├── OpenIOC_Schema_Changelog.md
├── README.md
├── schemas
    └── ioc.xsd
├── LICENSE
├── iocterms
    └── eventitem.iocterms
├── IOC_Terms_Defs.md
└── OpenIOC_Terms_Changelog.md


/OpenIOC_Schema_Changelog.md:
--------------------------------------------------------------------------------
 1 | # Detailed Changelogs from IOC 1.0
 2 | 
 3 | ## License
 4 | 
 5 | Copyright 2013 Mandiant Corporation.  Licensed under the Apache 2.0 license.  
 6 | 
 7 | Mandiant licenses this file to you under the Apache License, Version
 8 | 2.0 (the "License"); you may not use this file except in compliance with the
 9 | License.  You may obtain a copy of the License at:
10 | 
11 |         http://www.apache.org/licenses/LICENSE-2.0
12 | 
13 | Unless required by applicable law or agreed to in writing, software
14 | distributed under the License is distributed on an "AS IS" BASIS,
15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
16 | implied.  See the License for the specific language governing
17 | permissions and limitations under the License.
18 | 
19 | ## Changes
20 | 
21 | 1. Restructured the XML. OpenIOC now has thee distinct sections
22 | 
23 |     1. metadata: Description, creator, dates... Metadata that pertains to the entire IOC.
24 | 
25 |     1. criteria: Everything that used to be `<definition>`. This is the part of the IOC that performs the actual matching.
26 | 
27 |     1. parameters: Additional section for providing arbitrary metadata on
28 |        specific <Indicator> and <IndicatorItem> elements.
29 | 
30 | 1. Removed IOCs requirement to respect Lucene behaviors.
31 | 
32 | 1. Added additional operators. Including the existing 'is' and 'contains', we
33 |     now have the following: The following operators are expected to perform as
34 |     they are described in XPath 2.0. Also, OpenIOC now respects Bool & Float variables in IOC terms files.
35 | 
36 |     ```
37 |                    String  Md5sum  IPAddr  Integer DateTime Bool  Float
38 |     is              yes     yes     yes     yes     yes      yes   yes
39 |     contains        yes     no      no      no      no       no    no
40 |     matches         yes     no      yes     no      no       no    no
41 |     starts-with     yes     no      no      no      no       no    no
42 |     ends-with       yes     no      no      no      no       no    no
43 |     greater-than    no      no      no      yes     yes      no    yes
44 |     less-than       no      no      no      yes     yes      no    yes
45 |     ```
46 | 
47 | 1. Moved operator negation out of the operator itself (isnot and containsnot) to its own
48 |     attribute `IndicatorItem/@negate=true|false`.
49 | 
50 | 1. Added case sensitivity `IndicatorItem/@preserve-case=true|false`.
51 | 
52 |     1. The behavior of `IndicatorItem/@preserve-case` should only apply to strings.  The table below states whether or not the given preserve-case value (true or false) is acceptable for a given content type.
53 | 
54 |         ```
55 |                        String  Md5sum  IPAddr  Integer DateTime Bool  Float
56 |         true            yes     no      no      no      no       no    no
57 |         false           yes     yes     yes     yes     yes      yes   yes
58 |         ```
59 |         
60 |     1. By default, the `IndicatorItem/@preserve-case` attribute should be set to 'false' when creating a IndicatorItem.
61 | 
62 |     1. The case sensitivity of a regular expression match, where `IndicatorItem/@condition='matches'`, should be determined by the `IndicatorItem/@preserve-case` term.
63 |     
64 | 1. `IndicatorItem/@id` is now a required item. Previously it was not, allowing for Items to not have ids and still validate.
65 |     
66 | 1. Added node context `Indicator/@node-context=xs:string`, this will allow for future ability to specify node-context to allow matches that consist of sibling or parent/child nodes that did not evaluate together properly in 1.0.
67 | 
68 | 1. `IndicatorItem/content` and `IndicatorItem/context` are now `minOccurs=1` -- this prevents items from existing without content or without context (this is important now that we allow you to specify context).
69 |     
70 | 1. Parameters now have two id attributes: `IOCParameter/@id` is a unique GUID to identify the parameter, and `IOCParameter/@ref-id` is used to show which element inside the IOC that specific parameter refers to.
71 | 
72 | 1. All attributes of parameters are required to keep blank/improper parameters from being created/retained.
73 | 
74 | 1. If you use a Link in the IOC metadata, the `rel` attribute is now required (i.e. there must actually be a link represented in the IOC xml, even if it is empty).
75 | 
76 | 2019-08-02  Matthew Dunwoody  <matthew d0t dunwoody a t mandiant d0t com>
77 | 
78 | 1. Added "platform" field, which contains a comma-delimited list of relevant/supported operating systems, e.g. "win,osx,linux".
79 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # OpenIOC 1.1 DRAFT -- README
  2 | 
  3 | ## Authors:
  4 | 
  5 | Copyright 2013 Mandiant Corporation.  Licensed under the Apache 2.0
  6 | license.  Developed for Mandiant by:
  7 | 
  8 | 
  9 |     David Ross
 10 |     Jason Shiffer
 11 |     Tony Dell
 12 |     William Gibb
 13 |     Doug Wilson
 14 | 
 15 | correspondence for the authors may be sent to openioc A T mandiant D O T com
 16 | 
 17 | 
 18 | ## License
 19 | 
 20 | The documents in this repository are made available under the terms of the
 21 | Apache License , Version 2.0. See the "LICENSE " file for more information.
 22 | 
 23 | ## Description
 24 | 
 25 | This repository contains a revised schema, iocterms file, and other supporting
 26 | documents which are the basis for a draft of a revised version of OpenIOC that we are
 27 | calling OpenIOC 1.1.
 28 | 
 29 | The updated OpenIOC 1.1 schema and a changelog are included. That changelog
 30 | details the changes in schema from OpenIOC 1.0. An updated set of iocterms
 31 | are included, as well as definitions of what selected commonly used terms mean.
 32 | 
 33 | We are publishing this draft as a means of garnering public comment. If you are
 34 | interested in commenting, please contact one of the authors, or join the OpenIOC
 35 | google group at https://groups.google.com/forum/#!forum/openioc 
 36 | 
 37 | A utility for working with OpenIOC 1.1 programmatically has been released at
 38 | https://github.com/mandiant/ioc_writer - Please go to that URL for more info.
 39 | 
 40 | An experimental version of the IOC Editor has been created for working with
 41 | OpenIOC 1.1. Please contact one of the authors if you are interested in
 42 | obtaining a copy of this tool.
 43 | 
 44 | ## What's new in OpenIOC 1.1?
 45 | 
 46 | A quick rundown of some of the changes:
 47 | 
 48 | An IOC under OpenIOC 1.1 has three distinct sections.
 49 | 
 50 |     1. Metadata - the traditional metadata header that contains metadata about
 51 |        the entire Indicator
 52 | 
 53 |     2. Criteria - the "matching" section -- a boolean logical evaluation that
 54 |        determines whether or not you have found evil, as defined by this specific 
 55 |        indicator.
 56 | 
 57 |     3. Parameters - This section is entirely new, although it houses the "comments"
 58 |        from OpenIOC 1.0 among other things. Parameters are assignable metadata,
 59 |        that can be applied to any element in the Criteria section of the IOC. The
 60 |        significance of the Parameters section will be discussed later.
 61 |     
 62 | We've moved away from unexpected behavior of operators that were due to OpenIOC 1.0
 63 | respecting Lucene. OpenIOC is usually used to generate Xpath expressions to query
 64 | data sources, so OpenIOC 1.1 operators behave as the would in Xpath 2.0. Please see the
 65 | changelog to see what operators we support.
 66 | 
 67 | In respecting Xpath operators, OpenIOC now supports regular expressions with the
 68 | "matches" operator. This feature is one that is still being heavily tested for
 69 | potential pros and cons. Additionally, negation now works the way that most users
 70 | will expect.
 71 | 
 72 | ## The Parameters Section
 73 | 
 74 | Parameters are metadata that can be assigned to any specific object within the
 75 | Criteria of an IOC. This may not sound like much, but it allows for application
 76 | specific logic or controls to be applied to an IOC, without muddying up the schema for
 77 | the matching or needing to be interwoven with the criteria section.
 78 | 
 79 | We've had many requests to add in various features that may only be of interest to
 80 | certain groups or industries, such as confidence scoring, release-to/data control
 81 | markings, sequences, and other features. Trying to build all of these in and allow
 82 | for all cases would create a schema bloated with features that are not fully fleshed
 83 | out yet, and that not everyone needs.
 84 | 
 85 | Parameters can be used to apply application or organization specific logic that can
 86 | then be passed along with the IOC, or restricted inside of a sharing boundary as
 87 | the creator sees fit.
 88 | 
 89 | With parameters, we are basically allowing folks to "roll their own" on some of the
 90 | features they want that are not included yet. We envision this as a test-ground for
 91 | new ideas and features -- and, if something seems to work well and be universally
 92 | needed, we can then consider adopting it into schema. Some ideas will just work
 93 | better living outside the matching/criteria section as parameters no matter what.
 94 | 
 95 | We feel that this solution allows flexibility and customization for different
 96 | organizational needs and workflows, while still providing for the standardization
 97 | needed for the Criteria section.
 98 | 
 99 | ## Per file descriptions
100 | 
101 | schemas/ioc.xsd - This is the XML schema document for OpenIOC 1.1.
102 | 
103 | OpenIOC_Schema_Changelog.md - This is a changelog for changes between
104 |         OpenIOC 1.0 and OpenIOC 1.1.
105 | 
106 | iocterms/current.iocterms - This is a .iocterms file, containing a list of IOC
107 |         Terms. This file can that can be used in the Windows IOC editor, IOCe.
108 | 
109 | OpenIOC_Terms_Changelog.md - This is a changlog for the current.iocterms file.
110 | 
111 | IOC_Terms_Defs.md - This document provides definitions and examples for what
112 |         some of the most commonly used IOC terms mean.
113 | 
114 | ## Files which are licensed under the Apache 2.0 License 
115 | 
116 | (see the LICENSE file for more information):
117 | 
118 |     Title                   Filename
119 |     =====                   ========
120 |     OpenIOC 1.1 Schema      schemas/ioc.xsd
121 |     Schema changelog        OpenIOC_Schema_Changelog.md
122 |     .iocterms file          iocterms/current.iocterms
123 |     iocterms changelog      OpenIOC_Terms_Changelog.txt
124 |     IOC Terms Definitions   IOC_Terms_Defs.md
125 | 


--------------------------------------------------------------------------------
/schemas/ioc.xsd:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <!--
  3 |     TITLE:          OpenIOC 1.1 Schema
  4 |     VERSION:        1.1 (draft)
  5 |     DESCRIPTION:    OpenIOC 1.1 Schema document, describing the structure of OpenIOC 1.1.
  6 |     LICENSE:        Copyright 2013 Mandiant Corporation.  Licensed under the Apache 2.0 license.  
  7 | 
  8 |     Mandiant licenses this file to you under the Apache License, Version
  9 |     2.0 (the "License"); you may not use this file except in compliance with the
 10 |     License.  You may obtain a copy of the License at:
 11 | 
 12 |             http://www.apache.org/licenses/LICENSE-2.0
 13 | 
 14 |     Unless required by applicable law or agreed to in writing, software
 15 |     distributed under the License is distributed on an "AS IS" BASIS,
 16 |     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 17 |     implied.  See the License for the specific language governing
 18 |     permissions and limitations under the License.
