## MalwareConfig

Extracted Malware Configuration

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| config_extractor | Keyword | Name of extractor | Yes | None |
| family | List [Text] | Malware family (or families) this configuration is associated with | Yes | None |
| version | Text | Version of the malware | Optional | None |
| category | List [Enum] | Category of malware | Optional | None |
| attack | List [Enum] | Associated ATT&CK ID(s) | Optional | None |
| capability_enabled | List [Text] | Enabled capabilities | Optional | None |
| capability_disabled | List [Text] | Disabled capabilities | Optional | None |
| campaign_id | List [Text] | Campaign ID | Optional | None |
| identifier | List [Text] | Identifier | Optional | None |
| decoded_strings | List [Text] | Decoded strings | Optional | None |
| password | List [Text] | Passwords | Optional | None |
| mutex | List [Text] | Mutex | Optional | None |
| pipe | List [Text] | Pipe | Optional | None |
| ipc | List [IPC] | IPC (similar to the 'pipe' field but more detailed) | Optional | None |
| sleep_delay | Integer | Sleep delay | Optional | None |
| sleep_delay_jitter | Integer | Sleep delay jitter | Optional | None |
| inject_exe | List [Text] | Injected EXE | Optional | None |
| binaries | List [Binary] | Binaries | Optional | None |
| ftp | List [FTP] | FTP connections | Optional | None |
| smtp | List [SMTP] | SMTP connections | Optional | None |
| http | List [HTTP] | HTTP connections | Optional | None |
| ssh | List [SSH] | SSH connections | Optional | None |
| proxy | List [Proxy] | Proxies | Optional | None |
| dns | List [DNS] | DNS connections | Optional | None |
| icmp | List [ICMP] | ICMP connections | Optional | None |
| tcp | List [GeneralConnection] | TCP connections | Optional | None |
| udp | List [GeneralConnection] | UDP connections | Optional | None |
| encryption | List [Encryption] | Encryption details | Optional | None |
| service | List [Service] | Services | Optional | None |
| cryptocurrency | List [Cryptocurrency] | Cryptocurrencies | Optional | None |
| paths | List [Path] | Paths | Optional | None |
| registry | List [Registry] | Registry | Optional | None |
| scheduled_tasks | List [ScheduledTask] | Scheduled tasks | Optional | None |
| other | Mapping [String, Any] | Other information | Optional | None |
## Binary

Binary data extracted by decoder

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| datatype | Enum | Supported values: "config", "other", "payload" | Optional | None |
| data | Text | | Yes | None |
| other | Mapping [String, Any] | Other information | Optional | None |
| encryption | List [Encryption] | | Optional | None |
## Encryption

Encryption details

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| algorithm | Text | Algorithm | Optional | None |
| public_key | Text | Public key | Optional | None |
| key | Text | Key | Optional | None |
| provider | Text | Provider | Optional | None |
| mode | Text | Mode | Optional | None |
| iv | Text | Initialization vector | Optional | None |
| seed | Text | Seed | Optional | None |
| nonce | Text | Nonce value | Optional | None |
| password | Text | Password | Optional | None |
| salt | Text | Salt | Optional | None |
| constants | List [Text] | Constants | Optional | None |
| usage | Enum | Purpose of the encryption. Supported values: "binary", "communication", "config", "other", "ransom" | Optional | None |
## Cryptocurrency

Cryptocoin usage (ransomware/miner)

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| coin | Text | Name of coin used | Optional | None |
| address | Text | Wallet address | Optional | None |
| ransom_amount | Float | Ransom amount | Optional | None |
| usage | Enum | Use of cryptocurrency. Supported values: "miner", "other", "ransomware" | Optional | None |
## DNS

Usage of DNS connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| ip | IP | IP of DNS server | Optional | None |
| port | Integer | Port of DNS server | Optional | None |
| hostname | Text | Hostname used in query | Optional | None |
| record_type | Enum | Type of DNS record. Supported values: "A", "AAAA", "AFSDB", "APL", "CAA", "CDNSKEY", "CDS", "CERT", "CNAME", "CSYNC", "DHCID", "DLV", "DNAME", "DNSKEY", "DS", "EUI48", "EUI64", "HINFO", "HIP", "HTTPS", "IPSECKEY", "KEY", "KX", "LOC", "MX", "NAPTR", "NS", "NSEC", "NSEC3", "NSEC3PARAM", "OPENPGPKEY", "PTR", "RP", "RRSIG", "SIG", "SMIMEA", "SOA", "SRV", "SSHFP", "SVCB", "TA", "TKEY", "TLSA", "TSIG", "TXT", "URI", "ZONEMD" | Optional | None |
| usage | Enum | Purpose of DNS connection. Supported values: "c2", "dead_drop_resolver", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## FTP

