6 September 2022
Editors:
- Jeffrey Mates
Additional artifacts:
- STIX™ Version 2.1 - OS
- N/A
Abstract:
The current STIX 2.1 standard does not provide a way to share generic human-readable strings discovered during CTI or malware analysis work. While it is possible to share information such as filenames, URLs and passwords for specific user accounts, it is not possible to indicate that a particular string is used as part of the unpacking process of a piece of malware, or that a piece of malware is packaged with a unique identifier for a campaign.
This extension creates a new SCO to support this kind of information capture and sharing. Observed strings allow for the sharing of simple string information and a high-level understanding of the purpose the string serves.
1. Observed Strings in STIX
Observed strings are an SCO that tracks both the value and purpose of a string that was discovered through malware analysis, threat hunting, or other analysis activities. These can be used to track things like common decryption keys, mission IDs embedded within malware, named pipes, user-agent strings and much more.
2. Observed String SCO
The properties and additional types within the Observed String Extension are defined below. This extension MUST use extension-definition--8b1aa84c-5532-4c69-a8e7-b6170facfd3d as its extension ID.
The extension definition itself carries only one property, "extension_type", with a value of new-sco.
Required Common Properties | id, type |
Optional Common Properties | defanged, spec_version, object_marking_refs, granular_markings, extensions |
Not Applicable Common Properties | confidence, created_by_ref, external_references, labels, lang, revoked |
Observed String Object Specific Properties | purpose, value |
ID Contributing Properties | purpose, value |
Property Name | Type | Description |
---|---|---|
purpose (required) | | What this string is used for. This SHOULD come from string-purpose-ov. |
type | | The value of this property MUST be set to observed-string. |
value (required) | | The Unicode encoded value of the string. |
extensions (optional) | | As this is an SCO extension, the extensions block is required and SHOULD be included when using this object. It SHOULD have an entry for extension-definition--8b1aa84c-5532-4c69-a8e7-b6170facfd3d. |
Examples
{
  "type": "observed-string",
  "spec_version": "2.1",
  "id": "observed-string--d28133c6-610f-54e7-9cb4-4add1a2929f7",
  "value": "asd52asdadSAD23ssa",
  "purpose": "mission-id",
  "extensions": {
    "extension-definition--8b1aa84c-5532-4c69-a8e7-b6170facfd3d": {
      "extension_type": "new-sco"
    }
  }
}
3. Vocabularies
3.1. String Purpose Vocabulary
Type Name: string-purpose-ov
Vocabulary Value | Description |
---|---|
decoded | A generic string that was decoded from a source input. |
document-text | The full text of a document or text file that was extracted for human review. |
gui-text | Text presented to users as part of a graphical user interface. For example, a ransom message. |
mission-id | A mission or campaign ID found within a malware sample that is used for tracking. |
pipe | A named pipe. |
unknown | The purpose of this string is unknown. These can be produced by running a generic string extraction against an executable instead of using more specific techniques. |
user-agent | A user agent string found in network traffic or which a program may generate. |
uuid | A UUID without a more specific purpose. |
4. Relationships
Common Relationships |
---|
derived-from, duplicate-of, related-to |

Source | Type | Target | Description |
---|---|---|---|
artifact | outputs | observed-string | An artifact can be decoded to output an observed string. |
observed-string | outputs | observed-string | An encoded observed-string can be decoded to output an observed string. |

Reverse Relationships

Source | Type | Target | Description |
---|---|---|---|
url | contained | observed-string | The url contained the observed-string. |
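The following is an added example, not code from the specification or from the OASIS CTI TC, showing how a producer would build an observed-string object with the properties of section 2 (including a deterministic id derived from the ID contributing properties purpose and value), check it against the MUST/SHOULD rules above and the string-purpose-ov vocabulary of section 3.1, and express the outputs relationship of section 4. The helper names (make_observed_string, validate_observed_string, make_outputs_relationship) are this example's own; the SCO namespace UUID is the one STIX 2.1 specifies for deterministic SCO ids, and the sample strings and the artifact stand-in are constructed for illustration.

```python
"""Added example (not part of the Observed String extension specification):
build and validate observed-string SCOs and the 'outputs' relationship."""
import json
import re
import uuid
from datetime import datetime, timezone

# Extension ID as given in section 2 of the specification.
EXTENSION_ID = "extension-definition--8b1aa84c-5532-4c69-a8e7-b6170facfd3d"
# Namespace UUID that STIX 2.1 mandates for deterministic (UUIDv5) SCO identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# string-purpose-ov as listed in section 3.1.
STRING_PURPOSE_OV = frozenset({
    "decoded", "document-text", "gui-text", "mission-id",
    "pipe", "unknown", "user-agent", "uuid",
})
# (source type, target type) pairs for which section 4 defines an 'outputs' relationship.
OUTPUTS_PAIRS = {("artifact", "observed-string"), ("observed-string", "observed-string")}
NOT_APPLICABLE = ("confidence", "created_by_ref", "external_references", "labels", "lang", "revoked")
ID_RE = re.compile(r"^observed-string--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def deterministic_id(value, purpose):
    """UUIDv5 over the canonical JSON of the ID contributing properties (purpose, value).
    STIX 2.1 requires RFC 8785 canonical JSON for the hashed name; for ordinary text
    values, json.dumps with sorted keys and compact separators yields the same bytes
    (ensure_ascii=False keeps non-ASCII characters as UTF-8, as RFC 8785 does)."""
    canonical = json.dumps({"purpose": purpose, "value": value},
                           sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return "observed-string--" + str(uuid.uuid5(STIX_SCO_NAMESPACE, canonical))


def make_observed_string(value, purpose):
    """Build an observed-string SCO carrying the extension block required by section 2."""
    return {
        "type": "observed-string",
        "spec_version": "2.1",
        "id": deterministic_id(value, purpose),
        "value": value,
        "purpose": purpose,
        "extensions": {EXTENSION_ID: {"extension_type": "new-sco"}},
    }


def validate_observed_string(obj):
    """Return (errors, warnings): errors are MUST violations, warnings are SHOULD violations."""
    errors, warnings = [], []
    if obj.get("type") != "observed-string":
        errors.append("type MUST be 'observed-string'")
    for prop in ("id", "value", "purpose"):
        if prop not in obj:
            errors.append(f"required property '{prop}' is missing")
    for prop in NOT_APPLICABLE:
        if prop in obj:
            errors.append(f"property '{prop}' is not applicable to observed-string")
    obj_id = obj.get("id", "")
    if not ID_RE.match(obj_id):
        errors.append("id MUST have the form observed-string--<uuid>")
    elif uuid.UUID(obj_id.split("--", 1)[1]).version != 5:
        warnings.append("SCO ids SHOULD be deterministic UUIDv5 values")
    elif "value" in obj and "purpose" in obj and obj_id != deterministic_id(obj["value"], obj["purpose"]):
        warnings.append("id does not match the UUIDv5 derived from purpose and value")
    if not isinstance(obj.get("value", ""), str):
        errors.append("value MUST be a string")
    if "purpose" in obj and obj["purpose"] not in STRING_PURPOSE_OV:
        warnings.append(f"purpose '{obj['purpose']}' is not in string-purpose-ov")
    ext = obj.get("extensions", {}).get(EXTENSION_ID)
    if ext is None:
        warnings.append(f"extensions SHOULD include {EXTENSION_ID}")
    elif ext.get("extension_type") != "new-sco":
        errors.append("extension_type MUST be 'new-sco'")
    return errors, warnings


def outputs_allowed(source_type, target_type):
    """True when section 4 defines an 'outputs' relationship for this source/target pair."""
    return (source_type, target_type) in OUTPUTS_PAIRS


def make_outputs_relationship(source, target):
    """Build the 'outputs' SRO from section 4; rejects pairs the table does not define."""
    if not outputs_allowed(source["type"], target["type"]):
        raise ValueError(f"'outputs' is not defined for {source['type']} -> {target['type']}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--" + str(uuid.uuid4()),  # SROs use random UUIDv4 ids
        "created": now,
        "modified": now,
        "relationship_type": "outputs",
        "source_ref": source["id"],
        "target_ref": target["id"],
    }


# The example object from section 2 of the specification, copied verbatim.
SPEC_EXAMPLE = {
    "type": "observed-string",
    "spec_version": "2.1",
    "id": "observed-string--d28133c6-610f-54e7-9cb4-4add1a2929f7",
    "value": "asd52asdadSAD23ssa",
    "purpose": "mission-id",
    "extensions": {EXTENSION_ID: {"extension_type": "new-sco"}},
}

if __name__ == "__main__":
    # Constructed sample: a marker string recovered while unpacking (not a real IoC);
    # the artifact dict is a minimal stand-in for the packed sample's SCO.
    packed = {"type": "artifact", "id": "artifact--" + str(uuid.uuid4())}
    marker = make_observed_string("UNPACK-STAGE-2", "decoded")
    print(json.dumps(marker, indent=2))
    print(json.dumps(make_outputs_relationship(packed, marker), indent=2))
    print(validate_observed_string(SPEC_EXAMPLE))
```

Because purpose and value are the ID contributing properties, two producers that observe the same string for the same purpose derive the same id and consumers can deduplicate on it; changing only the purpose yields a different object, which is why the validator treats an id mismatch as a warning worth investigating rather than silently accepting the object. A purpose outside string-purpose-ov is reported as a warning, matching the SHOULD in section 2.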
Appendix A. Acknowledgements
Primary Editor
Jeffrey Mates, US Department of Defense (DoD)
Contributors
The following individuals were members of the OASIS CTI Technical Committee and contributed time and effort to ensure that this extension would be possible. Their contributions are gratefully acknowledged:
Appendix B. Revision History
Revision | Date | Editor | Changes Made |
---|---|---|---|
01 | 2022-09-06 | Jeffrey Mates | Initial Version |