance. 
The values for this property SHOULD come from the attack-motivation-ov open vocabulary. diff --git a/stix/core-objects/sdo/tool/tool.owl b/stix/core-objects/sdo/tool/tool.owl index a74f514..596f4af 100644 --- a/stix/core-objects/sdo/tool/tool.owl +++ b/stix/core-objects/sdo/tool/tool.owl @@ -25,32 +25,32 @@ - + - + - - + + - + - - + + @@ -62,43 +62,7 @@ Tool Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. \n\nThe Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool. \n\nThis SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterize tools used as part of a course of action in response to an attack. - - - name - The name used to identify the Tool. - - - - - description - A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics. - - - - - tool_types - The kind(s) of tool(s) being described. The values for this property SHOULD come from the tool-type-ov open vocabulary. - - - - - aliases - Alternative names used to identify this Tool. - - - - - kill_chain_phases - The list of kill chain phases for which this Tool can be used. - - - - tool_version - The version identifier associated with the Tool. - - - tool-type-ov 
@@ -144,8 +108,44 @@ - + + + + aliases + Alternative names used to identify this Tool. + + + + + description + A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics. + + + + + kill_chain_phases + The list of kill chain phases for which this Tool can be used. + + + + + name + The name used to identify the Tool. + + + + + tool_types + The kind(s) of tool(s) being described. The values for this property SHOULD come from the tool-type-ov open vocabulary. + + + + + tool_version + The version identifier associated with the Tool. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/vulnerability/vulnerability.owl b/stix/core-objects/sdo/vulnerability/vulnerability.owl index f0c2ef8..337e79b 100644 --- a/stix/core-objects/sdo/vulnerability/vulnerability.owl +++ b/stix/core-objects/sdo/vulnerability/vulnerability.owl 
@@ -38,17 +38,17 @@ Vulnerability A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system. \n\nCVE is a list of information security vulnerabilities and exposures that provides common names for publicly known problems [CVE]. For example, if a piece of malware exploits CVE-2015-12345, a Malware object could be linked to a Vulnerability object that references CVE-2015-12345. \n\nThe Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process. - - - name - A name used to identify the Vulnerability. - - description A description that provides more details and context about the Vulnerability, potentially including its purpose and its key characteristics. + + + name + A name used to identify the Vulnerability. + + \ No newline at end of file diff --git a/stix/vocabularies/vocab.owl b/stix/vocabularies/vocab.owl index ac51482..38873bd 100644 --- a/stix/vocabularies/vocab.owl +++ b/stix/vocabularies/vocab.owl 
@@ -1737,6 +1737,160 @@ + + region-ov + + + + + africa + + + americas + + + antarctica + + + asia + + + australia-new-zealand + + + caribbean + + + central-america + + + central-asia + + + eastern-africa + + + eastern-asia + + + eastern-europe + + + europe + + + latin-america-caribbean + + + melanesia + + + micronesia + + + middle-africa + + + northern-africa + + + northern-america + + + northern-europe + + + oceana + + + polynesia + + + south-america + + + south-eastern-asia + + + southern-africa + + + southern-asia + + + southern-europe + + + western-africa + + + western-asia + + + western-europe + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + report-type-ov Defines an open-vocabulary used to capture the primary purpose or subject of a report. @@ -2225,160 +2379,6 @@ - - region-ov - - - - - africa - - - americas - - - antarctica - - - asia - - - australia-new-zealand - - - caribbean - - - central-america - - - central-asia - - - eastern-africa - - - eastern-asia - - - eastern-europe - - - europe - - - latin-america-caribbean - - - melanesia - - - micronesia - - - middle-africa - - - northern-africa - - - northern-america - - - northern-europe - - - oceana - - - polynesia - - - south-america - - - south-eastern-asia - - - southern-africa - - - southern-asia - - - southern-europe - - - western-africa - - - western-asia - - - western-europe - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - resource_level Specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack.\n\nThe value for this property SHOULD come from the attack-resource-level-ov open vocabulary. From a611f20f0d5369fbb59ccd614ec9117fa509232e Mon Sep 17 00:00:00 2001 
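Review bot: The region-ov block re-added at the top of this vocab.owl hunk keeps the individual `oceana`, whereas the STIX 2.1 region-ov vocabulary, as far as I recall, spells this value `oceania` like the other hyphenated lower-case names used here; instance data or validators built from this ontology would then reject or fail to map the spec-conformant value. Since the commit only relocates the block, it is a cheap moment to rename the individual to `oceania` on the new side, together with the corresponding member assertion lower in the same block (its tags are stripped in this view). Please verify the spelling against the spec section that defines region-ov before changing it.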
From: Mateusz Zych Date: Wed, 18 Jan 2023 23:33:22 +0100 Subject: [PATCH 28/70] Normalizing all files --- .../sdo/attack-pattern/attack-pattern.owl | 22 +- stix/core-objects/sdo/campaign/campaign.owl | 22 +- .../sdo/course-of-action/course-of-action.owl | 12 +- stix/core-objects/sdo/grouping/grouping.owl | 12 +- stix/core-objects/sdo/identity/identity.owl | 74 +-- stix/core-objects/sdo/incident/incident.owl | 12 +- stix/core-objects/sdo/indicator/indicator.owl | 88 ++-- .../sdo/infrastructure/infrastructure.owl | 98 ++-- .../sdo/intrusion-set/intrusion-set.owl | 56 +- stix/core-objects/sdo/location/location.owl | 42 +- .../sdo/malware-analysis/malware-analysis.owl | 168 +++--- stix/core-objects/sdo/malware/malware.owl | 477 +++++++++--------- stix/core-objects/sdo/note/note.owl | 4 +- .../sdo/observed-data/observed-data.owl | 28 +- stix/core-objects/sdo/opinion/opinion.owl | 74 +-- stix/core-objects/sdo/report/report.owl | 87 ++-- .../sdo/threat-actor/threat-actor.owl | 31 +- stix/core-objects/sdo/tool/tool.owl | 88 ++-- .../sdo/vulnerability/vulnerability.owl | 12 +- .../sro/relationship/relationship.owl | 36 +- stix/core-objects/sro/sighting/sighting.owl | 56 +- stix/vocabularies/vocab.owl | 308 +++++------ 22 files changed, 900 insertions(+), 907 deletions(-) diff --git a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl index 2427626..6495732 100644 --- a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl +++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl 
@@ -37,26 +37,20 @@ - - + + - - + + Attack Pattern - Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. + Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. - - name - A name used to identify the Attack Pattern. - - - aliases Alternative names used to identify this Attack Pattern. 
@@ -74,5 +68,11 @@ The list of Kill Chain Phases for which this Attack Pattern is used. + + + name + A name used to identify the Attack Pattern. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/campaign/campaign.owl b/stix/core-objects/sdo/campaign/campaign.owl index 3cea258..c44415c 100644 --- a/stix/core-objects/sdo/campaign/campaign.owl +++ b/stix/core-objects/sdo/campaign/campaign.owl 
@@ -60,12 +60,12 @@ Campaign - A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. + A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. 
For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. - - name - A name used to identify the Campaign. + + aliases + Alternative names used to identify this Campaign. @@ -75,12 +75,6 @@ - - aliases - Alternative names used to identify this Campaign. - - - first_seen The time that this Campaign was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. @@ -93,9 +87,15 @@ + + name + A name used to identify the Campaign. + + + objective - Specifies the Campaign's primary goal, objective, desired outcome, or intended effect — what the Threat Actor or Intrusion Set hopes to accomplish with this Campaign. + Specifies the Campaign's primary goal, objective, desired outcome, or intended effect — what the Threat Actor or Intrusion Set hopes to accomplish with this Campaign. diff --git a/stix/core-objects/sdo/course-of-action/course-of-action.owl b/stix/core-objects/sdo/course-of-action/course-of-action.owl index 1d7974c..04a4fc2 100644 --- a/stix/core-objects/sdo/course-of-action/course-of-action.owl +++ b/stix/core-objects/sdo/course-of-action/course-of-action.owl 
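Review bot: The Campaign definition text on the new side still ends with the stray fragment `...with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use.`, a duplicated tail of the earlier sentence that predates this normalizing pass and survives it unchanged. The definition (presumably an rdfs:comment) should end at `...an upcoming merger with another bank.`; this text is what documentation and tooling generated from the ontology will show analysts, so the garbled ending is worth dropping in the same commit. The other hunks in this file only reorder property declarations.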
@@ -38,17 +38,17 @@ Course Of Action Note: The Course of Action object in STIX 2.1 is a stub. It is included to support basic use cases (such as sharing prose courses of action) but does not support the ability to represent automated courses of action or contain properties to represent metadata about courses of action. Future STIX 2 releases will expand it to include these capabilities. A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. The Course of Action SDO contains a textual description of the action; a reserved action property also serves as a placeholder for future inclusion of machine automatable courses of action. - - - name - A name used to identify the Course of Action. - - description A description that provides more details and context about the Course of Action, potentially including its purpose and its key characteristics. + + + name + A name used to identify the Course of Action. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl index 4d3a3ca..4d1b93f 100644 --- a/stix/core-objects/sdo/grouping/grouping.owl +++ b/stix/core-objects/sdo/grouping/grouping.owl @@ -82,12 +82,6 @@ - - - name - A name used to identify the Grouping. - - description @@ -95,6 +89,12 @@ + + name + A name used to identify the Grouping. + + + object_refs Specifies the STIX Objects that are referred to by this Grouping. diff --git a/stix/core-objects/sdo/identity/identity.owl b/stix/core-objects/sdo/identity/identity.owl index 0bf78c4..4278472 100644 --- a/stix/core-objects/sdo/identity/identity.owl +++ b/stix/core-objects/sdo/identity/identity.owl 
@@ -20,7 +20,7 @@ 2.1.0 - + @@ -63,18 +63,6 @@ Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. - - contact_information - The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification. - - - - - identity_class - The type of entity that this Identity describes, e.g., an individual or organization. The value for this property SHOULD come from the identity-class-ov open vocabulary. - - - identity-class-ov @@ -113,31 +101,7 @@ - - - name - The name of this Identity. When referring to a specific entity (e.g., an individual or organization), this property SHOULD contain the canonical name of the specific entity. - - - - description - A description that provides more details and context about the Identity, potentially including its purpose and its key characteristics. - - - - - roles - The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. - - - - - sectors - The list of industry sectors that this Identity belongs to. The values for this property SHOULD come from the industry-sector-ov open vocabulary. - - - industry-sector-ov 
@@ -316,5 +280,41 @@ + + + contact_information + The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification. + + + + + description + A description that provides more details and context about the Identity, potentially including its purpose and its key characteristics. + + + + + identity_class + The type of entity that this Identity describes, e.g., an individual or organization. The value for this property SHOULD come from the identity-class-ov open vocabulary. + + + + + name + The name of this Identity. When referring to a specific entity (e.g., an individual or organization), this property SHOULD contain the canonical name of the specific entity. + + + + + roles + The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer). No open vocabulary is yet defined for this property. + + + + + sectors + The list of industry sectors that this Identity belongs to. The values for this property SHOULD come from the industry-sector-ov open vocabulary. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/incident/incident.owl b/stix/core-objects/sdo/incident/incident.owl index 75546ea..766a2fa 100644 --- a/stix/core-objects/sdo/incident/incident.owl +++ b/stix/core-objects/sdo/incident/incident.owl 
@@ -38,17 +38,17 @@ Incident Note: The Incident object in STIX 2.1 is a stub. It is included to support basic use cases but does not contain properties to represent metadata about incidents. Future STIX 2 releases will expand it to include these capabilities. It is suggested that it is used as an extension point for an Incident object defined using the extension facility described in section 7.3. - - - name - A name used to identify the Incident. - - description A description that provides more details and context about the Incident, potentially including its purpose and its key characteristics. + + + name + A name used to identify the Incident. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl index cbb6692..29cf397 100644 --- a/stix/core-objects/sdo/indicator/indicator.owl +++ b/stix/core-objects/sdo/indicator/indicator.owl @@ -35,6 +35,12 @@ + + + + + + 
@@ -71,34 +77,10 @@ - - - - - - Indicator Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. - - - name - A name used to identify the Indicator. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. - - - - description - A description that provides more details and context about the Indicator, potentially including its purpose and its key characteristics. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. - - - - - indicator types - A set of categorizations for this indicator. The values for this property SHOULD come from the indicator-type-ov open vocabulary. - - - indicator-type-ov @@ -142,19 +124,7 @@ - - - pattern - The detection pattern for this Indicator MAY be expressed as a STIX Pattern as specified in section 9 or another appropriate language such as SNORT, YARA, etc. - - - - - pattern_type - The pattern language used in this indicator. The value for this property SHOULD come from the pattern-type-ov open vocabulary. The value of this property MUST match the type of pattern data included in the pattern property. - - - + pattern-type-ov 
@@ -194,9 +164,45 @@ + + description + A description that provides more details and context about the Indicator, potentially including its purpose and its key characteristics. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. + + + + + indicator types + A set of categorizations for this indicator. The values for this property SHOULD come from the indicator-type-ov open vocabulary. + + + + + kill_chain_phases + The kill chain phase(s) to which this Indicator corresponds. + + + + + name + A name used to identify the Indicator. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. + + + + + pattern + The detection pattern for this Indicator MAY be expressed as a STIX Pattern as specified in section 9 or another appropriate language such as SNORT, YARA, etc. + + + + + pattern_type + The pattern language used in this indicator. The value for this property SHOULD come from the pattern-type-ov open vocabulary. The value of this property MUST match the type of pattern data included in the pattern property. + + + pattern_version - The version of the pattern language that is used for the data in the pattern property which MUST match the type of pattern data included in the pattern property. For patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used. For the STIX Pattern language, the default value is determined by the specification version of the object. For other languages, the default value SHOULD be the latest version of the patterning language at the time of this object's creation. + The version of the pattern language that is used for the data in the pattern property which MUST match the type of pattern data included in the pattern property. 
For patterns that do not have a formal specification, the build or code version that the pattern is known to work with SHOULD be used. For the STIX Pattern language, the default value is determined by the specification version of the object. For other languages, the default value SHOULD be the latest version of the patterning language at the time of this object's creation. @@ -212,10 +218,4 @@ - - kill_chain_phases - The kill chain phase(s) to which this Indicator corresponds. - - - \ No newline at end of file diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl index f2d4cde..c751bc1 100644 --- a/stix/core-objects/sdo/infrastructure/infrastructure.owl +++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl 
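Review bot: The re-added label for the indicator-types property reads `indicator types` with a space, while every other property label in this hunk (`kill_chain_phases`, `pattern_type`, `pattern_version`) uses the STIX 2.1 snake_case property name, so anyone matching ontology terms against the `indicator_types` key in STIX documents will miss this one. Suggest `indicator_types` here; the element names are stripped in this view, so if the property IRI already uses the underscore only the label needs the fix. The spaced label is carried over unchanged from the block removed in the preceding `@@ -71,34 +77,10 @@` hunk, so this is pre-existing rather than introduced by the reorder.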
@@ -49,68 +49,26 @@ - - + + - - + + - - + + Infrastructure The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure. - - - name - A name or characterizing text used to identify the Infrastructure. - - - - - description - A description that provides more details and context about the Infrastructure, potentially including its purpose, how it is being used, how it relates to other intelligence activities captured in related objects, and its key characteristics. - - - - - aliases - Alternative names used to identify this Infrastructure. - - - - - first_seen - The time that this Infrastructure was first seen performing malicious activities. - - - - - last_seen - The time that this Infrastructure was last seen performing malicious activities. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. - - - - - kill_chain_phases - The list of Kill Chain Phases for which this Infrastructure is used. - - - - - infrastructure_types - The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. - - - + infrastructure-type-ov 
@@ -174,5 +132,47 @@ + + + aliases + Alternative names used to identify this Infrastructure. + + + + + description + A description that provides more details and context about the Infrastructure, potentially including its purpose, how it is being used, how it relates to other intelligence activities captured in related objects, and its key characteristics. + + + + + first_seen + The time that this Infrastructure was first seen performing malicious activities. + + + + + infrastructure_types + The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. + + + + + kill_chain_phases + The list of Kill Chain Phases for which this Infrastructure is used. + + + + + last_seen + The time that this Infrastructure was last seen performing malicious activities. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. + + + + + name + A name or characterizing text used to identify the Infrastructure. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index 7073bc2..4f71daa 100644 --- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl @@ -5,8 +5,8 @@ - + ]> + xmlns:vocab="http://docs.oasis-open.org/cti/ns/stix/vocabulary#" + xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> 
@@ -83,55 +83,55 @@ Intrusion Set An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state. - - - name - A name used to identify this Intrusion Set. + + + aliases + Alternative names used to identify this Intrusion Set. - + description A description that provides more details and context about the Intrusion Set, potentially including its purpose and its key characteristics. - - - aliases - Alternative names used to identify this Intrusion Set. - - - + first_seen The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - + + + goals + The high-level goals of this Intrusion Set, namely, what are they trying to do. 
For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. Another example: to gain information about latest merger and IPO information from ACME Bank. + + + last_seen The time that this Intrusion Set was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. - - - goals - The high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. Another example: to gain information about latest merger and IPO information from ACME Bank. + + + name + A name used to identify this Intrusion Set. - - - resource_level - This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. - - - + primary_motivation The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. 
- + + + resource_level + This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. + + + secondary_motivations The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl index f72a9a6..cd470f5 100644 --- a/stix/core-objects/sdo/location/location.owl +++ b/stix/core-objects/sdo/location/location.owl @@ -5,8 +5,8 @@ - + ]> + xmlns:vocab="http://docs.oasis-open.org/cti/ns/stix/vocabulary#" + xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> 
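Review bot: The comments on `primary_motivation` and `secondary_motivations` on the new side are a verbatim copy of the `first_seen` text ("The time that this Intrusion Set was first seen. A summary property of data from sightings…"), which describes a timestamp, not a motivation, and the reorder keeps the wrong text in place. Suggest replacing the `primary_motivation` comment with `The primary reason, motivation, or purpose behind this Intrusion Set. The value for this property SHOULD come from the attack-motivation-ov open vocabulary.` and the `secondary_motivations` comment with `The secondary reasons, motivations, or purposes behind this Intrusion Set; these can be equal or near-equal causes to the primary motivation. The values for this property SHOULD come from the attack-motivation-ov open vocabulary.` The surrounding elements are stripped in this view, so I cannot see whether the range of these two properties was also copied from `first_seen`; that is worth checking, because a dateTime range would make every motivation value fail validation against the ontology.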
@@ -96,18 +96,6 @@ A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. \n\n Locations are primarily used to give context to other SDOs. For example, a Location could be used in a relationship to describe that the Bourgeois Swallow intrusion set originates from Eastern Europe. \n\n The Location SDO can be related to an Identity or Intrusion Set to indicate that the identity or intrusion set is located in that location. It can also be related from a malware or attack pattern to indicate that they target victims in that location. The Location object describes geographic areas, not governments, even in cases where that area might have a government. For example, a Location representing the United States describes the United States as a geographic area, not the federal government of the United States. \n\n At least one of the following properties/sets of properties MUST be provided: region, country, latitude and longitude. \n\n When a combination of properties is provided (e.g. a region and a latitude and longitude) the more precise properties are what the location describes. In other words, if a location contains both a region of northern-america and a country of us, then the location describes the United States, not all of North America. In cases where a latitude and longitude are specified without a precision, the location describes the most precise other value. \n\n If precision is specified, then the datum for latitude and longitude MUST be WGS 84 [WGS84]. Organizations specifying a designated location using latitude and longitude SHOULD specify the precision which is appropriate for the scope of the location being identified. The scope is defined by the boundary as outlined by the precision around the coordinates. - - name - A name used to identify the Location. 
- - - - - description - A textual description of the Location. - - - administrative_area The state, province, or other sub-national administrative area that this Location describes. This property SHOULD contain a valid ISO 3166-2 Code [ISO3166-2]. @@ -132,6 +120,12 @@ + + description + A textual description of the Location. + + + latitude The latitude of the Location in decimal degrees. Positive numbers describe latitudes north of the equator, and negative numbers describe latitudes south of the equator. The value of this property MUST be between -90.0 and 90.0, inclusive. If the longitude property is present, this property MUST be present. @@ -144,6 +138,12 @@ + + name + A name used to identify the Location. + + + network details Specifies additional details about this network location including things like wiring closet, rack number, rack location, and VLANs. @@ -162,16 +162,16 @@ - - street_address - The street address that this Location describes. This property includes all aspects or parts of the street address. For example, some addresses may have multiple lines including a mailstop or apartment number. - - - region The region that this Location describes. The value for this property SHOULD come from the region-ov open vocabulary. + + + street_address + The street address that this Location describes. This property includes all aspects or parts of the street address. For example, some addresses may have multiple lines including a mailstop or apartment number. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl index e114e71..262e6fe 100644 --- a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl +++ b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl 
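Review bot: The Location class comment that this hunk keeps as context contains literal `\n\n` sequences between paragraphs ("…latitude and longitude. \n\n Locations are primarily used…"), whereas the other multi-paragraph comments in this diff appear to use real line breaks; if these are backslash-n characters in the XML text rather than newlines, every consumer of the rdfs:comment will see them verbatim. Suggest replacing each `\n\n` with a real blank line, or dropping them, the next time this block is touched.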
@@ -156,6 +156,35 @@ Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. One of result or analysis_sco_refs properties MUST be provided. + + malware-result-ov + + + + + benign + + + malicious + + + suspicious + + + unknown + + + + + + + + + + + + + analysis_definition_version The version of the analysis definitions used by the analysis tool (including AV tools). 
@@ -192,89 +221,24 @@ - - sample_ref - This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) - - - - - sample_ref_string - This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) - - - - - submitted - The date and time that the malware was first submitted for scanning or analysis. This value will stay constant while the scanned date can change. For example, when Malware was submitted to a virus analysis tool. - - - - - product - The name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-". For cases where the name of a product cannot be specified, a value of "anonymized" MUST be used. - - - configuration_version The named configuration of additional product configuration parameters for this analysis run. For example, when a product is configured to do full depth analysis of Window™ PE files. This configuration may have a named version and that named version can be captured in this property. This will ensure additional runs can be configured in the same way. 
- - - result - The classification result as determined by the scanner or tool analysis process. The value for this property SHOULD come from the malware-result-ov open vocabulary. - - - - - malware-result-ov - - - - - benign - - - malicious - - - suspicious - - - unknown - - - - - - - - - - - - - - result_name - The classification result or name assigned to the malware instance by the scanner tool. - - + + host_vm_ref + A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. + + - - version - The version of the analysis product that was used to perform the analysis. - - - - - modules - The specific analysis modules that were used and configured in the product during this analysis run. For example, configuring a product to support analysis of Dridex. + + host_vm_ref_string + A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. - + installed_software_refs Any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family. The value of this property MUST be the identifier for a SCO software object. 
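Review bot: The new `host_vm_ref_string` property carries the same comment as `host_vm_ref`, word for word, so nothing in the ontology tells a reader which of the two is the object reference and which holds the identifier as a plain literal; the same pattern repeats for `sample_ref`/`sample_ref_string` in the `@@ -311,4 +269,46 @@` hunk of this file and for `operating_system_ref`/`operating_system_ref_string` and `sample_refs`/`sample_refs_string` in malware.owl. Presumably the `_string` variants are datatype properties holding the STIX identifier as text (the element types are stripped in this view), in which case a one-line comment such as `Literal form of host_vm_ref: the STIX identifier of the hosting software SCO carried as a string rather than as a link to the node.` would make the distinction explicit. The shared sentence "The value of this property MUST be the identifier for a SCO software object" is, for the literal variant, a format constraint that would be better expressed on the datatype than repeated in prose.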
@@ -286,19 +250,13 @@ Any non-standard software installed on the operating system (specified through the operating-system value) used for the dynamic analysis of the malware instance or family. The value of this property MUST be the identifier for a SCO software object. - - - host_vm_ref - A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. - - - - host_vm_ref_string - A description of the virtual machine environment used to host the guest operating system (if applicable) that was used for the dynamic analysis of the malware instance or family. If this value is not included in conjunction with the operating_system_ref property, this means that the dynamic analysis may have been performed on bare metal (i.e. without virtualization) or the information was redacted. The value of this property MUST be the identifier for a SCO software object. + + modules + The specific analysis modules that were used and configured in the product during this analysis run. For example, configuring a product to support analysis of Dridex. - + operating_system_ref The operating system used for the dynamic analysis of the malware instance or family. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. 
@@ -311,4 +269,46 @@ + + product + The name of the analysis engine or product that was used. Product names SHOULD be all lowercase with words separated by a dash "-". For cases where the name of a product cannot be specified, a value of "anonymized" MUST be used. + + + + + result + The classification result as determined by the scanner or tool analysis process. The value for this property SHOULD come from the malware-result-ov open vocabulary. + + + + + result_name + The classification result or name assigned to the malware instance by the scanner tool. + + + + + sample_ref + This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) + + + + + sample_ref_string + This property contains the reference to the SCO file, network traffic or artifact object that this malware analysis was performed against. Caution should be observed when creating an SRO between Malware and Malware Analysis objects when the Malware sample_refs property does not contain the SCO that is included in the Malware Analysis sample_ref property. Note, this property can also contain a reference to an SCO which is not associated with Malware (i.e., some SCO which was scanned and found to be benign.) + + + + + submitted + The date and time that the malware was first submitted for scanning or analysis. This value will stay constant while the scanned date can change. For example, when Malware was submitted to a virus analysis tool. + + + + + version + The version of the analysis product that was used to perform the analysis. + + + \ No newline at end of file 
diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl index 21352f3..8c7ee0e 100644 --- a/stix/core-objects/sdo/malware/malware.owl +++ b/stix/core-objects/sdo/malware/malware.owl @@ -24,6 +24,120 @@ 2.1.0 + + implementation-language-ov + + + + + applescript + + + bash + + + c + + + c# + + + c++ + + + go + + + java + + + javascript + + + lua + + + objective-c + + + perl + + + php + + + powershell + + + python + + + ruby + + + scala + + + swift + + + typescript + + + visual-basic + + + x86-32 + + + x86-64 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -68,6 +182,12 @@ + + + + + + @@ -86,12 +206,6 @@ - - - - - - @@ -107,8 +221,8 @@ - + 
@@ -118,126 +232,9 @@ Malware - Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim. The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO. The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides. To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. + Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim. 
The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO. The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides. To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. - - - name - A name used to identify the malware instance or family, as specified by the producer of the SDO. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead. - - - - - description - A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics. - - - - - aliases - Alternative names used to identify this malware or malware family. - - - - - first_seen - The time that the malware instance or family was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. 
If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - - - - - last_seen - The time that the malware family or malware instance was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last_seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. - - - - - analysis_defintion_version - Specifies the version of the analysis definitions used by the analysis tool (including AV tools). - - - - - analysis_engine_version - Specifies the version of the analysis engine or product (including AV engines) that was used to perform the analysis. - - - - - architecture_execution_envs - The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. - - - - - kill_chain_phases - The list of Kill Chain Phases for which this malware can be used. - - - - - operating_system_ref - The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. - - - - - operating_system_ref_string - The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. - - - - - is_family - Specifies whether the object represents a malware family (if true) or a malware instance (if false). 
- - - - - malware_types - A set of categorizations for the malware being described. The values for this property SHOULD come from the malware-type-ov open vocabulary. - - - - - implementation_languages - The programming language(s) used to implement the malware instance or family. The values for this property SHOULD come from the implementation-language-ov open vocabulary. - - - - - architecture_execution_envs - The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. - - - - - capabilities - Any of the capabilities identified for the malware instance or family. The values for this property SHOULD come from the malware-capabilities-ov open vocabulary. - - - - - sample_refs - The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. - - - - - - - - - - - - - sample_refs_string - The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. - - - malware-capabilities-ov @@ -431,121 +428,7 @@ - - - implementation-language-ov - - - - - applescript - - - bash - - - c - - - c# - - - c++ - - - go - - - java - - - javascript - - - lua - - - objective-c - - - perl - - - php - - - powershell - - - python - - - ruby - - - scala - - - swift - - - typescript - - - visual-basic - - - x86-32 - - - x86-64 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + malware-type-ov @@ -664,7 +547,7 @@ - + processor-architecture-ov 
@@ -713,5 +596,117 @@ + + + aliases + Alternative names used to identify this malware or malware family. + + + + + analysis_defintion_version + Specifies the version of the analysis definitions used by the analysis tool (including AV tools). + + + + + analysis_engine_version + Specifies the version of the analysis engine or product (including AV engines) that was used to perform the analysis. + + + + + architecture_execution_envs + The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. + + + + + + capabilities + Any of the capabilities identified for the malware instance or family. The values for this property SHOULD come from the malware-capabilities-ov open vocabulary. + + + + + description + A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics. + + + + + first_seen + The time that the malware instance or family was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. + + + + + implementation_languages + The programming language(s) used to implement the malware instance or family. The values for this property SHOULD come from the implementation-language-ov open vocabulary. + + + + + is_family + Specifies whether the object represents a malware family (if true) or a malware instance (if false). + + + + + kill_chain_phases + The list of Kill Chain Phases for which this malware can be used. + + + + + last_seen + The time that the malware family or malware instance was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. 
If new sightings are received that are later than the last_seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. + + + + + malware_types + A set of categorizations for the malware being described. The values for this property SHOULD come from the malware-type-ov open vocabulary. + + + + + name + A name used to identify the malware instance or family, as specified by the producer of the SDO. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead. + + + + + operating_system_ref_string + The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. + + + + + operating_system_ref + The operating systems that the malware family or malware instance is executable on. This applies to virtualized operating systems as well as those running on bare metal. The value of this property MUST be the identifier for a SCO software object. + + + + + sample_refs + The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. + + + + + + + + + + + + + + sample_refs_string + The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. + + \ No newline at end of file 
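Review bot: `analysis_defintion_version` in the added annotation block is misspelled; the STIX 2.1 property is `analysis_definition_version`, so the resulting property IRI presumably will not line up with data produced against the specification — rename the label (and the IRI it is attached to, which the stripped markup in this view does not show) to `analysis_definition_version`. If this file is the Malware SDO ontology (its header lies outside this chunk), note that `analysis_definition_version`, `analysis_engine_version` and the singular `operating_system_ref` are Malware Analysis SDO properties in STIX 2.1, whereas the Malware SDO uses `operating_system_refs`; worth confirming against the spec before these land in the published context. The `*_string` twins added here (`operating_system_ref_string`, `sample_refs_string`) repeat their counterpart's description verbatim, so nothing tells a consumer how the string form differs from the reference form; a clause such as `Literal (string) form of sample_refs: carries the referenced objects' ids as plain strings rather than IRIs.` would close that gap, and the same applies to `object_refs_string` in note.owl, observed-data.owl, opinion.owl and report.owl in this commit. The new file ends without a trailing newline.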
diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl index bc114de..ea76520 100644 --- a/stix/core-objects/sdo/note/note.owl +++ b/stix/core-objects/sdo/note/note.owl @@ -54,7 +54,7 @@ Note - A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum. Because Notes are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. + A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum. Because Notes are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. @@ -80,7 +80,7 @@ The STIX Objects that the note is being applied to. - + object_refs_string The STIX Objects that the note is being applied to. 
diff --git a/stix/core-objects/sdo/observed-data/observed-data.owl b/stix/core-objects/sdo/observed-data/observed-data.owl index 113f681..876831b 100644 --- a/stix/core-objects/sdo/observed-data/observed-data.owl +++ b/stix/core-objects/sdo/observed-data/observed-data.owl @@ -41,12 +41,6 @@ - - - - - - 
@@ -60,6 +54,12 @@ + + + + + + Observed Data Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, Observed Data can capture information about an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply the raw information without any context for what it means. \n\n Observed Data can capture that a piece of information was seen one or more times. Meaning, it can capture both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data represents a single entity. When the number_observed property is greater than 1, the Observed Data represents several instances of an entity potentially collected over a period of time. If a time window is known, that can be captured using the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some properties in the SCO (e.g., timestamp properties) will be omitted because they would differ for each of the individual observations. \n\n Observed Data may be used by itself (without relationships) to convey raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools. An intelligence producer conveying Observed Data SHOULD include as much context (e.g. SCOs) as possible that supports the use of the observed data set in systems expecting to utilize the Observed Data for improved security. This includes all SCOs that matched on an Indicator pattern and are represented in the collected observed event (or events) being conveyed in the Observed Data object. For example, a firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. 
The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window. A sandbox could emit an Observed Data instance containing a file hash that it discovered. \n\n Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. For example, the Sighting Relationship object, can relate an Indicator, Malware, or other SDO to a specific Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).\n\nTo support backwards compatibility, related SCOs can still be specified using the objects properties, Either the objects property or the object_refs property MUST be provided, but both MUST NOT be present at the same time. 
@@ -82,24 +82,24 @@ - - objects - A dictionary of SCO representing the observation. The dictionary MUST contain at least one object. The cyber observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance. This property MUST NOT be present if object_refs is provided. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. NOTE: this property is now deprecated in favor of object_refs and will be removed in a future version. - true - - - object_refs A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided. - + object_refs_string A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided. + + + objects + A dictionary of SCO representing the observation. 
The dictionary MUST contain at least one object. The cyber observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance. This property MUST NOT be present if object_refs is provided. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. NOTE: this property is now deprecated in favor of object_refs and will be removed in a future version. + + true + \ No newline at end of file diff --git a/stix/core-objects/sdo/opinion/opinion.owl b/stix/core-objects/sdo/opinion/opinion.owl index 1bf1b7f..06fce12 100644 --- a/stix/core-objects/sdo/opinion/opinion.owl +++ b/stix/core-objects/sdo/opinion/opinion.owl @@ -35,12 +35,6 @@ - - - - - - 
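Review bot: The re-added `objects` annotation still says `This property MUST NOT be present if object_refs is provided`, but the same hunk introduces `object_refs_string` without stating whether the exclusion also covers that form, so an instance carrying `objects` together with `object_refs_string` is neither clearly allowed nor clearly forbidden by the ontology text. If `object_refs_string` is the literal counterpart of `object_refs` (it is not stated in the hunk), extend the sentence to `This property MUST NOT be present if object_refs or object_refs_string is provided.` and mirror the wording in both `object_refs*` descriptions. The bare `true` following the deprecation NOTE presumably is the deprecation flag; its tag is lost in this view, so its placement should be checked once in the actual file.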
@@ -53,40 +47,16 @@ + + + + + + Opinion - An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. + An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. 
In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. - - explanation - An explanation of why the producer has this Opinion. For example, if an Opinion of strongly-disagree is given, the explanation can contain an explanation of why the Opinion producer disagrees and what evidence they have for their disagreement. - - - - - authors - The name of the author(s) of this Opinion (e.g., the analyst(s) that created it). - - - - - object_refs - The STIX Objects that the Opinion is being applied to. - - - - - object_refs_string - The STIX Objects that the Opinion is being applied to. - - - - - opinion - The opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. The values of this property MUST come from the opinion-enum enumeration. - - - opinion-enum 
@@ -120,5 +90,35 @@ + + + authors + The name of the author(s) of this Opinion (e.g., the analyst(s) that created it). + + + + + explanation + An explanation of why the producer has this Opinion. For example, if an Opinion of strongly-disagree is given, the explanation can contain an explanation of why the Opinion producer disagrees and what evidence they have for their disagreement. + + + + + object_refs + The STIX Objects that the Opinion is being applied to. + + + + + object_refs_string + The STIX Objects that the Opinion is being applied to. + + + + + opinion + The opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. The values of this property MUST come from the opinion-enum enumeration. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl index cd8bc33..ec167c1 100644 --- a/stix/core-objects/sdo/report/report.owl +++ b/stix/core-objects/sdo/report/report.owl 
@@ -37,68 +37,32 @@ - - + + - + - - + + - + Report Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. - - - name - A name used to identify the Report. - - - - - description - A description that provides more details and context about the Report, potentially including its purpose and its key characteristics. - - - - - report_types - The primary type(s) of content found in this report. The values for this property SHOULD come from the report-type-ov open vocabulary. - - - - - published - The date that this Report object was officially published by the creator of this report. The publication date (public release, legal release, etc.) may be different than the date the report was created or shared internally (the date in the created property). - - - - - object_refs - Specifies the STIX Objects that are referred to by this Report. - - - - - object_refs_string - Specifies the STIX Objects that are referred to by this Report. - - - + report-type-ov 
@@ -162,6 +126,41 @@ - + + + description + A description that provides more details and context about the Report, potentially including its purpose and its key characteristics. + + + + + name + A name used to identify the Report. + + + + + object_refs + Specifies the STIX Objects that are referred to by this Report. + + + + + object_refs_string + Specifies the STIX Objects that are referred to by this Report. + + + + + published + The date that this Report object was officially published by the creator of this report. The publication date (public release, legal release, etc.) may be different than the date the report was created or shared internally (the date in the created property). + + + + + report_types + The primary type(s) of content found in this report. The values for this property SHOULD come from the report-type-ov open vocabulary. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index e190f98..0b6ebfc 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl @@ -5,8 +5,8 @@ - + ]> + xmlns:vocab="http://docs.oasis-open.org/cti/ns/stix/vocabulary#" + xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> 
@@ -105,13 +105,12 @@ Threat Actor - - Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. \n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets. \n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. + Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. \n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets. \n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. - - - name - A name used to identify this Threat Actor or Threat Actor group. + + + aliases + A list of other names that this Threat Actor is believed to use. @@ -121,12 +120,6 @@ - - aliases - A list of other names that this Threat Actor is believed to use. - - - first_seen The time that this Threat Actor was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. 
@@ -145,9 +138,15 @@ + + name + A name used to identify this Threat Actor or Threat Actor group. + + + personal_motivations - The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Personal motivation, which is independent of the organization's goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization's motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation's objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance. The values for this property SHOULD come from the attack-motivation-ov open vocabulary. + The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Personal motivation, which is independent of the organization's goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization's motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation's objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance. 
The values for this property SHOULD come from the attack-motivation-ov open vocabulary. diff --git a/stix/core-objects/sdo/tool/tool.owl b/stix/core-objects/sdo/tool/tool.owl index a74f514..596f4af 100644 --- a/stix/core-objects/sdo/tool/tool.owl +++ b/stix/core-objects/sdo/tool/tool.owl @@ -25,32 +25,32 @@ - + - + - - + + - + - - + + @@ -62,43 +62,7 @@ Tool Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. \n\nThe Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool. \n\nThis SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterize tools used as part of a course of action in response to an attack. - - - name - The name used to identify the Tool. - - - - - description - A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics. - - - - - tool_types - The kind(s) of tool(s) being described. The values for this property SHOULD come from the tool-type-ov open vocabulary. - - - - - aliases - Alternative names used to identify this Tool. - - - - - kill_chain_phases - The list of kill chain phases for which this Tool can be used. - - - - tool_version - The version identifier associated with the Tool. - - - tool-type-ov 
@@ -144,8 +108,44 @@ - + + + + aliases + Alternative names used to identify this Tool. + + + + + description + A description that provides more details and context about the Tool, potentially including its purpose and its key characteristics. + + + + + kill_chain_phases + The list of kill chain phases for which this Tool can be used. + + + + + name + The name used to identify the Tool. + + + + + tool_types + The kind(s) of tool(s) being described. The values for this property SHOULD come from the tool-type-ov open vocabulary. + + + + + tool_version + The version identifier associated with the Tool. + + \ No newline at end of file diff --git a/stix/core-objects/sdo/vulnerability/vulnerability.owl b/stix/core-objects/sdo/vulnerability/vulnerability.owl index f0c2ef8..337e79b 100644 --- a/stix/core-objects/sdo/vulnerability/vulnerability.owl +++ b/stix/core-objects/sdo/vulnerability/vulnerability.owl 
@@ -38,17 +38,17 @@ Vulnerability A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system. \n\nCVE is a list of information security vulnerabilities and exposures that provides common names for publicly known problems [CVE]. For example, if a piece of malware exploits CVE-2015-12345, a Malware object could be linked to a Vulnerability object that references CVE-2015-12345. \n\nThe Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process. - - - name - A name used to identify the Vulnerability. - - description A description that provides more details and context about the Vulnerability, potentially including its purpose and its key characteristics. + + + name + A name used to identify the Vulnerability. + + \ No newline at end of file diff --git a/stix/core-objects/sro/relationship/relationship.owl b/stix/core-objects/sro/relationship/relationship.owl index 3b21a35..d36e3e3 100644 --- a/stix/core-objects/sro/relationship/relationship.owl +++ b/stix/core-objects/sro/relationship/relationship.owl @@ -25,13 +25,13 @@ - + - + 
@@ -50,45 +50,45 @@ - - - + + - - + + - - + + + - - + + Relationship - The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". \n\n STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition. \n\n STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a user-defined name they determined) to indicate more detail. \n\n Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that campaign. While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX. 
+ The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". \n\n STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition. \n\n STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a user-defined name they determined) to indicate more detail. \n\n Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that campaign. While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX. - - relationship_type - The name used to identify the type of Relationship. 
This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a-z (lowercase ASCII), 0-9, and hyphen (-). - - - description A description that provides more details and context about the Relationship, potentially including its purpose and its key characteristics. + + relationship_type + The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a-z (lowercase ASCII), 0-9, and hyphen (-). + + + source_ref The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). diff --git a/stix/core-objects/sro/sighting/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl index 81536e9..362dc64 100644 --- a/stix/core-objects/sro/sighting/sighting.owl +++ b/stix/core-objects/sro/sighting/sighting.owl @@ -25,6 +25,12 @@ + + + + + + @@ -45,32 +51,32 @@ - - + + - - + + - - + + - - + + - - + + 
@@ -86,40 +92,34 @@ - - - - - - Sighting - A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. 
In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". + A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. 
In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". + + count + If present, this MUST be an integer between 0 and 999,999,999 inclusive and represents the number of times the SDO referenced by the sighting_of_ref property was sighted. Observed Data has a similar property called number_observed, which refers to the number of times the data was observed. These counts refer to different concepts and are distinct. For example, a single sighting of a DDoS bot might have many millions of observations of the network traffic that it generates. Thus, the Sighting count would be 1 (the bot was observed once) but the Observed Data number_observed would be much higher. As another example, a sighting with a count of 0 can be used to express that an indicator was not seen at all. + + + description A description that provides more details and context about the Sighting. - + first_seen The beginning of the time window during which the SDO referenced by the sighting_of_ref property was sighted. - + last_seen The end of the time window during which the SDO referenced by the sighting_of_ref property was sighted. 
If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. - - count - If present, this MUST be an integer between 0 and 999,999,999 inclusive and represents the number of times the SDO referenced by the sighting_of_ref property was sighted. Observed Data has a similar property called number_observed, which refers to the number of times the data was observed. These counts refer to different concepts and are distinct. For example, a single sighting of a DDoS bot might have many millions of observations of the network traffic that it generates. Thus, the Sighting count would be 1 (the bot was observed once) but the Observed Data number_observed would be much higher. As another example, a sighting with a count of 0 can be used to express that an indicator was not seen at all. - - - observed_data_refs A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. For example, a Sighting of an Indicator with an IP address could include the Observed Data for the network connection that the Indicator was used to detect. This property MUST reference only Observed Data SDOs. 
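Review bot: The relocated `count` block keeps the spec text "MUST be an integer between 0 and 999,999,999 inclusive", but with the markup stripped in this view it is not visible whether the property's range enforces that bound; if it is a plain `xsd:integer`, an OWL datatype restriction with `xsd:minInclusive` 0 and `xsd:maxInclusive` 999999999 would let validators check it instead of relying on the prose. The `last_seen` text "MUST be greater than or equal to the timestamp in the first_seen property" is a cross-property constraint no OWL range can express, so a short addition to its comment such as `This ordering is not enforced by the ontology and must be checked by consumers.` would keep that expectation explicit.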
@@ -134,20 +134,20 @@ sighting_of_ref - An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. + An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. sighting_of_ref_string - An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. + An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. summary The summary property indicates whether the Sighting should be considered summary data. Summary data is an aggregation of previous Sightings reports and should not be considered primary source data. Default value is false. - false + diff --git a/stix/vocabularies/vocab.owl b/stix/vocabularies/vocab.owl index ac51482..38873bd 100644 --- a/stix/vocabularies/vocab.owl +++ b/stix/vocabularies/vocab.owl 
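Review bot: The `summary` description still ends with "Default value is false", but this hunk replaces the `false` literal on the removed side with an empty element on the new side, so the stated default no longer appears in the ontology data (which annotation carried it is inferred, since the markup is stripped here). Either restore the literal or drop the "Default value is false" sentence so documentation and data agree. Separately, `sighting_of_ref_string` carries word-for-word the same description as `sighting_of_ref`; if it is meant to hold a plain-string form of the reference, its comment should say so rather than repeat "This property MUST reference only an SDO".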
@@ -1737,6 +1737,160 @@ + + region-ov + + + + + africa + + + americas + + + antarctica + + + asia + + + australia-new-zealand + + + caribbean + + + central-america + + + central-asia + + + eastern-africa + + + eastern-asia + + + eastern-europe + + + europe + + + latin-america-caribbean + + + melanesia + + + micronesia + + + middle-africa + + + northern-africa + + + northern-america + + + northern-europe + + + oceana + + + polynesia + + + south-america + + + south-eastern-asia + + + southern-africa + + + southern-asia + + + southern-europe + + + western-africa + + + western-asia + + + western-europe + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + report-type-ov Defines an open-vocabulary used to capture the primary purpose or subject of a report. @@ -2225,160 +2379,6 @@ - - region-ov - - - - - africa - - - americas - - - antarctica - - - asia - - - australia-new-zealand - - - caribbean - - - central-america - - - central-asia - - - eastern-africa - - - eastern-asia - - - eastern-europe - - - europe - - - latin-america-caribbean - - - melanesia - - - micronesia - - - middle-africa - - - northern-africa - - - northern-america - - - northern-europe - - - oceana - - - polynesia - - - south-america - - - south-eastern-asia - - - southern-africa - - - southern-asia - - - southern-europe - - - western-africa - - - western-asia - - - western-europe - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - resource_level Specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack.\n\nThe value for this property SHOULD come from the attack-resource-level-ov open vocabulary. From a1d25618693259efcbe4a57c71e95fe1349bf0d0 Mon Sep 17 00:00:00 2001 
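Review bot: The relocated `region-ov` block keeps the value `oceana`, which the STIX 2.1 region-ov vocabulary spells `oceania`; the hunk moves the block rather than rewriting it, so the typo is pre-existing, but the move is the moment to fix it, as any consumer that validates a Location `region` against this vocabulary will reject the spec spelling. The same spell-check is worth running on the other vocabulary blocks this series relocates out of the per-object files: the removed blocks later on this page show `hostig-malware` (infrastructure-type-ov) and `ChaCha20-Poly1035` (encryption-algorithm-enum), where STIX 2.1 has `hosting-malware` and `ChaCha20-Poly1305`, and whether those values carried over into vocabularies.owl is not visible here.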
From: Mateusz Zych Date: Thu, 19 Jan 2023 14:29:10 +0100 Subject: [PATCH 29/70] Renamed sro-props to relationship-types.owl. Checked the SROs --- .../relationship/{sro-props.owl => relationship-types.owl} | 6 +++--- stix/core-objects/sro/relationship/relationship.owl | 2 +- stix/core-objects/sro/sighting/sighting.owl | 2 +- stix/stix.owl | 1 + 4 files changed, 6 insertions(+), 5 deletions(-) rename stix/core-objects/sro/relationship/{sro-props.owl => relationship-types.owl} (94%) diff --git a/stix/core-objects/sro/relationship/sro-props.owl b/stix/core-objects/sro/relationship/relationship-types.owl similarity index 94% rename from stix/core-objects/sro/relationship/sro-props.owl rename to stix/core-objects/sro/relationship/relationship-types.owl index 2c10ad9..99a3540 100644 --- a/stix/core-objects/sro/relationship/sro-props.owl +++ b/stix/core-objects/sro/relationship/relationship-types.owl @@ -6,15 +6,15 @@ ]> - - + diff --git a/stix/core-objects/sro/relationship/relationship.owl b/stix/core-objects/sro/relationship/relationship.owl index d36e3e3..468ddcc 100644 --- a/stix/core-objects/sro/relationship/relationship.owl +++ b/stix/core-objects/sro/relationship/relationship.owl @@ -17,7 +17,7 @@ - + 2.1.0 diff --git a/stix/core-objects/sro/sighting/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl index 362dc64..77dd6cf 100644 --- a/stix/core-objects/sro/sighting/sighting.owl +++ b/stix/core-objects/sro/sighting/sighting.owl 
@@ -93,7 +93,7 @@ Sighting - A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. 
In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". + A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. 
In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". diff --git a/stix/stix.owl b/stix/stix.owl index c180cb8..37a391c 100644 --- a/stix/stix.owl +++ b/stix/stix.owl @@ -49,6 +49,7 @@ + From 43fc3a4ce22b28b9641f6b0991b0abd40f478f18 Mon Sep 17 00:00:00 2001 
From: Mateusz Zych Date: Sun, 22 Jan 2023 17:28:17 +0100 Subject: [PATCH 30/70] Corrected all vocabularies, removed duplicates and checked all values. Removed unused namespaces --- stix/core-objects/sco/artifact/artifact.owl | 27 +- .../autonomus-system/autonomous-system.owl | 2 - stix/core-objects/sco/directory/directory.owl | 2 - .../sco/domain-name/domain-name.owl | 2 - .../sco/email-address/email-address.owl | 2 - .../sco/email-message/email-message.owl | 2 - stix/core-objects/sco/file/file.owl | 35 +- .../sco/ipv4-address/ipv4-address.owl | 6 - .../sco/ipv6-address/ipv6-address.owl | 6 - .../sco/mac-address/mac-address.owl | 2 - stix/core-objects/sco/mutex/mutex.owl | 2 - .../sco/network-traffic/network-traffic.owl | 90 +- stix/core-objects/sco/process/process.owl | 145 +- stix/core-objects/sco/software/software.owl | 2 - stix/core-objects/sco/url/url.owl | 2 - .../sco/user-account/user-account.owl | 69 +- .../windows-registry-key.owl | 82 +- .../sco/x509-vertificate/x509-certificate.owl | 2 - .../sdo/attack-pattern/attack-pattern.owl | 2 - stix/core-objects/sdo/campaign/campaign.owl | 2 - .../sdo/course-of-action/course-of-action.owl | 2 - stix/core-objects/sdo/grouping/grouping.owl | 24 +- stix/core-objects/sdo/identity/identity.owl | 221 +-- stix/core-objects/sdo/incident/incident.owl | 2 - stix/core-objects/sdo/indicator/indicator.owl | 86 +- .../sdo/infrastructure/infrastructure.owl | 67 +- .../sdo/intrusion-set/intrusion-set.owl | 10 +- stix/core-objects/sdo/location/location.owl | 6 +- .../sdo/malware-analysis/malware-analysis.owl | 36 +- stix/core-objects/sdo/malware/malware.owl | 482 +----- stix/core-objects/sdo/note/note.owl | 2 - .../sdo/observed-data/observed-data.owl | 2 - stix/core-objects/sdo/opinion/opinion.owl | 37 +- stix/core-objects/sdo/report/report.owl | 69 +- .../sdo/threat-actor/threat-actor.owl | 18 +- stix/core-objects/sdo/tool/tool.owl | 52 +- .../sdo/vulnerability/vulnerability.owl | 2 - .../sro/relationship/relationship.owl | 2 - 
stix/core-objects/sro/sighting/sighting.owl | 2 - .../extension-definition.owl | 57 +- .../language-content/language-content.owl | 2 - .../{vocab.owl => vocabularies.owl} | 1302 ++++------------- stix/vocabularies/vocabulary-user-defs.owl | 754 ---------- 43 files changed, 361 insertions(+), 3360 deletions(-) rename stix/vocabularies/{vocab.owl => vocabularies.owl} (66%) delete mode 100644 stix/vocabularies/vocabulary-user-defs.owl diff --git a/stix/core-objects/sco/artifact/artifact.owl b/stix/core-objects/sco/artifact/artifact.owl index 75dfab0..133b0df 100644 --- a/stix/core-objects/sco/artifact/artifact.owl +++ b/stix/core-objects/sco/artifact/artifact.owl @@ -1,6 +1,5 @@ @@ -8,7 +7,6 @@ ]> + 2.1.0 @@ -62,30 +61,6 @@ The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. - - encryption-algorithm-enum - - - - - AES-256-GCM - - - ChaCha20-Poly1035 - - - mime-type-indicated - - - - - - - - - - - decryption_key Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive. This property MUST NOT be present when the encryption_algorithm property is absent. diff --git a/stix/core-objects/sco/autonomus-system/autonomous-system.owl b/stix/core-objects/sco/autonomus-system/autonomous-system.owl index e1e4e85..cfccd32 100644 --- a/stix/core-objects/sco/autonomus-system/autonomous-system.owl +++ b/stix/core-objects/sco/autonomus-system/autonomous-system.owl @@ -1,6 +1,5 @@ @@ -8,7 +7,6 @@ ]> @@ -8,7 +7,6 @@ ]> @@ -8,7 +7,6 @@ ]> @@ -8,7 +7,6 @@ ]> @@ -9,7 +8,6 @@ ]> - - - - - ]> + 2.1.0 
@@ -261,26 +250,6 @@ The Raster Image file extension specifies a default extension for capturing properties specific to raster image files. The key for this extension when used in the extensions dictionary MUST be raster-image-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Raster Image File Extension MUST contain at least one property from this extension. - - windows-pebinary-type-ov-open - Defines an open-vocabulary used to capture the types of Windows PE files - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - @@ -875,7 +844,7 @@ pe_type Specifies the type of the PE binary. This is an open vocabulary and values SHOULD come from the windows-pebinary-type-ov open vocabulary. - + diff --git a/stix/core-objects/sco/ipv4-address/ipv4-address.owl b/stix/core-objects/sco/ipv4-address/ipv4-address.owl index 098de80..059004c 100644 --- a/stix/core-objects/sco/ipv4-address/ipv4-address.owl +++ b/stix/core-objects/sco/ipv4-address/ipv4-address.owl @@ -1,8 +1,5 @@ - - @@ -10,9 +7,6 @@ ]> - - @@ -10,9 +7,6 @@ ]> @@ -8,7 +7,6 @@ ]> @@ -8,7 +7,6 @@ ]> - @@ -10,8 +8,6 @@ ]> + 2.1.0 @@ -93,90 +90,7 @@ ICMP Extension The ICMP extension specifies a default extension for capturing network traffic properties specific to ICMP. The key for this extension when used in the extensions dictionary MUST be icmp-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is icmp. - - - network-socket-address-family-enum - - - - - AF_UNSPEC - - - AF_INET - - - AF_IPX - - - AF_APPLETALK - - - AF_NETBIOS - - - AF_INET6 - - - AF_IRDA - - - AF_BTH - - - - - - - - - - - - - - - - - - - - - - - network-socket-type-enum - - - - - SOCK_STREAM - - - SOCK_DGRAM - - - SOCK_RAW - - - SOCK_RDM - - - SOCK_SEQPACKET - - - - - - - - - - - - - - - + 
diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl index 62acfbc..392412b 100644 --- a/stix/core-objects/sco/process/process.owl +++ b/stix/core-objects/sco/process/process.owl @@ -1,8 +1,6 @@ - - @@ -11,8 +9,6 @@ + 2.1.0 @@ -128,35 +125,6 @@ The Process object represents common properties of an instance of a computer program as executed on an operating system. A Process object MUST contain at least one property (other than type) from this object (or one of its extensions). - - windows-integrity-level-enum - - - - - low - - - medium - - - high - - - system - - - - - - - - - - - - - @@ -264,114 +232,7 @@ Windows Service Extension The Windows Service extension specifies a default extension for capturing properties specific to Windows services. The key for this extension when used in the extensions dictionary MUST be windows-service-ext. Note that this predefined extension does not use the extension facility described in section 7.3. As all properties of this extension are optional, at least one of the properties defined below MUST be included when using this extension. - - - windows-service-start-type-enum - - - - - SERVICE_AUTO_START - - - SERVICE_BOOT_START - - - SERVICE_DEMAND_START - - - SERVICE_DISABLED - - - SERVICE_SYSTEM_ALERT - - - - - - - - - - - - - - - - - windows-service-status-enum - - - - - SERVICE_CONTINUE_PENDING - - - SERVICE_PAUSE_PENDING - - - SERVICE_PAUSED - - - SERVICE_RUNNING - - - SERVICE_START_PENDING - - - SERVICE_STOP_PENDING - - - SERVICE_STOPPED - - - - - - - - - - - - - - - - - - - - - windows-service-type-enum - - - - - SERVICE_KERNEL_DRIVER - - - SERVICE_FILE_SYSTEM_DRIVER - - - SERVICE_WIN32_OWN_PROCESS - - - SERVICE_WIN32_SHARE_PROCESS - - - - - - - - - - - - - + aslr_enabled Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. 
@@ -548,7 +409,7 @@ start_type - Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. + Specifies the start options defined for the service. The values of this property MUST come from the windows-service-start-type-enum enumeration. diff --git a/stix/core-objects/sco/software/software.owl b/stix/core-objects/sco/software/software.owl index dea2c12..a11503b 100644 --- a/stix/core-objects/sco/software/software.owl +++ b/stix/core-objects/sco/software/software.owl @@ -3,7 +3,6 @@ - ]> @@ -12,7 +11,6 @@ xmlns:owl="http://www.w3.org/2002/07/owl#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" - xmlns:software="http://docs.oasis-open.org/cti/ns/stix/software#" xmlns:stix="http://docs.oasis-open.org/cti/ns/stix#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> diff --git a/stix/core-objects/sco/url/url.owl b/stix/core-objects/sco/url/url.owl index 2340eee..6daba29 100644 --- a/stix/core-objects/sco/url/url.owl +++ b/stix/core-objects/sco/url/url.owl @@ -4,7 +4,6 @@ - ]> diff --git a/stix/core-objects/sco/user-account/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl index af11235..2766928 100644 --- a/stix/core-objects/sco/user-account/user-account.owl +++ b/stix/core-objects/sco/user-account/user-account.owl @@ -4,8 +4,6 @@ - - ]> + 2.1.0 - - account-type-ov - - - - - facebook - - - ldap - - - nis - - - openid - - - radius - - - skype - - - tacacs - - - twitter - - - unix - - - windows-local - - - windows-domain - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl index 66cf417..0bc4d56 100644 --- a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl +++ b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl 
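Review bot: The corrected `start_type` description now says values MUST come from `windows-service-start-type-enum`, while the earlier hunk in this same file (`@@ -264,114 +232,7 @@`) deletes that enumeration's definition from process.owl; with the markup stripped here it is not visible whether the property's range was re-pointed at the relocated definition, so confirm the reference still resolves after the move. The fix replaces an ASLR sentence evidently copied from `aslr_enabled`, so the sibling Windows-service properties whose enumerations were deleted alongside it (`service_status`, `service_type`, if present) are worth checking for the same copy-paste.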
@@ -4,7 +4,6 @@ - ]> + 2.1.0 - - windows-registry-datatype-enum - - - - - REG_NONE - - - REG_SZ - - - REG_EXPAND_SZ - - - REG_BINARY - - - REG_DWORD - - - REG_DWORD_BIG_ENDIAN - - - REG_DWORD_LITTLE_ENDIAN - - - REG_LINK - - - REG_MULTI_SZ - - - REG_RESOURCE_LIST - - - REG_FULL_RESOURCE_DESCRIPTION - - - REG_RESOURCE_REQUIREMENTS_LIST - - - REG_QWORD - - - REG_INVALID_TYPE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl index 8ef3c11..44c8bc1 100644 --- a/stix/core-objects/sco/x509-vertificate/x509-certificate.owl +++ b/stix/core-objects/sco/x509-vertificate/x509-certificate.owl @@ -4,7 +4,6 @@ - ]> diff --git a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl index 6495732..ba8867e 100644 --- a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl +++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl @@ -1,6 +1,5 @@ @@ -9,7 +8,6 @@ ]> @@ -9,7 +8,6 @@ ]> @@ -9,7 +8,6 @@ ]> @@ -9,7 +8,6 @@ ]> context A short descriptor of the particular context shared by the content referenced by the Grouping. The value for this property SHOULD come from the grouping-context-ov open vocabulary. - - - - - - malware-analysis - - - suspicious-activity - - - unspecified - - - - - - - - - + diff --git a/stix/core-objects/sdo/identity/identity.owl b/stix/core-objects/sdo/identity/identity.owl index 4278472..5cfe300 100644 --- a/stix/core-objects/sdo/identity/identity.owl +++ b/stix/core-objects/sdo/identity/identity.owl @@ -1,6 +1,5 @@ @@ -9,7 +8,6 @@ ]> + 2.1.0 
@@ -63,224 +62,6 @@ Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. - - identity-class-ov - - - - - class - - - group - - - individual - - - organization - - - system - - - unknown - - - - - - - - - - - - - - - - - - - industry-sector-ov - - - - - aerospace - - - agriculture - - - automotive - - - chemical - - - commercial - - - communications - - - construction - - - dams - - - defense - - - education - - - emergency-services - - - energy - - - entertainment - - - financial-services - - - government - - - government-local - - - government-national - - - government-public-services - - - government-regional - - - healthcare - - - hospitality-leisure - - - infrastructure - - - insurance - - - manufacturing - - - mining - - - non-profit - - - nuclear - - - pharmaceuticals - - - retail - - - technology - - - telecommunications - - - transportation - - - utilities - - - water - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - contact_information The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification. diff --git a/stix/core-objects/sdo/incident/incident.owl b/stix/core-objects/sdo/incident/incident.owl index 766a2fa..367a7ca 100644 --- a/stix/core-objects/sdo/incident/incident.owl +++ b/stix/core-objects/sdo/incident/incident.owl @@ -1,6 +1,5 @@ @@ -9,7 +8,6 @@ ]> @@ -9,7 +8,6 @@ ]> + 2.1.0 
@@ -81,89 +80,6 @@ Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. - - indicator-type-ov - - - - - anomalous-activity - - - anonymization - - - attribution - - - benign - - - compromised - - - malicious-activity - - - unknown - - - - - - - - - - - - - - - - - - - - - pattern-type-ov - - - - - pcre - - - sigma - - - snort - - - stix - - - suricata - - - yara - - - - - - - - - - - - - - - - - description A description that provides more details and context about the Indicator, potentially including its purpose and its key characteristics. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl index c751bc1..974d25f 100644 --- a/stix/core-objects/sdo/infrastructure/infrastructure.owl +++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl @@ -1,6 +1,5 @@ @@ -9,7 +8,6 @@ ]> + 2.1.0 
@@ -69,70 +68,6 @@ The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure. - - infrastructure-type-ov - - - - - amplification - - - anonymization - - - botnet - - - command-and-control - - - exfiltration - - - hostig-malware - - - hosting-target-lists - - - phishing - - - reconnaissance - - - staging - - - undefined - - - - - - - - - - - - - - - - - - - - - - - - - - - aliases Alternative names used to identify this Infrastructure. diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index 4f71daa..98c1475 100644 --- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl @@ -1,21 +1,17 @@ - ]> 
@@ -123,19 +119,19 @@ primary_motivation The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - + resource_level This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. - + secondary_motivations The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - + \ No newline at end of file diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl index cd470f5..e638f38 100644 --- a/stix/core-objects/sdo/location/location.owl +++ b/stix/core-objects/sdo/location/location.owl @@ -1,21 +1,17 @@ - ]> @@ -165,7 +161,7 @@ region The region that this Location describes. The value for this property SHOULD come from the region-ov open vocabulary. - + diff --git a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl index 262e6fe..f341c15 100644 --- a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl +++ b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl @@ -1,26 +1,23 @@ - ]> + 2.1.0 
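Review bot: The rdfs:comment kept for `secondary_motivations` on the new side is the `first_seen` text ("The time that this Intrusion Set was first seen…") and says nothing about motivations, and going by the hunk header the comment directly under `primary_motivation` appears to be the same copied sentence; this hunk only swaps the line beneath each property and leaves the wrong documentation in place. I would replace the secondary_motivations comment with `The secondary reasons, motivations, or purposes behind this Intrusion Set. The position in the list has no significance. The values for this property SHOULD come from the attack-motivation-ov open vocabulary.` and give primary_motivation the analogous single-value sentence, mirroring what threat-actor.owl already says for its own properties. The changed lines themselves are reduced to `- +` in this view, so I cannot confirm what the new range or reference points at; the file also still ends without a trailing newline.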
@@ -155,36 +152,7 @@ Malware Analysis Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. One of result or analysis_sco_refs properties MUST be provided. - - - malware-result-ov - - - - - benign - - - malicious - - - suspicious - - - unknown - - - - - - - - - - - - - + analysis_definition_version The version of the analysis definitions used by the analysis tool (including AV tools). diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl index 8c7ee0e..80d073d 100644 --- a/stix/core-objects/sdo/malware/malware.owl +++ b/stix/core-objects/sdo/malware/malware.owl @@ -1,143 +1,26 @@ - ]> + 2.1.0 - - implementation-language-ov - - - - - applescript - - - bash - - - c - - - c# - - - c++ - - - go - - - java - - - javascript - - - lua - - - objective-c - - - perl - - - php - - - powershell - - - python - - - ruby - - - scala - - - swift - - - typescript - - - visual-basic - - - x86-32 - - - x86-64 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
@@ -235,368 +118,6 @@ Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim. The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO. The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides. To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. 
- - malware-capabilities-ov - - - - - accesses-remote-machines - - - anti-debugging - - - anti-disassembly - - - anti-emulation - - - anti-sandbox - - - anti-vm - - - antimemory-forensics - - - captures-input-peripherals - - - captures-outputperipherals - - - captures-system-state-data - - - cleans-traces-of-infection - - - commits-fraud - - - communicates-with-c2 - - - compromises-data-availability - - - compromises-data-integrity - - - compromises-system-availability - - - controls-local-machine - - - degrades-security-software - - - degrades-system-updates - - - determines-c2-server - - - emails-spam - - - escalates-privileges - - - evades-av - - - exfiltrates-data - - - fingerprints-host - - - hides-artifacts - - - hides-executing-code - - - infects-files - - - infects-remote-machines - - - installs-other-components - - - persists-aftersystem-reboot - - - prevents-artifact-access - - - prevents-artifact-deletion - - - probes-networkenvironment - - - self-modifies - - - steals-authentication-credentials - - - violates-systemoperational-integrity - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - malware-type-ov - - - - - adware - - - backdoor - - - bootkit - - - bot - - - ddos - - - downloader - - - dropper - - - exploit-kit - - - keylogger - - - ransomware - - - remote-access-trojan - - - resource-exploitation - - - rogue-security-software - - - rootkit - - - screen-capture - - - spyware - - - trojan - - - unknown - - - virus - - - webshell - - - wiper - - - worm - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - processor-architecture-ov - - - - - alpha - - - arm - - - ia-64 - - - mips - - - powerpc - - - sparc - - - x86 - - - x86-64 - - - - - - - - - - - - - - - - - - - - - aliases Alternative names used to identify this malware or malware family. 
@@ -618,7 +139,6 @@ architecture_execution_envs The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. - diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl index ea76520..5b3f73f 100644 --- a/stix/core-objects/sdo/note/note.owl +++ b/stix/core-objects/sdo/note/note.owl @@ -1,6 +1,5 @@ @@ -9,7 +8,6 @@ ]> @@ -9,7 +8,6 @@ ]> @@ -9,7 +8,6 @@ ]> + 2.1.0 
@@ -57,40 +56,6 @@ An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. - - opinion-enum - - - - - agree - - - disagree - - - neutral - - - strongly-agree - - - strongly-disagree - - - - - - - - - - - - - - - authors The name of the author(s) of this Opinion (e.g., the analyst(s) that created it). diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl index ec167c1..a31c9c1 100644 --- a/stix/core-objects/sdo/report/report.owl +++ b/stix/core-objects/sdo/report/report.owl @@ -3,7 +3,6 @@ - ]> 
@@ -12,12 +11,12 @@ xmlns:owl="http://www.w3.org/2002/07/owl#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" - xmlns:report="http://docs.oasis-open.org/cti/ns/stix/report#" xmlns:stix="http://docs.oasis-open.org/cti/ns/stix#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> + 2.1.0 @@ -62,71 +61,7 @@ Report Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. - - - report-type-ov - - - - - attack-pattern - - - campaign - - - identity - - - indicator - - - intrusion-set - - - malware - - - observed-data - - - threat-actor - - - threat-report - - - tool - - - vulnerability - - - - - - - - - - - - - - - - - - - - - - - - - - - + description A description that provides more details and context about the Report, potentially including its purpose and its key characteristics. diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index 0b6ebfc..6924d55 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl @@ -4,8 +4,6 @@ - - ]> 
@@ -147,43 +143,43 @@ personal_motivations The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Personal motivation, which is independent of the organization's goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization's motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation's objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance. The values for this property SHOULD come from the attack-motivation-ov open vocabulary. - + primary_motivation The primary reason, motivation, or purpose behind this Threat Actor. The motivation is why the Threat Actor wishes to achieve the goal (what they are trying to achieve). For example, a Threat Actor with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism. The value for this property SHOULD come from the attack-motivation-ov open vocabulary. - + resource_level The organizational level at which this Threat Actor typically works, which in turn determines the resources available to this Threat Actor for use in an attack. This attribute is linked to the sophistication property — a specific resource level implies that the Threat Actor has access to at least a specific sophistication level. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. - + roles A list of roles the Threat Actor plays. The values for this property SHOULD come from the threat-actor-role-ov open vocabulary. 
- + secondary_motivations This property specifies the secondary reasons, motivations, or purposes behind this Threat Actor. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance. The value for this property SHOULD come from the attack-motivation-ov open vocabulary. - + sophistication The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. The value for this property SHOULD come from the threat-actor-sophistication-ov open vocabulary. - + threat_actor_types The type(s) of this threat actor. The values for this property SHOULD come from the threat-actor-type-ov open vocabulary. - + \ No newline at end of file diff --git a/stix/core-objects/sdo/tool/tool.owl b/stix/core-objects/sdo/tool/tool.owl index 596f4af..07745a3 100644 --- a/stix/core-objects/sdo/tool/tool.owl +++ b/stix/core-objects/sdo/tool/tool.owl @@ -4,7 +4,6 @@ - ]> + 2.1.0 
@@ -63,55 +62,6 @@ Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. \n\nThe Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool. \n\nThis SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterize tools used as part of a course of action in response to an attack. - - tool-type-ov - - - - - credential-exploitation - - - denial-of-service - - - exploitation - - - information-gathering - - - network-capture - - - remote-access - - - unknown - - - vulnerability-scanning - - - - - - - - - - - - - - - - - - - - - aliases Alternative names used to identify this Tool. diff --git a/stix/core-objects/sdo/vulnerability/vulnerability.owl b/stix/core-objects/sdo/vulnerability/vulnerability.owl index 337e79b..c34cf19 100644 --- a/stix/core-objects/sdo/vulnerability/vulnerability.owl +++ b/stix/core-objects/sdo/vulnerability/vulnerability.owl @@ -4,7 +4,6 @@ - ]> diff --git a/stix/core-objects/sro/relationship/relationship.owl b/stix/core-objects/sro/relationship/relationship.owl index 468ddcc..7355401 100644 --- a/stix/core-objects/sro/relationship/relationship.owl +++ b/stix/core-objects/sro/relationship/relationship.owl @@ -3,7 +3,6 @@ - ]> 
@@ -11,7 +10,6 @@ xmlns:owl="http://www.w3.org/2002/07/owl#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" - xmlns:relationship="http://docs.oasis-open.org/cti/ns/stix/relationship#" xmlns:stix="http://docs.oasis-open.org/cti/ns/stix#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> diff --git a/stix/core-objects/sro/sighting/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl index 77dd6cf..c9de18d 100644 --- a/stix/core-objects/sro/sighting/sighting.owl +++ b/stix/core-objects/sro/sighting/sighting.owl @@ -3,7 +3,6 @@ - ]> @@ -11,7 +10,6 @@ xmlns:owl="http://www.w3.org/2002/07/owl#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" - xmlns:sighting="http://docs.oasis-open.org/cti/ns/stix/sighting#" xmlns:stix="http://docs.oasis-open.org/cti/ns/stix#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> diff --git a/stix/meta-objects/extension-definition/extension-definition.owl b/stix/meta-objects/extension-definition/extension-definition.owl index 6134b6f..a8d13f1 100644 --- a/stix/meta-objects/extension-definition/extension-definition.owl +++ b/stix/meta-objects/extension-definition/extension-definition.owl @@ -1,6 +1,5 @@ @@ -8,7 +7,6 @@ ]> - 2.1.0 - - - - Extension - Characterizes the base of all extensions to Cyber Observable objects. - - + 
@@ -54,53 +45,13 @@ extension_properties This property contains the list of new property names that are added to an object by an extension.\n\nThis property MUST only be used when the extension_types property includes a value of toplevel-property-extension. In other words, when new properties are being added at the top-level of an existing object - - - - - - - - legacy - - - new-sco - - - new-sdo - - - new-sro - - - property-extension - - - toplevel-property-extension - - - - - - - - - - - - - - - - - + extension types - This property specifies one or more extension types contained within this extension.\n\The values for this property MUST come from the extension-type-enum enumeration.\n\nWhen this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. - - + This property specifies one or more extension types contained within this extension.\n\nThe values for this property MUST come from the extension-type-enum enumeration.\n\nWhen this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. + \ No newline at end of file diff --git a/stix/meta-objects/language-content/language-content.owl b/stix/meta-objects/language-content/language-content.owl index 9e6e67b..cbea089 100644 --- a/stix/meta-objects/language-content/language-content.owl +++ b/stix/meta-objects/language-content/language-content.owl @@ -1,6 +1,5 @@ 
@@ -9,7 +8,6 @@ ]> - + ]> STIX Vocabulary - Contains the various vocabularies defined by STIX as custom RDF datatypes + STIX vocabularies that have type names ending in '-ov', are "open": they provide a listing of common and industry accepted terms as a guide to the user but do not limit the user to that defined list. These vocabularies are referenced from the STIX Objects as type open-vocab and have a statement indicating which vocabulary should be used. \n\n STIX vocabularies that have type names ending in '-enum' are "closed": the only valid values are those in the vocabulary. These vocabularies are referenced from the STIX Objects as type enum and have a statement indicating which enumeration must be used. 2.1.0 - + account-type-ov Defines an open vocabulary for types of user account. @@ -84,37 +84,8 @@ - - - activity-outcome-enum - - - - - blocked - - - failed - - - successful - - - unknown - - - - - - - - - - - - - - + + attack-motivation-ov Defines an open-vocabulary for capturing a Threat Actor or Intrusion Set's motivation for attacking. @@ -174,9 +145,8 @@ - + attack-resource-level-ov - Defines an open-vocabulary that captures the general level of resources that a threat actor, intrusion set, or campaign might have access to. @@ -213,31 +183,21 @@ - - - detection-methods-ov + + + encryption-algorithm-enum - automated-tool + AES-256-GCM - human-review + ChaCha20-Poly1035 - message-from-attacker - - - system-outage - - - user-reporting - - - - - + mime-type-indicated + @@ -247,32 +207,27 @@ - - - external-impact-ov + + + extension-type-enum - civil-liberties + new-sco - economic + new-sdo - foreign-relations + new-sro - national-security + property-extension - public-confidence - - - public-health - - - + toplevel-property-extension + @@ -287,9 +242,8 @@ - + grouping-context-ov - Defines an open-vocabulary that captures the type of context for the grouping. @@ -312,9 +266,8 @@ - + hash-algorithm-ov - Defines an open vocabulary of hashing algorithms. 
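Review bot: In the new `encryption-algorithm-enum` the individual `ChaCha20-Poly1035` is misspelled; the AEAD construction (RFC 8439) and the STIX 2.1 enumeration value are `ChaCha20-Poly1305`. The header text added in the same hunk set states that '-enum' vocabularies are closed and only the listed values are valid, so a validator driven by this ontology would reject the correctly spelled value every conforming STIX producer emits while accepting a name no cipher has. Change the label to `ChaCha20-Poly1305`; the markup is stripped in this view, but if the individual's rdf:about IRI is derived from the same string it presumably carries the typo too and needs the same correction.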
@@ -362,7 +315,7 @@ - + identity-class-ov Defines an open-vocabulary that captures tthe type of entity that the Identity represents. @@ -397,9 +350,8 @@ - + implementation-language-ov - Defines an open-vocabulary of implementation programming languages. @@ -512,234 +464,8 @@ - - incident-action-stage-enum - - - - - containment - - - detection - - - eradication - - - mitigation - - - post-incident - - - prevention - - - recovery - - - - - - - - - - - - - - - - - - - - - incident-confidentiality-loss-enum - - - - - contained - - - exploited-loss - - - exploited-major-loss - - - major-loss - - - none - - - some-loss - - - suspected-loss - - - suspected-major-loss - - - - - - - - - - - - - - - - - - - - - - - incident-determination-enum - - - - - blocked - - - failed-attempt - - - false-positive - - - low-value - - - successful-attempt - - - suspected - - - - - - - - - - - - - - - - - - - incident-investigation-enum - - - - - closed - - - new - - - open - - - - - - - - - - - - - incident-type-ov - - - - - compromised-system - - - denial-of-service - - - destruction - - - equipment-loss - - - equipment-theft - - - major - - - supply-chain-customer - - - supply-chain-vendor - - - unauthorized-access - - - unauthorized-equipment - - - unauthorized-release - - - unauthorized-use - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + indicator-type-ov - Defines an open-vocabulary used to categorize Indicators. It is intended to be high-level to promote consistent practices. @@ -782,9 +508,8 @@ - + industry-sector-ov - Defines an open-vocabulary that captures the types of industrial, commercial, and government sectors. It is intended to be holistic; it has been derived from serveral other lists and is not limited to critical infrastructure sectors. 
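Review bot: The `identity-class-ov` description retained on the new side still reads "captures tthe type of entity", a typo this hunk touches the neighbouring line of but does not fix. Since these rdfs:comment strings are what tooling surfaces as the vocabulary's documentation, I would correct it to `Defines an open-vocabulary that captures the type of entity that the Identity represents.` while the file is being reorganized.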
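Review bot: The `industry-sector-ov` description kept on the new side still says it "has been derived from serveral other lists"; the hunk rewrites the line next to it and leaves the typo. A one-word fix to `derived from several other lists` would keep the generated vocabulary documentation clean. I note this hunk, like most in vocabulary.owl, drops the vocabulary's own "Defines an open-vocabulary…" line on the old side without a visible replacement; if the intent is to keep per-vocabulary descriptions, that line should be re-added rather than removed.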
@@ -961,47 +686,72 @@ - - - information-type-ov + + + infrastructure-type-ov - classified-material + amplification - communication + anonymization - credentials-admin + botnet - credentials-user + command-and-control - financial + control-system - legal + exfiltration - payment - - - phi - - - pii - - - proprietary - - - - - - + firewall + + + hosting-malware + + + hosting-target-lists + + + phishing + + + reconnaissance + + + routers-switches + + + staging + + + workstation + + + unknown + + + + + + + + + + + + + + + + @@ -1020,104 +770,24 @@ - - - infrastructure-type-ov - Defines an open-vocabulary used to categorize Indicators. It is intended to be high-level to promote consistent practices. + + + malware-result-ov - amplification + benign - anonymization + malicious - botnet + suspicious - command-and-control - - - exfiltration - - - hosting-malware - - - hosting-target-lists - - - phishing - - - reconnaissance - - - staging - - - unknown - - - - - - - - - - - - - - - - - - - - - - - - - - - - - integrity-alteration-enum - - - - - full-destruction - - - full-modification - - - none - - - partial-destruction - - - partial-modification - - - potential-destruction - - - potential-modification - - - - - - - + unknown + @@ -1129,10 +799,9 @@ - - + + malware-capabilities-ov - Defines an open-vocabulary used to capturing capabilities that may be exhibited by a malware instance or family. @@ -1325,74 +994,8 @@ - - malware-result-ov - Defines an open-vocabulary used to ccommon types of scanner or tool analysis process results. - - - - - amplification - - - anonymization - - - botnet - - - command-and-control - - - exfiltration - - - hosting-malware - - - hosting-target-lists - - - phishing - - - reconnaissance - - - staging - - - unknown - - - - - - - - - - - - - - - - - - - - - - - - - - - - + malware-type-ov - Defines an open-vocbulary that captures the different types and functions of malware. @@ -1454,13 +1057,18 @@ virus - wiper + webshell + wiper + + worm + + 
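Review bot: The new `malware-result-ov` definition carries no description, whereas the definition it replaces had an rdfs:comment (a wrong one — it was a copy of the infrastructure list, which is presumably why it was dropped rather than corrected); the same is true of the `infrastructure-type-ov` introduced in the preceding hunk, whose old comment incorrectly said it categorized Indicators. Dropping the comments fixes the wrong text but leaves both vocabularies undocumented, and the new top-of-file text only explains the -ov/-enum distinction, not what each list is for. I would add `Defines an open-vocabulary capturing the common types of result produced by a malware scanner or analysis tool.` to malware-result-ov and `Defines an open-vocabulary used to categorize the type of infrastructure described by an Infrastructure object.` to infrastructure-type-ov, matching the wording style of the surviving descriptions. The value lists themselves (benign/malicious/suspicious/unknown; amplification … workstation/unknown) look consistent with STIX 2.1 as far as I can tell from the stripped markup.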
@@ -1504,55 +1112,35 @@ - - - marking-definition-type-ov - Defines an open-vocabulary used to capture the type of the marking definition. - - - - - statement - - - tlp - - - - - - - - - - - monetary-impact-type-ov + + + network-socket-address-family-enum - asset-and-fraud + AF_UNSPEC - brand-damage + AF_INET - business-disruption + AF_IPX - competitive-advantage + AF_APPLETALK - legal-and-regulatory + AF_NETBIOS - operating-costs + AF_INET6 - response-and-recovery + AF_IRDA - uncategorized + AF_BTH @@ -1573,33 +1161,27 @@ - - - pattern-type-ov - Defines an open-vocabulary used to capture common pattern languages and is intended to characterize the pattern language that the indicator pattern is expressed in. + + + network-socket-type-enum - pcre + SOCK_STREAM - sigma + SOCK_DGRAM - snort + SOCK_RAW - stix + SOCK_RDM - suricata - - - yara - - - + SOCK_SEQPACKET + @@ -1613,32 +1195,27 @@ - - - physical-impact-enum + + + opinion-enum - damaged-complete + agree - damaged-limited + disagree - destruction-complete + neutral - destruction-limited + strongly-agree - none - - - unknown - - - + strongly-disagree + @@ -1653,40 +1230,29 @@ - - processor-architecture-ov - Defines an open vocabulary for capturing common processor architectures and is intended to characterize the architectures that a malware instance or family may be able to execute on. + + pattern-type-ov - alpha + pcre - arm + sigma - ia-64 + snort - mips + stix - powerpc + suricata - sparc - - - x86 - - - x86-64 - - - - - + yara + @@ -1703,26 +1269,41 @@ - - recoverability-enum + + processor-architecture-ov - extended + alpha - not-applicable + arm - not-recoverable + ia-64 - regular + mips - supplemented - + powerpc + + + sparc + + + x86 + + + x86-64 + + + + + + + @@ -1737,7 +1318,7 @@ - + region-ov @@ -1800,7 +1381,7 @@ northern-europe - oceana + oceania polynesia @@ -1891,9 +1472,8 @@ - + report-type-ov - Defines an open-vocabulary used to capture the primary purpose or subject of a report. 
@@ -1955,34 +1535,58 @@ - - - threat-actor-role-ov - Defines an open-vocabulary used to capture the different roles that a threat actor can play. + + + threat-actor-type-ov - agent + activist - director + competitor - independent + crime-syndicate - infrastructure-architect + criminal - infrastructure-operator + hacker - malware-author + insider-accidental - sponsor - + insider-disgruntled + + + nation-state + + + sensationalist + + + spy + + + terrorist + + + unknown + + + + + + + + + + + @@ -2001,32 +1605,31 @@ - - threat-actor-sophistication-ov - Defines an open-vocabulary used to capture the skill level of a threat actor. + + threat-actor-role-ov - advanced + agent - expert + director - innovator + independent - intermediate + infrastructure-architect - minimal + infrastructure-operator - none + malware-author - strategic + sponsor @@ -2046,58 +1649,32 @@ - - threat-actor-type-ov - Defines an open-vocabulary used to capture what type of threat actor the individual or group is. + + threat-actor-sophistication-ov - activist + advanced - competitor + expert - crime-syndicate + innovator - criminal + intermediate - hacker + minimal - insider-accidental + none - insider-disgruntled - - - nation-state - - - sensationalist - - - spy - - - terrorist - - - unknown - - - - - - - - - - - + strategic + @@ -2115,49 +1692,9 @@ - - - timestamp-fidelity-enum - - - - - day - - - hour - - - minute - - - month - - - second - - - year - - - - - - - - - - - - - - - - - - - tool-label-ov - Defines an open-vocabulary used to capture the categories of tools that can be used to perform attacks. + + + tool-type-ov @@ -2204,21 +1741,26 @@ - - - traceability-enum + + + windows-integrity-level-enum - accountability-lost + low - partial-accountability + medium - provable-accountability - + high + + + system + + + @@ -2228,8 +1770,8 @@ - - + + windows-pebinary-type-ov Defines an open-vocabulary used to capture the types of Windows PE files 
@@ -2258,198 +1800,106 @@ - - - personal_motivations - The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals.\n\nPersonal motivation, which is independent of the organization’s goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization’s motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation’s objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance.\n\nThe values for this property SHOULD come from the attack-motivation-ov open vocabulary. - - - - - accidental - - - coercion - - - dominance - - - ideology - - - notoriety - - - organizational-gain - - - personal-gain - - - personal-satisfaction - - - revenge - - - unpredictable - - - - - - - - - - - - - - - - - - - - - - - - - - - primary_motivation - Specifies the primary reason, motivation, or purpose behind this Intrusion Set. The motivation is why the Intrusion Set wishes to achieve the goal (what they are trying to achieve).\n\nThe value for this property SHOULD come from the attack-motivation-ov open vocabulary. 
- + + + windows-registry-datatype-enum + - - accidental + + REG_NONE - - coercion + + REG_SZ - - dominance + + REG_EXPAND_SZ - - ideology + + REG_BINARY - - notoriety + + REG_DWORD - - organizational-gain + + REG_DWORD_BIG_ENDIAN - - personal-gain + + REG_DWORD_LITTLE_ENDIAN - - personal-satisfaction + + REG_LINK - - revenge + + REG_MULTI_SZ - - unpredictable - - + + REG_RESOURCE_LIST + + + REG_FULL_RESOURCE_DESCRIPTION + + + REG_RESOURCE_REQUIREMENTS_LIST + + + REG_QWORD + + + REG_INVALID_TYPE + + + + + + + + + + - + - + - + - - - - - - - - - - - - - - - - - - resource_level - Specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack.\n\nThe value for this property SHOULD come from the attack-resource-level-ov open vocabulary. - - - - - club - - - contest - - - government - - - individual - - - organization - - - team - - + - + - + - + - + - + - - - - - roles - Specifies a list of roles the Threat Actor plays.\n\nThe values for this property SHOULD come from the threat-actor-role-ov open vocabulary. - + + + + + windows-service-start-type-enum + - agent + SERVICE_AUTO_START - director + SERVICE_BOOT_START - independent + SERVICE_DEMAND_START - infrastructure-architect + SERVICE_DISABLED - infrastructure-operator - - - malware-author - - - sponsor - - - - - + SERVICE_SYSTEM_ALERT + 
@@ -2461,57 +1911,26 @@ - - - - - secondary_motivations - Specifies the secondary reasons, motivations, or purposes behind this Intrusion Set. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance.\n\nThe values for this property SHOULD come from the attack-motivation-ov open vocabulary. - + + + + + windows-service-type-enum + - accidental + SERVICE_KERNEL_DRIVER - coercion + SERVICE_FILE_SYSTEM_DRIVER - dominance + SERVICE_WIN32_OWN_PROCESS - ideology - - - notoriety - - - organizational-gain - - - personal-gain - - - personal-satisfaction - - - revenge - - - unpredictable - - - - - - - - - - - - - + SERVICE_WIN32_SHARE_PROCESS + @@ -2521,35 +1940,34 @@ - - - - - sophistication - Specifies the skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack.\n\nThe value for this property SHOULD come from the threat-actor-sophistication-ov open vocabulary. - + + + + + windows-service-status-enum + - advanced + SERVICE_CONTINUE_PENDING - expert + SERVICE_PAUSE_PENDING - innovator + SERVICE_PAUSED - intermediate + SERVICE_RUNNING - minimal + SERVICE_START_PENDING - none + SERVICE_STOP_PENDING - strategic + SERVICE_STOPPED @@ -2566,77 +1984,7 @@ - - - - - threat_actor_types - Specifies the type(s) of this threat actor.\n\nThe values for this property SHOULD come from the threat-actor-type-ov open vocabulary. - - - - - activist - - - competitor - - - crime-syndicate - - - criminal - - - hacker - - - insider-accidential - - - insider-disgruntled - - - nation-state - - - sensationalist - - - spy - - - terrorist - - - unknown - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + \ No newline at end of file 
diff --git a/stix/vocabularies/vocabulary-user-defs.owl b/stix/vocabularies/vocabulary-user-defs.owl deleted file mode 100644 index 24a7728..0000000 --- a/stix/vocabularies/vocabulary-user-defs.owl +++ /dev/null 
@@ -1,754 +0,0 @@ - - - - - - - -]> - - - - User Open Vocabulary - Contains the various vocabularies defined by users as custom RDF datatypes - 2.1.0 - - - - account-type-ov-open - Defines an open vocabulary for types of user account. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - attack-motivation-ov-open - Defines an open-vocabulary for capturing a Threat Actor or Intrusion Set's motivation for attacking. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - attack-resource-level-ov-open - Defines an open-vocabulary that captures the general level of resources that a threat actor, intrusion set, or campaign might have access to. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - defender-activity-ov - Defines an open vocabulary for defender activities associated with an Incident. - - - - - containment-completed - - - containment-started - - - declared - - - detected - - - eradication-completed - - - eradication-started - - - escalated - - - recovery-completed - - - recovery-started - - - reported - - - - - - - - - - - - - - - - - - - - - - - - - - - dectection-methods-ov - - - - - automated-tool - - - human-review - - - message-from-attacker - - - system-outage - - - user-reporting - - - - - - - - - - - - - - - - - external-impact-ov - - - - - civil-liberties - - - economic - - - foreign-relations - - - national-security - - - public-confidence - - - public-health - - - - - - - - - - - - - - - - - - - grouping-context-ov-open - Defines an open-vocabulary that captures the type of context for the grouping. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - hash-algorithm-ov-open - Defines an open vocabulary of hashing algorithms. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - identity-class-ov-open - Defines an open-vocabulary that captures the type of entity that the Identity represents. 
- - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - implementation-language-ov-open - Defines an open-vocabulary of implementation programming languages. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - incident-action-status-ov - - - - - failed - - - new-control - - - planned - - - successful - - - unused - - - - - - - - - - - - - - - - - incident-type-ov - - - - - blocked - - - compromised-system - - - destruction - - - equipment-loss - - - failed-attempt - - - major - - - supply-chain-customer - - - supply-chain-vendor - - - unauthorized-access - - - unauthorized-release - - - under-investigation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - indicator-type-ov-open - Defines an open-vocabulary used to categorize Indicators. It is intended to be high-level to promote consistent practices. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - industry-sector-ov-open - Defines an open-vocabulary that captures the types of industrial, commercial, and government sectors. It is intended to be holistic; it has been derived from serveral other lists and is not limited to critical infrastructure sectors. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - - - - - classified-material - - - communication - - - credentials-admin - - - credentials-user - - - financial - - - legal - - - payment - - - phi - - - pii - - - proprietary - - - - - - - - - - - - - - - - - - - - - - - - - - - infrastructure-type-ov-open - Defines an open-vocabulary used to categorize Indicators. It is intended to be high-level to promote consistent practices. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - malware-capabilities-ov-open - Defines an open-vocabulary used to capturing capabilities that may be exhibited by a malware instance or family. 
- - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - malware-result-ov-open - Defines an open-vocabulary used to ccommon types of scanner or tool analysis process results. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - malware-type-ov-open - Defines an open-vocbulary that captures the different types and functions of malware. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - marking-definition-type-ov-open - Defines an open-vocabulary used to capture the type of the marking definition. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - pattern-type-ov-open - Defines an open-vocabulary used to capture common pattern languages and is intended to characterize the pattern language that the indicator pattern is expressed in. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - processor-architecture-ov-open - Defines an open vocabulary for capturing common processor architectures and is intended to characterize the architectures that a malware instance or family may be able to execute on. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - report-type-ov-open - Defines an open-vocabulary used to capture the primary purpose or subject of a report. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - threat-actor-role-ov-open - Defines an open-vocabulary used to capture the different roles that a threat actor can play. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - threat-actor-sophistication-ov-open - Defines an open-vocabulary used to capture the skill level of a threat actor. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - threat-actor-type-ov-open - Defines an open-vocabulary used to capture what type of threat actor the individual or group is. 
- - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - tool-label-ov-open - Defines an open-vocabulary used to capture the categories of tools that can be used to perform attacks. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - - region-ov-open - Defines an open-vocabulary that captures the world regions based on the United Nations geoscheme. - - - - - user-definition-01 - - - user-definition-02 - - - - - - - - - - \ No newline at end of file From 67c50ae7aefd63983a00030aadb5d210e92dfa59 Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Sun, 22 Jan 2023 17:34:35 +0100 Subject: [PATCH 31/70] Normalizing the branch --- .../sco/network-traffic/network-traffic.owl | 2 +- stix/core-objects/sco/process/process.owl | 2 +- .../sdo/malware-analysis/malware-analysis.owl | 2 +- stix/core-objects/sdo/report/report.owl | 2 +- stix/core-objects/sro/sighting/sighting.owl | 2 +- .../extension-definition.owl | 4 +- stix/vocabularies/vocabularies.owl | 348 +++++++++--------- 7 files changed, 181 insertions(+), 181 deletions(-) diff --git a/stix/core-objects/sco/network-traffic/network-traffic.owl b/stix/core-objects/sco/network-traffic/network-traffic.owl index c389d71..967fa2c 100644 --- a/stix/core-objects/sco/network-traffic/network-traffic.owl +++ b/stix/core-objects/sco/network-traffic/network-traffic.owl @@ -90,7 +90,7 @@ ICMP Extension The ICMP extension specifies a default extension for capturing network traffic properties specific to ICMP. The key for this extension when used in the extensions dictionary MUST be icmp-ext. Note that this predefined extension does not use the extension facility described in section 7.3. The corresponding protocol value for this extension is icmp. - + diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl index 392412b..94665b3 100644 --- a/stix/core-objects/sco/process/process.owl +++ b/stix/core-objects/sco/process/process.owl 
@@ -232,7 +232,7 @@ Windows Service Extension The Windows Service extension specifies a default extension for capturing properties specific to Windows services. The key for this extension when used in the extensions dictionary MUST be windows-service-ext. Note that this predefined extension does not use the extension facility described in section 7.3. As all properties of this extension are optional, at least one of the properties defined below MUST be included when using this extension. - + aslr_enabled Specifies whether Address Space Layout Randomization (ASLR) is enabled for the process. diff --git a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl index f341c15..4311e6b 100644 --- a/stix/core-objects/sdo/malware-analysis/malware-analysis.owl +++ b/stix/core-objects/sdo/malware-analysis/malware-analysis.owl @@ -152,7 +152,7 @@ Malware Analysis Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. One of result or analysis_sco_refs properties MUST be provided. - + analysis_definition_version The version of the analysis definitions used by the analysis tool (including AV tools). diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl index a31c9c1..987c539 100644 --- a/stix/core-objects/sdo/report/report.owl +++ b/stix/core-objects/sdo/report/report.owl @@ -61,7 +61,7 @@ Report Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. - + description A description that provides more details and context about the Report, potentially including its purpose and its key characteristics. 
diff --git a/stix/core-objects/sro/sighting/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl index c9de18d..452a79b 100644 --- a/stix/core-objects/sro/sighting/sighting.owl +++ b/stix/core-objects/sro/sighting/sighting.owl 
@@ -91,7 +91,7 @@ Sighting - A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. 
In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". + A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. 
In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". diff --git a/stix/meta-objects/extension-definition/extension-definition.owl b/stix/meta-objects/extension-definition/extension-definition.owl index a8d13f1..bd0d54d 100644 --- a/stix/meta-objects/extension-definition/extension-definition.owl +++ b/stix/meta-objects/extension-definition/extension-definition.owl @@ -18,7 +18,7 @@ 2.1.0 - + @@ -47,7 +47,7 @@ This property contains the list of new property names that are added to an object by an extension.\n\nThis property MUST only be used when the extension_types property includes a value of toplevel-property-extension. In other words, when new properties are being added at the top-level of an existing object - + extension types This property specifies one or more extension types contained within this extension.\n\nThe values for this property MUST come from the extension-type-enum enumeration.\n\nWhen this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. 
diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index 2bd2412..0e3aebc 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -16,7 +16,7 @@ STIX Vocabulary - STIX vocabularies that have type names ending in '-ov', are "open": they provide a listing of common and industry accepted terms as a guide to the user but do not limit the user to that defined list. These vocabularies are referenced from the STIX Objects as type open-vocab and have a statement indicating which vocabulary should be used. \n\n STIX vocabularies that have type names ending in '-enum' are "closed": the only valid values are those in the vocabulary. These vocabularies are referenced from the STIX Objects as type enum and have a statement indicating which enumeration must be used. + STIX vocabularies that have type names ending in '-ov', are "open": they provide a listing of common and industry accepted terms as a guide to the user but do not limit the user to that defined list. These vocabularies are referenced from the STIX Objects as type open-vocab and have a statement indicating which vocabulary should be used. \n\n STIX vocabularies that have type names ending in '-enum' are "closed": the only valid values are those in the vocabulary. These vocabularies are referenced from the STIX Objects as type enum and have a statement indicating which enumeration must be used. 2.1.0 @@ -84,7 +84,7 @@ - + attack-motivation-ov Defines an open-vocabulary for capturing a Threat Actor or Intrusion Set's motivation for attacking. @@ -183,7 +183,7 @@ - + encryption-algorithm-enum @@ -207,7 +207,7 @@ - + extension-type-enum @@ -686,7 +686,7 @@ - + infrastructure-type-ov 
@@ -711,47 +711,47 @@ exfiltration - firewall - - - hosting-malware - - - hosting-target-lists - - - phishing - - - reconnaissance - - - routers-switches - - - staging - - - workstation - - - unknown - - - - - - - - - - - - - - - - + firewall + + + hosting-malware + + + hosting-target-lists + + + phishing + + + reconnaissance + + + routers-switches + + + staging + + + workstation + + + unknown + + + + + + + + + + + + + + + + @@ -770,36 +770,7 @@ - - - malware-result-ov - - - - - benign - - - malicious - - - suspicious - - - unknown - - - - - - - - - - - - - + malware-capabilities-ov @@ -994,6 +965,35 @@ + + malware-result-ov + + + + + benign + + + malicious + + + suspicious + + + unknown + + + + + + + + + + + + + malware-type-ov @@ -1062,11 +1062,11 @@ wiper - - worm - - - + + worm + + + @@ -1112,7 +1112,7 @@ - + network-socket-address-family-enum @@ -1161,7 +1161,7 @@ - + network-socket-type-enum @@ -1195,7 +1195,7 @@ - + opinion-enum @@ -1535,58 +1535,33 @@ - - - threat-actor-type-ov + + + threat-actor-role-ov - activist + agent - competitor + director - crime-syndicate + independent - criminal + infrastructure-architect - hacker + infrastructure-operator - insider-accidental + malware-author - insider-disgruntled - - - nation-state - - - sensationalist - - - spy - - - terrorist - - - unknown - - - - - - - - - - - + sponsor + @@ -1605,31 +1580,31 @@ - - threat-actor-role-ov + + threat-actor-sophistication-ov - agent + advanced - director + expert - independent + innovator - infrastructure-architect + intermediate - infrastructure-operator + minimal - malware-author + none - sponsor + strategic @@ -1649,32 +1624,57 @@ - - threat-actor-sophistication-ov + + threat-actor-type-ov - advanced + activist - expert + competitor - innovator + crime-syndicate - intermediate + criminal - minimal + hacker - none + insider-accidental - strategic - + insider-disgruntled + + + nation-state + + + sensationalist + + + spy + + + terrorist + + + unknown + + + + + + + + + + + 
@@ -1692,7 +1692,7 @@ - + tool-type-ov @@ -1741,7 +1741,7 @@ - + windows-integrity-level-enum @@ -1770,7 +1770,7 @@ - + windows-pebinary-type-ov Defines an open-vocabulary used to capture the types of Windows PE files @@ -1800,7 +1800,7 @@ - + windows-registry-datatype-enum @@ -1879,7 +1879,7 @@ - + windows-service-start-type-enum @@ -1913,36 +1913,7 @@ - - - windows-service-type-enum - - - - - SERVICE_KERNEL_DRIVER - - - SERVICE_FILE_SYSTEM_DRIVER - - - SERVICE_WIN32_OWN_PROCESS - - - SERVICE_WIN32_SHARE_PROCESS - - - - - - - - - - - - - + windows-service-status-enum @@ -1986,5 +1957,34 @@ + + + windows-service-type-enum + + + + + SERVICE_KERNEL_DRIVER + + + SERVICE_FILE_SYSTEM_DRIVER + + + SERVICE_WIN32_OWN_PROCESS + + + SERVICE_WIN32_SHARE_PROCESS + + + + + + + + + + + + \ No newline at end of file From 83eac4623c141f3cd6c765304a9a44ad38a9da25 Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Mon, 23 Jan 2023 15:30:12 +0100 Subject: [PATCH 32/70] Work in progress. Added missing common properties. --- stix/core-objects/common-properties.owl | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index 012812c..4d3951c 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl @@ -46,7 +46,7 @@ - + @@ -63,7 +63,7 @@ - + @@ -103,6 +103,18 @@ + + + + + + + + + + + + From 9fd8a2cc5491432c669a0a76d9ea2079a1ac4f06 Mon Sep 17 00:00:00 2001 
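Review bot: The final hunk moves windows-service-type-enum to the end of vocabularies.owl but keeps the `\ No newline at end of file` marker on the new side, so the file still ends without a terminating newline. Since this commit is explicitly normalizing the file, adding the final newline here would stop the file's last line from showing up as modified in every later commit that appends an enumeration. The other hunks in this file look like pure reorderings and re-indentation with no vocabulary values changed, so I have no further point on them.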
From: Mateusz Zych Date: Tue, 24 Jan 2023 14:06:57 +0100 Subject: [PATCH 33/70] Work in progress. Checked and fixed common-properties.owl. changed keyvaluepait to be dictionary. --- stix/core-objects/common-properties.owl | 140 ++++++-------- stix/core-objects/data-types.owl | 180 +++++++++--------- .../sco/email-message/email-message.owl | 2 +- stix/core-objects/sco/file/file.owl | 8 +- .../sco/network-traffic/network-traffic.owl | 12 +- stix/core-objects/sco/process/process.owl | 8 +- .../data-marking/data-marking.owl | 4 + stix/vocabularies/vocabularies.owl | 2 +- 8 files changed, 174 insertions(+), 182 deletions(-) diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index 4d3951c..c62918a 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl 
@@ -19,26 +19,22 @@ 2.1.0 - - - - STIX Cyber-Observable Object - Abstract base class from which all STIX Cyber-observable Object (SCOs) derive.\n\nSTIX Cyber Observables characterize observed facts about a network or host that may be used and related to higher level intelligence to form a more complete understanding of the threat landscape. + Objects that represent observed facts about a network or host that may be used and related to higher level intelligence to form a more complete understanding of the threat landscape. STIX Domain Object - Abstract based class from which all STIX Domain Objects (SDOs) derive.\n\nSTIX Domain Objects characterize higher-level intelligence objects that represent behaviors and constructs that threat analysts would typically create or work with while understanding the threat landscape. + Higher Level Intelligence Objects that represent behaviors and constructs that threat analysts would typically create or work with while understanding the threat landscape. STIX Meta Object - Abstract base class from which all STIX Meta Objects (SMO) derive.\n\nSTIX Meta Objects characterize the necessary glue and associated metadata to enrich or extend STIX Core Objects to support user and system workflows. + A STIX Object that provides the necessary glue and associated metadata to enrich or extend STIX Core Objects to support user and system workflows. @@ -46,7 +42,7 @@ - + @@ -76,12 +72,12 @@ - + - + @@ -129,20 +125,20 @@ - + - - + + - - + + 
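Review bot: The rewritten descriptions of STIX Cyber-Observable Object, STIX Domain Object and STIX Meta Object in the first hunk drop the statement that these classes are abstract base classes from which the concrete types derive, leaving only the specification's informal definitions. Without that sentence a reader or validator has no cue that individuals should be typed with a concrete subclass (for example an Indicator) rather than with the base class itself, which matters when this ontology is used to check incoming CTI. I would keep the spec wording and prepend one short sentence to each, e.g. `Abstract base class; individuals MUST be typed with a concrete subclass.`, and use the same grammatical form for all three (the SMO text starts "A STIX Object that..." while the other two start "Objects that..."). The markup is stripped in this view, so I cannot check whether the class declarations themselves prevent direct instantiation.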
@@ -158,130 +154,120 @@ STIX Object - Abstract base class from which all STIX objects are derived. + STIX Domain Objects (SDOs) and Relationship Objects (SROs) all share a common set of properties which provide core capabilities such as versioning and data markings (representing how data can be shared and used). All STIX Cyber-observable Objects (SCOs) likewise share a common set of properties that are applicable for all SCOs. Similarly, STIX Meta Objects (SMOs) use some but not all of the common properties. - STIX Relationship Object - A bstract base class from which all STIX Relationship objects (SROs) derive.\n\nSTIX Relationship Objects STIX Relationship Objects connect STIX Domain Objects together, STIX Cyber-observable Objects together, and connect STIX Domain Objects and STIX Cyber-observable Objects together to form a more complete understanding of the threat landscape. + STIX Relationship Object + Objects that connect STIX Domain Objects together, STIX Cyber-observable Objects together, and connect STIX Domain Objects and STIX Cyber-observable Objects together to form a more complete understanding of the threat landscape. - confidence - Identifies the confidence that the creator has in the correctness of their data. The confidence value MUST be a number in the range of 0-100. - + confidence + The confidence property identifies the confidence that the creator has in the correctness of their data. The confidence value MUST be a number in the range of 0-100. \n\n Appendix A contains a table of normative mappings to other confidence scales that MUST be used when presenting the confidence value in one of those scales. \n\n If the confidence property is not present, then the confidence of the content is unspecified. + - created - Idicates the date and time at which the object was originally created.\n\nThe object creator can use the time it deems most appropriate as the time the object was created. 
The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise. + created + The created property represents the time at which the object was originally created. The object creator can use the time it deems most appropriate as the time the object was created. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise. The created property MUST NOT be changed when creating a new version of the object. See section 3.6 for further definition of versioning. + + external_references + The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. + + + - created_by_ref - Specifies the id property of the identity object that describes the entity that created this object.\n\nIf this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. + created_by_ref + The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. \n\n If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. - - created_by_ref_id - Specifies the identifier of the Identity object that describes the entity that created this object.\n\nIf this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. + + created_by_ref_string + The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. \n\n If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. 
- defanged - Specifies whether or not the data contained within the object has been defanged.\n\nThis property MUST NOT be used on any STIX Objects other than SCOs. + defanged + This property defines whether or not the data contained within the object has been defanged. The default value for this property is false. This property MUST NOT be used on any STIX Objects other than SCOs. - extensions - Specifies any extensions of the object - + extensions + Specifies any extensions of the object, as a dictionary. \n\n Dictionary keys SHOULD be the id of a STIX Extension object or the name of a predefined object extension found in this specification, depending on the type of extension being used. \n\n The corresponding dictionary values MUST contain the contents of the extension instance. \n\n Each extension dictionary MAY contain the property extension_type. The value of this property MUST come from the extension-type-enum enumeration. If the extension_type property is not present, then this is a predefined extension which does not use the extension facility described in section 7.3. When this extension facility is used the extension_type property MUST be present. + - id - Uniquely identifies this object. + id + The id property uniquely identifies this object. For objects that support versioning, all objects with the same id are considered different versions of the same object and the version of the object is identified by its modified property. - labels - Specifies a set of terms used to describe this object. The terms are user-defined or trust-group defined and their meaning is outside the scope of this specification and MAY be ignored. + labels + The labels property specifies a set of terms used to describe this object. The terms are user-defined or trust-group defined and their meaning is outside the scope of this specification and MAY be ignored. 
\n\n Where an object has a specific property defined in the specification for characterizing subtypes of that object, the labels property MUST NOT be used for that purpose. \n\n For example, the Malware SDO has a property malware_types that contains a list of Malware subtypes (dropper, RAT, etc.). In this example, the labels property cannot be used to describe these Malware subtypes. - lang - Identifies the language of the text content in this object. When present, it MUST be a language code conformant to [RFC5646]. If the property is not present, then the language of the content is en (English).\n\nThis property SHOULD be present if the object type contains translatable text properties (e.g. name, description). + lang + The lang property identifies the language of the text content in this object. When present, it MUST be a language code conformant to [RFC5646]. If the property is not present, then the language of the content is en (English). \n\n This property SHOULD be present if the object type contains translatable text properties (e.g. name, description). \n\n The language of individual fields in this object MAY be overridden by the lang property in granular markings (see section 7.2.3). - modified - Represents the date and time that this particular version of the object was last modified.\n\nThe object creator can use the time it deems most appropriate as the time this version of the object was modified. The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise.\n\nObject creators MUST set the modified property when creating a new version of an object if the created property was set. + modified + The modified property is only used by STIX Objects that support versioning and represents the time that this particular version of the object was last modified. \n\n The object creator can use the time it deems most appropriate as the time this version of the object was modified. 
The minimum precision MUST be milliseconds (three digits after the decimal place in seconds), but MAY be more precise. \n\n If the created property is defined, then the value of the modified property for a given object version MUST be later than or equal to the value of the created property. \n\n Object creators MUST set the modified property when creating a new version of an object if the created property was set. \n\n See section 3.6 for further definition of versioning. - name + name Specifies the name used to identity the entity. - - object_ref - Specifies a reference to a STIX Object that is referred to by this entity. - + + object_marking_refs + The object_marking_refs property specifies a list of id properties of marking-definition objects that apply to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings. + + + + + granular_markings + The granular_markings property specifies a list of granular markings applied to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings. + - - object_ref_id - Specifies the identifier of a STIX Object that is referred to by this entity. - - - - - object_refs_id - Specifies a list of identifiers of STIX Objects that are referred to by this entity. + + object_marking_refs_string + The object_marking_refs_string property specifies a list of id properties of marking-definition objects that apply to this object. 
\n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings. - revoked - Indicates whether the object has been revoked.\n\nRevoked objects are no longer considered valid by the object creator. Revoking an object is permanent; future versions of the object with this id MUST NOT be created. + revoked + The revoked property is only used by STIX Objects that support versioning and indicates whether the object has been revoked. \n\n Revoked objects are no longer considered valid by the object creator. Revoking an object is permanent; future versions of the object with this id MUST NOT be created. \n\n The default value of this property is false. \n\n See section 3.6 for further definition of versioning. - - sample_refs - Specifies a list of references to the Cyber Observable objects associated with this entity. - - - - - sample_refs_id - Specifies a list of identifiers to the Cyber Observable objects associated with this entity. - - - - spec_version - Identifies the version of the STIX specification used to represent this object. - - - - + spec_version + The version of the STIX specification used to represent this object. \n\n The value of this property MUST be 2.1 for STIX Objects defined according to this specification. \n\n If objects are found where this property is not present, the implicit value for all STIX Objects other than SCOs is 2.0. Since SCOs are now top-level objects in STIX 2.1, the default value for SCOs is 2.1. - type - Identifies the type of STIX Object. The value of the type property MUST be the name of one of the types of STIX Objectsor the name of a Custom Object. + type + The type property identifies the type of STIX Object. 
The value of the type property MUST be the name of one of the types of STIX Objects defined in sections 4, 5, 6, and 7 (e.g., indicator) or the name of a Custom Object as defined by section 11.2. diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index 3b04d38..62a4553 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl 
@@ -21,120 +21,120 @@ - external_reference - Used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + External Reference + External references are used to describe pointers to information represented outside of STIX. For example, a Malware object could use an external reference to indicate an ID for that malware in an external database or a report could use references to represent source material. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing external-reference. - Hash + Hash Represents a cryptographic hashes, as a special set of key/value pairs. - + - KeyValue - A key-value pair (KVP) is a set of two linked data items: a key, which is a unique identifier for some item of data, and the value, which is either the data that is identified or a pointer to the location of that data. The key MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. + + + + + + + + + + + + + Dictionary + A dictionary captures an arbitrary set of key/value pairs. Dictionary keys MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. \n\n Empty dictionaries are prohibited in STIX and MUST NOT be used as a substitute for omitting the property if it is optional. If the property is required, the dictionary MUST be present and MUST have at least one key-value pair. 
\n\n dictionary values MUST be valid property base types. - KillChainPhase - Represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. + + + + + + + + + + + + + Kill Chain Phase + The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing kill-chain-phase. - - MD5 Hash Value - Specifies the MD5 message digest algorithm. The corresponding hash string for this value MUST be a valid MD5 message digest as defined in [RFC1321]. - - - - - SHA-1 Hash Value - Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA-1 message digest as defined in [RFC3174]. - - - - - SHA-256 Hash Value - Specifies the SHA-256 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-256 message digest as defined in [RFC6234]. - - - - - SHA-512 Hash Value - Specifies the SHA-512 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-512 message digest as defined in [RFC6234]. - - - - - SHA3-256 Hash Value - Specifies the SHA3-256 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-256 message digest as defined in [FIPS202]. - - - - - SHA3-512 Hash Value - Specifies the SHA3-512 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-512 message digest as defined in [FIPS202]. - - - - - SSDEEP Hash Value - Specifies the ssdeep fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid piecewise hash as defined in the [SSDEEP] specification. - - - - - TLSH Hash Value - Specifies the TLSH fuzzy hashing algorithm. 
The corresponding hash string for this value MUST be a valid 35 byte long hash as defined in the [TLSH] specification. - - - - - description - Specifies a human readable description. - - - - external id + external_id An identifier for the external reference content. - external_references + external_references Specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. - hash_algorithm + hash_algorithm Represents the cryptographic hash algorithm used.\n\nThe name of the cryptographic hash algorithm used SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary. - hash_value + hash_value Represents the cryptographic hash value. - hashes - Specifies a set of hashes for the contents of the url. This SHOULD be provided when the url property is present. Dictionary keys MUST come from one of the entries listed in the hash-algorithm-ov open vocabulary. + hashes + Specifies a dictionary of hashes for the contents of the url. This SHOULD be provided when the url property is present. \n\n Dictionary keys MUST come from one of the entries listed in the hash-algorithm-ov open vocabulary. \n\n As stated in Section 2.7, to ensure interoperability, a SHA-256 hash SHOULD be included whenever possible. - key_identifier + key_identifier Specifies a unique identifer for some item of data. The key MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). A key identifier MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. - key_value + key_value A key value is the data that is associated with the key identified. The values MUST be valid property base types. 
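Review bot: The new `hash_algorithm` and `hashes` comments point consumers at hash-algorithm-ov and recommend SHA-256, but nothing warns that the MD5 and SHA-1 entries (whose per-value definitions this hunk removes) are kept for matching legacy indicators and are not collision-resistant, so a consumer cannot tell from the ontology that a match on those digests alone is weak evidence. I would append to the `hash_algorithm` comment: `MD5 and SHA-1 values are retained in hash-algorithm-ov for legacy indicator matching only; they are not collision-resistant, and a match on those digests alone is presumably not sufficient to establish file identity.` The hunk also carries forward two typos in the retained text, `Represents a cryptographic hashes` (Hash) and `unique identifer` (key_identifier), which are worth fixing while the comments are being rewritten. The `hash_algorithm` comment still says the value SHOULD come from hash-algorithm-ov although this file declares no import of the vocabulary ontology in this hunk; a later patch in this series adds that import, so only the wording point remains here.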
@@ -144,36 +144,38 @@ kill_chain_name - Specifies the name of the kill chain.\n\nThe value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators.@{en-US} - - - - - kill chain phases - Specifies the kill chain phase(s) to which this indicator corresponds. - - - - + The name of the kill chain. The value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators. phase_name - Specifies the name of the phase in the kill chain.\n\nThe value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators. + The name of the phase in the kill chain. The value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators. - + - source name - + source_name + The name of the source that the external-reference is defined within (system, registry, organization, etc.). - + + + description + A human readable description. + + + - url - Specifies a URL reference to an external resource - + url + A URL reference to an external resource [RFC3986]. + + + + + identifier + An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value. \n\n All identifiers, excluding those used in the deprecated Cyber Observable Container, MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID MUST be an RFC 4122-compliant UUID [RFC4122]. + \ No newline at end of file 
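Review bot: The rewritten `url` comment, `A URL reference to an external resource [RFC3986].`, drops the link between a producer-supplied URL and the means a consumer has to verify what it fetches, even though the `hashes` property of the same external-reference type (defined in the previous hunk) exists precisely to carry digests of that content and SHOULD be present whenever `url` is. I would extend the comment to `A URL reference to an external resource [RFC3986]. When url is present, the sibling hashes property SHOULD carry digests of the referenced content so that a consumer can verify retrieved material before relying on it.` The `identifier` comment states the `object-type--UUID` form and that the prefix is the exact `type` value, which is good; a one-line note that consumers are expected to validate that form on ingest rather than assume it would make the contract explicit, hedged as a reviewer suggestion since the spec text quoted here does not say so.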
diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl index bc9f0f9..a774ca8 100644 --- a/stix/core-objects/sco/email-message/email-message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl @@ -28,7 +28,7 @@ - + diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl index 4e16450..88beb84 100644 --- a/stix/core-objects/sco/file/file.owl +++ b/stix/core-objects/sco/file/file.owl @@ -189,7 +189,7 @@ - + @@ -231,7 +231,7 @@ - + @@ -641,7 +641,7 @@ document_info_dict Specifies details of the PDF document information dictionary (DID), which includes properties like the document creation data and producer, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the corresponding entry in the document information dictionary without the prepended forward slash, e.g., Title. The corresponding value for the key MUST be the value specified for the document information dictionary entry, as a string. - + @@ -653,7 +653,7 @@ exif_tags Specifies the set of EXIF tags found in the image file, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single EXIF tag. Accordingly, each dictionary key MUST be a case-preserved version of the EXIF tag name, e.g., XResolution. Each dictionary value MUST be either an integer (for int* EXIF datatypes) or a string (for all other EXIF datatypes). - + diff --git a/stix/core-objects/sco/network-traffic/network-traffic.owl b/stix/core-objects/sco/network-traffic/network-traffic.owl index 967fa2c..8cdc899 100644 --- a/stix/core-objects/sco/network-traffic/network-traffic.owl +++ b/stix/core-objects/sco/network-traffic/network-traffic.owl @@ -48,7 +48,7 @@ - + @@ -171,7 +171,7 @@ - + @@ -264,7 +264,7 @@ - + 
@@ -428,7 +428,7 @@ ipfix Specifies any IP Flow Information Export [IPFIX] data for the traffic, as a dictionary. Each key/value pair in the dictionary represents the name/value of a single IPFIX element. Accordingly, each dictionary key SHOULD be a case-preserved version of the IPFIX element name, e.g., octetDeltaCount. Each dictionary value MUST be either an integer or a string, as well as a valid IPFIX property. - + @@ -470,7 +470,7 @@ options Specifies any options (e.g., SO_*) that may be used by the socket, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the option name, e.g., SO_ACCEPTCONN. Each key value in the dictionary MUST be the value for the corresponding options key. Each dictionary value MUST be an integer. For SO_RCVTIMEO, SO_SNDTIMEO and SO_LINGER the value represents the number of milliseconds. If the SO_LINGER key is present, it indicates that the SO_LINGER option is active. - + @@ -482,7 +482,7 @@ request_header Specifies all of the HTTP header fields that may be found in the HTTP client request, as a dictionary. Each key in the dictionary MUST be the name of the header field and SHOULD preserve case, e.g., User-Agent. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. - + diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl index 94665b3..c9960e1 100644 --- a/stix/core-objects/sco/process/process.owl +++ b/stix/core-objects/sco/process/process.owl @@ -70,7 +70,7 @@ - + @@ -160,7 +160,7 @@ - + @@ -302,7 +302,7 @@ environment_variables Specifies the list of environment variables associated with the process as a dictionary. Each key in the dictionary MUST be a case preserved version of the name of the environment variable, and each corresponding value MUST be the environment variable value as a string. - + 
@@ -416,7 +416,7 @@ startup_info Specifies the STARTUP_INFO struct used by the process, as a dictionary. Each name/value pair in the struct MUST be represented as a key/value pair in the dictionary, where each key MUST be a case-preserved version of the original name. For example, given a name of "lpDesktop" the corresponding key would be lpDesktop. - + diff --git a/stix/meta-objects/data-marking/data-marking.owl b/stix/meta-objects/data-marking/data-marking.owl index 919831f..5b76855 100644 --- a/stix/meta-objects/data-marking/data-marking.owl +++ b/stix/meta-objects/data-marking/data-marking.owl @@ -23,6 +23,10 @@ Specifies how the marking-definition object referenced by the marking_ref property or a language specified by the lang property applies to a set of content identified by the list of selectors in the selectors property. + + + + Marking Definition diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index 0e3aebc..7499df0 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl 
@@ -16,7 +16,7 @@ STIX Vocabulary - STIX vocabularies that have type names ending in '-ov', are "open": they provide a listing of common and industry accepted terms as a guide to the user but do not limit the user to that defined list. These vocabularies are referenced from the STIX Objects as type open-vocab and have a statement indicating which vocabulary should be used. \n\n STIX vocabularies that have type names ending in '-enum' are "closed": the only valid values are those in the vocabulary. These vocabularies are referenced from the STIX Objects as type enum and have a statement indicating which enumeration must be used. + Some STIX properties are defined using open vocabularies or enumerations. Enumerations and open vocabularies are defined in STIX in order to enhance interoperability by increasing the likelihood that different entities use the same exact string to represent the same concept. If used consistently, open vocabularies make it less likely that one entity refers to the energy sector as "Energy" and another as "Energy Sector", thereby making comparison and correlation easier. \n\n While using predefined values from STIX vocabularies is strongly encouraged, in some cases this may not be feasible. To address this, producers are permitted to use values outside of the open vocabulary. In the case of enumerations, producers are required to use only the values defined within the STIX specification. \n\n STIX open vocabularies and enumerations are defined in section 10. Properties that are defined as open vocabularies identify a suggested vocabulary from that section. For example, the Threat Actor sophistication property, as defined in section 4.17, uses the Threat Actor Sophistication vocabulary as defined in section 10.25. 2.1.0 From 0ce0e3ef78ef395c128fd1fc376e8ff83679cb9b Mon Sep 17 00:00:00 2001 
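Review bot: The replacement comment for STIX Vocabulary loses the only statement of the naming convention that let a reader tell an open vocabulary from a closed one: the removed text said type names ending in `-ov` are open and those ending in `-enum` are closed, while the new text only describes the two kinds in general terms. Since the rest of this ontology refers to vocabularies by exactly those suffixed names (e.g. hash-algorithm-ov in data-types.owl), I would keep one sentence in the new comment: `Vocabulary type names ending in "-ov" are open and admit producer-defined values; those ending in "-enum" are closed and admit only the listed values.` The remaining spec-derived prose can stay as written.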
From: Mateusz Zych Date: Tue, 24 Jan 2023 16:20:40 +0100 Subject: [PATCH 34/70] Checked and fixed all datatypes and common properties. --- stix/core-objects/data-types.owl | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index 62a4553..c2d2490 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl @@ -57,6 +57,18 @@ + + + + + + + + + + + + Hash Represents a cryptographic hashes, as a special set of key/value pairs. @@ -65,13 +77,13 @@ - + - + @@ -112,7 +124,7 @@ hash_algorithm Represents the cryptographic hash algorithm used.\n\nThe name of the cryptographic hash algorithm used SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary. - + @@ -127,19 +139,20 @@ - - key_identifier + + dictionary_key Specifies a unique identifer for some item of data. The key MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). A key identifier MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. - - key_value + + dictionary_value A key value is the data that is associated with the key identified. The values MUST be valid property base types. + From d1671a6863067b5a3804df02e810a59717e7403a Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Tue, 24 Jan 2023 17:37:27 +0100 Subject: [PATCH 35/70] Added voacbulary import to datatype.owl --- stix/core-objects/data-types.owl | 1 + 1 file changed, 1 insertion(+) diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index c2d2490..6b4e673 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl @@ -16,6 +16,7 @@ + 2.1.0 From 844112b04011ffef3f3624eb507a1f360008591e Mon Sep 17 00:00:00 2001 
From: Mateusz Zych Date: Tue, 24 Jan 2023 21:33:39 +0100 Subject: [PATCH 36/70] Normalizing all files. --- stix/core-objects/common-properties.owl | 36 +++---- stix/core-objects/data-types.owl | 98 +++++++++---------- .../data-marking/data-marking.owl | 5 +- stix/vocabularies/vocabularies.owl | 2 +- 4 files changed, 69 insertions(+), 72 deletions(-) diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index c62918a..d747a5f 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl @@ -89,25 +89,25 @@ - - + + - + - - + + - + @@ -175,12 +175,6 @@ - - external_references - The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. - - - created_by_ref The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. \n\n If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. 
@@ -205,6 +199,18 @@ + + external_references + The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. + + + + + granular_markings + The granular_markings property specifies a list of granular markings applied to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings. + + + id The id property uniquely identifies this object. For objects that support versioning, all objects with the same id are considered different versions of the same object and the version of the object is identified by its modified property. @@ -240,12 +246,6 @@ The object_marking_refs property specifies a list of id properties of marking-definition objects that apply to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings. - - - granular_markings - The granular_markings property specifies a list of granular markings applied to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings. - - object_marking_refs_string 
diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index 6b4e673..9236ca0 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl @@ -20,14 +20,26 @@ 2.1.0 - + - + + + + + + + + Dictionary + A dictionary captures an arbitrary set of key/value pairs. Dictionary keys MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. \n\n Empty dictionaries are prohibited in STIX and MUST NOT be used as a substitute for omitting the property if it is optional. If the property is required, the dictionary MUST be present and MUST have at least one key-value pair. \n\n dictionary values MUST be valid property base types. + + + + @@ -36,7 +48,7 @@ - + @@ -48,7 +60,13 @@ - + + + + + + + @@ -74,24 +92,6 @@ Represents a cryptographic hashes, as a special set of key/value pairs. - - - - - - - - - - - - - - - Dictionary - A dictionary captures an arbitrary set of key/value pairs. Dictionary keys MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. \n\n Empty dictionaries are prohibited in STIX and MUST NOT be used as a substitute for omitting the property if it is optional. If the property is required, the dictionary MUST be present and MUST have at least one key-value pair. \n\n dictionary values MUST be valid property base types. - - 
@@ -110,6 +110,28 @@ The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing kill-chain-phase. + + description + A human readable description. + + + + + dictionary_key + Specifies a unique identifer for some item of data. The key MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). A key identifier MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. + + + + + dictionary_value + A key value is the data that is associated with the key identified. The values MUST be valid property base types. + + + + + + + external_id An identifier for the external reference content. 
@@ -140,20 +162,10 @@ - - dictionary_key - Specifies a unique identifer for some item of data. The key MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). A key identifier MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. - - - - - dictionary_value - A key value is the data that is associated with the key identified. The values MUST be valid property base types. - - - + + identifier + An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value. \n\n All identifiers, excluding those used in the deprecated Cyber Observable Container, MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID MUST be an RFC 4122-compliant UUID [RFC4122]. - 
@@ -167,29 +179,17 @@ The name of the phase in the kill chain. The value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators. - + source_name The name of the source that the external-reference is defined within (system, registry, organization, etc.). - - - description - A human readable description. - - - + url A URL reference to an external resource [RFC3986]. - - identifier - An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value. \n\n All identifiers, excluding those used in the deprecated Cyber Observable Container, MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID MUST be an RFC 4122-compliant UUID [RFC4122]. - - - \ No newline at end of file diff --git a/stix/meta-objects/data-marking/data-marking.owl b/stix/meta-objects/data-marking/data-marking.owl index 5b76855..324d241 100644 --- a/stix/meta-objects/data-marking/data-marking.owl +++ b/stix/meta-objects/data-marking/data-marking.owl @@ -19,14 +19,11 @@ + Granular Marking Specifies how the marking-definition object referenced by the marking_ref property or a language specified by the lang property applies to a set of content identified by the list of selectors in the selectors property. - - - - Marking Definition diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index 7499df0..07f3a70 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl 
@@ -16,7 +16,7 @@ STIX Vocabulary - Some STIX properties are defined using open vocabularies or enumerations. Enumerations and open vocabularies are defined in STIX in order to enhance interoperability by increasing the likelihood that different entities use the same exact string to represent the same concept. If used consistently, open vocabularies make it less likely that one entity refers to the energy sector as "Energy" and another as "Energy Sector", thereby making comparison and correlation easier. \n\n While using predefined values from STIX vocabularies is strongly encouraged, in some cases this may not be feasible. To address this, producers are permitted to use values outside of the open vocabulary. In the case of enumerations, producers are required to use only the values defined within the STIX specification. \n\n STIX open vocabularies and enumerations are defined in section 10. Properties that are defined as open vocabularies identify a suggested vocabulary from that section. For example, the Threat Actor sophistication property, as defined in section 4.17, uses the Threat Actor Sophistication vocabulary as defined in section 10.25. + Some STIX properties are defined using open vocabularies or enumerations. Enumerations and open vocabularies are defined in STIX in order to enhance interoperability by increasing the likelihood that different entities use the same exact string to represent the same concept. If used consistently, open vocabularies make it less likely that one entity refers to the energy sector as "Energy" and another as "Energy Sector", thereby making comparison and correlation easier. \n\n While using predefined values from STIX vocabularies is strongly encouraged, in some cases this may not be feasible. To address this, producers are permitted to use values outside of the open vocabulary. In the case of enumerations, producers are required to use only the values defined within the STIX specification. 
\n\n STIX open vocabularies and enumerations are defined in section 10. Properties that are defined as open vocabularies identify a suggested vocabulary from that section. For example, the Threat Actor sophistication property, as defined in section 4.17, uses the Threat Actor Sophistication vocabulary as defined in section 10.25. 2.1.0 From 9f28025b2d12d3ce2755106d22bfd9286a43f3d6 Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Tue, 24 Jan 2023 22:24:49 +0100 Subject: [PATCH 37/70] Checked all meta objects. Added missing properties and class definitions. Added bundle.owl --- stix/bundle-object/bundle.fowl | 0 stix/bundle-object/bundle.owl | 75 +++++++++++++ stix/core-objects/common-properties.owl | 2 +- .../data-marking/data-marking.owl | 102 +++++++++++++----- .../extension-definition.owl | 50 +++++++-- .../language-content/language-content.owl | 46 +++++++- 6 files changed, 235 insertions(+), 40 deletions(-) delete mode 100644 stix/bundle-object/bundle.fowl create mode 100644 stix/bundle-object/bundle.owl diff --git a/stix/bundle-object/bundle.fowl b/stix/bundle-object/bundle.fowl deleted file mode 100644 index e69de29..0000000 diff --git a/stix/bundle-object/bundle.owl b/stix/bundle-object/bundle.owl new file mode 100644 index 0000000..d8a4775 --- /dev/null +++ b/stix/bundle-object/bundle.owl 
@@ -0,0 +1,75 @@ + + + + + + +]> + + + + + 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + STIX Bundle Object + A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and the objects contained within the Bundle are not considered related by virtue of being in the same Bundle. \n\n A STIX Bundle Object is not a STIX Object but makes use of the type and id Common Properties. A Bundle is transient, and implementations SHOULD NOT assume that other implementations will treat it as a persistent object or keep any custom properties found on the bundle itself. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing bundle. + + + + type + The type property identifies the type of object. The value of this property MUST be bundle. + + + + + id + An identifier for this Bundle. The id property for the Bundle is designed to help tools that may need it for processing, however, tools are not required to store or track it. Tools that consume STIX should not rely on the ability to refer to bundles by ID. + + + + + id_string + An identifier for this Bundle. The id property for the Bundle is designed to help tools that may need it for processing, however, tools are not required to store or track it. Tools that consume STIX should not rely on the ability to refer to bundles by ID. + + + + + objects + Specifies a set of one or more STIX Objects. Objects in this list MUST be a STIX Object. + + + + \ No newline at end of file diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index c62918a..edb8683 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl @@ -102,7 +102,7 @@ - + diff --git a/stix/meta-objects/data-marking/data-marking.owl b/stix/meta-objects/data-marking/data-marking.owl index 5b76855..207d3de 100644 --- a/stix/meta-objects/data-marking/data-marking.owl 
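Review bot: The new `id_string` property carries the same rdfs:comment as `id`, so the generated documentation gives no way to tell the two apart; the string-valued variant should state what it is, e.g. `The identifier of this Bundle carried as a string literal rather than as an object reference; see id for its meaning.` The same verbatim duplication appears in this patch's language-content.owl hunk (`@@ -16,25 +16,61 @@`) for `object_ref` and `object_ref_string`. Where the string variant is meant to hold a STIX identifier, naming the expected `object-type--UUID` form in its comment lets a consumer check the literal before resolving it.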
+++ b/stix/meta-objects/data-marking/data-marking.owl 
@@ -15,34 +15,87 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> + 2.1.0 - Granular Marking - Specifies how the marking-definition object referenced by the marking_ref property or a language specified by the lang property applies to a set of content identified by the list of selectors in the selectors property. + + + + + + + + + + + + + + + + + + + + + + + + + + Granular Marking Type + The granular-marking type defines how the marking-definition object referenced by the marking_ref property or a language specified by the lang property applies to a set of content identified by the list of selectors in the selectors property. - - - - + + + + + + + + + + + + + + + + + + + Marking Definition Represents a specific marking. Data markings typically represent handling or sharing requirements for data and are applied in the object_marking_refs and granular_markings properties on Objects. - Statement Marking - The Statement marking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition.@[en-US} + + + + + + + Statement Marking Object Type + The Statement marking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition. The value of the definition_type property MUST be statement when using this marking type. Statement markings are generally not machine-readable, and this specification does not define any behavior or actions based on their values. \n\n Content may be marked with multiple statements of use. In other words, the same content can be marked both with a statement saying "Copyright 2019" and a statement saying, "Terms of use are ..." and both statements apply. - TLP Marking - Represent a Traffic Light Protocol (TLP) marking in a definition property. The value of the definition_type property MUST be tlp when using this marking type. 
+ + + + + + + TLP Marking Object Type + The TLP marking type defines how you would represent a Traffic Light Protocol (TLP) marking in a definition property. The value of the definition_type property MUST be tlp when using this marking type. @@ -65,10 +118,11 @@ - - granular_markings - Specifies a list of granular markings applied to this object.\n\nIn some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). - + + definition + Specifies a reference to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present.@[en-US} + + 
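Review bot: The rdfs:comment added for the new `definition` property describes `marking_ref` — a reference to a marking-definition object whose presence is tied to `lang` — rather than the `definition` property of a Marking Definition, which holds the marking object itself; it also ends with the literal text `@[en-US}`, apparently a malformed language tag that landed inside the string, the same artifact this patch removes from the Statement Marking comment in the hunk above. Suggest `The definition property contains the marking object itself (e.g., a TLP marking, a Statement marking, or some other marking definition defined elsewhere).` with no `@[en-US}` suffix. PATCH 40 moves this comment unchanged in its data-marking.owl hunk `@@ -98,6 +98,13 @@`, so the fix applies there as well.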
@@ -77,24 +131,18 @@ - - marking_ref_id + + marking_ref_string Specifies an identifier to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present. - - object_marking_refs - Specifies a list of references to marking-definition objects that apply to this object.\n\nIn some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). - - - - - object marking_refs_id - Specifies a list of identifiers to marking-definition objects that apply to this object.\n\nIn some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). + + name + A name used to identify the Marking Definition. - + selectors Specifies a list of selectors for content contained within the Object in which this property appears.\n\nThe marking-definition referenced in the marking_ref property is applied to the content selected by the selectors in this list.\n\nThe [RFC5646] language code specified by the lang property is applied to the content selected by the selectors in this list. @@ -109,7 +157,7 @@ tlp - Specifies the TLP level [TLP] of the content marked by this marking definition. + The TLP level [TLP] of the content marked by this marking definition. diff --git a/stix/meta-objects/extension-definition/extension-definition.owl b/stix/meta-objects/extension-definition/extension-definition.owl index bd0d54d..ffa1f8a 100644 --- a/stix/meta-objects/extension-definition/extension-definition.owl +++ b/stix/meta-objects/extension-definition/extension-definition.owl 
@@ -14,7 +14,6 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - 2.1.0 @@ -23,13 +22,13 @@ - + - + 
@@ -39,19 +38,56 @@ + + + + + + + + + + + + + + + + + + Extension Definition + The STIX Extension Definition object allows producers of threat intelligence to extend existing STIX objects or to create entirely new STIX objects in a standardized way. This object contains detailed information about the extension and any additional properties and or objects that it defines. This extension mechanism MUST NOT be used to redefine existing standardized objects or properties. + + description + A detailed explanation of what data the extension conveys and how it is intended to be used. \n\n While the description property is optional this property SHOULD be populated. \n\n Note that the schema property is the normative definition of the extension, and this property, if present, is for documentation purposes only. + + + + + schema + The normative definition of the extension, either as a URL or as plain text explaining the definition. \n\n A URL SHOULD point to a JSON schema or a location that contains information about the schema. \n\n NOTE: It is recommended that an external reference be provided to the comprehensive documentation of the extension-definition. + + + + + version + The version of this extension. Producers of STIX extensions are encouraged to follow standard semantic versioning procedures where the version number follows the pattern, MAJOR.MINOR.PATCH. This will allow consumers to distinguish between the three different levels of compatibility typically identified by such versioning strings. \n\n As with all STIX Objects, changing a STIX extension definition could involve STIX versioning. See section 3.6.2 for more information on versioning an object versus creating a new one. + + + extension_properties - This property contains the list of new property names that are added to an object by an extension.\n\nThis property MUST only be used when the extension_types property includes a value of toplevel-property-extension. 
In other words, when new properties are being added at the top-level of an existing object + This property contains the list of new property names that are added to an object by an extension. \n\n This property MUST only be used when the extension_types property includes a value of toplevel-property-extension. In other words, when new properties are being added at the top-level of an existing object. - extension types - This property specifies one or more extension types contained within this extension.\n\nThe values for this property MUST come from the extension-type-enum enumeration.\n\nWhen this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. - + extension_types + This property specifies one or more extension types contained within this extension. \n\n The values for this property MUST come from the extension-type-enum enumeration. \n\n When this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. + \ No newline at end of file diff --git a/stix/meta-objects/language-content/language-content.owl b/stix/meta-objects/language-content/language-content.owl index cbea089..2204eca 100644 --- a/stix/meta-objects/language-content/language-content.owl +++ b/stix/meta-objects/language-content/language-content.owl 
@@ -16,25 +16,61 @@ - 2.1.0 - LanguageContent - The Language Content object represents text content for STIX Objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation.\n\nFor each key in the nested dictionary:\n * If the original property is a string, the corresponding property in the language content object MUST contain a string with the content for that property in the language of the top-level key\n. * If the original property is a list, the corresponding property in the translation object must also be a list. Each item in this list recursively maps to the item at the same position in the list contained in the target object. The lists MUST have the same length.\n * In the event that translations are only provided for some list items, the untranslated list items MUST be represented by an empty string (""). This indicates to a consumer of the Language Content object that they should interpolate the translated list items in the Language Content object with the corresponding (untranslated) list items from the original object as indicated by the object_ref property.\n * If the original property is an object (including dictionaries), the corresponding location in the translation object must also be an object. Each key/value field in this object recursively maps to the object with the same key in the original. + + + + + + + + + + + + + + + + + + + + + + + + + Language Content + The Language Content object represents text content for STIX Objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation. 
\n\n Language Content contains two important sets of properties: \n\n The object_ref and object_modified properties specify the target object that the language content applies to. \n\n For example, to provide additional language content for a Campaign, the object_ref property should be set to the id of the Campaign and the object_modified property set to its modified time. Most relationships in STIX are not specific to a particular version of a STIX object, but because language content provides the translation of specific text, the object_modified property is necessary to provide that specificity. \n\n The content property is a dictionary which maps to properties in the target object in order to provide a translation of them. contents - Specifies the contains the actual Language Content (translation).\n\nThe keys in the dictionary MUST be RFC 5646 language codes for which language content is being provided [RFC5646]. The values each consist of a dictionary that mirrors the properties in the target object (identified by object_ref and object_modified). For example, to provide a translation of the name property on the target object the key in the dictionary would be name. + The contents property contains the actual Language Content (translation). \n\n The keys in the dictionary MUST be RFC 5646 language codes for which language content is being provided [RFC5646]. The values each consist of a dictionary that mirrors the properties in the target object (identified by object_ref and object_modified). For example, to provide a translation of the name property on the target object the key in the dictionary would be name. \n\n For each key in the nested dictionary: \n\n If the original property is a string, the corresponding property in the language content object MUST contain a string with the content for that property in the language of the top-level key. \n\n If the original property is a list, the corresponding property in the translation object must also be a list. 
Each item in this list recursively maps to the item at the same position in the list contained in the target object. The lists MUST have the same length. \n\n In the event that translations are only provided for some list items, the untranslated list items MUST be represented by an empty string (""). This indicates to a consumer of the Language Content object that they should interpolate the translated list items in the Language Content object with the corresponding (untranslated) list items from the original object as indicated by the object_ref property. \n\n If the original property is an object (including dictionaries), the corresponding location in the translation object must also be an object. Each key/value field in this object recursively maps to the object with the same key in the original. \n\n The translation object MAY contain only a subset of the translatable fields of the original. Keys that point to non-translatable properties in the target or to properties that do not exist in the target object MUST be ignored. + object_modified - Identifies the modified data and time of the object that this Language Content applies to. It MUST be an exact match for the modified time of the STIX Object being referenced. + The object_modified property identifies the modified time of the object that this Language Content applies to. It MUST be an exact match for the modified time of the STIX Object being referenced. + + object_ref + The object_ref property identifies the id of the object that this Language Content applies to. It MUST be the identifier for a STIX Object. + + + + + object_ref_string + The object_ref property identifies the id of the object that this Language Content applies to. It MUST be the identifier for a STIX Object. + + + \ No newline at end of file From 1d171c165af54fb63c033eb13d82acd0c66a8099 Mon Sep 17 00:00:00 2001 
From: Mateusz Zych Date: Tue, 24 Jan 2023 22:40:44 +0100 Subject: [PATCH 38/70] Checked imports. --- stix/core-objects/common-properties.owl | 3 ++- stix/core-objects/data-types.owl | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index edb8683..ffe74ce 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl @@ -16,6 +16,7 @@ + 2.1.0 @@ -208,7 +209,7 @@ id The id property uniquely identifies this object. For objects that support versioning, all objects with the same id are considered different versions of the same object and the version of the object is identified by its modified property. - + diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index 6b4e673..41e1483 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl @@ -15,7 +15,6 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - 2.1.0 From e722fdefdf48db0e23437c90301429611aa4cd27 Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Tue, 24 Jan 2023 23:02:30 +0100 Subject: [PATCH 39/70] Valitated through protege. --- stix/catalog-v001.xml | 98 ++++++++++--------- stix/core-objects/data-types.owl | 15 +-- stix/core-objects/sco/file/file.owl | 2 +- stix/core-objects/sdo/grouping/grouping.owl | 2 +- .../sdo/intrusion-set/intrusion-set.owl | 4 +- .../data-marking/data-marking.owl | 6 +- .../language-content/language-content.owl | 4 +- stix/stix.owl | 3 +- 8 files changed, 69 insertions(+), 65 deletions(-) diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml index f2fcf6e..c5a095c 100644 --- a/stix/catalog-v001.xml +++ b/stix/catalog-v001.xml @@ -1,55 +1,57 @@ + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index 41e1483..e1a234c 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl @@ -108,6 +108,13 @@ Kill Chain Phase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing kill-chain-phase. + + + + identifier + An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value. \n\n All identifiers, excluding those used in the deprecated Cyber Observable Container, MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID MUST be an RFC 4122-compliant UUID [RFC4122]. + + external_id @@ -124,7 +131,7 @@ hash_algorithm Represents the cryptographic hash algorithm used.\n\nThe name of the cryptographic hash algorithm used SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary. - + 
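Review bot: The `identifier` datatype moved into hunk `@@ -108,6 +108,13 @@` documents the required `object-type--UUID` form only in its rdfs:comment; nothing in the hunk as rendered here (the XML tags are stripped) shows a lexical restriction on the datatype, so one may already exist. If it does not, declaring the datatype as a restriction of `xsd:string` with an `xsd:pattern` facet for that form would let a reasoner reject malformed identifiers instead of leaving every consumer to validate the literal before it resolves a reference. The same datatype is moved again by PATCH 40 (`@@ -146,22 +161,13 @@` in data-types.owl); whichever position wins, the restriction belongs with it.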
@@ -185,10 +192,4 @@ - - identifier - An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value. \n\n All identifiers, excluding those used in the deprecated Cyber Observable Container, MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID MUST be an RFC 4122-compliant UUID [RFC4122]. - - - \ No newline at end of file diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl index 88beb84..56e767f 100644 --- a/stix/core-objects/sco/file/file.owl +++ b/stix/core-objects/sco/file/file.owl @@ -519,7 +519,7 @@ - + diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl index e3c3f6c..5fdec64 100644 --- a/stix/core-objects/sdo/grouping/grouping.owl +++ b/stix/core-objects/sdo/grouping/grouping.owl @@ -58,7 +58,7 @@ context A short descriptor of the particular context shared by the content referenced by the Grouping. The value for this property SHOULD come from the grouping-context-ov open vocabulary. - + diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index 98c1475..b0b6d84 100644 --- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl 
@@ -119,7 +119,7 @@ primary_motivation The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - + @@ -131,7 +131,7 @@ secondary_motivations The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - + \ No newline at end of file diff --git a/stix/meta-objects/data-marking/data-marking.owl b/stix/meta-objects/data-marking/data-marking.owl index 207d3de..f7df167 100644 --- a/stix/meta-objects/data-marking/data-marking.owl +++ b/stix/meta-objects/data-marking/data-marking.owl @@ -6,15 +6,15 @@ ]> - - + 2.1.0 diff --git a/stix/meta-objects/language-content/language-content.owl b/stix/meta-objects/language-content/language-content.owl index 2204eca..cdec893 100644 --- a/stix/meta-objects/language-content/language-content.owl +++ b/stix/meta-objects/language-content/language-content.owl @@ -42,7 +42,7 @@ - + Language Content 
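Review bot: In both intrusion-set.owl hunks (`@@ -119,7 +119,7 @@` and `@@ -131,7 +131,7 @@`) the rdfs:comment under `primary_motivation` and `secondary_motivations` is the `first_seen` description ("The time that this Intrusion Set was first seen…"), so the documentation generated for the motivation properties is wrong; these lines are context here, so the defect predates the commit, but the commit touches the property and leaves it in place. Suggest `The primary reason, motivation, or purpose behind this Intrusion Set. The motivation is why the Intrusion Set wishes to achieve the goal (what they are trying to achieve).` for the first and `The secondary reasons, motivations, or purposes behind this Intrusion Set. These motivations can exist as an equal or near-equal cause to the primary motivation.` for the second. What the hunks' own `- +` lines change cannot be told from this rendering, where the XML tags are stripped.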
@@ -52,7 +52,7 @@ contents The contents property contains the actual Language Content (translation). \n\n The keys in the dictionary MUST be RFC 5646 language codes for which language content is being provided [RFC5646]. The values each consist of a dictionary that mirrors the properties in the target object (identified by object_ref and object_modified). For example, to provide a translation of the name property on the target object the key in the dictionary would be name. \n\n For each key in the nested dictionary: \n\n If the original property is a string, the corresponding property in the language content object MUST contain a string with the content for that property in the language of the top-level key. \n\n If the original property is a list, the corresponding property in the translation object must also be a list. Each item in this list recursively maps to the item at the same position in the list contained in the target object. The lists MUST have the same length. \n\n In the event that translations are only provided for some list items, the untranslated list items MUST be represented by an empty string (""). This indicates to a consumer of the Language Content object that they should interpolate the translated list items in the Language Content object with the corresponding (untranslated) list items from the original object as indicated by the object_ref property. \n\n If the original property is an object (including dictionaries), the corresponding location in the translation object must also be an object. Each key/value field in this object recursively maps to the object with the same key in the original. \n\n The translation object MAY contain only a subset of the translatable fields of the original. Keys that point to non-translatable properties in the target or to properties that do not exist in the target object MUST be ignored. - + diff --git a/stix/stix.owl b/stix/stix.owl index 37a391c..d182111 100644 --- a/stix/stix.owl +++ b/stix/stix.owl 
@@ -16,13 +16,14 @@ This ontology is the master ontology for the STIX 2.1.0. It imports all the various STIX ontologies files to create an unified ontology based on the various component ontologies that make up STIX. - + + From 47c26b2b8b85a7a286a60830e6cbbd6c3e0659c2 Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Tue, 24 Jan 2023 23:03:48 +0100 Subject: [PATCH 40/70] Normalizing all files --- stix/bundle-object/bundle.owl | 26 ++--- stix/core-objects/common-properties.owl | 38 ++++---- stix/core-objects/data-types.owl | 96 +++++++++---------- .../data-marking/data-marking.owl | 28 +++--- .../extension-definition.owl | 40 ++++---- .../language-content/language-content.owl | 20 ++-- stix/vocabularies/vocabularies.owl | 2 +- 7 files changed, 125 insertions(+), 125 deletions(-) diff --git a/stix/bundle-object/bundle.owl b/stix/bundle-object/bundle.owl index d8a4775..361212e 100644 --- a/stix/bundle-object/bundle.owl +++ b/stix/bundle-object/bundle.owl @@ -20,12 +20,6 @@ - - - - - - 
@@ -44,22 +38,22 @@ + + + + + + STIX Bundle Object A Bundle is a collection of arbitrary STIX Objects grouped together in a single container. A Bundle does not have any semantic meaning and the objects contained within the Bundle are not considered related by virtue of being in the same Bundle. \n\n A STIX Bundle Object is not a STIX Object but makes use of the type and id Common Properties. A Bundle is transient, and implementations SHOULD NOT assume that other implementations will treat it as a persistent object or keep any custom properties found on the bundle itself. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing bundle. - - type - The type property identifies the type of object. The value of this property MUST be bundle. - - - id An identifier for this Bundle. The id property for the Bundle is designed to help tools that may need it for processing, however, tools are not required to store or track it. Tools that consume STIX should not rely on the ability to refer to bundles by ID. - + id_string An identifier for this Bundle. The id property for the Bundle is designed to help tools that may need it for processing, however, tools are not required to store or track it. Tools that consume STIX should not rely on the ability to refer to bundles by ID. @@ -71,5 +65,11 @@ Specifies a set of one or more STIX Objects. Objects in this list MUST be a STIX Object. + + + type + The type property identifies the type of object. The value of this property MUST be bundle. + + \ No newline at end of file diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index ffe74ce..67943ff 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl @@ -15,8 +15,8 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - + 2.1.0 @@ -90,25 +90,25 @@ - - + + - + - - + + - + 
@@ -176,12 +176,6 @@ - - external_references - The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. - - - created_by_ref The created_by_ref property specifies the id property of the identity object that describes the entity that created this object. \n\n If this attribute is omitted, the source of this information is undefined. This may be used by object creators who wish to remain anonymous. @@ -206,6 +200,18 @@ + + external_references + The external_references property specifies a list of external references which refers to non-STIX information. This property is used to provide one or more URLs, descriptions, or IDs to records in other systems. + + + + + granular_markings + The granular_markings property specifies a list of granular markings applied to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings. + + + id The id property uniquely identifies this object. For objects that support versioning, all objects with the same id are considered different versions of the same object and the version of the object is identified by its modified property. 
@@ -241,12 +247,6 @@ The object_marking_refs property specifies a list of id properties of marking-definition objects that apply to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings. - - - granular_markings - The granular_markings property specifies a list of granular markings applied to this object. \n\n In some cases, though uncommon, marking definitions themselves may be marked with sharing or handling guidance. In this case, this property MUST NOT contain any references to the same Marking Definition object (i.e., it cannot contain any circular references). \n\n See section 7.2 for further definition of data markings. - - object_marking_refs_string diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index e1a234c..a9619f3 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl @@ -19,14 +19,26 @@ 2.1.0 - + - + + + + + + + + Dictionary + A dictionary captures an arbitrary set of key/value pairs. Dictionary keys MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. \n\n Empty dictionaries are prohibited in STIX and MUST NOT be used as a substitute for omitting the property if it is optional. If the property is required, the dictionary MUST be present and MUST have at least one key-value pair. \n\n dictionary values MUST be valid property base types. + + + + @@ -35,7 +47,7 @@ - + @@ -47,7 +59,13 @@ - + + + + + + + 
@@ -73,24 +91,6 @@ Represents a cryptographic hashes, as a special set of key/value pairs. - - - - - - - - - - - - - - - Dictionary - A dictionary captures an arbitrary set of key/value pairs. Dictionary keys MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. \n\n Empty dictionaries are prohibited in STIX and MUST NOT be used as a substitute for omitting the property if it is optional. If the property is required, the dictionary MUST be present and MUST have at least one key-value pair. \n\n dictionary values MUST be valid property base types. - - 
@@ -108,11 +108,26 @@ Kill Chain Phase The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing kill-chain-phase. - - - - identifier - An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value. \n\n All identifiers, excluding those used in the deprecated Cyber Observable Container, MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID MUST be an RFC 4122-compliant UUID [RFC4122]. + + + description + A human readable description. + + + + + dictionary_key + Specifies a unique identifer for some item of data. The key MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). A key identifier MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. + + + + + dictionary_value + A key value is the data that is associated with the key identified. The values MUST be valid property base types. + + + + 
@@ -146,22 +161,13 @@ - - dictionary_key - Specifies a unique identifer for some item of data. The key MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). A key identifier MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. + + + identifier + An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value. \n\n All identifiers, excluding those used in the deprecated Cyber Observable Container, MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID MUST be an RFC 4122-compliant UUID [RFC4122]. - - dictionary_value - A key value is the data that is associated with the key identified. The values MUST be valid property base types. - - - - - - - kill_chain_name The name of the kill chain. The value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators. @@ -173,19 +179,13 @@ The name of the phase in the kill chain. The value of this property SHOULD be all lowercase and SHOULD use hyphens instead of spaces or underscores as word separators. - + source_name The name of the source that the external-reference is defined within (system, registry, organization, etc.). - - - description - A human readable description. - - - + url A URL reference to an external resource [RFC3986]. diff --git a/stix/meta-objects/data-marking/data-marking.owl b/stix/meta-objects/data-marking/data-marking.owl index f7df167..b5c3052 100644 --- a/stix/meta-objects/data-marking/data-marking.owl 
+++ b/stix/meta-objects/data-marking/data-marking.owl @@ -53,8 +53,9 @@ - - + + + @@ -65,9 +66,8 @@ - - - + + Marking Definition @@ -83,7 +83,7 @@ Statement Marking Object Type - The Statement marking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition. The value of the definition_type property MUST be statement when using this marking type. Statement markings are generally not machine-readable, and this specification does not define any behavior or actions based on their values. \n\n Content may be marked with multiple statements of use. In other words, the same content can be marked both with a statement saying "Copyright 2019" and a statement saying, "Terms of use are ..." and both statements apply. + The Statement marking type defines the representation of a textual marking statement (e.g., copyright, terms of use, etc.) in a definition. The value of the definition_type property MUST be statement when using this marking type. Statement markings are generally not machine-readable, and this specification does not define any behavior or actions based on their values. \n\n Content may be marked with multiple statements of use. In other words, the same content can be marked both with a statement saying "Copyright 2019" and a statement saying, "Terms of use are ..." and both statements apply. @@ -98,6 +98,13 @@ The TLP marking type defines how you would represent a Traffic Light Protocol (TLP) marking in a definition property. The value of the definition_type property MUST be tlp when using this marking type. + + definition + Specifies a reference to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present.@[en-US} + + + + definition_type Specifies the type of Marking Definition. 
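Review bot: The new `definition` property in the `@@ -98,6 +98,13 @@` hunk reuses the `marking_ref` comment word for word, including the rule that it MUST be absent when `lang` is present, which describes the granular-marking `marking_ref` rather than the marking-definition's `definition`; in STIX 2.1 `definition` holds the marking object itself. Suggested comment: `The definition property contains the marking object itself (e.g., a TLP marking or a Statement marking).` The trailing `@[en-US}` on both comments looks like a mangled language tag; if a language is wanted, `xml:lang="en-US"` on the element is the usual form. Markup is stripped here, so the exact element cannot be confirmed.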
@@ -118,13 +125,6 @@ - - definition - Specifies a reference to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present.@[en-US} - - - - marking_ref Specifies a reference to the marking-definition object that describes the marking.\n\nIf the lang property is not present, this property MUST be present. If the lang property is present, this property MUST NOT be present.@[en-US} @@ -142,7 +142,7 @@ A name used to identify the Marking Definition. - + selectors Specifies a list of selectors for content contained within the Object in which this property appears.\n\nThe marking-definition referenced in the marking_ref property is applied to the content selected by the selectors in this list.\n\nThe [RFC5646] language code specified by the lang property is applied to the content selected by the selectors in this list. diff --git a/stix/meta-objects/extension-definition/extension-definition.owl b/stix/meta-objects/extension-definition/extension-definition.owl index ffa1f8a..2f05a4e 100644 --- a/stix/meta-objects/extension-definition/extension-definition.owl +++ b/stix/meta-objects/extension-definition/extension-definition.owl @@ -22,37 +22,37 @@ - + - + - - + + - + - - + + - + 
@@ -66,18 +66,6 @@ - - schema - The normative definition of the extension, either as a URL or as plain text explaining the definition. \n\n A URL SHOULD point to a JSON schema or a location that contains information about the schema. \n\n NOTE: It is recommended that an external reference be provided to the comprehensive documentation of the extension-definition. - - - - - version - The version of this extension. Producers of STIX extensions are encouraged to follow standard semantic versioning procedures where the version number follows the pattern, MAJOR.MINOR.PATCH. This will allow consumers to distinguish between the three different levels of compatibility typically identified by such versioning strings. \n\n As with all STIX Objects, changing a STIX extension definition could involve STIX versioning. See section 3.6.2 for more information on versioning an object versus creating a new one. - - - extension_properties This property contains the list of new property names that are added to an object by an extension. \n\n This property MUST only be used when the extension_types property includes a value of toplevel-property-extension. In other words, when new properties are being added at the top-level of an existing object. 
@@ -89,5 +77,17 @@ This property specifies one or more extension types contained within this extension. \n\n The values for this property MUST come from the extension-type-enum enumeration. \n\n When this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. + + + schema + The normative definition of the extension, either as a URL or as plain text explaining the definition. \n\n A URL SHOULD point to a JSON schema or a location that contains information about the schema. \n\n NOTE: It is recommended that an external reference be provided to the comprehensive documentation of the extension-definition. + + + + + version + The version of this extension. Producers of STIX extensions are encouraged to follow standard semantic versioning procedures where the version number follows the pattern, MAJOR.MINOR.PATCH. This will allow consumers to distinguish between the three different levels of compatibility typically identified by such versioning strings. \n\n As with all STIX Objects, changing a STIX extension definition could involve STIX versioning. See section 3.6.2 for more information on versioning an object versus creating a new one. + + \ No newline at end of file diff --git a/stix/meta-objects/language-content/language-content.owl b/stix/meta-objects/language-content/language-content.owl index cdec893..aea40de 100644 --- a/stix/meta-objects/language-content/language-content.owl +++ b/stix/meta-objects/language-content/language-content.owl @@ -23,26 +23,26 @@ - - + + - - + + - - + + - - + + Language Content 
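Review bot: After moving `schema` and `version` to the end of extension-definition.owl, the new side ends with `\ No newline at end of file`, so the file's closing element now has no trailing newline; adding one keeps future end-of-file hunks clean. The moved blocks themselves appear identical to the text removed in the `@@ -66,18 +66,6 @@` hunk above.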
@@ -51,7 +51,7 @@ contents - The contents property contains the actual Language Content (translation). \n\n The keys in the dictionary MUST be RFC 5646 language codes for which language content is being provided [RFC5646]. The values each consist of a dictionary that mirrors the properties in the target object (identified by object_ref and object_modified). For example, to provide a translation of the name property on the target object the key in the dictionary would be name. \n\n For each key in the nested dictionary: \n\n If the original property is a string, the corresponding property in the language content object MUST contain a string with the content for that property in the language of the top-level key. \n\n If the original property is a list, the corresponding property in the translation object must also be a list. Each item in this list recursively maps to the item at the same position in the list contained in the target object. The lists MUST have the same length. \n\n In the event that translations are only provided for some list items, the untranslated list items MUST be represented by an empty string (""). This indicates to a consumer of the Language Content object that they should interpolate the translated list items in the Language Content object with the corresponding (untranslated) list items from the original object as indicated by the object_ref property. \n\n If the original property is an object (including dictionaries), the corresponding location in the translation object must also be an object. Each key/value field in this object recursively maps to the object with the same key in the original. \n\n The translation object MAY contain only a subset of the translatable fields of the original. Keys that point to non-translatable properties in the target or to properties that do not exist in the target object MUST be ignored. + The contents property contains the actual Language Content (translation). 
\n\n The keys in the dictionary MUST be RFC 5646 language codes for which language content is being provided [RFC5646]. The values each consist of a dictionary that mirrors the properties in the target object (identified by object_ref and object_modified). For example, to provide a translation of the name property on the target object the key in the dictionary would be name. \n\n For each key in the nested dictionary: \n\n If the original property is a string, the corresponding property in the language content object MUST contain a string with the content for that property in the language of the top-level key. \n\n If the original property is a list, the corresponding property in the translation object must also be a list. Each item in this list recursively maps to the item at the same position in the list contained in the target object. The lists MUST have the same length. \n\n In the event that translations are only provided for some list items, the untranslated list items MUST be represented by an empty string (""). This indicates to a consumer of the Language Content object that they should interpolate the translated list items in the Language Content object with the corresponding (untranslated) list items from the original object as indicated by the object_ref property. \n\n If the original property is an object (including dictionaries), the corresponding location in the translation object must also be an object. Each key/value field in this object recursively maps to the object with the same key in the original. \n\n The translation object MAY contain only a subset of the translatable fields of the original. Keys that point to non-translatable properties in the target or to properties that do not exist in the target object MUST be ignored. 
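Review bot: The only visible difference in the `contents` comment is a physical line break inserted after `(translation).`, while every other paragraph break in the same literal is the escaped `\n\n` sequence; the same happens to the `STIX Vocabulary` comment in the vocabularies.owl `@@ -16,7 +16,7 @@` hunk below. Mixing a raw newline with the `\n\n` convention gives downstream renderers two different separators to handle; keep one form, e.g. `… (translation). \n\n The keys in the dictionary …` on a single line. If the change was meant to be whitespace-only, that is not visible here because the markup is stripped.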
@@ -60,7 +60,7 @@ The object_modified property identifies the modified time of the object that this Language Content applies to. It MUST be an exact match for the modified time of the STIX Object being referenced. - + object_ref The object_ref property identifies the id of the object that this Language Content applies to. It MUST be the identifier for a STIX Object.
diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl
index 7499df0..07f3a70 100644
--- a/stix/vocabularies/vocabularies.owl
+++ b/stix/vocabularies/vocabularies.owl
@@ -16,7 +16,7 @@ STIX Vocabulary - Some STIX properties are defined using open vocabularies or enumerations. Enumerations and open vocabularies are defined in STIX in order to enhance interoperability by increasing the likelihood that different entities use the same exact string to represent the same concept. If used consistently, open vocabularies make it less likely that one entity refers to the energy sector as "Energy" and another as "Energy Sector", thereby making comparison and correlation easier. \n\n While using predefined values from STIX vocabularies is strongly encouraged, in some cases this may not be feasible. To address this, producers are permitted to use values outside of the open vocabulary. In the case of enumerations, producers are required to use only the values defined within the STIX specification. \n\n STIX open vocabularies and enumerations are defined in section 10. Properties that are defined as open vocabularies identify a suggested vocabulary from that section. For example, the Threat Actor sophistication property, as defined in section 4.17, uses the Threat Actor Sophistication vocabulary as defined in section 10.25. + Some STIX properties are defined using open vocabularies or enumerations. Enumerations and open vocabularies are defined in STIX in order to enhance interoperability by increasing the likelihood that different entities use the same exact string to represent the same concept. If used consistently, open vocabularies make it less likely that one entity refers to the energy sector as "Energy" and another as "Energy Sector", thereby making comparison and correlation easier. \n\n While using predefined values from STIX vocabularies is strongly encouraged, in some cases this may not be feasible. To address this, producers are permitted to use values outside of the open vocabulary. In the case of enumerations, producers are required to use only the values defined within the STIX specification. 
\n\n STIX open vocabularies and enumerations are defined in section 10. Properties that are defined as open vocabularies identify a suggested vocabulary from that section. For example, the Threat Actor sophistication property, as defined in section 4.17, uses the Threat Actor Sophistication vocabulary as defined in section 10.25. 2.1.0 From c3278ef021af27a5dbc2323b80902e96a02a2742 Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Thu, 26 Jan 2023 14:43:37 +0100 Subject: [PATCH 41/70] Updated the catalog.xml with imports. --- catalog-v001.xml | 63 ++++++++++++++++++++++++++++ stix/catalog-v001.xml | 96 +++++++++++++++++++++---------------------- 2 files changed, 111 insertions(+), 48 deletions(-) create mode 100644 catalog-v001.xml diff --git a/catalog-v001.xml b/catalog-v001.xml new file mode 100644 index 0000000..dbb664f --- /dev/null +++ b/catalog-v001.xml @@ -0,0 +1,63 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml index c5a095c..bb068e9 100644 --- a/stix/catalog-v001.xml +++ b/stix/catalog-v001.xml @@ -5,53 +5,53 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From 3b01ca5466b08dffd52abcbd6cc1aa73bcd136eb Mon Sep 17 00:00:00 2001 From: Mateusz Zych Date: Thu, 26 Jan 2023 16:10:48 +0100 Subject: [PATCH 42/70] Adding a file where i have gathered all parts from the old stix ontology that was not part of stix specification. I have noted from which .owl file all these properties and class definitions were originally belonging. This file need to be reviewed and later removed. --- remaning parts of old-ontology.xml | 948 +++++++++++++++++++++++++++++ 1 file changed, 948 insertions(+) create mode 100644 remaning parts of old-ontology.xml 
diff --git a/remaning parts of old-ontology.xml b/remaning parts of old-ontology.xml
new file mode 100644
index 0000000..4bc3043
--- /dev/null
+++ b/remaning parts of old-ontology.xml
@@ -0,0 +1,948 @@ + + + MD5 Hash Value + Specifies the MD5 message digest algorithm. The corresponding hash string for this value MUST be a valid MD5 message digest as defined in [RFC1321]. + + + + + SHA-1 Hash Value + Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA-1 message digest as defined in [RFC3174]. + + + + + SHA-256 Hash Value + Specifies the SHA-256 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-256 message digest as defined in [RFC6234]. + + + + + SHA-512 Hash Value + Specifies the SHA-512 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-512 message digest as defined in [RFC6234]. + + + + + SHA3-256 Hash Value + Specifies the SHA3-256 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-256 message digest as defined in [FIPS202]. + + + + + SHA3-512 Hash Value + Specifies the SHA3-512 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-512 message digest as defined in [FIPS202]. + + + + + SSDEEP Hash Value + Specifies the ssdeep fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid piecewise hash as defined in the [SSDEEP] specification. + + + + + TLSH Hash Value + Specifies the TLSH fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid 35 byte long hash as defined in the [TLSH] specification. + + + + + + + + + + Group + Identitfies an informal collection of people, without formal governance. + + + + + + + + Individual + Identitfies an actual individual. + + + + + + + Industy Sector + Identifies an industry sector. + + + + + + Organization + Identifies an actual formal organization of people, with governance, such as a company. 
+ + + + + + + + + Civic Location + Identifies an actual civic location (e.g., street address, city, administrative area, postal code). + + + + + Country + Identifies an actual country. + + + + + Global Position + Identifies a physical position on the globe. + + + + + Region + Identifies an actual region in the world. + + + + + +extension-definition.owl + + + + Extension + Characterizes the base of all extensions to Cyber Observable objects. + + + + + + + + activity-outcome-enum + + + + + blocked + + + failed + + + successful + + + unknown + + + + + + + + + + + + + + + detection-methods-ov + + + + + automated-tool + + + human-review + + + message-from-attacker + + + system-outage + + + user-reporting + + + + + + + + + + + + + + + + + defender-activity-ov + Defines an open vocabulary for defender activities associated with an Incident. + + + + + containment-completed + + + containment-started + + + declared + + + detected + + + eradication-completed + + + eradication-started + + + escalated + + + recovery-completed + + + recovery-started + + + reported + + + + + + + + + + + + + + + + + + + + + + + + + + + dectection-methods-ov + + + + + automated-tool + + + human-review + + + message-from-attacker + + + system-outage + + + user-reporting + + + + + + + + + + + + + + + + + external-impact-ov + + + + + civil-liberties + + + economic + + + foreign-relations + + + national-security + + + public-confidence + + + public-health + + + + + + + + + + + + + + + + + + + incident-action-status-ov + + + + + failed + + + new-control + + + planned + + + successful + + + unused + + + + + + + + + + + + + + + + + information-impact-type-ov + + + + + classified-material + + + communication + + + credentials-admin + + + credentials-user + + + financial + + + legal + + + payment + + + phi + + + pii + + + proprietary + + + + + + + + + + + + + + + + + + + + + + + + + + + incident-action-stage-enum + + + + + containment + + + detection + + + eradication + + + mitigation + + + post-incident + 
+ + prevention + + + recovery + + + + + + + + + + + + + + + + + + + + + incident-confidentiality-loss-enum + + + + + contained + + + exploited-loss + + + exploited-major-loss + + + major-loss + + + none + + + some-loss + + + suspected-loss + + + suspected-major-loss + + + + + + + + + + + + + + + + + + + + + + + incident-determination-enum + + + + + blocked + + + failed-attempt + + + false-positive + + + low-value + + + successful-attempt + + + suspected + + + + + + + + + + + + + + + + + + + incident-investigation-enum + + + + + closed + + + new + + + open + + + + + + + + + + + + + incident-type-ov + + + + + compromised-system + + + denial-of-service + + + destruction + + + equipment-loss + + + equipment-theft + + + major + + + supply-chain-customer + + + supply-chain-vendor + + + unauthorized-access + + + unauthorized-equipment + + + unauthorized-release + + + unauthorized-use + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + information-type-ov + + + + + classified-material + + + communication + + + credentials-admin + + + credentials-user + + + financial + + + legal + + + payment + + + phi + + + pii + + + proprietary + + + + + + + + + + + + + + + + + + + + + + + + + + + integrity-alteration-enum + + + + + full-destruction + + + full-modification + + + none + + + partial-destruction + + + partial-modification + + + potential-destruction + + + potential-modification + + + + + + + + + + + + + + + + + + + + + marking-definition-type-ov + + + + + statement + + + tlp + + + + + + + + + + + monetary-impact-type-ov + + + + + asset-and-fraud + + + brand-damage + + + business-disruption + + + competitive-advantage + + + legal-and-regulatory + + + operating-costs + + + response-and-recovery + + + uncategorized + + + + + + + + + + + + + + + + + + + + + + + physical-impact-enum + + + + + damaged-complete + + + damaged-limited + + + destruction-complete + + + destruction-limited + + + none + + + unknown + + + + + + + + + + + + + + + + + + + recoverability-enum + + + 
+ + extended + + + not-applicable + + + not-recoverable + + + regular + + + supplemented + + + + + + + + + + + + + + + + + timestamp-fidelity-enum + + + + + day + + + hour + + + minute + + + month + + + second + + + year + + + + + + + + + + + + + + + + + + + traceability-enum + + + + + accountability-lost + + + partial-accountability + + + provable-accountability + + + + + + + + + + + + From 12038207c27f5b96c6c3fb269f20284f1f634dc4 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Mon, 30 Jan 2023 17:20:13 -0800 Subject: [PATCH 43/70] updating the Protege catalog files. --- stix/catalog-v001.xml | 96 +++++++++++++++---------------- tac/catalog-v001.xml | 12 ++-- threat-agent-lib/catalog-v001.xml | 7 ++- 3 files changed, 61 insertions(+), 54 deletions(-) diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml index c5a095c..45e6809 100644 --- a/stix/catalog-v001.xml +++ b/stix/catalog-v001.xml @@ -5,53 +5,53 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/tac/catalog-v001.xml b/tac/catalog-v001.xml index 11b46e1..b264c66 100644 --- a/tac/catalog-v001.xml +++ b/tac/catalog-v001.xml @@ -1,5 +1,8 @@ + + + @@ -47,9 +50,10 @@ - - - - + + + + + diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 81139fd..1d360a1 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -1,5 +1,8 @@ + + + @@ -50,7 +53,7 @@ - - + + From 3baecc1ef523b65149f861a67e38f2cf924a8ac2 Mon Sep 17 00:00:00 2001 
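Review bot: The new old-ontology file defines `detection-methods-ov` and `dectection-methods-ov` (typo) with identical members, and `information-impact-type-ov` and `information-type-ov` likewise share the same member list, so one of each pair needs to be dropped before any of this is merged back into the ontology. Several labels carry typos: `Identitfies an informal collection of people` and `Identitfies an actual individual` should read `Identifies …`, and `Industy Sector` should be `Industry Sector`. The file name `remaning parts of old-ontology.xml` contains spaces and a typo; a name like `old-ontology-remaining-parts.xml` is easier to handle in build tooling and catalogs.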
From: Ryan Hohimer Date: Sat, 4 Feb 2023 09:29:11 -0800 Subject: [PATCH 44/70] Adding Open Vocabularies as Category objects --- stix/core-objects/data-types.owl | 8 +- stix/core-objects/sco/artifact/artifact.owl | 29 +- stix/core-objects/sco/file/file.owl | 17 +- .../sco/network-traffic/network-traffic.owl | 22 +- stix/core-objects/sco/process/process.owl | 28 - .../sco/user-account/user-account.owl | 89 +- .../windows-registry-key.owl | 51 +- stix/core-objects/sdo/grouping/grouping.owl | 1 - stix/core-objects/sdo/identity/identity.owl | 2 - stix/core-objects/sdo/indicator/indicator.owl | 5 +- .../sdo/infrastructure/infrastructure.owl | 4 +- .../sdo/intrusion-set/intrusion-set.owl | 3 - stix/core-objects/sdo/location/location.owl | 1 - stix/core-objects/sdo/malware/malware.owl | 21 +- stix/core-objects/sdo/opinion/opinion.owl | 7 - stix/core-objects/sdo/report/report.owl | 1 - .../sdo/threat-actor/threat-actor.owl | 7 - stix/core-objects/sdo/tool/tool.owl | 5 +- .../extension-definition.owl | 8 +- stix/stix.owl | 184 ++ stix/vocabularies/vocabularies.owl | 1967 ----------------- 21 files changed, 310 insertions(+), 2150 deletions(-) diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index a9619f3..cdef950 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl @@ -109,6 +109,12 @@ The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives. \n\n The JSON MTI serialization uses the JSON Object type [RFC8259] when representing kill-chain-phase. + + + + + + description A human readable description. @@ -146,7 +152,6 @@ hash_algorithm Represents the cryptographic hash algorithm used.\n\nThe name of the cryptographic hash algorithm used SHOULD come from one of the values defined in the hash-algorithm-ov open vocabulary. - 
@@ -162,6 +167,7 @@ + identifier An identifier uniquely identifies a STIX Object and MAY do so in a deterministic way. A deterministic identifier means that the identifier generated by more than one producer for the exact same STIX Object using the same namespace, "ID Contributing Properties", and UUID method will have the exact same identifier value. \n\n All identifiers, excluding those used in the deprecated Cyber Observable Container, MUST follow the form object-type--UUID, where object-type is the exact value (all type names are lowercase strings, by definition) from the type property of the object being identified or referenced and where the UUID MUST be an RFC 4122-compliant UUID [RFC4122]. diff --git a/stix/core-objects/sco/artifact/artifact.owl b/stix/core-objects/sco/artifact/artifact.owl index 133b0df..a70e6ca 100644 --- a/stix/core-objects/sco/artifact/artifact.owl +++ b/stix/core-objects/sco/artifact/artifact.owl 
@@ -7,6 +7,7 @@ ]> - Artifact - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. + Artifact + The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. + + + - decryption_key - Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive. This property MUST NOT be present when the encryption_algorithm property is absent. + decryption_key + Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive. This property MUST NOT be present when the encryption_algorithm property is absent. - encryption algorithm - If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in. The value of this property MUST come from the encryption-algorithm-enum enumeration. If both mime_type and encryption_algorithm are included, this signifies that the artifact represents an encrypted archive. - + encryption algorithm + If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in. The value of this property MUST come from the encryption-algorithm-enum enumeration. If both mime_type and encryption_algorithm are included, this signifies that the artifact represents an encrypted archive. 
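Review bot: The re-indented `encryption algorithm` label in artifact.owl uses a space, while the sibling labels (`decryption_key`, `mime_type`, `payload_bin`, `url`) and the property's own comment use the property name `encryption_algorithm`; use `encryption_algorithm` so the label matches the STIX property. Apart from that label, the new side of this hunk appears to differ only in indentation, which the stripped markup makes hard to confirm.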
@@ -80,20 +83,20 @@ - mime_type - Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. + mime_type + Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. - payload_bin - Specifies the binary data contained in the artifact as a base64-encoded string. This property MUST NOT be present if url is provided. + payload_bin + Specifies the binary data contained in the artifact as a base64-encoded string. This property MUST NOT be present if url is provided. - url - The value of this property MUST be a valid URL that resolves to the unencoded content. This property MUST NOT be present if payload_bin is provided. + url + The value of this property MUST be a valid URL that resolves to the unencoded content. This property MUST NOT be present if payload_bin is provided. diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl index 56e767f..ab00a9f 100644 --- a/stix/core-objects/sco/file/file.owl +++ b/stix/core-objects/sco/file/file.owl @@ -70,6 +70,9 @@ The Archive File extension specifies a default extension for capturing properties specific to archive files. The key for this extension when used in the extensions dictionary MUST be archive-ext. Note that this predefined extension does not use the extension facility described in section 7.3. + + + 
@@ -166,6 +169,9 @@ The File object represents the properties of a file. A File object MUST contain at least one of hashes or name. + + + @@ -250,6 +256,9 @@ The Raster Image file extension specifies a default extension for capturing properties specific to raster image files. The key for this extension when used in the extensions dictionary MUST be raster-image-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the Raster Image File Extension MUST contain at least one property from this extension. + + + @@ -516,12 +525,6 @@ - - - - - - @@ -663,6 +666,7 @@ + file_header_hashes Specifies any hashes that were computed for the file header. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. @@ -844,7 +848,6 @@ pe_type Specifies the type of the PE binary. This is an open vocabulary and values SHOULD come from the windows-pebinary-type-ov open vocabulary. - diff --git a/stix/core-objects/sco/network-traffic/network-traffic.owl b/stix/core-objects/sco/network-traffic/network-traffic.owl index 8cdc899..ec1c8cb 100644 --- a/stix/core-objects/sco/network-traffic/network-traffic.owl +++ b/stix/core-objects/sco/network-traffic/network-traffic.owl @@ -126,9 +126,6 @@ - - - @@ -219,9 +216,6 @@ - - - @@ -243,12 +237,6 @@ - - - - - - @@ -279,12 +267,6 @@ - - - - - - Network Socket Extension The Network Socket extension specifies a default extension for capturing network traffic properties associated with network sockets. The key for this extension when used in the extensions dictionary MUST be socket-ext. Note that this predefined extension does not use the extension facility described in section 7.3. @@ -310,7 +292,6 @@ address_family Specifies the address family (AF_*) that the socket is configured for. The values of this property MUST come from the network-socket-address-family-enum enumeration. - 
@@ -468,6 +449,7 @@ + options Specifies any options (e.g., SO_*) that may be used by the socket, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the option name, e.g., SO_ACCEPTCONN. Each key value in the dictionary MUST be the value for the corresponding options key. Each dictionary value MUST be an integer. For SO_RCVTIMEO, SO_SNDTIMEO and SO_LINGER the value represents the number of milliseconds. If the SO_LINGER key is present, it indicates that the SO_LINGER option is active. @@ -480,6 +462,7 @@ + request_header Specifies all of the HTTP header fields that may be found in the HTTP client request, as a dictionary. Each key in the dictionary MUST be the name of the header field and SHOULD preserve case, e.g., User-Agent. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. @@ -518,7 +501,6 @@ socket_type Specifies the type of the socket. The values of this property MUST come from the network-socket-type-enum enumeration. - diff --git a/stix/core-objects/sco/process/process.owl b/stix/core-objects/sco/process/process.owl index c9960e1..ea5aa7c 100644 --- a/stix/core-objects/sco/process/process.owl +++ b/stix/core-objects/sco/process/process.owl @@ -139,12 +139,6 @@ - - - - - - @@ -211,24 +205,6 @@ - - - - - - - - - - - - - - - - - - Windows Service Extension The Windows Service extension specifies a default extension for capturing properties specific to Windows services. The key for this extension when used in the extensions dictionary MUST be windows-service-ext. Note that this predefined extension does not use the extension facility described in section 7.3. As all properties of this extension are optional, at least one of the properties defined below MUST be included when using this extension. 
@@ -326,7 +302,6 @@ integrity_level Specifies the Windows integrity level, or trustworthiness, of the process. The values of this property MUST come from the windows-integrity-level-enum enumeration. - @@ -398,19 +373,16 @@ service_status Specifies the current status of the service. The values of this property MUST come from the windows-service-status-enum enumeration. - service_type Specifies the type of the service. The values of this property MUST come from the windows-service-type-enum enumeration. - start_type Specifies the start options defined for the service. The values of this property MUST come from the windows-service-start-type-enum enumeration. - diff --git a/stix/core-objects/sco/user-account/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl index 2766928..b52da62 100644 --- a/stix/core-objects/sco/user-account/user-account.owl +++ b/stix/core-objects/sco/user-account/user-account.owl @@ -7,6 +7,7 @@ ]> - UNIX Account Extension - The UNIX account extension specifies a default extension for capturing the additional information for an account on a UNIX system. The key for this extension when used in the extensions dictionary MUST be unix-account-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the UNIX Account Extension MUST contain at least one property from this extension. + UNIX Account Extension + The UNIX account extension specifies a default extension for capturing the additional information for an account on a UNIX system. The key for this extension when used in the extensions dictionary MUST be unix-account-ext. Note that this predefined extension does not use the extension facility described in section 7.3. An object using the UNIX Account Extension MUST contain at least one property from this extension. @@ -81,12 +82,6 @@ - - - - - - 
@@ -135,115 +130,115 @@ - User Account - The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. + User Account + The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. - account_created - Specifies when the account was created. + account_created + Specifies when the account was created. - account_expires - Specifies the expiration date of the account. + account_expires + Specifies the expiration date of the account. - account_first_login - Specifies when the account was first accessed. + account_first_login + Specifies when the account was first accessed. - account_last_login - Specifies when the account was last accessed. + account_last_login + Specifies when the account was last accessed. - account_login - Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login. For example, in the case of a Unix account with user_id 0, the account_login might be "root". + account_login + Specifies the account login string, used in cases where the user_id property specifies something other than what a user would type when they login. For example, in the case of a Unix account with user_id 0, the account_login might be "root". - account_type - Specifies the type of the account. This is an open vocabulary and values SHOULD come from the account-type-ov open vocabulary. - + account_type + Specifies the type of the account. 
This is an open vocabulary and values SHOULD come from the account-type-ov open vocabulary. + - can_escalate_privs - Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account). + can_escalate_privs + Specifies that the account has the ability to escalate privileges (i.e., in the case of sudo on Unix or a Windows Domain Admin account). - credential - Specifies a cleartext credential. This is only intended to be used in capturing metadata from malware analysis (e.g., a hard-coded domain administrator password that the malware attempts to use for lateral movement) and SHOULD NOT be used for sharing of PII. + credential + Specifies a cleartext credential. This is only intended to be used in capturing metadata from malware analysis (e.g., a hard-coded domain administrator password that the malware attempts to use for lateral movement) and SHOULD NOT be used for sharing of PII. - credential_last_changed - Specifies when the account credential was last changed. + credential_last_changed + Specifies when the account credential was last changed. - display_name - Specifies the display name of the account, to be shown in user interfaces, if applicable. On Unix, this is equivalent to the GECOS field. + display_name + Specifies the display name of the account, to be shown in user interfaces, if applicable. On Unix, this is equivalent to the GECOS field. - gid - Specifies the primary group ID of the account. + gid + Specifies the primary group ID of the account. - groups - Specifies a list of names of groups that the account is a member of. + groups + Specifies a list of names of groups that the account is a member of. - home_dir - Specifies the home directory of the account. + home_dir + Specifies the home directory of the account. - is_disabled - Specifies if the account is disabled. + is_disabled + Specifies if the account is disabled. 
- is_privileged - Specifies that the account has elevated privileges (i.e., in the case of root on Unix or the Windows Administrator account). + is_privileged + Specifies that the account has elevated privileges (i.e., in the case of root on Unix or the Windows Administrator account). - is_service_account - Indicates that the account is associated with a network service or system process (daemon), not a specific individual. + is_service_account + Indicates that the account is associated with a network service or system process (daemon), not a specific individual. - shell - Specifies the account's command shell. + shell + Specifies the account's command shell. - user_id - Specifies the identifier of the account. The format of the identifier depends on the system the user account is maintained in, and may be a numeric ID, a GUID, an account name, an email address, etc. The user_id property should be populated with whatever field is the unique identifier for the system the account is a member of. For example, on UNIX systems it would be populated with the UID. + user_id + Specifies the identifier of the account. The format of the identifier depends on the system the user account is maintained in, and may be a numeric ID, a GUID, an account name, an email address, etc. The user_id property should be populated with whatever field is the unique identifier for the system the account is a member of. For example, on UNIX systems it would be populated with the UID. diff --git a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl index 0bc4d56..3ff1d10 100644 --- a/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl +++ b/stix/core-objects/sco/windows-registry-key/windows-registry-key.owl @@ -7,6 +7,7 @@ ]> 2.1.0 + + + 
@@ -58,8 +62,8 @@ - Windows Registry Key Object - The Registry Key object represents the properties of a Windows registry key. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. + Windows Registry Key Object + The Registry Key object represents the properties of a Windows registry key. As all properties of this object are optional, at least one of the properties defined below MUST be included when using this object. 
@@ -70,55 +74,48 @@ - - - - - - - Windows Registry Value Type - The Windows Registry Value type captures the properties of a Windows Registry Key Value. As all properties of this type are optional, at least one of the properties defined below MUST be included when using this type. + Windows Registry Value Type + The Windows Registry Value type captures the properties of a Windows Registry Key Value. As all properties of this type are optional, at least one of the properties defined below MUST be included when using this type. - creator_user_ref - Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. + creator_user_ref + Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. - creator_user_ref_string - Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. + creator_user_ref_string + Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account. - data - Specifies the data contained in the registry value. + data + Specifies the data contained in the registry value. - data_type - Specifies the registry (REG_*) data type used in the registry value.\n\nThe values of this property MUST come from the windows-registry-datatype-enum enumeration. - + data_type + Specifies the registry (REG_*) data type used in the registry value.\n\nThe values of this property MUST come from the windows-registry-datatype-enum enumeration. - key - Specifies the full registry key including the hive. The value of the key, including the hive portion, SHOULD be case-preserved. The hive portion of the key MUST be fully expanded and not truncated; e.g., HKEY_LOCAL_MACHINE must be used instead of HKLM. + key + Specifies the full registry key including the hive. 
The value of the key, including the hive portion, SHOULD be case-preserved. The hive portion of the key MUST be fully expanded and not truncated; e.g., HKEY_LOCAL_MACHINE must be used instead of HKLM. - modified_time - Specifies the last date/time that the registry key was modified. + modified_time + Specifies the last date/time that the registry key was modified. @@ -129,14 +126,14 @@ - number_of_subkeys - Specifies the number of subkeys contained under the registry key. + number_of_subkeys + Specifies the number of subkeys contained under the registry key. - values - Specifies the number of subkeys contained under the registry key. + values + Specifies the number of subkeys contained under the registry key. diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl index 5fdec64..d6d18c5 100644 --- a/stix/core-objects/sdo/grouping/grouping.owl +++ b/stix/core-objects/sdo/grouping/grouping.owl @@ -58,7 +58,6 @@ context A short descriptor of the particular context shared by the content referenced by the Grouping. The value for this property SHOULD come from the grouping-context-ov open vocabulary. - diff --git a/stix/core-objects/sdo/identity/identity.owl b/stix/core-objects/sdo/identity/identity.owl index 5cfe300..f61d405 100644 --- a/stix/core-objects/sdo/identity/identity.owl +++ b/stix/core-objects/sdo/identity/identity.owl @@ -77,7 +77,6 @@ identity_class The type of entity that this Identity describes, e.g., an individual or organization. The value for this property SHOULD come from the identity-class-ov open vocabulary. - @@ -95,7 +94,6 @@ sectors The list of industry sectors that this Identity belongs to. The values for this property SHOULD come from the industry-sector-ov open vocabulary. - \ No newline at end of file diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl index aeff545..c9c5cd5 100644 --- a/stix/core-objects/sdo/indicator/indicator.owl 
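Review bot: The description re-emitted for `creator_user_ref_string` in this hunk is a verbatim copy of the one on `creator_user_ref` ("Specifies a reference to the user account that created the registry key. The object referenced in this property MUST be of type user-account."), so a reader cannot tell the two properties apart, and the `_string` suffix suggests this one carries the identifier as a literal rather than an object reference — please confirm against the property's range, which is not visible here. If that is the case I would reword it to `Specifies, as a string literal, the identifier of the user-account that created the registry key; string-valued counterpart of creator_user_ref.` and keep the "MUST be of type user-account" sentence only on creator_user_ref. Since the commit already rewrites these lines, this is the right place to fix the copy-paste.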
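Review bot: The description written on the new side for `values` is the same text as `number_of_subkeys` ("Specifies the number of subkeys contained under the registry key."), which is wrong for a property named values; the Windows Registry Value type defined just above in this file (with `data` and `data_type`) is presumably what this property holds. As the commit re-emits these lines, I would correct the copy-paste here: `Specifies the values found under the registry key, each captured as a Windows Registry Value type.` Whether the range is a list of that type or something else needs confirming, since the property's range element is not visible in this hunk.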
+++ b/stix/core-objects/sdo/indicator/indicator.owl @@ -80,6 +80,9 @@ Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. + + + description A description that provides more details and context about the Indicator, potentially including its purpose and its key characteristics. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does. @@ -89,7 +92,6 @@ indicator types A set of categorizations for this indicator. The values for this property SHOULD come from the indicator-type-ov open vocabulary. - @@ -113,7 +115,6 @@ pattern_type The pattern language used in this indicator. The value for this property SHOULD come from the pattern-type-ov open vocabulary. The value of this property MUST match the type of pattern data included in the pattern property. - diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl index 974d25f..c50a245 100644 --- a/stix/core-objects/sdo/infrastructure/infrastructure.owl +++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl 
@@ -68,6 +68,9 @@ The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure. + + + aliases Alternative names used to identify this Infrastructure. @@ -89,7 +92,6 @@ infrastructure_types The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. - diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index b0b6d84..f4281e2 100644 --- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl @@ -119,19 +119,16 @@ primary_motivation The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - resource_level This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. - secondary_motivations The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - \ No newline at end of file 
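Review bot: The descriptions of `primary_motivation` and `secondary_motivations` in this hunk are copied from a first-seen timestamp ("The time that this Intrusion Set was first seen. A summary property of data from sightings…"), which does not describe a motivation at all, and the hunk edits these three property definitions while leaving that text in place. The Threat Actor file in the same commit has the correct wording, so I would align with it: `The primary reason, motivation, or purpose behind this Intrusion Set. The value for this property SHOULD come from the attack-motivation-ov open vocabulary.` for primary_motivation, and `The secondary reasons, motivations, or purposes behind this Intrusion Set; the position in the list has no significance. The values for this property SHOULD come from the attack-motivation-ov open vocabulary.` for secondary_motivations. Carrying the vocabulary pointer in the comment matters more after this commit, because the element removed after each property is not visible in this view and may have been the only other binding to that vocabulary — that is inferred, so please check.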
diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl index e638f38..839c1e7 100644 --- a/stix/core-objects/sdo/location/location.owl +++ b/stix/core-objects/sdo/location/location.owl @@ -161,7 +161,6 @@ region The region that this Location describes. The value for this property SHOULD come from the region-ov open vocabulary. - diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl index 80d073d..7c3a9aa 100644 --- a/stix/core-objects/sdo/malware/malware.owl +++ b/stix/core-objects/sdo/malware/malware.owl @@ -21,6 +21,15 @@ 2.1.0 + + + + + + + + + @@ -104,7 +113,6 @@ - @@ -139,13 +147,11 @@ architecture_execution_envs The processor architectures (e.g., x86, ARM, etc.) that the malware instance or family is executable on. The values for this property SHOULD come from the processor-architecture-ov open vocabulary. - capabilities Any of the capabilities identified for the malware instance or family. The values for this property SHOULD come from the malware-capabilities-ov open vocabulary. - @@ -163,7 +169,6 @@ implementation_languages The programming language(s) used to implement the malware instance or family. The values for this property SHOULD come from the implementation-language-ov open vocabulary. - @@ -187,7 +192,6 @@ malware_types A set of categorizations for the malware being described. The values for this property SHOULD come from the malware-type-ov open vocabulary. - @@ -208,16 +212,19 @@ + + + sample_refs The sample_refs property specifies a list of identifiers of the SCO file or artifact objects associated with this malware instance(s) or family. If is_family is false, then all samples listed in sample_refs MUST refer to the same binary data. - - + + diff --git a/stix/core-objects/sdo/opinion/opinion.owl b/stix/core-objects/sdo/opinion/opinion.owl index 446bea2..34f1a42 100644 --- a/stix/core-objects/sdo/opinion/opinion.owl 
+++ b/stix/core-objects/sdo/opinion/opinion.owl @@ -46,12 +46,6 @@ - - - - - - Opinion An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. @@ -83,7 +77,6 @@ opinion The opinion that the producer has about all of the STIX Object(s) listed in the object_refs property. The values of this property MUST come from the opinion-enum enumeration. - \ No newline at end of file diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl index 987c539..8c011b8 100644 --- a/stix/core-objects/sdo/report/report.owl +++ b/stix/core-objects/sdo/report/report.owl 
@@ -95,7 +95,6 @@ report_types The primary type(s) of content found in this report. The values for this property SHOULD come from the report-type-ov open vocabulary. - \ No newline at end of file diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index 6924d55..3808baa 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl 
@@ -143,43 +143,36 @@ personal_motivations The personal reasons, motivations, or purposes of the Threat Actor regardless of organizational goals. Personal motivation, which is independent of the organization's goals, describes what impels an individual to carry out an attack. Personal motivation may align with the organization's motivation—as is common with activists—but more often it supports personal goals. For example, an individual analyst may join a Data Miner corporation because his or her skills may align with the corporation's objectives. But the analyst most likely performs his or her daily work toward those objectives for personal reward in the form of a paycheck. The motivation of personal reward may be even stronger for Threat Actors who commit illegal acts, as it is more difficult for someone to cross that line purely for altruistic reasons. The position in the list has no significance. The values for this property SHOULD come from the attack-motivation-ov open vocabulary. - primary_motivation The primary reason, motivation, or purpose behind this Threat Actor. The motivation is why the Threat Actor wishes to achieve the goal (what they are trying to achieve). For example, a Threat Actor with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism. The value for this property SHOULD come from the attack-motivation-ov open vocabulary. - resource_level The organizational level at which this Threat Actor typically works, which in turn determines the resources available to this Threat Actor for use in an attack. This attribute is linked to the sophistication property — a specific resource level implies that the Threat Actor has access to at least a specific sophistication level. The value for this property SHOULD come from the attack-resource-level-ov open vocabulary. - roles A list of roles the Threat Actor plays. The values for this property SHOULD come from the threat-actor-role-ov open vocabulary. 
- secondary_motivations This property specifies the secondary reasons, motivations, or purposes behind this Threat Actor. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance. The value for this property SHOULD come from the attack-motivation-ov open vocabulary. - sophistication The skill, specific knowledge, special training, or expertise a Threat Actor must have to perform the attack. The value for this property SHOULD come from the threat-actor-sophistication-ov open vocabulary. - threat_actor_types The type(s) of this threat actor. The values for this property SHOULD come from the threat-actor-type-ov open vocabulary. - \ No newline at end of file diff --git a/stix/core-objects/sdo/tool/tool.owl b/stix/core-objects/sdo/tool/tool.owl index 07745a3..532eb96 100644 --- a/stix/core-objects/sdo/tool/tool.owl +++ b/stix/core-objects/sdo/tool/tool.owl @@ -20,6 +20,9 @@ 2.1.0 + + + @@ -75,6 +78,7 @@ + kill_chain_phases The list of kill chain phases for which this Tool can be used. @@ -89,7 +93,6 @@ tool_types The kind(s) of tool(s) being described. The values for this property SHOULD come from the tool-type-ov open vocabulary. - diff --git a/stix/meta-objects/extension-definition/extension-definition.owl b/stix/meta-objects/extension-definition/extension-definition.owl index 2f05a4e..53ae67f 100644 --- a/stix/meta-objects/extension-definition/extension-definition.owl +++ b/stix/meta-objects/extension-definition/extension-definition.owl @@ -7,6 +7,7 @@ ]> - - - - - - 
@@ -75,7 +70,6 @@ extension_types This property specifies one or more extension types contained within this extension. \n\n The values for this property MUST come from the extension-type-enum enumeration. \n\n When this property includes toplevel-property-extension then the extension_properties property SHOULD include one or more property names. - diff --git a/stix/stix.owl b/stix/stix.owl index d182111..cd2dad2 100644 --- a/stix/stix.owl +++ b/stix/stix.owl @@ -63,5 +63,189 @@ 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index 07f3a70..7bb84eb 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl 
@@ -19,1972 +19,5 @@ Some STIX properties are defined using open vocabularies or enumerations. Enumerations and open vocabularies are defined in STIX in order to enhance interoperability by increasing the likelihood that different entities use the same exact string to represent the same concept. If used consistently, open vocabularies make it less likely that one entity refers to the energy sector as "Energy" and another as "Energy Sector", thereby making comparison and correlation easier. \n\n While using predefined values from STIX vocabularies is strongly encouraged, in some cases this may not be feasible. To address this, producers are permitted to use values outside of the open vocabulary. In the case of enumerations, producers are required to use only the values defined within the STIX specification. \n\n STIX open vocabularies and enumerations are defined in section 10. Properties that are defined as open vocabularies identify a suggested vocabulary from that section. For example, the Threat Actor sophistication property, as defined in section 4.17, uses the Threat Actor Sophistication vocabulary as defined in section 10.25. 2.1.0 - - - account-type-ov - Defines an open vocabulary for types of user account. - - - - - facebook - - - ldap - - - nis - - - openid - - - radius - - - skype - - - tacacs - - - twitter - - - unix - - - windows-domain - - - windows-local - - - - - - - - - - - - - - - - - - - - - - - - - - - - - attack-motivation-ov - Defines an open-vocabulary for capturing a Threat Actor or Intrusion Set's motivation for attacking. 
- - - - - accidental - - - coercion - - - dominance - - - ideology - - - notoriety - - - organizational-gain - - - personal-gain - - - personal-satisfaction - - - revenge - - - unpredictable - - - - - - - - - - - - - - - - - - - - - - - - - - - attack-resource-level-ov - - - - - club - - - contest - - - government - - - individual - - - organization - - - team - - - - - - - - - - - - - - - - - - - encryption-algorithm-enum - - - - - AES-256-GCM - - - ChaCha20-Poly1035 - - - mime-type-indicated - - - - - - - - - - - - - extension-type-enum - - - - - new-sco - - - new-sdo - - - new-sro - - - property-extension - - - toplevel-property-extension - - - - - - - - - - - - - - - - - grouping-context-ov - - - - - malware-analysis - - - suspicious-activity - - - upsecified - - - - - - - - - - - - - hash-algorithm-ov - - - - - MD5 - - - SHA-1 - - - SHA-256 - - - SHA-512 - - - SHA3-256 - - - SHA3-512 - - - SSDEEP - - - TLSH - - - - - - - - - - - - - - - - - - - - - - - identity-class-ov - Defines an open-vocabulary that captures tthe type of entity that the Identity represents. 
- - - - - class - - - individual - - - organization - - - system - - - unknown - - - - - - - - - - - - - - - - - implementation-language-ov - - - - - applescript - - - bash - - - c - - - c# - - - c++ - - - go - - - java - - - javascript - - - lua - - - objective-c - - - perl - - - php - - - powershell - - - python - - - ruby - - - scala - - - swift - - - typescript - - - visual-basic - - - x86-32 - - - x86-64 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - indicator-type-ov - - - - - anomalous-activity - - - anonymization - - - attribution - - - benign - - - compromised - - - malicious-activity - - - unknown - - - - - - - - - - - - - - - - - - - - - industry-sector-ov - - - - - aerospace - - - agriculture - - - automotive - - - chemical - - - commercial - - - communications - - - construction - - - dams - - - defense - - - education - - - emergency-services - - - energy - - - entertainment - - - financial-services - - - government - - - government-local - - - government-national - - - government-public-services - - - government-regional - - - healthcare - - - hospitality-leisure - - - infrastructure - - - insurance - - - manufacturing - - - mining - - - non-profit - - - nuclear - - - pharmaceuticals - - - retail - - - technology - - - telecommunications - - - transportation - - - utilities - - - water - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - infrastructure-type-ov - - - - - amplification - - - anonymization - - - botnet - - - command-and-control - - - control-system - - - exfiltration - - - firewall - - - hosting-malware - - - hosting-target-lists - - - phishing - - - reconnaissance - - - routers-switches - - - staging - - - workstation - - - unknown - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - malware-capabilities-ov - - - - - accesses-remote-machines - - - anti-debugging - - - 
anti-disassembly - - - anti-emulation - - - anti-memory-forensics - - - anti-sandbox - - - anti-vm - - - captures-input-peripherals - - - captures-output-peripherals - - - captures-system-state-data - - - cleans-traces-of-infection - - - commits-fraud - - - communicates-with-c2 - - - compromises-data-availability - - - compromises-data-integrity - - - compromises-system-availability - - - controls-local-machine - - - degrades-security-software - - - degrades-system-updates - - - determines-c2-server - - - emails-spam - - - escalates-privileges - - - evades-av - - - exfiltrates-data - - - fingerprints-hosts - - - hides-artifacts - - - hides-executing-code - - - infects-files - - - infects-remote-machines - - - installs-other-components - - - persists-after-system-reboot - - - prevents-artifact-access - - - prevents-artifact-deletion - - - probes-network-environment - - - self-modifies - - - steals-authenticaion-credentials - - - violates-system-operation-integrity - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - malware-result-ov - - - - - benign - - - malicious - - - suspicious - - - unknown - - - - - - - - - - - - - - - malware-type-ov - - - - - adware - - - backdoor - - - bootkit - - - bot - - - ddos - - - downloader - - - dropper - - - exploit-kit - - - keylogger - - - ransomware - - - remote-access-trojan - - - resource-exploitation - - - rogue-security-software - - - rootkit - - - screen-capture - - - spyware - - - trojan - - - unknown - - - virus - - - webshell - - - wiper - - - worm - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - network-socket-address-family-enum - - - - - AF_UNSPEC - - - AF_INET - - - AF_IPX - - - AF_APPLETALK - - - AF_NETBIOS - - - AF_INET6 - - - AF_IRDA - - - AF_BTH - - - - - - - - - - - - - - - - - - - - - - - network-socket-type-enum - - - - - SOCK_STREAM - - - SOCK_DGRAM 
- - - SOCK_RAW - - - SOCK_RDM - - - SOCK_SEQPACKET - - - - - - - - - - - - - - - - - opinion-enum - - - - - agree - - - disagree - - - neutral - - - strongly-agree - - - strongly-disagree - - - - - - - - - - - - - - - - - pattern-type-ov - - - - - pcre - - - sigma - - - snort - - - stix - - - suricata - - - yara - - - - - - - - - - - - - - - - - - - processor-architecture-ov - - - - - alpha - - - arm - - - ia-64 - - - mips - - - powerpc - - - sparc - - - x86 - - - x86-64 - - - - - - - - - - - - - - - - - - - - - - - region-ov - - - - - africa - - - americas - - - antarctica - - - asia - - - australia-new-zealand - - - caribbean - - - central-america - - - central-asia - - - eastern-africa - - - eastern-asia - - - eastern-europe - - - europe - - - latin-america-caribbean - - - melanesia - - - micronesia - - - middle-africa - - - northern-africa - - - northern-america - - - northern-europe - - - oceania - - - polynesia - - - south-america - - - south-eastern-asia - - - southern-africa - - - southern-asia - - - southern-europe - - - western-africa - - - western-asia - - - western-europe - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - report-type-ov - - - - - attack-pattern - - - campaign - - - identity - - - indicator - - - intrusion-set - - - malware - - - observed-data - - - threat-actor - - - threat-report - - - tool - - - vulnerability - - - - - - - - - - - - - - - - - - - - - - - - - - - - - threat-actor-role-ov - - - - - agent - - - director - - - independent - - - infrastructure-architect - - - infrastructure-operator - - - malware-author - - - sponsor - - - - - - - - - - - - - - - - - - - - - threat-actor-sophistication-ov - - - - - advanced - - - expert - - - innovator - - - intermediate - - - minimal - - - none - - - strategic - - - - - - - - - - - - - - - - - - - - - threat-actor-type-ov - - - - - activist - - - competitor - - - crime-syndicate - - - criminal - - - hacker - - 
- insider-accidental - - - insider-disgruntled - - - nation-state - - - sensationalist - - - spy - - - terrorist - - - unknown - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - tool-type-ov - - - - - credential-exploitation - - - denial-of-service - - - exploitation - - - information-gathering - - - network-capture - - - remote-access - - - unknown - - - vulnerability-scanning - - - - - - - - - - - - - - - - - - - - - - - windows-integrity-level-enum - - - - - low - - - medium - - - high - - - system - - - - - - - - - - - - - - - windows-pebinary-type-ov - Defines an open-vocabulary used to capture the types of Windows PE files - - - - - dll - - - exe - - - invalid - - - sys - - - - - - - - - - - - - - - windows-registry-datatype-enum - - - - - REG_NONE - - - REG_SZ - - - REG_EXPAND_SZ - - - REG_BINARY - - - REG_DWORD - - - REG_DWORD_BIG_ENDIAN - - - REG_DWORD_LITTLE_ENDIAN - - - REG_LINK - - - REG_MULTI_SZ - - - REG_RESOURCE_LIST - - - REG_FULL_RESOURCE_DESCRIPTION - - - REG_RESOURCE_REQUIREMENTS_LIST - - - REG_QWORD - - - REG_INVALID_TYPE - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - windows-service-start-type-enum - - - - - SERVICE_AUTO_START - - - SERVICE_BOOT_START - - - SERVICE_DEMAND_START - - - SERVICE_DISABLED - - - SERVICE_SYSTEM_ALERT - - - - - - - - - - - - - - - - - windows-service-status-enum - - - - - SERVICE_CONTINUE_PENDING - - - SERVICE_PAUSE_PENDING - - - SERVICE_PAUSED - - - SERVICE_RUNNING - - - SERVICE_START_PENDING - - - SERVICE_STOP_PENDING - - - SERVICE_STOPPED - - - - - - - - - - - - - - - - - - - - - windows-service-type-enum - - - - - SERVICE_KERNEL_DRIVER - - - SERVICE_FILE_SYSTEM_DRIVER - - - SERVICE_WIN32_OWN_PROCESS - - - SERVICE_WIN32_SHARE_PROCESS - - - - - - - - - - - - \ No newline at end of file From 06c0210a5ab9033a9de4943b68fb25b11ec92b33 Mon Sep 17 00:00:00 2001 
From: Ryan Hohimer
Date: Sat, 4 Feb 2023 10:57:27 -0800
Subject: [PATCH 45/70] Removed Punning Problems
---
stix/core-objects/data-types.owl | 3 --
stix/core-objects/sco/file/file.owl | 10 ----
.../sco/network-traffic/network-traffic.owl | 20 --------
.../sdo/attack-pattern/attack-pattern.owl | 12 -----
stix/core-objects/sdo/campaign/campaign.owl | 4 --
stix/core-objects/sdo/indicator/indicator.owl | 12 -----
.../sdo/infrastructure/infrastructure.owl | 16 -------
.../sdo/intrusion-set/intrusion-set.owl | 4 --
stix/core-objects/sdo/malware/malware.owl | 16 -------
.../sdo/observed-data/observed-data.owl | 7 ---
.../sdo/threat-actor/threat-actor.owl | 4 --
stix/core-objects/sdo/tool/tool.owl | 10 ----
stix/core-objects/sro/sighting/sighting.owl | 46 +++++++++----------
threat-agent-lib/catalog-v001.xml | 4 +-
14 files changed, 23 insertions(+), 145 deletions(-)
diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl
index cdef950..366db06 100644
--- a/stix/core-objects/data-types.owl
+++ b/stix/core-objects/data-types.owl
@@ -112,9 +112,6 @@
- - - description A human readable description.
diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl
index ab00a9f..361078a 100644
--- a/stix/core-objects/sco/file/file.owl
+++ b/stix/core-objects/sco/file/file.owl
@@ -489,12 +489,6 @@
- - - - - -
@@ -666,10 +660,6 @@
- - file_header_hashes - Specifies any hashes that were computed for the file header. Dictionary keys MUST come from the hash-algorithm-ov open vocabulary. -
diff --git a/stix/core-objects/sco/network-traffic/network-traffic.owl b/stix/core-objects/sco/network-traffic/network-traffic.owl
index ec1c8cb..415fceb 100644
--- a/stix/core-objects/sco/network-traffic/network-traffic.owl
+++ b/stix/core-objects/sco/network-traffic/network-traffic.owl
@@ -45,12 +45,6 @@
- - - - - -
@@ -249,12 +243,6 @@
- - - - - -
@@ -449,10 +437,6 @@
- - options - Specifies any options (e.g., SO_*) that may be used by the socket, as a dictionary. Each key in the dictionary SHOULD be a case-preserved version of the option name, e.g., SO_ACCEPTCONN. Each key value in the dictionary MUST be the value for the corresponding options key. Each dictionary value MUST be an integer. For SO_RCVTIMEO, SO_SNDTIMEO and SO_LINGER the value represents the number of milliseconds. If the SO_LINGER key is present, it indicates that the SO_LINGER option is active. -
@@ -462,10 +446,6 @@
- - request_header - Specifies all of the HTTP header fields that may be found in the HTTP client request, as a dictionary. Each key in the dictionary MUST be the name of the header field and SHOULD preserve case, e.g., User-Agent. The corresponding value for each dictionary key MUST always be a list of type string to support when a header field is repeated. -
diff --git a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl
index ba8867e..2bfb353 100644
--- a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl
+++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl
@@ -33,12 +33,6 @@
- - - - - -
@@ -61,12 +55,6 @@
- - kill_chain_phases - The list of Kill Chain Phases for which this Attack Pattern is used. - - - name A name used to identify the Attack Pattern.
diff --git a/stix/core-objects/sdo/campaign/campaign.owl b/stix/core-objects/sdo/campaign/campaign.owl
index 6107109..0c980d6 100644
--- a/stix/core-objects/sdo/campaign/campaign.owl
+++ b/stix/core-objects/sdo/campaign/campaign.owl
@@ -74,14 +74,10 @@
- first_seen - The time that this Campaign was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - last_seen - The time that this Campaign was last seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property.
diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl
index c9c5cd5..60dc5aa 100644
--- a/stix/core-objects/sdo/indicator/indicator.owl
+++ b/stix/core-objects/sdo/indicator/indicator.owl
@@ -34,12 +34,6 @@
- - - - - -
@@ -94,12 +88,6 @@ A set of categorizations for this indicator. The values for this property SHOULD come from the indicator-type-ov open vocabulary. - - kill_chain_phases - The kill chain phase(s) to which this Indicator corresponds. - - - name A name used to identify the Indicator. Producers SHOULD provide this property to help products and analysts understand what this Indicator actually does.
diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl
index c50a245..9335734 100644
--- a/stix/core-objects/sdo/infrastructure/infrastructure.owl
+++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl
@@ -46,12 +46,6 @@
- - - - - -
@@ -84,8 +78,6 @@
- first_seen - The time that this Infrastructure was first seen performing malicious activities.
@@ -94,15 +86,7 @@ The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary. - - kill_chain_phases - The list of Kill Chain Phases for which this Infrastructure is used. - - - - last_seen - The time that this Infrastructure was last seen performing malicious activities. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property.
diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl
index f4281e2..4e69125 100644
--- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl
+++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl
@@ -93,8 +93,6 @@
- first_seen - The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data.
@@ -105,8 +103,6 @@
- last_seen - The time that this Intrusion Set was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property.
diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl
index 7c3a9aa..d0c6849 100644
--- a/stix/core-objects/sdo/malware/malware.owl
+++ b/stix/core-objects/sdo/malware/malware.owl
@@ -74,12 +74,6 @@
- - - - - -
@@ -161,8 +155,6 @@
- first_seen - The time that the malware instance or family was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data.
@@ -177,15 +169,7 @@
- - kill_chain_phases - The list of Kill Chain Phases for which this malware can be used. - - - - last_seen - The time that the malware family or malware instance was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last_seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property.
diff --git a/stix/core-objects/sdo/observed-data/observed-data.owl b/stix/core-objects/sdo/observed-data/observed-data.owl
index 46ad186..46b9325 100644
--- a/stix/core-objects/sdo/observed-data/observed-data.owl
+++ b/stix/core-objects/sdo/observed-data/observed-data.owl
@@ -92,12 +92,5 @@ A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided. - - - objects - A dictionary of SCO representing the observation. The dictionary MUST contain at least one object. The cyber observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via cyber observable Relationships MUST NOT be contained within the same Observed Data instance. This property MUST NOT be present if object_refs is provided. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. NOTE: this property is now deprecated in favor of object_refs and will be removed in a future version. - - true -
\ No newline at end of file
diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl
index 3808baa..bb756e0 100644
--- a/stix/core-objects/sdo/threat-actor/threat-actor.owl
+++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl
@@ -117,8 +117,6 @@
- first_seen - The time that this Threat Actor was first seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data.
@@ -129,8 +127,6 @@
- last_seen - The time that this Threat Actor was last seen. This property is a summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are later than the last seen timestamp, the object may be updated to account for the new data. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property.
diff --git a/stix/core-objects/sdo/tool/tool.owl b/stix/core-objects/sdo/tool/tool.owl
index 532eb96..66d550b 100644
--- a/stix/core-objects/sdo/tool/tool.owl
+++ b/stix/core-objects/sdo/tool/tool.owl
@@ -37,12 +37,6 @@
- - - - - -
@@ -78,10 +72,6 @@
- - kill_chain_phases - The list of kill chain phases for which this Tool can be used. -
diff --git a/stix/core-objects/sro/sighting/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl
index 452a79b..cced023 100644
--- a/stix/core-objects/sro/sighting/sighting.owl
+++ b/stix/core-objects/sro/sighting/sighting.owl
@@ -7,6 +7,7 @@ ]> -
@@ -90,8 +90,8 @@ - Sighting - A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. 
In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". + Sighting + A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. 
In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor". 
@@ -106,51 +106,47 @@ - - first_seen - The beginning of the time window during which the SDO referenced by the sighting_of_ref property was sighted. + - + - - last_seen - The end of the time window during which the SDO referenced by the sighting_of_ref property was sighted. If this property and the first_seen property are both defined, then this property MUST be greater than or equal to the timestamp in the first_seen property. + - + - observed_data_refs - A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. For example, a Sighting of an Indicator with an IP address could include the Observed Data for the network connection that the Indicator was used to detect. This property MUST reference only Observed Data SDOs. + observed_data_refs + A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. For example, a Sighting of an Indicator with an IP address could include the Observed Data for the network connection that the Indicator was used to detect. This property MUST reference only Observed Data SDOs. - observed_data_refs_string - A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. For example, a Sighting of an Indicator with an IP address could include the Observed Data for the network connection that the Indicator was used to detect. This property MUST reference only Observed Data SDOs. + observed_data_refs_string + A list of ID references to the Observed Data objects that contain the raw cyber data for this Sighting. For example, a Sighting of an Indicator with an IP address could include the Observed Data for the network connection that the Indicator was used to detect. This property MUST reference only Observed Data SDOs. - sighting_of_ref - An ID reference to the SDO that was sighted (e.g., Indicator or Malware). 
For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. + sighting_of_ref + An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. - sighting_of_ref_string - An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. + sighting_of_ref_string + An ID reference to the SDO that was sighted (e.g., Indicator or Malware). For example, if this is a Sighting of an Indicator, that Indicator's ID would be the value of this property. This property MUST reference only an SDO. - summary - The summary property indicates whether the Sighting should be considered summary data. Summary data is an aggregation of previous Sightings reports and should not be considered primary source data. Default value is false. + summary + The summary property indicates whether the Sighting should be considered summary data. Summary data is an aggregation of previous Sightings reports and should not be considered primary source data. Default value is false. - where_sighted_refs - A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting. Omitting the where_sighted_refs property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs. This property MUST reference only Identity or Location SDOs. + where_sighted_refs + A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting. 
Omitting the where_sighted_refs property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs. This property MUST reference only Identity or Location SDOs.
@@ -164,8 +160,8 @@
- where_sighted_refs_string - A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting. Omitting the where_sighted_refs_string property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs_string. This property MUST reference only Identity or Location SDOs.
+ where_sighted_refs_string + A list of ID references to the Identity or Location objects describing the entities or types of entities that saw the sighting. Omitting the where_sighted_refs_string property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs_string. This property MUST reference only Identity or Location SDOs.
diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml
index 1d360a1..5d00dd6 100644
--- a/threat-agent-lib/catalog-v001.xml
+++ b/threat-agent-lib/catalog-v001.xml
@@ -53,7 +53,7 @@
- - + +
From 5175452b8b8c5cb6a51ce756d1a18e5be8f32294 Mon Sep 17 00:00:00 2001
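Review bot: Removing the Sighting-specific rdfs:comment text for first_seen and last_seen ("The beginning of the time window during which the SDO referenced by the sighting_of_ref property was sighted" and its last_seen counterpart) in the -106,51 hunk deletes the only wording that said what those two timestamps mean on a Sighting; the replacement lines that survive on the new side carry no label or comment text in this rendering, so if the properties are now declared once in a shared file, the class-specific meaning and the ordering rule should stay as an rdfs:comment next to the Sighting restriction, e.g. `The beginning of the time window during which the SDO referenced by sighting_of_ref was sighted.` and, for last_seen, `MUST be greater than or equal to first_seen when both are present.` The campaign.owl, infrastructure.owl, intrusion-set.owl, malware.owl and threat-actor.owl hunks of this patch drop their first_seen/last_seen comments the same way, and the last_seen >= first_seen constraint stated in each of them is no longer visible anywhere on the new side of this series. The Sighting class element that these restrictions belong to starts before and ends after this hunk.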
From: Ryan Hohimer
Date: Sat, 4 Feb 2023 15:58:04 -0800
Subject: [PATCH 46/70] Removing owl:someValuesFrom on stix:StixObject from data-types.owl, grouping.owl, note.owl, opinion.owl, and language-content.owl
---
stix/bundle-object/bundle.owl | 6 ------
stix/core-objects/data-types.owl | 6 ------
stix/core-objects/sdo/grouping/grouping.owl | 6 ------
stix/core-objects/sdo/note/note.owl | 6 ------
stix/core-objects/sdo/opinion/opinion.owl | 6 ------
stix/core-objects/sdo/report/report.owl | 6 ------
stix/meta-objects/language-content/language-content.owl | 6 ------
7 files changed, 42 deletions(-)
diff --git a/stix/bundle-object/bundle.owl b/stix/bundle-object/bundle.owl
index 361212e..15fcc67 100644
--- a/stix/bundle-object/bundle.owl
+++ b/stix/bundle-object/bundle.owl
@@ -32,12 +32,6 @@
- - - - - -
diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl
index 366db06..4984037 100644
--- a/stix/core-objects/data-types.owl
+++ b/stix/core-objects/data-types.owl
@@ -27,12 +27,6 @@
- - - - - - Dictionary A dictionary captures an arbitrary set of key/value pairs. Dictionary keys MUST be unique in each dictionary, MUST be in ASCII, and are limited to the characters a-z (lowercase ASCII), A-Z (uppercase ASCII), numerals 0-9, hyphen (-), and underscore (_). Dictionary keys MUST be no longer than 250 ASCII characters in length and SHOULD be lowercase. \n\n Empty dictionaries are prohibited in STIX and MUST NOT be used as a substitute for omitting the property if it is optional. If the property is required, the dictionary MUST be present and MUST have at least one key-value pair. \n\n dictionary values MUST be valid property base types.
diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl
index d6d18c5..999aa0d 100644
--- a/stix/core-objects/sdo/grouping/grouping.owl
+++ b/stix/core-objects/sdo/grouping/grouping.owl
@@ -39,12 +39,6 @@
- - - - - -
diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl
index 5b3f73f..c38b28e 100644
--- a/stix/core-objects/sdo/note/note.owl
+++ b/stix/core-objects/sdo/note/note.owl
@@ -39,12 +39,6 @@
- - - - - -
diff --git a/stix/core-objects/sdo/opinion/opinion.owl b/stix/core-objects/sdo/opinion/opinion.owl
index 34f1a42..d2d0e75 100644
--- a/stix/core-objects/sdo/opinion/opinion.owl
+++ b/stix/core-objects/sdo/opinion/opinion.owl
@@ -34,12 +34,6 @@
- - - - - -
diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl
index 8c011b8..a757836 100644
--- a/stix/core-objects/sdo/report/report.owl
+++ b/stix/core-objects/sdo/report/report.owl
@@ -34,12 +34,6 @@
- - - - - -
diff --git a/stix/meta-objects/language-content/language-content.owl b/stix/meta-objects/language-content/language-content.owl
index aea40de..2c46572 100644
--- a/stix/meta-objects/language-content/language-content.owl
+++ b/stix/meta-objects/language-content/language-content.owl
@@ -33,12 +33,6 @@
- - - - - -
From 6ff8f699f34afc901e2e7673a0130c94a53c60f8 Mon Sep 17 00:00:00 2001
From: Ryan Hohimer
Date: Sat, 4 Feb 2023 16:05:56 -0800
Subject: [PATCH 47/70] forgot to save language-content.owl
From d85ba76a3744d1ad76676dc49e81583182866d13 Mon Sep 17 00:00:00 2001
From: Ryan Hohimer
Date: Sat, 11 Feb 2023 17:51:40 -0800
Subject: [PATCH 48/70] Open Vocabularies as Category instances
---
stix/core-objects/common-properties.owl | 6 +
.../sdo/threat-actor/threat-actor.owl | 53 +-
stix/stix.owl | 185 +-
stix/vocabularies/vocabularies.owl | 195 +
threat-agent-lib/catalog-v001.xml | 4 +-
threat-agent-lib/ta-library.owl | 39 -
threat-agent-lib/tal-kb-example.owl | 20596 +++++++++++++++-
7 files changed, 20851 insertions(+), 227 deletions(-)
diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl
index 67943ff..747d276 100644
--- a/stix/core-objects/common-properties.owl
+++ b/stix/core-objects/common-properties.owl
@@ -164,6 +164,12 @@ Objects that connect STIX Domain Objects together, STIX Cyber-observable Objects together, and connect STIX Domain Objects and STIX Cyber-observable Objects together to form a more complete understanding of the threat landscape. + + categorizedBy + the categorized by property specifies the instance of a category + + + confidence The confidence property identifies the confidence that the creator has in the correctness of their data. The confidence value MUST be a number in the range of 0-100. \n\n Appendix A contains a table of normative mappings to other confidence scales that MUST be used when presenting the confidence value in one of those scales. \n\n If the confidence property is not present, then the confidence of the content is unspecified. diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index bb756e0..207bda6 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl @@ -4,6 +4,9 @@ + + + ]> @@ -170,5 +176,50 @@ threat_actor_types The type(s) of this threat actor. The values for this property SHOULD come from the threat-actor-type-ov open vocabulary. - + + + + + + + + + competitor-tat-ov-rule + + true + + + + + + + + + + + + + + competitor + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/stix/stix.owl b/stix/stix.owl index cd2dad2..8c33fd4 100644 --- a/stix/stix.owl +++ b/stix/stix.owl @@ -58,194 +58,11 @@ + 2.1.0 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file 
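Review bot: The rdfs:comment added for the new property in the common-properties.owl hunk, `the categorized by property specifies the instance of a category`, says neither what the subject of the property is nor which Category instances are meant, and it does not match the register of the neighbouring `confidence` comment; something like `The categorizedBy property links a STIX object to the Category instance (an open-vocabulary value) that classifies it.` would. The name `categorizedBy` is also the only camelCase property name in this series, next to `first_seen`, `where_sighted_refs` and `threat_actor_types`, so `categorized_by` would follow the existing convention. Whether the property's range is restricted to the Category class cannot be read here, since only text nodes survive in this rendering; if it is not, that restriction is worth adding so that arbitrary individuals cannot be attached as vocabulary values. The ontology element that contains this declaration starts before and ends after the hunk.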
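Review bot: The `competitor-tat-ov-rule` added at the end of threat-actor.owl carries an enabled flag (`true`, presumably an swrla:isRuleEnabled value — the three declaration lines added in the -4,6 hunk are not readable here, so confirm the swrla namespace declared for tal-kb-example.owl later in this series is declared in this file too) but no rdfs:comment saying what the rule infers; since its body is not visible in this rendering, a comment such as `Asserts categorizedBy competitor for a ThreatActor whose threat_actor_types contains "competitor".` should be added if that is its intent. Only the `competitor` value of threat-actor-type-ov appears here, while the commit subject moves open vocabularies into vocabularies.owl as Category instances; if the other values of that vocabulary (activist, crime-syndicate, criminal, hacker, insider-accidental, insider-disgruntled, nation-state, sensationalist, spy, terrorist, unknown) are meant to get the same rule-plus-individual treatment, keeping them next to the vocabulary rather than inside the SDO file leaves one place to maintain. The hunk also ends with `\ No newline at end of file`, which the earlier observed-data.owl hunk in this series shows is already a recurring nuisance for these files.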
diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index 7bb84eb..ef4517d 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -19,5 +19,200 @@ Some STIX properties are defined using open vocabularies or enumerations. Enumerations and open vocabularies are defined in STIX in order to enhance interoperability by increasing the likelihood that different entities use the same exact string to represent the same concept. If used consistently, open vocabularies make it less likely that one entity refers to the energy sector as "Energy" and another as "Energy Sector", thereby making comparison and correlation easier. \n\n While using predefined values from STIX vocabularies is strongly encouraged, in some cases this may not be feasible. To address this, producers are permitted to use values outside of the open vocabulary. In the case of enumerations, producers are required to use only the values defined within the STIX specification. \n\n STIX open vocabularies and enumerations are defined in section 10. Properties that are defined as open vocabularies identify a suggested vocabulary from that section. For example, the Threat Actor sophistication property, as defined in section 4.17, uses the Threat Actor Sophistication vocabulary as defined in section 10.25. 2.1.0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 5d00dd6..ce55177 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,7 +53,7 @@ - - + + 
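Review bot: None of the 195 lines added to vocabularies.owl carries rdfs:label or rdfs:comment text — only structural lines survive in this rendering and not a single text node does — whereas the vocabulary individuals deleted earlier in this series (malware-result-ov, malware-type-ov, threat-actor-type-ov, windows-pebinary-type-ov with its `Defines an open-vocabulary used to capture the types of Windows PE files` comment) were labelled. Each Category instance should carry an `rdfs:label` holding the exact STIX string (e.g. `competitor`) and an `rdfs:comment` naming its source vocabulary (`threat-actor-type-ov`), because the ontology comment at the top of this same hunk is explicit that interoperability depends on different entities using "the same exact string", and that string is only recoverable from the ontology if it is stored on the instance rather than implied by the IRI. Without a label, tools that display these individuals will fall back to the IRI, and a consumer mapping STIX JSON values onto the instances has nothing to match against. The ontology element that contains the new instances starts before this hunk.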
diff --git a/threat-agent-lib/ta-library.owl b/threat-agent-lib/ta-library.owl
index 52d1ca9..233b53c 100644
--- a/threat-agent-lib/ta-library.owl
+++ b/threat-agent-lib/ta-library.owl
@@ -24,9 +24,6 @@
- - -
@@ -456,22 +453,6 @@
- - - - - - - - nation-state - - - - spy - - - -
@@ -536,26 +517,6 @@
- - - - - - - - - - insider-disgruntled - - - - spy - - - - - -
diff --git a/threat-agent-lib/tal-kb-example.owl b/threat-agent-lib/tal-kb-example.owl
index 21711bf..429058e 100644
--- a/threat-agent-lib/tal-kb-example.owl
+++ b/threat-agent-lib/tal-kb-example.owl
@@ -4,6 +4,7 @@
+
@@ -14,6 +15,7 @@ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:stix="http://docs.oasis-open.org/cti/ns/stix#" + xmlns:swrla="http://swrl.stanford.edu/ontologies/3.3/swrla.owl#" xmlns:tac="http://docs.oasis-open.org/tac/ns/tac#" xmlns:tal="http://www.intel.com/ns/ta-library#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#">
@@ -23,8 +25,17164 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + competitor 
@@ -32,14 +17190,3450 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From e60d460f562539fac52b2bc408fc5bbd3c8b1d39 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Sun, 19 Feb 2023 17:19:02 -0800 Subject: [PATCH 49/70] Added the threat_actor_types open vocabulary terms --- .../sdo/threat-actor/threat-actor.owl | 678 +- stix/vocabularies/vocabularies.owl | 41 +- threat-agent-lib/catalog-v001.xml | 4 +- threat-agent-lib/tal-kb-example.owl | 20612 +--------------- 4 files changed, 720 insertions(+), 20615 deletions(-) diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index 207bda6..f37804d 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl @@ -180,11 +180,14 @@ + + + - competitor-tat-ov-rule + competitor-contains-tatov-rule true @@ -200,11 +203,31 @@ - competitor + - + + + + + + + + + + competitor + + + + + + + + + + + 
@@ -222,4 +245,653 @@ + + crime-syndicate-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + crime-syndicate + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + criminal-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + criminal + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + hacker-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + hacker + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + insider-accidental-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + insider-accidental + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + insider-disgruntled + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + insider-disgruntled + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + nation-state-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + nation-state + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + sensationalist-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + sensationalist + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + spy-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + spy + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + terrorist-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + competitor + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + unknown-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + unknown + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + activist-contains-tatov-rule + Rule to recognize the "activist" STIX open vocabulary term in the threat-actor-types ov + true + + + + + + + + + + + + + + + + + + + + + + + + + + + activist + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index ef4517d..aa45387 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -109,7 +109,6 @@ - @@ -171,6 +170,46 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index ce55177..4fce95c 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,7 +53,7 @@ - - + + diff --git a/threat-agent-lib/tal-kb-example.owl b/threat-agent-lib/tal-kb-example.owl index 429058e..bac9053 100644 --- a/threat-agent-lib/tal-kb-example.owl +++ b/threat-agent-lib/tal-kb-example.owl 
@@ -25,20615 +25,9 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - competitor - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + competitor, government-spy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + \ No newline at end of file From 1bf1d8862ac3db97e8addc935fa76f9e5b6bc9a6 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Sun, 19 Feb 2023 17:55:43 -0800 Subject: [PATCH 50/70] added threat_actor_types open vocabulary --- stix/core-objects/sdo/threat-actor/threat-actor.owl | 2 +- threat-agent-lib/catalog-v001.xml | 5 +++-- threat-agent-lib/ta-library.owl | 5 ++--- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index f37804d..c67f55d 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl 
@@ -747,7 +747,7 @@ - competitor + terrorist diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 4fce95c..4fd3e9e 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,7 +53,8 @@ - - + + + diff --git a/threat-agent-lib/ta-library.owl b/threat-agent-lib/ta-library.owl index 233b53c..07f47f2 100644 --- a/threat-agent-lib/ta-library.owl +++ b/threat-agent-lib/ta-library.owl @@ -3,6 +3,7 @@ + @@ -12,6 +13,7 @@ xmlns:owl="http://www.w3.org/2002/07/owl#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" + xmlns:swrla="http://swrl.stanford.edu/ontologies/3.3/swrla.owl#" xmlns:tac="http://docs.oasis-open.org/tac/ns/tac#" xmlns:tal="http://www.intel.com/ns/ta-library#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> @@ -743,9 +745,6 @@ - - - From f4cce4c0ab71b9506da1c84337702b0c23e580e1 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Mon, 20 Feb 2023 16:13:09 -0800 Subject: [PATCH 51/70] added the account_type open vocabulary --- .../sco/user-account/user-account.owl | 666 +++++++++++++++++- stix/vocabularies/vocabularies.owl | 52 +- threat-agent-lib/catalog-v001.xml | 5 +- threat-agent-lib/tal-kb-example.owl | 5 + 4 files changed, 698 insertions(+), 30 deletions(-) diff --git a/stix/core-objects/sco/user-account/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl index b52da62..ccf9ff4 100644 --- a/stix/core-objects/sco/user-account/user-account.owl +++ b/stix/core-objects/sco/user-account/user-account.owl @@ -4,6 +4,9 @@ + + + ]> 
@@ -241,5 +247,663 @@ Specifies the identifier of the account. The format of the identifier depends on the system the user account is maintained in, and may be a numeric ID, a GUID, an account name, an email address, etc. The user_id property should be populated with whatever field is the unique identifier for the system the account is a member of. For example, on UNIX systems it would be populated with the UID. - + + + + + + + + + + + + facebook-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + facebook + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ldap-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + ldap + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + nis-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + nis + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + openid-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + openid + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + radius-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + radius + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + skype-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + skype + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + tacacs-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + tacacs + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + twitter-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + twitter + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + unix-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + unix + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + windows-domain-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + windows-domain + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + windows-local-contains-uaov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + windows-local + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index aa45387..15d1ae2 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -178,6 +178,10 @@ + + + + @@ -190,67 +194,63 @@ - - - - - - + + - + - - + + - - + + - + - - + + - + - - + + - + - - + + - + - + - - + + - + - + diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 4fd3e9e..18f31b6 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,8 +53,7 @@ - - - + + diff --git a/threat-agent-lib/tal-kb-example.owl b/threat-agent-lib/tal-kb-example.owl index bac9053..d98e91b 100644 --- a/threat-agent-lib/tal-kb-example.owl +++ b/threat-agent-lib/tal-kb-example.owl @@ -29,5 +29,10 @@ competitor, government-spy + + + + twitter + \ No newline at end of file From d53e54f4fab35bac8acd1d42c02c87354d358c96 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Tue, 21 Feb 2023 17:34:14 -0800 Subject: [PATCH 52/70] adding the attack motivation open vocabulary --- .../sdo/intrusion-set/intrusion-set.owl | 1197 +++++++++++++++- .../sdo/threat-actor/threat-actor.owl | 1234 ++++++++++++++++- stix/vocabularies/vocabularies.owl | 40 + threat-agent-lib/catalog-v001.xml | 5 +- threat-agent-lib/tal-kb-example.owl | 2 + 5 files changed, 2447 insertions(+), 31 deletions(-) diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index 4e69125..a73fcdf 100644 --- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl @@ -4,6 +4,9 @@ + + + ]> 
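Review bot: The new account-type rule individuals in this hunk (`facebook-contains-uaov-rule` through `windows-local-contains-uaov-rule`) show only a name and a `true` literal, while `activist-contains-tatov-rule` in threat-actor.owl carries a readable description ("Rule to recognize the "activist" STIX open vocabulary term in the threat-actor-types ov"). Element markup does not survive extraction in this view, so this is inferred from the surviving text nodes, but if the annotation is really absent each rule should get one in the same form, e.g. `Rule to recognize the "facebook" STIX open vocabulary term in the account-type-ov`. The attack-motivation rules added to intrusion-set.owl and threat-actor.owl in [PATCH 52/70] show the same gap. This hunk also leaves user-account.owl without a trailing newline (`\ No newline at end of file`).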
@@ -126,5 +132,1194 @@ secondary_motivations The time that this Intrusion Set was first seen. A summary property of data from sightings and other data that may or may not be available in STIX. If new sightings are received that are earlier than the first seen timestamp, the object may be updated to account for the new data. - + + + + + + + + + + + + accidental-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + accidental + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + accidental-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + accidental + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + coercion-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + coercion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + coercion-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + coercion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + dominance-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + dominance + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + dominance-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + dominance + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ideology-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + ideology + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ideology-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + ideology + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + notoriety-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + notoriety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + notoriety-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + notoriety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organizational-gain-amov-rule + + true + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + organizational-gain + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organizational-gain-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + organizational-gain + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + personal-gain-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + personal-gain + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + personal-gain-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + personal-gain + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + personal-satisfaction-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + personal-satisfaction + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + personal-satisfaction-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + personal-satisfaction + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + revenge-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + revenge + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + revenge-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + revenge + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + unpredictable-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + unpredictable + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + unpredictable-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + unpredictable + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index c67f55d..55e063a 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl 
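Review bot: The attack-motivation rule individuals added here (`accidental-amov-rule` through `unpredictable-secondary-amov-rule`) reuse exactly the names that the threat-actor.owl hunks of this same commit introduce; the base IRIs are not visible in this view, so if the two ontologies share a base, each name pair resolves to one individual and the two rule definitions merge when both files are imported. Confirm that intrusion-set.owl and threat-actor.owl declare distinct bases, or qualify the names per subject class (e.g. `intrusion-set-accidental-amov-rule` and `threat-actor-accidental-amov-rule`) so a rule written for one object type cannot silently overwrite the other. The hunk also ends the file without a trailing newline.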
@@ -186,6 +186,242 @@ + + accidental-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + accidental + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + accidental-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + accidental + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + coercion-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + coercion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + coercion-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + coercion + + + + + + + + + + + + + + + + + + + + + + + + + + + + competitor-contains-tatov-rule 
@@ -204,7 +440,715 @@ - + + + + + + + + + + + + + competitor + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + crime-syndicate-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + crime-syndicate + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + criminal-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + criminal + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + dominance-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + dominance + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + dominance-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + dominance + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + hacker-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + hacker + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ideology-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + ideology + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ideology-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + ideology + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + insider-accidental-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + insider-accidental + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + insider-disgruntled-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + insider-disgruntled + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + nation-state-contains-tatov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + nation-state + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + notoriety-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + notoriety + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + notoriety-secondary-amov-rule + + true + + + + + + + + + + + + + + + 
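Review bot: `insider-disgruntled-rule` does not follow the `<term>-contains-tatov-rule` naming used by every sibling in this hunk (`insider-accidental-contains-tatov-rule`, `nation-state-contains-tatov-rule`, `hacker-contains-tatov-rule`); rename it to `insider-disgruntled-contains-tatov-rule`. The `- insider-disgruntled` line in the hunk at old line 482 shows the rule was previously named without any suffix, so this commit already touches the name and is the natural place to make it consistent. Any catalog or vocabulary entry that references the rule by IRI needs the same update.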
@@ -216,7 +1160,7 @@ - competitor + notoriety @@ -237,7 +1181,7 @@ - + @@ -246,7 +1190,7 @@ - crime-syndicate-contains-tatov-rule + organizational-gain-amov-rule true @@ -263,7 +1207,7 @@ - + @@ -275,7 +1219,7 @@ - crime-syndicate + organizational-gain @@ -296,7 +1240,7 @@ - + @@ -305,7 +1249,7 @@ - criminal-contains-tatov-rule + organizational-gain-secondary-amov-rule true @@ -322,7 +1266,7 @@ - + @@ -334,7 +1278,7 @@ - criminal + organizational-gain @@ -355,7 +1299,7 @@ - + @@ -364,7 +1308,7 @@ - hacker-contains-tatov-rule + personal-gain-amov-rule true @@ -381,7 +1325,7 @@ - + @@ -393,7 +1337,7 @@ - hacker + personal-gain @@ -414,7 +1358,7 @@ - + @@ -423,7 +1367,7 @@ - insider-accidental-contains-tatov-rule + personal-gain-secondary-amov-rule true @@ -440,7 +1384,7 @@ - + @@ -452,7 +1396,7 @@ - insider-accidental + personal-gain @@ -473,7 +1417,7 @@ - + @@ -482,7 +1426,7 @@ - insider-disgruntled + personal-satisfaction-amov-rule true @@ -499,7 +1443,7 @@ - + @@ -511,7 +1455,7 @@ - insider-disgruntled + personal-satisfaction @@ -532,7 +1476,7 @@ - + @@ -541,7 +1485,7 @@ - nation-state-contains-tatov-rule + personal-satisfaction-secondary-amov-rule true @@ -558,7 +1502,7 @@ - + @@ -570,7 +1514,7 @@ - nation-state + personal-satisfaction @@ -591,7 +1535,125 @@ - + + + + + + + + + + revenge-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + revenge + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + revenge-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + revenge + + + + + + + + + + + + + + + + + + + + + 
@@ -835,6 +1897,124 @@ + + unpredicatable-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + unpredicatable + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + unpredicatable-secondary-amov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + unpredicatable + + + + + + + + + + + + + + + + + + + + + + + + + + + + activist-contains-tatov-rule Rule to recognize the "activist" STIX open vocabulary term in the threat-actor-types ov diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index aa45387..3e98046 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -162,10 +162,18 @@ + + + + + + + + @@ -178,10 +186,18 @@ + + + + + + + + @@ -194,6 +210,26 @@ + + + + + + + + + + + + + + + + + + + + @@ -210,6 +246,10 @@ + + + + diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 4fd3e9e..72b4a9e 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,8 +53,7 @@ - - - + + diff --git a/threat-agent-lib/tal-kb-example.owl b/threat-agent-lib/tal-kb-example.owl index bac9053..499badb 100644 --- a/threat-agent-lib/tal-kb-example.owl +++ b/threat-agent-lib/tal-kb-example.owl @@ -27,6 +27,8 @@ + revenge + personal-gain competitor, government-spy From a4613685677f259313087e4994d6d389950d2080 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Sun, 5 Mar 2023 09:12:44 -0800 Subject: [PATCH 53/70] changing open vocabulary instance IRIs to have *-aov instead of *-uaov --- .../sco/user-account/user-account.owl | 382 +++++++++--------- stix/vocabularies/vocabularies.owl | 22 +- threat-agent-lib/catalog-v001.xml | 6 +- 3 files changed, 206 insertions(+), 204 deletions(-) diff --git a/stix/core-objects/sco/user-account/user-account.owl b/stix/core-objects/sco/user-account/user-account.owl index ccf9ff4..b3a1635 100644 --- a/stix/core-objects/sco/user-account/user-account.owl 
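Review bot: The two rules added at the top of this hunk are built around a misspelled vocabulary term: the labels `unpredicatable-amov-rule` and `unpredicatable-secondary-amov-rule` and, more importantly, the literal `unpredicatable` they match, whereas the STIX 2.1 attack-motivation-ov term is `unpredictable`. As written the rules can only fire on data that repeats the typo, so any correctly-formed `primary_motivation` or `secondary_motivations` value of `unpredictable` will be silently left unclassified. Rename all three occurrences to `unpredictable` (rule names and the matched string), and if the rule IRI is already referenced elsewhere, rename it there too. Which of the stripped elements holds the matched string cannot be confirmed from this extraction, since the SWRL atom tags are gone.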
+++ b/stix/core-objects/sco/user-account/user-account.owl @@ -264,10 +264,20 @@ - - - - + + + + + + + facebook + + + + + + + @@ -281,20 +291,10 @@ - - - - - - - facebook - - - - - - - + + + + @@ -308,7 +308,7 @@ - + @@ -323,10 +323,20 @@ - - - - + + + + + + + ldap + + + + + + + @@ -340,20 +350,10 @@ - - - - - - - ldap - - - - - - - + + + + @@ -367,7 +367,7 @@ - + @@ -382,19 +382,19 @@ - + - - + + + - + - - - + + @@ -426,7 +426,7 @@ - + @@ -441,10 +441,20 @@ - - - - + + + + + + + openid + + + + + + + @@ -458,20 +468,10 @@ - - - - - - - openid - - - - - - - + + + + @@ -485,7 +485,7 @@ - + @@ -500,10 +500,20 @@ - - - - + + + + + + + radius + + + + + + + @@ -517,20 +527,10 @@ - - - - - - - radius - - - - - - - + + + + @@ -544,7 +544,7 @@ - + @@ -559,10 +559,20 @@ - - - - + + + + + + + skype + + + + + + + @@ -576,20 +586,10 @@ - - - - - - - skype - - - - - - - + + + + @@ -603,7 +603,7 @@ - + @@ -618,37 +618,37 @@ - + - - + + + - - - - - + + + + + + + tacacs + + + + + + + - - - - - - - tacacs - - - - - - - + + + + @@ -662,7 +662,7 @@ - + @@ -677,10 +677,20 @@ - - - - + + + + + + + twitter + + + + + + + @@ -694,20 +704,10 @@ - - - - - - - twitter - - - - - - - + + + + @@ -721,7 +721,7 @@ - + @@ -736,19 +736,19 @@ - + - - + + + - + - - - + + @@ -780,7 +780,7 @@ - + @@ -795,10 +795,20 @@ - - - - + + + + + + + windows-domain + + + + + + + @@ -812,20 +822,10 @@ - - - - - - - windows-domain - - - - - - - + + + + @@ -839,7 +839,7 @@ - + @@ -854,10 +854,20 @@ - - - - + + + + + + + windows-local + + + + + + + @@ -871,20 +881,10 @@ - - - - - - - windows-local - - - - - - - + + + + @@ -898,7 +898,7 @@ - + diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index 15d1ae2..a70d1ed 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -178,7 +178,7 @@ - + @@ -194,7 +194,7 @@ - + @@ -202,15 +202,15 @@ - + - + - + @@ -218,7 +218,7 @@ - + @@ -226,7 +226,7 @@ - + @@ -234,11 +234,11 @@ - + - + 
@@ -246,11 +246,11 @@ - + - + diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 18f31b6..bcc9cb0 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,7 +53,9 @@ - - + + + + From 8f3aa9f78d31f5c7644ccec85a8ee6c593203703 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Sun, 5 Mar 2023 10:01:35 -0800 Subject: [PATCH 54/70] fixes #39 --- stix/vocabularies/vocabularies.owl | 45 +++++++++++++----------------- 1 file changed, 20 insertions(+), 25 deletions(-) diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index 385ee25..59f44d2 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -185,7 +185,7 @@ - + @@ -193,8 +193,8 @@ - - + + @@ -210,19 +210,26 @@ - - - + + + + + + + + + + @@ -235,30 +242,14 @@ - - - - - - - - - - - - - - - - - - + + - + @@ -291,6 +282,10 @@ + + + + From e44fadb77d1c66eeae3fbb8b18b36723427b8d6c Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Mon, 27 Mar 2023 18:40:45 -0700 Subject: [PATCH 55/70] working issue-47 --- .../sdo/threat-actor/threat-actor.owl | 74 +++++++++++++++++++ stix/vocabularies/vocabularies.owl | 24 ++++++ threat-agent-lib/tal-kb-example.owl | 2 +- 3 files changed, 99 insertions(+), 1 deletion(-) diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index 55e063a..ec4e2cd 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl 
@@ -108,6 +108,18 @@ Threat Actor Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time. \n\nThreat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets. \n\nThreat Actors can be characterized by their motives, capabilities, goals, sophistication level, past activities, resources they have access to, and their role in the organization. + + + + + + + + threat-actor + + + + @@ -177,6 +189,9 @@ The type(s) of this threat actor. The values for this property SHOULD come from the threat-actor-type-ov open vocabulary. + + + @@ -894,6 +909,65 @@ + + individual-arlov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + individual + + + + + + + + + + + + + + + + + + + + + + + + + + + + insider-accidental-contains-tatov-rule diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index 59f44d2..61f4668 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -170,6 +170,10 @@ + + + + @@ -178,6 +182,10 @@ + + + + @@ -194,6 +202,10 @@ + + + + @@ -202,6 +214,10 @@ + + + + @@ -230,6 +246,10 @@ + + + + @@ -266,6 +286,10 @@ + + + + diff --git a/threat-agent-lib/tal-kb-example.owl b/threat-agent-lib/tal-kb-example.owl index 3c34126..a43ca13 100644 --- a/threat-agent-lib/tal-kb-example.owl +++ b/threat-agent-lib/tal-kb-example.owl @@ -27,7 +27,7 @@ - revenge + rebenge personal-gain competitor, government-spy From a79cf7658e214e92a33cf5ca1d7945a579aa9b29 Mon Sep 17 00:00:00 2001 
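Review bot: The tal-kb-example.owl hunk on this line turns the example threat actor's motivation from `revenge` into `rebenge`, which no longer matches the `revenge-amov-rule` added earlier in this series, so the example knowledge base stops exercising that rule. If the misspelling is a deliberate negative test for the classifier, say so next to the value (an rdfs:comment such as `intentionally misspelled: must NOT be classified as revenge`) so the next editor does not "fix" it; otherwise restore `revenge`. The `individual-arlov-rule` added in the threat-actor.owl hunk on this line also appears to have no rdfs:comment, unlike the neighbouring `*-contains-tatov-rule` rules; this is read from the stripped XML, so confirm in the file.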
From: Ryan Hohimer Date: Mon, 24 Apr 2023 16:33:20 -0700 Subject: [PATCH 56/70] adding the attack-resource-level open vocabulary --- .../sdo/intrusion-set/intrusion-set.owl | 357 +++++++++++++++ .../sdo/threat-actor/threat-actor.owl | 413 +++++++++++++++--- threat-agent-lib/catalog-v001.xml | 7 +- threat-agent-lib/tal-kb-example.owl | 6 + 4 files changed, 722 insertions(+), 61 deletions(-) diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index a73fcdf..bb534fd 100644 --- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl @@ -139,6 +139,9 @@ + + + 
@@ -1322,4 +1325,358 @@ + + club-arlov-intrusion-set-rule + Rule to recognize "club" term asserted on an IntrusionSet + true + + + + + + + + + + + + + + + + + + + + + + + + + + + club + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + contest-arlov-intrusion-set-rule + Rule to recognize "contest" term asserted on an IntrusionSet + true + + + + + + + + + + + + + + + + + + + + + + + + + + + contest + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + government-arlov-intrusion-set-rule + Rule to recognize "government" term asserted on an IntrusionSet + true + + + + + + + + + + + + + + + + + + + + + + + + + + + government + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + individual-arlov-intrustion-set-rule + Rule to recognize "individual" term asserted on an IntrusionSet + true + + + + + + + + + + + + + + + + + + + + + + + + + + + individual + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-arlov-intrusion-set-rule + Rule to recognize "organization" term asserted on an IntrusionSet + true + + + + + + + + + + + + + + + + + + + + + + + + + + + organization + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + team-arlov-intrusion-set-rule + Rule to recognize "team" term asserted on an IntrusionSet + true + + + + + + + + + + + + + + + + + + + + + + + + + + + team + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/threat-actor/threat-actor.owl b/stix/core-objects/sdo/threat-actor/threat-actor.owl index ec4e2cd..2795986 100644 --- a/stix/core-objects/sdo/threat-actor/threat-actor.owl +++ b/stix/core-objects/sdo/threat-actor/threat-actor.owl @@ -909,65 +909,6 @@ - - individual-arlov-rule - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - individual - - - - - - - - - - - - - - - - - - - - - - - - - - - - insider-accidental-contains-tatov-rule 
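Review bot: The rule label `individual-arlov-intrustion-set-rule` in the intrusion-set.owl hunk is misspelled (`intrustion`) and breaks the `<term>-arlov-intrusion-set-rule` pattern the other five rules in the same hunk follow, so anyone filtering or looking rules up by name will miss it; rename it to `individual-arlov-intrusion-set-rule`. If the same string is also used as the rule's IRI (the extraction strips the tags, so this cannot be confirmed here), rename that as well before anything references it. The hunk also ends with `\ No newline at end of file`; adding the trailing newline keeps future diffs of this file clean.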
@@ -2148,4 +2089,358 @@ + + club-arlov-rule + Rule to recognize the term "club" asserted as a value to resource_level. + true + + + + + + + + + + + + + + + + + + + + + + + + + + + club + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + contest-arlov-rule + Rule to recognize the term "contest" asserted as a value to resource_level. + true + + + + + + + + + + + + + + + + + + + + + + + + + + + contest + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + government-arlov-rule + Rule to recognize the term "government" asserted as a value to resource_level. + true + + + + + + + + + + + + + + + + + + + + + + + + + + + government + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + individual-arlov-rule + Rule to recognize the term "individual" asserted as a value to resource_level. + true + + + + + + + + + + + + + + + + + + + + + + + + + + + individual + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + organization-arlov-rule + Rule to recognize the term "organization" asserted as a value to resource_level. + true + + + + + + + + + + + + + + + + + + + + + + + + + + + organization + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + team-arlov-rule + Rule to recognize the term "team" asserted as a value to resource_level. + true + + + + + + + + + + + + + + + + + + + + + + + + + + + team + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 72b4a9e..3a5c730 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,7 +53,10 @@ - - + + + + + diff --git a/threat-agent-lib/tal-kb-example.owl b/threat-agent-lib/tal-kb-example.owl index a43ca13..109f484 100644 --- a/threat-agent-lib/tal-kb-example.owl +++ b/threat-agent-lib/tal-kb-example.owl @@ -25,9 +25,15 @@ + + + team + + rebenge + individual personal-gain competitor, government-spy 
From 15d42001cb7d2e811801fad5552a16b8301aab60 Mon Sep 17 00:00:00 2001 From: TCReg <54412483+TCReg@users.noreply.github.com> Date: Wed, 3 May 2023 16:53:21 -0700 Subject: [PATCH 57/70] Update vocabularies.owl Completed entry of OV terms for Grouping Context --- stix/vocabularies/vocabularies.owl | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index 59f44d2..df8e391 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -214,6 +214,10 @@ + + + + @@ -262,6 +266,10 @@ + + + + @@ -286,6 +294,10 @@ + + + + From c58d872e54df2e9f51969fd6749b03cc520ffe68 Mon Sep 17 00:00:00 2001 From: TCReg <54412483+TCReg@users.noreply.github.com> Date: Fri, 9 Jun 2023 15:12:04 -0700 Subject: [PATCH 58/70] Trivial change testing file management --- stix/vocabularies/vocabularies.owl | 3 +++ threat-agent-lib/catalog-v001.xml | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/stix/vocabularies/vocabularies.owl b/stix/vocabularies/vocabularies.owl index df8e391..26c9cad 100644 --- a/stix/vocabularies/vocabularies.owl +++ b/stix/vocabularies/vocabularies.owl @@ -250,6 +250,9 @@ + + + diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 72b4a9e..592bcea 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,7 +53,7 @@ - - + + From 3956e50af25724fde18b24597cdecbbbe83dd6eb Mon Sep 17 00:00:00 2001 From: TCReg <54412483+TCReg@users.noreply.github.com> Date: Fri, 9 Jun 2023 16:16:43 -0700 Subject: [PATCH 59/70] Added SWRL rules for Grouping context OV --- .../sdo/grouping/catalog-v001.xml | 7 + stix/core-objects/sdo/grouping/grouping.owl | 195 +++++++++++++++++- 2 files changed, 201 insertions(+), 1 deletion(-) create mode 100644 stix/core-objects/sdo/grouping/catalog-v001.xml 
diff --git a/stix/core-objects/sdo/grouping/catalog-v001.xml b/stix/core-objects/sdo/grouping/catalog-v001.xml new file mode 100644 index 0000000..f145293 --- /dev/null +++ b/stix/core-objects/sdo/grouping/catalog-v001.xml @@ -0,0 +1,7 @@ + + + + + + + diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl index 999aa0d..8bbc213 100644 --- a/stix/core-objects/sdo/grouping/grouping.owl +++ b/stix/core-objects/sdo/grouping/grouping.owl @@ -4,6 +4,9 @@ + + + ]> + 2.1.0 @@ -77,5 +84,191 @@ Specifies the STIX Objects that are referred to by this Grouping. - + + + + + + + + + + + + malware-analayis-gcov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + malware-analysis + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + suspicious-activity-gcov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + suspicious-activity + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + unspecified-gcov-rule + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + unspecified + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 9e3846a696561f073a2d2edb9dda3d4c15f41315 Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Tue, 13 Jun 2023 08:45:38 -0700 Subject: [PATCH 60/70] adding utilities for convertion STIX JSON to a Knowledge Graph --- .../stix-2.1/stix2-1_context.json | 270 ++++++++++++++++++ utilities/json-dl-contexts/tac-kb-example.owl | 23 ++ utilities/sparql-anything/apt1.sparql | 173 +++++++++++ 3 files changed, 466 insertions(+) create mode 100644 utilities/json-dl-contexts/stix-2.1/stix2-1_context.json create mode 100644 utilities/json-dl-contexts/tac-kb-example.owl create mode 100644 utilities/sparql-anything/apt1.sparql diff --git a/utilities/json-dl-contexts/stix-2.1/stix2-1_context.json b/utilities/json-dl-contexts/stix-2.1/stix2-1_context.json new file mode 100644 index 0000000..fc11ebe --- /dev/null 
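Review bot: The first grouping-context rule in the grouping.owl hunk is labelled `malware-analayis-gcov-rule` although the term it matches is spelled correctly as `malware-analysis`; the sibling rules (`suspicious-activity-gcov-rule`, `unspecified-gcov-rule`) follow the `<term>-gcov-rule` pattern, so rename the label (and the rule IRI, if it shares the string) to `malware-analysis-gcov-rule`. None of the three rules carries an rdfs:comment as far as this extraction shows; a one-liner such as `Rule to recognize the "malware-analysis" STIX open vocabulary term in the grouping-context ov` on each would match the convention used by the threat-actor rules. The hunk ends with `\ No newline at end of file`; adding the newline avoids noise in later diffs.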
+++ b/utilities/json-dl-contexts/stix-2.1/stix2-1_context.json 
@@ -0,0 +1,270 @@
+ "@context": {
+
+ "xsd": "http://www.w3.org/2001/XMLSchema#",
+ "stix-ns": "http://docs.oasis-open.org/cti/ns/stix#",
+ "adversary-ns": "http://docs.oasis-open.org/cti/ns/stix/adversary#",
+ "attack-ns": "http://attack.mitre.org/ns/attack#",
+ "identity-ns": "http://docs.oasis-open.org/cti/ns/stix/identity#",
+ "indicator-ns": "http://docs.oasis-open.org/cti/ns/stix/indicator#",
+ "malware-ns": "http://docs.oasis-open.org/cti/ns/stix/malware#",
+ "marking-ns": "http://docs.oasis-open.org/cti/ns/data-marking#",
+ "tool-ns": "http://docs.oasis-open.org/cti/ns/stix/tool#",
+ "relationship-ns": "http://docs.oasis-open.org/cti/ns/stix/relationship#",
+ "kb": "http://myKnowledgeGraph.com/kb#",
+ "@base": "http://myKnowledgeGraph.com/kb",
+
+ "objects": "@graph",
+ "id": "@id",
+ "type": "@type",
+
+ "threat-actor": "stix-ns:ThreatActor",
+ "intrusion-set": "stix-ns:IntrusionSet",
+ "indicator": "stix-ns:Indicator",
+ "identity": "stix-ns:Identity",
+ "malware": "stix-ns:Malware",
+ "report": "stix-ns:Report",
+ "tool": "stix-ns:Tool",
+ "relationship": "stix-ns:Relationship",
+ "attack-pattern": "stix-ns:AttackPattern",
+ "marking-definition": "marking-ns:MarkingDefinition",
+ "course-of-action": "stix-ns:CourseOfAction",
+
+ "aliases":{
+ "@id": "stix-ns:aliases",
+ "@type": "xsd:string"
+ },
+ "contact_information": {
+ "@id": "identity-ns:contact_information",
+ "@type": "xsd:string"
+ },
+ "created": {
+ "@id": "stix-ns:created",
+ "@type": "xsd:dateTime"
+ },
+ "description": {
+ "@id": "stix-ns:description",
+ "@type": "xsd:string"
+ },
+ "first_seen": {
+ "@id": "stix-ns:first_seen",
+ "@type": "xsd:dateTime"
+ },
+ "identity_class": {
+ "@id": "identity-ns:identity_class",
+ "@type": "xsd:string"
+ },
+ "is_family": {
+ "@id": "malware-ns:is_family",
+ "@type": "xsd:boolean"
+ },
+ "labels": {
+ "@id": "stix-ns:labels",
+ "@type": "xsd:string"
+ },
+ "last_seen": {
+ "@id": "stix-ns:last_seen",
+ "@type": "xsd:dateTime"
+ },
+ "malware_types": {
+ "@id": "malware-ns:malware_types",
+ "@type": "xsd:string"
+ },
+ "modified": {
+ "@id": "stix-ns:modified",
+ "@type": "xsd:dateTime"
+ },
+ "name": {
+ "@id": "stix-ns:name",
+ "@type": "xsd:string"
+ },
+ "pattern": {
+ "@id": "indicator-ns:pattern",
+ "@type": "xsd:string"
+ },
+ "pattern_type": {
+ "@id": "indicator-ns:pattern_type",
+ "@type": "xsd:string"
+ },
+ "primary_motivation":{
+ "@id": "adversary-ns:primary_motivation",
+ "@type": "xsd:string"
+ },
+ "relationship_type": {
+ "@id": "relationship-ns:relationship_type",
+ "@type": "xsd:string"
+ },
+ "resource_level": {
+ "@id": "adversary-ns:resource_level",
+ "@type": "xsd:string"
+ },
+ "roles": {
+ "@id": "adversary-ns:roles",
+ "@type": "xsd:string"
+ },
+ "sectors": {
+ "@id": "identity-ns:sectors",
+ "@type": "xsd:string"
+ },
+ "spec_version": {
+ "@id": "stix-ns:spec_version",
+ "@type": "xsd:string"
+ },
+ "threat_actor_types": {
+ "@id": "adversary-ns:threat_actor_types",
+ "@type": "xsd:string"
+ },
+ "tool_types": {
+ "@id": "tool-ns:tool_types",
+ "@type": "xsd:string"
+ },
+ "valid_from": {
+ "@id": "stix-ns:valid_from",
+ "@type": "xsd:dateTime"
+ },
+
+ "source_name": {
+ "@id": "stix-ns:source-name",
+ "@type": "xsd:string"
+ },
+ "url": {
+ "@id": "stix-ns:url",
+ "@type": "xsd:anyURI"
+ },
+ "external_id": {
+ "@id": "stix-ns:external_id",
+ "@type": "xsd:string"
+ },
+
+
+ "hashes": {
+ "@id": "stix-ns:hashes",
+ "@type": "@id"
+ },
+
+
+
+ "external_references": {
+ "@id": "stix-ns:external_references",
+ "@type": "@id"
+ },
+
+
+ "object_marking_refs": {
+ "@id": "marking-ns:object_marking_refs",
+ "@type": "@id"
+ },
+ "source_ref": {
+ "@id": "relationship-ns:source_ref",
+ "@type": "@id"
+ },
+ "target_ref": {
+ "@id": "relationship-ns:target_ref",
+ "@type": "@id"
+ },
+ "object_ref": {
+ "@id": "stix-ns:object_ref",
+ "@type": "@id"
+ },
+ "object_modified": {
+ "@id": "stix-ns:object_modified",
+ "@type": "xsd:dateTime"
+ },
+
+
+ "x_mitre_contents": {
+ "@id": "attack-ns:x_mitre_contents",
+ "@type": "stix-ns:StixObject"
+ },
+ "x_mitre_contributors": {
+ "@id": "attack-ns:x_mitre_contributors",
+ "@type": "xsd:string"
+ },
+ "x_mitre_modified_by_ref": {
+ "@id": "relationship-ns:x_mitre_modified_by_ref",
+ "@type": "@id"
+ },
+ "x_mitre_domains": {
+ "@id": "attack-ns:x_mitre_domains",
+ "@type": "xsd:string"
+ },
+ "x_mitre_detection": {
+ "@id": "attack-ns:x_mitre_detection",
+ "@type": "xsd:string"
+ },
+ "x_mitre_is_subtechnique": {
+ "@id": "attack-ns:x_mitre_is_subtechnique",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_platforms": {
+ "@id": "attack-ns:x_mitre_platforms",
+ "@type": "xsd:string"
+ },
+ "x_mitre_permissions_required": {
+ "@id": "attack-ns:x_mitre_permissions_required",
+ "@type": "xsd:string"
+ },
+ "x_mitre_data_sources": {
+ "@id": "attack-ns:x_mitre_data_sources",
+ "@type": "xsd:string"
+ },
+ "x_mitre_version": {
+ "@id": "attack-ns:x_mitre_version",
+ "@type": "xsd:string"
+ },
+ "x_mitre_attack_spec_version": {
+ "@id": "attack-ns:x_mitre_attack_spec_version",
+ "@type": "xsd:string"
+ },
+
+ "x-mitre-matrix": "attack-ns:Matrix",
+ "x-mitre-tactic": "attack-ns:Tactic",
+ "x-mitre-data-component": "attack-ns:DataComponent",
+ "x-mitre-data-source": "attack-ns:DataSource",
+
+ "x_mitre_data_source_ref": {
+ "@id": "attack-ns:x_mitre_data_source_ref",
+ "@type": "@id"
+ },
+ "tactic_refs": {
+ "@id": "attack-ns:tactic_refs",
+ "@type": "@id"
+ },
+ "x_mitre_collection_layers": {
+ "@id": "attack-ns:x_mitre_collection_layers",
+ "@type": "xsd:string"
+ },
+ "x_mitre_shortname": {
+ "@id": "attack-ns:x_mitre_shortname",
+ "@type": "xsd:string"
+ },
+ "x_mitre_deprecated": {
+ "@id": "attack-ns:x_mitre_deprecated",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_defense_bypassed": {
+ "@id": "attack-ns:x_mitre_defense_bypassed",
+ "@type": "xsd:string"
+ },
+ "x_mitre_effective_permissions": {
+ "@id": "attack-ns:x_mitre_effective_permissions",
+ "@type": "xsd:string"
+ },
+ "x_mitre_impact_type": {
+ "@id": "attack-ns:x_mitre_impact_type",
+ "@type": "xsd:string"
+ },
+ "x_mitre_network_requirements": {
+ "@id": "attack-ns:x_mitre_network_requirements",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_remote_support": {
+ "@id": "attack-ns:x_mitre_remote_support",
+ "@type": "xsd:boolean"
+ },
+ "x_mitre_system_requirements": {
+ "@id": "attack-ns:x_mitre_system_requirements",
+ "@type": "xsd:string"
+ }
+
+
+ }, \ No newline at end of file
diff --git a/utilities/json-dl-contexts/tac-kb-example.owl b/utilities/json-dl-contexts/tac-kb-example.owl new file mode 100644
index 0000000..74d7e47
--- /dev/null
+++ b/utilities/json-dl-contexts/tac-kb-example.owl
@@ -0,0 +1,23 @@ + + + + + + +]> + + + + The TAC ontology is a knowledge representation framework focused on comprehensively representing the context around adversaries. The project comprises a set of concept definitions and their relationships encoded in Web Ontology Language (OWL) that altogether harmonise into what we call the Threat Actor Context ontology. + + + + + \ No newline at end of file
diff --git a/utilities/sparql-anything/apt1.sparql b/utilities/sparql-anything/apt1.sparql new file mode 100644
index 0000000..d7251ba
--- /dev/null
+++ b/utilities/sparql-anything/apt1.sparql
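Review bot: As added, stix2-1_context.json is not a parseable JSON document: its first line is `"@context": {` with no enclosing object, and its last line `},` leaves a trailing comma and an unclosed value, so a JSON-LD processor handed this file (or a URL to it) will reject it before any term mapping happens. Wrap the content as `{ "@context": { … } }` and drop the comma after the closing `}`. Two predicate IRIs are also out of step with the rest of the context: `source_name` maps to `stix-ns:source-name` (hyphen) while every other property uses underscores, and the `apt1.sparql` added in the same commit emits `stix:source_name` and `stix:external-id`, so the two ingestion paths will produce different predicates for the same STIX fields; settle on one spelling (`stix-ns:source_name`, `stix-ns:external_id`) in both. `"hashes"` is declared with `"@type": "@id"`, but STIX `hashes` is an object keyed by algorithm name (`SHA-256`, `MD5`, …); those keys have no term here and there is no `@vocab`, so JSON-LD expansion will most likely drop them silently — presumably unintended, worth checking with a sample bundle.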
@@ -0,0 +1,173 @@
+PREFIX xyz:
+PREFIX rdf:
+PREFIX fx:
+PREFIX hohimer:
+PREFIX stix:
+PREFIX xsd:
+
+CONSTRUCT {
+
+
+ ?object_iri a ?stixType ;
+ stix:alias ?alias;
+ stix:id ?id;
+ stix:type ?type;
+ stix:spec_version ?spec_version;
+ stix:created ?dt_created;
+ stix:modified ?dt_modified;
+ stix:name ?name;
+ stix:description ?description;
+ stix:first_seen ?dt_first_seen;
+ stix:resource_level ?resource_level;
+ stix:primary_motivation ?primary_motivation;
+ stix:roles ?role_list;
+ stix:identity_class ?identity_class;
+ stix:sectors ?sector_list;
+# stix:contact_information ?contact_information_string;
+ stix:pattern_type ?pattern_type;
+ stix:pattern ?pattern;
+ stix:indicator_types ?indicator_list;
+ stix:valid_from ?dt_valid_from;
+ stix:kill_chain_phases ?chains;
+ stix:tool_types ?tool_types_list;
+ stix:relationship_type ?relationship_type;
+ stix:source_ref ?source_ref_iri;
+ stix:target_ref ?target_ref_iri;
+ .
+
+
+ ?object_iri stix:external_reference ?exref_iri .
+ ?exref_iri stix:source_name ?ex_ref_source_name .
+ ?exref_iri stix:url ?ex_ref_url .
+ ?exref_iri stix:description ?ex_ref_description .
+ ?exref_iri stix:external-id ?ex_ref_external_id .
+
+
+
+
+}
+WHERE {
+ SERVICE {
+ fx:properties fx:location "./apt1.json" .
+
+
+ # root array of objects
+ ?root xyz:objects ?objects .
+
+ # individual objects from the objects array
+ ?objects ?object_slot ?object .
+
+ # the type and id of the object
+ ?object xyz:type ?type .
+ ?object xyz:id ?id .
+
+
+ ### OPTIONAL ###
+ # aliases
+ OPTIONAL {
+ ?object xyz:aliases ?aliases .
+ ?aliases fx:anySlot ?alias .
+ }
+
+ # contact_information
+ OPTIONAL {?object xyz:contact_information ?contact_information .}
+ BIND(xsd:string(?contact_information) AS ?contact_information_string )
+
+ # created
+ OPTIONAL {?object xyz:created ?created . }
+
+ # description
+ OPTIONAL {?object xyz:description ?description . }
+
+ # external_references
+ OPTIONAL {
+ ?object xyz:external_references ?external_references .
+ ?external_references fx:anySlot ?external_reference .
+ ?external_reference xyz:source_name ?ex_ref_source_name .
+ OPTIONAL { ?external_reference xyz:description ?ex_ref_description . }
+ OPTIONAL { ?external_reference xyz:external_id ?ex_ref_external_id . }
+ OPTIONAL { ?external_reference xyz:url ?ex_ref_url . }
+ BIND (IRI(CONCAT("http://docs.oasis-open.org/cti/ns/stix#ExternalReference-", STRUUID() )) AS ?exref_iri ) .
+ }
+
+ # first_seen
+ OPTIONAL {?object xyz:first_seen ?first_seen . }
+
+ # identity_class
+ OPTIONAL {?object xyz:identity_class ?identity_class .}
+
+ # indicator_types
+ OPTIONAL {?object xyz:indicator_types ?indicator_types .
+ ?indicator_types ?indicator_slot ?indicator_list . }
+
+ # kill_chain_phases
+ OPTIONAL {?object xyz:kill_chain_phases ?kill_chain_phases .
+ ?kill_chain_phases ?kill_slot ?chain_list .
+ ?chain_list ?chain_slot ?chains .
+ }
+
+ # modified
+ OPTIONAL {?object xyz:modified ?modified . }
+
+ # name
+ OPTIONAL {?object xyz:name ?name . }
+
+ # pattern
+ OPTIONAL {?object xyz:pattern ?pattern . }
+
+ # pattern_type
+ OPTIONAL {?object xyz:pattern_type ?pattern_type . }
+
+ # primary_motivation
+ OPTIONAL {?object xyz:primary_motivation ?primary_motivation . }
+
+ # relationship_type
+ OPTIONAL {?object xyz:relationship_type ?relationship_type . }
+
+ # resource_level
+ OPTIONAL {?object xyz:resource_level ?resource_level . }
+
+ # roles
+ OPTIONAL {?object xyz:roles ?roles .
+ ?roles ?roles_slot ?role_list . }
+
+ # sectors
+ OPTIONAL {?object xyz:sectors ?sectors .
+ ?sectors ?sectors_slot ?sector_list . }
+
+ # source_ref
+ OPTIONAL {?object xyz:source_ref ?source_ref . }
+
+ # spec_version
+ OPTIONAL {?object xyz:spec_version ?spec_version . }
+
+ # target_ref
+ OPTIONAL {?object xyz:target_ref ?target_ref . }
+
+ # tool_types
+ OPTIONAL {?object xyz:tool_types ?tool_types .
+ ?tool_types ?tool_types_slot ?tool_types_list . }
+
+ # valid_from
+ OPTIONAL {?object xyz:valid_from ?valid_from . }
+
+ }
+
+
+ # Reformat dates to allow ingestion into xsd:dateTime
+ BIND(xsd:dateTime(?created) AS ?dt_created )
+ BIND(xsd:dateTime(?modified) AS ?dt_modified )
+ BIND(xsd:dateTime(?first_seen) AS ?dt_first_seen )
+ BIND(xsd:dateTime(?valid_from) AS ?dt_valid_from )
+
+
+ # Form the IRI for the stixBundle
+ BIND(IRI(CONCAT("http://hohimer.net/ns/", ?id)) AS ?object_iri )
+ BIND(IRI(CONCAT("http://hohimer.net/ns/", ?source_ref)) AS ?source_ref_iri )
+ BIND(IRI(CONCAT("http://hohimer.net/ns/", ?target_ref)) AS ?target_ref_iri )
+
+ BIND( IF(?relationship_type = "uses", stix:uses, ?nothing ) AS ?relation_iri )
+
+ # Form the stix type of either stix:Bundle or stix:StixObject
+ BIND ((IF(?type = "bundle", IRI("http://docs.oasis-open.org/cti/ns/stix#Bundle"), IRI("http://docs.oasis-open.org/cti/ns/stix#StixObject"))) AS ?stixType )
+}
From 7fa585b9a5da5cb8982f84a3225803ad776141b4 Mon Sep 17 00:00:00 2001 From: TCReg <54412483+TCReg@users.noreply.github.com> Date: Thu, 22 Jun 2023 16:01:16 -0700 Subject: [PATCH 61/70] Update tal-kb-example.owl Updated TAL KB Example file to contain a Grouping object for testing OV --- threat-agent-lib/tal-kb-example.owl | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/threat-agent-lib/tal-kb-example.owl b/threat-agent-lib/tal-kb-example.owl
index 3c34126..c9ddc91 100644
--- a/threat-agent-lib/tal-kb-example.owl
+++ b/threat-agent-lib/tal-kb-example.owl
@@ -32,6 +32,13 @@ competitor, government-spy + + + malware-analysis + suspicious-activity + unspecified + + twitter
From 4020dcce20c9b41dd56c05e791d14b4032584f06 Mon Sep 17 00:00:00 2001
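Review bot: `?exref_iri` is minted with `STRUUID()` inside the external_references OPTIONAL, so every run of this query produces fresh IRIs for the same external reference; re-ingesting apt1.json then duplicates every `stix:external_reference` node instead of merging it, which makes the load non-idempotent. A content-derived IRI fixes that, e.g. `BIND (IRI(CONCAT("http://hohimer.net/ns/ExternalReference-", SHA256(CONCAT(STR(?id), "|", STR(?ex_ref_source_name), "|", COALESCE(STR(?ex_ref_url), ""), "|", COALESCE(STR(?ex_ref_external_id), ""))))) AS ?exref_iri ) .`. The predicate spellings in the CONSTRUCT template are also inconsistent with each other and with the JSON-LD context added in the same commit: `stix:external-id` (hyphen) sits next to `stix:source_name`, `stix:alias` is used for the STIX `aliases` property, and node IRIs are minted under `http://hohimer.net/ns/` while the context's `@base` is `http://myKnowledgeGraph.com/kb`, so graphs produced by the two utilities will not merge. `?relation_iri` (bound from `?relationship_type`) is never used in the template and `?nothing` is unbound, so that BIND is dead code and should either be dropped or actually emitted as the relationship predicate.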
From: Ryan Hohimer Date: Sat, 24 Jun 2023 13:49:09 -0700 Subject: [PATCH 62/70] deleting json-dl-contexts folder --- .../stix-2.1/stix2-1_context.json | 270 ------------------ json-dl-contexts/tac-kb-example.owl | 23 -- 2 files changed, 293 deletions(-) delete mode 100644 json-dl-contexts/stix-2.1/stix2-1_context.json delete mode 100644 json-dl-contexts/tac-kb-example.owl diff --git a/json-dl-contexts/stix-2.1/stix2-1_context.json b/json-dl-contexts/stix-2.1/stix2-1_context.json deleted file mode 100644 index fc11ebe..0000000 --- a/json-dl-contexts/stix-2.1/stix2-1_context.json +++ /dev/null 
@@ -1,270 +0,0 @@
- "@context": {
-
- "xsd": "http://www.w3.org/2001/XMLSchema#",
- "stix-ns": "http://docs.oasis-open.org/cti/ns/stix#",
- "adversary-ns": "http://docs.oasis-open.org/cti/ns/stix/adversary#",
- "attack-ns": "http://attack.mitre.org/ns/attack#",
- "identity-ns": "http://docs.oasis-open.org/cti/ns/stix/identity#",
- "indicator-ns": "http://docs.oasis-open.org/cti/ns/stix/indicator#",
- "malware-ns": "http://docs.oasis-open.org/cti/ns/stix/malware#",
- "marking-ns": "http://docs.oasis-open.org/cti/ns/data-marking#",
- "tool-ns": "http://docs.oasis-open.org/cti/ns/stix/tool#",
- "relationship-ns": "http://docs.oasis-open.org/cti/ns/stix/relationship#",
- "kb": "http://myKnowledgeGraph.com/kb#",
- "@base": "http://myKnowledgeGraph.com/kb",
-
- "objects": "@graph",
- "id": "@id",
- "type": "@type",
-
- "threat-actor": "stix-ns:ThreatActor",
- "intrusion-set": "stix-ns:IntrusionSet",
- "indicator": "stix-ns:Indicator",
- "identity": "stix-ns:Identity",
- "malware": "stix-ns:Malware",
- "report": "stix-ns:Report",
- "tool": "stix-ns:Tool",
- "relationship": "stix-ns:Relationship",
- "attack-pattern": "stix-ns:AttackPattern",
- "marking-definition": "marking-ns:MarkingDefinition",
- "course-of-action": "stix-ns:CourseOfAction",
-
- "aliases":{
- "@id": "stix-ns:aliases",
- "@type": "xsd:string"
- },
- "contact_information": {
- "@id": "identity-ns:contact_information",
- "@type": "xsd:string"
- },
- "created": {
- "@id": "stix-ns:created",
- "@type": "xsd:dateTime"
- },
- "description": {
- "@id": "stix-ns:description",
- "@type": "xsd:string"
- },
- "first_seen": {
- "@id": "stix-ns:first_seen",
- "@type": "xsd:dateTime"
- },
- "identity_class": {
- "@id": "identity-ns:identity_class",
- "@type": "xsd:string"
- },
- "is_family": {
- "@id": "malware-ns:is_family",
- "@type": "xsd:boolean"
- },
- "labels": {
- "@id": "stix-ns:labels",
- "@type": "xsd:string"
- },
- "last_seen": {
- "@id": "stix-ns:last_seen",
- "@type": "xsd:dateTime"
- },
- "malware_types": {
- "@id": "malware-ns:malware_types",
- "@type": "xsd:string"
- },
- "modified": {
- "@id": "stix-ns:modified",
- "@type": "xsd:dateTime"
- },
- "name": {
- "@id": "stix-ns:name",
- "@type": "xsd:string"
- },
- "pattern": {
- "@id": "indicator-ns:pattern",
- "@type": "xsd:string"
- },
- "pattern_type": {
- "@id": "indicator-ns:pattern_type",
- "@type": "xsd:string"
- },
- "primary_motivation":{
- "@id": "adversary-ns:primary_motivation",
- "@type": "xsd:string"
- },
- "relationship_type": {
- "@id": "relationship-ns:relationship_type",
- "@type": "xsd:string"
- },
- "resource_level": {
- "@id": "adversary-ns:resource_level",
- "@type": "xsd:string"
- },
- "roles": {
- "@id": "adversary-ns:roles",
- "@type": "xsd:string"
- },
- "sectors": {
- "@id": "identity-ns:sectors",
- "@type": "xsd:string"
- },
- "spec_version": {
- "@id": "stix-ns:spec_version",
- "@type": "xsd:string"
- },
- "threat_actor_types": {
- "@id": "adversary-ns:threat_actor_types",
- "@type": "xsd:string"
- },
- "tool_types": {
- "@id": "tool-ns:tool_types",
- "@type": "xsd:string"
- },
- "valid_from": {
- "@id": "stix-ns:valid_from",
- "@type": "xsd:dateTime"
- },
-
- "source_name": {
- "@id": "stix-ns:source-name",
- "@type": "xsd:string"
- },
- "url": {
- "@id": "stix-ns:url",
- "@type": "xsd:anyURI"
- },
- "external_id": {
- "@id": "stix-ns:external_id",
- "@type": "xsd:string"
- },
-
-
- "hashes": {
- "@id": "stix-ns:hashes",
- "@type": "@id"
- },
-
-
-
- "external_references": {
- "@id": "stix-ns:external_references",
- "@type": "@id"
- },
-
-
- "object_marking_refs": {
- "@id": "marking-ns:object_marking_refs",
- "@type": "@id"
- },
- "source_ref": {
- "@id": "relationship-ns:source_ref",
- "@type": "@id"
- },
- "target_ref": {
- "@id": "relationship-ns:target_ref",
- "@type": "@id"
- },
- "object_ref": {
- "@id": "stix-ns:object_ref",
- "@type": "@id"
- },
- "object_modified": {
- "@id": "stix-ns:object_modified",
- "@type": "xsd:dateTime"
- },
-
-
- "x_mitre_contents": {
- "@id": "attack-ns:x_mitre_contents",
- "@type": "stix-ns:StixObject"
- },
- "x_mitre_contributors": {
- "@id": "attack-ns:x_mitre_contributors",
- "@type": "xsd:string"
- },
- "x_mitre_modified_by_ref": {
- "@id": "relationship-ns:x_mitre_modified_by_ref",
- "@type": "@id"
- },
- "x_mitre_domains": {
- "@id": "attack-ns:x_mitre_domains",
- "@type": "xsd:string"
- },
- "x_mitre_detection": {
- "@id": "attack-ns:x_mitre_detection",
- "@type": "xsd:string"
- },
- "x_mitre_is_subtechnique": {
- "@id": "attack-ns:x_mitre_is_subtechnique",
- "@type": "xsd:boolean"
- },
- "x_mitre_platforms": {
- "@id": "attack-ns:x_mitre_platforms",
- "@type": "xsd:string"
- },
- "x_mitre_permissions_required": {
- "@id": "attack-ns:x_mitre_permissions_required",
- "@type": "xsd:string"
- },
- "x_mitre_data_sources": {
- "@id": "attack-ns:x_mitre_data_sources",
- "@type": "xsd:string"
- },
- "x_mitre_version": {
- "@id": "attack-ns:x_mitre_version",
- "@type": "xsd:string"
- },
- "x_mitre_attack_spec_version": {
- "@id": "attack-ns:x_mitre_attack_spec_version",
- "@type": "xsd:string"
- },
-
- "x-mitre-matrix": "attack-ns:Matrix",
- "x-mitre-tactic": "attack-ns:Tactic",
- "x-mitre-data-component": "attack-ns:DataComponent",
- "x-mitre-data-source": "attack-ns:DataSource",
-
- "x_mitre_data_source_ref": {
- "@id": "attack-ns:x_mitre_data_source_ref",
- "@type": "@id"
- },
- "tactic_refs": {
- "@id": "attack-ns:tactic_refs",
- "@type": "@id"
- },
- "x_mitre_collection_layers": {
- "@id": "attack-ns:x_mitre_collection_layers",
- "@type": "xsd:string"
- },
- "x_mitre_shortname": {
- "@id": "attack-ns:x_mitre_shortname",
- "@type": "xsd:string"
- },
- "x_mitre_deprecated": {
- "@id": "attack-ns:x_mitre_deprecated",
- "@type": "xsd:boolean"
- },
- "x_mitre_defense_bypassed": {
- "@id": "attack-ns:x_mitre_defense_bypassed",
- "@type": "xsd:string"
- },
- "x_mitre_effective_permissions": {
- "@id": "attack-ns:x_mitre_effective_permissions",
- "@type": "xsd:string"
- },
- "x_mitre_impact_type": {
- "@id": "attack-ns:x_mitre_impact_type",
- "@type": "xsd:string"
- },
- "x_mitre_network_requirements": {
- "@id": "attack-ns:x_mitre_network_requirements",
- "@type": "xsd:boolean"
- },
- "x_mitre_remote_support": {
- "@id": "attack-ns:x_mitre_remote_support",
- "@type": "xsd:boolean"
- },
- "x_mitre_system_requirements": {
- "@id": "attack-ns:x_mitre_system_requirements",
- "@type": "xsd:string"
- }
-
-
- },
\ No newline at end of file
diff --git a/json-dl-contexts/tac-kb-example.owl b/json-dl-contexts/tac-kb-example.owl
deleted file mode 100644
index 74d7e47..0000000
--- a/json-dl-contexts/tac-kb-example.owl
+++ /dev/null
@@ -1,23 +0,0 @@
-
-
-
-
-
-
-]>
-
-
-
- The TAC ontology is a knowledge representation framework focused on comprehensively representing the context around adversaries. The project comprises a set of concept definitions and their relationships encoded in Web Ontology Language (OWL) that altogether harmonise into what we call the Threat Actor Context ontology.
-
-
-
-
-
\ No newline at end of file
From 7654cf7b8ad35bf728de9a1d7b80b5960f12ee10 Mon Sep 17 00:00:00 2001
From: Ryan Hohimer Date: Sat, 29 Jul 2023 14:18:58 -0700 Subject: [PATCH 63/70] adding the CuriousHealthcareWorker concepts --- health-agent-lib/catalog-v001.xml | 61 + health-agent-lib/hal-example.owl | 27 + health-agent-lib/hal-library.owl | 63 + threat-agent-lib/catalog-v001.xml | 8 +- threat-agent-lib/ta-library.owl | 48 +- utilities/json-dl-contexts/tac-kb-example.owl | 23 - utilities/sparql-anything/input/apt1.json | 1206 +++++++++++++++++ .../{ => mappings}/apt1.sparql | 0 .../sparql-anything/mappings/j2kb.sparql | 238 ++++ 9 files changed, 1636 insertions(+), 38 deletions(-) create mode 100644 health-agent-lib/catalog-v001.xml create mode 100644 health-agent-lib/hal-example.owl create mode 100644 health-agent-lib/hal-library.owl delete mode 100644 utilities/json-dl-contexts/tac-kb-example.owl create mode 100644 utilities/sparql-anything/input/apt1.json rename utilities/sparql-anything/{ => mappings}/apt1.sparql (100%) create mode 100644 utilities/sparql-anything/mappings/j2kb.sparql diff --git a/health-agent-lib/catalog-v001.xml b/health-agent-lib/catalog-v001.xml new file mode 100644 index 0000000..8cd5331 --- /dev/null +++ b/health-agent-lib/catalog-v001.xml @@ -0,0 +1,61 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/health-agent-lib/hal-example.owl b/health-agent-lib/hal-example.owl new file mode 100644 index 0000000..43c7574 --- /dev/null +++ b/health-agent-lib/hal-example.owl @@ -0,0 +1,27 @@ + + + + + + + + + +]> + + + + + + + \ No newline at end of file diff --git a/health-agent-lib/hal-library.owl b/health-agent-lib/hal-library.owl new file mode 100644 index 0000000..9620e5b --- /dev/null +++ b/health-agent-lib/hal-library.owl 
@@ -0,0 +1,63 @@ + + + + + + + + + +]> + + + + The Health Care Threat Actor Library is and extending ontology of the Threat Agent Library from Intel.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 0d0a1d8..daf6df5 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,8 +53,10 @@ - - - + + + + + diff --git a/threat-agent-lib/ta-library.owl b/threat-agent-lib/ta-library.owl index 07f47f2..2f3218a 100644 --- a/threat-agent-lib/ta-library.owl +++ b/threat-agent-lib/ta-library.owl @@ -161,18 +161,38 @@ - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -193,6 +213,10 @@ + + + + diff --git a/utilities/json-dl-contexts/tac-kb-example.owl b/utilities/json-dl-contexts/tac-kb-example.owl deleted file mode 100644 index 74d7e47..0000000 --- a/utilities/json-dl-contexts/tac-kb-example.owl +++ /dev/null @@ -1,23 +0,0 @@ - - - - - - -]> - - - - The TAC ontology is a knowledge representation framework focused on comprehensively representing the context around adversaries. The project comprises a set of concept definitions and their relationships encoded in Web Ontology Language (OWL) that altogether harmonise into what we call the Threat Actor Context ontology. - - - - - \ No newline at end of file diff --git a/utilities/sparql-anything/input/apt1.json b/utilities/sparql-anything/input/apt1.json new file mode 100644 index 0000000..d3f235f --- /dev/null +++ b/utilities/sparql-anything/input/apt1.json 
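Review bot: The library description added in this hunk reads `The Health Care Threat Actor Library is and extending ontology of the Threat Agent Library from Intel.com`; the grammar is broken and it should read `The Health Care Threat Actor Library is an ontology extending the Threat Agent Library from Intel.com`. The RDF/XML markup is not visible in this rendering, so I assume the sentence sits in the ontology header's comment element. The name given there also disagrees with the directory `health-agent-lib` and the file `hal-library.owl` (Health Agent Library versus Health Care Threat Actor Library); pick one so the ontology label and the path match.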
@@ -0,0 +1,1206 @@
+{
+ "type": "bundle",
+ "id": "bundle--cf20f99b-3ed2-4a9f-b4f1-d660a7fc8241",
+ "objects": [
+ {
+ "type": "intrusion-set",
+ "spec_version": "2.1",
+ "id": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "APT1",
+ "description": "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006.",
+ "first_seen": "2006-06-01T18:13:15.684Z",
+ "resource_level": "government",
+ "primary_motivation": "organizational-gain",
+ "aliases": [
+ "Comment Crew",
+ "Comment Group",
+ "Shady Rat"
+ ]
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Ugly Gorilla",
+ "threat_actor_types": [
+ "nation-state",
+ "spy"
+ ],
+ "roles": [
+ "malware-author",
+ "agent",
+ "infrastructure-operator"
+ ],
+ "resource_level": "government",
+ "aliases": [
+ "Greenfield",
+ "JackWang",
+ "Wang Dong"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "DOTA",
+ "threat_actor_types": [
+ "nation-state",
+ "spy"
+ ],
+ "aliases": [
+ "dota",
+ "Rodney",
+ "Raith"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "agent",
+ "infrastructure-operator"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "SuperHard",
+ "threat_actor_types": [
+ "nation-state"
+ ],
+ "sophistication": "expert",
+ "aliases": [
+ "dota",
+ "Rodney",
+ "Raith"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "malware-author"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Communist Party of China",
+ "description": " The CPC is the ultimate authority in Mainland China and tasks the PLA to commit cyber espionage and data theft against organizations around the world.",
+ "threat_actor_types": [
+ "nation-state"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "sponsor",
+ "director"
+ ],
+ "aliases": [
+ "CPC"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "threat-actor",
+ "spec_version": "2.1",
+ "id": "threat-actor--94624865-2709-443f-9b4c-2891985fd69b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Unit 61398",
+ "description": "Unit 61398 functions as the Third Department's premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence.",
+ "threat_actor_types": [
+ "nation-state"
+ ],
+ "resource_level": "government",
+ "roles": [
+ "agent"
+ ],
+ "aliases": [
+ "PLA GSD's 3rd Department, 2nd Bureau",
+ "Military Unit Cover Designator (MUCD) 61398"
+ ],
+ "primary_motivation": "organizational-gain"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--a9119a87-6576-46af-bfd7-4fbe55926671",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "JackWang",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "uglygorilla@163.com"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--e88ab115-7768-4630-baa3-3d49a7d946ea",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Wang Dong",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "uglygorilla@163.com"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "dota",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "dota.d013@gmail.com"
+ },
+ {
+ "type": "identity",
+ "spec_version": "2.1",
+ "id": "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Mei Qiang",
+ "identity_class": "individual",
+ "sectors": [
+ "government-national"
+ ],
+ "contact_information": "mei_qiang_82@sohu.com"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '223.166.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '58.246.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--2173d108-5714-42fd-8213-4f3790259fda",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '112.64.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HTRAN Hop Point Accessor",
+ "description": "Test description.",
+ "pattern": "[ipv4-addr:value = '139.226.0.0/15']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "FQDN hugesoft.org",
+ "description": "Test description.",
+ "pattern": "[domain-name:value = 'hugesoft.org']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "FQDN arrowservice.net",
+ "description": "Test description.",
+ "pattern": "[domain-name:value = 'arrowservice.net']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "FQDN msnhome.org",
+ "description": "Test description.",
+ "pattern": "[domain-name:value = 'msnhome.org']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix E MD5 hash '001dd76872d80801692ff942308c64e6'",
+ "description": "Test description.",
+ "pattern": "[file:hashes.md5 = '001dd76872d80801692ff942308c64e6']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--745e1537-b4f3-49da-9f64-df6b1b5df190",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix E MD5 hash '002325a0a67fded0381b5648d7fe9b8e'",
+ "description": "Test description.",
+ "pattern": "[file:hashes.md5 = '002325a0a67fded0381b5648d7fe9b8e']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix E MD5 hash '00dbb9e1c09dbdafb360f3163ba5a3de'",
+ "description": "Test description.",
+ "pattern": "[file:hashes.md5 = '00dbb9e1c09dbdafb360f3163ba5a3de']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--b3b6b540-d838-41e2-853b-005056c00008",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix F SSL Certificate for serial number '(Negative)4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28'",
+ "description": "Test description.",
+ "pattern": "[x509-certificate:issuer = 'CN=WEBMAIL' AND x509-certificate:serial_number = '4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "indicator",
+ "spec_version": "2.1",
+ "pattern_type": "stix",
+ "id": "indicator--b3b7035e-d838-41e2-8d38-005056c00008",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Appendix F SSL Certificate for serial number '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c'",
+ "description": "Test description.",
+ "pattern": "[x509-certificate:issuer = 'CN=LM-68AB71FBD8F5' AND x509-certificate:serial_number = '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c']",
+ "indicator_types": [
+ "malicious-activity"
+ ],
+ "valid_from": "2015-05-15T09:12:16.432678Z"
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--2485b844-4efe-4343-84c8-eb33312dd56f",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "MANITSME",
+ "malware_types": [
+ "backdoor",
+ "dropper",
+ "remote-access-trojan"
+ ],
+ "description": "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files."
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "WEBC2-UGX",
+ "malware_types": [
+ "backdoor",
+ "remote-access-trojan"
+ ],
+ "description": "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands."
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--0f01c5a3-f516-4450-9381-4dd9f2279411",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "WEBC2 Backdoor",
+ "malware_types": [
+ "backdoor",
+ "remote-access-trojan"
+ ],
+ "description": "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--33159b98-3264-4e10-a968-d67975b6272f",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "HUC Packet Transmit Tool (HTRAN)",
+ "malware_types": [
+ "backdoor",
+ "remote-access-trojan"
+ ],
+ "description": "When APT1 attackers are not using WEBC2, they require a “command and control” (C2) user interface so they can issue commands to the backdoor. This interface sometimes runs on their personal attack system, which is typically in Shanghai. In these instances, when a victim backdoor makes contact with a hop, the communications need to be forwarded from the hop to the intruder’s Shanghai system so the backdoor can talk to the C2 server software. We have observed 767 separate instances in which APT1 intruders used the publicly available “HUC Packet Transmit Tool” or HTRAN on a hopThe HTRAN utility is merely a middle-man, facilitating connections between the victim and the attacker who is using the hop point.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": true,
+ "id": "malware--fb490cdb-6760-41eb-a79b-0b930a50c017",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "AURIGA",
+ "malware_types": [
+ "backdoor",
+ "keylogger"
+ ],
+ "description": "Malware family that contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, etc."
+ },
+ {
+ "type": "malware",
+ "spec_version": "2.1",
+ "is_family": false,
+ "id": "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "BANGAT",
+ "malware_types": [
+ "backdoor",
+ "keylogger"
+ ],
+ "description": "Malware family that contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, etc."
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--ce45f721-af14-4fc0-938c-000c16186418",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "cachedump",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "This program extracts cached password hashes from a system’s registry.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "fgdump",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Windows password hash dumper",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "fgdump",
+ "url": "http://www.foofus.net/fizzgig/fgdump/"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "gsecdump",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Obtains password hashes from the Windows registry, including the SAM file, cached domain credentials, and LSA secrets",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "gsecdump",
+ "url": "http://www.truesec.se"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "lslsass",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Dump active logon session password hashes from the lsass process",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "lslsass",
+ "url": "http://www.truesec.se"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "mimikatz",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "A utility primarily used for dumping password hashes",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "mimikatz",
+ "url": "http://blog.gentilkiwi.com/mimikatz"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--266b12f2-aa16-4607-809e-f2d33eebb52e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "pass-the-hash toolkit",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Allows an intruder to “pass” a password hash (without knowing the original password) to log in to systems",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "pass-the-hash toolkit",
+ "url": "http://oss.coresecurity.com/projects/pshtoolkit.htm"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--98fd8dc1-6cc7-4908-899f-07473f55149a",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "pwdump7",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Dumps password hashes from the Windows registry",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ],
+ "external_references": [
+ {
+ "source_name": "pwdump7",
+ "url": "http://www.tarasco.org/security/pwdump_7/"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "pwdumpX",
+ "tool_types": [
+ "credential-exploitation"
+ ],
+ "description": "Dumps password hashes from the Windows registry",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "GETMAIL",
+ "tool_types": [
+ "information-gathering"
+ ],
+ "description": "GETMAIL was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive (“PST”) files.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "complete-mission"
+ }
+ ]
+ },
+ {
+ "type": "tool",
+ "spec_version": "2.1",
+ "id": "tool--806a8f83-4913-4216-bb19-02b48ae25da5",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "MAPIGET",
+ "tool_types": [
+ "information-gathering"
+ ],
+ "description": "MAPIGET was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "complete-mission"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Initial Compromise",
+ "description": "As with most other APT groups, spear phishing is APT1’s most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. APT1 also creates webmail accounts using real peoples’ names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel. The files they use contain malicious executables that install a custom APT1 backdoor that we call WEBC2-TABLE.",
+ "external_references": [
+ {
+ "source_name": "capec",
+ "description": "spear phishing",
+ "external_id": "CAPEC-163"
+ }
+ ],
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "initial-compromise"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Establishing a Foothold",
+ "description": "APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed. In almost every case, APT backdoors initiate outbound connections to the intruder’s 'command and control' (C2) server. While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. APT1’s backdoors are in two categories: 'Beachhead Backdoors' and 'Standard Backdoors.' Beachhead Backdoors offer the attacker a toe-hold to perform simple tasks like retrieve files, gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor. APT1’s beachhead backdoors are usually what we call WEBC2 backdoors. WEBC2 backdoors are probably the most well-known kind of APT1 backdoor, and are the reason why some security companies refer to APT1 as the Comment Crew. A WEBC2 backdoor is designed to retrieve a webpage from a C2 server. It expects the webpage to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. WEBC2 backdoors are often packaged with spear phishing emails. Once installed, APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice. The standard, non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol (to blend in with legitimate web traffic) or a custom protocol that the malware authors designed themselves. The BISCUIT backdoor (so named for the command “bdkzt”) is an illustrative example of the range of commands that APT1 has built into its “standard” backdoors. APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently. Some APT backdoors attempt to mimic legitimate Internet traffic other than the HTTP protocol. When network defenders see the communications between these backdoors and their C2 servers, they might easily dismiss them as legitimate network traffic. Additionally, many of APT1’s backdoors use SSL encryption so that communications are hidden in an encrypted SSL tunnel.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "establish-foothold"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Privilege Escalation",
+ "description": "Escalating privileges involves acquiring items (most often usernames and passwords) that will allow access to more resources within the network. APT1 predominantly uses publicly available tools to dump password hashes from victim systems in order to obtain legitimate user credentials.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "escalate-privileges"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Internal Reconnaisance",
+ "description": "In the Internal Reconnaissance stage, the intruder collects information about the victim environment. Like most APT (and non-APT) intruders, APT1 primarily uses built-in operating system commands to explore a compromised system and its networked environment. Although they usually simply type these commands into a command shell, sometimes intruders may use batch scripts to speed up the process.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mandiant-attack-lifecycle-model",
+ "phase_name": "internal-recon"
+ }
+ ]
+ },
+ {
+ "type": "attack-pattern",
+ "spec_version": "2.1",
+ "id": "attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767",
+ "created": "2015-05-15T09:12:16.432Z",
+ "modified": "2015-05-15T09:12:16.432Z",
+ "name": "Lateral Movement",
+ "description": "Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected. They can connect to shared resources on other systems. 
They can execute commands on other systems using the publicly available 'psexec' tool from Microsoft Sysinternals or the built-in Windows Task Scheduler ('at.exe').", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "move-laterally" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "Maintain Presence", + "description": "In this stage, the intruder takes actions to ensure continued, long-term control over key systems in the network environment from outside of the network. APT1 does this in three ways: Install new backdoors on multiple systems, use legitimate VPN credentials, and log in to web portals.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "maintain-presence" + } + ] + }, + { + "type": "attack-pattern", + "spec_version": "2.1", + "id": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "Completing the Mission", + "description": "Similar to other APT groups we track, once APT1 finds files of interest they pack them into archive files before stealing them. APT intruders most commonly use the RAR archiving utility for this task and ensure that the archives are password protected. Sometimes APT1 intruders use batch scripts to assist them in the process. After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. 
Unlike most other APT groups we track, APT1 uses two email-stealing utilities that we believe are unique to APT1. The first, GETMAIL, was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ('PST') files. The GETMAIL utility allows APT1 intruders the flexibility to take only the emails between dates of their choice. In one case, we observed an APT1 intruder return to a compromised system once a week for four weeks in a row to steal only the past week’s emails. Whereas GETMAIL steals email in Outlook archive files, the second utility, MAPIGET, was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server. In order to operate successfully, MAPIGET requires username/password combinations that the Exchange server will accept. MAPIGET extracts email from specified accounts into text files (for the email body) and separate attachments, if there are any.", + "kill_chain_phases": [ + { + "kill_chain_name": "mandiant-attack-lifecycle-model", + "phase_name": "complete-mission" + } + ] + }, + { + "type": "report", + "spec_version": "2.1", + "id": "report--e33ffe07-2f4c-48d8-b0af-ee2619d765cf", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "name": "APT1: Exposing One of China's Cyber Espionage Units", + "report_types": [ + "threat-report", + "threat-actor" + ], + "published": "2013-02-19T00:00:00.000000Z", + "description": "Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the 'Advanced Persistent Threat' (APT). We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that 'The Chinese government may authorize this activity, but theres no way to determine the\textent of its involvement.' 
Now, three years later, we have the evidence required to change our assessment. The details\twe have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them. Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as 'APT1' and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1's operations compelled us to write this report. The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1's activities is incomplete, we have analyzed the group's intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1's attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others. Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. 
In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate.", + "object_refs": [ + "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b", + "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49", + "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d", + "attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767", + "attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7", + "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4", + "identity--a9119a87-6576-46af-bfd7-4fbe55926671", + "identity--e88ab115-7768-4630-baa3-3d49a7d946ea", + "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca", + "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b", + "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5", + "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0", + "indicator--2173d108-5714-42fd-8213-4f3790259fda", + "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4", + "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba", + "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d", + "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e", + "indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691", + "indicator--745e1537-b4f3-49da-9f64-df6b1b5df190", + "indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd", + "indicator--b3b6b540-d838-41e2-853b-005056c00008", + "indicator--b3b7035e-d838-41e2-8d38-005056c00008", + "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a", + "malware--2485b844-4efe-4343-84c8-eb33312dd56f", + "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0", + "malware--0f01c5a3-f516-4450-9381-4dd9f2279411", + "malware--33159b98-3264-4e10-a968-d67975b6272f", + "malware--fb490cdb-6760-41eb-a79b-0b930a50c017", + "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca", + "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + 
"threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636", + "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21", + "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d", + "threat-actor--94624865-2709-443f-9b4c-2891985fd69b", + "tool--ce45f721-af14-4fc0-938c-000c16186418", + "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c", + "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2", + "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9", + "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa", + "tool--266b12f2-aa16-4607-809e-f2d33eebb52e", + "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48", + "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e", + "tool--806a8f83-4913-4216-bb19-02b48ae25da5", + "tool--98fd8dc1-6cc7-4908-899f-07473f55149a", + "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7", + "relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c", + "relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e", + "relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0", + "relationship--d84cf283-93be-4ca7-890d-76c63eff3636", + "relationship--71e6832f-17ee-42fd-938d-c7f881be2028", + "relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3", + "relationship--306ce398-f708-47f9-88a1-38aa5b9985fc", + "relationship--8668d82a-1c97-4bea-a367-e391b025e00e", + "relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023", + "relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3", + "relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b", + "relationship--61f4fd3b-f581-4497-9149-e624c317287b", + "relationship--7cede760-b866-490e-ad5b-1df34bc14f8d", + "relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3", + "relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc", + "relationship--81827b05-8c20-4247-b5d8-674295a1c611", + "relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c", + "relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8", + "relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6", + "relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28", + "relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e", + "relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d", + 
"relationship--44686fda-311c-4cdb-abef-80e922e7a3fb", + "relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4", + "relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d", + "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1", + "relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa", + "relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01", + "relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b" + ] + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + "target_ref": "malware--2485b844-4efe-4343-84c8-eb33312dd56f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + "target_ref": "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + "target_ref": "identity--a9119a87-6576-46af-bfd7-4fbe55926671" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65", + "target_ref": "identity--e88ab115-7768-4630-baa3-3d49a7d946ea" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": 
"relationship--d84cf283-93be-4ca7-890d-76c63eff3636", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636", + "target_ref": "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--71e6832f-17ee-42fd-938d-c7f881be2028", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21", + "target_ref": "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21", + "target_ref": "malware--fb490cdb-6760-41eb-a79b-0b930a50c017" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--306ce398-f708-47f9-88a1-38aa5b9985fc", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21", + "target_ref": "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--8668d82a-1c97-4bea-a367-e391b025e00e", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a", + "target_ref": "threat-actor--94624865-2709-443f-9b4c-2891985fd69b" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023", + "created": "2015-05-15T09:12:16.432Z", + "modified": 
"2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a", + "target_ref": "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "attributed-to", + "source_ref": "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a", + "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49", + "target_ref": "malware--0f01c5a3-f516-4450-9381-4dd9f2279411" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--61f4fd3b-f581-4497-9149-e624c317287b", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--7cede760-b866-490e-ad5b-1df34bc14f8d", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": 
"indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--2173d108-5714-42fd-8213-4f3790259fda", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--81827b05-8c20-4247-b5d8-674295a1c611", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4", + "target_ref": "malware--33159b98-3264-4e10-a968-d67975b6272f" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--ce45f721-af14-4fc0-938c-000c16186418" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2" + }, + { + "type": 
"relationship", + "spec_version": "2.1", + "id": "relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--266b12f2-aa16-4607-809e-f2d33eebb52e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--44686fda-311c-4cdb-abef-80e922e7a3fb", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--98fd8dc1-6cc7-4908-899f-07473f55149a" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827", + "target_ref": "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d", + "created": "2015-05-15T09:12:16.432Z", + 
"modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4", + "target_ref": "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "uses", + "source_ref": "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4", + "target_ref": "tool--806a8f83-4913-4216-bb19-02b48ae25da5" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba", + "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d", + "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" + }, + { + "type": "relationship", + "spec_version": "2.1", + "id": "relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b", + "created": "2015-05-15T09:12:16.432Z", + "modified": "2015-05-15T09:12:16.432Z", + "relationship_type": "indicates", + "source_ref": "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e", + "target_ref": "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" + } + ] +} diff --git a/utilities/sparql-anything/apt1.sparql b/utilities/sparql-anything/mappings/apt1.sparql similarity index 100% rename from utilities/sparql-anything/apt1.sparql rename to utilities/sparql-anything/mappings/apt1.sparql 
diff --git a/utilities/sparql-anything/mappings/j2kb.sparql b/utilities/sparql-anything/mappings/j2kb.sparql
new file mode 100644
index 0000000..4469a42
--- /dev/null
+++ b/utilities/sparql-anything/mappings/j2kb.sparql
@@ -0,0 +1,238 @@
+PREFIX xyz:
+PREFIX rdf:
+PREFIX fx:
+PREFIX example:
+PREFIX owl:
+PREFIX stix:
+PREFIX xsd:
+
+CONSTRUCT {
+
+ ?object_iri a ?stixType ;
+ stix:id ?id;
+ stix:type ?type;
+
+ stix:alias ?alias;
+# stix:contact_information ?contact_information_string;
+ stix:created ?dt_created;
+ stix:description ?description;
+ stix:first_seen ?dt_first_seen;
+ stix:identity_class ?identity_class;
+ stix:kill_chain_phases ?chains;
+ stix:indicator_types ?indicator_list;
+ stix:malware_types ?malware_type;
+ stix:modified ?dt_modified;
+ stix:name ?name;
+ stix:resource_level ?resource_level;
+ stix:pattern_type ?pattern_type;
+ stix:pattern ?pattern;
+ stix:primary_motivation ?primary_motivation;
+ stix:relationship_type ?relationship_type;
+ stix:roles ?role_list;
+ stix:sectors ?sector_list;
+ stix:source_ref ?source_ref_iri;
+ stix:spec_version ?spec_version;
+ stix:target_ref ?target_ref_iri;
+ stix:tool_types ?tool_types_list;
+ stix:valid_from ?dt_valid_from;
+ .
+
+# ==========================
+
+ stix:id a owl:DatatypeProperty .
+ stix:type a owl:DatatypeProperty .
+
+ stix:alias a owl:DatatypeProperty .
+# stix:contact_information a owl:DatatypeProperty .
+ stix:created a owl:DatatypeProperty .
+ stix:description a owl:DatatypeProperty .
+ stix:first_seen a owl:DatatypeProperty .
+
+ stix:identity_class a owl:DatatypeProperty .
+ stix:kill_chain_phases a owl:DatatypeProperty .
+
+ stix:indicator_types a owl:DatatypeProperty .
+ stix:malware_types a owl:DatatypeProperty .
+ stix:modified a owl:DatatypeProperty .
+ stix:name a owl:DatatypeProperty .
+
+ stix:resource_level a owl:DatatypeProperty .
+
+ stix:pattern_type a owl:DatatypeProperty .
+ stix:pattern a owl:DatatypeProperty .
+ stix:primary_motivation a owl:DatatypeProperty .
+ stix:relationship_type a owl:DatatypeProperty .
+
+ stix:roles a owl:DatatypeProperty .
+ stix:sectors a owl:DatatypeProperty .
+
+ stix:source_ref a owl:ObjectProperty .
+ stix:spec_version a owl:DatatypeProperty .
+ stix:target_ref a owl:ObjectProperty .
+ stix:tool_types a owl:DatatypeProperty .
+ stix:valid_from a owl:DatatypeProperty .
+
+ stix:external_reference a owl:ObjectProperty .
+ stix:source_name a owl:DatatypeProperty .
+ stix:url a owl:DatatypeProperty .
+ stix:description a owl:DatatypeProperty .
+ stix:external-id a owl:DatatypeProperty .
+
+ stix:kill_chain_phase a owl:ObjectProperty .
+ stix:kill_chain_name a owl:DatatypeProperty .
+ stix:kill_chain_phase_name a owl:DatatypeProperty .
+
+# ==========================
+
+
+ ?object_iri stix:external_reference ?exref_iri .
+ ?exref_iri a stix:StixObject .
+ ?exref_iri stix:source_name ?ex_ref_source_name .
+ ?exref_iri stix:url ?ex_ref_url .
+ ?exref_iri stix:description ?ex_ref_description .
+ ?exref_iri stix:external-id ?ex_ref_external_id .
+
+ ?object_iri stix:kill_chain_phase ?kill_chain_phase_iri .
+ ?kill_chain_phase_iri a stix:StixObject .
+ ?kill_chain_phase_iri stix:kill_chain_name ?kill_name .
+ ?kill_chain_phase_iri stix:kill_chain_phase_name ?phase_name .
+
+
+
+}
+WHERE {
+ SERVICE {
+ fx:properties fx:location "./apt1.json" .
+
+
+ # root array of objects
+ ?root xyz:objects ?objects .
+
+ # individual objects from the objects array
+ ?objects ?object_slot ?object .
+
+ # the type and id of the object
+ ?object xyz:type ?type .
+ ?object xyz:id ?id .
+
+
+ ### OPTIONAL ###
+ # aliases
+ OPTIONAL {
+ ?object xyz:aliases ?aliases .
+ ?aliases fx:anySlot ?alias .
+ }
+
+ # contact_information
+ OPTIONAL {?object xyz:contact_information ?contact_information .}
+ BIND(xsd:string(?contact_information) AS ?contact_information_string )
+
+ # created
+ OPTIONAL {?object xyz:created ?created . }
+
+ # description
+ OPTIONAL {?object xyz:description ?description . }
+
+ # external_references
+ OPTIONAL {
+ ?object xyz:external_references ?external_references .
+ ?external_references fx:anySlot ?external_reference .
+ ?external_reference xyz:source_name ?ex_ref_source_name .
+ OPTIONAL { ?external_reference xyz:description ?ex_ref_description . }
+ OPTIONAL { ?external_reference xyz:external_id ?ex_ref_external_id . }
+ OPTIONAL { ?external_reference xyz:url ?ex_ref_url . }
+ BIND (IRI(CONCAT("http://docs.oasis-open.org/cti/ns/stix#ExternalReference-", STRUUID() )) AS ?exref_iri ) .
+ }
+
+ # first_seen
+ OPTIONAL {?object xyz:first_seen ?first_seen . }
+
+ # identity_class
+ OPTIONAL {?object xyz:identity_class ?identity_class .}
+
+ # indicator_types
+ OPTIONAL {?object xyz:indicator_types ?indicator_types .
+ ?indicator_types ?indicator_slot ?indicator_list . }
+
+ # kill_chain_phases
+ OPTIONAL {
+ ?object xyz:kill_chain_phases ?kill_chain_phases .
+ ?kill_chain_phases ?anySlot ?chain_list .
+ ?chain_list xyz:kill_chain_name ?kill_name .
+ OPTIONAL { ?chain_list xyz:phase_name ?phase_name . }
+ BIND (IRI(CONCAT("http://docs.oasis-open.org/cti/ns/stix#KillChainPhase-", STRUUID() )) AS ?kill_chain_phase_iri ) .
+ }
+
+ # malware_types
+ OPTIONAL {
+ ?object xyz:malware_types ?malware_types .
+ ?malware_types ?malware_types_slot ?malware_type .
+ }
+
+ # modified
+ OPTIONAL {?object xyz:modified ?modified . }
+
+ # name
+ OPTIONAL {?object xyz:name ?name . }
+
+ # pattern
+ OPTIONAL {?object xyz:pattern ?pattern . }
+
+ # pattern_type
+ OPTIONAL {?object xyz:pattern_type ?pattern_type . }
+
+ # primary_motivation
+ OPTIONAL {?object xyz:primary_motivation ?primary_motivation . }
+
+ # relationship_type
+ OPTIONAL {?object xyz:relationship_type ?relationship_type . }
+
+ # resource_level
+ OPTIONAL {?object xyz:resource_level ?resource_level . }
+
+ # roles
+ OPTIONAL {
+ ?object xyz:roles ?roles .
+ ?roles ?roles_slot ?role_list .
+ }
+
+ # sectors
+ OPTIONAL {?object xyz:sectors ?sectors .
+ ?sectors ?sectors_slot ?sector_list . }
+
+ # source_ref
+ OPTIONAL {?object xyz:source_ref ?source_ref . }
+
+ # spec_version
+ OPTIONAL {?object xyz:spec_version ?spec_version . }
+
+ # target_ref
+ OPTIONAL {?object xyz:target_ref ?target_ref . }
+
+ # tool_types
+ OPTIONAL {?object xyz:tool_types ?tool_types .
+ ?tool_types ?tool_types_slot ?tool_types_list . }
+
+ # valid_from
+ OPTIONAL {?object xyz:valid_from ?valid_from . }
+
+ }
+
+
+ # Reformat dates to allow ingestion into xsd:dateTime
+ BIND(xsd:dateTime(?created) AS ?dt_created )
+ BIND(xsd:dateTime(?modified) AS ?dt_modified )
+ BIND(xsd:dateTime(?first_seen) AS ?dt_first_seen )
+ BIND(xsd:dateTime(?valid_from) AS ?dt_valid_from )
+
+
+ # Form the IRI for the stixBundle
+ BIND(IRI(CONCAT("http://example/ns/", ?id)) AS ?object_iri )
+ BIND(IRI(CONCAT("http://example/ns/", ?source_ref)) AS ?source_ref_iri )
+ BIND(IRI(CONCAT("http://example/ns/", ?target_ref)) AS ?target_ref_iri )
+
+ BIND( IF(?relationship_type = "uses", stix:uses, ?nothing ) AS ?relation_iri )
+
+ # Form the stix type of either stix:Bundle or stix:StixObject
+ BIND ((IF(?type = "bundle", IRI("http://docs.oasis-open.org/cti/ns/stix#Bundle"), IRI("http://docs.oasis-open.org/cti/ns/stix#StixObject"))) AS ?stixType )
+}
From 5a5df727497b07bb91ac46bdd5619b015ce37622 Mon Sep 17 00:00:00 2001
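Review bot: The object IRIs built at the bottom of WHERE, `BIND(IRI(CONCAT("http://example/ns/", ?id)) AS ?object_iri )` and the two matching binds for `?source_ref` and `?target_ref`, take the `id`, `source_ref` and `target_ref` strings of the ingested bundle verbatim, with nothing checking that they have the STIX `type--uuid` shape, so a malformed or hostile bundle could mint invalid IRIs or relationship triples that point at arbitrary nodes under that namespace. I would add `FILTER(REGEX(?id, "^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"))` right after `?object xyz:id ?id .` and the same regex on `?source_ref` and `?target_ref` inside their OPTIONAL blocks, so anything else is dropped rather than loaded. The `STRUUID()` IRIs minted for the ExternalReference and KillChainPhase nodes also deserve a second look: every run produces fresh nodes, so re-running the mapping over the same bundle duplicates them instead of replacing them, whereas a deterministic key such as `SHA256(CONCAT(?id, ?kill_name, COALESCE(?phase_name, "")))` in place of `STRUUID()` would make the load idempotent. Finally, `?relation_iri` is bound via `IF(?relationship_type = "uses", stix:uses, ?nothing )` but never used in the CONSTRUCT template, so that line can be removed.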
From: Ryan Hohimer Date: Wed, 16 Aug 2023 15:24:03 -0700 Subject: [PATCH 64/70] updating issue-53-reference-implementation branch --- health-agent-lib/catalog-v001.xml | 10 +- knowledgebase-examples/apt1-bcc.ttl | 1347 +++++++++++++++++ knowledgebase-examples/catalog-v001.xml | 61 + .../hal-example.owl | 2 + .../tal-kb-example.owl | 0 stix/catalog-v001.xml | 196 ++- stix/catalog-v001.xml.huh | 101 ++ stix/catalog-v001.xml.save | 54 + stix/core-objects/common-properties.owl | 4 +- stix/core-objects/data-types.owl | 2 +- stix/core-objects/sco/artifact/artifact.owl | 12 + .../autonomus-system/autonomous-system.owl | 29 +- stix/core-objects/sco/directory/directory.owl | 28 +- .../sco/domain-name/domain-name.owl | 29 +- .../sco/email-address/email-address.owl | 31 +- .../sco/email-message/email-message.owl | 15 +- stix/core-objects/sco/file/file.owl | 12 + .../sdo/attack-pattern/attack-pattern.owl | 12 + stix/core-objects/sdo/campaign/campaign.owl | 12 + .../sdo/course-of-action/course-of-action.owl | 12 + stix/core-objects/sdo/grouping/grouping.owl | 12 + stix/core-objects/sdo/identity/identity.owl | 12 + stix/core-objects/sdo/incident/incident.owl | 12 + stix/core-objects/sdo/indicator/indicator.owl | 12 + .../sdo/infrastructure/infrastructure.owl | 12 + .../sdo/intrusion-set/intrusion-set.owl | 12 + stix/core-objects/sdo/location/location.owl | 12 + stix/core-objects/sdo/malware/malware.owl | 12 + stix/core-objects/sdo/note/note.owl | 12 + .../sdo/observed-data/observed-data.owl | 16 +- stix/core-objects/sdo/opinion/opinion.owl | 12 + stix/core-objects/sdo/report/report.owl | 12 + stix/core-objects/sdo/tool/tool.owl | 12 + .../sdo/vulnerability/vulnerability.owl | 12 + .../sro/relationship/relationship.owl | 52 +- stix/core-objects/sro/sighting/sighting.owl | 12 + stix/stix.owl | 2 + tac/catalog-v001.xml | 6 +- threat-agent-lib/catalog-v001.xml | 13 +- 39 files changed, 2049 insertions(+), 177 deletions(-) create mode 100644 knowledgebase-examples/apt1-bcc.ttl create 
mode 100644 knowledgebase-examples/catalog-v001.xml rename {health-agent-lib => knowledgebase-examples}/hal-example.owl (89%) rename {threat-agent-lib => knowledgebase-examples}/tal-kb-example.owl (100%) create mode 100644 stix/catalog-v001.xml.huh create mode 100644 stix/catalog-v001.xml.save diff --git a/health-agent-lib/catalog-v001.xml b/health-agent-lib/catalog-v001.xml index 8cd5331..2d36ecd 100644 --- a/health-agent-lib/catalog-v001.xml +++ b/health-agent-lib/catalog-v001.xml @@ -4,7 +4,7 @@ - + @@ -50,12 +50,12 @@ - + - + - - + + diff --git a/knowledgebase-examples/apt1-bcc.ttl b/knowledgebase-examples/apt1-bcc.ttl new file mode 100644 index 0000000..80d6124 --- /dev/null +++ b/knowledgebase-examples/apt1-bcc.ttl 
@@ -0,0 +1,1347 @@
+@prefix example: .
+@prefix fx: .
+@prefix owl: .
+@prefix rdf: .
+@prefix rdfs: .
+@prefix stix: .
+@prefix xsd: .
+@prefix xyz: .
+
+stix:ExternalReference-4d686c74-4694-46e3-a7c8-c621f91b9763
+ a stix:StixObject ;
+ stix:source_name "lslsass" ;
+ stix:url "http://www.truesec.se" ;
+ .
+
+stix:ExternalReference-5607e771-932f-4a16-8f91-f588cd6888d3
+ a stix:StixObject ;
+ stix:source_name "pwdump7" ;
+ stix:url "http://www.tarasco.org/security/pwdump_7/" ;
+ .
+
+stix:ExternalReference-5a5791ff-82bd-472f-a4c9-a46ad7f86be0
+ a stix:StixObject ;
+ stix:source_name "gsecdump" ;
+ stix:url "http://www.truesec.se" ;
+ .
+
+stix:ExternalReference-7ac7a8ec-7de5-4a0d-87fd-d4719a8424c6
+ a stix:StixObject ;
+ stix:description "spear phishing" ;
+ stix:external-id "CAPEC-163" ;
+ stix:source_name "capec" ;
+ .
+
+stix:ExternalReference-7ec52cf2-d6bc-4e58-9b72-dc847e9ae31e
+ a stix:StixObject ;
+ stix:source_name "mimikatz" ;
+ stix:url "http://blog.gentilkiwi.com/mimikatz" ;
+ .
+
+stix:ExternalReference-f51760fb-d00d-43df-8ae8-2a5b2fddca57
+ a stix:StixObject ;
+ stix:source_name "pass-the-hash toolkit" ;
+ stix:url "http://oss.coresecurity.com/projects/pshtoolkit.htm" ;
+ .
+
+stix:ExternalReference-fbcae96f-6f0e-46f5-ad78-463d320b6219
+ a stix:StixObject ;
+ stix:source_name "fgdump" ;
+ stix:url "http://www.foofus.net/fizzgig/fgdump/" ;
+ .
+
+stix:KillChainPhase-086982fc-52bc-4348-9efa-05d4f21e7887
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-115f3970-2ec7-41d9-bfeb-4ae6af9348cd
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-1fa91ebf-cbe6-405b-8505-cb3a94068f00
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-4ffe816d-1299-4755-b051-736aa0fdb41f
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "complete-mission" ;
+ .
+
+stix:KillChainPhase-50dabf71-d5b3-4331-9842-2d520725bda8
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-6238957b-50c1-4b22-87b6-c3a4cbf9a66a
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "initial-compromise" ;
+ .
+
+stix:KillChainPhase-731e8fe7-e6b9-4b0c-9409-5ff45bab266f
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-734c65d1-9447-4e24-ac91-6aa236d882ed
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-8744e75c-a658-4d18-98bc-e3af2e1466e2
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-8797b1af-7dd8-4422-bcbc-ea055041e735
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "internal-recon" ;
+ .
+
+stix:KillChainPhase-8a16cec9-9683-4616-b73f-52cd2379990c
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-90226c7d-5db6-4edd-8397-862f483cb440
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "move-laterally" ;
+ .
+
+stix:KillChainPhase-ab5907f8-d9aa-4b8d-bf1a-d5f436c213e5
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-b6a6d1f7-006f-47db-b33e-28f38bdcbaef
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "maintain-presence" ;
+ .
+
+stix:KillChainPhase-b9dca787-2fd8-43a6-848b-011cdb86928f
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-bc693e69-aa3e-48f6-8894-b9b8b0a70b4a
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-bcdca901-5f5a-45a5-8b02-024d96c68c65
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "complete-mission" ;
+ .
+
+stix:KillChainPhase-bce0274c-bd48-45b2-b52c-5707fa98f6e3
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-cacf23a3-3581-4e89-83d3-8047f9da005d
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+
+stix:KillChainPhase-dfd987a0-4aa9-4c9f-8fbc-5d2522324a91
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "complete-mission" ;
+ .
+
+stix:KillChainPhase-ed279c70-9ecc-4ef6-a3d6-15053ddc1f10
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-ef7ad8dd-c46f-49e2-8970-f04507699ff9
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "escalate-privileges" ;
+ .
+
+stix:KillChainPhase-f3c00de1-9a80-4a3a-ac92-feacb2fd2bab
+ a stix:StixObject ;
+ stix:kill_chain_name "mandiant-attack-lifecycle-model" ;
+ stix:kill_chain_phase_name "establish-foothold" ;
+ .
+ +stix:alias + a owl:DatatypeProperty ; + . + +stix:created + a owl:DatatypeProperty ; + . + +stix:description + a owl:DatatypeProperty ; + . + +stix:external-id + a owl:DatatypeProperty ; + . + +stix:external_reference + a owl:ObjectProperty ; + . + +stix:first_seen + a owl:DatatypeProperty ; + . + +stix:id + a owl:DatatypeProperty ; + . + +stix:identity_class + a owl:DatatypeProperty ; + . + +stix:indicator_types + a owl:DatatypeProperty ; + . + +stix:kill_chain_name + a owl:DatatypeProperty ; + . + +stix:kill_chain_phase + a owl:ObjectProperty ; + . + +stix:kill_chain_phase_name + a owl:DatatypeProperty ; + . + +stix:kill_chain_phases + a owl:DatatypeProperty ; + . + +stix:malware_types + a owl:DatatypeProperty ; + . + +stix:modified + a owl:DatatypeProperty ; + . + +stix:name + a owl:DatatypeProperty ; + . + +stix:pattern + a owl:DatatypeProperty ; + . + +stix:pattern_type + a owl:DatatypeProperty ; + . + +stix:primary_motivation + a owl:DatatypeProperty ; + . + +stix:relationship_type + a owl:DatatypeProperty ; + . + +stix:resource_level + a owl:DatatypeProperty ; + . + +stix:roles + a owl:DatatypeProperty ; + . + +stix:sectors + a owl:DatatypeProperty ; + . + +stix:source_name + a owl:DatatypeProperty ; + . + +stix:source_ref + a owl:ObjectProperty ; + . + +stix:spec_version + a owl:DatatypeProperty ; + . + +stix:target_ref + a owl:ObjectProperty ; + . + +stix:tool_types + a owl:DatatypeProperty ; + . + +stix:type + a owl:DatatypeProperty ; + . + +stix:url + a owl:DatatypeProperty ; + . + +stix:valid_from + a owl:DatatypeProperty ; + . + +example:attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Similar to other APT groups we track, once APT1 finds files of interest they pack them into archive files before stealing them. APT intruders most commonly use the RAR archiving utility for this task and ensure that the archives are password protected. 
Sometimes APT1 intruders use batch scripts to assist them in the process. After creating files compressed via RAR, the APT1 attackers will transfer files out of the network in ways that are consistent with other APT groups, including using the File Transfer Protocol (FTP) or their existing backdoors. Many times their RAR files are so large that the attacker splits them into chunks before transferring them. Unlike most other APT groups we track, APT1 uses two email-stealing utilities that we believe are unique to APT1. The first, GETMAIL, was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ('PST') files. The GETMAIL utility allows APT1 intruders the flexibility to take only the emails between dates of their choice. In one case, we observed an APT1 intruder return to a compromised system once a week for four weeks in a row to steal only the past week’s emails. Whereas GETMAIL steals email in Outlook archive files, the second utility, MAPIGET, was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server. In order to operate successfully, MAPIGET requires username/password combinations that the Exchange server will accept. MAPIGET extracts email from specified accounts into text files (for the email body) and separate attachments, if there are any." ; + stix:id "attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4" ; + stix:kill_chain_phase stix:KillChainPhase-dfd987a0-4aa9-4c9f-8fbc-5d2522324a91 ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Completing the Mission" ; + stix:spec_version "2.1" ; + stix:type "attack-pattern" ; + . 
+ +example:attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected. They can connect to shared resources on other systems. They can execute commands on other systems using the publicly available 'psexec' tool from Microsoft Sysinternals or the built-in Windows Task Scheduler ('at.exe')." ; + stix:id "attack-pattern--0bea2358-c244-4905-a664-a5cdce7bb767" ; + stix:kill_chain_phase stix:KillChainPhase-90226c7d-5db6-4edd-8397-862f483cb440 ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Lateral Movement" ; + stix:spec_version "2.1" ; + stix:type "attack-pattern" ; + . + +example:attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "APT1 establishes a foothold once email recipients open a malicious file and a backdoor is subsequently installed. In almost every case, APT backdoors initiate outbound connections to the intruder’s 'command and control' (C2) server. While APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT, the vast majority of the time they use what appear to be their own custom backdoors. APT1’s backdoors are in two categories: 'Beachhead Backdoors' and 'Standard Backdoors.' Beachhead Backdoors offer the attacker a toe-hold to perform simple tasks like retrieve files, gather basic system information and trigger the execution of other more significant capabilities such as a standard backdoor. APT1’s beachhead backdoors are usually what we call WEBC2 backdoors. WEBC2 backdoors are probably the most well-known kind of APT1 backdoor, and are the reason why some security companies refer to APT1 as the Comment Crew. 
A WEBC2 backdoor is designed to retrieve a webpage from a C2 server. It expects the webpage to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. WEBC2 backdoors are often packaged with spear phishing emails. Once installed, APT1 intruders have the option to tell victim systems to download and execute additional malicious software of their choice. The standard, non-WEBC2 APT1 backdoor typically communicates using the HTTP protocol (to blend in with legitimate web traffic) or a custom protocol that the malware authors designed themselves. The BISCUIT backdoor (so named for the command “bdkzt”) is an illustrative example of the range of commands that APT1 has built into its “standard” backdoors. APT1 has used and steadily modified BISCUIT since as early as 2007 and continues to use it presently. Some APT backdoors attempt to mimic legitimate Internet traffic other than the HTTP protocol. When network defenders see the communications between these backdoors and their C2 servers, they might easily dismiss them as legitimate network traffic. Additionally, many of APT1’s backdoors use SSL encryption so that communications are hidden in an encrypted SSL tunnel." ; + stix:id "attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49" ; + stix:kill_chain_phase stix:KillChainPhase-bce0274c-bd48-45b2-b52c-5707fa98f6e3 ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Establishing a Foothold" ; + stix:spec_version "2.1" ; + stix:type "attack-pattern" ; + . + +example:attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "As with most other APT groups, spear phishing is APT1’s most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient. 
APT1 also creates webmail accounts using real peoples’ names — names that are familiar to the recipient, such as a colleague, a company executive, an IT department employee, or company counsel. The files they use contain malicious executables that install a custom APT1 backdoor that we call WEBC2-TABLE." ; + stix:external_reference stix:ExternalReference-7ac7a8ec-7de5-4a0d-87fd-d4719a8424c6 ; + stix:id "attack-pattern--3098c57b-d623-4c11-92f4-5905da66658b" ; + stix:kill_chain_phase stix:KillChainPhase-6238957b-50c1-4b22-87b6-c3a4cbf9a66a ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Initial Compromise" ; + stix:spec_version "2.1" ; + stix:type "attack-pattern" ; + . + +example:attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "In the Internal Reconnaissance stage, the intruder collects information about the victim environment. Like most APT (and non-APT) intruders, APT1 primarily uses built-in operating system commands to explore a compromised system and its networked environment. Although they usually simply type these commands into a command shell, sometimes intruders may use batch scripts to speed up the process." ; + stix:id "attack-pattern--5728f45b-2eca-4942-a7f6-bc4267c1ab8d" ; + stix:kill_chain_phase stix:KillChainPhase-8797b1af-7dd8-4422-bcbc-ea055041e735 ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Internal Reconnaisance" ; + stix:spec_version "2.1" ; + stix:type "attack-pattern" ; + . + +example:attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "In this stage, the intruder takes actions to ensure continued, long-term control over key systems in the network environment from outside of the network. 
APT1 does this in three ways: Install new backdoors on multiple systems, use legitimate VPN credentials, and log in to web portals." ; + stix:id "attack-pattern--7151c6d0-7e97-47ce-9290-087315ea3db7" ; + stix:kill_chain_phase stix:KillChainPhase-b6a6d1f7-006f-47db-b33e-28f38bdcbaef ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Maintain Presence" ; + stix:spec_version "2.1" ; + stix:type "attack-pattern" ; + . + +example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Escalating privileges involves acquiring items (most often usernames and passwords) that will allow access to more resources within the network. APT1 predominantly uses publicly available tools to dump password hashes from victim systems in order to obtain legitimate user credentials." ; + stix:id "attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827" ; + stix:kill_chain_phase stix:KillChainPhase-731e8fe7-e6b9-4b0c-9409-5ff45bab266f ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Privilege Escalation" ; + stix:spec_version "2.1" ; + stix:type "attack-pattern" ; + . + +example:identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca" ; + stix:identity_class "individual" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "dota" ; + stix:sectors "government-national" ; + stix:spec_version "2.1" ; + stix:type "identity" ; + . 
+ +example:identity--a9119a87-6576-46af-bfd7-4fbe55926671 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "identity--a9119a87-6576-46af-bfd7-4fbe55926671" ; + stix:identity_class "individual" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "JackWang" ; + stix:sectors "government-national" ; + stix:spec_version "2.1" ; + stix:type "identity" ; + . + +example:identity--e88ab115-7768-4630-baa3-3d49a7d946ea + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "identity--e88ab115-7768-4630-baa3-3d49a7d946ea" ; + stix:identity_class "individual" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Wang Dong" ; + stix:sectors "government-national" ; + stix:spec_version "2.1" ; + stix:type "identity" ; + . + +example:identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b" ; + stix:identity_class "individual" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Mei Qiang" ; + stix:sectors "government-national" ; + stix:spec_version "2.1" ; + stix:type "identity" ; + . + +example:indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5" ; + stix:indicator_types "malicious-activity" ; + stix:kill_chain_phase stix:KillChainPhase-cacf23a3-3581-4e89-83d3-8047f9da005d ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "HTRAN Hop Point Accessor" ; + stix:pattern "[ipv4-addr:value = '223.166.0.0/15']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . 
+ +example:indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e" ; + stix:indicator_types "malicious-activity" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "FQDN msnhome.org" ; + stix:pattern "[domain-name:value = 'msnhome.org']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . + +example:indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--1dbe6ed0-c305-458f-9cce-f83c678f5afd" ; + stix:indicator_types "malicious-activity" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Appendix E MD5 hash '00dbb9e1c09dbdafb360f3163ba5a3de'" ; + stix:pattern "[file:hashes.md5 = '00dbb9e1c09dbdafb360f3163ba5a3de']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . + +example:indicator--2173d108-5714-42fd-8213-4f3790259fda + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--2173d108-5714-42fd-8213-4f3790259fda" ; + stix:indicator_types "malicious-activity" ; + stix:kill_chain_phase stix:KillChainPhase-f3c00de1-9a80-4a3a-ac92-feacb2fd2bab ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "HTRAN Hop Point Accessor" ; + stix:pattern "[ipv4-addr:value = '112.64.0.0/15']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . 
+ +example:indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba" ; + stix:indicator_types "malicious-activity" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "FQDN hugesoft.org" ; + stix:pattern "[domain-name:value = 'hugesoft.org']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . + +example:indicator--745e1537-b4f3-49da-9f64-df6b1b5df190 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--745e1537-b4f3-49da-9f64-df6b1b5df190" ; + stix:indicator_types "malicious-activity" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Appendix E MD5 hash '002325a0a67fded0381b5648d7fe9b8e'" ; + stix:pattern "[file:hashes.md5 = '002325a0a67fded0381b5648d7fe9b8e']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . + +example:indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d" ; + stix:indicator_types "malicious-activity" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "FQDN arrowservice.net" ; + stix:pattern "[domain-name:value = 'arrowservice.net']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . 
+ +example:indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4" ; + stix:indicator_types "malicious-activity" ; + stix:kill_chain_phase stix:KillChainPhase-8744e75c-a658-4d18-98bc-e3af2e1466e2 ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "HTRAN Hop Point Accessor" ; + stix:pattern "[ipv4-addr:value = '139.226.0.0/15']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . + +example:indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--8d12f44f-8ac0-4b12-8b4a-3699ca8c9691" ; + stix:indicator_types "malicious-activity" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Appendix E MD5 hash '001dd76872d80801692ff942308c64e6'" ; + stix:pattern "[file:hashes.md5 = '001dd76872d80801692ff942308c64e6']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . + +example:indicator--b3b6b540-d838-41e2-853b-005056c00008 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." 
; + stix:id "indicator--b3b6b540-d838-41e2-853b-005056c00008" ; + stix:indicator_types "malicious-activity" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Appendix F SSL Certificate for serial number '(Negative)4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28'" ; + stix:pattern "[x509-certificate:issuer = 'CN=WEBMAIL' AND x509-certificate:serial_number = '4c:0b:1d:19:74:86:a7:66:b4:1a:bf:40:27:21:76:28']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . + +example:indicator--b3b7035e-d838-41e2-8d38-005056c00008 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." ; + stix:id "indicator--b3b7035e-d838-41e2-8d38-005056c00008" ; + stix:indicator_types "malicious-activity" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Appendix F SSL Certificate for serial number '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c'" ; + stix:pattern "[x509-certificate:issuer = 'CN=LM-68AB71FBD8F5' AND x509-certificate:serial_number = '0e:97:88:1c:6c:a1:37:96:42:03:bc:45:42:24:75:6c']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . + +example:indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Test description." 
; + stix:id "indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0" ; + stix:indicator_types "malicious-activity" ; + stix:kill_chain_phase stix:KillChainPhase-1fa91ebf-cbe6-405b-8505-cb3a94068f00 ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "HTRAN Hop Point Accessor" ; + stix:pattern "[ipv4-addr:value = '58.246.0.0/15']" ; + stix:pattern_type "stix" ; + stix:spec_version "2.1" ; + stix:type "indicator" ; + stix:valid_from "2015-05-15T09:12:16.432678Z"^^xsd:dateTime ; + . + +example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a + a stix:StixObject ; + stix:alias + "Comment Crew" , + "Comment Group" , + "Shady Rat" + ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006." ; + stix:first_seen "2006-06-01T18:13:15.684Z"^^xsd:dateTime ; + stix:id "intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "APT1" ; + stix:primary_motivation "organizational-gain" ; + stix:resource_level "government" ; + stix:spec_version "2.1" ; + stix:type "intrusion-set" ; + . + +example:malware--0f01c5a3-f516-4450-9381-4dd9f2279411 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands." ; + stix:id "malware--0f01c5a3-f516-4450-9381-4dd9f2279411" ; + stix:kill_chain_phase stix:KillChainPhase-bc693e69-aa3e-48f6-8894-b9b8b0a70b4a ; + stix:malware_types + "backdoor" , + "remote-access-trojan" + ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "WEBC2 Backdoor" ; + stix:spec_version "2.1" ; + stix:type "malware" ; + . 
+ +example:malware--2485b844-4efe-4343-84c8-eb33312dd56f + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "This malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files." ; + stix:id "malware--2485b844-4efe-4343-84c8-eb33312dd56f" ; + stix:malware_types + "backdoor" , + "dropper" , + "remote-access-trojan" + ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "MANITSME" ; + stix:spec_version "2.1" ; + stix:type "malware" ; + . + +example:malware--33159b98-3264-4e10-a968-d67975b6272f + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "When APT1 attackers are not using WEBC2, they require a “command and control” (C2) user interface so they can issue commands to the backdoor. This interface sometimes runs on their personal attack system, which is typically in Shanghai. In these instances, when a victim backdoor makes contact with a hop, the communications need to be forwarded from the hop to the intruder’s Shanghai system so the backdoor can talk to the C2 server software. We have observed 767 separate instances in which APT1 intruders used the publicly available “HUC Packet Transmit Tool” or HTRAN on a hopThe HTRAN utility is merely a middle-man, facilitating connections between the victim and the attacker who is using the hop point." ; + stix:id "malware--33159b98-3264-4e10-a968-d67975b6272f" ; + stix:kill_chain_phase stix:KillChainPhase-086982fc-52bc-4348-9efa-05d4f21e7887 ; + stix:malware_types + "backdoor" , + "remote-access-trojan" + ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "HUC Packet Transmit Tool (HTRAN)" ; + stix:spec_version "2.1" ; + stix:type "malware" ; + . 
+ +example:malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "A WEBC2 backdoor is designed to retrieve a Web page from a C2 server. It expects the page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands." ; + stix:id "malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0" ; + stix:malware_types + "backdoor" , + "remote-access-trojan" + ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "WEBC2-UGX" ; + stix:spec_version "2.1" ; + stix:type "malware" ; + . + +example:malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Malware family that contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, etc." ; + stix:id "malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca" ; + stix:malware_types + "backdoor" , + "keylogger" + ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "BANGAT" ; + stix:spec_version "2.1" ; + stix:type "malware" ; + . + +example:malware--fb490cdb-6760-41eb-a79b-0b930a50c017 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Malware family that contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, etc." ; + stix:id "malware--fb490cdb-6760-41eb-a79b-0b930a50c017" ; + stix:malware_types + "backdoor" , + "keylogger" + ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "AURIGA" ; + stix:spec_version "2.1" ; + stix:type "malware" ; + . 
+ +example:relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "relationship--066593e1-49a4-4a3d-a5bb-2e0b4ce1a63c" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:relationship_type "uses" ; + stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ; + stix:spec_version "2.1" ; + stix:target_ref example:tool--ce45f721-af14-4fc0-938c-000c16186418 ; + stix:type "relationship" ; + . + +example:relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "relationship--1fbd9a8d-4c14-431c-9520-3ccc50b748c1" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:relationship_type "uses" ; + stix:source_ref example:attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4 ; + stix:spec_version "2.1" ; + stix:target_ref example:tool--806a8f83-4913-4216-bb19-02b48ae25da5 ; + stix:type "relationship" ; + . + +example:relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "relationship--25586f60-bc27-47d6-9a8e-d1c6456c2f28" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:relationship_type "uses" ; + stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ; + stix:spec_version "2.1" ; + stix:target_ref example:tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9 ; + stix:type "relationship" ; + . 
+
+example:relationship--306ce398-f708-47f9-88a1-38aa5b9985fc
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--306ce398-f708-47f9-88a1-38aa5b9985fc" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--ea50ecb7-2cd4-4895-bd08-31cd591ed0ca ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--340cb676-79ff-49e9-b6ba-cd27e06772c4" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--4215b0e5-928e-4b2a-9b5f-64819f287f48 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--35f7a2bb-e4e2-4e56-8693-665bbb64162c" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--c0217091-9d3d-42a1-8952-ccc12d4ad8d0 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--389a8dcd-8663-4f18-8584-d69a77bd71aa" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--3f3ff9f1-bb4e-4392-89e5-1991179042ba ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--3921b161-5872-4c21-8ab0-b5b84233f3dc" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--2173d108-5714-42fd-8213-4f3790259fda ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--44686fda-311c-4cdb-abef-80e922e7a3fb
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--44686fda-311c-4cdb-abef-80e922e7a3fb" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--98fd8dc1-6cc7-4908-899f-07473f55149a ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--61f4fd3b-f581-4497-9149-e624c317287b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--61f4fd3b-f581-4497-9149-e624c317287b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--6598bf44-1c10-4218-af9f-75b5b71c23a7" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--2485b844-4efe-4343-84c8-eb33312dd56f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--6ffbec81-fa01-4b98-8726-c9d9fb2ef6b6" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--71e6832f-17ee-42fd-938d-c7f881be2028
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--71e6832f-17ee-42fd-938d-c7f881be2028" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--ecf1c7de-d96c-41c6-a510-b9c65cdc9e3b ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--765815fb-d993-4a1d-959f-7f7bcc4a5eb3" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--7cede760-b866-490e-ad5b-1df34bc14f8d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--7cede760-b866-490e-ad5b-1df34bc14f8d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--031778a4-057f-48e6-9db9-c8d72b81ccd5 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--81827b05-8c20-4247-b5d8-674295a1c611
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--81827b05-8c20-4247-b5d8-674295a1c611" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--8ce03314-dfea-4498-ac9b-136e41ab00e4 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--85b2a834-e4b5-4299-9a6b-bf2ac26dde7b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--1e2c4237-d469-4144-9c0b-9e5c0c513c49 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--0f01c5a3-f516-4450-9381-4dd9f2279411 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--8668d82a-1c97-4bea-a367-e391b025e00e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--8668d82a-1c97-4bea-a367-e391b025e00e" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--94624865-2709-443f-9b4c-2891985fd69b ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--912b31d0-09c5-4a71-bfc6-a52bd5989a1b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--1002c58e-cbde-4930-b5ee-490037fd4f7e ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--9908520f-b25d-44a8-900b-d4e0825dcd0d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--0781fe70-4c94-4300-8865-4b08b98611b4 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--9dd881a7-6e9b-4c35-bef5-7a777bca65d3" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--fb490cdb-6760-41eb-a79b-0b930a50c017 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--a20b8626-a15e-41f0-bcb1-c05321e126f0" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "attributed-to" ;
+ stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:identity--e88ab115-7768-4630-baa3-3d49a7d946ea ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--b2806dec-6f20-4a0d-ae9a-d4b1f7be71e3" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--da1d061b-2bc9-467a-b16f-8d14f468e1f0 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:malware--33159b98-3264-4e10-a968-d67975b6272f ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--b345f1d0-09c5-4a71-bfc6-a52bd5923a01" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "indicates" ;
+ stix:source_ref example:indicator--8390fd29-24ed-45d4-84d7-c5e5feaf195d ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--b385d984-ba8a-4180-8e0e-af7b9987bcb8" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--c9c66478-c9cf-49cd-bca2-66ce34a9c56d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--266b12f2-aa16-4607-809e-f2d33eebb52e ;
+ stix:type "relationship" ;
+ .
+
+example:relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "relationship--d080c1ea-1dd7-4da9-b64b-e68bb1c5887e" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:relationship_type "uses" ;
+ stix:source_ref example:attack-pattern--e13f3e6d-4f9c-4265-b1cf-f997a1bf7827 ;
+ stix:spec_version "2.1" ;
+ stix:target_ref example:tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa ;
+ stix:type "relationship" ;
+ .
+ +example:relationship--d84cf283-93be-4ca7-890d-76c63eff3636 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "relationship--d84cf283-93be-4ca7-890d-76c63eff3636" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:relationship_type "attributed-to" ; + stix:source_ref example:threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636 ; + stix:spec_version "2.1" ; + stix:target_ref example:identity--0e9d20d9-fb11-42e3-94bc-b89fb5b007ca ; + stix:type "relationship" ; + . + +example:relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "relationship--e0ca2caa-7fa0-4f36-ad19-96f107eb6023" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:relationship_type "attributed-to" ; + stix:source_ref example:intrusion-set--da1065ce-972c-4605-8755-9cd1074e3b5a ; + stix:spec_version "2.1" ; + stix:target_ref example:threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d ; + stix:type "relationship" ; + . + +example:relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "relationship--fd5cda8b-f45f-43bd-a9da-e521ddd7126e" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:relationship_type "attributed-to" ; + stix:source_ref example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 ; + stix:spec_version "2.1" ; + stix:target_ref example:identity--a9119a87-6576-46af-bfd7-4fbe55926671 ; + stix:type "relationship" ; + . + +example:report--e33ffe07-2f4c-48d8-b0af-ee2619d765cf + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Since 2004, Mandiant has investigated computer security breaches at hundreds of organizations around the world. The majority of these security breaches are attributed to advanced threat actors referred to as the 'Advanced Persistent Threat' (APT). 
We first published details about the APT in our January 2010 M-Trends report. As we stated in the report, our position was that 'The Chinese government may authorize this activity, but theres no way to determine the extent of its involvement.' Now, three years later, we have the evidence required to change our assessment. The details we have analyzed during hundreds of investigations convince us that the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them. Mandiant continues to track dozens of APT groups around the world; however, this report is focused on the most prolific of these groups. We refer to this group as 'APT1' and it is one of more than 20 APT groups with origins in China. APT1 is a single organization of operators that has conducted a cyber espionage campaign against a broad range of victims since at least 2006. From our observations, it is one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen. The scale and impact of APT1's operations compelled us to write this report. The activity we have directly observed likely represents only a small fraction of the cyber espionage that APT1 has conducted. Though our visibility of APT1's activities is incomplete, we have analyzed the group's intrusions against nearly 150 victims over seven years. From our unique vantage point responding to victims, we tracked APT1 back to four large networks in Shanghai, two of which are allocated directly to the Pudong New Area. We uncovered a substantial amount of APT1's attack infrastructure, command and control, and modus operandi (tools, tactics, and procedures). In an effort to underscore there are actual individuals behind the keyboard, Mandiant is revealing three personas we have attributed to APT1. These operators, like soldiers, may merely be following orders given to them by others. 
Our analysis has led us to conclude that APT1 is likely government-sponsored and one of the most persistent of China's cyber threat actors. We believe that APT1 is able to wage such a long-running and extensive cyber espionage campaign in large part because it receives direct government support. In seeking to identify the organization behind this activity, our research found that People's Liberation Army (PLA's) Unit 61398 is similar to APT1 in its mission, capabilities, and resources. PLA Unit 61398 is also located in precisely the same area from which APT1 activity appears to originate." ; + stix:id "report--e33ffe07-2f4c-48d8-b0af-ee2619d765cf" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "APT1: Exposing One of China's Cyber Espionage Units" ; + stix:spec_version "2.1" ; + stix:type "report" ; + . + +example:threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21 + a stix:StixObject ; + stix:alias + "Raith" , + "Rodney" , + "dota" + ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "threat-actor--02e7c48f-0301-4c23-b3e4-02e5a0114c21" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "SuperHard" ; + stix:primary_motivation "organizational-gain" ; + stix:resource_level "government" ; + stix:roles "malware-author" ; + stix:spec_version "2.1" ; + stix:type "threat-actor" ; + . + +example:threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65 + a stix:StixObject ; + stix:alias + "Greenfield" , + "JackWang" , + "Wang Dong" + ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:id "threat-actor--6d179234-61fc-40c4-ae86-3d53308d8e65" ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "Ugly Gorilla" ; + stix:primary_motivation "organizational-gain" ; + stix:resource_level "government" ; + stix:roles + "agent" , + "infrastructure-operator" , + "malware-author" + ; + stix:spec_version "2.1" ; + stix:type "threat-actor" ; + . 
+
+example:threat-actor--94624865-2709-443f-9b4c-2891985fd69b
+ a stix:StixObject ;
+ stix:alias
+ "Military Unit Cover Designator (MUCD) 61398" ,
+ "PLA GSD's 3rd Department, 2nd Bureau"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Unit 61398 functions as the Third Department's premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence." ;
+ stix:id "threat-actor--94624865-2709-443f-9b4c-2891985fd69b" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Unit 61398" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles "agent" ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d
+ a stix:StixObject ;
+ stix:alias "CPC" ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description " The CPC is the ultimate authority in Mainland China and tasks the PLA to commit cyber espionage and data theft against organizations around the world." ;
+ stix:id "threat-actor--d5b62b58-df7c-46b1-a435-4d01945fe21d" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "Communist Party of China" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles
+ "director" ,
+ "sponsor"
+ ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636
+ a stix:StixObject ;
+ stix:alias
+ "Raith" ,
+ "Rodney" ,
+ "dota"
+ ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:id "threat-actor--d84cf283-93be-4ca7-890d-76c63eff3636" ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "DOTA" ;
+ stix:primary_motivation "organizational-gain" ;
+ stix:resource_level "government" ;
+ stix:roles
+ "agent" ,
+ "infrastructure-operator"
+ ;
+ stix:spec_version "2.1" ;
+ stix:type "threat-actor" ;
+ .
+
+example:tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Obtains password hashes from the Windows registry, including the SAM file, cached domain credentials, and LSA secrets" ;
+ stix:external_reference stix:ExternalReference-5a5791ff-82bd-472f-a4c9-a46ad7f86be0 ;
+ stix:id "tool--1cf6a3b8-be43-4c1a-b042-546a890c31b2" ;
+ stix:kill_chain_phase stix:KillChainPhase-ed279c70-9ecc-4ef6-a3d6-15053ddc1f10 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "gsecdump" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--266b12f2-aa16-4607-809e-f2d33eebb52e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Allows an intruder to “pass” a password hash (without knowing the original password) to log in to systems" ;
+ stix:external_reference stix:ExternalReference-f51760fb-d00d-43df-8ae8-2a5b2fddca57 ;
+ stix:id "tool--266b12f2-aa16-4607-809e-f2d33eebb52e" ;
+ stix:kill_chain_phase stix:KillChainPhase-ab5907f8-d9aa-4b8d-bf1a-d5f436c213e5 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "pass-the-hash toolkit" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--4215b0e5-928e-4b2a-9b5f-64819f287f48
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Dumps password hashes from the Windows registry" ;
+ stix:id "tool--4215b0e5-928e-4b2a-9b5f-64819f287f48" ;
+ stix:kill_chain_phase stix:KillChainPhase-50dabf71-d5b3-4331-9842-2d520725bda8 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "pwdumpX" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Dump active logon session password hashes from the lsass process" ;
+ stix:external_reference stix:ExternalReference-4d686c74-4694-46e3-a7c8-c621f91b9763 ;
+ stix:id "tool--4d82bd3e-24a3-4f9d-b8f3-b57267fe06a9" ;
+ stix:kill_chain_phase stix:KillChainPhase-734c65d1-9447-4e24-ac91-6aa236d882ed ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "lslsass" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "A utility primarily used for dumping password hashes" ;
+ stix:external_reference stix:ExternalReference-7ec52cf2-d6bc-4e58-9b72-dc847e9ae31e ;
+ stix:id "tool--7de5dfcc-6809-4772-9f11-cf26c2be53aa" ;
+ stix:kill_chain_phase stix:KillChainPhase-b9dca787-2fd8-43a6-848b-011cdb86928f ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "mimikatz" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--806a8f83-4913-4216-bb19-02b48ae25da5
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "MAPIGET was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server." ;
+ stix:id "tool--806a8f83-4913-4216-bb19-02b48ae25da5" ;
+ stix:kill_chain_phase stix:KillChainPhase-4ffe816d-1299-4755-b051-736aa0fdb41f ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "MAPIGET" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "information-gathering" ;
+ stix:type "tool" ;
+ .
+
+example:tool--98fd8dc1-6cc7-4908-899f-07473f55149a
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "Dumps password hashes from the Windows registry" ;
+ stix:external_reference stix:ExternalReference-5607e771-932f-4a16-8f91-f588cd6888d3 ;
+ stix:id "tool--98fd8dc1-6cc7-4908-899f-07473f55149a" ;
+ stix:kill_chain_phase stix:KillChainPhase-115f3970-2ec7-41d9-bfeb-4ae6af9348cd ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "pwdump7" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "credential-exploitation" ;
+ stix:type "tool" ;
+ .
+
+example:tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e
+ a stix:StixObject ;
+ stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:description "GETMAIL was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive (“PST”) files." ;
+ stix:id "tool--a6dd62d0-9683-48bf-a9cd-61e7eceae57e" ;
+ stix:kill_chain_phase stix:KillChainPhase-bcdca901-5f5a-45a5-8b02-024d96c68c65 ;
+ stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ;
+ stix:name "GETMAIL" ;
+ stix:spec_version "2.1" ;
+ stix:tool_types "information-gathering" ;
+ stix:type "tool" ;
+ .
+ +example:tool--ce45f721-af14-4fc0-938c-000c16186418 + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "This program extracts cached password hashes from a system’s registry." ; + stix:id "tool--ce45f721-af14-4fc0-938c-000c16186418" ; + stix:kill_chain_phase stix:KillChainPhase-8a16cec9-9683-4616-b73f-52cd2379990c ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "cachedump" ; + stix:spec_version "2.1" ; + stix:tool_types "credential-exploitation" ; + stix:type "tool" ; + . + +example:tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c + a stix:StixObject ; + stix:created "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:description "Windows password hash dumper" ; + stix:external_reference stix:ExternalReference-fbcae96f-6f0e-46f5-ad78-463d320b6219 ; + stix:id "tool--e9778c42-bc2f-4eda-9fb4-6a931834f68c" ; + stix:kill_chain_phase stix:KillChainPhase-ef7ad8dd-c46f-49e2-8970-f04507699ff9 ; + stix:modified "2015-05-15T09:12:16.432Z"^^xsd:dateTime ; + stix:name "fgdump" ; + stix:spec_version "2.1" ; + stix:tool_types "credential-exploitation" ; + stix:type "tool" ; + . + diff --git a/knowledgebase-examples/catalog-v001.xml b/knowledgebase-examples/catalog-v001.xml new file mode 100644 index 0000000..06713e3 --- /dev/null +++ b/knowledgebase-examples/catalog-v001.xml @@ -0,0 +1,61 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/health-agent-lib/hal-example.owl b/knowledgebase-examples/hal-example.owl similarity index 89% rename from health-agent-lib/hal-example.owl rename to knowledgebase-examples/hal-example.owl index 43c7574..9ca0bd5 100644 --- a/health-agent-lib/hal-example.owl +++ b/knowledgebase-examples/hal-example.owl @@ -21,7 +21,9 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> + + \ No newline at end of file 
diff --git a/threat-agent-lib/tal-kb-example.owl b/knowledgebase-examples/tal-kb-example.owl similarity index 100% rename from threat-agent-lib/tal-kb-example.owl rename to knowledgebase-examples/tal-kb-example.owl diff --git a/stix/catalog-v001.xml b/stix/catalog-v001.xml index 1388af9..1268d81 100644 --- a/stix/catalog-v001.xml +++ b/stix/catalog-v001.xml @@ -1,108 +1,98 @@ - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + -<<<<<<< HEAD - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -======= - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ->>>>>>> 3b01ca5466b08dffd52abcbd6cc1aa73bcd136eb + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/catalog-v001.xml.huh b/stix/catalog-v001.xml.huh new file mode 100644 index 0000000..f518c20 --- /dev/null +++ b/stix/catalog-v001.xml.huh @@ -0,0 +1,101 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/catalog-v001.xml.save b/stix/catalog-v001.xml.save new file mode 100644 index 0000000..7ffab8e --- /dev/null +++ b/stix/catalog-v001.xml.save @@ -0,0 +1,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/stix/core-objects/common-properties.owl b/stix/core-objects/common-properties.owl index 747d276..71488eb 100644 --- a/stix/core-objects/common-properties.owl +++ b/stix/core-objects/common-properties.owl @@ -15,8 +15,8 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - - + + 2.1.0 diff --git a/stix/core-objects/data-types.owl b/stix/core-objects/data-types.owl index 4984037..afb574c 100644 --- a/stix/core-objects/data-types.owl +++ b/stix/core-objects/data-types.owl 
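Review bot: `stix/catalog-v001.xml.huh` and `stix/catalog-v001.xml.save` are added as new files in this hunk set, and from their names and their being near-duplicates of `stix/catalog-v001.xml` they look like editor and merge leftovers rather than intended sources — the same set of hunks removes `<<<<<<< HEAD` / `=======` / `>>>>>>> 3b01ca5466b08dffd52abcbd6cc1aa73bcd136eb` markers from the real catalog, so these are presumably the pre-resolution copies kept while the conflict was fixed. Committing them leaves two stale copies of the ontology catalog in the tree that will silently drift from the canonical one and confuse anyone opening the project in an OWL editor. Drop both files from the commit and add a `*.save` entry to `.gitignore` so editor backups are not picked up again; the catalog contents themselves are stripped in this view, so I cannot check whether the resolved `stix/catalog-v001.xml` kept the right set of mappings.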
@@ -15,7 +15,7 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema#"> - + 2.1.0 diff --git a/stix/core-objects/sco/artifact/artifact.owl b/stix/core-objects/sco/artifact/artifact.owl index a70e6ca..355d504 100644 --- a/stix/core-objects/sco/artifact/artifact.owl +++ b/stix/core-objects/sco/artifact/artifact.owl @@ -60,6 +60,18 @@ Artifact The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. One of payload_bin or url MUST be provided. It is incumbent on object creators to ensure that the URL is accessible for downstream consumers. + + + + + + + + artifact + + + + diff --git a/stix/core-objects/sco/autonomus-system/autonomous-system.owl b/stix/core-objects/sco/autonomus-system/autonomous-system.owl index cfccd32..495093e 100644 --- a/stix/core-objects/sco/autonomus-system/autonomous-system.owl +++ b/stix/core-objects/sco/autonomus-system/autonomous-system.owl @@ -7,6 +7,7 @@ ]> - AutonomousSystem - This object represents the properties of an Autonomous System (AS). + AutonomousSystem + This object represents the properties of an Autonomous System (AS). + + + + + + + + autonomous-system + + + + - name - Specifies the name of the AS. + name + Specifies the name of the AS. - number - Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registry (RIR). + number + Specifies the number assigned to the AS. Such assignments are typically performed by a Regional Internet Registry (RIR). - rir - Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS. + rir + Specifies the name of the Regional Internet Registry (RIR) that assigned the number to the AS. diff --git a/stix/core-objects/sco/directory/directory.owl b/stix/core-objects/sco/directory/directory.owl index 94b8795..71bff94 100644 --- a/stix/core-objects/sco/directory/directory.owl +++ b/stix/core-objects/sco/directory/directory.owl @@ -7,6 +7,7 @@ ]> - 
@@ -65,7 +65,19 @@ Directory Object - The Directory object represents the properties common to a file system directory. + The Directory object represents the properties common to a file system directory. + + + + + + + + directory + + + + @@ -80,10 +92,10 @@ - - + + @@ -108,14 +120,14 @@ - path - Specifies the path, as originally observed, to the directory on the file system. + path + Specifies the path, as originally observed, to the directory on the file system. - path_enc - Specifies the observed encoding for the path. The value MUST be specified if the path is stored in a non-Unicode encoding. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the preferred MIME name for a character set is defined, this value MUST be used; if it is not defined, then the Name value from the registry MUST be used instead. + path_enc + Specifies the observed encoding for the path. The value MUST be specified if the path is stored in a non-Unicode encoding. This value MUST be specified using the corresponding name from the 2013-12-20 revision of the IANA character set registry [Character Sets]. If the preferred MIME name for a character set is defined, this value MUST be used; if it is not defined, then the Name value from the registry MUST be used instead. diff --git a/stix/core-objects/sco/domain-name/domain-name.owl b/stix/core-objects/sco/domain-name/domain-name.owl index 5188abb..f568524 100644 --- a/stix/core-objects/sco/domain-name/domain-name.owl +++ b/stix/core-objects/sco/domain-name/domain-name.owl @@ -7,6 +7,7 @@ ]> - - 
@@ -42,13 +41,25 @@ - Domain Name - The Domain Name object represents the properties of a network domain name. + Domain Name + The Domain Name object represents the properties of a network domain name. + + + + + + + + domain-name + + + + - resolved_to_refs - Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). + resolved_to_refs + Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). @@ -64,13 +75,13 @@ - resolved_to_refs_id - Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). + resolved_to_refs_id + Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to. The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records). - value + value Specifies the value of the domain name. The value of this property MUST conform to [RFC1034], and each domain and sub-domain contained within the domain name MUST conform to [RFC5890]. diff --git a/stix/core-objects/sco/email-address/email-address.owl b/stix/core-objects/sco/email-address/email-address.owl index 04caaa4..db405b0 100644 --- a/stix/core-objects/sco/email-address/email-address.owl +++ b/stix/core-objects/sco/email-address/email-address.owl @@ -4,13 +4,16 @@ + ]> 
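Review bot: The new `resolved_to_refs_id` label is paired with a comment that is a verbatim copy of the `resolved_to_refs` comment, so a reader cannot tell how the two properties differ (presumably one holds object references and the other the STIX identifier strings, but the stripped markup does not show the ranges). The same duplicated wording is added for `belongs_to_ref`/`belongs_to_ref_id` in email-address.owl and for `source_ref`/`source_ref_string` and `target_ref`/`target_ref_id` in relationship.owl. A one-clause distinction in each companion comment, e.g. `Literal form of resolved_to_refs carrying the STIX identifier string(s) rather than the referenced objects.`, would make each pair self-describing; the wording should be confirmed against the actual property range.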
@@ -45,25 +48,37 @@ - Email Address Object - The Email Address object represents a single email address. + Email Address Object + The Email Address object represents a single email address. + + + + + + + + email-addr + + + + - belongs_to_ref - Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. + belongs_to_ref + Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. - belongs_to_ref_id - Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. + belongs_to_ref_id + Specifies the user account that the email address belongs to, as a reference to a User Account object. The object referenced in this property MUST be of type user-account. - display_name - Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. This property corresponds to the display-name construction in section 3.4 of [RFC5322], for example, Jane Smith. + display_name + Specifies a single email display name, i.e., the name that is displayed to the human user of a mail application. This property corresponds to the display-name construction in section 3.4 of [RFC5322], for example, Jane Smith. diff --git a/stix/core-objects/sco/email-message/email-message.owl b/stix/core-objects/sco/email-message/email-message.owl index a774ca8..4fed757 100644 --- a/stix/core-objects/sco/email-message/email-message.owl +++ b/stix/core-objects/sco/email-message/email-message.owl @@ -4,6 +4,7 @@ + ]> 
@@ -153,6 +155,18 @@ EmailMessage The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs. Header field values that have been encoded as described in section 2 of [RFC2047] MUST be decoded before inclusion in Email Message object properties. For example, this is some text MUST be used instead of =?iso-8859-1?q?this=20is=20some=20text?=. Any characters in the encoded value which cannot be decoded into Unicode SHOULD be replaced with the 'REPLACEMENT CHARACTER' (U+FFFD). If it is necessary to capture the header value as observed, this can be achieved by referencing an Artifact object through the raw_email_ref property. + + + + + + + + email-message + + + + @@ -166,7 +180,6 @@ - diff --git a/stix/core-objects/sco/file/file.owl b/stix/core-objects/sco/file/file.owl index 361078a..8e617f0 100644 --- a/stix/core-objects/sco/file/file.owl +++ b/stix/core-objects/sco/file/file.owl @@ -167,6 +167,18 @@ File The File object represents the properties of a file. A File object MUST contain at least one of hashes or name. + + + + + + + + file + + + + diff --git a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl index 2bfb353..48fe548 100644 --- a/stix/core-objects/sdo/attack-pattern/attack-pattern.owl +++ b/stix/core-objects/sdo/attack-pattern/attack-pattern.owl 
@@ -41,6 +41,18 @@ Attack Pattern Attack Patterns are a type of TTP that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed. An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern. The Attack Pattern SDO contains textual descriptions of the pattern along with references to externally-defined taxonomies of attacks such as CAPEC [CAPEC]. + + + + + + + + attack-pattern + + + + diff --git a/stix/core-objects/sdo/campaign/campaign.owl b/stix/core-objects/sdo/campaign/campaign.owl index 0c980d6..b5dea58 100644 --- a/stix/core-objects/sdo/campaign/campaign.owl +++ b/stix/core-objects/sdo/campaign/campaign.owl 
@@ -59,6 +59,18 @@ Campaign A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set. Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign. Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. For example, a Campaign could be used to describe a crime syndicate's attack using a specific variant of malware and new C2 servers against the executives of ACME Bank during the summer of 2016 in order to gain secret information about an upcoming merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use. + + + + + + + + campaign + + + + diff --git a/stix/core-objects/sdo/course-of-action/course-of-action.owl b/stix/core-objects/sdo/course-of-action/course-of-action.owl index ebb2410..bca51dd 100644 --- a/stix/core-objects/sdo/course-of-action/course-of-action.owl +++ b/stix/core-objects/sdo/course-of-action/course-of-action.owl 
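Review bot: The Campaign description directly above the added type block ends with a duplicated fragment, `…merger with another bank.ey target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use.`, which looks like a paste artifact. It is a context line rather than something introduced here, but since the file is being touched the trailing `ey target … they use.` should be dropped so the comment ends at `another bank.`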
@@ -35,6 +35,18 @@ Course Of Action Note: The Course of Action object in STIX 2.1 is a stub. It is included to support basic use cases (such as sharing prose courses of action) but does not support the ability to represent automated courses of action or contain properties to represent metadata about courses of action. Future STIX 2 releases will expand it to include these capabilities. A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress. It may describe technical, automatable responses (applying patches, reconfiguring firewalls) but can also describe higher level actions like employee training or policy changes. For example, a course of action to mitigate a vulnerability could describe applying the patch that fixes it. The Course of Action SDO contains a textual description of the action; a reserved action property also serves as a placeholder for future inclusion of machine automatable courses of action. + + + + + + + + course-of-action + + + + diff --git a/stix/core-objects/sdo/grouping/grouping.owl b/stix/core-objects/sdo/grouping/grouping.owl index 8bbc213..07a2038 100644 --- a/stix/core-objects/sdo/grouping/grouping.owl +++ b/stix/core-objects/sdo/grouping/grouping.owl 
@@ -54,6 +54,18 @@ Grouping A Grouping object explicitly asserts that the referenced STIX Objects have a shared context, unlike a STIX Bundle (which explicitly conveys no context). A Grouping object should not be confused with an intelligence product, which should be conveyed via a STIX Report. A STIX Grouping object might represent a set of data that, in time, given sufficient analysis, would mature to convey an incident or threat report as a STIX Report object. For example, a Grouping could be used to characterize an ongoing investigation into a security event or incident. A Grouping object could also be used to assert that the referenced STIX Objects are related to an ongoing analysis process, such as when a threat analyst is collaborating with others in their trust community to examine a series of Campaigns and Indicators. The Grouping SDO contains a list of references to SDOs, SCOs, SROs, and SMOs, along with an explicit statement of the context shared by the content, a textual description, and the name of the grouping. + + + + + + + + grouping + + + + diff --git a/stix/core-objects/sdo/identity/identity.owl b/stix/core-objects/sdo/identity/identity.owl index f61d405..589548a 100644 --- a/stix/core-objects/sdo/identity/identity.owl +++ b/stix/core-objects/sdo/identity/identity.owl @@ -60,6 +60,18 @@ Identity Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. + + + + + + + + identity + + + + diff --git a/stix/core-objects/sdo/incident/incident.owl b/stix/core-objects/sdo/incident/incident.owl index 367a7ca..039face 100644 
--- a/stix/core-objects/sdo/incident/incident.owl +++ b/stix/core-objects/sdo/incident/incident.owl @@ -35,6 +35,18 @@ Incident Note: The Incident object in STIX 2.1 is a stub. It is included to support basic use cases but does not contain properties to represent metadata about incidents. Future STIX 2 releases will expand it to include these capabilities. It is suggested that it is used as an extension point for an Incident object defined using the extension facility described in section 7.3. + + + + + + + + incident + + + + diff --git a/stix/core-objects/sdo/indicator/indicator.owl b/stix/core-objects/sdo/indicator/indicator.owl index 60dc5aa..90aa05f 100644 --- a/stix/core-objects/sdo/indicator/indicator.owl +++ b/stix/core-objects/sdo/indicator/indicator.owl @@ -72,6 +72,18 @@ Indicator Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an Indicator may be used to represent a set of malicious domains and use the STIX Patterning Language (see section 9) to specify these domains. The Indicator SDO contains a simple textual description, the Kill Chain Phases that it detects behavior in, a time window for when the Indicator is valid or useful, and a required pattern property to capture a structured detection pattern. Conforming STIX implementations MUST support the STIX Patterning Language as defined in section 9. Relationships from the Indicator can describe the malicious or suspicious behavior that it directly detects (Malware, Tool, and Attack Pattern). In addition, it may also imply the presence of a Campaigns, Intrusion Sets, and Threat Actors, etc. + + + + + + + + indicator + + + + diff --git a/stix/core-objects/sdo/infrastructure/infrastructure.owl b/stix/core-objects/sdo/infrastructure/infrastructure.owl index 9335734..594e729 100644 --- a/stix/core-objects/sdo/infrastructure/infrastructure.owl +++ b/stix/core-objects/sdo/infrastructure/infrastructure.owl 
@@ -60,6 +60,18 @@ Infrastructure The Infrastructure SDO represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other SDOs or SCOs, the Infrastructure SDO represents a named group of related data that constitutes the infrastructure. + + + + + + + + infrastructure + + + + diff --git a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl index bb534fd..ce0a2c4 100644 --- a/stix/core-objects/sdo/intrusion-set/intrusion-set.owl +++ b/stix/core-objects/sdo/intrusion-set/intrusion-set.owl 
@@ -84,6 +84,18 @@ Intrusion Set An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state. + + + + + + + + intrusion-set + + + + diff --git a/stix/core-objects/sdo/location/location.owl b/stix/core-objects/sdo/location/location.owl index 839c1e7..9c36142 100644 --- a/stix/core-objects/sdo/location/location.owl +++ b/stix/core-objects/sdo/location/location.owl 
@@ -90,6 +90,18 @@ Location A Location represents a geographic location. The location may be described as any, some or all of the following: region (e.g., North America), civic address (e.g. New York, US), latitude and longitude. \n\n Locations are primarily used to give context to other SDOs. For example, a Location could be used in a relationship to describe that the Bourgeois Swallow intrusion set originates from Eastern Europe. \n\n The Location SDO can be related to an Identity or Intrusion Set to indicate that the identity or intrusion set is located in that location. It can also be related from a malware or attack pattern to indicate that they target victims in that location. The Location object describes geographic areas, not governments, even in cases where that area might have a government. For example, a Location representing the United States describes the United States as a geographic area, not the federal government of the United States. \n\n At least one of the following properties/sets of properties MUST be provided: region, country, latitude and longitude. \n\n When a combination of properties is provided (e.g. a region and a latitude and longitude) the more precise properties are what the location describes. In other words, if a location contains both a region of northern-america and a country of us, then the location describes the United States, not all of North America. In cases where a latitude and longitude are specified without a precision, the location describes the most precise other value. \n\n If precision is specified, then the datum for latitude and longitude MUST be WGS 84 [WGS84]. Organizations specifying a designated location using latitude and longitude SHOULD specify the precision which is appropriate for the scope of the location being identified. The scope is defined by the boundary as outlined by the precision around the coordinates. + + + + + + + + location + + + + 
diff --git a/stix/core-objects/sdo/malware/malware.owl b/stix/core-objects/sdo/malware/malware.owl index d0c6849..5b693d1 100644 --- a/stix/core-objects/sdo/malware/malware.owl +++ b/stix/core-objects/sdo/malware/malware.owl @@ -118,6 +118,18 @@ Malware Malware is a type of TTP that represents malicious code. It generally refers to a program that is inserted into a system, usually covertly. The intent is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS) or otherwise annoy or disrupt the victim. The Malware SDO characterizes, identifies, and categorizes malware instances and families from data that may be derived from analysis. This SDO captures detailed information about how the malware works and what it does. This SDO captures contextual data relevant to sharing Malware data without requiring the full analysis provided by the Malware Analysis SDO. The Indicator SDO provides intelligence producers with the ability to define, using the STIX Pattern Grammar in a standard way to identify and detect behaviors associated with malicious activities. Although the Malware SDO provides vital intelligence on a specific instance or malware family, it does not provide a standard grammar that the Indicator SDO provides to identify those properties in security detection systems designed to process the STIX Pattern grammar. We strongly encourage the use of STIX Indicators for the detection of actual malware, due to its use of the STIX Patterning language and the clear semantics that it provides. To minimize the risk of a consumer compromising their system in parsing malware samples, producers SHOULD consider sharing defanged content (archive and password-protected samples) instead of raw, base64-encoded malware samples. + + + + + + + + malware + + + + diff --git a/stix/core-objects/sdo/note/note.owl b/stix/core-objects/sdo/note/note.owl index c38b28e..0ae41ba 100644 --- a/stix/core-objects/sdo/note/note.owl 
+++ b/stix/core-objects/sdo/note/note.owl @@ -47,6 +47,18 @@ Note A Note is intended to convey informative text to provide further context and/or to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Notes can be created by anyone (not just the original object creator). For example, an analyst may add a Note to a Campaign object created by another organization indicating that they've seen posts related to that Campaign on a hacker forum. Because Notes are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. + + + + + + + + note + + + + diff --git a/stix/core-objects/sdo/observed-data/observed-data.owl b/stix/core-objects/sdo/observed-data/observed-data.owl index 46b9325..5cc1a25 100644 --- a/stix/core-objects/sdo/observed-data/observed-data.owl +++ b/stix/core-objects/sdo/observed-data/observed-data.owl @@ -42,7 +42,6 @@ - 
@@ -60,6 +59,18 @@ Observed Data Observed Data conveys information about cyber security related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). For example, Observed Data can capture information about an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply the raw information without any context for what it means. \n\n Observed Data can capture that a piece of information was seen one or more times. Meaning, it can capture both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data represents a single entity. When the number_observed property is greater than 1, the Observed Data represents several instances of an entity potentially collected over a period of time. If a time window is known, that can be captured using the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some properties in the SCO (e.g., timestamp properties) will be omitted because they would differ for each of the individual observations. \n\n Observed Data may be used by itself (without relationships) to convey raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools. An intelligence producer conveying Observed Data SHOULD include as much context (e.g. SCOs) as possible that supports the use of the observed data set in systems expecting to utilize the Observed Data for improved security. This includes all SCOs that matched on an Indicator pattern and are represented in the collected observed event (or events) being conveyed in the Observed Data object. For example, a firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. 
The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window. A sandbox could emit an Observed Data instance containing a file hash that it discovered. \n\n Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. For example, the Sighting Relationship object, can relate an Indicator, Malware, or other SDO to a specific Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).\n\nTo support backwards compatibility, related SCOs can still be specified using the objects properties, Either the objects property or the object_refs property MUST be provided, but both MUST NOT be present at the same time. + + + + + + + + observed-data + + + + @@ -92,5 +103,8 @@ A list of SCOs and SROs representing the observation. The object_refs MUST contain at least one SCO reference if defined. The object_refs MAY include multiple SCOs and their corresponding SROs, if those SCOs are related as part of a single observation. For example, a Network Traffic object and two IPv4 Address objects related via the src_ref and dst_ref properties can be contained in the same Observed Data because they are all related and used to characterize that single entity. This property MUST NOT be present if objects is provided. + + + \ No newline at end of file diff --git a/stix/core-objects/sdo/opinion/opinion.owl b/stix/core-objects/sdo/opinion/opinion.owl index d2d0e75..1380622 100644 --- a/stix/core-objects/sdo/opinion/opinion.owl +++ b/stix/core-objects/sdo/opinion/opinion.owl 
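Review bot: The three lines appended at the end of observed-data.owl leave the file without a trailing newline (`\ No newline at end of file`), and relationship.owl ends the same way in this patch; terminating both files with a newline avoids a spurious diff on the next edit. Separately, the rewritten Observed Data comment contains a comma splice, `…specified using the objects properties, Either the objects property or the object_refs property MUST be provided…`, which reads better as `…using the objects property. Either the objects property or the object_refs property MUST be provided…`. The objects/object_refs mutual exclusion it states is prose only as far as this rendering shows; if it is meant to be machine-checked, a constraint outside the comment would be needed.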
@@ -42,6 +42,18 @@ Opinion An Opinion is an assessment of the correctness of the information in a STIX Object produced by a different entity. The primary property is the opinion property, which captures the level of agreement or disagreement using a fixed scale. That fixed scale also supports a numeric mapping to allow for consistent statistical operations across opinions. \n\n For example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an Indicator "one star" in their TIP (expressing "strongly disagree") because it is considered to be a false positive within their environment. Opinions are subjective, and the specification does not address how best to interpret them. Sharing communities are encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects within the community. \n\n Because Opinions are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst(s) that created the Opinion. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object. + + + + + + + + opinion + + + + diff --git a/stix/core-objects/sdo/report/report.owl b/stix/core-objects/sdo/report/report.owl index a757836..e4140e3 100644 --- a/stix/core-objects/sdo/report/report.owl +++ b/stix/core-objects/sdo/report/report.owl @@ -54,6 +54,18 @@ Report Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. + + + + + + + + report + + + + 
diff --git a/stix/core-objects/sdo/tool/tool.owl b/stix/core-objects/sdo/tool/tool.owl index 66d550b..7063928 100644 --- a/stix/core-objects/sdo/tool/tool.owl +++ b/stix/core-objects/sdo/tool/tool.owl @@ -57,6 +57,18 @@ Tool Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack. \n\nThe Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool. \n\nThis SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterize tools used as part of a course of action in response to an attack. + + + + + + + + tool + + + + diff --git a/stix/core-objects/sdo/vulnerability/vulnerability.owl b/stix/core-objects/sdo/vulnerability/vulnerability.owl index c34cf19..8e330a3 100644 --- a/stix/core-objects/sdo/vulnerability/vulnerability.owl +++ b/stix/core-objects/sdo/vulnerability/vulnerability.owl 
@@ -35,6 +35,18 @@ Vulnerability A Vulnerability is a weakness or defect in the requirements, designs, or implementations of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system. \n\nCVE is a list of information security vulnerabilities and exposures that provides common names for publicly known problems [CVE]. For example, if a piece of malware exploits CVE-2015-12345, a Malware object could be linked to a Vulnerability object that references CVE-2015-12345. \n\nThe Vulnerability SDO is primarily used to link to external definitions of vulnerabilities or to describe 0-day vulnerabilities that do not yet have an external definition. Typically, other SDOs assert relationships to Vulnerability objects when a specific vulnerability is targeted and exploited as part of malicious cyber activity. As such, Vulnerability objects can be used as a linkage to the asset management and compliance process. + + + + + + + + vulnerability + + + + diff --git a/stix/core-objects/sro/relationship/relationship.owl b/stix/core-objects/sro/relationship/relationship.owl index 7355401..e7ff103 100644 --- a/stix/core-objects/sro/relationship/relationship.owl +++ b/stix/core-objects/sro/relationship/relationship.owl @@ -4,13 +4,16 @@ + ]> @@ -36,7 +39,6 @@ - @@ -61,7 +63,6 @@ - 
@@ -71,32 +72,42 @@ - Relationship - The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". \n\n STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition. \n\n STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a user-defined name they determined) to indicate more detail. \n\n Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that campaign. While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX. + Relationship + The Relationship object is used to link together two SDOs or SCOs in order to describe how they are related to each other. 
If SDOs and SCOs are considered "nodes" or "vertices" in the graph, the Relationship Objects (SROs) represent "edges". \n\n STIX defines many relationship types to link together SDOs and SCOs. These relationships are contained in the "Relationships" table under each SDO and SCO definition. Relationship types defined in the specification SHOULD be used to ensure consistency. An example of a specification-defined relationship is that an indicator indicates a campaign. That relationship type is listed in the Relationships section of the Indicator SDO definition. \n\n STIX also allows relationships from any SDO or SCO to any SDO or SCO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a user-defined relationship type. As an example, a user might want to link malware directly to a tool. They can do so using related-to to say that the Malware is related to the Tool but not describe how, or they could use delivered-by (a user-defined name they determined) to indicate more detail. \n\n Note that some relationships in STIX may seem like "shortcuts". For example, an Indicator doesn't really detect a Campaign: it detects activity (Attack Patterns, Malware, Infrastructure, etc.) that are often used by that campaign. While some analysts might want all of the source data and think that shortcuts are misleading, in many cases it's helpful to provide just the key points (shortcuts) and leave out the low-level details. In other cases, the low-level analysis may not be known or sharable, while the high-level analysis is. For these reasons, relationships that might appear to be "shortcuts" are not excluded from STIX. + + + + + + + + relationship + + + + - description - A description that provides more details and context about the Relationship, potentially including its purpose and its key characteristics. 
+ description + A description that provides more details and context about the Relationship, potentially including its purpose and its key characteristics. - relationship_type - The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a-z (lowercase ASCII), 0-9, and hyphen (-). + relationship_type + The name used to identify the type of Relationship. This value SHOULD be an exact value listed in the relationships for the source and target SDO, but MAY be any string. The value of this property MUST be in ASCII and is limited to characters a-z (lowercase ASCII), 0-9, and hyphen (-). - source_ref - The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). - - + source_ref + The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). - source_ref_string - The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). + source_ref_string + The id of the source (from) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition). 
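Review bot: The relabelled string-typed companions of the two reference properties use different suffixes, `source_ref_string` in this hunk and `target_ref_id` in the next, while the SCO files in this patch use `_id` (`resolved_to_refs_id`, `belongs_to_ref_id`); renaming to `source_ref_id` would make the pair consistent, though any consumer already bound to `source_ref_string` would need updating. Two lines following the `source_ref` comment (and two after `target_ref` in the next hunk) are removed without replacement; the rendering strips the markup, so it is worth confirming that no range or cardinality restriction was lost with them. The `relationship_type` comment states the value MUST be limited to `a-z`, `0-9` and `-`; if the property is typed as a plain string, a pattern facet restricting it to that character set would let validators enforce the MUST instead of relying on the prose.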
@@ -113,16 +124,17 @@
- target_ref
- The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
-
-
+ target_ref
+ The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
- target_ref_id
- The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+ target_ref_id
+ The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO (i.e., it cannot point to an SRO, Bundle, Language Content, or Marking Definition).
+
+
+
\ No newline at end of file
diff --git a/stix/core-objects/sro/sighting/sighting.owl b/stix/core-objects/sro/sighting/sighting.owl
index cced023..36e3ebe 100644
--- a/stix/core-objects/sro/sighting/sighting.owl
+++ b/stix/core-objects/sro/sighting/sighting.owl
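Review bot: On the new side of this hunk `target_ref_id` carries exactly the same annotation text as `target_ref` (`The id of the target (to) object. The value MUST be an ID reference to an SDO or SCO …`), so nothing in the ontology says how the two properties differ or when a consumer should populate one rather than the other. The previous hunk does the same for `source_ref` / `source_ref_string`, and the two suffixes (`_string` vs `_id`) disagree, which any mapping from STIX JSON onto these properties is likely to have to special-case. The markup is stripped in this view so I cannot see the declared property types; if, as the names suggest, the suffixed forms are literal-valued copies of the object properties, pick one suffix for both and give that form its own annotation, e.g. `The STIX identifier of the target object as a string literal rather than an object reference.` The `\ No newline at end of file` marker shows the hunk runs to the end of the file, so the enclosing element closes inside it.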
@@ -92,6 +92,18 @@ Sighting A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior. \n\n The Sighting relationship object is a special type of SRO; it is a relationship that contains extra properties not present on the Generic Relationship object. These extra properties are included to represent data specific to sighting relationships (e.g., count, representing how many times something was seen), but for other purposes a Sighting can be thought of as a Relationship with a name of "sighting-of". Sighting is captured as a relationship because you cannot have a sighting unless you have something that has been sighted. Sighting does not make sense without the relationship to what was sighted. \n\n Sighting relationships relate three aspects of the sighting: \n\n What was sighted, such as the Indicator, Malware, Campaign, or other SDO (sighting_of_ref). \n\n Who sighted it and/or where it was sighted, represented as an Identity (where_sighted_refs). \n\n What was actually seen on systems and networks, represented as Observed Data (observed_data_refs). \n\n What was sighted is required; a sighting does not make sense unless you say what you saw. Who sighted it, where it was sighted, and what was actually seen are optional. In many cases it is not necessary to provide that level of detail in order to provide value. \n\n Sightings are used whenever any SDO has been "seen". In some cases, the object creator wishes to convey very little information about the sighting; the details might be sensitive, but the fact that they saw a malware instance or threat actor could still be very useful. 
In other cases, providing the details may be helpful or even necessary; saying exactly which of the 1000 IP addresses in an indicator were sighted is helpful when tracking which of those IPs is still malicious. \n\n Sighting is distinct from Observed Data in that Sighting is an intelligence assertion ("I saw this threat actor") while Observed Data is simply information ("I saw this file"). When you combine them by including the linked Observed Data (observed_data_refs) from a Sighting, you can say "I saw this file, and that makes me think I saw this threat actor".
+
+
+
+
+
+
+
+ sighting
+
+
+
+
diff --git a/stix/stix.owl b/stix/stix.owl
index 8c33fd4..321e9e4 100644
--- a/stix/stix.owl
+++ b/stix/stix.owl
@@ -4,6 +4,7 @@
+ ]>
diff --git a/tac/catalog-v001.xml b/tac/catalog-v001.xml
index b264c66..4bc8c75 100644
--- a/tac/catalog-v001.xml
+++ b/tac/catalog-v001.xml
@@ -2,7 +2,7 @@
-
+
@@ -45,10 +45,10 @@
-
+
-
+
diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml
index daf6df5..61f2f36 100644
--- a/threat-agent-lib/catalog-v001.xml
+++ b/threat-agent-lib/catalog-v001.xml
@@ -2,7 +2,7 @@
-
+
@@ -48,15 +48,12 @@
-
+
-
+
-
-
-
-
-
+
+
From 43dd67bdf75461cdd7d8bfd2c3d116ee8eaae949 Mon Sep 17 00:00:00 2001
From: Ryan Hohimer
Date: Mon, 4 Sep 2023 15:49:23 -0700
Subject: [PATCH 65/70] preparing the hal and tal libraries for Borderless Cyber conference
---
 health-agent-lib/hal-library.owl | 7 +++++--
 knowledgebase-examples/hal-example.owl | 16 ++++++++++++++++
 threat-agent-lib/ta-library.owl | 4 ----
 3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/health-agent-lib/hal-library.owl b/health-agent-lib/hal-library.owl
index 9620e5b..385fde9 100644
--- a/health-agent-lib/hal-library.owl
+++ b/health-agent-lib/hal-library.owl
@@ -25,6 +25,10 @@
+
+
+
+
@@ -34,7 +38,7 @@
-
+
@@ -50,7 +54,6 @@
-
diff --git a/knowledgebase-examples/hal-example.owl b/knowledgebase-examples/hal-example.owl
index 9ca0bd5..7baf00b 100644
--- a/knowledgebase-examples/hal-example.owl
+++ b/knowledgebase-examples/hal-example.owl
@@ -1,5 +1,6 @@
@@ -11,6 +12,7 @@ ]>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/threat-agent-lib/ta-library.owl b/threat-agent-lib/ta-library.owl
index 2f3218a..4af7e67 100644
--- a/threat-agent-lib/ta-library.owl
+++ b/threat-agent-lib/ta-library.owl
@@ -848,10 +848,6 @@
-
-
-
-
From b4e4180668c42bccd2ed5b7b50d6647673f684e9 Mon Sep 17 00:00:00 2001
From: Ryan Hohimer
Date: Mon, 4 Sep 2023 17:38:39 -0700
Subject: [PATCH 66/70] adding documentation to readme files
---
 README.md | 9 +++++++--
 docs/ontologies/stix/stix-ontology-readme.md | 4 ++++
 docs/ontologies/stix/stix-ontology-readment.md | 4 ++++
 docs/ontologies/tac/tac-ontology-readment.md | 0
 docs/ontologies/tal/tal-ontology-readment.md | 0
 5 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 docs/ontologies/stix/stix-ontology-readme.md
 create mode 100644 docs/ontologies/stix/stix-ontology-readment.md
 create mode 100644 docs/ontologies/tac/tac-ontology-readment.md
 create mode 100644 docs/ontologies/tal/tal-ontology-readment.md
diff --git a/README.md b/README.md
index bd73c35..b720e6d 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,11 @@ The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to crea
 *The TC may include additional content as descriptive text, reflecting project status, milestones, releases, modifications to statement of purpose, etc.
+## Documentation
+
+[The STIX 2.1 Ontology](docs/stix/stix-ontology-readme.md)
+
+
 ## Maintainers
 TC Open Repository [Maintainers](https://www.oasis-open.org/resources/open-repositories/maintainers-guide) are responsible for oversight of this project's community development activities, including evaluation of GitHub [pull requests](https://github.com/oasis-open/tac-ontology/blob/master/CONTRIBUTING.md#fork-and-pull-collaboration-model) and [preserving](https://www.oasis-open.org/policies-guidelines/open-repositories#repositoryManagement) open source principles of openness and fairness. Maintainers are recognized and trusted experts who serve to implement community goals and consensus design preferences.
@@ -28,9 +33,9 @@ Initially, the TC members have designated one or more persons to serve as Mainta
 Vasileios Mavroeidis, vasileim@ifi.uio.no, Vasileios-Mavroeidis, University of Oslo
-Ryan Hohimer, ryan.hohimer@darklight.ai, rhohimer, Darklight Inc.
+Ryan Hohimer, ryan.hohimer@semanticarts.com, rhohimer, Semantic Arts Inc.
+
-Paul Patrick, ppatrick@darklight.ai, CyberDaedalus00, Darklight Inc.
 ## About OASIS TC Open Repositories
diff --git a/docs/ontologies/stix/stix-ontology-readme.md b/docs/ontologies/stix/stix-ontology-readme.md
new file mode 100644
index 0000000..709d4cd
--- /dev/null
+++ b/docs/ontologies/stix/stix-ontology-readme.md
@@ -0,0 +1,4 @@
+# STIX 2.1 Ontology _(not the STIX 2.1 specification)_
+
+## The STIX 2.1 Ontology
+The STIX 2.1 Ontology is based on the STIX 2.1 Standard Specification. It is a binding of the specification in formal ontological language.
\ No newline at end of file
diff --git a/docs/ontologies/stix/stix-ontology-readment.md b/docs/ontologies/stix/stix-ontology-readment.md
new file mode 100644
index 0000000..709d4cd
--- /dev/null
+++ b/docs/ontologies/stix/stix-ontology-readment.md
@@ -0,0 +1,4 @@
+# STIX 2.1 Ontology _(not the STIX 2.1 specification)_
+
+## The STIX 2.1 Ontology
+The STIX 2.1 Ontology is based on the STIX 2.1 Standard Specification. It is a binding of the specification in formal ontological language.
\ No newline at end of file
diff --git a/docs/ontologies/tac/tac-ontology-readment.md b/docs/ontologies/tac/tac-ontology-readment.md
new file mode 100644
index 0000000..e69de29
diff --git a/docs/ontologies/tal/tal-ontology-readment.md b/docs/ontologies/tal/tal-ontology-readment.md
new file mode 100644
index 0000000..e69de29
From 82ab0c5a0d4ea32d1aa6700465394cb7cdf18880 Mon Sep 17 00:00:00 2001
From: Ryan Hohimer
Date: Mon, 4 Sep 2023 17:45:14 -0700
Subject: [PATCH 67/70] testing relative links
---
 README.md | 4 +-
 .../ontologies/stix/stix-ontology-readment.md | 4 -
 remaning parts of old-ontology.xml | 948 ------------------
 tac-kb-example.owl | 23 -
 4 files changed, 2 insertions(+), 977 deletions(-)
 delete mode 100644 docs/ontologies/stix/stix-ontology-readment.md
 delete mode 100644 remaning parts of old-ontology.xml
 delete mode 100644 tac-kb-example.owl
diff --git a/README.md b/README.md
index b720e6d..31429f6 100644
--- a/README.md
+++ b/README.md
@@ -20,8 +20,8 @@ The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to crea
 ## Documentation
-[The STIX 2.1 Ontology](docs/stix/stix-ontology-readme.md)
-
+[The STIX 2.1 Ontology](./docs/stix/stix-ontology-readme.md)
+
 ## Maintainers
diff --git a/docs/ontologies/stix/stix-ontology-readment.md b/docs/ontologies/stix/stix-ontology-readment.md
deleted file mode 100644
index 709d4cd..0000000
--- a/docs/ontologies/stix/stix-ontology-readment.md
+++ /dev/null
@@ -1,4 +0,0 @@
-# STIX 2.1 Ontology _(not the STIX 2.1 specification)_
-
-## The STIX 2.1 Ontology
-The STIX 2.1 Ontology is based on the STIX 2.1 Standard Specification. It is a binding of the specification in formal ontological language.
\ No newline at end of file
diff --git a/remaning parts of old-ontology.xml b/remaning parts of old-ontology.xml
deleted file mode 100644
index 4bc3043..0000000
--- a/remaning parts of old-ontology.xml
+++ /dev/null
@@ -1,948 +0,0 @@ - - - MD5 Hash Value - Specifies the MD5 message digest algorithm. The corresponding hash string for this value MUST be a valid MD5 message digest as defined in [RFC1321]. - - - - - SHA-1 Hash Value - Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA-1 message digest as defined in [RFC3174]. - - - - - SHA-256 Hash Value - Specifies the SHA-256 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-256 message digest as defined in [RFC6234]. - - - - - SHA-512 Hash Value - Specifies the SHA-512 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-512 message digest as defined in [RFC6234]. - - - - - SHA3-256 Hash Value - Specifies the SHA3-256 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-256 message digest as defined in [FIPS202]. - - - - - SHA3-512 Hash Value - Specifies the SHA3-512 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-512 message digest as defined in [FIPS202]. - - - - - SSDEEP Hash Value - Specifies the ssdeep fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid piecewise hash as defined in the [SSDEEP] specification. - - - - - TLSH Hash Value - Specifies the TLSH fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid 35 byte long hash as defined in the [TLSH] specification. - - - - - - - - - - Group - Identitfies an informal collection of people, without formal governance. - - - - - - - - Individual - Identitfies an actual individual. - - - - - - - Industy Sector - Identifies an industry sector. - - - - - - Organization - Identifies an actual formal organization of people, with governance, such as a company. 
- - - - - - - - - Civic Location - Identifies an actual civic location (e.g., street address, city, administrative area, postal code). - - - - - Country - Identifies an actual country. - - - - - Global Position - Identifies a physical position on the globe. - - - - - Region - Identifies an actual region in the world. - - - - - -extension-definition.owl - - - - Extension - Characterizes the base of all extensions to Cyber Observable objects. - - - - - - - - activity-outcome-enum - - - - - blocked - - - failed - - - successful - - - unknown - - - - - - - - - - - - - - - detection-methods-ov - - - - - automated-tool - - - human-review - - - message-from-attacker - - - system-outage - - - user-reporting - - - - - - - - - - - - - - - - - defender-activity-ov - Defines an open vocabulary for defender activities associated with an Incident. - - - - - containment-completed - - - containment-started - - - declared - - - detected - - - eradication-completed - - - eradication-started - - - escalated - - - recovery-completed - - - recovery-started - - - reported - - - - - - - - - - - - - - - - - - - - - - - - - - - dectection-methods-ov - - - - - automated-tool - - - human-review - - - message-from-attacker - - - system-outage - - - user-reporting - - - - - - - - - - - - - - - - - external-impact-ov - - - - - civil-liberties - - - economic - - - foreign-relations - - - national-security - - - public-confidence - - - public-health - - - - - - - - - - - - - - - - - - - incident-action-status-ov - - - - - failed - - - new-control - - - planned - - - successful - - - unused - - - - - - - - - - - - - - - - - information-impact-type-ov - - - - - classified-material - - - communication - - - credentials-admin - - - credentials-user - - - financial - - - legal - - - payment - - - phi - - - pii - - - proprietary - - - - - - - - - - - - - - - - - - - - - - - - - - - incident-action-stage-enum - - - - - containment - - - detection - - - eradication - - - mitigation - - - post-incident - 
- - prevention - - - recovery - - - - - - - - - - - - - - - - - - - - - incident-confidentiality-loss-enum - - - - - contained - - - exploited-loss - - - exploited-major-loss - - - major-loss - - - none - - - some-loss - - - suspected-loss - - - suspected-major-loss - - - - - - - - - - - - - - - - - - - - - - - incident-determination-enum - - - - - blocked - - - failed-attempt - - - false-positive - - - low-value - - - successful-attempt - - - suspected - - - - - - - - - - - - - - - - - - - incident-investigation-enum - - - - - closed - - - new - - - open - - - - - - - - - - - - - incident-type-ov - - - - - compromised-system - - - denial-of-service - - - destruction - - - equipment-loss - - - equipment-theft - - - major - - - supply-chain-customer - - - supply-chain-vendor - - - unauthorized-access - - - unauthorized-equipment - - - unauthorized-release - - - unauthorized-use - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - information-type-ov - - - - - classified-material - - - communication - - - credentials-admin - - - credentials-user - - - financial - - - legal - - - payment - - - phi - - - pii - - - proprietary - - - - - - - - - - - - - - - - - - - - - - - - - - - integrity-alteration-enum - - - - - full-destruction - - - full-modification - - - none - - - partial-destruction - - - partial-modification - - - potential-destruction - - - potential-modification - - - - - - - - - - - - - - - - - - - - - marking-definition-type-ov - - - - - statement - - - tlp - - - - - - - - - - - monetary-impact-type-ov - - - - - asset-and-fraud - - - brand-damage - - - business-disruption - - - competitive-advantage - - - legal-and-regulatory - - - operating-costs - - - response-and-recovery - - - uncategorized - - - - - - - - - - - - - - - - - - - - - - - physical-impact-enum - - - - - damaged-complete - - - damaged-limited - - - destruction-complete - - - destruction-limited - - - none - - - unknown - - - - - - - - - - - - - - - - - - - recoverability-enum - - - 
- - extended - - - not-applicable - - - not-recoverable - - - regular - - - supplemented - - - - - - - - - - - - - - - - - timestamp-fidelity-enum - - - - - day - - - hour - - - minute - - - month - - - second - - - year - - - - - - - - - - - - - - - - - - - traceability-enum - - - - - accountability-lost - - - partial-accountability - - - provable-accountability - - - - - - - - - - - - diff --git a/tac-kb-example.owl b/tac-kb-example.owl deleted file mode 100644 index 74d7e47..0000000 --- a/tac-kb-example.owl +++ /dev/null @@ -1,23 +0,0 @@ - - - - - - -]> - - - - The TAC ontology is a knowledge representation framework focused on comprehensively representing the context around adversaries. The project comprises a set of concept definitions and their relationships encoded in Web Ontology Language (OWL) that altogether harmonise into what we call the Threat Actor Context ontology. - - - - - \ No newline at end of file From 40c44a2eea7e81cb6ff8c8f5b90de93ec866e01a Mon Sep 17 00:00:00 2001 From: Ryan Hohimer Date: Mon, 4 Sep 2023 17:56:56 -0700 Subject: [PATCH 68/70] adding relative links to documentation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 31429f6..863cdd9 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to crea ## Documentation -[The STIX 2.1 Ontology](./docs/stix/stix-ontology-readme.md) +[The STIX 2.1 Ontology](./docs/ontologies/stix/stix-ontology-readme.md) ## Maintainers From 957b1310c7cd4a8ea3df787929fb715b6d20835c Mon Sep 17 00:00:00 2001 
From: Ryan Hohimer
Date: Mon, 4 Sep 2023 18:13:09 -0700
Subject: [PATCH 69/70] continuing to add documentation
---
 README.md | 2 ++
 docs/ontologies/tac/tac-ontology-readme.md | 4 ++++
 docs/ontologies/tac/tac-ontology-readment.md | 0
 docs/ontologies/tal/tal-ontology-readme.md | 8 ++++++++
 docs/ontologies/tal/tal-ontology-readment.md | 0
 5 files changed, 14 insertions(+)
 create mode 100644 docs/ontologies/tac/tac-ontology-readme.md
 delete mode 100644 docs/ontologies/tac/tac-ontology-readment.md
 create mode 100644 docs/ontologies/tal/tal-ontology-readme.md
 delete mode 100644 docs/ontologies/tal/tal-ontology-readment.md
diff --git a/README.md b/README.md
index 863cdd9..229a8b1 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,8 @@ The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to crea
 ## Documentation
 [The STIX 2.1 Ontology](./docs/ontologies/stix/stix-ontology-readme.md)
+[The TAC Ontology](./docs/ontologies/tac/tac-ontology-readme.md)
+[The TAL Ontology](./docs/ontologies/tal/tal-ontology-readme.md)
 ## Maintainers
diff --git a/docs/ontologies/tac/tac-ontology-readme.md b/docs/ontologies/tac/tac-ontology-readme.md
new file mode 100644
index 0000000..a3db8ba
--- /dev/null
+++ b/docs/ontologies/tac/tac-ontology-readme.md
@@ -0,0 +1,4 @@
+# The Threat Actor Context (TAC) Ontology
+
+## TAC Ontology
+The TAC Ontology is an extension of the STIX 2.1 Ontology (aka stix.owl).
\ No newline at end of file
diff --git a/docs/ontologies/tac/tac-ontology-readment.md b/docs/ontologies/tac/tac-ontology-readment.md
deleted file mode 100644
index e69de29..0000000
diff --git a/docs/ontologies/tal/tal-ontology-readme.md b/docs/ontologies/tal/tal-ontology-readme.md
new file mode 100644
index 0000000..4712827
--- /dev/null
+++ b/docs/ontologies/tal/tal-ontology-readme.md
@@ -0,0 +1,8 @@
+# The Threat Agent Library
+
+## The TAL Ontology
+The Threat Agent Library is a contribution from Intel Corp. It is an extension of the TAC Ontology. As stated before:
+
+### STIX 2.1 Standard Specification is extended by the STIX Ontology (stix.owl)
+### STIX Ontology is extended by the TAC Ontology (tac.owl)
+### TAC Ontology is extended by the TAL Ontology (ta-library.owl)
diff --git a/docs/ontologies/tal/tal-ontology-readment.md b/docs/ontologies/tal/tal-ontology-readment.md
deleted file mode 100644
index e69de29..0000000
From 182613477af6aae25a6d895c7fb47eb0a9fd4aae Mon Sep 17 00:00:00 2001
From: Ryan Hohimer
Date: Mon, 4 Sep 2023 19:05:15 -0700
Subject: [PATCH 70/70] adding document content
---
 docs/ontologies/tal/competitor-heritage.png | Bin 0 -> 43996 bytes
 docs/ontologies/tal/tal-ontology-readme.md | 3 +++
 threat-agent-lib/catalog-v001.xml | 3 +--
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 docs/ontologies/tal/competitor-heritage.png
diff --git a/docs/ontologies/tal/competitor-heritage.png b/docs/ontologies/tal/competitor-heritage.png new file mode 100644 index 0000000000000000000000000000000000000000..ee1dbb53b5ddfd46bdc92453439b953522ceb41b GIT binary patch literal 43996 zcmZU41yB`i*DZ>Kba#l9G$J64f^>IxN_U4KA>AM?-OZsTrAxXyq(i#zbNs&lzjx+3 z^Ugasp2HLS*?aA^)((-E6+=ZLLV|&TL6s2yqzD7^;tLGSvyX_+!QXrl6>bLqd*-Mp zCInMHLb3~fcwzQY<|7PDRTT2Q0UY@GrJcBjBMb~$7xcepy|#tM;4iV9MAV&>Y)ze9 z4IE5h#2idaY#hyPopeQbHPzJcWr&~)@qa_`dzCLkjY4+6NPy`~Ls74v@#zu~HT|Gs?yZ)_t{e*XOF?CdPU%8VxF<>lq(*08R?tPeS=om&nnIdvP?chJ;|y1evoW`1MN z!KFSncjGtvuHloLh+9oVgHD(0gcaw);ibR7e@aS9c{%ge4)hiRq~X~00~od85fHRA zH3tR<-?6b}=j7l%**}{t3lDeI@3pYdwzd`#7Ea)idS^R1w&ut1wZw@FD?8_c)LTJ8 z!7f*~qQ0o;v%dZZZWricDdPO$!=vHEz#n^idri$08=LTefbT;?n_$08Oo0y%c|1wg zb^+eOYo+A^n+}IElA);RE9E4wR@|g=mTa!v_^hq12ga!W?Hm!hI>g)CTMG+|G}(eF z3zeaO4t=%`*%lq;O>?WE{e9l7Gm3abAC$<+Lm%|s0jtN(YEco9j$f*3Y8$ikV#&}Y z8S{YyOdhSRugAy5{j9fxguZfQM-`uBR#!)s-kXC|Aa{6pR9swITgyN1j=!a~UVbukZNGJNFBT^aB&37kVKKbFvz z1CRYjYi_(eJn`>7LO<;A7W!dwumedcDQs+P-1l}Ju2nUbO;gj`seFq2zrcmtF>@91 zL!;U0_ZLhya&ueTQE(AN5#zV-Qz>=Ie}Z4M(`>2^4$s}4Gfc!?g^`bskC!)<)DU_` z3g8_X+e|Djrp3m-9`@F+?^RPHPw5{eSL%XW(b7syPplJ5|A_eq(M*!t4Eh0$cIdBB zD=I5f5hE5AYuj>Zo0(E6b$mW~P+ahbYb0!*A~8Dp_wV07(gdL)!YB?sJdvislWq*Y(;0tsCW`$*C5OuG!gYNFb(o#MyF7+(S6{QXq0@F0!WEM=bnx-ZX zb8~U-j(=;0fqn!5WEfYT^v6hSVc8J@&5FiyKfh}K=grb%F)=Y?GcyHgpP>sLas?}S z>B7Uqv%cY)lSf8sZS$FKl4Gl=v1EEWhpT|AM%7XpoQy;3OX&4hfCHo|{QUWImHM&} zF+Y>_X!5(pyG!c{j&<;f@84y}z2l?ag`HV)9=A8Dj_^=8ruq5#*$5sU9uDIxsi~=X z`xO@#udf@9e*Y1!*wjQcNDtA5xfl$s6g622z`!~OOUG)dg+Q`&BB$LA)*cfR7mt0e zD(b8~b!Wa6Y?o)aZ=1QUJd}-$WM{ud7^xmJHx?v#DfCMQQd`@8GC4h+n3&j!kBf)b zq+LEVB%L~(m;&wq-wdLelbvlxJ<5z12B-C0QBkqdTDAatA*8IE(`ayQ9lY~ON*x`Y zbE|;pIq0K&l~+@vblbXkbd{1?W7~Se!rXkoMpSu2MZlV-bgJLoy~{OovOr2oI)MA3 zFZ}n+OmGQWU2cAU&;A7-4vw*j$=u;(K){RS3tGGIo^Lzm*O}?r@$pNX3k%U*RkREY z-COev^o)zgr@1o94cNsT9}1P|7JgXCzz{@;s&h1msdIdnP=|oMUbB;g zUS3`)i>8$57#Ptn-=#~8le&! 
zWa~;ivM5?!UgAX9WmvRd$Dc$+QB<@S%O@w@3f|3aNd~(9^*~ovBQGu+wy_ZyA6J~6 zQdwN`W<)fD-`nM0UOws(r>JGVI{l&{Mj=lCBBu#01N)0pO(DGzvmYVl$4l%_<8TVw|HI|ucM%# zI5|6Wu(QX<$8Tdcm^eA9tgb;Y5B`jd$VPsq3V4AC zD*HzSBDuA-HJZ3nIbWVqXFYu^cxk*z>d1T;te++|}no>dWR8>jXIu>3qtEW{j<2~h7K`V!M(+TcUP*zq}QJI>b z=i%ZiOrsS-9Qyzw=XXr{VdvNTc0VrX%`7C;@2ZsLM;lSdcuY-RQ^gf%Xo(ftH@E?U zH^$E$ucFlduuGV=!|LQJ_4myiB64A)Y$wkfVZ|yUjB>)(cpP%p0P&g#beigjH z6lNkODVa8y5c=BLIoO~U9)7@ShRk`_-#hSaNyTVUDc|=bv#$)q%Q`_dao|p3ViXh= z$7g5zd`mHepb*7BtfS*&9Nk~Y4Cm99-tv#y0S@WOFLYr#AF$G8&xFyvZRe`s5hO5T9!BNZ6*0mt@sM1dLF2=jgz~r+DLp_W72w@ zL498uAK|_cVK((Qd#p~?LP=pTb$B0BBpoq_wUb8aTMC0ewddoF?=Mq*%HyVeEzZ=B z;}0C(epDH}e|)wQATxSTW_$3jM5-r6oOp461QD}-Idnf8ULlOY#3mYXdc3~@sRZQp z%F4<=51ZTD^zI!2R;gGN&nD*PUiJbIWCGDl$bW#7rpXz;tUI@a)Z##KND?7O+}=L# z*z!>jbr+#M7gkW4k!h9s`1p8>F3VjnqDCJyF>14Oa@s7n-1HE)<=6JIY>%UUzs4pV z<-ht~*AfscrV^3H|^>UUqDGwdwHBy&*y)t1_&{ zFY&>xH^ao3Wo7(dSQ%e-)-V2b=D@!_pUAOOdJJrR#leB1A-VZn+;67ou+H|)De|Jv zoea-l@lsJcNA@$=_secwmK8szLEY2F&H+Hx>Gu3HL0Ms8VRSUcDJMNOHML};zEGV^ zNc7n5;bB=x$>89il(_hBROhg$sF5LQm*y2qt07@WJy!*Vj{J;_4N$j3!zMrh2jRW8 zwvd3mOUum6%*)#hLaU%ajQc7e8V&}$ua3Z(eVw10f`8?=#)Drm>v+IrqlpE4PYXrj z%^pl*iPQF-!%Rz%&B2X3zdL@q1l6ffkLQPKX@hF&-9e3@+JlPQHBT`7J`sUn{WwFg{m271ZyUu|Ut zw-)4o@UuO19OVy+UuxD$Tz%SJPvPODLAwrP`V*#F@Udp$NxGFHv@+&Ba8WU2^qh;P-xC?zhn!6~)#0+px;m z%q+)*b3N(XNIGvY+sTO}UthG2{Oe3#pX-yg_bXm!f%v-ZXerY9V>}PavKf4Yq@)p@ z>MzKqcAYv?=-nMd0nF*?=>d?V<|a%4qlSBY*Q=m~FD~EG0O`-qVtNKp@(pj+Q=f_E zjM>z06m<9&VX$TX0BEY=Lk$Z0(&S{r_V&S4Nrjr`7Jh>h?B%4ApwM~ULTi=%#snc@ zeozpj^)qWXln7NTw_lC6x3aZ$+cGzsf17s)6<8|O8jLa3dy&!^Nn;CUmHm8rw57c5K#;HqMWhoKEB~}b&Fo%a+2F-t zu@_JAZC=U^zZ*HYV-lGyI&Z0mzNG5v0@BmV=urTia%oCQv5*5kbTC4vS-bAN4Cx`coc70Se%!doGbC@%^{vYmtj^0<>cggUsF&}h((fgDB|McqN1Wk zL_`3sOG{qSl{4JCaCyI`aKwa`?a1=-@{57Q1=}`>ah3Ac zTS;f4sH%F^X3L6}YP@I8X<4$KmsTR>4f&V_S#nZg@v%)^flN4O`EU!RE&~#w;0UI^ zEP3qjO{->Zf%evbQ*0f8CoaeB@UFGlCg+lsn(J>-Q5D6-M0YCD-@g;&o$pvJw-8Qg zGA7Q>s;3USthW0d930%=d#S_8>*%14PESt0P-5T8km3B$Nh_BTFUwTv^Kk3$|J=Ft 
znS^r8ucyc3C%lO~VTZ2~)6=R+gL!Bi(%@w*Ye>K0&qjSE5bvgMVa-S-V;Cqzjc{rcRsN>NcOC8qs z^uU`gTQhe3+JW5nKDh6q@mWOrZxI!^jB=T=AeDZz$Tb%L)JUfHiwb;l(-rIv%BGHp z!m%GEM`!IQNE-pXS6SZXaiqbYV%BR#VfYE^nS7b1qHDt|tFE31IU^0LE&zi9!h}OL zm+Pe{NkczS!Al?B`LnTM*)JOe$M3g~29x_Brq+IrV`G0yMfE~qHg{CuPMR*uU@(#C z&DZCJFGi4_VQkSdGNQCf!9U92l;R8;F368A|MWa`;oU>%?(Qx&v$V7%zREmROvO4K zJ#t(B6_U>DDtSA|(&lx4ZJ#TpEP_N!OH0{ey}-%-9%M(sn@wzMn-iGhP@^MD{JXZ; zv?R0rJ;eha5t*!}<|tfT?ny#kKmeS)Q!W=061Nln-~Q+L4uLkK;%_M~^hibF%Jkdy zFO{!Aryl&y2GSGGHE)NwT$TNNTg+L$(ioKA0@-v$$?Jz99>EP4EwHGggSnbYB=f2c zfsRidk{$Am+RWb>u7g2G zwwF^pIO80jV!s<-FP@1c(kZFv9frP!ugOQ_cKwfl+Vi$HSoss11Gpg)3vrqHpdkAF zJ+uvvIAj)TYQW=(G`@aG(SZbQ9VE@n3cA-l_lXW2+<({AZ67Yw%Xl9tI_kWAn>xP` zCEn1$MfzvnYI$sIEKB=Y4onhUTYPjhOb#{L3snT!gIe-WU7elr*-A)!#C2s=RhY{! zRe!(N9NQlr9u6$)obRp?5fwEwsy%xTkI0wmrFOgWc(|g^rqV@YTP=aUfXveJ0Ay^C&pFEG+27B|F-eHxIIHCuu4rrP~denHA79;k$oy3Kx_cga6LUYj!95ZZ`l|?)!->* zy@1p=^RBaohK50|)g9zM*K5J*6)52-b|Vrv!u*BP=HVx9Ot)nAn3c9><@_c@LaFIA+rp5ZS_GOLn`W zhNYvb0*SQuKQvwzK=E`#esMAV_csT;Chb6+L;ZK1)G9!AP~skVhQcV5s*D=4IC8! 
ziOS{5^_43MFD$RADTU?pi+6ziE;cJED#9Ff+4-F{qvuO1z{J3?h2U5YPL{RUr;m4I)zlwa5y=~9oE!=yHDTdnV||j+ z4^xw|Mi>Y>X+6xzk zr_*XNrG|hos8)WD)S2nU=2vegR_fTqvG~O=H+My%qS>q44})zV$`-196qbL)M$gU} zCX>^Y8?|5R`ktb*7QWh|&Pc;8^YZ0O03YsY&(lPGoGvc7n;iLH(v@u>i)T-K_Swlg zX40y2>W}RiY>6P@wIyOpUfvQ zD|pVo09~2X5K=AaP2h{K&m!na?zvcG6ODcG>+4I}!uxfHPSFAFEge(y^JyUOQMgE6 za&R!Wl5sW@5fzt~@TSGYn6r!axp#0|*w~m(n3YeAkNejoM`Hl7Bra~8y%k0=x4UAa z@ekQVVp1h@G3tKqu#n>u0PhrZ^z|z~aeJrwobk%2AdOFYC{N;O$P))0`Z>noBydS(P^OOu zj?F;ZZ~Sj2DzEWB3^X9=ns`9Fz2$l{H@3I21ORZh@m8MR*%Y=-cup|JwxiHg# zJK&mTVGyZWl#@c7UIz+v3+_7N0R$86hJA){}85mW25DH)`)Fj4uItH-3at zw(!|J%$VwBiJhGfc5qF>>>LmaTUUHs?oB4-XJ%Qoweb^HL+|*=&}GYevav~1P&_$}^4Gs|9m^i1_Wsogcve_C8h%z<+1z5}PD={7@(=0B{sy;LAXn$3DsQ;0GuDHscXLwxcMIwuyDQ5*a!L?yIrUd!hV$?y+ zAjgX-HOXgXR8mQZsB$y;=3UwLYCKs+3p1|T{AfJU<*k}D3@S&kVhtYShTcD0%RTtO_jpy^g# zw1;=^PN&@h0$6sSvixPLxEY>og@u>cP>&F}n2f^s3HT~2kcLEqin1uAv_23|)3uk5 z@xe$3ri?Fm4w=5=yIys@AJlOf=1|MaZK2bM%}$&Yg{+OWMDMZJ#xm->X8#YV0HQ4* z@(_?E6m*pS+I0Wf08)tp9bZq!6+Stn4hAq`U+;ue4GmGsbz7lu6rlV*{~r|<6-`Y% zl$4Y_JoC1MUf-o-Ts-|39(0wIKI*OXImRmhJOcD7GC88~lDX2BML3|^lAwtJq+@Ga z;Sk^dTp!8oV?eHVsc7Cz-v84uJ0r15iFSNmF&vNZpD50!;b%X8-$y!30gWkW2fYSk zW;MfHICbJ=9m>f_^(VpWR}wOq6mYwJ356}csE?gclPW}I(l^Mwd{4t% zEU<`d+Ktf?dV2V@>(k(3qF+H-csMan&*t6@KX=yT)=KPG6dfta$%-287(Palt@i9< zf!?;348>4QGLMG3J1{ty0ijQyl_-KUb@ZYcq zN=Zq9Lc(kE+jl9gJeYa{AO-oaUm!JvOUs0weAj*ebU&pVGNCrCB6L@MCFLFS{&iv9F|j<{Ce5 zJ!%t7{4YS^x14!224y3WQRDvMcxBfqC87sEh5@f{rSLJ^uROw{i)XjGGBkoXQx~#V zqTUT{Nn?KdAQMzCbOGwxWmCv?+1(KolF8>yWmD6osKV+mIN^JYK*nA3&+yn2%aJ)M z(31a8xR+WSB)oPFH!4};AfUaU8WG6G9ghiveUlylB$e#>t-&ONysKqT;$ju4Jv96P zYl4l{JD1P7!fz>xpsnvf|6H&ou9}sYSg->ewvZ_?z@&YBfR^QW|6WaX{U$vwC50!O z8aq3CSyCb-IMWYmBA{nL@7%1d#p%o#-pmbC$Df{^R-K&vuBPKHuB~dit!tG!MZ~da z{?a@tH#ZmXi$-$5HZa>O@;nOyQQ`YOT$g$*r`SRHR-f0kHQdhEw`l1o)$ipDz0LLj zL<;fcbC3}!{GL0G1IZ7xk=oiQy|F;L{r(+5K!~jbDnjGf7_WgJ7FH?e0$C~(#XHB$ z!He?2z_z=;e=j}x5co2jxazAClFX7s(nfHUpXcSblH%7Rb6EcAAwXsSSP7Zk1_lS9 
zFx=jH93UU!C9?x^=&xQ#K)}xBWf)J)8;iOZur!WjE>3R7^TOJBKouNN0qa78u1o0y z;FqMNkhM`;B6>Ia`}^&A(m7L^1Ox==_rgYvWw1e4CV;WuNmQl#UATUMiMgb)v9Y8i ztP8Q<30irj(A0j65v-l&o>F=$vjUx~I+v=;m~DMPT0){jrC7TnAo|BY^N4VJuCuGF ztCLeZj$cz#(;hNVjN0oW5Ub;brlw?MWU3iI@E1nts2fjrP}6r|Zfv*$0&n}&i9`9M zr2MGT$tzi!Mmza_1)HMdC4hLqWFT>VdC8M5TkG*rF&0v#knEn8Z7L1q2Sufg&DTy` zBuh(615*-+F9o3c42Y)tQC7yp!J(qretN0^fy_CYN6K47T7VUoAK3|YGB=(8FdBWvN=h38gYWJ@XHbhHf~w|iwk=2cje9JxqDbB>8+Uh#Q(N=jPU+k0qf zVK#TaQR#g;(<%F^2w`*Bs(1Az4zjS`o*#xwbtPGd@nX9<@g*z2FRX5CZuC6~8+BN$ zx%spyZc^a< z0X1UD##K=wX?4Fz) z4uqWNq?Bi5kZmnSeLDVdEXB>T+tf)`$IqADIImr)p@q_9bVVx1of*oFxpBi1b;pmle98;?yw5d3s@5=zQYJF-{&t;EN7 z?@F?cTpeObSuvGJSe|NR6GXn??)7I(ko53iUpX<2(>PCZ^K2B=ri-bnp7AZC243qy ztLu@}!<90%5l&h`8v3CpVqjHYalNYb&k&5gGLc2WGhcgyzU^@cJhw zseBj(1a#Bo6}k=I7UZ|4r&|lhG&Oalr<0?g#P51Ncitr;Dc#wlw=wT4`zL3+axGVB zCZM+#tsea9?gp$L=rw>=>*DMT`er&>2gP=l&nw4R9Wu^Wu2OzWCe6;kuW(w|UE*5i z^LitMwAaP$ad2XJf%!t3qWbkqTe`*Ua!r+?5Q2Wv$eZsPY6Ko57iqElxWB(B#9{x7 z^6C#CzqW#u3>+sLr$4eXzke?zu6_fsCLP@=Az{CbD^a)x0GwjM!PqMZg-1t5Aj1`x zpsx}9*=*Ujqw48CWFw-C|620QWpK?7h(7>*0tXFvIdA@amh>BJqF<*kqiy8gHl3w4 z{%n@17uRHJy{&o8z(I|XMeo+~4gEEmx0|`-ZEvpTOO`10$djsx-k`@(jLky(SD{St zi))NatvGPIIIN4JgS86T|=QE$CQ zTQL75A_A0j6H`+>JUmrZRZezxV9P^C8`(~Rytrn#&K_HwB&ZoR`lw!X{*>N2{PPg= zj`ICM%g6cy0?mu*VvZuq%H@Zrsy0Z0N|C*^@yD0Ea@=`J$eLtTi(W%~Cr@jh881%^#dv5Rz|L9}spaL>(ru`qEw2B~0Gpcn zFsL7so8-8?rN}?*D}G90u90NfC+YY%bab*h75z9x|C~%cJ3Bjoyq;B1XS^N<-3|a9 z;A`vZI7yPFyi6?Nxo!(`x)2C;aqSasRn=d$OOig0cBLY7c11<-1_!I27zsMx! 
z>a>Hs3>Lh`qLXCM#%WlcHP&xEz12%U)~%*0&D)Mk`JF9q z%(T?1EI}0Hlys4%MsqK)EUG1g+Q6i4&mTOjoZmr=<`Ehm--_XnqPYoq>IS6#64 z*=iJpRZm$}y+GVW_^0luB^+<;&daCD!Caz7)W&bj$a>p)qln+0@t&_y1ndixH6N$n z<#IZ&uIB-<zg~Py>-}VF z?OP%hOeW{4UF1P9O6H-ertXw``b}{?7WfDK{)0I%giJFZJ08d1<=s7cugniYR%Gsv zUi2^o>0J5-KIk#HlwK#CsXdK7l1n;waa}#}2B#$1=r#SSeDOH!KJfXz{abhMi4`_b znqU0)MiF1~cp!MJ^~TE42*#ZL8h-m8L15)!Pp4#S!|29$C^I%H3U1^%yZ*z&1Djnv zV4MLat*TNW+|bfFyzoeo|s1-RoOeI`kI;>h_?Pfa7CM?5vKv!#bZG z(t!;UBWpp;$ogjze@936a@*{HudG}~ z|850|&?$ZI!7n^HE5P?#UTV(Hh=&ZKUQ1aypx495$jHp>PudQD4sfFnp`CEDWoZZt z!)nXh+rRaKR{g;(VBD>lyU*l+Xwu%U{rKEz%yvVQU8h;4GRqm<<##wVGJ?merlJz~ zv%R$s$KuTA-~~m%3*rc!h~_~T+r9-D-@JD^MmwP31K`1^N0u7f5$f3erK50iYHIBU z?h1>XTrg!UlUg16NoU0r~gf%Odb{^h7K_eURCJu%oWfG*pThkhDYNrNx$u+_q7vyo*b*ri7?yc2nr}^&5?f75J2R zR3wxe7mQ0a%PHXXIAv`&0yK~uw;~9d{FIKYj)5q8BiUbkaTh};$C6R`-3xd*C!hu$ z6wNAm>0(L*N^4ivWw zmp6!0T2|&vC+_c}y8d7(8KElho|mIsvQbmRp|Ah_>u_Dw(XmS!L}*8S^9%_>CoWEKc&HWDjYCcj$M9VEx!H4Htou3(9(LfX zTJkQ<%abonneqJKm9j*Z8C_`^&I|$57^%ZF>87mp>FMbY4{tBAR;#6<#JjyVWlC1>~N zg@Za>y?Z+f32i>J6B+cJ)LL6wDn+h_LzCbbY%?%sYJ%p?rP&@kc!sD-Y0w-+PO>^b z@6fN}4U;o4(bm;BBOow12?P)c+vUp0z-?_M1K4w7I_}B2?%8{Kdg>;QgM$Mso`9+t zofbR<4VJ)LE_QW~d?&f?3`nviXg)Yjl8=sOy?d2L3N9b+T5m@@4)wb=-s%I34;Us% zPEJ-WQE@lDHtVzdbqBu<*(AP|IuA0Yux#J=EGnfMet#Iut;ntYik=>+x3aFz1-|Fa zIDm0pPpp>a=Fv~dSy_UeJ9c4o)YN!r&s4KOUn~}Ew&r9!+yYEAO--S|&jz>>peEET zY~Sjm?dNg@6^*1B7~+$}U45_Cp7>gZe_9K@Thha|p8|=^s&Aq4N$`@q zbL|012s#jA z#6Jbv)oKhv0s?azn@cx7^A7Y()8AH+U?c-XaF@-0y_aZyDee~+>E{1hlE$TD6Jsh- zkwf{BX<*Wf8#et)ZfRw;87(4&*yv=Oe+N3zwTkBlB+azoY31A>ATU5ITEH}7s zQ-cw_eWYEz5F9N4F+C(C zWPpEZHFd6nKF-!frg_!M5}oj%+1rRWu%V#=fIul3!63Nrj}IN`3ei$ z=&iieSx8UuB_eoZX+dw-ydotNG2s%~5pH5^+@9#_BHKYL1_lzo^py8Np)UX+N}ec9 zL6GS$yR~~|D$q9d`qgt?n_nYu+0UgUB_|8qYv-=g%Oi6?II=>EBd#IoXed2Qp5DcLZ2^_SiuHgZG}Dy;2LHp!|R} z)cw2HzGY`RIlJ56Q`dSy_dPa0!NbbB>e8&TpFp&~AG#*rrJ*KVS0OCTnmTOmDr2K) z2%5}o&J!ItIJmK~=J-25U$?A5NPT`!cmKP>HGkZSvf+{bxq@^J%o+4Fb-=Er1E8vn 
z)I~h~bT?_1XC~>Ibf}x!=n|gPTie8QzxO_SxqX=1tNBQ2X{P~?J{eK*B&3nf;*+y8Zc@DQtX1=r zO%*`uVAw!gXTTXC9^=>H3zdmUy{`qnx&3TP@yB>Z9^W;h=Rp zckCZCAt50k7&t`2g0?8S@fUa$fMfw}gImL2RXISDMbSp2>rCbqRvf=bQwQ@&+RCr! z=!&2c+Z?t~U%+?suBNII`<1rih3NVmMK7f0&8QFO*Vny{ZBeBIV4DL(()# zva)ErzrY~f2b!76qut%Ag+p6{m!&(o$09r>64K zX2zh?F0-F4ErBc$$6NslCUhzxHOelHf}_mBnm?35CS3rN=_}OW5(3%tK!{b@H>vs#+|JyS(J2yu-f{nlV0U;! zMhE}3YwZUrWkB>>=y9~RE}NgrY)6A4C_V<+Eo#i`z-~Q51k)ryUD_gvdI8c&M_+sU z2N##R#rT|@VKBeI9_Sol6q-VaimIZjVxm!&`1`lKb~JNR3BV$afFcVp|1RIvl$G`I zu~#$Y;}wT*Kn>kH$95eCGYh2qFnH`J>B2?Y%eu&j%bU0wC~ zII}kw#`J}or!9_iCP`&FcMZ~7nK3bM8`0&lg!;Uw+k>3JI6=#m%I;+S5^eDr?&6GmCJ&oUbnr zO>5kLadShD8PAS4GVE*^7CO&lLH`@#O=mGp4UbZ)_vGZ&Qn9NK(S%Jt3c(P~>z!Mr~57?Rvr1z^1eIBlhT3pJ~*0 zjxGo44XQiSD#ei|D9`5qyw-3mu^WBLbb-I@o%Q65S+T(uO)2=0$ zSUHgrQ5+R{SAgp-n^e4w#g)`e*kqVHUU2g~i z13H8Kx05UUHn%r|g0gC+ix$01tQ4O|`>1k>SWkep!mz$~BQzp15=@iImm7hZvDp{n z(EE9bj{cso-qrJ5<}yUmrVsdI*j)_l_1>2^^|T(I`o+GF`D;JIur~T+H@1~T`SbOK z9whLqNds|Om$}?0qRJ=Ibc5z3?8iykmsJ02ED)GsWEeAopLP1mA(fp}YNSo<3 z>q^^%p<*MQ^88tG`H1_HvtD91q*T}Yfi@FIGFhTRN)qi4ux=C=R_-H>em5p|0&W># zjdk(msx)|bpq-43Effv5Tzu{)$Qa=WVBL-OHTiT;Wo}wen;dFCQ5u)sj9BP+obr0gEMW2u5RY;k&e*hYmHqhZbNYTW;WIoXbM7s|)pzcG5T>6c}XO~^2 zSJX2Lu31z|-DQj|i%vB` z$S9vjebcvi@;B~hjhVh;4w(;g{5<5}bY}mKqAynd9jxwopK+7<&?`hOg{P*VBs%2( zeD2yPFpzl}f_Wx<0(YGA^tRWv)(y%t*$v`{%%AZvRX zX_J5Lli_=?{C1$?@yt?1??r|4ik`Pje?xo9aVZ&3m5h$Ihz#LdhW3cwJv<#BZtZL; z-Ry&A`%b{|;7E&(ZkGjG>2tHiAjr&qH|jfDl@;mCv`v~)(WKia{=M19C_`C##V6dct-%E1MN}#h+O&+UeRIg?a*VvR5;ao%pz>rx26)I(9VLYqL z$LF257j5y{gl4m|ZsOTI92`HRw7JwnZt*V~C0`JWO(D1FI$Hlo(#Wb7D`03a7TX;rIyf%j5iLvgBr3z5c+Dd2R}xcbOPV6V3;(kf z9#+2KYjAxGPKYGe``f3OH%@%J8o7%;6OtjzH%U*h3g6#D+IzVx!06Dik8pPD76)+! 
z5cB1~5DP-y&1`7jjWqP;{Ld-JKLuZvmy%R@oB zA8V)n{g~X-&W3|y_nWF(!ID#)?KdH)S)dapG7k(<1b3QyVUFcVRk)pW9H()|h2g}} zy`bYVR3y{*w*D<7vxDZdBPRTOrKTL12m7RA_U1y|?GuIC60)9%k06a0jHe&JP^b+H z6(fTOa2W#Q%D2wJwMt46(!`s+k~UEsv@_sqsWdPYuvZ7;V6WEtKcm3b8Fs7b`aWF5 z#$s&^fLsOF4{{YUzy5;rf9}KLe8OL?+i4eStQyC3numN$V)hSF>@u9HCH-Vr2srE& z9%klObQa1Nth5KCV_LxX5fUQ$l;AbydkwmcthY8@n(hcz zuDRvO0^I#F>JbClMD=BlH4$yMAA?Rq;0xHQjed1%@`D#04Y^Cm+!@az>O~G?Zo9v8 zU3@h*#y6zMH**g?Mcu(!IxI5XHBd;Ycv7Ab4|9A5*?>JHqRnY;gVL_&1`YV_e+81U zrk3aNe&$X$-SvA0#s}Y}&LGS(z+GID#mVLZbEXP5EY484(_8+BbIRED3QxBE@dV`y zV2_K5tZV(WW`L2fOdmr)pI$$P7mdSFEcNjL=qM;GMX2aD8WOVczpbI%ww1yAJy0x%J+GZ?UJo^j~-d~J-U?wS)1lVV&eA#=`jWt=6&Pak$7Yo ze}~=)3cLLoNt)6w1EpvwoU-f6@K+bt|6%N}qq5whwr^NOIt2tIMM@fJr9@gnDGBKk zX^@fz328wj1*E&ALApUuy1S%7I)ry#?)$l)_Z#0B-}v^Qy4joSywFT2oXA{KzlABQ`dC8iWjPvL2LYa$&p>ejDU&uO${snQgw z9#FrGDT$_FkDs{tvaR$lwaE_yI7&o?Tv!P9)!7&hG^P(LHjSyUF5BvlSA_J z@k5r4*}a-?yZbsk&;9hc$F^>%^CS=DpNTCz@qUML(%+}GdBf8KEv+iXWapbj7k~CN z??>LJE_um6)i@1Bw4Q@c50?G7rWF!K?;+LXBLc@LMag$e*43B1I^`3DpZmQFbv^1s z*I-iG!TTjHu1gai1D4SfvQd~}fE7Kf>q9c$;r3CG`HExjN&xndZ%!y3MStYDm()Ka z*1&Tt-Ouan4ws98UYVW_SQ|&*Y5vM+SvS7PoZMz$GC#9Zp}YJmX#LUK_BzQcwZSET zH_elN=_XWU<;V3Tnch41WL(+`WI@7W)?`t#wHGF8X>I+o|1S#SoHc`KKLhQV+>Wwo_^Iru;wt zJDV4y4-A-caU$aGC+Y8L)j2mZ==h(8lvHy#Ml&qy^`CUaZlQ#~57k#y$R+w%GQJKk z{O7Ts^LOYaJu(Lym z`<6@hqGSnAe;1<(@oDGSbb$7C-vyR)YRFS$dYc`nW8zXw!F8E(_xO;1bZljinEI?71Hj zSgyAdB{7q?TeC)75t<=GS{F(gP4qdxxZzvnu{Ti@4W$TZV6K0YFDV;qw~)UMZnw*ozdbkx2wx{^ibHd`qob zox$vOR5{Z%!b0wK?S|k?SNpGgH%)17ZjO#7n*J~lLrHPD==im}+ZwNNw_z%lRTF#W z-C7@~+{T3#8lKk6;sz?`$8mQhKG)6qN6^x$2aEk_8R7nUDW7)bOQIQW)ESim+Qb|* z3(eK*#jPYi~aqhI|`QToRAMCdNO)&_B}wB+k?x*XhS?h2neH9N($V+ z-mUPsz5s5EY5Yrxt^CRiJ|Qj4TWhFwDDVAP!9w!=%gb-~wuqgm^E*oaSs|#D*}h7Z zMk4%@xaRQsC^0JfJkCu=4*2*8@M*)0+4N z)l&o3Z_sNdKj1&c4dr}lIVfLl0OBEIp1b^a`TQlXH)oNr$G7gDsdOD^z{~tnw3T-Z z=61H<>nU*_r4I-kt3<$an@=k#`E`;)_@0K>(OIrH=U_(ZKo@~@xYXNQ2;3bq=_^S{ zu;;h&d?X^m#cVz$$5H=4S8n|KySD(g0#OLGd8MU0Ka|~T`JB33^L8y-fF||{JdvuD 
z(a}*;QJ8X%kUU^#KMuY5PcjJ}V1#5+nPzS83yT@fcuWf$!3guJMCdYZr~8ir7Hr`) zSHlQ~n z!~}nCXn44k0qaffb%)1~G`m=R^HB6bF+1!AVl9^)2%DJl|>969B>x~o=6ok>{iUEo~4d(mzp9VeW{igQ6ru>CK zZY~%XJfp!e+hLh7cKyA%`Mx)=s3@ScyT8BxAHL0R4Fm7w@0tttkI1P)o4a3$@|%g* z2(^TYj3xbd$%Mka{h~IMk7pWOU!)FW`(J3iSkmW9EbSY&ALov{1Pu#pn_IEp0*w=H zL)G#BkMgN|aAHhzN-6QGaflWM14s4swE;)M3yo1$xDvfBF;<+GoQW-RgV6R43TL!2Y$UUF)~X2 z!G+h-(o$(P#lUXT8h~?lcIM+i4D6ItA+7vp?s<{hk$bQ{Zi8d$`qb+ZBz@L1%r&j= z_9f?RpAm^0NPtN5wj_O&T$Ud^Bsc^BP!!wi->V<0TaZH;kU^S4+w+WzXdFB9ZotO- zfDQ_A3!l`r_wm+2$He5d(+x8HZtig`bGgVeag4eyjXg9%PkQ`6RDd=o^H zPO%DThN^U1LMvbqH+$D+e*j9M>ud)RnKWkE%fsuxs`9alQRL_wq%CoT4}Tg9m%(rh zN6_ZiOO(1y3ylb?CSsdc?iO2x&y9sj+1+M#zRg^pb$cy#-Y=uoVq2JX5cdkYI?wPG zd(Viyf`)A;=rPIyAhV`$jys5MGvzpEL?z=?n}z4XeP2opC$2-I#}Niz|bk z^w06#U*8Jep2;h&QM)VL)mdWbLJ1soYODG?j%@H0)*Ro+YlY84J|?g&Xjh+*vod7XQAFSgjYV^laPsIITQAvouzirtK|@0u@N^WQ z*m#nZL1&?+_EK+-MDHjwM{c0$iKapr3-|&rTR2%0`(WSY{XXKdG0arTau0NQ08Z#8 z?EnLOW?VQ9U{Gdi@944venD6mE-*zHo4(EOoiQ&ZS#uTsKe+;z=5%rdYIOUJ*B6Z= z^}p`d&^-Zo9(d=a9kk5^7}`&z&hIp?ZT4!Rv&n4H9+%VgjYR}{P|vC}cw+M(93MNa zphsccHk zx7B5L{CK9l=}DqN-4MQ7(Q!kRoo8pIr&;HbQN-@XppN~peBPtyvqw>H4NIoBVVmrk zNVtc1Qe`*D<-sWc+9}hrvx+fYw}U?ZftQsNi}ka}m#!f3JUXNZ`~>Cz9x~eHRKp6b z1>Fv-do3KPC6}nM&;QC&<>Kk0IE1wa!h@2x;2nU0-UHTFlumtEWUneMeZ=4Ui@&eP z$wAKteL>U9Hy6_xB?M=eZw0Cd85OstYg7jHJkM4D-9oFA#;i&h|+mzTTD)!U4)|VsB%i*tuLBy{e9giYurMH{}$%+&CZDLICKM{ZQ__0ThJCH^DSunm zcLO$+ zvDq4Ibm<;J0a-klYNN$^)Bp^fZ$biF%C?q3c}vUFLPBmb+O6X%Si!*W1bbd>2Y-eB z$i$i0yLYA_^U@qTB%B+Wo-V*0Pkc~qZP%Vx#Kgdmm79yP9?OOH_v~QJ&Y%_NrK&0s z2}!F$b28YamZWc!k=0tyJk}ih&~+-cMb`2l$V!~P)$M1ScdEksy-sQ`ORo4!IZ@H| zB~FfJN{p(6Het76T;*~}OS=XoCxx1~yEBDf2`RQ>cZkL}x=mUu|Kn<*~@h+T?-Cvg)?1NhQYWmOG3FFN5 z$?nx(XTnCo8YI8Gl2gz}UJvgNjbZ7{=~R;IVmaYvDQa&1mj8sLvJOWF+e3DC#Tr9w z5$=dNBMYCao9PVM$4^ssTXYnUbjNMn<%JTr4bD zY;u=ffP&+p9}uaWu!I8~gpY7=7?qn0G)P!IDDWUejyQlF76^}^eoiR$&jLDSR@Tj` z3*qd8q~E`*qAglPO;nye3+`MJqqQN}F_YMv>hA0N%+3KEmk;^3ecmLzr^;8kDELLu z9AVZOPDwyXuEC`t@X-F*U^}PMG)u~1O 
zF2cP!d)>~-h+ofw+1Fs#`1`TiA@1SMb;MuiMvtogV36jeN5@%Bx=mFGYk{ByVShmK z)V9EGHZGd2I5(I=D3m+DeCWP5^0bn+x}K+dEgx@e{uQS1q%c13_X+!^AjTuVI#2as4c=;n8oOf~P_5SMT1u z$?Z0FZGNty0osg>Qlm~=!X}39`3|VfaIg6TaWAo#mX=0x#T1hs`|GL9r-&pDb%~CF z*@}fEta%MBc&p*=wZrxu^K-w^xBG4lZ|~Q z2jKDuipMP1*mX2UVfp~Y{8=rOK#Voi;);XQ{?_Yv)wT7mgK)5${_w`wLxn{HBuW|@ zu^R2mCK+S;vsKx(@%e$_?T4x+=iyPujZ`;Iyo7jRnv>lFvNsLQr5cgQEq0%o+(!hnGY`+vmetG znH@_P>$&#jW7|4XBU{=pZHUk&>!Ce|k^L28D0#1%=Kh z{{-38b?lS;q}tZ2od%5h%t!2>snuF$yUbb#4q+#Jww{YjjMdM09dQOK=@f_8!ZF9= zC!ZP`UB@=yosY6cW?*zF+-2}o|2}$kJ+22kCBXr{qVHWkeJ!~70txufpFh9Ke|b)5 z&yKWJ(3LIyW-s$kXRj(w?5)?kMrDwZaS>!>%mxZ)$IjY+Z!;~%&rx-6+g?GBbDji4 zGqaw?uL0K~luR-tb!wm>t?ZYt45(-dT|nJ-s&k~hgOWc20t6D`o#MQnr)3SqYOS9#MuG%HZ6Tl`PGk`RJFjd@b~w3`S_z`oh%&Nh};e}{40tywsQo4(>6BD zEiZkL(e~0i`V3C5UzC5~4+#!_rl=UeFKEBq_2DfaDh-lr$&19hckT!}WJx--_LJ*t4gUs#d5Z zOcJTM?r00yrr;*>J57s(I7#FzNz|5kO`EEz3UQhz!?-EP-BW9u*KY*5Y(x)3|F+Dk zQS%Tr2)0mUxV)U)-d$vfAU`Vj;VzC$j4!}H;|YuJmu}}oOPOXdi-5Sp_ z^YgLP_Jwzu#I!^SlH-eSbYJ(|smOuSB`i#B&1=ZFBC*f(ogLOTXZf0G6{QfFfJil& zop7(dWd2CrbUaU7UnE!#}Sz~~> z9K`0;lMDF^MemH_UoO`x)ExAdhxv?`^(FGZy3`YTpVWHLP*8v^TC3T}1{TQ0Z$Xo} z-}k*y?`jzxR50<0^2{GqFj$c==y6JtVPQqcI|$fWJl_oXjsq`fX4%6usQ#(X_g-A< zivqHic=X;|>^x)?1JC4cS5)@jKGA5_;Wh8f*<#T9trRxM3QQ8+5)aLIop=?ue>XGH z$Y95X!)3Kx%HG~SDr)wjr0(>^(zUmrM->gD+L@56Tk397&Z9%UxLHGSxrW^_rOV`> z8n{)jZm{z#Y**>9tG{`(PSkKI^v0~o{d$+^HRzE8Uo(@9g2)~!6rhR&Kbv6)oh_M( z4pgdzv(U=}y?O7=pQ|v8duR!AUQ4;KkaC;oE*^Ij^e{S}%K3C#U)WwvqSM1+m+NS2 zYl`S@R9-!F$!KU0na;A~*%NOn)<2C^^Uukl+(X8dermAbS$uLMR1fYCfyDyTh&0HKQM)=Kg^ojdP zCVK{HP{~)Fu4(Yeoxr3>E$3z_Vd2;2II+nrnx`6kJ`m%#Cgvl(714APal<#e+8(Sh z>x=b6h1Mabwv*%GP=yX;YIOebm19lTxYj)RInt-<-+r1HOi7(rWki4`F363b z#JQS0U5V1~I!XHpsyw^E7gQk^{ZcLfiVgUMhL7TYq70v~{HC=KnWn5VS2^+P@LlK1 z%^Fm82tuMfJHatW;NlePkw%p9piA@cTaRiC+^D{`au^#Oz@~CfImcZJ4ep`V}>QarpgkJR-ihn&9C3@tyYD#&Y-V>)bif@y2Y!pKu$? 
zFMFH@cE<42dubJ~{ep-)Js(;Q`WC;cx2V7-oBmj3&{<0PN33vlXZ7Azf5NS1n@-h1cSiVOF)4X(QWf2Jx2K5 z6~caYd6)gEAj!}B21LY+dI6)iZBXOc*f<+yn&tHzn(VpYN*iiVvkN>i5$EVwOi2)8 zWJFVkDq_mF!gx?Qa*y2RyAP)|HCHYw81qZyqwxxaeeW0sYy?#e)wmypGeB4>3+920Ol*$N_!BM< z=QVuKj>;Mu2*;m-(?own6O5%L(wdq~PHyf`TZ(Q=V{bI!-L3#fuw(Dt z!@deci)XgwFgG)M00c4*)aUuj%f{1@(0c0FGt~#Ws%e>~sk~#|3=rcUzg_(?UObhm z6qOJ~N21$7rB(bc%{rpEkGa@4i-FNxR893viM}Ab|2jwOQ!Q%$>(FF+owKG)tpeCL zi~F=$icSAQ?fBm5*ZeS-G|sr${5!vFWe*Qws^?r5N>Wk*R(j@($yJ2|O6Jn%JU-{8 z#M9N5xlEdxXdrOi`-;G1o0~tyGFB92S&Kk=kL-gdw)E<%M&MHPkW&lV>H~aF1!WUl z5f)Vt<|Vuo%elHz9_Qxy1BSy#j}W;D?(XG9jieXkBqV{<0ijlsOB#>Z#coXAl9ZGj zI=ps!6Cy*Z_#{p1cx&IIDWkX;Pjn2n&T<<=Bclab&NSMLoa$W4=%V+vm1wW3Wa#PWj5kLM z4Y!o2@KDwtwnhLkz>T#-)1CYAZ?b(*oys-XBnaX+c(}>#qnUkJxL;@;Rid+Jb7?tw=S$|XWAB1|vG->u@w*MFe%;dJ86(#xT`8jpl^OQ`qq zfX<-``l0;%=_n{w4D*p|DR&Hv!O!#A-m~N$u{5m{&5zHVRXC(niXZ|rn_haD?gk%a z!l0}^DfTrB$4|ep1VSl`G`N2ckD8_rtUEAtwr?vRU*6m^`eRO*JlC_IU}x*QcN%Mo zq_yyDBlLWQZaR4eNE>VjJjMdFII-Q@pyJs%gih9y+sAr>q`r4#DuMR3UX?>)Lw8{AEJ) zJ2|s>CB^QJ2iITOB)dU#aF{_|bOP5XUv~4S-eJlKc)01i%gpU93pq_+%c=`?Cgv<-HG|}$>%1_#9#M+ zi614I?&e9oiooe=oVYbkHP_hBeuE?9(#A^Ymy24=zzaRS;^C?3>45>7{Pe{8Z_%gM zRs{WkObL`fyN3;4Kif4=m5R@bah`izcTN55RX3^Hn#`HZeo_vnCcLw~jAeOK`DlTt zVICOjE;FcH8peaEn-u7c$_MoNsTOO*T$bHC2ck<+JTWD1Hz6{7iP;Uj&_TtwIJ&8KUthT2t0m zS9=6E#jYr+VEly(jrp{6_viAj7k?;dO7*2BzdPKqD83pDs{i@AVaaW}cy7N%ukm0E zv9f2{cEbhE7DxyCn(W|e@Hsy?6b*+I!%v@IA1*#nK7pCtBfIxMvO|%`Fa%hXQ4E_Q zycK3$j^M43dC^db@x!!iXuY7YFe&ePr_~hVopDGi;N- zO9U#nr2TS6t-CeaN?-q0j(l!Yqg~|Z=Lav@vn1vmOuir1RjpCYadwcvk1 zt6>`S|3DT7{}Fo=!j)6e=0*9k2wbP}%T1hJGBi=|ZC4Yw3R0}x4^di!c{5@Jx&NIqP%L6}A8f(=WoY_*{!Y+zuZ{66@5v*U8tZPLmCW`w!oJ}hRJfQ0+lI@TV@9+>on z?mCN^X62aDFgpsXtW6QN#TwK*?c819Xn~KjQf!}vL+XvjqUfr-D*2_&y~~_L(@MH9 zO5)~?J~N%x1ei9-lb6iS&cdXyO!JJ>3*eJcQK4{)c>L)}pSPA4=3D#YTx!8!00`&j ztMm`G1Dy|+SXmhANL^0qHX1|U!wWG z+xh6(@Uw)|+BUfXvpeB2A_`=7j?`=4zy1ExtL|}>CuTF=vl&BsDLZSb6aSFMFlmS; z36TTgMw`-k^l@EYy$Fx14*`7``f-<2gQL6`yhSim&CT@|$9b)TjBEny#yl`?#C)XT 
z*T}#?sq?OGsqUU48ZHHT#wP^Kc`N1yUcj?(ibpN6)u6D$yh}mBv-^Q3;CWwpV8Ghw zG^oSmh&i+X-{|3WR5AR^>!U-aqZiUY+43^`tuK+!pUI*d0Avr;4Ybvfr9*DQHcdLL zI^Rwc@*58Sa5T<&v8pDzvF_`AylT?ne|8_!=4=hkTI0;b@{#rs`OnMe72nYl4}Uo~ z`Xoi&1OW>&tFJ?@f+U*_?mN=|fi=1=*o)~s{^a1Lpm#6m zf3)qzdUh4HNHUSEj<;tNQPLJrv9;YsVs%~j-x)~=G+v5u|9eRCq?|%Du#VbX?}jY^ zgto3OV%_ov@1`$x080#i8;q!fLqbNLyWgL;6}b6D6}ic*+ZPVb{nUAD zSi@t;oxpeQMZzALA)k;hE4@8D4J1;G)8IQ}x=bDt@a@^pjPy2uZuw4NI$Q40_`2v- zGe7;k0cQmz*Q zsgF_j?AGMI1SR7?mAMxk8@uF`^eN9K;rY|vSRJ3r3(yz&IQmdbUEdxU@$xKOJ|{oc z(;%`sl-Uxcy~M+t4c-G!0;;xz!-fF_$y{P9=)z4Dr$S6fsg zdj6ot&JeO43v*nj`M^i%ezveX;}>0}=b?%TONLZwE1cEWN}NcLr3M`tBLpOiA<=F& z^|}f*n~C`!eI0mLMk>6*h%A?-1Nl?6-l=V673(mV_ zD&fAc7NgbA{~No2P-*-0O8#%^!VQqly3NnNf?=Ai)dO{mctuxNceXdd2|2ba+L-BN z2ut!=QEay{WQJuRVxo$nFC4+B&_D%QNavlRSET@t0OqoYi08p--(uS>m%_NXIAk>3 z=+B>_aV1+kHqJdjh_Jh6m7x8&dzRrq>;vL`&Ojld7k{!6Sk}`eVHc1o?gyj9OTx~W zB2=~3p$ewS67*Sl0!M9+6=kNqH_iE=gq11c!#)Bj+R?q=PioK2;|o-Eo-r~NOJ$Z+ zI%64R{MOD)Ag`9<(Ua=L zsvNmz<&`ds9!n;`oVwWN2XP}uZf1kIoK1pPy!2_z(?LHMRXSB5cx6XLYmFZs1Bzw-asaSLl|at7&KXQ+PD#^z?`6rG@8MPZ@- zT!U3DpD?ews#fjp-a_2f)gate1X88a?aJS60N=>An1h-5+k_>I);BJUY|Wlw09ivN z%!XLvAUrn#MM*7e$^VzvJA9n;0eN3`WYTotr2k;>l2z^= zD9Rmi47#r6u2&^$Y1umDmyV&@3xA!jP|~Qk-bwu*?xVv=x1dfdf)|>NEjHZnly4DV zf|uWR9eaFIx&a4Ec%C@gLK6JL=n%C4Jc7FC%xsR8<;$KYbzT)#QwO!C@QJ{~ zcaX`U6PZFCXbbTV@*mOP7k=3qINK`w+5hDcRO$p>p_K4tFogB4v?QGkHX<`*wKQzo zt><@#U3uZ_R5}DLpT9bd^>A?c#K&wEdSdhhT(jrDAl z;zip+*o&o9`7r`r3ycYHmxB#j_2NzTVRtEH<5<7|3)6f9YQ2HXVb+p8r?IIi^B5Yq z=ItYqEWp&*0C52Ykj0T`bNrVv2-R{26BYY4KGoLV0;xoPK3?uSf_?7eu+B2kI%(PZINH+dQ0;Bc`ag$%(Q}rt9VZVa zpGUG3y=i;%d#J^WhTgFg^VNe@1*}TV?dVTL7|&($kler__VHxMHN;~^?`wLxc#Q}; z%|Rpwwg%ApRHJuIQh~0Wlq6X-TdTE$rD6eVmV2aRxLArYBSNGHp>yS*IjjKR1;?w( z!(=z>hos4(&O2%E$T&=NY*`~juUbKuNpQ3TT;2VThqP~at&^6B<35(x5q@p+MjCk! 
zaTr%srhJKYwYAIN5sya)?xl9G6~`TOk#BE#9tI?Tay2BBGmrG8&xO$ld_`lrzI)j*H}=W z9S_onl&Z`%E}_0&{sdN`RD%7O$-lmKEqdF-v|5NPga+5ohxje#2n1wN)3aTW#BXQk zz>{m?vjk^d32Ws-z-PUH5EVSu<*Cd_-1ce$`m~Wt}^M7 zat0cSdLDxt-h3{W(;pE^=8>YJny%bPhNJE1*bmC>Z>&WoM;n`>XBjVgaTKi23;gp@tRN>Ae#>FW@5j^$|}YK`EwLh4sq z#`oX^-=^_R*W-y4S_;B4S#Wc#cS+t2x{p1NT)H)wsjmIDPmSaIp5J3sgbr89zBlF? zg(UEO8GzUSe_H4|M{JQ%i8*u~PD@5C!+FTUDAu092YhN{W22(-X>79(G>nRhK+~;# zzPuYjx2qwJH55RLn$c%Z6%s(4qXg&Ks zOB(vZg1NaXbxnyE!IApA34|%}W(xqkPYxfX6vYr>v|2QWKMU>wByS%1HJD*a4G_Mx z1_Y-3>vq8>D$Ok50ig0v^1zEZ=P;Fg_kqZNKcfsp4uu<$3T)tIi11op#ICYaL zDQ2HlPPwOq-U355#5r6XZ%sVre33`|vEX*PQGo?8YljVKF>5rE$WZr;zPUI$l7&(z zKNa^%XS=tsx95m1`akJm3o9jk;5Xc6Q=T7D_X_(B4u%VGh1ver1>U~|!tosy!uip5 zo~+N?C%>rn&(WCPiEF(*WoX~8U-$)DrlzJ65`H{Hr#_}!kCxAs?)&|qb#--ZGfRDF zRW<>66Hmp(M(UNMdHx1Hv*(}X?!V?ph3NWhZ)TP!hCK{e{+saCG zZ@o8GP@}GZ{Q}+#sihDNV4+h-5_!!K>c)Q8IR?V~q=Z^Ybk_)um})2B&}b#se$jm8wbB8Ct%XFWLq*4|%-3OK?zTIiVbMo|k-Di-=m4nXWl7u}Wjk zpjGGR?XpGYTjUFc;IS$`BUJf@F3YM55rMP@WT)dT%~Qni#OgH(83phcb>##(r7-uv zHPxk!#*THuZ>NbHNQAm&gyu&X@RbZ%VT(>TX zt0bAgfi4eW3Z|l?8@7NR=TG}{TdG6|1U-0$u9@=y^@nlr|BV(Kac(j<9~2k&dQYYw zPbbN&iuF5<%O}u%sn^V1NnuP@H;GI{s_b7!(%=8 z(1CCe3_w3tWq4>sF89PWScM46lXOZ9pg&Ek1<4ovsR#)V=jL_TFu8y!qNy6jISly^mRI>Y~Wsd{}-KHOMn{|FgpeGmoD>3` z#e&S4n33iDlzqwN9+ z=+kxt%1Jd+iwT(ho8M&C)lDt!cc~}(bXN-tw*UIl8T8m!lI<+ui>itJJMa9`l9G?e zxEM5AM98CqgAg=o&2<+7&eFq*Am9uhB4OJmem-&`#HGqcj^)sWK7ss`jC&-r$OCZI zDXv+~dzh6=o`PnY%&CmPJ3G$?380G_R#9@{m=|D%6Vr^pBrl!t#7#EGg58B zr+4HJk7`SvTdwlDw7j?m08dVYG3q{@wq74y&+uf#ID!&@m!>7EhL@| z(0p)mJM}o3X@D%s-~EC%0h-ElV~<^a-EXjl+vx41SI8-%k^i}>IH_dbt;VN7p5Y!A zGAgBD%q1cbQCK6yeSg9jbA9umMtUG)jQ%m4@lIH%7@DUcoXX`W_w>SIbx`a4O=8*W zZ?gPzNKqrHVC5)L1gh(5Vxd*QB_M}zibL2XZyps;9o>IcdSA@Xy4ehQvT0QbB0a+% zk8N=9|9(RMOfh^kydJtkvNAFPjvK1?*rE;(9WkxV9sK z=XS*yK8U~hwK^bP@ALmFO7BeH_94q%<044h4m`jm@wtG|L|JR=9gsTB7cVY(*yOYX zFTGr9)Ri)UfipBUh(jc^?mE=X?7gYxXf9JYk<)BOo;(5h_FbDZ^3a8VP+?S? 
z+SK|NyM#HpYOzx<5)8VYDX&JOfh`I*Fg-61Gq%b;0Ge2&a1wx8@bpw*S_BAe&*XH3 z#xv%S()B&{GaZ7snI7r~;!5T+A;PTNP0N7Kjx~#6Md_%^aqHLlBaicPZ9G~6LPA=9 zX=7*f&}Pp%ye4|Qw{uhd$2aWhg?|YmtoM~{fQCyvITmL4PU=L z`Kw+^mnXC6b$#NMua`Ci(smgEIJC!^*DHOQS`_XH3wywESnV^viVqV{H-Gy-9THRi z{&j>KVpg2w)t{OS`yzA;m~P?i17RdI6niAdMAbh zrOe}pP0AX?U#-IO2nYyXu;Cw|mOLDPDmJNmqi+7hP6RG-(c83Q5nmkW7i|hs1ndmq z+8cHCrNbx_!xj-(`tX8??N zP7P|c*=sQ7cYO5NcgRogL`=P=pI47a#2{|=1sQh^S_O>hV47>d=0Z?|Es53u!UTZg1*SRAf(Gx}-5$Ktf`TKq6@5&gk#cb0Nhdah;B(Qi zbLro}6RjzXjyYcq{>qTOmh6VTgCzv~h1!A%Wm#ENs6j1tbdv19aje3g11-2os({ne z({JCn92a4|Sl%>>*cKBuD_ZdJv%mCa3h&*Li%_*>9ev+@4hXQMRlwKx# z+Ez82pXQgw;j5=66bvtfX;RvZ?q$mcnVDHxwcqhAAklMI`p3l0onvcHJyw@O=EFU0 z?kQHbNXsz7Bx(G^T{4m3#>~Z~>?tzIp?oX+P&1WkoOw9tZE%X{OGaAcQV2?Sy6QA$ z@VT20^nO-W`Df3R=ZFc@oKB^fT`3TbpPy(V+57R%iJRLB9_^Xz zzHPS49U{G%{_y6QlbD#8f&z}sk>5wzbbkG>wY6GW8xs?`kWNJAzu{uQeP@-y?WK#+iUQ> z@MZqo3wN=$N`Ahp(J`NR{mEMw1Fs6I=nvF@nu)?Ds{g=!Z2rRu&gAf8cKwQu`S38T zhMJmqZgc3z`rXDReZoCs$+y(-DcX2@dU)IY~+zD;dWGXaYqx63YpZ`}I$@(PF~&_Lau53qL0u z73)OC8|drbV5EF~J>UGkxbdo1o0FsQl8d!!&iRz#K&F(8Yi{2|x_WT^EmM+LTx&?!oRZ{YCqG}tk6#fO5_ z*rCsr`IMJORa5&5JI7IGRu%x{nX;XH5pqoo%DZ=&B3?t}sPRW{rJ1jjx1`<1#?Bi! 
z39xgLNN;+23>uCe@9I1gcjqa8&!?uxn6tZtw0?rG>dYuJrL*!Qp8H#w*086LX0D&u z|H!?69&bj0~4gcLGN=PvNFn7}JH< zewVP-YfFghuz!$!Xq?;eN@}DfwL5PF$#Wit(&PH^MwEgr7|b%>^Y>$~iU006H?nYW z1g?CPqkN8YCJN0ktpb~~@A2FNACnAicTf6mXu=n%U=0J;6Udl2V?v7~n#3D)9D?5Nn0+-x9*WL^cxJgnNSWgFlsMJ^>t*^4K zUMF558Pk)OZOX{dRL4>MDE zhQN1U78TjATLSSu!;rs?kpd$eqNAS=!)*p*;Q)^91>d&cHmGgin47l{mekcHipoBf zDS6m{gbdp3>ZI;l&#EWx5bx~nh-6uusFW40uF?WAF{6_UvM>ANpHo5;Ppdy!*rHTp znVJwc(5P1LY;$)v5ap(=MW3gB*!+aw;-cZt-!P(NSz*8N+@B1d6)0g|FlM*i^ZTK6 zlS?1bAp_vyxql~YwB@IcRNe{i0HLU+X42kyVLEx^Wqw6oUT_3G;{OBzqkj$#Oss!= z`0$}rv<@-WJCE~5BGhk%51YY{-PXQ+=!$oEl=Q3Sra3C)aq@8dH05Jy6t*f;(4qDI__55x210}o`EhRya6;-9j~SNA42c3vVCYQI!=ry*-@l*k zg$kr-EP)}z&(G}9X_ILg+}#FT!P7oq2W*1CR+>*k&(p7csZjPL~m)9G|BbvIuR`Hs%Ugd1>-n|1sRL|Kx_(>ip`MX#T zK#L$?zl?tUTpFFGxrzQR=V#C_7mu;b;Sd&#CczLqF);#>S`m7Sm&VbVIzQJA__p~C zy=FYne`-005h*+>T6^e$LExE zAp&QN4q%EcB_-A33gryDsAvivPysQXX7zgK&hN}YW;0e~LPFlr9R`(*zL*!P%Q^Xi z-#JBhrpKJqYR=HNa)#m!E0{lZVZF?UBDia=y^lo$X) zyW*UXvofKt*3i&UQi5+P|2H{KzckLOvg+W^tUrwpTYT(aBT7oh(6X!�iHXs+5Ja zn6@^BygGb2urpo1mWBU}ZBI`RpVj28%?iiOQDE1JNWdS)#Va9aAyNk*w*!dL5IQdC z7WfPzFF?Op_U)LMBztVQ`hPOG2s;WI8_Vlwbkv>4H-$fbIw)$5M6b(KOr>e^XtpzX z{dx%<0!HAT!`$f)eJG4L?$`ZY#^ir|iVxO)vLIHL?`KVJ{m1YQz*!Ef84C*w_=66I zB-Ay7NJcRU=T1^m_F~PR5sZa-%=rx>XaQ))mS#E1YyMfXpxP4J3dT0o{)mE?!Y3`%z)%y*rt=#N(u`Vy5Ys;%8pChnH*G@81t&NRg3~ zL&o5WBL~EoL;vmHUup;Z_m}KInI$A71Qrq);Pg&F-g1V(#X<+375<-~AqzR0taY?- zbmaZ_m+uf94fxG2An^>2i0(~Y=*gqM4Solglvwbm!Y@H+Adl>z|>* zXL|=KL&T3+KnZde8&!kjNp1-M3b!u2D2$!jUX>>Y!rd<*2f)J4N`iM2 zH7^OJ{I1;$7-wvi-Z|k zM$g>}^%`dvY=0p(W{?{q{i<*Smxp7$g=>doDx|g$ zN+N_rnUypc5=kPNLR8x>k-4b6NNl~KjZlfqbH*)%G9@Z=$dDmZ2uYN4ueWoqbIx~t z*Y*AV^-o>#uJ`v_>sf0(!~NX1?OCv6V_aR{YztsV5uaO^qCuB@Bc~LY9k3u9SB($N zdjgE{(sQz>q>!vK8IDN4d>S={uWqlIFVZc%bNWT$9Wcq#UcolO=7 zq~`p75Yb>=>2mL%o}=?90ol=hqW=5MMb!ZyyjTjjuzg_{ntC&6gMKI~MNrz=LR6{hrTHZ`;}m01#{S#1ez{U7Y-|_R#NIJcSBO+zttzBKwj~-=}ea=S`6~UHc2rNvfnaHh^XT26e;Sf|6GmruZ 
zK2#;<)-C#{)HNkNnYQ{=9Gs-AS#4w?Ap5^%+^}kqT2d%77CwTOlR|ht&c^DBekCevW1f7^_RTA6@k8`g=;;Koasu&Fd5q97;oEjjsD` z+vtO`z>rhNa~DBU^qWMz?3=H0EWCAz2uQt6JH@gCL2VX^eCa1jNNdZyu(0*Na~0|7>C1y*`gz6VRzXX|eUObw6ZfHlc79+!pHsQsz5VcE z%&C~xJ}#kMMg5WsaA+V(R&AD1Wd-;kM9Ysw%WHqZ8Z|dJlbpT-hOjN58Ncko+v1_L zei26mDY~f!XU+tj#}W^+YpylHaaD=jbPm?Lb$)qP)-k8F)Lf;c`d^oEYa1Jb?_47( zAi~s0d;6*gA-yLKh>2d2dVl@x0>IWbD809OP;IX5TnK9%h`}Nk^ z|NNBuc9N@yDv)T{DC7RF!pm;OW;V~`{nB9$W#0#a#Dbspl>igdtL+EkhmAqbuEeA& zIA|tST!ChAlyi_5YDwA4sh*dbI`*t-pCK#R{T1tIzw>y_a4IOgm6SZN5(6cJf9%R? ze{K96heZS7u7)6ru_`y^h7u$ zxsMtctOvUf`HdLp;oz?cXHt^MjEv-&Tr!79#GE;PILu2svFrkHjA0?VySs1SX5MYC zKHQp|oXlf$Y`M@`!_t&AHeNHN1hE61=OV zI_;Hpc>#V%!ja}Qc-vKZ-PTxhbTGix)iEH?bbuz1ql9Sykv-9*`q=`?^(CkuEr8Z2 zAsBi&%`GjIa|SG_d?*hC;&3NY+9Z8`ynW|CulL8oziVu2(v(&qU&u+5mE4P)E+3s9 zd-l8#MULCv-X1N|oel-4zoqT1KEH=Ak*Ov4hvA9PoJ_nV5W*eu4h+}$bot6VRE{O9 znO7Z)cx7EzUq5h_kIedQvW-NmL5|?%LkTA5uC3(DORX&}kgu|XKEj{k1;f@L#fOeTeXUkQ zqaHB+Y3ZsR9g*!&D24P%dHLLIlfGV|r)P+bIiz03#@KBptve>ZeSi7#eAtD-MunnW zIH(iGc!V=&HcNHho|~INWX(=gzi8vLRS;&UF{Sbm~si~^eywou<6X$1EQ#&74eRiyi*jm;-;V_fYWrH6xe(}iFKJwJ_YC$~)BoK|(*r?^Y!{oIXb9MJ*!h|?~P1TkT|z$JKf1=0eDe=be_8#^aq1J&O~et>>2q zGUP$`UD$Qjz^dA=fl}0S$)&cJuw1!nuoa0fO3Lb$W=8*s6G5gQ$#uAcF_o|^<|rrf zO(rOFgHkKbBV(_*XxKZuE^{b2yg$LS{E5Z>h_CM-ihP*R0O1OUkdqG~lZoRX3$wP~MvuI*&bNfmqoX(DDn0H72ENlXW$r7YMm~IKVP z$A+sjIjm@RBpZERYCkWWiu|doB2dMUaC%|akaW|p8BYD4hc_1t5YGW;*55WRN3K0$Zya;#g|$}YK< zg{9(K)s?tauMf_dkKFdWTi_DvEgk9^oS_`O6Eo5(&c*~c3NH~SSj zbUyLA&-M!@BB10%k$Xi9=o#5Svtf86*c+^VQDf6JV;!CJcCS^x4vdH;*Rg2k=CxdS zHhC&GvgZ<70iw+Ucp3>ZEK)>KBvupcgX*3pCXvefI2nYTzJ_Q9(S<;N0%38>#d2Qu*kwtqV_||YSSNoK=k$s zy|{P|0yw0qm8;Z`1vth)hG*iNyVCa~@i~tlZ>0t*qoWW34eJKKr^G=`V2?+7`}sel z=&{?z(F~_?B7pI@Hdx7;FyY3)ZXDcTL2^{Nki2DefpQLSeqqU#<#U!^74G;D5aYRF6}( z9sa1T-ib43c82|>$j^d+*+t4*qNAnVZJY3?*j{8lv-LspJq~)x+#R(j_Swz=5Fj2w zj}L1MZzL0{hS{|3I12_8>?Pn$zg%M97sJ3cwMPWyCvjtj|NhP0ePvdq!PU&Xt{t7H zua0M=^;hJryDp*VGTgA+7co^cR;BKJ_HN-4iNxlo=%bIex2v{ 
z%;?L%f?i9P1g~*mPs!P>uV?MzlJ8_e-Y3_JyiX%&lSHPjx3>M5IAw2tuV@!vwo(#= zHWlw?pM}R>-zh@ouaYRdDEan4drNIcjX$?4e|tt@Ciem(y@D0Qr2Y+0X@yTvf8Vk~ zG{bb>h~iQ#tmAqhLUGFIc%MpiOcNCgdHOsKZCM4#G9B?!Q~r^GKKiyc)%>ZW%x`a~ zEe=+Rr5}wkEnV@>bKp|EDy9>m@+2W!`pQQX&MPnWpv)te76Y9Ncn_o@IRx!Z2$+zJ$7w@Z7WgS_tp#tY-?quz|)%RTpcMT5sk$U)ZcJe&F> zZ_hbU^cO(~#9$=L=cm}Ik*wid$R>Q6nk?*1*y#hlZB0+Z<|XEM8HsY>S#$F*Kc8{% zSz*afD1Y!eMBr%k8Uk4hJujnrm+!dXl6&vJQH>|J4-U!ghXLa6+;H^QG0|`T0zonJLGtcWwza$(y^0ULT||iahv}lY|*UU54K+ngm}SF&ByD3 zsrePPLY~u)4?D$mbiC2JX>VvKDin2xVZ>Oe8H>RjHAQTTY1&;CM>^1+5xpCOUkv(h zl{WWee8R3tagV&is`3P6-(lUxmH>G!^sY<-{d|zlBZKXmwo}0P_nA^L$Eni76mhqn zAur=~qZf5dI?A^(X6owlEw}!ykg36{KKC|GY&8%pPfdRfMfmuIgRz*Cox?Iz~*_6`Abail(Q zL&`b?u*UM)G%t@TpyYY6Uv*NILh%6 zsKIRerZyN}+NkN@1xvr`rBkK$%qeKyj6GOXzOq`UGNUe0&vb&8P2uJv=MUYW0HA1! zc}tpeR$+2hu;i0w0qk|=xwbicg2s?id3x}IqLy)QOQ>>wBI8+cQ3Kx5gf{$!y?SHZvZ8$x}!Uuwk||L-O3R{zP) z!}q0XsX}^4Ap7A%>%e+d%0;>;srW=u^Cvdrzn04XuH15sns8K;_5Hn_2E0d-r9>}V z(Cr#4ZZlOTpFT#gRw-1fk13$Q zkq2Em>$J;&eH@74BDZoJBDLD?$G`;rJ^%Uq>;g2-BO)Dm^Rw|YhbflFtR zS-&HrqJlN8_16D+&dYT;$mg}AD^r`zV!Q&1K0A%Q57$@G3;mdQwm%{{L|Aj+p316Kn#`3PK742~vlgr$+=7m$&jsA`6i?`~?Ecx=< zWS4~I$+36R+vFOjKI9ujGoSU%k(}TyU}_srN%BsJed_40M(q*w#^G+m6bG#bCG5@Q zL%G!-f3E-2H(Mq2srmdNKRF)3GBs7z=cLM5LXOMRJmk2HNY2POoF?$sLR(w>`|toJ zufcmu4126vo{oQhx4I~+>(Y|Hw3=gnK0M1KJfk3M8hTDMpbBC@{PEyw{LAf`64#{r zg|}6{2QDr>d?31x{hvo_OH3X{4R&&$ofuAfm2_FpxY&IC^qS^HP;g}y2XsvyVf$z+ z+txnv`NKlXT;2ZZw>1!&c=DR{I8;a-8x`FYed~*n9t7YUxeuyRVEg!C6+uW8a;!5N zyDRtj{U{d-` zQN?%{gw%?fiiVy#OA`%HkKiGhH_E?c)M`d?)lsj$DJA7T7Q$ zutA9Wu8m2)>kEkQzWKj-!nb+Wk$doJ-}CHGB$yVGAP47`2hq{UK0NJ#GHF`w*FF+I zZ$93fR8esUs3kPUDKP>^rYKxrOa^D3A-BUd#9u=DEJnR^OmrdV+Stf(_0-J=rcn3W z^oPov1%1*0pc8_YhMyp6|5k}<>;#G#r;XhdrT)6x zuxo06qbrYU)mr%SRc z(w3}(uda1~M@Iy$m_+pd<~;yYt*{t9JMq#TA6f9#0ZB_)M~k5R~8 z@_-7Vb3L+w)F263!LxeW91Erwr7!0w`w^3BTM4)x5t5qYV`8UMxUak~k z)z{IHkd_|K`$`6h+JkkFJP$Ue)U-6L8L45|F|)9gfDaCBU@orS+3NemiI8l8{ATVw z;&rKdsdSFEG#XNo8eXzH2H%sMrdS?S4kIFvUplPmGZV5wCR!MRui)%MX$?$XBQ;is 
zi|W6*x)~X9^GEauX6YpfnMiUcc$R(y#}7ophE|bqoMI-6=b^6uJTU>1gZjEUZAh|n z7+3eDm}E@vn8~)qOd_Qh!mclK*ObyeHnF^_D=_1gyb3=HNW?zulSch)w~ESU?u|=& z%_P#MUZ80o??ZTwrcYo#(Ti`LBlgdbwXUd*we_Ch(_n9@2|IP#BO8LQB=NQs*|`2# z05*+@v7zCCV}GY5Y!}{P|EPJ9y=YLVbG84@qgq?f<$#b0vnKb@JmPyFgj!d#HFNzf?tD>%f%&nu!v?}acX8)-)7Y8p_@fVhH-sz0v zm3%0qWxF~YMC=C^w%l{H0V?QV)waVo4vzosYx-sg=Ay}@=g;~5|2jk!ImgGxXDfb# z?>I-zI@*!f_`BRfzFY2hQH?B511FY;{2%t#LD(+sUnm&-fBwsrBac>A=op1^Y;uxW RH>|=R?ZbM9GBvDj{Rg(!%Yy&_ literal 0 HcmV?d00001 diff --git a/docs/ontologies/tal/tal-ontology-readme.md b/docs/ontologies/tal/tal-ontology-readme.md index 4712827..7893220 100644 --- a/docs/ontologies/tal/tal-ontology-readme.md +++ b/docs/ontologies/tal/tal-ontology-readme.md @@ -6,3 +6,6 @@ The Threat Agent Library is a contribution from Intel Corp. It is an extension o ### STIX 2.1 Standard Specification is extended by the STIX Ontology (stix.owl) ### STIX Ontology is extended by the TAC Ontology (tac.owl) ### TAC Ontology is extended by the TAL Ontology (ta-library.owl) + + +![Heritage of a TAL Competitor](competitor-heritage.png) diff --git a/threat-agent-lib/catalog-v001.xml b/threat-agent-lib/catalog-v001.xml index 61f2f36..b40bb11 100644 --- a/threat-agent-lib/catalog-v001.xml +++ b/threat-agent-lib/catalog-v001.xml @@ -53,7 +53,6 @@ - - +