diff --git a/clusters/tidal-campaigns.json b/clusters/tidal-campaigns.json
index 0c0636d..0b3910f 100644
--- a/clusters/tidal-campaigns.json
+++ b/clusters/tidal-campaigns.json
@@ -7,7 +7,7 @@
"name": "Tidal Campaigns",
"source": "https://app-api.tidalcyber.com/api/v1/campaigns/",
"type": "campaigns",
- "uuid": "43a8fce6-08d3-46c2-957d-53606efe2c48",
+ "uuid": "3db4b6cb-5b89-4096-a057-e0205777adc9",
"values": [
{
"description": "[2015 Ukraine Electric Power Attack](https://app.tidalcyber.com/campaigns/96e367d0-a744-5b63-85ec-595f505248a3) was a [Sandworm Team](https://app.tidalcyber.com/groups/16a65ee9-cd60-4f04-ba34-f2f45fcfc666) campaign during which they used [BlackEnergy](https://app.tidalcyber.com/software/908216c7-3ad4-4e0c-9dd3-a7ed5d1c695f) (specifically BlackEnergy3) and [KillDisk](https://app.tidalcyber.com/software/b5532e91-d267-4819-a05d-8c5358995add) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.",
diff --git a/clusters/tidal-groups.json b/clusters/tidal-groups.json
index 1c292dc..4b923a9 100644
--- a/clusters/tidal-groups.json
+++ b/clusters/tidal-groups.json
@@ -7,7 +7,7 @@
"name": "Tidal Groups",
"source": "https://app-api.tidalcyber.com/api/v1/groups/",
"type": "groups",
- "uuid": "41c3e5c0-de5c-4edb-b48b-48cd8e7519e6",
+ "uuid": "877cdc4b-3392-4353-a7d4-2e46d40e5936",
"values": [
{
"description": "[admin@338](https://app.tidalcyber.com/groups/8567136b-f84a-45ed-8cce-46324c7da60e) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://app.tidalcyber.com/software/1d87a695-7989-49ae-ac1a-b6601db565c3), as well as some non-public backdoors. [[FireEye admin@338](https://app.tidalcyber.com/references/f3470275-9652-440e-914d-ad4fc5165413)]",
diff --git a/clusters/tidal-references.json b/clusters/tidal-references.json
index c6ec02f..35270ab 100644
--- a/clusters/tidal-references.json
+++ b/clusters/tidal-references.json
@@ -7,7 +7,7 @@
"name": "Tidal References",
"source": "https://app-api.tidalcyber.com/api/v1/references/",
"type": "references",
- "uuid": "43a8fce6-08d3-46c2-957d-53606efe2c48",
+ "uuid": "efd98ec4-16ef-41c4-bc3c-60c7c1ae8b39",
"values": [
{
"description": "Banerd, W. (2019, April 30). 10 of the Best Open Source Threat Intelligence Feeds. Retrieved October 20, 2020.",
diff --git a/clusters/tidal-software.json b/clusters/tidal-software.json
index a5dc88e..bfacd01 100644
--- a/clusters/tidal-software.json
+++ b/clusters/tidal-software.json
@@ -7,7 +7,7 @@
"name": "Tidal Software",
"source": "https://app-api.tidalcyber.com/api/v1/software/",
"type": "software",
- "uuid": "38d62d8b-4c49-489a-9bc4-8e294c4f04f7",
+ "uuid": "6eb44da4-ed4f-4a5d-a444-0f105ff1b3c2",
"values": [
{
"description": "[3PARA RAT](https://app.tidalcyber.com/software/71d76208-c465-4447-8d6e-c54f142b65a4) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://app.tidalcyber.com/groups/6005f4a9-fe26-4237-a44e-3f6cbb1fe75c). [[CrowdStrike Putter Panda](https://app.tidalcyber.com/references/413962d0-bd66-4000-a077-38c2677995d1)]",
diff --git a/clusters/tidal-tactic.json b/clusters/tidal-tactic.json
index 3432967..b24c5fd 100644
--- a/clusters/tidal-tactic.json
+++ b/clusters/tidal-tactic.json
@@ -7,12 +7,12 @@
"name": "Tidal Tactic",
"source": "https://app-api.tidalcyber.com/api/v1/tactic/",
"type": "tactic",
- "uuid": "43a8fce6-08d3-46c2-957d-53606efe2c48",
+ "uuid": "16b963e7-4b88-44e0-b184-16bf9e71fdc9",
"values": [
{
"description": "The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.",
"meta": {
- "ordinal_position": 1,
+ "ordinal_position": "1",
"source": "MITRE",
"tactic_attack_id": "TA0043"
},
@@ -200,7 +200,7 @@
{
"description": "The adversary is trying to establish resources they can use to support operations.\n\nResource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.",
"meta": {
- "ordinal_position": 2,
+ "ordinal_position": "2",
"source": "MITRE",
"tactic_attack_id": "TA0042"
},
@@ -392,7 +392,7 @@
{
"description": "The adversary is trying to get into your network.\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.",
"meta": {
- "ordinal_position": 3,
+ "ordinal_position": "3",
"source": "MITRE",
"tactic_attack_id": "TA0001"
},
@@ -488,7 +488,7 @@
{
"description": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. ",
"meta": {
- "ordinal_position": 4,
+ "ordinal_position": "4",
"source": "MITRE",
"tactic_attack_id": "TA0002"
},
@@ -644,7 +644,7 @@
{
"description": "The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. ",
"meta": {
- "ordinal_position": 5,
+ "ordinal_position": "5",
"source": "MITRE",
"tactic_attack_id": "TA0003"
},
@@ -1116,7 +1116,7 @@
{
"description": "The adversary is trying to gain higher-level permissions.\n\nPrivilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: \n\n* SYSTEM/root level\n* local administrator\n* user account with admin-like access \n* user accounts with access to specific system or perform specific function\n\nThese techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context. ",
