Worked on artifact definition naming convention (#486)

data/kaspersky_careto.yaml

@@ -1,43 +1,38 @@
-# Artifacts from the Kaspersky Careto report.
+# Artifact definitions based on the Kaspersky Careto report.
 ---
-name: KasperskyCaretoDarwinFiles
-doc: Darwin Careto IOCs.
+name: KasperskyCaretoDarwinFile
+aliases: [KasperskyCaretoDarwinFiles]
+doc: Kaspersky Careto Darwin file system indicators of compromise (IOCs).
 sources:
 - type: FILE
   attributes:
     paths:
     - /Applications/.DS_Store.app/**10
     - /Library/LaunchAgents/com.apple.launchport.plist
 supported_os: [Darwin]
-urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
+urls: ['https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf']
 ---
 name: KasperskyCaretoIndicators
-doc: Kaspersky Careto Indicators.
+doc: Kaspersky Careto indicators of compromise (IOCs).
 sources:
 - type: ARTIFACT_GROUP
   attributes:
     names:
-    - KasperskyCaretoWindowsFiles
-    - KasperskyCaretoWindowsRegKeys
-    - KasperskyCaretoDarwinFiles
+    - KasperskyCaretoDarwinFile
+    - KasperskyCaretoWindowsFile
+    - KasperskyCaretoWindowsRegistryValue
 supported_os: [Windows, Darwin]
-urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
+urls: ['https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf']
 ---
-name: KasperskyCaretoWindowsFiles
-doc: Windows Careto IOCs.
+name: KasperskyCaretoWindowsFile
+aliases: [KasperskyCaretoWindowsFiles]
+doc: Kaspersky Careto Windows file system indicators of compromise (IOCs).
 sources:
 - type: FILE
   attributes:
     paths:
-    - '%%environ_systemroot%%\System32\objframe.dll'
-    - '%%environ_systemroot%%\System32\shlink32.dll'
-    - '%%environ_systemroot%%\System32\shlink64.dll'
-    - '%%environ_systemroot%%\System32\cdllait32.dll'
-    - '%%environ_systemroot%%\System32\cdllait64.dll'
-    - '%%environ_systemroot%%\System32\cdlluninstallws32.dll'
-    - '%%environ_systemroot%%\System32\cdlluninstallws64.dll'
-    - '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll'
-    - '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll'
+    - '%%environ_systemroot%%\System32\awcodc32.dll'
+    - '%%environ_systemroot%%\System32\awview32.dll'
     - '%%environ_systemroot%%\System32\c_50225.nls'
     - '%%environ_systemroot%%\System32\c_50227.nls'
     - '%%environ_systemroot%%\System32\c_50229.nls'
@@ -50,6 +45,12 @@ sources:
     - '%%environ_systemroot%%\System32\c_57008.nls'
     - '%%environ_systemroot%%\System32\c_57010.nls'
     - '%%environ_systemroot%%\System32\cdgext32.dll'
+    - '%%environ_systemroot%%\System32\cdllait32.dll'
+    - '%%environ_systemroot%%\System32\cdllait64.dll'
+    - '%%environ_systemroot%%\System32\cdlluninstallsgh32.dll'
+    - '%%environ_systemroot%%\System32\cdlluninstallsgh64.dll'
+    - '%%environ_systemroot%%\System32\cdlluninstallws32.dll'
+    - '%%environ_systemroot%%\System32\cdlluninstallws64.dll'
     - '%%environ_systemroot%%\System32\cfgbkmgrs.dll'
     - '%%environ_systemroot%%\System32\cfgmgr64.dll'
     - '%%environ_systemroot%%\System32\comsvrpcs.dll'
@@ -63,31 +64,33 @@ sources:
     - '%%environ_systemroot%%\System32\HPQueue.bin'
     - '%%environ_systemroot%%\System32\LPQueue.bin'
     - '%%environ_systemroot%%\System32\mdwmnsp.dll'
+    - '%%environ_systemroot%%\System32\mfcn30.dll'
+    - '%%environ_systemroot%%\System32\nmwcdlog.dll'
+    - '%%environ_systemroot%%\System32\objframe.dll'
     - '%%environ_systemroot%%\System32\rpcdist.dll'
     - '%%environ_systemroot%%\System32\scsvrft.dll'
     - '%%environ_systemroot%%\System32\sdptbw.dll'
-    - '%%environ_systemroot%%\System32\slbkbw.dll'
-    - '%%environ_systemroot%%\System32\skypeie6plugin.dll'
-    - '%%environ_systemroot%%\System32\wmspdmgr.dll'
-    - '%%environ_systemroot%%\System32\mfcn30.dll'
+    - '%%environ_systemroot%%\System32\shlink32.dll'
+    - '%%environ_systemroot%%\System32\shlink64.dll'
     - '%%environ_systemroot%%\System32\siiw9x.dll'
-    - '%%environ_systemroot%%\System32\nmwcdlog.dll'
+    - '%%environ_systemroot%%\System32\skypeie6plugin.dll'
+    - '%%environ_systemroot%%\System32\slbkbw.dll'
     - '%%environ_systemroot%%\System32\WifiScan.dll'
-    - '%%environ_systemroot%%\System32\awview32.dll'
-    - '%%environ_systemroot%%\System32\awcodc32.dll'
-    - '%%users.temp%%\~DF01AC74D8BE15EE01.tmp'
-    - '%%users.temp%%\~DF23BF45A473C42B56.tmp'
-    - '%%users.temp%%\~DFA0528CD81300F372.tmp'
-    - '%%users.temp%%\~DF8471938479DA49221.tmp'
+    - '%%environ_systemroot%%\System32\wmspdmgr.dll'
     - '%%users.appdata%%\microsoft\c_27803.nls'
     - '%%users.appdata%%\microsoft\objframe.dll'
     - '%%users.appdata%%\microsoft\shmgr.dll'
+    - '%%users.temp%%\~DF01AC74D8BE15EE01.tmp'
+    - '%%users.temp%%\~DF23BF45A473C42B56.tmp'
+    - '%%users.temp%%\~DF8471938479DA49221.tmp'
+    - '%%users.temp%%\~DFA0528CD81300F372.tmp'
     separator: '\'
 supported_os: [Windows]
-urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
+urls: ['https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf']
 ---
-name: KasperskyCaretoWindowsRegKeys
-doc: Windows Careto IOCs.
+name: KasperskyCaretoWindowsRegistryValue
+aliases: [KasperskyCaretoWindowsRegKeys]
+doc: Kaspersky Careto Windows Registry indicators of compromise (IOCs).
 sources:
 - type: REGISTRY_VALUE
   attributes:
@@ -99,4 +102,4 @@ sources:
     - {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}', value: 'InprocServer32'}
     - {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}', value: 'InprocServer32'}
 supported_os: [Windows]
-urls: ['http://www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf']
+urls: ['https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf']

