03.malware_hash.md


Malware Hash Example

A known malware hash with an associated course of action (COA); the COA carries an explicit copy of the indicator value so that endpoints can be scanned for it. The COA will delete any files with that hash that are present and will send a report about the attempted deletion.

{
  "type": "bundle",
  "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d",
  "spec_version": "2.1",
  "objects": [
    {
      "type": "identity",
      "name": "ACME Corp, Inc.",
      "identity_class": "organization",
      "id": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff"
    },
    {
      "type": "indicator",
      "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:03:48.000Z",
      "modified": "2016-04-06T20:03:48.000Z",
      "labels": [
        "Malicious Filehash"
      ],
      "name": "Bad File1",
      "description": "This indicator should be detected and deleted if present",
      "pattern": "[file:hashes.'SHA-256' = 'bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c' OR file:hashes.'MD5' = 'cead3f77f6cda6ec00f57d76c9a6879f']",
      "valid_from": "2016-01-01T00:00:00Z"
    },
    {
      "type": "course-of-action",
      "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
      "created": "2016-04-06T20:03:48.000Z",
      "modified": "2016-04-06T20:03:48.000Z",
      "name": "COA-Delete-Filehash",
      "description": "Delete files with the attached hash if any are present and report that deletion was attempted.",
      "action-steps": [
         {
           "type": "openc2",
           "name" : "1",
           "object": {
              "action": "delete",
              "target" : {
                "artifact": { 
                  "sha-256": "bf07a7fbb825fc0aae7bf4a1177b2b31fcf8a3feeaf7092761e18c859ee52a9c",
                  "md5": "cead3f77f6cda6ec00f57d76c9a6879f"
                 },
              }
              "target-options": {
                 "where": "endpoints",
              }
           }
        },
        {
           "type": "textual",
           "name" : "2",
           "value" : "Open/Update IT case with details on where the malicious files were found and that a delete was attempted."
        }
      ]
    },
    {
      "type": "relationship",
      "id": "relationship--b61fc7f5-db9d-46e0-9724-46b4e7ca496f",
      "created": "2016-04-06T20:03:48.000Z",
      "modified": "2016-04-06T20:03:48.000Z",
      "relationship_type": "remediates",
      "source_ref": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
      "target_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
    }
  ]
}