 19 | -->
 20 | <xs:schema xmlns:tns="http://openioc.org/schemas/OpenIOC_1.1" elementFormDefault="qualified" targetNamespace="http://openioc.org/schemas/OpenIOC_1.1" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 21 |   <xs:element name="OpenIOC" nillable="true" type="tns:IndicatorOfCompromise" />
 22 |   <xs:complexType name="IndicatorOfCompromise">
 23 |     <xs:sequence>
 24 |       <xs:element minOccurs="1" maxOccurs="1" name="metadata" type="tns:IOCMetadata" />
 25 |       <xs:element minOccurs="1" maxOccurs="1" name="criteria" type="tns:ArrayOfIocIndicator" />
 26 |       <xs:element minOccurs="0" maxOccurs="1" name="parameters" type="tns:ArrayOfIOCParameter" />
 27 |     </xs:sequence>
 28 |     <xs:attribute name="id" type="xs:string" use="required" />
 29 |     <xs:attribute name="last-modified" type="xs:dateTime" use="required" />
 30 |     <xs:attribute name="published-date" type="xs:dateTime" use="required" />
 31 |   </xs:complexType>
 32 |   <xs:complexType name="IOCMetadata">
 33 |     <xs:sequence>
 34 |       <xs:element minOccurs="0" maxOccurs="1" name="short_description" type="xs:string" />
 35 |       <xs:element minOccurs="0" maxOccurs="1" name="description" type="xs:string" />
 36 |       <xs:element minOccurs="0" maxOccurs="1" name="keywords" type="xs:string" />
 37 |       <xs:element minOccurs="0" maxOccurs="1" name="authored_by" type="xs:string" />
 38 |       <xs:element minOccurs="1" maxOccurs="1" name="authored_date" nillable="true" type="xs:dateTime" />
 39 |       <xs:element minOccurs="0" maxOccurs="1" name="links" type="tns:ArrayOfLink" />
 40 |     </xs:sequence>
 41 |   </xs:complexType>
 42 |   <xs:complexType name="ArrayOfLink">
 43 |     <xs:sequence>
 44 |       <xs:element minOccurs="0" maxOccurs="unbounded" name="link" nillable="true" type="tns:Link" />
 45 |     </xs:sequence>
 46 |   </xs:complexType>
 47 |   <xs:complexType name="Link" mixed="true">
 48 |     <xs:complexContent mixed="false">
 49 |       <xs:extension base="tns:Identity">
 50 |         <xs:attribute name="rel" type="xs:string" use="required"/>
 51 |         <xs:attribute name="title" type="xs:string" />
 52 |         <xs:attribute name="type" type="xs:string" />
 53 |       </xs:extension>
 54 |     </xs:complexContent>
 55 |   </xs:complexType>
 56 |   <xs:complexType name="Identity">
 57 |     <xs:attribute name="href" type="xs:string" />
 58 |   </xs:complexType>
 59 |   <xs:complexType name="ArrayOfIocIndicator">
 60 |     <xs:sequence>
 61 |       <xs:element minOccurs="1" maxOccurs="unbounded" name="Indicator" nillable="true" type="tns:IocIndicator" />
 62 |     </xs:sequence>
 63 |   </xs:complexType>
 64 |   <xs:complexType name="IocIndicator">
 65 |     <xs:sequence>
 66 |       <xs:element minOccurs="0" maxOccurs="unbounded" name="IndicatorItem" type="tns:IndicatorItem" />
 67 |       <xs:element minOccurs="0" maxOccurs="unbounded" name="Indicator" type="tns:IocIndicator" />
 68 |     </xs:sequence>
 69 |     <xs:attribute name="operator" type="tns:IocOperator" use="required" />
 70 |     <xs:attribute name="id" type="xs:string" use="required" />
 71 |     <xs:attribute name="node-context" type="xs:string" />
 72 |   </xs:complexType>
 73 |   <xs:complexType name="IndicatorItem">
 74 |     <xs:sequence>
 75 |       <xs:element minOccurs="1" maxOccurs="1" name="Context" type="tns:IndicatorItemContext" />
 76 |       <xs:element minOccurs="1" maxOccurs="1" name="Content" type="tns:IndicatorItemContent" />
 77 |     </xs:sequence>
 78 |     <xs:attribute name="id" type="xs:string" use="required" />
 79 |     <xs:attribute name="condition" type="tns:IndicatorItemCondition" use="required"/>
 80 |     <xs:attribute name="preserve-case" type="xs:boolean" use="required" />
 81 |     <xs:attribute name="negate" type="xs:boolean" use="required" />
 82 |   </xs:complexType>
 83 |   <xs:complexType name="IndicatorItemContext">
 84 |     <xs:attribute name="document" type="xs:string" />
 85 |     <xs:attribute name="search" type="xs:string" />
 86 |     <xs:attribute name="type" type="xs:string" />
 87 |   </xs:complexType>
 88 |   <xs:complexType name="IndicatorItemContent">
 89 |     <xs:simpleContent>
 90 |       <xs:extension base="xs:string">
 91 |         <xs:attribute name="type" type="xs:string" />
 92 |       </xs:extension>
 93 |     </xs:simpleContent>
 94 |   </xs:complexType>
 95 |   <xs:simpleType name="IndicatorItemCondition">
 96 |     <xs:restriction base="xs:string">
 97 |       <xs:enumeration value="is" />
 98 |       <xs:enumeration value="contains" />
 99 |       <xs:enumeration value="matches" />
100 |       <xs:enumeration value="starts-with" />
101 |       <xs:enumeration value="ends-with" />
102 |       <xs:enumeration value="greater-than" />
103 |       <xs:enumeration value="less-than" />
104 |     </xs:restriction>
105 |   </xs:simpleType>
106 |   <xs:simpleType name="IocOperator">
107 |     <xs:restriction base="xs:string">
108 |       <xs:enumeration value="OR" />
109 |       <xs:enumeration value="AND" />
110 |     </xs:restriction>
111 |   </xs:simpleType>
112 |   <xs:complexType name="ArrayOfIOCParameter">
113 |     <xs:sequence>
114 |       <xs:element minOccurs="0" maxOccurs="unbounded" name="param" nillable="true" type="tns:IOCParameter" />
115 |     </xs:sequence>
116 |   </xs:complexType>
117 |   <xs:complexType name="IOCParameter">
118 |     <xs:sequence>
119 |       <xs:element minOccurs="0" maxOccurs="1" name="value" type="tns:IndicatorItemContent" />
120 |     </xs:sequence>
121 |     <xs:attribute name="id" type="xs:string" use="required" />
122 |     <xs:attribute name="ref-id" type="xs:string" use="required" />
123 |     <xs:attribute name="name" type="xs:string" use="required" />
124 |   </xs:complexType>
125 | </xs:schema>


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | 
  2 |                                  Apache License
  3 |                            Version 2.0, January 2004
  4 |                         http://www.apache.org/licenses/
  5 | 
  6 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  7 | 
  8 |    1. Definitions.
  9 | 
 10 |       "License" shall mean the terms and conditions for use, reproduction,
 11 |       and distribution as defined by Sections 1 through 9 of this document.
 12 | 
 13 |       "Licensor" shall mean the copyright owner or entity authorized by
 14 |       the copyright owner that is granting the License.
 15 | 
 16 |       "Legal Entity" shall mean the union of the acting entity and all
 17 |       other entities that control, are controlled by, or are under common
 18 |       control with that entity. For the purposes of this definition,
 19 |       "control" means (i) the power, direct or indirect, to cause the
 20 |       direction or management of such entity, whether by contract or
 21 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 22 |       outstanding shares, or (iii) beneficial ownership of such entity.
 23 | 
 24 |       "You" (or "Your") shall mean an individual or Legal Entity
 25 |       exercising permissions granted by this License.
 26 | 
 27 |       "Source" form shall mean the preferred form for making modifications,
 28 |       including but not limited to software source code, documentation
 29 |       source, and configuration files.
 30 | 
 31 |       "Object" form shall mean any form resulting from mechanical
 32 |       transformation or translation of a Source form, including but
 33 |       not limited to compiled object code, generated documentation,
 34 |       and conversions to other media types.
 35 | 
 36 |       "Work" shall mean the work of authorship, whether in Source or
 37 |       Object form, made available under the License, as indicated by a
 38 |       copyright notice that is included in or attached to the work
 39 |       (an example is provided in the Appendix below).
 40 | 
 41 |       "Derivative Works" shall mean any work, whether in Source or Object
 42 |       form, that is based on (or derived from) the Work and for which the
 43 |       editorial revisions, annotations, elaborations, or other modifications
 44 |       represent, as a whole, an original work of authorship. For the purposes
 45 |       of this License, Derivative Works shall not include works that remain
 46 |       separable from, or merely link (or bind by name) to the interfaces of,
 47 |       the Work and Derivative Works thereof.
 48 | 
 49 |       "Contribution" shall mean any work of authorship, including
 50 |       the original version of the Work and any modifications or additions
 51 |       to that Work or Derivative Works thereof, that is intentionally
 52 |       submitted to Licensor for inclusion in the Work by the copyright owner
 53 |       or by an individual or Legal Entity authorized to submit on behalf of
 54 |       the copyright owner. For the purposes of this definition, "submitted"
 55 |       means any form of electronic, verbal, or written communication sent
 56 |       to the Licensor or its representatives, including but not limited to
 57 |       communication on electronic mailing lists, source code control systems,
 58 |       and issue tracking systems that are managed by, or on behalf of, the
 59 |       Licensor for the purpose of discussing and improving the Work, but
 60 |       excluding communication that is conspicuously marked or otherwise
 61 |       designated in writing by the copyright owner as "Not a Contribution."
 62 | 
 63 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 64 |       on behalf of whom a Contribution has been received by Licensor and
 65 |       subsequently incorporated within the Work.
 66 | 
 67 |    2. Grant of Copyright License. Subject to the terms and conditions of
 68 |       this License, each Contributor hereby grants to You a perpetual,
 69 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 70 |       copyright license to reproduce, prepare Derivative Works of,
 71 |       publicly display, publicly perform, sublicense, and distribute the
 72 |       Work and such Derivative Works in Source or Object form.
 73 | 
 74 |    3. Grant of Patent License. Subject to the terms and conditions of
 75 |       this License, each Contributor hereby grants to You a perpetual,
 76 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 77 |       (except as stated in this section) patent license to make, have made,
 78 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 79 |       where such license applies only to those patent claims licensable
 80 |       by such Contributor that are necessarily infringed by their
 81 |       Contribution(s) alone or by combination of their Contribution(s)
 82 |       with the Work to which such Contribution(s) was submitted. If You
 83 |       institute patent litigation against any entity (including a
 84 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 85 |       or a Contribution incorporated within the Work constitutes direct
 86 |       or contributory patent infringement, then any patent licenses
 87 |       granted to You under this License for that Work shall terminate
 88 |       as of the date such litigation is filed.
 89 | 
 90 |    4. Redistribution. You may reproduce and distribute copies of the
 91 |       Work or Derivative Works thereof in any medium, with or without
 92 |       modifications, and in Source or Object form, provided that You
 93 |       meet the following conditions:
 94 | 
 95 |       (a) You must give any other recipients of the Work or
 96 |           Derivative Works a copy of this License; and
 97 | 
 98 |       (b) You must cause any modified files to carry prominent notices
 99 |           stating that You changed the files; and
100 | 
101 |       (c) You must retain, in the Source form of any Derivative Works
102 |           that You distribute, all copyright, patent, trademark, and
103 |           attribution notices from the Source form of the Work,
104 |           excluding those notices that do not pertain to any part of
105 |           the Derivative Works; and
106 | 
107 |       (d) If the Work includes a "NOTICE" text file as part of its
108 |           distribution, then any Derivative Works that You distribute must
109 |           include a readable copy of the attribution notices contained
110 |           within such NOTICE file, excluding those notices that do not
111 |           pertain to any part of the Derivative Works, in at least one
112 |           of the following places: within a NOTICE text file distributed
113 |           as part of the Derivative Works; within the Source form or
114 |           documentation, if provided along with the Derivative Works; or,
115 |           within a display generated by the Derivative Works, if and
116 |           wherever such third-party notices normally appear. The contents
117 |           of the NOTICE file are for informational purposes only and
118 |           do not modify the License. You may add Your own attribution
119 |           notices within Derivative Works that You distribute, alongside
120 |           or as an addendum to the NOTICE text from the Work, provided
121 |           that such additional attribution notices cannot be construed
122 |           as modifying the License.
123 | 
124 |       You may add Your own copyright statement to Your modifications and
125 |       may provide additional or different license terms and conditions
126 |       for use, reproduction, or distribution of Your modifications, or
127 |       for any such Derivative Works as a whole, provided Your use,
128 |       reproduction, and distribution of the Work otherwise complies with
129 |       the conditions stated in this License.
130 | 
131 |    5. Submission of Contributions. Unless You explicitly state otherwise,
132 |       any Contribution intentionally submitted for inclusion in the Work
133 |       by You to the Licensor shall be under the terms and conditions of
134 |       this License, without any additional terms or conditions.
135 |       Notwithstanding the above, nothing herein shall supersede or modify
136 |       the terms of any separate license agreement you may have executed
137 |       with Licensor regarding such Contributions.
138 | 
139 |    6. Trademarks. This License does not grant permission to use the trade
140 |       names, trademarks, service marks, or product names of the Licensor,
141 |       except as required for reasonable and customary use in describing the
142 |       origin of the Work and reproducing the content of the NOTICE file.
143 | 
144 |    7. Disclaimer of Warranty. Unless required by applicable law or
145 |       agreed to in writing, Licensor provides the Work (and each
146 |       Contributor provides its Contributions) on an "AS IS" BASIS,
147 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 |       implied, including, without limitation, any warranties or conditions
149 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 |       PARTICULAR PURPOSE. You are solely responsible for determining the
151 |       appropriateness of using or redistributing the Work and assume any
152 |       risks associated with Your exercise of permissions under this License.
153 | 
154 |    8. Limitation of Liability. In no event and under no legal theory,
155 |       whether in tort (including negligence), contract, or otherwise,
156 |       unless required by applicable law (such as deliberate and grossly
157 |       negligent acts) or agreed to in writing, shall any Contributor be
158 |       liable to You for damages, including any direct, indirect, special,
159 |       incidental, or consequential damages of any character arising as a
160 |       result of this License or out of the use or inability to use the
161 |       Work (including but not limited to damages for loss of goodwill,
162 |       work stoppage, computer failure or malfunction, or any and all
163 |       other commercial damages or losses), even if such Contributor
164 |       has been advised of the possibility of such damages.
165 | 
166 |    9. Accepting Warranty or Additional Liability. While redistributing
167 |       the Work or Derivative Works thereof, You may choose to offer,
168 |       and charge a fee for, acceptance of support, warranty, indemnity,
169 |       or other liability obligations and/or rights consistent with this
170 |       License. However, in accepting such obligations, You may act only
171 |       on Your own behalf and on Your sole responsibility, not on behalf
172 |       of any other Contributor, and only if You agree to indemnify,
173 |       defend, and hold each Contributor harmless for any liability
174 |       incurred by, or claims asserted against, such Contributor by reason
175 |       of your accepting any such warranty or additional liability.
176 | 
177 |    END OF TERMS AND CONDITIONS
178 | 
179 | APPENDIX: How to apply the Apache License to your work.
180 | 
181 |       To apply the Apache License to your work, attach the following
182 |       boilerplate notice, with the fields enclosed by brackets "[]"
183 |       replaced with your own identifying information. (Don't include
184 |       the brackets!)  The text should be enclosed in the appropriate
185 |       comment syntax for the file format. We also recommend that a
186 |       file or class name and description of purpose be included on the
187 |       same "printed page" as the copyright notice for easier
188 |       identification within third-party archives.
189 | 
190 |    Copyright [yyyy] [name of copyright owner]
191 | 
192 |    Licensed under the Apache License, Version 2.0 (the "License");
193 |    you may not use this file except in compliance with the License.
194 |    You may obtain a copy of the License at
195 | 
196 |        http://www.apache.org/licenses/LICENSE-2.0
197 | 
198 |    Unless required by applicable law or agreed to in writing, software
199 |    distributed under the License is distributed on an "AS IS" BASIS,
200 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 |    See the License for the specific language governing permissions and
202 |    limitations under the License.