data/unix_common.yaml

@@ -21,7 +21,7 @@ sources:
     - 'UserShellHistory'
 supported_os: [Darwin, Linux]
 ---
-name: BashShellConfigFiles
+name: BashShellConfigFile
 doc: Bourne Again Shell (bash) history files.
 sources:
 - type: FILE
@@ -42,7 +42,7 @@ sources:
 supported_os: [Darwin, Linux]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Bash_shell']
 ---
-name: BashShellHistoryFiles
+name: BashShellHistoryFile
 aliases: [MacOSBashHistory]
 doc: Bourne Again Shell (bash) history files.
 sources:
@@ -54,7 +54,7 @@ sources:
 supported_os: [Darwin, Linux]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Bash_shell']
 ---
-name: BashShellSessionFiles
+name: BashShellSessionFile
 aliases: [MacOSBashSessions]
 doc: Bourne Again Shell (bash) session files.
 sources:

docs/sources/Format-specification.md

@@ -36,18 +36,25 @@ labels | Optional list of predefined labels. Note that labels have been deprecat
 
 ## Name
 
-**Style note**: The name of an artifact definition should be in CamelCase name
-without spaces.
+The name of an artifact definition should be in CamelCase name without spaces.
 
-As of July 2016 we are migrating to the following naming convention:
+Prefix platform specific artifact definitions with the name of the operating
+system using "Linux", "MacOS" or "Windows".
 
-* Prefix platform specific artifact definitions with the name of the operating system using "Linux", "MacOS" or "Windows"
-* If not platform specific:
-** prefix with the application name, for example "ChromeHistory".
-** prefix with the name of the subsystem, for example "WMIComputerSystemProduct".
+If not platform specific:
 
-**Style note**: If the sole source of the artifact definition for example are
-files use "BrowserHistoryFiles" instead of "BrowserHistory" to reduce ambiguity.
+* prefix with the application name, for example "ChromeHistory".
+* prefix with the name of the subsystem, for example "WMIComputerSystemProduct".
+
+Suffix artifact definitions with the type of artifact, for example are files use
+"BrowserHistoryFile" instead of "BrowserHistory" to reduce ambiguity.
+
+Suffix | Description
+--- | ---
+Directory | Contents of one or more directories.
+File | Contents of one or more files.
+LogFile | Contents of one or more log files.
+PlistFile | Contents of one or more property list (plist) files.
 
 ## Description