diff --git a/STIX_for_digital_forensics/readme.md b/STIX_for_digital_forensics/readme.md index 76a49c1..37a84d1 100644 --- a/STIX_for_digital_forensics/readme.md +++ b/STIX_for_digital_forensics/readme.md @@ -36,14 +36,16 @@ The goal of the project is to customize STIX™ for facilitating the sharing of - [Browser History Event Object](#Browser-History-Event-Object) - [Plug and Play (PnP) Event Object](#Plug-and-Play-PnP-Event-Object) - [File Visit Event Object](#File-Visit-Event-Object) - - [Type 1: RecentFileCache](#Example-1-RecentFileCache) - - [type 2: Shimcache](#Example-2-Shimcache) - - [Type 3: UserAssist](#Example-3-UserAssist) - - [TYpe 4: Prefetch](#Example-4-Prefetch) - - [Type 5: USNJournal](#Example-5-USNJournal) - - [Type 6: Shellbags](#Example-6-Shellbags) - - [Type 7: Jumplist](#Example-7-Jumplist) - - [Type 8: Lnk]($Example-8-Lnk) + - [RecentFileCache](#RecentFileCache) + - [Shimcache](#Shimcache) + - [UserAssist](#TUserAssist) + - [Prefetch](#Prefetch) + - [USNJournal](#USNJournal) + - [Shellbags](#Shellbags) + - [Jumplist](#Jumplist) + - [Lnk]($Lnk) + - [RMU]($RMU) + - [applog](#applog) - Property Extension for Windows™ Registry Key Object - Other extension - [threat-actor-type-ov external reference](#threat-actor-type-ov-external-reference]) 
@@ -56,18 +58,18 @@ The WIndow Event object represents an event generated by Windows OS, including a ### Properties -| Property Name | Type | Description | -| ------------------------- | ---------- | -------------------------------------------------------------------------------------- | -| type (required) | string | The value of this property MUST be windows-security-evt. | -| id (required) | identifier | The ID of a secuity type. | -| log_name (required) | enum | The value of this property MUST come from the log-nam-enum enumeration. | -| logged_time (required) | timestamp | | -| source | string | | -| event_id | integer | | -| task_category | string | | -| computer | string | The name of the computer. | -| user_account_ref | identifier | The user account that is associated with the evewnt. | -| belongs_to_ref (required) | identity | The relation describes that event is a part of file or artifact (e.g., cache, memory). | +| Property Name | Type | Description | +| ---------------------- | ---------- | ----------------------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be windows-security-evt. | +| id (required) | identifier | The ID of a secuity type. | +| log_name (required) | enum | The value of this property MUST come from the log-nam-enum enumeration. | +| logged_time (required) | timestamp | | +| source | string | | +| event_id | integer | | +| task_category | string | | +| computer | string | The name of the computer. | +| user_account_ref | identifier | The user account that is associated with the evewnt. | +| saved_to_ref(required) | identity | Specifies object type that event object belongs to. It MUST be a type of file or artifact | ### Relationships 
@@ -100,7 +102,7 @@ The WIndow Event object represents an event generated by Windows OS, including a "task_category ": "Logon", "computer": "ryzen3790-xu", "user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb", - "belongs_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a" + "saved_to_ref": "file--9460a8a8-6351-40bb-b5ad-18f3265bbf7a" } ``` 
@@ -108,23 +110,23 @@ The WIndow Event object represents an event generated by Windows OS, including a **Type Name:** x-browser-history-evt -The Browser History Event object represent a single visit to a URL. +The Browser History Event object represents a single visit to a URL. ### Properties -| Property Name | Type | Description | -| ------------------------- | ---------- | -------------------------------------------------------------------------------------- | -| type (required) | string | The value of this property MUST be browser-history. | -| id (required) | identifier | The ID of a browser history event object. | -| url_ref | identifier | Specify a visit to a url. | -| title | string | Speify the title of a web page (if a URL is a webpage) that has been visited. | -| visit_time | timestamp | The last time visited. | -| visit_count | integer | The number of times visited | -| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. | -| browser_ref | identifier | The value type for this property SHOULD software. | -| file_requested_ref | identifier | The ID of the file the http requested. | -| user_account_ref | identifier | The user account that is associated with record. | -| belongs_to_ref (required) | identifier | The relation describes that event is a part of file or artifact (e.g., cache, memory). | +| Property Name | Type | Description | +| ---------------------- | ---------- | ------------------------------------------------------------------------------------------ | +| type (required) | string | The value of this property MUST be browser-history. | +| id (required) | identifier | The ID of a browser history event object. | +| url_ref | identifier | Specify a visit to a url. | +| title | string | Speify the title of a web page (if a URL is a webpage) that has been visited. | +| visit_time | timestamp | The last time visited. 
| +| visit_count | integer | The number of times visited | +| browser_name | string | The values for this property SHOULD come from the browser-name-ov open vocabulary. | +| browser_ref | identifier | The value type for this property SHOULD software. | +| file_requested_ref | identifier | The ID of the file the http requested. | +| user_account_ref | identifier | The user account that is associated with record. | +| saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file or artifact. | ### Relationships @@ -147,7 +149,7 @@ The Browser History Event object represent a single visit to a URL. "browser_ref": "software--db997c40-458d-4da6-a339-6eef90cf325e", "file_requested_ref ": "file--10624790-0e43-4498-89da-8979ab4215ae", "user_account_ref ": "user-account--68f0b7d5-f7ab-47d2-8773-739ceb1c11bb", - "belongs_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f" + "saved_to_ref": "file--843f6a43-0603-4e0d-84a4-198386eecf4f" }, { "type": "url", 
@@ -187,15 +189,15 @@ The Plug and Play (PnP) Event object represents an event recorded by Windows Ker The completed log properties can be access [Microsoft office docs- Format of a text log section body](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/format-of-a-text-log-section-body) -| Property Name | Type | Description | -| ------------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | -| type (required) | string | The value of this property MUST be x-pnp-evt. | -| id (required) | identifier | The ID of a Plug and Play (PnP) Event object. | -| entry_prefix | enum | The values of this property MUST come from the message-type-ov enumeration. | -| time_stamp | timestamp | Indicates the system time when the logged event occurred. | -| event_category | string | Indicates the category of SetupAPI operation that made the log entry. MUST be one of predefined Event_category operation strings, e.g.device installation. | -| formatted_message | string | Contains the specific information that applies to the log entry. | -| belongs_to_ref (required) | identifier | The relation describes that event is a part of file or artifact (e.g., cache, memory), e.g., steupAPI.log | +| Property Name | Type | Description | +| ---------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be x-pnp-evt. | +| id (required) | identifier | The ID of a Plug and Play (PnP) Event object. | +| entry_prefix | enum | The values of this property MUST come from the message-type-ov enumeration. | +| time_stamp | timestamp | Indicates the system time when the logged event occurred. 
| +| event_category | string | Indicates the category of SetupAPI operation that made the log entry. MUST be one of predefined Event_category operation strings, e.g.device installation. | +| formatted_message | string | Contains the specific information that applies to the log entry. | +| saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file or artifact (e.g., cache, memory), e.g., steupAPI.log | ### Message Type Vocabulary @@ -218,7 +220,7 @@ Vocabulary Name: message-type-ov "time_stamp": "2021-01-06T20:03:22.000Z", "event_category": "device installation", "formatted_message ": "Device Install (Hardware initiated) - USB\\VID_0781&PID_5517\\4C5300124505311010593", - "belongs_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5" + "saved_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5" } ``` 
@@ -226,44 +228,45 @@ Vocabulary Name: message-type-ov **Type Name:** x-file-visit-evt -The File Visit Event object represents properties associasted with when a file/directory is visited by an operating system, including when a file is read, modified, executed, preloaded. etc. The event may be saved in different forms, e.g., file, cache, Windows registry, etc. +The File Visit Event object represents properties that are associasted with a file/directory visited by operating systems or applications. The event is generated when a file is read, modified, executed, preloaded. etc. The event may be saved in different forms, e.g., file, cache, Windows registry, etc. ### Properties -| Property Name | Type | Description | -| ------------------------- | ---------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | -| type (required) | string | The value of this property MUST be x-file-visit-evt. | -| id (required) | identifier | The ID of a File Visit Event object. | -| visit_type | enum | Specifies the visit options defined for the visit. The values of this property MUST come from the file-visit-type-enum enumeration. | -| visit_time | timestamp | Specifies the time a file was visited. | -| visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. | -| count | integer | The total number of times the program has visited. | -| visit_file_ref (required) | identifier | Specifies the file or directory that was recently visited. | -| event_type | string | Specifies the event type of source artifacts where the event is retrived from. It MUST come from the file-visit-event-common-name-ov open vocabulary. | -| belongs_to_ref (required) | identifier | The relation describes that event is a part of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, artifact, or or directory. 
| +| Property Name | Type | Description | +| ------------------------- | ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| type (required) | string | The value of this property MUST be x-file-visit-evt. | +| id (required) | identifier | The ID of a File Visit Event object. | +| visit_type | enum | Specifies how file was visited. The values of this property MUST come from the file-visit-type-enum enumeration. | +| visit_time | timestamp | Specifies the time a file was visited. | +| visit_file_guid | string | The GUID of an application, e.g., {A3D53349-6E61-4557-8FC7-0028EDCEEBF6}} is Windows 8. | +| visit_count | integer | The total number of times the program has visited. | +| visit_file_ref (required) | identifier | Specifies the file or directory that was recently visited. | +| reason | open-vocab | Specifies a resaon why an event is recorded. It MUST come from the file-visit-evt-reason-ov open vocabulary. | +| created_by_software_ref | identifier | The softwre that is used to capture and save the event. The value of this property MUST be the identifier for a SCO software object. | +| saved_to_ref(required) | identifier | Specifies object type that event object belongs to. It MUST be a type of file (e.g., RecentFileCache.bcf or Amcache.hve), registry, artifact, or or directory. | ### File Visit Type Enum Vocabulary Name: file-visit-type-enum -| Vocabulary Value | Description | -| ---------------- | -------------------------------------------------------------------- | -| creation | A file was visited for creation. | -| reading | A file was visited for reading. | -| modification | A file was was visited for modification (content is to be modified). | -| updating | The meta data of a file was visited for changing (e.g. permissions) | -| execution | A file was visited for execution. | -| deletion | A file was visited for deletion. 
| -| preloading | A file was visited for preloading to memory. | -| prefetching | A file was visited for prefetching to memory. | -| loading | A file was visited for loading to memory. | -| unloadeding | A file was visited for unloadig from memory. | -| other | | -| unknown | | +| Vocabulary Value | Description | +| ---------------- | ----------------------------------------------------------------------------- | +| creation | A file was visited for creation. | +| reading | A file was visited for reading. | +| modification | A file was was visited for modification (content is to be modified). | +| updating | The meta data of a file was visited for changing (e.g. permissions) | +| execution | A file was visited for execution. | +| deletion | A file was visited for deletion. | +| preloading | A file was visited for preloading to memory. | +| prefetching | A file was visited for prefetching to memory. | +| loading | A file was visited for loading to memory. | +| unloading | A file was visited for unloading from memory. | +| other | | +| unknown | There is not enough information available to determine how file was accessed. | -### File Visit Event Common Name Vocabulary +### File Visit Event Reason Vocabulary -**Vocabulary Name:** file-visit-event-common-name-ov +**Vocabulary Name:** file-visit-evt-reason-ov | Vocabulary Value | Description | | ---------------- | ---------------------------------------------------------------------------------------- | 
@@ -273,10 +276,13 @@ Vocabulary Name: file-visit-type-enum | prefetch | | | muicache | Support multiple language for software. | | usnjournal | Store Update Sequence Number Journal. | -| shellbags | Store user preferences for GUI folder display within Windows Explorer. | +| shellbag | Store user preferences for GUI folder display within Windows Explorer. | | jumplist | Represents a list of items and tasks displayed as a menu on a Windows 7 taskbar button. | +| mru | Most recently used files. | +| autorun | | +| applog | Logs generated by applications. | -### Type 1: RecentFileCache +### RecentFileCache RecentFileCache.bcf only containes references to programs that recently executed. setuputility.exe is recently executed. @@ -289,8 +295,9 @@ RecentFileCache.bcf only containes references to programs that recently executed "visit_type": "execution", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6", - "event_type": "recentfilecache", - "belongs_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5" + "reason": "recentfilecache", + "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "saved_to_ref": "file--176353bd-b61d-4944-b0cd-0b98783c50b5" }, { "type": "file", @@ -308,11 +315,20 @@ RecentFileCache.bcf only containes references to programs that recently executed }, "size": 51164, "name": "RecentFileCache.bcf" + }, + { + "type": "software", + "spec_version": "2.1", + "id": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "name": "Windows", + "cpe": "cpe:2.3:o:microsoft:azure:-:*:*:*:*:*:*:*", + "version": "7", + "vendor": "Microsoft" } ] ``` -### Type 2: Shimcache +### Shimcache Shimcache is created to identify application compatibility issues. Two actions/events that can cause the Shimcache to record an entry: (1) A file is executed and (2) A user interactively browses a directory. 
@@ -326,8 +342,9 @@ Shimcache is created to identify application compatibility issues. Two actions/e "visit_type": "executed", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--7bd8980c-91eb-461a-a357-ae75a35374e6", - "event_type": "shimcache", - "belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016" + "reason": "shimcache", + "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016" }, { "type": "file", @@ -345,7 +362,7 @@ Shimcache is created to identify application compatibility issues. Two actions/e ] ``` -### Type 3: UserAssist +### UserAssist Windows System, every GUI-based programs launched from the desktop are tracked in this registry key HKEY_USERS\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. An Example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001. @@ -359,16 +376,17 @@ An Example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001 "visit_type": "execution", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387", - "event_type": "userassist", - "belongs_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016" + "visit_count": 1, + "reason": "userassist", + "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "saved_to_ref": "windows-registry-key--2ba37ae7-2745-5082-9dfd-9486dad41016" }, { "type": "file", "spec_version": "2.1", "id": "file--150c4200-02c6-475d-ac44-2d4e65de9f36", - "count": "1", "size": 55136, - "name": "WINWORD.EXE " + "name": "WINWORD.EXE" }, { "type": "windows-registry-key", 
@@ -379,7 +397,7 @@ An Example of Security ID (SID) is S-1-5-21-394942887-4226445097-2438273937-1001 ] ``` -### Type 4: Prefetch +### Prefetch Prefetch preloads most frequently used software into memory. The Typeshows the chrome.exe-999b1ba.pf contains chrome.exe-999b1ba.exe, the time when the exe file is executed, last time executed, and how many times it was exeucted. @@ -391,10 +409,11 @@ Prefetch preloads most frequently used software into memory. The Typeshows the c "id": "x-file-visit-evt--2bec785c-e1b0-4834-9a3a-9d04bd0749fe", "visit_type": "execution", "visit_time ": "2021-01-06T20:03:22.000Z", - "count": 71, + "visit_count": 71, "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387", - "event_type": "prefetch", - "belongs_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016" + "reason": "prefetch", + "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016" }, { "type": "file", @@ -414,7 +433,7 @@ Prefetch preloads most frequently used software into memory. The Typeshows the c ] ``` -### Type 5: USNJournal +### USNJournal USN (Update Sequence Number) Journal records all files changes (e.g.., rename) that are made to volume. @@ -427,8 +446,9 @@ USN (Update Sequence Number) Journal records all files changes (e.g.., rename) t "visit_type": "modification", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--674f8200-b56a-473b-9b1d-32a911ac5387", - "event_type": "usnjournal", - "belongs_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016" + "reason": "usnjournal", + "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "saved_to_ref": "file--2ba37ae7-2745-5082-9dfd-9486dad41016" }, { "type": "file", 
@@ -448,7 +468,7 @@ USN (Update Sequence Number) Journal records all files changes (e.g.., rename) t ] ``` -### Type 6: Shellbags +### Shellbags Windows uses the Shellbag keys to store user preferences for GUI folder display within Windows Explorer to improve user experience and “remember” preferences. The following Type descrbes a USB drive is visited. @@ -461,8 +481,9 @@ Windows uses the Shellbag keys to store user preferences for GUI folder display "visit_type": "read", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c", - "event_type": "shellbags", - "belongs_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c" + "reason": "shellbag", + "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "saved_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c" }, { "type": "directory", @@ -482,7 +503,7 @@ Windows uses the Shellbag keys to store user preferences for GUI folder display ] ``` -### Type 7: Jumplist +### Jumplist Jumplist represents a list of items and tasks displayed as a menu on a Windows 7 taskbar button. The following Type shows a Jumplist of Word 2010 Pinned and Recent accessed files. @@ -495,8 +516,9 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7 "visit_type": "read", "visit_time ": "2021-01-06T20:03:22.000Z", "visit_file_ref": "file--28d2e12c-c56c-4aaf-aeed-d0b69ccc601c", - "event_type": "jumplist", - "belongs_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c" + "reason": "jumplist", + "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "saved_to_ref": "file--14a4a46c-0957-4b9d-900d-35cb8379055c" }, { "type": "file", 
@@ -516,7 +538,7 @@ Jumplist represents a list of items and tasks displayed as a menu on a Windows 7 ] ``` -### Type 8: Lnk +### Lnk lnk is a shortcut or "link" used by Windows as a reference to an original file, folder, or application. The example describes an event is generated when a file is accessed by a link. @@ -529,8 +551,9 @@ lnk is a shortcut or "link" used by Windows as a reference to an original file, "visit_type": "read", "visit_time ": "2021-01-16T21:03:22.000Z", "visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78", - "event_type": "lnk", - "belongs_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663" + "reason": "lnk", + "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663" }, { "type": "file", 
@@ -550,6 +573,85 @@ lnk is a shortcut or "link" used by Windows as a reference to an original file, ] ``` +### RMU + +Most Recently Used files. + +```json +[ + { + "type": "x-file-visit-evt", + "spec_version": "2.1", + "id": "x-file-visit-evt--8cdbf030-89d9-48be-b733-5f4900706f0e", + "visit_type": "read", + "visit_time ": "2021-01-16T21:03:22.000Z", + "visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78", + "reason": "rmu", + "created_by_software_ref": "software--a67ca75e-bda5-45e0-8bf0-b5884528d228", + "saved_to_ref": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663" + }, + { + "type": "file", + "spec_version": "2.1", + "id": "file--8c33da4c-fb61-4658-b28c-a5c60f561d78", + "name": "(secret_project)_pricing_decision.xlsx" + }, + { + "type": "file", + "spec_version": "2.1", + "id": "file--676b743a-3a56-4084-aeb5-fa9cfadf5663", + "hashes": { + "MD5": "9857b91a6427496e72d779893e6d49fb" + }, + "name": "informant.DAT" + } +] +``` + +### applog + +An event logged by Google drive. The event shows a file (happy_holiday.jpg) has been deleted. 
+ +```json +[ + { + "type": "x-file-visit-evt", + "spec_version": "2.1", + "id": "x-file-visit-evt--9880e636-38b0-471a-8266-8a622a95b3a5", + "visit_type": "read", + "visit_time ": "2021-01-16T21:03:22.000Z", + "visit_file_ref": "file-8cdbf030-89d9-48be-b733-5f4900706f0e", + "reason": "rmu", + "created_by_software_ref": "software--764c3bcd-e053-46dc-b77d-51de1a311b39", + "saved_to_ref": "file--d5faf70b-36b8-437c-9137-6c0fc83b1e69" + }, + { + "type": "file", + "spec_version": "2.1", + "id": "file--8cdbf030-89d9-48be-b733-5f4900706f0e", + "name": "(secret_project)_pricing_decision.xlsx" + }, + { + "type": "file", + "spec_version": "2.1", + "id": "file--d5faf70b-36b8-437c-9137-6c0fc83b1e69", + "hashes": { + "MD5": "64c6451132676e5a14e20d7d9283fa58" + }, + "name": "sync_log.log" + }, + { + "type": "software", + "spec_version": "2.1", + "id": "software--764c3bcd-e053-46dc-b77d-51de1a311b39", + "name": "Windows", + "cpe": "cpe:2.3:a:google:drive:-:*:*:*:*:*:*:*", + "version": "1.0.257", + "vendor": "Google" + } +] +``` + ## threat-actor-type-ov external reference | Vocabulary Value | Description |
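Review bot: In the table-of-contents hunk, the rewritten anchors `[Lnk]($Lnk)` and `[RMU]($RMU)` use `$` instead of `#`, so neither link resolves, and `[UserAssist](#TUserAssist)` carries a stray `T` that does not match the `### UserAssist` heading added later in the patch; suggest `[Lnk](#Lnk)`, `[MRU](#MRU)` and `[UserAssist](#UserAssist)`. The entry, the later `### RMU` heading and the `"reason": "rmu"` values all spell the abbreviation "RMU", while the section text reads "Most Recently Used files" and the vocabulary value added in the same patch is `mru`, so it should be `MRU`/`mru` throughout. The unchanged `(#threat-actor-type-ov-external-reference])` context line also has a stray `]` inside the parentheses that breaks that link.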
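Review bot: In the Windows Event properties hunk, the renamed `saved_to_ref` row keeps `identity` as its type, whereas every other `*_ref` property in this file, and the same row in the browser-history, PnP and file-visit tables of this patch, is typed `identifier`; the value is a reference to a `file` or `artifact` object, so it should read `identifier`. The label `saved_to_ref(required)` also lacks the space before `(required)` used by the other required rows, the description "Specifies object type that event object belongs to" should say it specifies the object (not its type) the event was saved in, and the rewritten rows carry over the typos `secuity`, `log-nam-enum` and `evewnt` that could be fixed while the table is being rewritten.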
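Review bot: In the Windows Event example hunk, the surrounding context keys `"task_category "` and `"user_account_ref "` contain a trailing space inside the quotes, so a consumer would look up a property named `task_category ` rather than `task_category`; the same pattern recurs in the other examples (`"visit_time "`, `"formatted_message "`, `"file_requested_ref "`), and since this patch already touches every one of those objects it is a good moment to strip the spaces.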
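Review bot: In the Browser History properties hunk, the rewritten `browser_ref` row still reads "The value type for this property SHOULD software", which is missing "be" (and would be clearer as "MUST be the identifier for a SCO `software` object", matching the wording of `created_by_software_ref` elsewhere in the patch); the `title` row keeps the typo `Speify`, and `url_ref` "Specify a visit to a url" should state that it references the `url` object that was visited rather than the visit itself.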
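Review bot: In the PnP properties hunk, the new `saved_to_ref` description chains two examples ("It MUST be a type of file or artifact (e.g., cache, memory), e.g., steupAPI.log") and misspells the log name; suggest "It MUST reference a `file` or `artifact` object, e.g., setupAPI.log". The `entry_prefix` row says the values "MUST come from the message-type-ov enumeration" although the `-ov` suffix and the heading "Message Type Vocabulary" mark it as an open vocabulary, so either the type should be `open-vocab` with SHOULD, or the name should end in `-enum`.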
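Review bot: In the File Visit Event hunk, the new prose and rows introduce several spelling slips that should be fixed before merge: `associasted`, `preloaded. etc.`, `resaon`, `softwre`, `or or directory`, `was was visited`, and the `visit_file_guid` example `{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}}` has an extra closing brace. The renamed `visit_count` row still reads "The total number of times the program has visited", which should be "has been visited". In the enum table below it, `unknown` gained a description but `other` is still blank, and the `Vocabulary Name: file-visit-type-enum` line is plain text while the reason vocabulary added in the same hunk uses the bold `**Vocabulary Name:**` form.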
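Review bot: In the reason-vocabulary hunk, the new `autorun` row has no description, unlike `mru` and `applog` added beside it, and `shellbags` is renamed to `shellbag` while the heading further down stays `### Shellbags`; pick one spelling for both. The context row "Support multiple language for software" should read "languages".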
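Review bot: In the RecentFileCache hunk that adds the `software` object, the CPE `cpe:2.3:o:microsoft:azure:-:*:*:*:*:*:*:*` names Azure, which contradicts `"name": "Windows"` and `"version": "7"` in the same object; a Windows 7 entry would use a `windows_7` product component, e.g. `cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*`. Since every later example references this same `software--a67ca75e-...` id as `created_by_software_ref`, the mismatch propagates to all of them.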
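Review bot: In the Shimcache hunk, the context line `"visit_type": "executed"` is not a value of `file-visit-type-enum`, whose execution value is `execution` (as the RecentFileCache, UserAssist and Prefetch examples use); it should be changed to `execution` while the object is being edited.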
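Review bot: In the Prefetch heading hunk, the context sentence "The Typeshows the chrome.exe-999b1ba.pf ..." is a leftover from an earlier search-and-replace of "Example" with "Type"; now that the headings drop "Type N:" entirely, it should read "The example shows ...", and the same fix applies to "The following Type descrbes" in the Shellbags hunk and "The following Type shows" in the Jumplist hunk. The same sentence also misspells `exeucted`, and the USNJournal hunk's context has `e.g..,`.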
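Review bot: In the Shellbags example hunk, `"visit_type": "read"` is not a value of `file-visit-type-enum`, which defines `reading`; the same `read` value appears in the Jumplist, Lnk, RMU and applog examples, so all five should become `reading` (or the enum should list `read`). Changing `reason` to `shellbag` here does match the renamed vocabulary value, but note the heading above it is still `Shellbags`.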
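Review bot: In the Lnk example hunk, the context line `"visit_file_ref": "file-8c33da4c-fb61-4658-b28c-a5c60f561d78"` uses a single hyphen, so it is not a valid STIX identifier and does not match the `file--8c33da4c-...` object it is meant to point at; it needs `file--`. The same single-hyphen reference is copied into both the RMU and applog examples added by this patch.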
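Review bot: In the RMU/applog hunk, the applog example does not match its own description: the prose says Google Drive logged the deletion of `happy_holiday.jpg`, but the event has `"visit_type": "read"`, `"reason": "rmu"` and points at a file named `(secret_project)_pricing_decision.xlsx`; it should use `deletion`, `applog` and a file object named `happy_holiday.jpg`. The new `software` object is named `"Windows"` with a Google Drive CPE and `"vendor": "Google"`, so `name` should be `Google Drive`. In the RMU example, `"reason": "rmu"` does not match the vocabulary value `mru` added earlier in the patch, and both examples keep the malformed `file-8c...` reference noted for the Lnk hunk. The applog file object reuses UUID `8cdbf030-89d9-48be-b733-5f4900706f0e` from the RMU event's id, which is legal but confusing in a sample bundle; a fresh UUID would be clearer.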