Signed vs. Unsigned Drivers/Processes Cyber Observables #50

Open
ikiril01 opened this issue Nov 22, 2017 · 2 comments

Comments

@ikiril01

Jason pointed out that we currently can't characterize signed vs. unsigned processes and drivers in Cyber Observables. For processes, this would mean adding a new property to the Process Cyber Observable Object. For drivers, we'd have to add a new Cyber Observable Object.

@gtback

gtback commented Nov 27, 2017

Is the process itself signed, or the file that is used to launch the process? Almost seems like this would be better for extension(s) of the File object.

@JasonKeirstead

Use case example: Match when any unsigned executable has been loaded into lsass.exe.


7 participants