Usage of FTP connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | FTP host | Optional | None |
| port | Integer | FTP port | Optional | None |
| path | Text | FTP path | Optional | None |
| usage | Enum | Purpose of FTP connection. Supported values: "c2", "dead_drop_resolver", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## GeneralConnection

Usage of general TCP/UDP connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| client_ip | IP | Client IP | Optional | None |
| client_port | Integer | Client port | Optional | None |
| server_ip | IP | Server IP | Optional | None |
| server_domain | Domain | Server domain | Optional | None |
| server_port | Integer | Server port | Optional | None |
| usage | Enum | Purpose of TCP/UDP connection. Supported values: "c2", "dead_drop_resolver", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## HTTP

Usage of HTTP connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| uri | URI | URI | Optional | None |
| protocol | Enum | Protocol. Supported values: "http", "https" | Optional | None |
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | HTTP server | Optional | None |
| port | Integer | HTTP port | Optional | None |
| path | URIPath | URI path | Optional | None |
| query | Text | Query parameters | Optional | None |
| fragment | Text | Fragment | Optional | None |
| user_agent | Text | User agent | Optional | None |
| method | Enum | Method. Supported values: "BCOPY", "BDELETE", "BMOVE", "BPROPFIND", "BPROPPATCH", "CONNECT", "COPY", "DELETE", "GET", "HEAD", "LOCK", "MKCOL", "MOVE", "NOTIFY", "OPTIONS", "PATCH", "POLL", "POST", "PROPFIND", "PROPPATCH", "PUT", "SEARCH", "SUBSCRIBE", "TRACE", "UNLOCK", "UNSUBSCRIBE", "X-MS-ENUMATTS" | Optional | None |
| headers | Mapping [String, Text] | HTTP headers | Optional | None |
| max_size | Integer | Maximum size | Optional | None |
| usage | Enum | Purpose of HTTP connection. Supported values: "c2", "dead_drop_resolver", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## ICMP

Usage of ICMP

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| type | Integer | ICMP type | Optional | None |
| code | Integer | ICMP code | Optional | None |
| header | Text | Non-standard header fields | Optional | None |
| hostname | Text | Hostname | Optional | None |
| usage | Enum | Purpose of ICMP connection. Supported values: "c2", "dead_drop_resolver", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## IPC

Inter-Process Communications

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| file | List [Text] | A record stored on disk, or a record synthesized on demand by a file server, which can be accessed by multiple processes. | Optional | None |
| socket | List [Text] | Data sent over a network interface, either to a different process on the same computer or to another computer on the network. Stream-oriented (TCP; data written through a socket requires formatting to preserve message boundaries) or, more rarely, message-oriented (UDP, SCTP). | Optional | None |
| unix_domain_socket | List [Text] | Similar to an internet socket, but all communication occurs within the kernel. Domain sockets use the file system as their address space. Processes reference a domain socket as an inode, and multiple processes can communicate with one socket. | Optional | None |
| memory_mapped_file | List [Text] | A file mapped to RAM that can be modified by changing memory addresses directly instead of outputting to a stream. This shares the same benefits as a standard file. | Optional | None |
| message_queue | List [Text] | A data stream similar to a socket, but which usually preserves message boundaries. Typically implemented by the operating system, message queues allow multiple processes to read from and write to the queue without being directly connected to each other. | Optional | None |
| anonymous_pipe | List [Text] | A unidirectional data channel using standard input and output. Data written to the write end of the pipe is buffered by the operating system until it is read from the read end of the pipe. Two-way communication between processes can be achieved by using two pipes in opposite "directions". | Optional | None |
| named_pipe | List [Text] | A pipe that is treated like a file. Instead of using standard input and output as with an anonymous pipe, processes write to and read from a named pipe as if it were a regular file. | Optional | None |
| process_names | List [Text] | The process names involved in the IPC communication | Optional | None |
| shared_memory | Text | Multiple processes are given access to the same block of memory, which creates a shared buffer for the processes to communicate with each other. | Optional | None |
| usage | Enum | Purpose of connection. Supported values: "c2", "dead_drop_resolver", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## Path

File paths

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| path | Text | Path | Optional | None |
| usage | Enum | Use of path. Supported values: "c2", "config", "install", "logs", "other", "plugins", "storage" | Optional | None |
## Proxy

Usage of proxy connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | Proxy host | Optional | None |
| port | Integer | Proxy port | Optional | None |
| usage | Enum | Purpose of proxy connection. Supported values: "c2", "dead_drop_resolver", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
| protocol | Text | Protocol used | Optional | None |
## Registry