--------------------------------------------------------------------------------
/iocterms/eventitem.iocterms:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="us-ascii"?>
 2 | <ioctermlist xmlns="http://openioc.org/schemas/OpenIOC_1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" last-modified="2020-11-06T21:44:13Z">
 3 |   <iocterm text="dnsLookupEvent/hostname" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="DNS Lookup Event Hostname [Win] [OSX]" platform="win,osx"/>
 4 |   <iocterm text="dnsLookupEvent/pid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="DNS Lookup Event Process ID [Win] [OSX]" platform="win,osx"/>
 5 |   <iocterm text="dnsLookupEvent/process" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="DNS Lookup Event Process Name [Win] [OSX]" platform="win,osx"/>
 6 |   <iocterm text="dnsLookupEvent/processPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="DNS Lookup Event Process Path [Win] [OSX]" platform="win,osx"/>
 7 |   <iocterm text="dnsLookupEvent/username" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="DNS Lookup Event Username [Win] [OSX]" platform="win,osx"/>
 8 |   <iocterm text="imageLoadEvent/fullPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Image Load Event Full Path [Win] [OSX]" platform="win,osx"/>
 9 |   <iocterm text="imageLoadEvent/filePath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Image Load Event File Path [Win] [OSX]" platform="win,osx"/>
10 |   <iocterm text="imageLoadEvent/drive" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Image Load Event Drive [Win]" platform="win"/>
11 |   <iocterm text="imageLoadEvent/fileName" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Image Load Event Filename [Win] [OSX]" platform="win,osx"/>
12 |   <iocterm text="imageLoadEvent/fileExtension" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Image Load Event File Extension [Win] [OSX]" platform="win,osx"/>
13 |   <iocterm text="imageLoadEvent/devicePath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Image Load Event DevicePath [Win] [OSX]" platform="win,osx"/>
14 |   <iocterm text="imageLoadEvent/pid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="Image Load Event Process ID [Win] [OSX]" platform="win,osx"/>
15 |   <iocterm text="imageLoadEvent/username" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Image Load Event Username [Win] [OSX]" platform="win,osx"/>
16 |   <iocterm text="imageLoadEvent/parentPid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="Image Load Event Parent Pid [Win] [OSX]" platform="win,osx"/>
17 |   <iocterm text="imageLoadEvent/process" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Image Load Event Process Name [Win] [OSX]" platform="win,osx"/>
18 |   <iocterm text="imageLoadEvent/processPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Image Load Event Process Path [Win] [OSX]" platform="win,osx"/>
19 |   <iocterm text="processEvent/eventType" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Process Event Type" platform="win,osx,linux"/>
20 |   <iocterm text="processEvent/pid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="Process Event PID" platform="win,osx,linux"/>
21 |   <iocterm text="processEvent/processPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Process Event Path" platform="win,osx,linux"/>
22 |   <iocterm text="processEvent/process" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Process Event Name" platform="win,osx,linux"/>
23 |   <iocterm text="processEvent/parentPid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="Process Event Parent Process PID" platform="win,osx,linux"/>
24 |   <iocterm text="processEvent/parentProcessPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Process Event Parent Path" platform="win,osx,linux"/>
25 |   <iocterm text="processEvent/parentProcess" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Process Event Parent Process Name" platform="win,osx,linux"/>
26 |   <iocterm text="processEvent/username" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Process Event Username" platform="win,osx,linux"/>
27 |   <iocterm text="processEvent/startTime" display-type="date" data-type="xs:dateTime" term-source="application/vnd.mandiant.event" title="Process Event Start Time" platform="win,osx,linux"/>
28 |   <iocterm text="processEvent/md5" display-type="md5" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Process Event MD5" platform="win,osx,linux"/>
29 |   <iocterm text="processEvent/processCmdLine" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Process Event Command Line" platform="win,osx,linux"/>
30 |   <iocterm text="ipv4NetworkEvent/remoteIP" display-type="IP" data-type="xs:string" term-source="application/vnd.mandiant.event" title="IPv4 Network Connection Event Remote IP" platform="win,osx,linux"/>
31 |   <iocterm text="ipv4NetworkEvent/remotePort" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="IPv4 Network Connection Event Remote Port" platform="win,osx,linux"/>
32 |   <iocterm text="ipv4NetworkEvent/localIP" display-type="IP" data-type="xs:string" term-source="application/vnd.mandiant.event" title="IPv4 Network Connection Event Local IP" platform="win,osx,linux"/>
33 |   <iocterm text="ipv4NetworkEvent/localPort" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="IPv4 Network Connection Event Local Port" platform="win,osx,linux"/>
34 |   <iocterm text="ipv4NetworkEvent/protocol" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="IPv4 Network Connection Event Protocol" platform="win,osx,linux"/>
35 |   <iocterm text="ipv4NetworkEvent/pid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="IPv4 Network Connection Event Process ID" platform="win,osx,linux"/>
36 |   <iocterm text="ipv4NetworkEvent/process" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="IPv4 Network Connection Event Process Name" platform="win,osx,linux"/>
37 |   <iocterm text="ipv4NetworkEvent/processPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="IPv4 Network Connection Event Process Path" platform="win,osx,linux"/>
38 |   <iocterm text="ipv4NetworkEvent/username" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="IPv4 Network Connection Event Username" platform="win,osx,linux"/>
39 |   <iocterm text="fileWriteEvent/fullPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Full Path [Win] [OSX]" platform="win,osx"/>
40 |   <iocterm text="fileWriteEvent/filePath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event File Path [Win] [OSX]" platform="win,osx"/>
41 |   <iocterm text="fileWriteEvent/drive" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Drive [Win]" platform="win"/>
42 |   <iocterm text="fileWriteEvent/fileName" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event File Name [Win] [OSX]" platform="win,osx"/>
43 |   <iocterm text="fileWriteEvent/fileExtension" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Extension [Win] [OSX]" platform="win,osx"/>
44 |   <iocterm text="fileWriteEvent/devicePath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Device Path [Win] [OSX]" platform="win,osx"/>
45 |   <iocterm text="fileWriteEvent/pid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="File Write Event Process ID [Win] [OSX]" platform="win,osx"/>
46 |   <iocterm text="fileWriteEvent/process" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Process Name [Win] [OSX]" platform="win,osx"/>
47 |   <iocterm text="fileWriteEvent/processPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Process Path [Win] [OSX]" platform="win,osx"/>
48 |   <iocterm text="fileWriteEvent/writes" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="File Write Event Number of Writes [Win]" platform="win"/>
49 |   <iocterm text="fileWriteEvent/numBytesSeenWritten" display-type="double" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Number of Bytes Seen Written [Win]" platform="win"/>
50 |   <iocterm text="fileWriteEvent/lowestFileOffsetSeen" display-type="uint64" data-type="xs:uint64" term-source="application/vnd.mandiant.event" title="File Write Event Lowest Write Offset [Win]" platform="win"/>
51 |   <iocterm text="fileWriteEvent/dataAtLowestOffset" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Data at Lowest Offset (Base64) [Win]" platform="win"/>
52 |   <iocterm text="fileWriteEvent/textAtLowestOffset" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Text at Lowest Offset [Win]" platform="win"/>
53 |   <iocterm text="fileWriteEvent/closed" display-type="bool" data-type="xs:boolean" term-source="application/vnd.mandiant.event" title="File Write Event Closed [Win] [OSX]" platform="win,osx"/>
54 |   <iocterm text="fileWriteEvent/size" display-type="double" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Size on Disk [Win] [OSX]" platform="win,osx"/>
55 |   <iocterm text="fileWriteEvent/md5" display-type="md5" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event MD5 [Win] [OSX]" platform="win,osx"/>
56 |   <iocterm text="fileWriteEvent/username" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Event Username [Win] [OSX]" platform="win,osx"/>
57 |   <iocterm text="fileWriteEvent/parentProcessPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Parent Process Path [Win]" platform="win"/>
58 |   <iocterm text="fileWriteEvent/parentPid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="File Write Parent Pid [Win]" platform="win"/>
59 |   <iocterm text="fileWriteEvent/openTime" display-type="date" data-type="xs:dateTime" term-source="application/vnd.mandiant.event" title="File Write Open Time [Win]" platform="win"/>
60 |   <iocterm text="fileWriteEvent/openDuration" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Open Duration [Win]" platform="win"/>
61 |   <iocterm text="fileWriteEvent/eventReason" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="File Write Reason [Win]" platform="win"/>
62 |   <iocterm text="urlMonitorEvent/hostname" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="URL Request Event Hostname [Win] [OSX]" platform="win,osx"/>
63 |   <iocterm text="urlMonitorEvent/requestUrl" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="URL Request Event Url [Win] [OSX]" platform="win,osx"/>
64 |   <iocterm text="urlMonitorEvent/urlMethod" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="URL Request Event Method [Win] [OSX]" platform="win,osx"/>
65 |   <iocterm text="urlMonitorEvent/userAgent" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="URL Request Event User Agent [Win] [OSX]" platform="win,osx"/>
66 |   <iocterm text="urlMonitorEvent/httpHeader" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="URL Request Event HTTP Header [Win] [OSX]" platform="win,osx"/>
67 |   <iocterm text="urlMonitorEvent/remoteIpAddress" display-type="IP" data-type="xs:string" term-source="application/vnd.mandiant.event" title="URL Request Event Remote IP Address [Win] [OSX]" platform="win,osx"/>
68 |   <iocterm text="urlMonitorEvent/remotePort" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="URL Request Event Remote Port [Win] [OSX]" platform="win,osx"/>
69 |   <iocterm text="urlMonitorEvent/localPort" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="URL Request Event Local Port [Win] [OSX]" platform="win,osx"/>
70 |   <iocterm text="urlMonitorEvent/pid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="URL Request Event PID [Win] [OSX]" platform="win,osx"/>
71 |   <iocterm text="urlMonitorEvent/process" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="URL Request Event Process [Win] [OSX]" platform="win,osx"/>
72 |   <iocterm text="urlMonitorEvent/processPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="URL Request Event Process Path [Win] [OSX]" platform="win,osx"/>
73 |   <iocterm text="urlMonitorEvent/username" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="URL Request Event Username [Win] [OSX]" platform="win,osx"/>
74 |   <iocterm text="regKeyEvent/hive" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event Hive [Win]" platform="win"/>
75 |   <iocterm text="regKeyEvent/keyPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event KeyPath [Win]" platform="win"/>
76 |   <iocterm text="regKeyEvent/path" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event Path [Win]" platform="win"/>
77 |   <iocterm text="regKeyEvent/originalPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event Original Path [Win]" platform="win"/>
78 |   <iocterm text="regKeyEvent/eventType" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="Registry Event Event Type [Win]" platform="win"/>
79 |   <iocterm text="regKeyEvent/pid" display-type="int" data-type="xs:int" term-source="application/vnd.mandiant.event" title="Registry Event Process ID [Win]" platform="win"/>
80 |   <iocterm text="regKeyEvent/process" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event Process Name [Win]" platform="win"/>
81 |   <iocterm text="regKeyEvent/processPath" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event Process Path [Win]" platform="win"/>
82 |   <iocterm text="regKeyEvent/valueName" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event ValueName [Win]" platform="win"/>
83 |   <iocterm text="regKeyEvent/valueType" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event Type [Win]" platform="win"/>
84 |   <iocterm text="regKeyEvent/value" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event Value (Base64) [Win]" platform="win"/>
85 |   <iocterm text="regKeyEvent/text" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event Text [Win]" platform="win"/>
86 |   <iocterm text="regKeyEvent/username" display-type="string" data-type="xs:string" term-source="application/vnd.mandiant.event" title="Registry Event Username [Win]" platform="win"/>
87 |   <iocterm text="addressNotificationEvent/address" display-type="IP" data-type="xs:string" term-source="application/vnd.mandiant.event" title="IP Address Change Event IP [Win] [OSX]" platform="win,osx"/>
88 | </ioctermlist>


--------------------------------------------------------------------------------
/IOC_Terms_Defs.md:
--------------------------------------------------------------------------------
  1 | # IOC Terms Definitions
  2 | 
  3 | ## License
  4 | 
  5 | Copyright 2013 Mandiant Corporation.  Licensed under the Apache 2.0 license.  
  6 | 
  7 | Mandiant licenses this file to you under the Apache License, Version
  8 | 2.0 (the "License"); you may not use this file except in compliance with the
  9 | License.  You may obtain a copy of the License at:
 10 | 
 11 |         http://www.apache.org/licenses/LICENSE-2.0
 12 | 
 13 | Unless required by applicable law or agreed to in writing, software
 14 | distributed under the License is distributed on an "AS IS" BASIS,
 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 16 | implied.  See the License for the specific language governing
 17 | permissions and limitations under the License.
 18 | 
 19 | ## Purpose
 20 | 
 21 | This document provides definitions for some IOC terms found in the iocterms files provided with the OpenIOC schema.
 22 | 
 23 | More information on OpenIOC can be found at OpenIOC.org
 24 | 
 25 | 
 26 | ## Terms
 27 | 
 28 | ### DNS Host
 29 | 
 30 | Audit Group & Name: DnsEntryItem/Host
 31 | 
 32 | Definition: The DnsEntryItem/Host is the cached host value of an attempted DNS lookup. This is stored locally in the host’s DNS cache, but only for a short period of time. 
 33 | 
 34 | Example:
 35 | 
 36 |     DNS Host contains "evildomain.com"
 37 | 
 38 | Use in an IOC: Use this term to find malicious hostnames that an infected host attempted to resolve, or to record hostnames for malware found in additional analysis.
 39 | 
 40 | Related Terms:
 41 | 
 42 |     Other network terms
 43 | 
 44 | 
 45 | 
 46 | ### EventLog Message
 47 | 
 48 | Audit Group & Name: EventLogItem/message
 49 | 
 50 | Definition: This is the formatted event log message text that comes from Windows’ standard event logs. It may contain Tab and NewLine characters in it. The text varies and could be user logs, schedule tasks, service installations, and antivirus events, etc.
 51 | 
 52 | Example:
 53 | 
 54 |     EventLog Message contains ‘PSEXEC SERVICE service was successfully sent a start control’
 55 | 
 56 | Use in an IOC: Often used after initial sweeping to conduct further investigation, or to identify specific events created by some specific types of malicious tools or malware.
 57 | 
 58 | Related Terms:
 59 | 
 60 |     EventLog ID
 61 |     EventLog GenTime
 62 | 
 63 | 
 64 | 
 65 | ### File ADS Name
 66 | 
 67 | Audit Group & Name: FileItem/StreamList/Stream/Name
 68 | 
 69 | Definition: Looks for alternate data streams associated with files on a disk. This term is the name of a file contained in an Alternate Data Stream on an NTFS file system that is attached to the end of a file. The name does not include the parent filename.
 70 | 
 71 | Example:
 72 | 
 73 |     File ADS Name is "evilhiddenfile"
 74 |     File ADS Name contains "evil"
 75 | 
 76 | Use in an IOC: Use this term to match filenames of files contained in alternate data streams, when you are looking for a particular stream.
