digital-forensics-labs/digital-forensics-lab
1
0
Fork 0
mirror of https://github.com/frankwxu/digital-forensics-lab.git synced 2026-04-10 12:13:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

add stix

Browse Source
This commit is contained in:
Frank Xu
2021-01-29 14:26:12 -05:00
parent 444151f7b4
commit 31bae1667f
1 changed files with 85 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

122
STIX_for_digital_forensics/readme.md
View File

@@ -42,7 +42,8 @@ The goal of the project is to customize STIX™ for facilitating the sharing of
- [Example 4: Prefetch](#Example-4-Prefetch)
- [Example 5: USNJournal](#Example-5-USNJournal)
- [Example 6: Shellbags](#Example-6-Shellbags)
- [Example 6: Jumplist](#Example-7-Jumplist)
- [Example 7: Jumplist](#Example-7-Jumplist)
- [Example 8: Lnk]($Example-8-Lnk)
- Property Extension for Windows™ Registry Key Object
- Other extension
- [threat-actor-type-ov external reference](#threat-actor-type-ov-external-reference])
@@ -107,14 +108,16 @@ The WIndow Event object represents an event generated by Windows OS, including a
**Type Name:** x-browser-history-evt
The Browser History Event object represent a single visit to a URL.
### Properties
| Property Name | Type | Description |
| ------------------------- | ---------- | -------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be browser-history. |
| id (required) | identifier | The ID of a browser history event object. |
| url | string | |
| title | string | The title of a web page has been visited. |
| url_ref | identifier | Specify a visit to a url. |
| title | string | Speify the title of a web page (if a URL is a webpage) that has been visited. |
| visit_time | timestamp | The last time visited. |
| visit_count | integer | The number of times visited |
| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. |
@@ -131,20 +134,28 @@ The WIndow Event object represents an event generated by Windows OS, including a
### Examples
```json
{
"type": "x-browser-history-evt",
"spec_version": "2.1",
"id": "x-browser-history-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"url": "https://www.ubalt.edu/cpa/undergraduate-majors-and-minors/majors/cyber-forensics/",
"title": "B.S. in Cyber Forensics | University of Baltimore",
"visit-time": "2021-01-06T20:03:22.000Z",
"visit-count": 2,
"browser_name": "chrome",
"browser_ref": "software--db997c40-458d-4da6-a339-6eef90cf325e",
"file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"belongs_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f"
}
[
{
"type": "x-browser-history-evt",
"spec_version": "2.1",
"id": "x-browser-history-evt--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"url_ref": "url--9cc5a5dc-0acd-46f5-ae3f-724370087622",
"title": "B.S. in Cyber Forensics | University of Baltimore",
"visit-time": "2021-01-06T20:03:22.000Z",
"visit-count": 2,
"browser_name": "chrome",
"browser_ref": "software--db997c40-458d-4da6-a339-6eef90cf325e",
"file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"belongs_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f"
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--9cc5a5dc-0acd-46f5-ae3f-724370087622",
"value": "https://www.ubalt.edu/cpa/undergraduate-majors-and-minors/majors/cyber-forensics/"
}
]
```
### Browser Name Open Vocabulary
@@ -170,7 +181,7 @@ Vocabulary Name: browser-name-ov
**Type Name:** x-pnp-evt
The Windows Kernel-Mode Plug (pnp) and Play Manager SDO represents an event recorded by Plug and Play Manager. PnP is a combination of hardware technology and software techniques that enables a PC to recognize when a device is added to the system. With PnP, the system configuration can change with little or no input from the user.
The Plug and Play (PnP) Event object represents an event recorded by Windows Kernel-Mode Plug (pnp) and Play Manager. PnP manager is a combination of hardware technology and software techniques that enables a PC to recognize when a device is added to the system. With PnP, the system configuration can change with little or no input from the user.
### Properties
@@ -215,21 +226,21 @@ Vocabulary Name: message-type-ov
**Type Name:** x-file-visit-evt
The File Visit Event object represents properties associasted with when a file/directory is visited by an operating system, including when a file is read, modified, executed, preloaded. The event may be saved in different forms, e.g., file, cache, Windows registry, etc. If the event is saved in registry, it MUST saved in the data field of a registry values.
The File Visit Event object represents properties associasted with when a file/directory is visited by an operating system, including when a file is read, modified, executed, preloaded. etc. The event may be saved in different forms, e.g., file, cache, Windows registry, etc.
### Properties
| Property Name | Type | Description |
| ------------------------- | ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be x-file-visit-evt. |
| id (required) | identifier | The ID of a File Visit Event object. |
