LOLBAS/YML-Schema.yml
2022-09-15 13:44:18 -04:00

119 lines
3.0 KiB
YAML

---
type: map
mapping:
# Id field enhancement possibility commenting out for now
# "Id":
# type: str
# required: true
# pattern: '[a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}'
"Name":
type: str
required: true
"Description":
type: str
required: true
"Aliases":
type: seq
required: false
sequence:
- type: map
mapping:
"Alias":
type: str
required: false
"Author":
type: str
required: true
"Created":
type: date
required: true
"Commands":
type: seq
required: true
sequence:
- type: map
mapping:
"Command":
type: str
required: true
"Description":
type: str
required: true
"Usecase":
type: str
required: true
"Category":
type: str
required: true
enum: [ADS, AWL Bypass, Compile, Conceal, Copy, Credentials, Decode, Download, Dump, Encode, Execute, Reconnaissance, Tamper, UAC Bypass, Upload]
"Privileges":
type: str
required: true
"MitreID":
type: str
required: true
pattern: '^T[0-9]{4}(\.[0-9]{3})?$'
"OperatingSystem":
type: str
required: true
"Full_Path":
type: seq
required: true
sequence:
- type: map
mapping:
"Path":
type: str
required: true
"Code_Sample":
type: seq
required: false
sequence:
- type: map
mapping:
"Code":
type: str
"Detection":
type: seq
required: false
sequence:
- type: map
mapping:
"IOC":
type: str
"Sigma":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Analysis":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Elastic":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Splunk":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"BlockRule":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Resources":
type: seq
required: false
sequence:
- type: map
mapping:
"Link":
type: str
pattern: '^http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+#]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+$'
"Acknowledgement":
type: seq
required: false
sequence:
- type: map
mapping:
"Person":
type: str
"Handle":
type: str
pattern: '^(@(\w){1,15})?$'