 77 | 
 78 | Related Terms:
 79 | 
 80 |     File Name
 81 |     File Full Path
 82 |     Other File Attributes
 83 | 
 84 | 
 85 | 
 86 | ### File Compile Time
 87 | 
 88 | Audit Group & Name: FileItem/PEInfo/PETimeStamp
 89 | 
 90 | Definition: This term describes an attribute of a Windows PE files that shows a timestamp of when the file was compiled. It uses the ISO 8601 format for date & time, based off of Zulu time zone. It can also describe a range between two times.
 91 | 
 92 | Example:
 93 | 
 94 |     File Compile Time is "2011-04-20T10:28:55Z"
 95 |     File Compile Time is "2011-04-20T10:28:55Z TO 2012-12-14T19:09:00Z"
 96 | 
 97 | Use in an IOC: You can use this to determine what files have been recently compiled, compiled at a specific time, or compiled during a range of times. This can detect recently compiled files, or help find anomalies against other file timestamp information.
 98 | 
 99 | Related Terms:
100 | 
101 |     File Created Time
102 |     File Modified Time
103 |     Other FileItem terms for constraining matches.
104 | 
105 | 
106 | 
107 | ### File DLL Export Name
108 | 
109 | Audit Group & Name: FileItem/PEInfo/Exports/DllName
110 | 
111 | Definition: The name of the library that a function in the DLL export table is exported from.
112 | 
113 | Example:
114 | 
115 |     File DLL Export Name is "evildll.dll"
116 | 
117 | Use in an IOC: Use this IOC term to match malicious filename in the DLL export table. May be used in conjunction with other File terms to narrow down results
118 | 
119 | Related Terms:
120 | 
121 |     File Export Function
122 |     File Export Count
123 |     File Full Path
124 |     File Name
125 |     File Import Function
126 | 
127 | 
128 | 
129 | ### File Export Count
130 | 
131 | Audit Group & Name: FileItem/PEInfo/Exports/NumberOfFunctions
132 | 
133 | Definition: The number of exported functions published by a given DLL.
134 | 
135 | Example:
136 | 
137 |     File Export Count is "5"
138 | 
139 | Use in an IOC: Used to narrow down potential DLLs that other PEInfo functions are applied to, or identify DLLs with unusual numbers of functions (very large or very small)
140 | 
141 | Related Terms:
142 | 
143 |     File DLL Export Name
144 |     File Export Function
145 |     Other FileItem terms
146 | 
147 | 
148 | 
149 | ### File Export Function
150 | 
151 | Audit Group & Name: FileItem/PEInfo/Exports/ExportedFunctions/string
152 | 
153 | Definition: File Export Functions are functions in a Windows PE that are advertised so they can be called by other modules in other executables. They are listed in the PE File that offers them, usually by name. They are usually in DLLs, rarely in EXEs.
154 | 
155 | Example:
156 | 
157 |     File Export Function is "UnServiceInstall"
158 | 
159 | Use in an IOC: This term may be used to look for exports in files that do not usually have exports, or for unique exports in files that are specific to malicious tools, or combinations of exports that are specific to malicious software.
160 | 
161 | Related Terms:
162 | 
163 |     File Dll Export Name
164 |     File Export Count
165 |     Other FileItem terms for constraining matches.
166 | 
167 | 
168 | 
169 | ### File Extension
170 | 
171 | Audit Group & Name: FileItem/FileExtension
172 | 
173 | Definition: The suffix of a file name that typically indicates the type of file it is (such as .exe).  This is derived from the filename itself, and is not indicative of whether or not a file is actually the type that it claims to be.
174 | 
175 | Example:
176 | 
177 |     File Extension is "exe"
178 |     Not File Extension is "dll"
179 | 
180 | Use in an IOC: This term is usually used with other file item terms to help include or exclude certain types of files.
181 | 
182 | Related Terms:
183 | 
184 |     File PE Type
185 |     Other FileItem terms
186 | 
187 | 
188 | 
189 | ### File Full Path
190 | 
191 | Audit Group & Name: FileItem/FullPath
192 | 
193 | Definition: The File Full Path shows the entire path to a file from the root of the drive partition it is on, including the drive designation and the file extension.
194 | 
195 | Example:
196 | 
197 |     File Full Path is "C:\Windows\System32\autocheck.exe"
198 |     File Full Path contains "AppData\log.txt"
199 | 
200 | 
201 | Use in an IOC: Use of this term allows you to specify the exact path of where you expect to find a file, including the drive designation and the name of the file. It is usually used with the "contains" operator since it is so specific, but can be used with "is" when you want to specify an exact location. It is used less often than File Path, and is limited because it is so specific.
202 | 
203 | Related Terms:
204 | 
205 |     File Path
206 |     File Name
207 |     Other FileItem terms for constraining matches.
208 | 
209 | 
210 | 
211 | ### File Import Function
212 | 
213 | Audit Group & Name: FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string
214 | 
215 | Definition: File Import Functions are functions called in other code modules by a Windows PE file when it executes. They are listed in the PE File that requires them, usually by name.
216 | 
217 | Example:
218 | 
219 |     File Import Function is "expungeconsolecommandhistoryw"
220 | 
221 | Use in an IOC: File Import Function can be used to find uniquely named functions or specific groups of functions used by attackers. Non-unique function names or groups of functions that are too generic can lead to false positives. Be careful when using with small groups of functions that might be called by normal windows programs.
222 | 
223 | Related Terms:
224 | 
225 |     File Import Name
226 |     Other FileItem terms for constraining matches.
227 | 
228 | 
229 | 
230 | ### File Import Name
231 | 
232 | Audit Group & Name: FileItem/PEInfo/ImportedModules/Module/Name
233 | 
234 | Definition: This Term indicates the name of DLLs that imported functions are called from. Imported functions are capabilities that are imported from other DLLs rather than being in the binary itself.
235 | 
236 | Example:
237 | 
238 |     File Import Name is "evildll.dll"
239 |     Not File Import Name is "kernel32.dll"
240 | 
241 | Use in an IOC: Use with File Import Function to specify combinations of DLLs that imports are called from by a file and the imports themselves. Also, use this term to remove false positives by excluding legitimate files.
242 | 
243 | Related Terms:
244 | 
245 |     File Import Function
246 | 
247 | 
248 | 
249 | ### File MD5
250 | 
251 | Audit Group & Name: FileItem/MD5Sum
252 | 
253 | Definition: File MD5 is the MD5 checksum of a file. This value is derived from using the MD5 cryptographic algorithm to determine a unique fingerprint for the file.
254 | 
255 | Example:
256 | 
257 |     File MD5 is "e4d909c290d0fb1ca068ffaddf22cbd0"
258 | 
259 | Use in an IOC: MD5 is used to match exact instances of a file. Aside from very rare cases, if you match on the MD5 of a file, you can assume it is the exact file that you have seen before. MD5 alone should not be relied upon for anything other than that use case.
260 | 
261 | Related Terms:
262 | 
263 |     Other FileItem terms for constraining matches.
264 | 
265 | 
266 | 
267 | ### File Name
268 | 
269 | Audit Group & Name: FileItem/FileName
270 | 
271 | Definition: File Name is the name attribute of a file saved on disk.
272 | 
273 | Example:
274 | 
275 |     File Name is "foo.exe"
276 | 
277 | Use in an IOC: File Name is used to match the names of specific files. File names are highly mutable by attackers, so File Name should ONLY ever be used with other file attributes, unless the file name is extremely unusual or truly unique. Even then, other attributes of the file should be captured if possible.
278 | 
279 | Related Terms:
280 | 
281 |     File Size
282 |     File Compile Time
283 |     Other FileItem terms for constraining matches.
284 | 
285 | 
286 | 
287 | ### File Path
288 | 
289 | Audit Group & Name: FileItem/FilePath
290 | 
291 | Definition: This term is the path to where a file resides on a file system starting from the root of the drive, but does not include the drive designation or the file name. This term also does not include trailing or following slashes or backslashes.
292 | 
293 | Example:
294 | 
295 |     File Path contains "Windows\System32"
296 |     File Path is "Recycler"
297 | 
298 | Use in an IOC: Use of this term allows you to specify the path to a file, in a less specific manner than File Full Path. File Path is not specific to a drive designation, nor a specific file, thus allowing for more flexible matching trying to find files in specific locations.
299 | 
300 | Related Terms:
301 | 
302 |     File Full Path
303 |     Other FileItem terms for constraining matches.
304 | 
305 | 
306 | 
307 | ### File PE Detected Anomalies
308 | 
309 | Audit Group & Name: FileItem/PEInfo/DetectedAnomalies/string
310 | 
311 | Definition: This term indicates that there is an anomaly with the structure of a Windows PE file. Values returned for this are detailed in the MIR User Guide, Appendix I.
312 | 
313 | Example:
314 | 
315 |     File Detected Anomalies contains "contains_eof_data"
316 | 
317 | Use in an IOC: Some anomalies can be innocent, and just a result of faulty or benign code, and are best combined with other factors to identify specific pieces of malware that contain said anomalies. Other anomalies are much more likely to be malicious, such as contains_eof_data.
318 | 
319 | Related Terms:
320 | 
321 |     File Import Function
322 |     File Export Function
323 |     Other FileItem terms for constraining matches.
324 | 
325 | 
326 | 
327 | ### File PE Type
328 | 
329 | Audit Group & Name: FileItem/PEInfo/Type
330 | 
331 | Definition: This indicates whether a PE file is an executable or DLL by looking at the actual file header instead of the file extension.
332 | 
333 | Example:
334 | 
335 |     AND
336 |         File PE Type is "DLL"
337 |         File Name is "Evil.txt"
338 | 
339 |     AND
340 |         File PE Type is "executable"
341 |         Not File Extension is "exe"
342 | 
343 | Use in an IOC: Use this term to match the value of the PE Type from an executable file’s PE header. It is a way of searching for seemingly innocent files that may actually be mislabeled .dll or .exe files.
344 | 
345 | Related Terms:
346 | 
347 |     File Extension
348 | 
349 | 
350 | 
351 | ### File Section Name
352 | 
353 | Audit Group & Name: FileItem/PEInfo/Sections/Section/Name
354 | 
355 | Definition: This is a named section of a Windows PE file.  These represent code or data portions of a PE file.
356 | 
357 | Example:
358 | 
359 |     File Section Name contains ".code"
360 |     File Section Name contains ".data"
361 |     File Section Name contains ".upx1"
362 | 
363 | Use in an IOC: Use this term to identify files with uncommon or unique section names within an environment.
364 | 
365 | Related Terms:
366 | 
367 |     Other FileItem terms
368 | 
369 | 
370 | 
371 | ### File Size
372 | 
373 | Audit Group & Name: FileItem/SizeInBytes
374 | 
375 | Definition: The File Size is the size of a file represented in number of bytes. It can be a number or a range
376 | 
377 | Example:
378 | 
379 |     File Size is "12300"
380 |     File Size is "101000 TO 120000"
381 | 
382 | Use in an IOC: File Size is used with other file operators to indicate specific instances of a file. It can be used to distinguish between two files with the same name (that are actually different files) or in conjunction with other file attributes to show recurrence of the same file.
383 | 
384 | Related Terms:
385 | 
386 |     File Name
387 |     File Compile Time
388 |     Other FileItem terms for constraining matches.
389 | 
390 | 
391 | 
392 | ### File Strings
393 | 
394 | Audit Group & Name: FileItem/StringList/string
395 | 
396 | Definition: A string found within a file.
397 | 
398 | Example:
399 | 
400 |     File Strings contains "xyzpdq13"
401 | 
402 | Use in an IOC: This term is used to match against unique strings in malicious files. It may be for informational purposes or further investigation versus an initial hit, as a strings audit is very time consuming to conduct. Very unique strings often are strong enough to stand alone at the top level of an indicator.
403 | 
404 | Related Terms:
405 | 
406 |     Other FileItem Terms
407 | 
408 | 
409 | 
410 | ### Network DNS
411 | 
412 | Audit Group & Name: Network/DNS
413 | 
414 | Definition: This is the FQDN of a DNS lookup. This is for informational purposes, and is not found in MIR audits.
415 | 
416 | Example:
417 | 
418 |     DNS is "www.malwaredomain.com"
419 |     DNS contains "malwaredomain.com"
420 | 
421 | Use in an IOC: This term is used mainly for reference, so that the context of DNS entries observed in the course of an investigation can be communicated to future consumers of the IOC.
422 | 
423 | Related Terms:
424 | 
425 |     Other Network Items
426 | 
427 | 
428 | 
429 | ### Network String URI
430 | 
431 | Audit Group & Name: Network/URI
432 | 
433 | Definition: The URI portion of an HTTP or related network request.
434 | 
435 | Example:
436 | 
437 |     Network String URI contains "/cgi_bin/evil.php"
438 | 
439 | Use in an IOC: Used for reference to identify network communication strings.
440 | 
441 | Related Terms:
442 | 
443 |     Other Network terms
444 | 
445 |     
446 | 
447 | ### Prefetch Accessed File
448 | 
449 | Audit Group & Name: PrefetchItem/AccessedFileList/AccessedFile
450 | 
451 | Definition: A full path to a file found in the prefetch list created by Windows. This list is of files that are commonly used or accessed, and may additionally show when a particular executable was launched. The prefetch list is stored in a subfolder of the Windows system folder.
452 | 
453 | Example:
454 | 
455 |     Prefetch Accessed File is "C:\WINDOWS\system32\evil.dll"
456 |     Prefetch Accessed File contains "evil.exe"
457 | 
458 | Use in an IOC: Use this term to find files accessed by programs executed on the system. If malware consists of a collection of files, but only one of them is actually executed while others are just accessed, this term might be useful to find the accessed file.
459 | 
460 | Related Terms:
461 | 
462 |     FileItem/FullPath
463 |     FileItem/FileName
464 |     FileItem/Path
465 |     PrefetchItem/ApplicationFullPath
466 | 
467 | 
468 | 
469 | ### Prefetch Application Full Path
470 | 
471 | Audit Group & Name: PrefetchItem/ApplicationFullPath
472 | 
473 | Definition: This is the full path, including drive letter and directories, of an executable for which a prefetch file was created after that file was executed by the operating system.
474 | 
475 | Example:
476 | 
477 |     Prefetch Application Full Path is "C:\temp\malware.exe"
478 |     Prefetch Application Full Path contains "malware.exe"
479 | 
480 | Use in an IOC: Use this term to find malicious filenames or paths of executables that ran on a system and created prefetch entries. You can use this term to look for instances of malware named the same as a normal file, but in the wrong directory by looking at the full path.