Registry

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| key | Text | Registry key | Yes | None |
| value | Text | Registry value | Optional | None |
| usage | Enum | Use of registry key. Supported values: "other", "persistence", "read", "store_data", "store_payload" | Optional | None |
## SMTP

Usage of SMTP connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| hostname | Text | SMTP host | Optional | None |
| port | Integer | SMTP port | Optional | None |
| mail_to | List [Text] | Sent to | Optional | None |
| mail_from | Text | Sent from | Optional | None |
| subject | Text | Subject | Optional | None |
| usage | Enum | Purpose of SMTP connection. Supported values: "c2", "dead_drop_resolver", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## SSH

Usage of SSH connection

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| username | Text | Username | Optional | None |
| password | Text | Password | Optional | None |
| public_key | Text | SSH public key | Optional | None |
| hostname | Text | SSH host | Optional | None |
| port | Integer | SSH port | Optional | None |
| usage | Enum | Purpose of SSH connection. Supported values: "c2", "dead_drop_resolver", "decoy", "download", "other", "propagate", "ransom", "tunnel", "upload" | Optional | None |
## ScheduledTask

Scheduled task usage by malware

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| usage | Enum | Scheduled task usage. Supported values: "defense_evasion", "lateral_movement", "other", "persistence", "privilege_escalation", "staging_data" | Optional | None |
| raw_command | Text | Raw command used for the scheduled task | Optional | None |
| task_type | Enum | Task operation type. Supported values: "CHANGE", "CREATE", "DELETE", "END", "QUERY", "RUN" | Optional | None |
| schedule_type | Enum | Task schedule type. Supported values: "DAILY", "HOURLY", "MINUTE", "MONTHLY", "ONCE", "ONEVENT", "ONIDLE", "ONLOGON", "ONSTART", "OTHER", "WEEKLY" | Optional | None |
| task_name | Text | Name of the scheduled task | Optional | None |
| task_run | Text | Program or command that the task runs | Optional | None |
| remote_computer | Text | Name or IP of a remote computer | Optional | None |
| user_domain | Text | User account domain | Optional | None |
| user_account | Text | User account to use when running the task | Optional | None |
| user_password | Text | Password for the user account | Optional | None |
| run_as | Enum | Account to run the task as. Supported values: "SYSTEM", "USER" | Optional | None |
| run_as_domain | Text | Domain of the account to run the task as | Optional | None |
| run_as_user | Text | User of the account to run the task as | Optional | None |
| run_as_password | Text | Password of the account to run the task as | Optional | None |
| modifier | Text | Modifier for the schedule type | Optional | None |
| day | Text | How often the task runs within its schedule type | Optional | None |
| month | Text | Month(s) during which the scheduled task should run | Optional | None |
| idle_time | Text | Idle time to wait before running the task | Optional | None |
| start_time | Text | Start time to run the task (HH:mm, 24-hour) | Optional | None |
| interval | Text | Repetition interval for the task | Optional | None |
| end_time | Text | End time for the task | Optional | None |
| duration | Text | Duration for which the task should run | Optional | None |
| kill | Boolean | Terminate the task if it runs longer than the end time or duration | Optional | None |
| start_date | Text | Start date to run the task (MM/dd/yyyy) | Optional | None |
| end_date | Text | End date to run the task (MM/dd/yyyy) | Optional | None |
| channel_name | Text | Event log channel for an event-based task | Optional | None |
| interactive | Boolean | Task runs only when the user is logged on interactively | Optional | None |
| no_password | Boolean | Task does not require a password | Optional | None |
| auto_delete | Boolean | Task will be deleted after it runs | Optional | None |
| xml | Text | XML file containing the task definition | Optional | None |
| v1 | Boolean | Create using the version 1 task scheduler | Optional | None |
| force | Boolean | Create/delete the task and suppress warnings | Optional | None |
| run_level | Enum | Run level for the task. Supported values: "HIGHEST", "LIMITED" | Optional | None |
| delay_time | Text | Wait time to delay running the task after the trigger | Optional | None |
| hresult | Text | Process exit code in HRESULT format | Optional | None |
| output_format | Enum | Query output format. Supported values: "CSV", "LIST", "TABLE" | Optional | None |
| no_header | Boolean | Display column headers in output | Optional | None |
| add_advanced_properties | Boolean | Display all properties in output | Optional | None |
## Service

Operating system services affected

| Field | Type | Description | Required | Default |
|---|---|---|---|---|
| dll | Text | DLL associated with the service | Optional | None |
| name | Text | Name of service | Optional | None |
| display_name | Text | Display name of service | Optional | None |
| description | Text | Service description | Optional | None |