| # | Value | Description |
|---|-------|-------------|
| 0 | Abusive.Spam | Also 'Unsolicited Bulk Email': the recipient has not granted verifiable permission for the message to be sent, and the message is sent as part of a larger collection of messages, all having functionally comparable content. This IOC refers to resources that make up a spam infrastructure, be it harvesters, address-verification services, URLs in spam e-mails, etc. |
| 1 | Abusive.Harassment | Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals. |
| 2 | Abusive.Illicit | Child Sexual Exploitation (CSE), sexual content, glorification of violence, etc. |
| 3 | Malicious.System | System infected with malware, e.g. a PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server. |
| 4 | Malicious.Botnet | Command-and-control server contacted by malware on infected systems. |
| 5 | Malicious.Distribution | URI used for malware distribution, e.g. a download URL included in fake-invoice malware spam, or an exploit kit hosted on a website. |
| 6 | Malicious.Configuration | URI hosting a malware configuration file, e.g. web injects for a banking trojan. |
| 7 | Recon.Scanning | Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning. |
| 8 | Recon.Sniffing | Observing and recording of network traffic (wiretapping). |
| 9 | Recon.SocialEngineering | Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes or threats). |
| 10 | Attempt.Exploit | An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as a CVE ID (e.g. buffer overflow, backdoor, cross-site scripting, etc.). |
| 11 | Attempt.Login | Multiple login attempts (guessing or cracking of passwords, brute force). This IOC refers to a resource that has been observed performing brute-force attacks over a given application protocol. |
| 12 | Attempt.NewSignature | An attack using an unknown exploit. |
| 13 | Intrusion.AdminCompromise | Compromise of a system where the attacker gained administrative privileges. |
| 14 | Intrusion.UserCompromise | Compromise of a system using an unprivileged (user/service) account. |
| 15 | Intrusion.AppCompromise | Compromise of an application by exploiting known or unknown software vulnerabilities, e.g. SQL injection. |
| 16 | Intrusion.SysCompromise | Compromise of a system, e.g. unauthorised logins or commands. This includes compromise attempts on honeypot systems. |
| 17 | Intrusion.Burglary | Physical intrusion, e.g. into a corporate building or data centre. |
| 18 | Availability.DoS | Denial-of-service attack, e.g. sending specially crafted requests to a web application that cause the application to crash or slow down. |
| 19 | Availability.DDoS | Distributed denial-of-service attack, e.g. SYN flood or UDP-based reflection/amplification attacks. |
| 20 | Availability.Misconf | Software misconfiguration resulting in service availability issues, e.g. a DNS server with an outdated DNSSEC root zone KSK. |
| 21 | Availability.Theft | Physical theft, e.g. stolen laptop computer, stolen USB key, stolen paper document, etc. |
| 22 | Availability.Sabotage | Physical sabotage, e.g. cutting wires or malicious arson. |
| 23 | Availability.Outage | Outage caused e.g. by air-conditioning failure or natural disaster. |
| 24 | Availability.Failure | Failure or malfunction (e.g. bug, wear, faults, etc.). |
| 25 | Information.UnauthorizedAccess | Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic, or gaining access to physical documents. |
| 26 | Information.UnauthorizedModification | Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application, or by ransomware encrypting data. Also includes defacements. |
| 27 | Information.DataLoss | Loss of data, e.g. caused by hard-disk failure or physical theft. |
| 28 | Information.DataLeak | Leaked confidential information such as credentials or personal data. |
| 29 | Fraud.UnauthorizedUsage | Using resources for unauthorised purposes, including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes. |
| 30 | Fraud.Copyright | Offering or installing copies of unlicensed commercial software or other copyright-protected materials (warez). |
| 31 | Fraud.Masquerade | Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it. |
| 32 | Fraud.Phishing | Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL used to phish user credentials. |
| 33 | Vulnerable.Crypto | Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks. |
| 34 | Vulnerable.DDoS | Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open resolvers or NTP servers with monlist enabled. |
| 35 | Vulnerable.Surface | Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC. |
| 36 | Vulnerable.Disclosure | Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis. |
| 37 | Vulnerable.System | A system that is vulnerable to certain attacks. Examples: misconfigured client proxy settings (e.g. WPAD), outdated operating system version, XSS vulnerabilities, etc. |
| 38 | Geophysical.Earthquake | A hazard originating from solid earth. This term is used interchangeably with the term geological hazard. |
| 39 | Geophysical.MassMovement | A hazard originating from solid earth. This term is used interchangeably with the term geological hazard. |
| 40 | Geophysical.Volcanic | A hazard originating from solid earth. This term is used interchangeably with the term geological hazard. |
| 41 | Meteorological.Temperature | A hazard caused by short-lived, micro- to meso-scale extreme weather and atmospheric conditions that last from minutes to days. |
| 42 | Meteorological.Fog | A hazard caused by short-lived, micro- to meso-scale extreme weather and atmospheric conditions that last from minutes to days. |
| 43 | Meteorological.Storm | A hazard caused by short-lived, micro- to meso-scale extreme weather and atmospheric conditions that last from minutes to days. |
| 44 | Hydrological.Flood | A hazard caused by the occurrence, movement, and distribution of surface and subsurface freshwater and saltwater. |
| 45 | Hydrological.Landslide | A hazard caused by the occurrence, movement, and distribution of surface and subsurface freshwater and saltwater. |
| 46 | Hydrological.Wave | A hazard caused by the occurrence, movement, and distribution of surface and subsurface freshwater and saltwater. |
| 47 | Climatological.Drought | A hazard caused by long-lived, meso- to macro-scale atmospheric processes ranging from intra-seasonal to multi-decadal climate variability. |
| 48 | Climatological.LakeOutburst | A hazard caused by long-lived, meso- to macro-scale atmospheric processes ranging from intra-seasonal to multi-decadal climate variability. |
| 49 | Climatological.Wildfire | A hazard caused by long-lived, meso- to macro-scale atmospheric processes ranging from intra-seasonal to multi-decadal climate variability. |
| 50 | Biological.Epidemic | A hazard caused by exposure to living organisms and their toxic substances (e.g. venom, mould) or to vector-borne diseases that they may carry. Examples are venomous wildlife and insects, poisonous plants, and mosquitoes carrying disease-causing agents such as parasites, bacteria or viruses (e.g. malaria). |
| 51 | Biological.Insect | A hazard caused by exposure to living organisms and their toxic substances (e.g. venom, mould) or to vector-borne diseases that they may carry. Examples are venomous wildlife and insects, poisonous plants, and mosquitoes carrying disease-causing agents such as parasites, bacteria or viruses (e.g. malaria). |
| 52 | Biological.Animal | A hazard caused by exposure to living organisms and their toxic substances (e.g. venom, mould) or to vector-borne diseases that they may carry. Examples are venomous wildlife and insects, poisonous plants, and mosquitoes carrying disease-causing agents such as parasites, bacteria or viruses (e.g. malaria). |
| 53 | Extraterrestrial.Impact | A hazard caused by asteroids, meteoroids and comets as they pass near Earth, enter the Earth's atmosphere and/or strike the Earth, and by changes in interplanetary conditions that affect the Earth's magnetosphere, ionosphere and thermosphere. |
| 54 | Extraterrestrial.SpaceWeather | A hazard caused by asteroids, meteoroids and comets as they pass near Earth, enter the Earth's atmosphere and/or strike the Earth, and by changes in interplanetary conditions that affect the Earth's magnetosphere, ionosphere and thermosphere. |
| 55 | Other.Uncategorised | All incidents that do not fit into one of the given categories, or that have not been categorised. |
| 56 | Other.Undetermined | The categorisation of the incident is unknown/undetermined. |
| 57 | Test.Test | Meant for testing. |
| 58 | ext-value | A value used to indicate that this attribute is extended and that the actual value is provided using the corresponding ext-* attribute (see ). |
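The following is an added example, not code from the original page or from any project that publishes this taxonomy. It shows how a consumer of such events validates the classification attribute, including the `ext-value` extension mechanism described in the last row: the literal `ext-value` is only a placeholder, the real value must come from the corresponding `ext-*` attribute, and an `ext-*` attribute sitting next to an ordinary taxonomy value is ambiguous and rejected. The attribute names `category` / `ext-category`, the `Class.Subclass` shape required of extension values, and the sample events are assumptions for the example; only the taxonomy values themselves come from the table above.

```python
"""Validate an incident-classification attribute that supports the
"ext-value" extension mechanism.

Added example (not the page's or any project's own code).
Assumptions not stated on the page: the attribute is called "category",
its extension attribute is "ext-category", and extension values must look
like "Class.Subclass". The taxonomy values are the ones from the table.
"""
from __future__ import annotations

import re
from collections import Counter

# Class -> subclasses, as listed in the table (58 values, indexes 0..57).
TAXONOMY: dict[str, list[str]] = {
    "Abusive": ["Spam", "Harassment", "Illicit"],
    "Malicious": ["System", "Botnet", "Distribution", "Configuration"],
    "Recon": ["Scanning", "Sniffing", "SocialEngineering"],
    "Attempt": ["Exploit", "Login", "NewSignature"],
    "Intrusion": ["AdminCompromise", "UserCompromise", "AppCompromise",
                  "SysCompromise", "Burglary"],
    "Availability": ["DoS", "DDoS", "Misconf", "Theft", "Sabotage",
                     "Outage", "Failure"],
    "Information": ["UnauthorizedAccess", "UnauthorizedModification",
                    "DataLoss", "DataLeak"],
    "Fraud": ["UnauthorizedUsage", "Copyright", "Masquerade", "Phishing"],
    "Vulnerable": ["Crypto", "DDoS", "Surface", "Disclosure", "System"],
    "Geophysical": ["Earthquake", "MassMovement", "Volcanic"],
    "Meteorological": ["Temperature", "Fog", "Storm"],
    "Hydrological": ["Flood", "Landslide", "Wave"],
    "Climatological": ["Drought", "LakeOutburst", "Wildfire"],
    "Biological": ["Epidemic", "Insect", "Animal"],
    "Extraterrestrial": ["Impact", "SpaceWeather"],
    "Other": ["Uncategorised", "Undetermined"],
    "Test": ["Test"],
}
VALUES: frozenset[str] = frozenset(
    f"{cls}.{sub}" for cls, subs in TAXONOMY.items() for sub in subs
)
EXT_VALUE = "ext-value"
# Assumed shape for extension values, so free-form junk is rejected.
_EXT_RE = re.compile(r"^[A-Z][A-Za-z0-9]*\.[A-Z][A-Za-z0-9]*$")


class ClassificationError(ValueError):
    """Raised when the category attributes are missing, unknown or ambiguous."""


def resolve_category(attrs: dict[str, str]) -> tuple[str, bool]:
    """Return (effective_value, is_extension) for one event's attributes.

    Rules enforced:
      * a listed taxonomy value is used as-is; an ext-category beside it
        is ambiguous and rejected;
      * the literal "ext-value" is a placeholder: the real value must be in
        ext-category, must not itself be "ext-value", must not shadow a
        value that already exists in the taxonomy, and must match _EXT_RE;
      * anything else is rejected.
    """
    value = attrs.get("category")
    ext = attrs.get("ext-category")
    if value is None:
        raise ClassificationError("missing category attribute")
    if value in VALUES:
        if ext is not None:
            raise ClassificationError("ext-category present but category is not ext-value")
        return value, False
    if value == EXT_VALUE:
        if ext is None:
            raise ClassificationError("category is ext-value but ext-category is missing")
        if ext == EXT_VALUE or ext in VALUES or not _EXT_RE.match(ext):
            raise ClassificationError(f"invalid extension value {ext!r}")
        return ext, True
    raise ClassificationError(f"unknown category {value!r} (use ext-value + ext-category)")


def is_valid(attrs: dict[str, str]) -> bool:
    """Boolean wrapper around resolve_category for filtering."""
    try:
        resolve_category(attrs)
        return True
    except ClassificationError:
        return False


def summarise(events: list[dict[str, str]]) -> tuple[dict[str, int], list[int]]:
    """Count accepted events by top-level class; return rejected event indexes."""
    counts: Counter[str] = Counter()
    rejected: list[int] = []
    for i, ev in enumerate(events):
        try:
            value, _ = resolve_category(ev)
        except ClassificationError:
            rejected.append(i)
            continue
        counts[value.split(".", 1)[0]] += 1
    return dict(counts), rejected


# Constructed sample events (not real feed data).
SAMPLE_EVENTS: list[dict[str, str]] = [
    {"category": "Malicious.Botnet"},
    {"category": "Attempt.Login"},
    {"category": "Malicious.System"},
    {"category": "ext-value", "ext-category": "Vendor.CryptoMining"},  # valid extension
    {"category": "ext-value"},                                          # placeholder, no real value
    {"category": "Malware.C2"},                                         # not in taxonomy, not extended
    {"category": "Abusive.Spam", "ext-category": "Vendor.Bulk"},        # ambiguous
]

if __name__ == "__main__":
    counts, rejected = summarise(SAMPLE_EVENTS)
    print("accepted by class:", counts)
    print("rejected event indexes:", rejected)
```

Running the module on the constructed events accepts four of them (two `Malicious`, one `Attempt`, one extension class `Vendor`) and rejects the three malformed ones, which is the behaviour a feed consumer wants: unknown values are never silently mapped onto a taxonomy class, and a producer that wants a custom class has to go through `ext-value`.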