481 | 
482 | Related Terms:
483 | 
484 |     File Full Path
485 |     File Name
486 |     File Path
487 |     Prefetch File Executed
488 |     Prefetch Accessed File
489 | 
490 | 
491 | 
492 | ### Prefetch File Executed
493 | 
494 | Audit Group & Name: PrefetchItem/ApplicationFileName
495 | 
496 | Definition: This is the name of an executable for which Windows created a prefetch file for after execution. The term does not include the full path, just the name of the file.
497 | 
498 | Example:
499 | 
500 |     Prefetch File Executed is "blah.exe"
501 |     Prefetch File Executed contains "blah.exe"
502 |     Prefetch File Executed contains "blah"
503 | 
504 | Use in an IOC: Use this term to find malicious filenames of executables that ran on a system and had prefetch entries created.
505 | 
506 | Related Terms:
507 | 
508 |     File Full Path
509 |     File Name
510 |     File Path
511 |     Prefetch Application Full Path
512 |     Prefetch Accessed File
513 | 
514 |  
515 | 
516 | ### Port Remote IP
517 | 
518 | Audit Group & Name: PortItem/RemoteIP
519 | 
520 | Definition: The Port Remote IP is any remote IP address that is communicating with the Windows host that is captured in real-time when an audit is run. This is reported in the TP/IP connection table.
521 | 
522 | Example:
523 | 
524 |     Port Remote IP is "192.168.1.1"
525 | 
526 | Use in an IOC: This Term is often used for contextual information. It records the remote IP address that a host is currently communicating with, and may be used if remote IPs of C2 servers or other suspicious systems are known.
527 | 
528 | Related Terms:
529 | 
530 |     Other Network Terms
531 | 
532 | 
533 | 
534 | ### Process Handle Name
535 | 
536 | Audit Group & Name: ProcessItem/HandleList/Handle/Name
537 | 
538 | Definition: The name of a named handle associated with a running process.
539 | 
540 | Example:
541 | 
542 |     Process Handle Name contains "evilMutex"
543 | 
544 | Use in an IOC: This term is often used to describe Mutexes or "Mutants" which can be unique to malware processes. It can be used with Process Handle Type as well, but it is not necessary.  The use of this term is NOT limited to describing mutexes.
545 | 
546 | Related Terms:
547 | 
548 |     Process Name
549 |     Process HandleList Type
550 |     Other Process Items
551 | 
552 | 
553 | 
554 | ### Process Handle Type
555 | 
556 | Audit Group & Name: ProcessItem/HandleList/Handle/Type
557 | 
558 | Definition: The type of handle that a Windows process currently has opened. A handle is a connection from a process to an object or resource in the Windows operating system. Handle types are defined for each version of Windows, but there are common names across most versions.
559 | 
560 | Example:
561 | 
562 |     Process Handle is "File"
563 |     Process Handle is "Event"
564 |     Process Handle is "Mutant"
565 |     Process Handle is "Registry Key"
566 | 
567 | Use in an IOC: Use this term to specify the type of handle that a process has open. Common handle types that are useful in IOCs are “mutant,” “event,” and “file.” Never use this term by itself.
568 | 
569 | Related Terms:
570 | 
571 |     Process HandleList Name
572 |     Process Name
573 |     Process Path
574 | 
575 | 
576 | 
577 | ### Process Path
578 | 
579 | Audit Group & Name: ProcessItem/path
580 | 
581 | Definition: The full path (without drive letter) to a directory that a process is running out of. The process path does not include the name of the running process.
582 | 
583 | Example:
584 | 
585 |     ProcessItem/path contains "WINDOWS\system32"
586 |     ProcessItem/path is "Windows\ "
587 | 
588 | Use in an IOC: Use this term to match the path that a process is running from. You can use this to look for files with the correct names that are running from the wrong locations, or other anomalous behavior. You can also use this to look for files running from a particular directory without knowing an exact file name.
589 | 
590 | Related Terms:
591 | 
592 |     File Full Path
593 |     Process Name
594 | 
595 | 
596 | 
597 | ### Process Name
598 | 
599 | Audit Group & Name: ProcessItem/name
600 | 
601 | Definition: This is the name of the process that is identified on the system.
602 | 
603 | Example:
604 | 
605 |     Process Name is "IEXPLORE.EXE"
606 | 
607 | Use in an IOC: This may be used to identify running processes on a system.
608 | 
609 | Related Terms:
610 | 
611 |     Process Path
612 | 
613 | 
614 | 
615 | ### Process Section Name
616 | 
617 | Audit Group & Name: ProcessItem/SectionList/MemorySection/Name
618 | 
619 | Definition: The full path (drive letter, directory, and file name) to a file that is loaded into that section of a process’s memory.
620 | 
621 | Example:
622 | 
623 |     Process Section Name contains "system32\cmd.exe"
624 |     Process Section Name is "C:\WINDOWS\system32\cmd.exe"
625 | 
626 | Use in an IOC: Use this IOC term to match names of sections loaded in a process. The section name will usually be a full path to a library or file on disk.
627 | 
628 | Related Terms:
629 | 
630 |     File Full Path
631 |     Process Path
632 |     Process Name
633 | 
634 | 
635 | 
636 | ### Registry Path
637 | 
638 | Audit Group & Name: RegistryItem/Path
639 | 
640 | Definition: The location of a Key in the Windows Registry, including everything from the Hive Name down to the Key Name.
641 | 
642 | Example:
643 | 
644 |     Registry Path contains "Services\RasAuto\Parameters"
645 |     Registry Path is "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters\ServiceDLL"
646 | 
647 | Use in an IOC: Registry Path is usually used in conjunction with Registry Text, ANDed together to describe a Key location and what the value of the Key is. Registry Path is much like File Full Path, and usually best used with contains to depict a specific portion of the path, though it can be used to indicate the entire path from a Hive down to the Key Name.
648 | 
649 | Related Terms:
650 | 
651 |     Registry Text
652 |     Registry Value Name
653 |     Other RegistryItem terms for constraining matches.
654 | 
655 | 
656 | 
657 | ### Registry Text
658 | 
659 | Audit Group & Name: RegistryItem/Text
660 | 
661 | Definition: The value of an entry designated by a Registry Value Name inside a Registry Key. 
662 | 
663 | Example:
664 | 
665 |     Registry Text contains "svchost.exe"
666 |     Registry Text is "svchost.exe"
667 | 
668 | Use in an IOC: Registry Text is usually used in conjunction with Registry Text, ANDed together to describe a value of a Registry Key, and the location of where that Key may be found in the registry. 
669 | 
670 | Related Terms:
671 | 
672 |     Registry Path
673 |     Registry Value Name
674 |     Other RegistryItem terms for constraining matches.
675 | 
676 |  
677 | 
678 | ### Registry ValueName
679 | 
680 | Audit Group & Name: RegistryItem/ValueName
681 | 
682 | Definition: This is the name of a registry value (REG_SZ, REG_DWORD, REG_KEY, etc..) that is present in a registry key.
683 | 
684 | Example:
685 | 
686 |     Registry ValueName is "ServiceDLL"
687 | 
688 | Use in an IOC: This term allows for flexibility when identifying values that are associated with specific Registry Paths or Registry Text fields.
689 | 
690 | Related Terms:
691 | 
692 |     Registry Path
693 |     Registry Text
694 | 
695 | 
696 | 
697 | ### Service Descriptive Name
698 | 
699 | Audit Group & Name: ServiceItem/descriptiveName
700 | 
701 | Definition: The long descriptive name of a Windows service displayed in the service manager list. This is the name that appears in the services manager control panel.
702 | 
703 | Example:
704 | 
705 |     Service Descriptive Name is "Desktop Help Session Manager"
706 | 
707 | Use in an IOC: Use this to find anomalies or malicious service names. You can search for malicious services that an attacker installs, that may have a descriptive name that is similar to a legitimate service, but has subtle (or not so subtle) differences that could be found using this term.
708 | 
709 | Related Terms:
710 | 
711 |     Registry Text
712 |     Service Path
713 |     Service DLL
714 |     Service Name
715 | 
716 | 
717 | 
718 | ### Service DLL
719 | 
720 | Audit Group & Name: ServiceItem/serviceDLL
721 | 
722 | Definition: The path to the DLL loaded by a service, including the name of the DLL itself. 
723 | 
724 | Example:
725 | 
726 |     Service DLL contains "system32\evil.dll"
727 |     Not Service DLL contains "system32\good.dll"
728 | 
729 | Use in an IOC: This term is usually used with contains, since it is the path and file name of the DLL loaded by a service. This can be used to identify DLLs that are malicious that are loaded by compromised or malicious services, or it could be used to exclude legitimate DLLs to remove false positives.
730 | 
731 | Related Terms:
732 | 
733 |     Service Path
734 |     Service Name
735 | 
736 | 
737 | 
738 | ### Service DLL MD5
739 | 
740 | Audit Group & Name: ServiceItem/serviceDLLmd5sum
741 | 
742 | Definition: This is the MD5 hash value of a dynamic link library loaded by a Windows service. For services that run as DLLs, this is the MD5 checksum of that DLL.
743 | 
744 | Example:
745 | 
746 |     Service DLL MD5 is "a9a3daa780ca6c9671a19d52456705b4"
747 | 
748 | Use in an IOC: Use this to match the MD5s of known malicious Service DLLs.  This is similar to looking for a File MD5, but for services only.
749 | 
750 | Related Terms:
751 | 
752 |     File MD5
753 |     Service DLL Path
754 |     Registry Text
755 |     Service DLL
756 |     Service Name
757 | 
758 | 
759 | 
760 | ### Service Name
761 | 
762 | Audit Group & Name: ServiceItem/Name
763 | 
764 | Definition: This Term is the short name of a service as it is stored in the Windows Registry. 
765 | 
766 | Example:
767 | 
768 |     Service Name is "windowzupdate"
769 | 
770 | Use in an IOC: This term is often used to look for known malicious services, or in conjunction with other terms to look for anomalies from expected service behavior.
771 | 
772 | Related Terms:
773 | 
774 |     Service Path
775 | 
776 | 
777 | 
778 | ### Service Path
779 | 
780 | Audit Group & Name: ServiceItem/path
781 | 
782 | Definition: The path to and including the name of an executable used to launch a service.
783 | 
784 | Example:
785 | 
786 |     Service Path contains "evilfile.exe"
787 |     Service Path contains "system32\svch0st.exe"
788 | 
789 | Use in an IOC: This is usually used to specify the executable used to launch a service with a "contains" specifying the file name in question, or the file and a portion of the path leading to it.
790 | 
791 | Related Terms:
792 | 
793 |     Other ServiceItems
794 | 
795 | 
796 | 
797 | ### Snort
798 | 
799 | Audit Group & Name: Snort/Snort
800 | 
801 | Definition: This allows embedding a complete snort signature into an IndicatorItem.
802 | 
803 | Example:
804 | 
805 |     <Snort Signature encoded in field>
806 | 
807 | Use in an IOC: Used to encapsulate a Snort signature in an IOC
808 | 
809 | Related Terms:
810 | 
811 |     Network DNS
812 |     DNS Host
813 |     Network String URI
814 | 
815 | 
816 | 
817 | ### SystemRestore Original Filename
818 | 
819 | Audit Group & Name: SystemRestoreItem/OriginalFileName    
820 | 
821 | Definition: A file name and path not including the drive letter of a file that was copied by the Windows XP system restore mechanism. This only pertains to specific files with certain extensions. Please consult Windows XP documentation for the functioning of the Windows XP system restore mechanism.
822 | 
823 | Example:
824 | 
825 |     SystemRestore Original Filename contains "\WINDOWS\Installer\evilfile.msi"
826 | 
827 | Use in an IOC: Use this term in an IOC to search for a filename or path in the system restore points on a Windows XP system. Using this term may allow an investigator to find evidence of files that were once on a system, but were subsequently deleted after the creation of a restore point.
828 | 
829 | Example: 
830 | 
831 | Related Terms:
832 | 
833 |     File Full Path
834 |     SystemRestore Original Short File Name
835 | 
836 | 
837 | 
838 | ### YARA
839 | 
840 | Audit Group & Name: YARA/YARA
841 | 
842 | Definition: This allows embedding a complete YARA signature into an IndicatorItem.
843 | 
844 | Example:
845 | 
846 |         <YARA Signature encoded in field>
847 | 
848 | Use in an IOC: Used to encapsulate a YARA signature in an IOC file.
849 | 
850 | Related Terms:
851 | 
852 |     File Strings


--------------------------------------------------------------------------------
/OpenIOC_Terms_Changelog.md:
--------------------------------------------------------------------------------
  1 | # current.iocterms changelog
  2 | 
  3 | ## License
  4 | 
  5 | Copyright 2013 Mandiant Corporation.  Licensed under the Apache 2.0 license.  
  6 | 
  7 | Mandiant licenses this file to you under the Apache License, Version
  8 | 2.0 (the "License"); you may not use this file except in compliance with the
  9 | License.  You may obtain a copy of the License at:
 10 | 
 11 |         http://www.apache.org/licenses/LICENSE-2.0
 12 | 
 13 | Unless required by applicable law or agreed to in writing, software
 14 | distributed under the License is distributed on an "AS IS" BASIS,
 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 16 | implied.  See the License for the specific language governing
 17 | permissions and limitations under the License.