| visit_type | enum | Specifies the visit options defined for the visit. The values of this property MUST come from the file-visit-type-enum enumeration. |
| visit_time | timestamp | Specifies the time a file was visited. |
| visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. |
| count | integer | The total number of times the program has visited. |
| visit_file_ref (required) | identifier | The relation references the file that is recently visited. |
| common_name | string | Specifies the common name of source artifacts where the event is retrived from. It MUST come from the file-visit-event-common-name-ov open vocabulary. |
| belongs_to_ref (required) | identifier | The relation describes that event is a part of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, artifact, or or directory. |
| Property Name | Type | Description |
| ------------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-file-visit-evt. |
| id (required) | identifier | The ID of a File Visit Event object. |
| visit_type | enum | Specifies the visit options defined for the visit. The values of this property MUST come from the file-visit-type-enum enumeration. |
| visit_time | timestamp | Specifies the time a file was visited. |
| visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. |
| count | integer | The total number of times the program has visited. |
| visit_file_ref (required) | identifier | Specifies the file or directory that was recently visited. |
| event_type | string | Specifies the event type of source artifacts where the event is retrived from. It MUST come from the file-visit-event-common-name-ov open vocabulary. |
| belongs_to_ref (required) | identifier | The relation describes that event is a part of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, artifact, or or directory. |
### File Visit Type Enum
@@ -278,7 +289,7 @@ RecentFileCache.bcf only containes references to programs that recently executed
"visit_type": "execution",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"common_name": "recentfilecache",
"event_type": "recentfilecache",
"belongs_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
},
{
@@ -315,7 +326,7 @@ Shimcache is created to identify application compatibility issues. Two actions/e
"visit_type": "executed",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"common_name": "shimcache",
"event_type": "shimcache",
"belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
@@ -348,7 +359,7 @@ An example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001
"visit_type": "execution",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"common_name": "userassist",
"event_type": "userassist",
"belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
@@ -382,7 +393,7 @@ Prefetch preloads most frequently used software into memory. The example shows t
"visit_time ": "2021-01-06T20:03:22.000Z",
"count": 71,
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"common_name": "prefetch",
"event_type": "prefetch",
"belongs_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
@@ -416,7 +427,7 @@ USN (Update Sequence Number) Journal records all files changes (e.g.., rename) t
"visit_type": "modification",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"common_name": "usnjournal",
"event_type": "usnjournal",
"belongs_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
@@ -450,7 +461,7 @@ Windows uses the Shellbag keys to store user preferences for GUI folder display
"visit_type": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
"common_name": "shellbags",
"event_type": "shellbags",
"belongs_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
},
{
@@ -484,7 +495,7 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7
"visit_type": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
"common_name": "jumplist",
"event_type": "jumplist",
"belongs_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
},
{
@@ -503,6 +514,41 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7
"name": "a7bd71699cd38d1c.automaticDestinations-ms"
}
]
```
### Example 8: Lnk
lnk is a shortcut or "link" used by Windows as a reference to an original file, folder, or application. The example describes an event is generated when a file is accessed by a link.
```json
[
{
"type": "x-file-visit-evt",
"spec_version": "2.1",
"id": "x-file-visit-evt--ac69c037-c578-4c5e-ad6a-23d53a0b1d6e",
"visit_type": "read",
"visit_time ": "2021-01-16T21:03:22.000Z",
"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78",
"event_type": "lnk",
"belongs_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--8c33da4c-fb61-4658-b28c-a5c60f561d78",
"name": "(secret_project)_pricing_decision.xlsx"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663",
"hashes": {
"MD5": "9857b91a6427496e72d779893e6d49fb"
},
"name": "(secret_project)_pricing_decision.xlsx.lnk"
}
]
```
## threat-actor-type-ov external reference
@@ -546,3 +592,5 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7
```
```
```