add stix

2026-02-21 11:17:52 +00:00 · 2021-01-28 10:33:04 -05:00
parent e2f4576e50
commit 112c8e1905
1 changed files with 55 additions and 21 deletions
--- a/STIX_external_reference/readme.md
+++ b/STIX_external_reference/readme.md
@@ -36,10 +36,11 @@ The goal of the project is to customize STIX™ for facilitating the sharing of
  - [Browser History Event Object](#Browser-History-Event-Object)
  - [Plug and Play (PnP) Event Object](<#Plug-and-Play-(PnP)-Event-Object>)
  - [File Visit Event Object](#File-Visit-Event-Object)
-    - [Example 1: RecentFileCache](#example-1)
-    - [Example 2: Shimcache](#example-2)
-    - [Example 3: UserAssist](#example-3)
-    - [Example 4: Prefetch](#example-4)
+    - [Example 1: RecentFileCache](#Example-1:-RecentFileCache)
+    - [Example 2: Shimcache](#Example-2:-Shimcache)
+    - [Example 3: UserAssist](#Example-3:-UserAssist)
+    - [Example 4: Prefetch](#Example-4:-Prefetch)
+    - [Example 5: USNJournal](#Example-5:-USNJournal)
 - Property Extension for Windows™ Registry Key Object
 - Other extension
  - [threat-actor-type-ov external reference](#threat-actor-type-ov-external-reference])
@@ -48,6 +49,8 @@ The goal of the project is to customize STIX™ for facilitating the sharing of

 **Type Name:** x-windows-evt

+The WIndow Event object represents an event generated by Windows OS, including applicatioin, security, steup, system, and forwarded-events.
+
 ### Properties

 | Property Name             | Type       | Description                                                                            |
@@ -68,9 +71,9 @@ The goal of the project is to customize STIX™ for facilitating the sharing of
 | Source | Relationship Type | Target | Description |
 | ------ | ----------------- | ------ | ----------- |

-### Log Name Enumeration
+### Windows Event Log Name Enumeration

-**Enumeration Name:** log-name-enum
+**Enumeration Name:** windows-event-log-name-enum

 | Vocabulary Value | Description |
 | ---------------- | ----------- |
@@ -238,25 +241,27 @@ Vocabulary Name: file-visit-type-enum
 | updating         | The meta data of a file was visited for changing (e.g. permissions)  |
 | execution        | A file was visited for execution.                                    |
 | deletion         | A file was visited for deletion.                                     |
-| preloadomg       | A file was visited for preloading to memory.                         |
+| preloading       | A file was visited for preloading to memory.                         |
 | prefetching      | A file was visited for prefetching to memory.                        |
 | loading          | A file was visited for loading to memory.                            |
 | unloadeding      | A file was visited for unloadig from memory.                         |
+| other            |                                                                      |
 | unknown          |                                                                      |

 ### File Visit Event Common Name Vocabulary

-Vocabulary Name: file-visit-event-common-name-ov
+**Vocabulary Name:** file-visit-event-common-name-ov

-| Vocabulary Value | Description                                                                                              |
-| ---------------- | -------------------------------------------------------------------------------------------------------- |
-| userassist       | On a Windows System, every GUI-based programs launched from the desktop are tracked in this registry key |
-| shimcache        | Shimcache is created to identify application compatibility issues.                                       |
-| recentfilecache  | RecentFileCache.bcf only containes references to programs that recently executed.                        |
-| prefetch         |                                                                                                          |
-| muicache         | To support multiple language for software                                                                |
+| Vocabulary Value | Description                                                                              |
+| ---------------- | ---------------------------------------------------------------------------------------- |
+| userassist       | Track every GUI-based programs launched from the desktop in the userassist registry key. |
+| shimcache        | Shimcache is created to identify application compatibility issues.                       |
+| recentfilecache  | RecentFileCache.bcf only containes references to programs that recently executed.        |
+| prefetch         |                                                                                          |
+| muicache         | Support multiple language for software                                                   |
+| usnjournal       | Update Sequence Number Journal                                                           |

-### Example 1
+### Example 1: RecentFileCache

 RecentFileCache.bcf only containes references to programs that recently executed. setuputility.exe is recently executed.

@@ -292,7 +297,7 @@ RecentFileCache.bcf only containes references to programs that recently executed
 ]
 ```

-### Example 2
+### Example 2: Shimcache

 Shimcache is created to identify application compatibility issues. Two actions/events that can cause the Shimcache to record an entry:
 (1) A file is executed and (2) A user interactively browses a directory.
@@ -325,7 +330,7 @@ Shimcache is created to identify application compatibility issues. Two actions/e
 ]
 ```

-### Example 3
+### Example 3: UserAssist

 Windows System, every GUI-based programs launched from the desktop are tracked in this registry key HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.
 An example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001.
@@ -359,7 +364,7 @@ An example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001
 ]
 ```

-### Example 4
+### Example 4: Prefetch

 Prefetch preloads most frequently used software into memory. The example shows the chrome.exe-999b1ba.pf contains chrome.exe-999b1ba.exe, the time when the exe file is executed, last time executed, and how many times it was exeucted.

@@ -383,7 +388,7 @@ Prefetch preloads most frequently used software into memory. The example shows t
    "name": "chrome.exe-999b1ba.exe "
  },
  {
-    "type": "windows-registry-key",
+    "type": "file",
    "spec_version": "2.1",
    "id": "file--2ba37ae7-2745-5082-9dfd-9486dad41016",
    "name": "chrome.exe-999b1ba.pf "
@@ -391,7 +396,36 @@ Prefetch preloads most frequently used software into memory. The example shows t
 ]
 ```

---
+### Example 5: USNJournal
+
+USN (Update Sequence Number) Journal records all files changes (e.g.., rename) that are made to volume.
+
+```json
+[
+  {
+    "type": "x-file-visit-evt",
+    "spec_version": "2.1",
+    "id": "x-file-visit-evt--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
+    "visit_type": "modification",
+    "visit_time ": "2021-01-06T20:03:22.000Z",
+    "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
+    "common_name": "usnjournal",
+    "belongs_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
+  },
+  {
+    "type": "file",
+    "spec_version": "2.1",
+    "id": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
+    "name": "Desert.jpg "
+  },
+  {
+    "type": "file",
+    "spec_version": "2.1",
+    "id": "file--2ba37ae7-2745-5082-9dfd-9486dad41016",
+    "name": "UsnJrnl_2020-11-28.csv"
+  }
+]
+```

 ## threat-actor-type-ov external reference