 18 | 
 19 | ## Changes
 20 | 
 21 | 2019-08-02  Matthew Dunwoody  <matthew d0t dunwoody a t mandiant d0t com>
 22 | 
 23 |     * Updated term titles to reflect level of support (unsupported, deprecated) and supported operating systems 
 24 |     (where not supported on all of Windows, OSX and Linux) in FireEye Endpoint Security
 25 |     * Updated term-source for FireEye terms from "application/vnd.mandiant.mir" to "application/vnd.fireeye.endpoint"
 26 |     * Added DnsEntryItem/RecordData/PrimaryServerName
 27 |     * Added DnsEntryItem/RecordData/AdministratorName
 28 |     * Added DnsEntryItem/RecordData/SerialNumber
 29 |     * Added DnsEntryItem/RecordData/Refresh
 30 |     * Added DnsEntryItem/RecordData/Refresh
 31 |     * Added DnsEntryItem/RecordData/Retry
 32 |     * Added DnsEntryItem/RecordData/Retry
 33 |     * Added DnsEntryItem/RecordData/Expire
 34 |     * Added DnsEntryItem/RecordData/Expire
 35 |     * Added DnsEntryItem/RecordData/DefaultTimeToLive
 36 |     * Added DnsEntryItem/RecordData/DefaultTimeToLive
 37 |     * Added DnsEntryItem/RecordData/MailboxName
 38 |     * Added DnsEntryItem/RecordData/MailboxErrorsName
 39 |     * Added DnsEntryItem/RecordData/MxHost
 40 |     * Added DnsEntryItem/RecordData/Preference
 41 |     * Added DnsEntryItem/RecordData/String
 42 |     * Added DnsEntryItem/RecordData/Blob
 43 |     * Added DnsEntryItem/RecordData/IPv6Address
 44 |     * Added DnsEntryItem/RecordData/Algorithm
 45 |     * Added DnsEntryItem/RecordData/Protocol
 46 |     * Added DnsEntryItem/RecordData/KeyFlags
 47 |     * Added DnsEntryItem/RecordData/Signer
 48 |     * Added DnsEntryItem/RecordData/TypeCovered
 49 |     * Added DnsEntryItem/RecordData/LabelCount
 50 |     * Added DnsEntryItem/RecordData/OriginalTimeToLive
 51 |     * Added DnsEntryItem/RecordData/ExpirationDate
 52 |     * Added DnsEntryItem/RecordData/DateSigned
 53 |     * Added DnsEntryItem/RecordData/KeyTag
 54 |     * Added DnsEntryItem/RecordData/AddressType
 55 |     * Added DnsEntryItem/RecordData/ATMAddress
 56 |     * Added DnsEntryItem/RecordData/NextHost
 57 |     * Added DnsEntryItem/RecordData/Type
 58 |     * Added DnsEntryItem/RecordData/TargetHost
 59 |     * Added DnsEntryItem/RecordData/Priority
 60 |     * Added DnsEntryItem/RecordData/Weight
 61 |     * Added DnsEntryItem/RecordData/Port
 62 |     * Added DnsEntryItem/RecordData/Order
 63 |     * Added DnsEntryItem/RecordData/Flags
 64 |     * Added DnsEntryItem/RecordData/Services
 65 |     * Added DnsEntryItem/RecordData/RegularExpression
 66 |     * Added DnsEntryItem/RecordData/Replacement
 67 |     * Added DnsEntryItem/RecordData/DigestType
 68 |     * Added DnsEntryItem/RecordData/DigestLength
 69 |     * Added DnsEntryItem/RecordData/Digest
 70 |     * Added DnsEntryItem/RecordData/KeyLength
 71 |     * Added DnsEntryItem/RecordData/PublicKey
 72 |     * Added DnsEntryItem/RecordData/KeyName
 73 |     * Added DnsEntryItem/RecordData/Key
 74 |     * Added DnsEntryItem/RecordData/CreationDate
 75 |     * Added DnsEntryItem/RecordData/Error
 76 |     * Added DnsEntryItem/RecordData/Mode
 77 |     * Added DnsEntryItem/RecordData/SignatureLength
 78 |     * Added DnsEntryItem/RecordData/Signature
 79 |     * Added DnsEntryItem/RecordData/FudgeTime
 80 |     * Added DnsEntryItem/RecordData/OriginalXid
 81 |     * Added DnsEntryItem/RecordData/MappingFlag
 82 |     * Added DnsEntryItem/RecordData/WinsServerIPv4Address
 83 |     * Added DnsEntryItem/RecordData/LookupTimeout
 84 |     * Added DnsEntryItem/RecordData/CacheTimeout
 85 |     * Added DnsEntryItem/RecordData/Bitmask
 86 |     * Added DnsEntryItem/RecordData/Data
 87 |     * Added RouteEntryItem/ValidLifetime
 88 |     * Added RouteEntryItem/PreferredLifetime
 89 |     * Added RouteEntryItem/IsLoopback
 90 |     * Added RouteEntryItem/IsAutoconfigureAddress
 91 |     * Added RouteEntryItem/IsPublish
 92 |     * Added RouteEntryItem/IsImmortal
 93 |     * Added RouteEntryItem/Origin
 94 |     * Added RouteEntryItem/Flags
 95 |     * Added RouteEntryItem/MTU
 96 |     * Added SudoLogItem/timestamp
 97 |     * Added SudoLogItem/ModifiedTimestamp
 98 |     * Added SudoLogItem/suOrSudo
 99 |     * Added SudoLogItem/username
100 |     * Added SudoLogItem/tty
101 |     * Added SudoLogItem/pwd
102 |     * Added SudoLogItem/userExecuteAs
103 |     * Added SudoLogItem/command
104 |     * Added SudoLogItem/success
105 |     * Added SudoLogItem/SourceLog
106 |     * Added FileItem/PEInfo/Sections/Section/Entropy/AverageValue
107 |     * Added ProcessItem/SectionList/MemorySection/PEInfo/ImportedModules/Module/NumberOfFunctions
108 |     * Added ProcessItem/SectionList/MemorySection/MemD5
109 |     * Added RegistryItem/SecurityID
110 |     * Added FileItem/Group
111 |     * Added FileItem/GroupID
112 |     * Added FileItem/Permissions
113 |     * Added FileItem/PEInfo/Sections/Section/Entropy/AverageValue
114 |     * Added FileItem/PEInfo/DigitalSignature/CertificateChain
115 |     * Added FileItem/DigitalSignature/SignatureExists
116 |     * Added FileItem/DigitalSignature/SignatureVerified
117 |     * Added FileItem/DigitalSignature/CertificateSubject
118 |     * Added FileItem/DigitalSignature/CertificateIssuer
119 |     * Added FileItem/DigitalSignature/CertificateChain
120 |     * Added FileItem/DigitalSignature/Description
121 |     * Added PersistenceItem/FileItem/Md5sum
122 |     * Added PersistenceItem/FileItem/StreamList/Stream/Md5sum
123 |     * Added PersistenceItem/ServiceItem/pathmd5sum
124 |     * Added PersistenceItem/ServiceItem/serviceDLLmd5sum
125 |     * Added PersistenceItem/md5sum
126 |     * Added PersistenceItem/pathAttributes/md5sum
127 |     * Added PersistenceItem/pathmd5sum
128 |     * Added PersistenceItem/serviceDLLmd5sum
129 |     * Added PersistenceItem/FileItem/Sha1sum
130 |     * Added PersistenceItem/FileItem/StreamList/Stream/Sha1sum
131 |     * Added PersistenceItem/ServiceItem/pathsha1sum
132 |     * Added PersistenceItem/ServiceItem/serviceDLLsha1sum
133 |     * Added PersistenceItem/sha1sum
134 |     * Added PersistenceItem/pathAttributes/sha1sum
135 |     * Added PersistenceItem/pathsha1sum
136 |     * Added PersistenceItem/serviceDLLsha1sum
137 |     * Added PersistenceItem/FileItem/Sha256sum
138 |     * Added PersistenceItem/FileItem/StreamList/Stream/Sha256sum
139 |     * Added PersistenceItem/ServiceItem/pathsha256sum
140 |     * Added PersistenceItem/ServiceItem/serviceDLLsha256sum
141 |     * Added PersistenceItem/sha256sum
142 |     * Added PersistenceItem/pathAttributes/sha256sum
143 |     * Added PersistenceItem/pathsha256sum
144 |     * Added PersistenceItem/serviceDLLsha256sum
145 |     * Added PersistenceItem/FileItem/PEInfo/Type
146 |     * Added PersistenceItem/FileItem/PEInfo/Subsystem
147 |     * Added PersistenceItem/FileItem/PEInfo/BaseAddress
148 |     * Added PersistenceItem/FileItem/PEInfo/PETimeStamp
149 |     * Added PersistenceItem/FileItem/PEInfo/PEChecksum/PEFileRaw
150 |     * Added PersistenceItem/FileItem/PEInfo/PEChecksum/PEFileAPI
151 |     * Added PersistenceItem/FileItem/PEInfo/PEChecksum/PEComputedAPI
152 |     * Added PersistenceItem/FileItem/PEInfo/ExtraneousBytes
153 |     * Added PersistenceItem/FileItem/PEInfo/Sections/NumberOfSections
154 |     * Added PersistenceItem/FileItem/PEInfo/Sections/ActualNumberOfSections
155 |     * Added PersistenceItem/FileItem/PEInfo/Sections/Section/Name
156 |     * Added PersistenceItem/FileItem/PEInfo/Sections/Section/Type
157 |     * Added PersistenceItem/FileItem/PEInfo/Sections/Section/SizeInBytes
158 |     * Added PersistenceItem/FileItem/PEInfo/Sections/Section/DetectedCharacteristics
159 |     * Added PersistenceItem/FileItem/PEInfo/Sections/Section/Entropy/AverageValue
160 |     * Added PersistenceItem/FileItem/PeakEntropy
161 |     * Added PersistenceItem/FileItem/PeakCodeEntropy
162 |     * Added PersistenceItem/FileItem/PEInfo/ImportedModules/Module/Name
163 |     * Added PersistenceItem/FileItem/PEInfo/ImportedModules/Module/NumberOfFunctions
164 |     * Added PersistenceItem/FileItem/PEInfo/ImportedModules/Module/ImportedFunctions/string
165 |     * Added PersistenceItem/FileItem/PEInfo/Exports/ExportsTimeStamp
166 |     * Added PersistenceItem/FileItem/PEInfo/Exports/NumberOfFunctions
167 |     * Added PersistenceItem/FileItem/PEInfo/Exports/NumberOfNames
168 |     * Added PersistenceItem/FileItem/PEInfo/Exports/DllName
169 |     * Added PersistenceItem/FileItem/PEInfo/Exports/ExportedFunctions/string
170 |     * Added PersistenceItem/FileItem/PEInfo/DetectedAnomalies/string
171 |     * Added PersistenceItem/FileItem/PEInfo/DetectedEntryPointSignature/Name
172 |     * Added PersistenceItem/FileItem/PEInfo/DetectedEntryPointSignature/Type
173 |     * Added PersistenceItem/FileItem/PEInfo/Sections/Section/DetectedSignatureKeys/string
174 |     * Added PersistenceItem/FileItem/PEInfo/EpJumpCodes/Depth
175 |     * Added PersistenceItem/FileItem/PEInfo/EpJumpCodes/Opcodes
176 |     * Added PersistenceItem/FileItem/PEInfo/DigitalSignature/SignatureExists
177 |     * Added PersistenceItem/FileItem/PEInfo/DigitalSignature/SignatureVerified
178 |     * Added PersistenceItem/FileItem/PEInfo/DigitalSignature/Description
179 |     * Added PersistenceItem/FileItem/PEInfo/DigitalSignature/CertificateIssuer
180 |     * Added PersistenceItem/FileItem/PEInfo/DigitalSignature/CertificateSubject
181 |     * Added PersistenceItem/ServiceItem/pathSignatureExists
182 |     * Added PersistenceItem/ServiceItem/pathSignatureVerified
183 |     * Added PersistenceItem/ServiceItem/pathSignatureDescription
184 |     * Added PersistenceItem/ServiceItem/pathCertificateSubject
185 |     * Added PersistenceItem/ServiceItem/pathCertificateIssuer
186 |     * Added PersistenceItem/ServiceItem/serviceDLLCertificateSubject
187 |     * Added PersistenceItem/ServiceItem/serviceDLLCertificateIssuer
188 |     * Added PersistenceItem/ServiceItem/serviceDLLSignatureExists
189 |     * Added PersistenceItem/ServiceItem/serviceDLLSignatureVerified
190 |     * Added PersistenceItem/ServiceItem/serviceDLLSignatureDescription
191 |     * Added PersistenceItem/SignatureExists
192 |     * Added PersistenceItem/SignatureVerified
193 |     * Added PersistenceItem/SignatureDescription
194 |     * Added PersistenceItem/CertificateSubject
195 |     * Added PersistenceItem/CertificateIssuer
196 |     * Added PersistenceItem/DigitalSignature/SignatureExists
197 |     * Added PersistenceItem/DigitalSignature/SignatureVerified
198 |     * Added PersistenceItem/DigitalSignature/CertificateSubject
199 |     * Added PersistenceItem/DigitalSignature/CertificateIssuer
200 |     * Added PersistenceItem/DigitalSignature/CertificateChain
201 |     * Added PersistenceItem/DigitalSignature/Description
202 |     * Added PersistenceItem/FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Name
203 |     * Added PersistenceItem/FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Type
204 |     * Added PersistenceItem/FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Size
205 |     * Added PersistenceItem/FileItem/PEInfo/ResourceInfoList/ResourceInfoItem/Language
206 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/Language
207 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName
208 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductVersion
209 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/Comments
210 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName
211 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription
212 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileVersion
213 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName
214 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalCopyright
215 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename
216 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/LegalTrademarks
217 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/PrivateBuild
218 |     * Added PersistenceItem/FileItem/PEInfo/VersionInfoList/VersionInfoItem/SpecialBuild
219 |     * Added PersistenceItem/FileItem/DevicePath
220 |     * Added PersistenceItem/FileItem/FullPath
221 |     * Added PersistenceItem/FileItem/Drive
222 |     * Added PersistenceItem/FileItem/FilePath
223 |     * Added PersistenceItem/FileItem/FileName
224 |     * Added PersistenceItem/FileItem/FileExtension
225 |     * Added PersistenceItem/FileItem/SizeInBytes
