Frank Xu
2021-01-29 20:34:51 -05:00
parent f4d9d5957e
commit 7b87e34952


@@ -36,14 +36,16 @@ The goal of the project is to customize STIX™ for facilitating the sharing of
- [Browser History Event Object](#Browser-History-Event-Object)
- [Plug and Play (PnP) Event Object](#Plug-and-Play-PnP-Event-Object)
- [File Visit Event Object](#File-Visit-Event-Object)
- [Type 1: RecentFileCache](#Example-1-RecentFileCache)
- [type 2: Shimcache](#Example-2-Shimcache)
- [Type 3: UserAssist](#Example-3-UserAssist)
- [TYpe 4: Prefetch](#Example-4-Prefetch)
- [Type 5: USNJournal](#Example-5-USNJournal)
- [Type 6: Shellbags](#Example-6-Shellbags)
- [Type 7: Jumplist](#Example-7-Jumplist)
- [Type 8: Lnk]($Example-8-Lnk)
- [RecentFileCache](#RecentFileCache)
- [Shimcache](#Shimcache)
- [UserAssist](#TUserAssist)
- [Prefetch](#Prefetch)
- [USNJournal](#USNJournal)
- [Shellbags](#Shellbags)
- [Jumplist](#Jumplist)
- [Lnk]($Lnk)
- [RMU]($RMU)
- [applog](#applog)
- Property Extension for Windows™ Registry Key Object
- Other extension
- [threat-actor-type-ov external reference](#threat-actor-type-ov-external-reference])
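Review bot: the new table-of-contents entries `[Lnk]($Lnk)` and `[RMU]($RMU)` use `$` instead of `#` for the anchor and will not resolve (the removed `[Type 8: Lnk]($Example-8-Lnk)` had the same defect), and `[UserAssist](#TUserAssist)` carries a stray `T`; change them to `(#Lnk)`, `(#RMU)` and `(#UserAssist)`. The vocabulary added later in this commit spells the concept `mru` (Most recently used), so the `RMU` entry here and the matching section heading should be renamed to agree with it. The retained `#threat-actor-type-ov-external-reference]` also has a trailing `]` inside the link target.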
@@ -56,18 +58,18 @@ The WIndow Event object represents an event generated by Windows OS, including a
### Properties
| Property Name | Type | Description |
| ------------------------- | ---------- | -------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be windows-security-evt. |
| id (required) | identifier | The ID of a secuity type. |
| log_name (required) | enum | The value of this property MUST come from the log-nam-enum enumeration. |
| logged_time (required) | timestamp | |
| source | string | |
| event_id | integer | |
| task_category | string | |
| computer | string | The name of the computer. |
| user_account_ref | identifier | The user account that is associated with the evewnt. |
| belongs_to_ref (required) | identity | The relation describes that event is a part of file or artifact (e.g., cache, memory). |
| Property Name | Type | Description |
| ---------------------- | ---------- | ----------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be windows-security-evt. |
| id (required) | identifier | The ID of a secuity type. |
| log_name (required) | enum | The value of this property MUST come from the log-nam-enum enumeration. |
| logged_time (required) | timestamp | |
| source | string | |
| event_id | integer | |
| task_category | string | |
| computer | string | The name of the computer. |
| user_account_ref | identifier | The user account that is associated with the evewnt. |
| saved_to_ref(required) | identity | Specifies object type that event object belongs to. It MUST be a type of file or artifact |
### Relationships
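Review bot: in the new row `| saved_to_ref(required) | identity | ...` the Type column is wrong: the property holds a reference to a file or artifact object, every other `*_ref` row is typed `identifier`, and the Browser History table in this same change types the same property `identifier`; change it to `identifier` and put a space before the parenthesis (`saved_to_ref (required)`) to match the other rows. Since the whole table is being rewritten, the carried-over typos `secuity`, `log-nam-enum` and `evewnt` in the description column are worth fixing here as well.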
@@ -100,7 +102,7 @@ The WIndow Event object represents an event generated by Windows OS, including a
"task_category ": "Logon",
"computer": "ryzen3790-xu",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a"
"saved_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a"
}
```
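Review bot: the context keys `"task_category "` and `"user_account_ref "` contain a trailing space inside the quotes, so they do not match the property names defined in the table and a JSON-schema validator will reject them as unknown properties; strip the spaces while this example is being edited. The new `"saved_to_ref"` line itself is correct.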
@@ -108,23 +110,23 @@ The WIndow Event object represents an event generated by Windows OS, including a
**Type Name:** x-browser-history-evt
The Browser History Event object represent a single visit to a URL.
The Browser History Event object represents a single visit to a URL.
### Properties
| Property Name | Type | Description |
| ------------------------- | ---------- | -------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be browser-history. |
| id (required) | identifier | The ID of a browser history event object. |
| url_ref | identifier | Specify a visit to a url. |
| title | string | Speify the title of a web page (if a URL is a webpage) that has been visited. |
| visit_time | timestamp | The last time visited. |
| visit_count | integer | The number of times visited |
| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. |
| browser_ref | identifier | The value type for this property SHOULD software. |
| file_requested_ref | identifier | The ID of the file the http requested. |
| user_account_ref | identifier | The user account that is associated with record. |
| belongs_to_ref (required) | identifier | The relation describes that event is a part of file or artifact (e.g., cache, memory). |
| Property Name | Type | Description |
| ---------------------- | ---------- | ------------------------------------------------------------------------------------------ |
| type (required) | string | The value of this property MUST be browser-history. |
| id (required) | identifier | The ID of a browser history event object. |
| url_ref | identifier | Specify a visit to a url. |
| title | string | Speify the title of a web page (if a URL is a webpage) that has been visited. |
| visit_time | timestamp | The last time visited. |
| visit_count | integer | The number of times visited |
| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. |
| browser_ref | identifier | The value type for this property SHOULD software. |
| file_requested_ref | identifier | The ID of the file the http requested. |
| user_account_ref | identifier | The user account that is associated with record. |
| saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file or artifact. |
### Relationships
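Review bot: the `browser_ref` row is missing its verb (`The value type for this property SHOULD software.`); suggest `The value of this property MUST be the identifier for a SCO software object`, matching the wording used for `created_by_software_ref` elsewhere in this commit. `Speify` in the `title` row is a typo, and `saved_to_ref(required)` should get the same spacing as `type (required)`.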
@@ -147,7 +149,7 @@ The Browser History Event object represent a single visit to a URL.
"browser_ref": "software--db997c40-458d-4da6-a339-6eef90cf325e",
"file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae",
"user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb",
"belongs_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f"
"saved_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f"
},
{
"type": "url",
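Review bot: `"file_requested_ref "` and `"user_account_ref "` in the context lines have trailing spaces inside the key, the same defect as the Windows Event example; they will not validate against the property names in the table above.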
@@ -187,15 +189,15 @@ The Plug and Play (PnP) Event object represents an event recorded by Windows Ker
The completed log properties can be access [Microsoft office docs- Format of a text log section body](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/format-of-a-text-log-section-body)
| Property Name | Type | Description |
| ------------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-pnp-evt. |
| id (required) | identifier | The ID of a Plug and Play (PnP) Event object. |
| entry_prefix | enum | The values of this property MUST come from the message-type-ov enumeration. |
| time_stamp | timestamp | Indicates the system time when the logged event occurred. |
| event_category | string | Indicates the category of SetupAPI operation that made the log entry. MUST be one of predefined Event_category operation strings, e.g.device installation. |
| formatted_message | string | Contains the specific information that applies to the log entry. |
| belongs_to_ref (required) | identifier | The relation describes that event is a part of file or artifact (e.g., cache, memory), e.g., steupAPI.log |
| Property Name | Type | Description |
| ---------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-pnp-evt. |
| id (required) | identifier | The ID of a Plug and Play (PnP) Event object. |
| entry_prefix | enum | The values of this property MUST come from the message-type-ov enumeration. |
| time_stamp | timestamp | Indicates the system time when the logged event occurred. |
| event_category | string | Indicates the category of SetupAPI operation that made the log entry. MUST be one of predefined Event_category operation strings, e.g.device installation. |
| formatted_message | string | Contains the specific information that applies to the log entry. |
| saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file or artifact (e.g., cache, memory), e.g., steupAPI.log |
### Message Type Vocabulary
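Review bot: in the new `saved_to_ref` description, `steupAPI.log` should be `setupapi.log` (the log the Microsoft docs link above describes), and the sentence chains two examples (`... (e.g., cache, memory), e.g., steupAPI.log`); suggest `It MUST be a file or artifact object, for example the file setupapi.log.`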
@@ -218,7 +220,7 @@ Vocabulary Name: message-type-ov
"time_stamp": "2021-01-06T20:03:22.000Z",
"event_category": "device installation",
"formatted_message ": "Device Install (Hardware initiated) - USB\\VID_0781&PID_5517\\4C5300124505311010593",
"belongs_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
"saved_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
}
```
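Review bot: `"formatted_message "` (context line) has a trailing space inside the key and will not match the `formatted_message` property; strip it in the same edit.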
@@ -226,44 +228,45 @@ Vocabulary Name: message-type-ov
**Type Name:** x-file-visit-evt
The File Visit Event object represents properties associasted with when a file/directory is visited by an operating system, including when a file is read, modified, executed, preloaded. etc. The event may be saved in different forms, e.g., file, cache, Windows registry, etc.
The File Visit Event object represents properties that are associasted with a file/directory visited by operating systems or applications. The event is generated when a file is read, modified, executed, preloaded. etc. The event may be saved in different forms, e.g., file, cache, Windows registry, etc.
### Properties
| Property Name | Type | Description |
| ------------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-file-visit-evt. |
| id (required) | identifier | The ID of a File Visit Event object. |
| visit_type | enum | Specifies the visit options defined for the visit. The values of this property MUST come from the file-visit-type-enum enumeration. |
| visit_time | timestamp | Specifies the time a file was visited. |
| visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. |
| count | integer | The total number of times the program has visited. |
| visit_file_ref (required) | identifier | Specifies the file or directory that was recently visited. |
| event_type | string | Specifies the event type of source artifacts where the event is retrived from. It MUST come from the file-visit-event-common-name-ov open vocabulary. |
| belongs_to_ref (required) | identifier | The relation describes that event is a part of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, artifact, or or directory. |
| Property Name | Type | Description |
| ------------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| type (required) | string | The value of this property MUST be x-file-visit-evt. |
| id (required) | identifier | The ID of a File Visit Event object. |
| visit_type | enum | Specifies how file was visited. The values of this property MUST come from the file-visit-type-enum enumeration. |
| visit_time | timestamp | Specifies the time a file was visited. |
| visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. |
| visit_count | integer | The total number of times the program has visited. |
| visit_file_ref (required) | identifier | Specifies the file or directory that was recently visited. |
| reason | open-vocab | Specifies a resaon why an event is recorded. It MUST come from the file-visit-evt-reason-ov open vocabulary. |
| created_by_software_ref | identifier | The softwre that is used to capture and save the event. The value of this property MUST be the identifier for a SCO software object. |
| saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, artifact, or or directory. |
### File Visit Type Enum
Vocabulary Name: file-visit-type-enum
| Vocabulary Value | Description |
| ---------------- | -------------------------------------------------------------------- |
| creation | A file was visited for creation. |
| reading | A file was visited for reading. |
| modification | A file was was visited for modification (content is to be modified). |
| updating | The meta data of a file was visited for changing (e.g. permissions) |
| execution | A file was visited for execution. |
| deletion | A file was visited for deletion. |
| preloading | A file was visited for preloading to memory. |
| prefetching | A file was visited for prefetching to memory. |
| loading | A file was visited for loading to memory. |
| unloadeding | A file was visited for unloadig from memory. |
| other | |
| unknown | |
| Vocabulary Value | Description |
| ---------------- | ----------------------------------------------------------------------------- |
| creation | A file was visited for creation. |
| reading | A file was visited for reading. |
| modification | A file was was visited for modification (content is to be modified). |
| updating | The meta data of a file was visited for changing (e.g. permissions) |
| execution | A file was visited for execution. |
| deletion | A file was visited for deletion. |
| preloading | A file was visited for preloading to memory. |
| prefetching | A file was visited for prefetching to memory. |
| loading | A file was visited for loading to memory. |
| unloading | A file was visited for unloading from memory. |
| other | |
| unknown | There is not enough information available to determine how file was accessed. |
### File Visit Event Common Name Vocabulary
### File Visit Event Reason Vocabulary
**Vocabulary Name:** file-visit-event-common-name-ov
**Vocabulary Name:** file-visit-evt-reason-ov
| Vocabulary Value | Description |
| ---------------- | ---------------------------------------------------------------------------------------- |
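Review bot: the renamed property `reason` and its vocabulary `file-visit-evt-reason-ov` are described as `Specifies a resaon why an event is recorded`, but the values in that vocabulary (recentfilecache, shimcache, prefetch, ...) name the artifact the event was recovered from, which is what the removed `event_type` text said (`the event type of source artifacts where the event is retrived from`). Either keep the source-artifact wording in the description or use a name such as `source_artifact`; as written a reader will expect values like `execution` here. New rows also carry typos: `resaon`, `softwre`, `associasted`, `or or directory`, and the doubled brace in `{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}}`.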
@@ -273,10 +276,13 @@ Vocabulary Name: file-visit-type-enum
| prefetch | |
| muicache | Support multiple language for software. |
| usnjournal | Store Update Sequence Number Journal. |
| shellbags | Store user preferences for GUI folder display within Windows Explorer. |
| shellbag | Store user preferences for GUI folder display within Windows Explorer. |
| jumplist | Represents a list of items and tasks displayed as a menu on a Windows 7 taskbar button. |
| mru | Most recently used files. |
| autorun | |
| applog | Logs generated by applications. |
### Type 1: RecentFileCache
### RecentFileCache
RecentFileCache.bcf only containes references to programs that recently executed. setuputility.exe is recently executed.
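Review bot: the new vocabulary value is `mru` (`Most recently used files.`), but the examples added further down in this commit use `"reason": "rmu"` and the section is headed `### RMU`; the example value MUST come from this vocabulary, so align everything on `mru`. The new `autorun` row has an empty description (as does the existing `prefetch` row); each value should state which artifact it denotes. `containes` in the RecentFileCache prose is a typo.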
@@ -289,8 +295,9 @@ RecentFileCache.bcf only containes references to programs that recently executed
"visit_type": "execution",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"event_type": "recentfilecache",
"belongs_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
"reason": "recentfilecache",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5"
},
{
"type": "file",
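Review bot: `"visit_time "` (context line) has a trailing space inside the key, so the value will not be read as the `visit_time` property; the same defect is present in every example in this file and should be fixed across them. The three new lines are correct, and the `created_by_software_ref` target is defined in the next hunk.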
@@ -308,11 +315,20 @@ RecentFileCache.bcf only containes references to programs that recently executed
},
"size": 51164,
"name": "RecentFileCache.bcf"
},
{
"type": "software",
"spec_version": "2.1",
"id": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"name": "Windows",
"cpe": "cpe:2.3:o:microsoft:azure:-:*:*:*:*:*:*:*",
"version": "7",
"vendor": "Microsoft"
}
]
```
### Type 2: Shimcache
### Shimcache
Shimcache is created to identify application compatibility issues. Two actions/events that can cause the Shimcache to record an entry:
(1) A file is executed and (2) A user interactively browses a directory.
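Review bot: the new software object is named `Windows` with `"version": "7"`, but its CPE `cpe:2.3:o:microsoft:azure:-:*:*:*:*:*:*:*` identifies Azure rather than Windows 7; the product component should be `windows_7` (with the version reflected in the CPE or left as `-` consistently). In the Shimcache prose, `Two actions/events that can cause the Shimcache to record an entry:` is a sentence fragment; suggest `Two actions cause the Shimcache to record an entry:`.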
@@ -326,8 +342,9 @@ Shimcache is created to identify application compatibility issues. Two actions/e
"visit_type": "executed",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6",
"event_type": "shimcache",
"belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
"reason": "shimcache",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
"type": "file",
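Review bot: `"visit_type": "executed"` (context line) is not a value of `file-visit-type-enum`; the enum defines `execution`, which the RecentFileCache example uses. Since the adjacent lines are being rewritten, fix it here.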
@@ -345,7 +362,7 @@ Shimcache is created to identify application compatibility issues. Two actions/e
]
```
### Type 3: UserAssist
### UserAssist
Windows System, every GUI-based programs launched from the desktop are tracked in this registry key HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.
An Example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001.
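Review bot: `Windows System, every GUI-based programs launched from the desktop are tracked in this registry key ...` needs rewording, e.g. `On Windows, every GUI-based program launched from the desktop is tracked under the registry key ...`; `Security ID (SID)` should be `Security Identifier (SID)`.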
@@ -359,16 +376,17 @@ An Example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001
"visit_type": "execution",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"event_type": "userassist",
"belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
"visit_count": 1,
"reason": "userassist",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--150c4200-02c6-475d-ac44-2d4e65de9f36",
"count": "1",
"size": 55136,
"name": "WINWORD.EXE "
"name": "WINWORD.EXE"
},
{
"type": "windows-registry-key",
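Review bot: `"visit_count": 1` now lives on the event object, but the following `file` object still carries `"count": "1"` (a string, and not a property of the STIX File SCO); remove that line from the file object so the count is recorded only once, as an integer, on the event.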
@@ -379,7 +397,7 @@ An Example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001
]
```
### Type 4: Prefetch
### Prefetch
Prefetch preloads most frequently used software into memory. The Typeshows the chrome.exe-999b1ba.pf contains chrome.exe-999b1ba.exe, the time when the exe file is executed, last time executed, and how many times it was exeucted.
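Review bot: `The Typeshows the chrome.exe-999b1ba.pf ...` looks like a search-and-replace remnant from renaming `Example` to `Type`; it should read `The example shows ...`. The same remnant appears in the Shellbags and Jumplist prose. `exeucted` is a typo.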
@@ -391,10 +409,11 @@ Prefetch preloads most frequently used software into memory. The Typeshows the c
"id": "x-file-visit-evt--2bec785c-e1b0-4834-9a3a-9d04bd0749fe",
"visit_type": "execution",
"visit_time ": "2021-01-06T20:03:22.000Z",
"count": 71,
"visit_count": 71,
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"event_type": "prefetch",
"belongs_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
"reason": "prefetch",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
"type": "file",
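Review bot: `"saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"` reuses the UUID of `windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016` from the Shimcache and UserAssist examples; the two identifiers are technically distinct because the type prefix differs, but sharing one UUID between a file and a registry key across examples is confusing. Generate a fresh UUID for the Prefetch file (the USNJournal example below has the same reuse).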
@@ -414,7 +433,7 @@ Prefetch preloads most frequently used software into memory. The Typeshows the c
]
```
### Type 5: USNJournal
### USNJournal
USN (Update Sequence Number) Journal records all files changes (e.g.., rename) that are made to volume.
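Review bot: `records all files changes (e.g.., rename) that are made to volume` has a stray period in `e.g..` and a number/article slip; suggest `records all file changes (e.g., renames) made to a volume`.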
@@ -427,8 +446,9 @@ USN (Update Sequence Number) Journal records all files changes (e.g.., rename) t
"visit_type": "modification",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387",
"event_type": "usnjournal",
"belongs_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
"reason": "usnjournal",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016"
},
{
"type": "file",
@@ -448,7 +468,7 @@ USN (Update Sequence Number) Journal records all files changes (e.g.., rename) t
]
```
### Type 6: Shellbags
### Shellbags
Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer to improve user experience and “remember” preferences. The following Type descrbes a USB drive is visited.
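Review bot: `The following Type descrbes a USB drive is visited.` is the same rename remnant plus a typo; suggest `The following example describes a visit to a USB drive.`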
@@ -461,8 +481,9 @@ Windows uses the Shellbag keys to store user preferences for GUI folder display
"visit_type": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
"event_type": "shellbags",
"belongs_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
"reason": "shellbag",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
},
{
"type": "directory",
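Review bot: `"visit_type": "read"` (context line) is not a value of `file-visit-type-enum`; the enum value is `reading`. The Jumplist, Lnk, RMU and applog examples use the same invalid value and should be corrected together.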
@@ -482,7 +503,7 @@ Windows uses the Shellbag keys to store user preferences for GUI folder display
]
```
### Type 7: Jumplist
### Jumplist
Jumplist represents a list of items and tasks displayed as a menu on a Windows 7 taskbar button. The following Type shows a Jumplist of Word 2010 Pinned and Recent accessed files.
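Review bot: `The following Type shows a Jumplist of Word 2010 Pinned and Recent accessed files.` should read `The following example shows a Jumplist of Word 2010 pinned and recently accessed files.`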
@@ -495,8 +516,9 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7
"visit_type": "read",
"visit_time ": "2021-01-06T20:03:22.000Z",
"visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c",
"event_type": "jumplist",
"belongs_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
"reason": "jumplist",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c"
},
{
"type": "file",
@@ -516,7 +538,7 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7
]
```
### Type 8: Lnk
### Lnk
lnk is a shortcut or "link" used by Windows as a reference to an original file, folder, or application. The example describes an event is generated when a file is accessed by a link.
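Review bot: `The example describes an event is generated when a file is accessed by a link.` should read `The example describes the event generated when a file is accessed through a link.`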
@@ -529,8 +551,9 @@ lnk is a shortcut or "link" used by Windows as a reference to an original file,
"visit_type": "read",
"visit_time ": "2021-01-16T21:03:22.000Z",
"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78",
"event_type": "lnk",
"belongs_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663"
"reason": "lnk",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663"
},
{
"type": "file",
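Review bot: `"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78"` (context line) uses a single hyphen between the type and the UUID; STIX 2.1 identifiers are `type--uuid`, so this reference is malformed and will not resolve to any file object. Fix it to `file--8c33da4c-...`.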
@@ -550,6 +573,85 @@ lnk is a shortcut or "link" used by Windows as a reference to an original file,
]
```
### RMU
Most Recently Used files.
```json
[
{
"type": "x-file-visit-evt",
"spec_version": "2.1",
"id": "x-file-visit-evt--8cdbf030-89d9-48be-b733-5f4900706f0e",
"visit_type": "read",
"visit_time ": "2021-01-16T21:03:22.000Z",
"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78",
"reason": "rmu",
"created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228",
"saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--8c33da4c-fb61-4658-b28c-a5c60f561d78",
"name": "(secret_project)_pricing_decision.xlsx"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663",
"hashes": {
"MD5": "9857b91a6427496e72d779893e6d49fb"
},
"name": "informant.DAT"
}
]
```
### applog
An event logged by Google drive. The event shows a file (happy_holiday.jpg) has been deleted.
```json
[
{
"type": "x-file-visit-evt",
"spec_version": "2.1",
"id": "x-file-visit-evt--9880e636-38b0-471a-8266-8a622a95b3a5",
"visit_type": "read",
"visit_time ": "2021-01-16T21:03:22.000Z",
"visit_file_ref": "file-8cdbf030-89d9-48be-b733-5f4900706f0e",
"reason": "rmu",
"created_by_software_ref": "software--764c3bcd-e053-46dc-b77d-51de1a311b39",
"saved_to_ref": "file--d5faf70b-36b8-437c-9137-6c0fc83b1e69"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--8cdbf030-89d9-48be-b733-5f4900706f0e",
"name": "(secret_project)_pricing_decision.xlsx"
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--d5faf70b-36b8-437c-9137-6c0fc83b1e69",
"hashes": {
"MD5": "64c6451132676e5a14e20d7d9283fa58"
},
"name": "sync_log.log"
},
{
"type": "software",
"spec_version": "2.1",
"id": "software--764c3bcd-e053-46dc-b77d-51de1a311b39",
"name": "Windows",
"cpe": "cpe:2.3:a:google:drive:-:*:*:*:*:*:*:*",
"version": "1.0.257",
"vendor": "Google"
}
]
```
## threat-actor-type-ov external reference
| Vocabulary Value | Description |
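Review bot: the applog example contradicts its own prose: the text says Google Drive logged the deletion of `happy_holiday.jpg`, but the event has `"visit_type": "read"`, `"reason": "rmu"` and points at `"(secret_project)_pricing_decision.xlsx"`, copied from the RMU example above; it should use `deletion`, the new `applog` vocabulary value, and a file object named `happy_holiday.jpg`. Its software object is also named `Windows` while the CPE `cpe:2.3:a:google:drive:-:*:*:*:*:*:*:*` and vendor say Google Drive. In both new sections `"reason": "rmu"` is not in the vocabulary (which defines `mru`), the heading `### RMU` should be `### MRU`, and the `visit_file_ref` values `file-8c33da4c-...` and `file-8cdbf030-...` use a single hyphen instead of `--`; note that `8cdbf030-89d9-48be-b733-5f4900706f0e` is also the UUID of the RMU event object, so the applog file needs its own UUID.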