Sept 2024 pass at OCSF/DEFEND mappings #1173
@@ -1,6 +1,6 @@ | |||
{ | |||
"caption": "Script", | |||
"description": "The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term <em>script</em> here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism.", | |||
"description": "The Script object describes a script or command that can be executed by a shell, script engine, or interpreter. Examples include Bash, JavsScript, PowerShell, Python, VBScript, etc. Note that the term <em>script</em> here denotes not only a script contained within a file but also a script or command typed interactively by a user, supplied on the command line, or provided by some other file-less mechanism. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:ExecutableScript/'>d3f:ExecutableScript</a>.", |
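Review bot: the "JavsScript" typo in the description is carried over unchanged from the removed line to the added one; since this line is being rewritten anyway (and the PR description says it fixes a typo in http_header), correct it to "JavaScript" here rather than in a follow-up. The added anchor also uses target='_blank' without rel='noopener noreferrer'; if the schema renderer emits these descriptions as HTML, add the rel attribute so the opened D3FEND page does not receive a reference to the opener window, and apply the same form to the other D3FEND links added in this pass.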
A script can manifest as a file or a string-based command-line argument in the case of PowerShell.
Curious if OCSF wants to make such a distinction.
Consider this shadowcat example:
Just to clarify, the file-less script case is more than just a string-based command line:
- It may be read by an interpreter from stdin.
- It may be embedded within a container document, e.g. VBA macro in a Word document or Excel sheet.
- It may be dynamically executed as a sub-script of another script, e.g. a sub-script that results from deobfuscation, a sub-script that is downloaded, etc.
I would check with @davemcatcisco who authored the script class and object.
@davemcatcisco would be happy to hear your thoughts. Please see the CAD example above.
As you can see, I wrote the above comment two weeks ago but then forgot to submit the review until now. I'm just pointing out that a file-less script execution can happen in a lot of ways beyond a PowerShell command line.
I'm afraid I'm not sure what you mean when you say you're curious if OCSF wants to make a distinction. Can you clarify?
Looks good save for a potential distinction OCSF might want to make regarding scripts as cmd line args. They might have already discussed this somewhere but it was not jumping out at me.
Thanks for doing this! A general question, based on your review of the objects you updated: do you see a need to add more attributes in any of the objects? Any pertinent gaps in an OCSF object when compared to its D3FEND counterpart?
There is quite a bit more we can do. In general we're looking to incorporate "data properties" from OCSF into D3FEND, since they are precisely what the community needs. This was intentional and planned on our part. We want to synchronize "object properties" between OCSF and D3FEND, but that is going to require further discussion and modeling.
There are a few instances where there are related D3FEND and OCSF objects, but the definitions don't align perfectly. Do we want to still relate those with "See also in D3FEND..." or something similar?
If it's pertinent enough, I think it's worth the callout. I did. Overall, the more specific examples or further reading we can do for descriptions and captions, the better it is overall, for producers and consumers alike.
These all look good using the current form of relationships to D3FEND artifact definitions. However, now that we have references and source metaschema, we are looking at either using those mechanisms or using a specific
… PR #1173 doing it the old way via descriptions. Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
Adding a few D3FEND mappings to OCSF.
Objects changed:
Noticed a minor typo in http_header