226 |     * Added PersistenceItem/FileItem/Created
227 |     * Added PersistenceItem/FileItem/Modified
228 |     * Added PersistenceItem/FileItem/Accessed
229 |     * Added PersistenceItem/FileItem/Entry
230 |     * Added PersistenceItem/FileItem/Changed
231 |     * Added PersistenceItem/FileItem/FilenameCreated
232 |     * Added PersistenceItem/FileItem/FilenameModified
233 |     * Added PersistenceItem/FileItem/FilenameAccessed
234 |     * Added PersistenceItem/FileItem/FilenameChanged
235 |     * Added PersistenceItem/FileItem/FileAttributes
236 |     * Added PersistenceItem/FileItem/Username
237 |     * Added PersistenceItem/FileItem/SecurityID
238 |     * Added PersistenceItem/FileItem/SecurityType
239 |     * Added PersistenceItem/FileItem/INode
240 |     * Added PersistenceItem/FileItem/detectedAnomaly
241 |     * Added PersistenceItem/FileItem/StreamList/Stream/SizeInBytes
242 |     * Added PersistenceItem/FileItem/StreamList/Stream/Name
243 |     * Added PersistenceItem/RegistryItem/Path
244 |     * Added PersistenceItem/RegistryItem/Type
245 |     * Added PersistenceItem/RegistryItem/Modified
246 |     * Added PersistenceItem/RegistryItem/NumSubKeys
247 |     * Added PersistenceItem/RegistryItem/NumValues
248 |     * Added PersistenceItem/RegistryItem/Hive
249 |     * Added PersistenceItem/RegistryItem/KeyPath
250 |     * Added PersistenceItem/RegistryItem/Username
251 |     * Added PersistenceItem/RegistryItem/SecurityID
252 |     * Added PersistenceItem/RegistryItem/ValueName
253 |     * Added PersistenceItem/RegistryItem/Text
254 |     * Added PersistenceItem/RegistryItem/ReportedLengthInBytes
255 |     * Added PersistenceItem/RegistryItem/Value
256 |     * Added PersistenceItem/RegistryItem/detectedAnomaly
257 |     * Added PersistenceItem/ServiceItem/name
258 |     * Added PersistenceItem/ServiceItem/descriptiveName
259 |     * Added PersistenceItem/ServiceItem/description
260 |     * Added PersistenceItem/ServiceItem/mode
261 |     * Added PersistenceItem/ServiceItem/startedAs
262 |     * Added PersistenceItem/ServiceItem/path
263 |     * Added PersistenceItem/ServiceItem/arguments
264 |     * Added PersistenceItem/ServiceItem/serviceDLL
265 |     * Added PersistenceItem/ServiceItem/status
266 |     * Added PersistenceItem/ServiceItem/pid
267 |     * Added PersistenceItem/ServiceItem/type
268 |     * Added PersistenceItem/ServiceItem/detectedAnomaly
269 |     * Added PersistenceItem/RegPath
270 |     * Added PersistenceItem/RegText
271 |     * Added PersistenceItem/RegValue
272 |     * Added PersistenceItem/RegContext
273 |     * Added PersistenceItem/RegOwner
274 |     * Added PersistenceItem/RegModified
275 |     * Added PersistenceItem/FilePath
276 |     * Added PersistenceItem/LinkFilePath
277 |     * Added PersistenceItem/PersistenceType
278 |     * Added PersistenceItem/FileOwner
279 |     * Added PersistenceItem/FileCreated
280 |     * Added PersistenceItem/FileModified
281 |     * Added PersistenceItem/FileAccessed
282 |     * Added PersistenceItem/FileChanged
283 |     * Added PersistenceItem/ServiceName
284 |     * Added PersistenceItem/ServicePath
285 |     * Added PersistenceItem/serviceDLL
286 |     * Added PersistenceItem/descriptiveName
287 |     * Added PersistenceItem/arguments
288 |     * Added PersistenceItem/mode
289 |     * Added PersistenceItem/startedAs
290 |     * Added PersistenceItem/status
291 |     * Added PersistenceItem/pathSignatureExists
292 |     * Added PersistenceItem/pathSignatureVerified
293 |     * Added PersistenceItem/pathSignatureDescription
294 |     * Added PersistenceItem/pathCertificateSubject
295 |     * Added PersistenceItem/pathCertificateIssuer
296 |     * Added PersistenceItem/serviceDLLSignatureExists
297 |     * Added PersistenceItem/serviceDLLSignatureVerified
298 |     * Added PersistenceItem/serviceDLLSignatureDescription
299 |     * Added PersistenceItem/serviceDLLCertificateSubject
300 |     * Added PersistenceItem/serviceDLLCertificateIssuer
301 |     * Added PersistenceItem/detectedAnomaly
302 |     * Added PersistenceItem/name
303 |     * Added PersistenceItem/userName
304 |     * Added PersistenceItem/groupName
305 |     * Added PersistenceItem/reference
306 |     * Added PersistenceItem/keepAlive
307 |     * Added PersistenceItem/disabled
308 |     * Added PersistenceItem/alias
309 |     * Added PersistenceItem/path
310 |     * Added PersistenceItem/pathAttributes/owner
311 |     * Added PersistenceItem/pathAttributes/group
312 |     * Added PersistenceItem/pathAttributes/size
313 |     * Added PersistenceItem/pathAttributes/accessedTime
314 |     * Added PersistenceItem/pathAttributes/modifiedTime
315 |     * Added PersistenceItem/pathAttributes/changedTime
316 |     * Added PersistenceItem/pathAttributes/createdTime
317 |     * Added PersistenceItem/type
318 |     * Added ModuleItem/Md5sum
319 |     * Added ModuleItem/Sha1sum
320 |     * Added ModuleItem/Sha256sum
321 |     * Added ModuleItem/Module
322 |     * Added ModuleItem/Size
323 |     * Added ModuleItem/UsedByList/Module
324 |     * Added ModuleItem/Status
325 |     * Added ModuleItem/Address
326 |     * Added ModuleItem/Filename
327 |     * Added ModuleItem/License
328 |     * Added ModuleItem/AliasList/Alias/Name
329 |     * Added ModuleItem/SrcVersion
330 |     * Added ModuleItem/DependsList/Depends/Module
331 |     * Added ModuleItem/Retpoline
332 |     * Added ModuleItem/Intree
333 |     * Added ModuleItem/Vermagic
334 |     * Added ModuleItem/Signat
335 |     * Added ModuleItem/Signer
336 |     * Added ModuleItem/SigKey
337 |     * Added ModuleItem/SigHashAlgorithm
338 |     * Added ModuleItem/ParmList/Parm/Name
339 |     * Added ArpEntryItem/IPv6Address
340 |     * Added ArpEntryItem/InterfaceType
341 |     * Added ArpEntryItem/State
342 |     * Added ArpEntryItem/IsRouter
343 |     * Added ArpEntryItem/LastReachable
344 |     * Added ArpEntryItem/LastUnreachable
345 |     * Added QuarantineEventItem/User
346 |     * Added QuarantineEventItem/EventIdentifier
347 |     * Added QuarantineEventItem/TimeStamp
348 |     * Added QuarantineEventItem/AgentBundleIdentifier
349 |     * Added QuarantineEventItem/AgentName
350 |     * Added QuarantineEventItem/DataURLString
351 |     * Added QuarantineEventItem/TypeNumber
352 |     * Added QuarantineEventItem/OriginURLString
353 |     * Added QuarantineEventItem/SenderName
354 |     * Added QuarantineEventItem/SenderAddress
355 |     * Added QuarantineEventItem/OriginTitle
356 |     * Added ProcessItem/HandleList/Handle/FileDescriptor
357 |     * Added ProcessItem/HandleList/Handle/User
358 |     * Added ProcessItem/HandleList/Handle/Device
359 |     * Added ProcessItem/HandleList/Handle/Size
360 |     * Added ProcessItem/HandleList/Handle/INode
361 |     * Added ProcessItem/HandleList/Handle/SocketType
362 |     * Added ProcessItem/HandleList/Handle/SocketProtocol
363 |     * Added ProcessItem/HandleList/Handle/SocketState
364 |     * Added ProcessItem/HandleList/Handle/SocketLocalAddress
365 |     * Added ProcessItem/HandleList/Handle/SocketLocalPort
366 |     * Added ProcessItem/HandleList/Handle/SocketRemoteAddress
367 |     * Added ProcessItem/HandleList/Handle/SocketRemotePort
368 |     * Added ProcessItem/HandleList/Handle/Md5sum
369 |     * Added ProcessItem/HandleList/Handle/Sha1sum
370 |     * Added ProcessItem/HandleList/Handle/Sha256sum
371 |     * Added GroupItem/GroupName
372 |     * Added GroupItem/fullname
373 |     * Added GroupItem/groupguid
374 |     * Added GroupItem/userlist/username
375 |     * Added GroupItem/gid
376 |     * Added TaskItem/DigitalSignature/SignatureExists
377 |     * Added TaskItem/DigitalSignature/SignatureVerified
378 |     * Added TaskItem/DigitalSignature/CertificateSubject
379 |     * Added TaskItem/DigitalSignature/CertificateIssuer
380 |     * Added TaskItem/DigitalSignature/CertificateChain
381 |     * Added TaskItem/DigitalSignature/Description
382 |     * Added TaskItem/path
383 |     * Added TaskItem/arguments
384 |     * Added TaskItem/userName
385 |     * Added TaskItem/groupName
386 |     * Added TaskItem/disabled
387 |     * Added TaskItem/triggers/trigger/type
388 |     * Added TaskItem/triggers/trigger/delay
389 |     * Added TaskItem/triggers/trigger/schedule
390 |     * Added TaskItem/triggers/trigger/details
391 |     * Added TaskItem/reference
392 |     * Added TaskItem/crontabPath
393 |     * Added TaskItem/crontabMinute
394 |     * Added TaskItem/crontabHour
395 |     * Added TaskItem/crontabDayOfMonth
396 |     * Added TaskItem/crontabMonth
397 |     * Added TaskItem/crontabDayOfWeek
398 |     * Added TaskItem/crontabEvent
399 |     * Added TaskItem/crontabCommand
400 |     * Added TaskItem/crontabPeriod
401 |     * Added TaskItem/crontabDelay
402 |     * Added TaskItem/crontabJobIdentifier
403 |     * Added SystemRestoreItem/ChangeEvent
404 |     * Added SystemRestoreItem/ProcessName
405 |     * Added SystemRestoreItem/DebugInfoProcessId
406 |     * Added SystemRestoreItem/DebugInfoThreadId
407 |     * Added SystemRestoreItem/DebugInfoProcessName
408 |     * Added SystemRestoreItem/DebugInfoTimeStamp
409 |     * Added SystemRestoreItem/OriginalVolumePath
410 |     * Added SystemRestoreItem/NewFileName
411 |     * Added VolumeItem/DeviceID
412 |     * Added VolumeItem/RemoteFS
413 |     * Added VolumeItem/RemoteAddress
414 |     * Added VolumeItem/VolumeID
415 |     * Added VolumeItem/TotalSize
416 |     * Added VolumeItem/FreeSize
417 |     * Added VolumeItem/MountPoint
418 |     * Added VolumeItem/Flags/Ejectable
419 |     * Added VolumeItem/Flags/Removable
420 |     * Added VolumeItem/Flags/ReadOnly
421 |     * Added VolumeItem/Flags/Logical
422 |     * Added VolumeItem/Flags/RAID
423 |     * Added UserItem/shell
424 |     * Added UserItem/userid
425 |     * Added UserItem/userguid
426 |     * Added UserItem/autologin
427 |     * Added ShellHistoryItem/FileOrder
428 |     * Added ShellHistoryItem/Command
429 |     * Added ShellHistoryItem/UserName
430 |     * Added ShellHistoryItem/Shell
431 |     * Added ShellHistoryItem/Timestamp
432 |     * Added FormHistoryItem/EncryptedUsername
433 |     * Added FormHistoryItem/PasswordChangedDate
434 |     * Added DriverItem/PEInfo/ImportedModules/Module/NumberOfFunctions
435 |     * Added DriverItem/IRP_MJ_CREATE
436 |     * Added DriverItem/IRP_MJ_CREATE_NAMED_PIPE
437 |     * Added DriverItem/IRP_MJ_CLOSE
438 |     * Added DriverItem/IRP_MJ_WRITE
439 |     * Added DriverItem/IRP_MJ_READ
440 |     * Added DriverItem/IRP_MJ_QUERY_INFORMATION
441 |     * Added DriverItem/IRP_MJ_SET_INFORMATION
442 |     * Added DriverItem/IRP_MJ_QUERY_EA
443 |     * Added DriverItem/IRP_MJ_SET_EA
444 |     * Added DriverItem/IRP_MJ_FLUSH_BUFFERS
445 |     * Added DriverItem/IRP_MJ_QUERY_VOLUME_INFORMATION
446 |     * Added DriverItem/IRP_MJ_SET_VOLUME_INFORMATION
447 |     * Added DriverItem/IRP_MJ_DIRECTORY_CONTROL
448 |     * Added DriverItem/IRP_MJ_FILE_SYSTEM_CONTROL
449 |     * Added DriverItem/IRP_MJ_DEVICE_CONTROL
450 |     * Added DriverItem/IRP_MJ_INTERNAL_DEVICE_CONTROL
451 |     * Added DriverItem/IRP_MJ_SHUTDOWN
452 |     * Added DriverItem/IRP_MJ_LOCK_CONTROL
453 |     * Added DriverItem/IRP_MJ_CLEANUP
454 |     * Added DriverItem/IRP_MJ_CREATE_MAILSLOT
455 |     * Added DriverItem/IRP_MJ_QUERY_SECURITY
456 |     * Added DriverItem/IRP_MJ_SET_SECURITY
457 |     * Added DriverItem/IRP_MJ_POWER
458 |     * Added DriverItem/IRP_MJ_SYSTEM_CONTROL
459 |     * Added DriverItem/IRP_MJ_DEVICE_CHANGE
460 |     * Added DriverItem/IRP_MJ_QUERY_QUOTA
461 |     * Added DriverItem/IRP_MJ_SET_QUOTA
462 |     * Added DriverItem/IRP_MJ_PNP
463 |     * Added eventItem/dnsLookupEvent/timestamp
464 |     * Added eventItem/dnsLookupEvent/hostname
465 |     * Added eventItem/dnsLookupEvent/pid
466 |     * Added eventItem/dnsLookupEvent/process
467 |     * Added eventItem/dnsLookupEvent/processPath
468 |     * Added eventItem/dnsLookupEvent/username
469 |     * Added eventItem/imageLoadEvent/timestamp
470 |     * Added eventItem/imageLoadEvent/fullPath
471 |     * Added eventItem/imageLoadEvent/filePath
472 |     * Added eventItem/imageLoadEvent/drive
473 |     * Added eventItem/imageLoadEvent/fileName
474 |     * Added eventItem/imageLoadEvent/fileExtension
475 |     * Added eventItem/imageLoadEvent/devicePath
476 |     * Added eventItem/imageLoadEvent/pid
477 |     * Added eventItem/imageLoadEvent/username
478 |     * Added eventItem/imageLoadEvent/parentPid
479 |     * Added eventItem/imageLoadEvent/process
480 |     * Added eventItem/imageLoadEvent/processPath
481 |     * Added eventItem/processEvent/timestamp
482 |     * Added eventItem/processEvent/eventType
483 |     * Added eventItem/processEvent/pid
484 |     * Added eventItem/processEvent/processPath
485 |     * Added eventItem/processEvent/process
486 |     * Added eventItem/processEvent/parentPid
487 |     * Added eventItem/processEvent/parentProcessPath
488 |     * Added eventItem/processEvent/parentProcess
489 |     * Added eventItem/processEvent/username
490 |     * Added eventItem/processEvent/startTime
491 |     * Added eventItem/processEvent/md5
492 |     * Added eventItem/processEvent/processCmdLine
493 |     * Added eventItem/ipv4NetworkEvent/timestamp
494 |     * Added eventItem/ipv4NetworkEvent/remoteIP
495 |     * Added eventItem/ipv4NetworkEvent/remotePort
496 |     * Added eventItem/ipv4NetworkEvent/localIP
497 |     * Added eventItem/ipv4NetworkEvent/localPort
498 |     * Added eventItem/ipv4NetworkEvent/protocol
499 |     * Added eventItem/ipv4NetworkEvent/pid
500 |     * Added eventItem/ipv4NetworkEvent/process
501 |     * Added eventItem/ipv4NetworkEvent/processPath
502 |     * Added eventItem/ipv4NetworkEvent/username
503 |     * Added eventItem/fileWriteEvent/timestamp
504 |     * Added eventItem/fileWriteEvent/fullPath
505 |     * Added eventItem/fileWriteEvent/filePath
506 |     * Added eventItem/fileWriteEvent/drive
507 |     * Added eventItem/fileWriteEvent/fileName
508 |     * Added eventItem/fileWriteEvent/fileExtension
509 |     * Added eventItem/fileWriteEvent/devicePath
510 |     * Added eventItem/fileWriteEvent/pid
511 |     * Added eventItem/fileWriteEvent/process
512 |     * Added eventItem/fileWriteEvent/processPath
513 |     * Added eventItem/fileWriteEvent/writes
514 |     * Added eventItem/fileWriteEvent/numBytesSeenWritten
515 |     * Added eventItem/fileWriteEvent/lowestFileOffsetSeen
516 |     * Added eventItem/fileWriteEvent/dataAtLowestOffset
517 |     * Added eventItem/fileWriteEvent/textAtLowestOffset
518 |     * Added eventItem/fileWriteEvent/closed
519 |     * Added eventItem/fileWriteEvent/size
520 |     * Added eventItem/fileWriteEvent/md5
521 |     * Added eventItem/fileWriteEvent/username
522 |     * Added eventItem/fileWriteEvent/parentProcessPath
523 |     * Added eventItem/fileWriteEvent/parentPid
524 |     * Added eventItem/fileWriteEvent/openTime
525 |     * Added eventItem/fileWriteEvent/openDuration
526 |     * Added eventItem/fileWriteEvent/eventReason
527 |     * Added eventItem/urlMonitorEvent/timestamp
528 |     * Added eventItem/urlMonitorEvent/hostname
529 |     * Added eventItem/urlMonitorEvent/requestUrl
530 |     * Added eventItem/urlMonitorEvent/urlMethod
531 |     * Added eventItem/urlMonitorEvent/userAgent
532 |     * Added eventItem/urlMonitorEvent/httpHeader
533 |     * Added eventItem/urlMonitorEvent/remoteIpAddress
534 |     * Added eventItem/urlMonitorEvent/remotePort
535 |     * Added eventItem/urlMonitorEvent/localPort
536 |     * Added eventItem/urlMonitorEvent/pid
537 |     * Added eventItem/urlMonitorEvent/process
538 |     * Added eventItem/urlMonitorEvent/processPath
539 |     * Added eventItem/urlMonitorEvent/username
540 |     * Added eventItem/regKeyEvent/timestamp
541 |     * Added eventItem/regKeyEvent/hive
542 |     * Added eventItem/regKeyEvent/keyPath
543 |     * Added eventItem/regKeyEvent/path
544 |     * Added eventItem/regKeyEvent/originalPath
545 |     * Added eventItem/regKeyEvent/eventType
546 |     * Added eventItem/regKeyEvent/pid
547 |     * Added eventItem/regKeyEvent/process
548 |     * Added eventItem/regKeyEvent/processPath
549 |     * Added eventItem/regKeyEvent/valueName
550 |     * Added eventItem/regKeyEvent/valueType
551 |     * Added eventItem/regKeyEvent/value
552 |     * Added eventItem/regKeyEvent/text
553 |     * Added eventItem/regKeyEvent/username
554 |     * Added eventItem/addressNotificationEvent/timestamp
555 |     * Added eventItem/addressNotificationEvent/address
556 |     * Added DiskItem/DevicePath
557 |     * Added DiskItem/DiskConnection
558 |     * Added DiskItem/Type
559 |     * Added QuarantineListItem/QuarId
560 |     * Added QuarantineListItem/CorrelationId
561 |     * Added QuarantineListItem/QuarantineTime
562 |     * Added QuarantineListItem/Final
563 |     * Added QuarantineListItem/ObjectType
564 |     * Added QuarantineListItem/FilePath
565 |     * Added QuarantineListItem/FileSize
566 |     * Added QuarantineListItem/FileMD5
567 |     * Added QuarantineListItem/FileSHA1
568 |     * Added QuarantineListItem/FileState
569 |     * Added PortItem/isIPv6
570 |     * Added RegistryItem/SecurityID
571 |     * Added LoginHistoryItem/Path
572 |     * Added LoginHistoryItem/StartTime
573 |     * Added LoginHistoryItem/EndTime
574 |     * Added LoginHistoryItem/SessionLength
575 |     * Added LoginHistoryItem/Hostname
576 |     * Added LoginHistoryItem/IsRemoteLogin
577 |     * Added LoginHistoryItem/IPv4Address
578 |     * Added LoginHistoryItem/IPv6Address
579 |     * Added LoginHistoryItem/Username
580 |     * Added LoginHistoryItem/RecordType
581 |     * Added LoginHistoryItem/PID
582 |     * Added LoginHistoryItem/Terminal
583 |     * Added LoginHistoryItem/IsFailedLogin
584 |     * Added ServiceItem/md5sum
585 |     * Added ServiceItem/sha1sum
586 |     * Added ServiceItem/sha256sum
587 |     * Added ServiceItem/pathCertificateChain
588 |     * Added ServiceItem/DigitalSignature/SignatureExists
589 |     * Added ServiceItem/DigitalSignature/SignatureVerified
590 |     * Added ServiceItem/DigitalSignature/CertificateSubject
591 |     * Added ServiceItem/DigitalSignature/CertificateIssuer
592 |     * Added ServiceItem/DigitalSignature/Description
593 |     * Added ServiceItem/machServices/machService
594 |     * Added ServiceItem/userName
595 |     * Added ServiceItem/groupName
596 |     * Added ServiceItem/reference
597 |     * Added Syslog/ID
598 |     * Added Syslog/Time
599 |     * Added Syslog/Date
600 |     * Added Syslog/Level
601 |     * Added Syslog/PID
602 |     * Added Syslog/UID
603 |     * Added Syslog/GID
604 |     * Added Syslog/Host
605 |     * Added Syslog/Sender
606 |     * Added Syslog/Facility
607 |     * Added Syslog/Message
608 |     * Added Syslog/LogFile
609 |     * Added Syslog/LogFileModified
610 |     * Added CookieHistoryItem/IsHTTPOnly
611 |     * Added CookieHistoryItem/LastVisitDate
612 |     * Added SystemInfoItem/containmentState
613 |     * Added SystemInfoItem/containmentWhitelistArray/ip
614 |     * Added SystemInfoItem/biosInfo/biosType
615 |     * Added SystemInfoItem/drives
616 |     * Added SystemInfoItem/platform
617 |     * Added SystemInfoItem/procConfigInfo/vmGuest
618 |     * Added SystemInfoItem/procConfigInfo/virtualization
619 |     * Added SystemInfoItem/procConfigInfo/iommu
620 |     * Added SystemInfoItem/procConfigInfo/lpcDevice
621 |     * Added SystemInfoItem/kernelVersion
622 |     * Added SystemInfoItem/OSbitness
623 |     * Added SystemInfoItem/timezone
624 |     * Added SystemInfoItem/gmtoffset
625 |     * Added SystemInfoItem/clockSkew
626 |     * Added SystemInfoItem/stateAgentStatus
627 |     * Added SystemInfoItem/networkArray/networkInfo/ipArray/ipInfo/ipv6Address
628 |     * Added SystemInfoItem/primaryIpv4Address
629 |     * Added SystemInfoItem/primaryIpAddress
630 |     * Added SystemInfoItem/loggedOnUser
631 |     * Added SystemInfoItem/appVersion
632 |     * Added SystemInfoItem/appCreated
633 | 
634 | 2013-06-04  William Gibb  <william d0t gibb a t mandiant d0t com>
635 | 
636 |     * Added ProcessItem/SectionList/MemorySection/PEInfo/Exports/DllName
637 | 
638 | 2013-05-14  Tony Dell  <tony d0t dell a t mandiant d0t com>
639 | 
640 |     * CookieHistoryItem/IsSecure: 
641 |     changing from [string] [xs:string] to [bool] [xs:string]
642 | 
643 |     * DriverItem/PEInfo/DigitalSignature/SignatureExists: 
644 |     changing from [string] [xs:string] to [bool] [xs:string]
645 | 
646 |     * DriverItem/PEInfo/DigitalSignature/SignatureVerified: 
647 |     changing from [string] [xs:string] to [bool] [xs:string]
648 | 
649 |     * DriverItem/PEInfo/Sections/Section/Entropy/CurveData/float: 
650 |     changing from [int] [xs:int] to [float] [xs:string]
651 | 
652 |     * DriverItem/SignatureExists: 
653 |     changing from [string] [xs:string] to [bool] [xs:string]
654 | 
655 |     * DriverItem/SignatureVerified: 
656 |     changing from [string] [xs:string] to [bool] [xs:string]
657 | 
658 |     * FileItem/PEInfo/DigitalSignature/SignatureExists: 
659 |     changing from [string] [xs:string] to [bool] [xs:string]
660 | 
661 |     * FileItem/PEInfo/DigitalSignature/SignatureVerified: 
662 |     changing from [string] [xs:string] to [bool] [xs:string]
663 | 
664 |     * FileItem/PEInfo/Sections/Section/Entropy/CurveData/float: 
665 |     changing from [int] [xs:int] to [float] [xs:string]
666 | 
667 |     * FileItem/PeakCodeEntropy: 
668 |     changing from [int] [xs:int] to [float] [xs:string]
669 | 
670 |     * FileItem/PeakEntropy: 
671 |     changing from [int] [xs:int] to [float] [xs:string]
672 | 
673 |     * HookItem/DigitalSignatureHooked/SignatureExists: 
674 |     changing from [string] [xs:string] to [bool] [xs:string]
675 | 
676 |     * HookItem/DigitalSignatureHooked/SignatureVerified: 
677 |     changing from [string] [xs:string] to [bool] [xs:string]
678 | 
679 |     * HookItem/DigitalSignatureHooking/SignatureExists: 
680 |     changing from [string] [xs:string] to [bool] [xs:string]
681 | 
682 |     * HookItem/DigitalSignatureHooking/SignatureVerified: 
683 |     changing from [string] [xs:string] to [bool] [xs:string]
684 | 
685 |     * ProcessItem/SectionList/MemorySection/DigitalSignature/SignatureExists: 
686 |     changing from [string] [xs:string] to [bool] [xs:string]
687 | 
688 |     * ProcessItem/SectionList/MemorySection/DigitalSignature/SignatureVerified: 
689 |     changing from [string] [xs:string] to [bool] [xs:string]
690 | 
691 |     * ProcessItem/SectionList/MemorySection/Injected: 
692 |     changing from [string] [xs:string] to [bool] [xs:string]
693 | 
694 |     * ProcessItem/SectionList/MemorySection/PEInfo/DigitalSignature/SignatureExists: 
695 |     changing from [string] [xs:string] to [bool] [xs:string]
696 | 
697 |     * ProcessItem/SectionList/MemorySection/PEInfo/DigitalSignature/SignatureVerified: 
698 |     changing from [string] [xs:string] to [bool] [xs:string]
699 | 
700 |     * ProcessItem/SectionList/MemorySection/PEInfo/Sections/Section/Entropy/CurveData/float: 
701 |     changing from [int] [xs:int] to [float] [xs:string]
702 | 
703 |     * RouteEntryItem/IsIPv6: 
704 |     changing from [string] [xs:string] to [bool] [xs:string]
705 | 
706 |     * ServiceItem/pathSignatureExists: 
707 |     changing from [string] [xs:string] to [bool] [xs:string]
708 | 
709 |     * ServiceItem/pathSignatureVerified: 
710 |     changing from [string] [xs:string] to [bool] [xs:string]
711 | 
712 |     * ServiceItem/serviceDLLSignatureExists: 
713 |     changing from [string] [xs:string] to [bool] [xs:string]
714 | 
715 |     * ServiceItem/serviceDLLSignatureVerified: 
716 |     changing from [string] [xs:string] to [bool] [xs:string]
717 | 
718 |     * TaskItem/ActionList/Action/DigitalSignature/SignatureExists: 
719 |     changing from [string] [xs:string] to [bool] [xs:string]
720 | 
721 |     * TaskItem/ActionList/Action/DigitalSignature/SignatureVerified: 
722 |     changing from [string] [xs:string] to [bool] [xs:string]
723 | 
724 |     * TaskItem/SignatureVerified: 
725 |     changing from [string] [xs:string] to [bool] [xs:string]
726 | 
727 |     * TaskItem/TriggerList/Trigger/TriggerEnabled: 
728 |     changing from [string] [xs:string] to [bool] [xs:string]
729 | 
730 |     * UserItem/disabled: 
731 |     changing from [string] [xs:string] to [bool] [xs:string]
732 | 
733 |     * UserItem/lockedout: 
734 |     changing from [string] [xs:string] to [bool] [xs:string]
735 | 
736 |     * UserItem/passwordrequired: 
737 |     changing from [string] [xs:string] to [bool] [xs:string]
738 | 
739 |     * VolumeItem/IsMounted: 
740 |     changing from [string] [xs:string] to [bool] [xs:string]
741 | 


--------------------------------------------------------------------------------