"meta": {
- "ordinal_position": 6,
+ "ordinal_position": "6",
"source": "MITRE",
"tactic_attack_id": "TA0004"
},
@@ -1544,7 +1544,7 @@
{
"description": "The adversary is trying to avoid being detected.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. ",
"meta": {
- "ordinal_position": 7,
+ "ordinal_position": "7",
"source": "MITRE",
"tactic_attack_id": "TA0005"
},
@@ -2320,7 +2320,7 @@
{
"description": "The adversary is trying to steal account names and passwords.\n\nCredential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.",
"meta": {
- "ordinal_position": 8,
+ "ordinal_position": "8",
"source": "MITRE",
"tactic_attack_id": "TA0006"
},
@@ -2588,7 +2588,7 @@
{
"description": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective. ",
"meta": {
- "ordinal_position": 9,
+ "ordinal_position": "9",
"source": "MITRE",
"tactic_attack_id": "TA0007"
},
@@ -2784,7 +2784,7 @@
{
"description": "The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. ",
"meta": {
- "ordinal_position": 10,
+ "ordinal_position": "10",
"source": "MITRE",
"tactic_attack_id": "TA0008"
},
@@ -2888,7 +2888,7 @@
{
"description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.",
"meta": {
- "ordinal_position": 11,
+ "ordinal_position": "11",
"source": "MITRE",
"tactic_attack_id": "TA0009"
},
@@ -3048,7 +3048,7 @@
{
"description": "The adversary is trying to communicate with compromised systems to control them.\n\nCommand and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.",
"meta": {
- "ordinal_position": 12,
+ "ordinal_position": "12",
"source": "MITRE",
"tactic_attack_id": "TA0011"
},
@@ -3220,7 +3220,7 @@
{
"description": "The adversary is trying to steal data.\n\nExfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.",
"meta": {
- "ordinal_position": 13,
+ "ordinal_position": "13",
"source": "MITRE",
"tactic_attack_id": "TA0010"
},
@@ -3308,7 +3308,7 @@
{
"description": "The adversary is trying to manipulate, interrupt, or destroy your systems and data.\n \nImpact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.",
"meta": {
- "ordinal_position": 14,
+ "ordinal_position": "14",
"source": "MITRE",
"tactic_attack_id": "TA0040"
},
diff --git a/clusters/tidal-technique.json b/clusters/tidal-technique.json
index 60f2413..cf11914 100644
--- a/clusters/tidal-technique.json
+++ b/clusters/tidal-technique.json
@@ -7,7 +7,7 @@
"name": "Tidal Technique",
"source": "https://app-api.tidalcyber.com/api/v1/technique/",
"type": "technique",
- "uuid": "43a8fce6-08d3-46c2-957d-53606efe2c48",
+ "uuid": "298b6aee-981b-4fd8-8759-a2e72ad223fa",
"values": [
{
"description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.[[TechNet How UAC Works](https://app.tidalcyber.com/references/bbf8d1a3-115e-4bc8-be43-47ce3b295d45)]\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) objects without prompting the user through the UAC notification box.[[TechNet Inside UAC](https://app.tidalcyber.com/references/dea47af6-677a-4625-8664-adf0e6839c9f)][[MSDN COM Elevation](https://app.tidalcyber.com/references/898df7c7-4f19-40cb-a216-7b0f6c6155b3)] An example of this is use of [Rundll32](https://app.tidalcyber.com/technique/5652575d-cdb9-44ef-9c32-fff038f15444) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://app.tidalcyber.com/technique/8bc683db-1311-476f-8cae-45f3f89dcc66) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.[[Davidson Windows](https://app.tidalcyber.com/references/49af01f2-06c5-4b21-9882-901ad828ee28)]\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods[[Github UACMe](https://app.tidalcyber.com/references/7006d59d-3b61-4030-a680-5dac52133722)] that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe
can auto-elevate and execute a specified binary or script.[[enigma0x3 Fileless UAC Bypass](https://app.tidalcyber.com/references/74b16ca4-9494-4f10-97c5-103a8521818f)][[Fortinet Fareit](https://app.tidalcyber.com/references/d06223d7-2d86-41c6-af23-50865a1810c0)]\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.[[SANS UAC Bypass](https://app.tidalcyber.com/references/824739ac-633a-40e0-bb01-2bfd43714d67)]",
diff --git a/tools/tidal-api/config/campaigns.json b/tools/tidal-api/config/campaigns.json
index 408476e..2a8bbc4 100644
--- a/tools/tidal-api/config/campaigns.json
+++ b/tools/tidal-api/config/campaigns.json
@@ -4,7 +4,7 @@
"namespace": "tidal",
"description": "Tidal Campaigns Galaxy",
"type": "campaigns",
- "uuid": "43a8fce6-08d3-46c2-957d-53606efe2c48",
+ "uuid": "3db4b6cb-5b89-4096-a057-e0205777adc9",
"icon": "bullhorn"
},
"cluster": {
diff --git a/tools/tidal-api/config/groups.json b/tools/tidal-api/config/groups.json
index f54a60c..62d50b5 100644
--- a/tools/tidal-api/config/groups.json
+++ b/tools/tidal-api/config/groups.json
@@ -4,7 +4,7 @@
"namespace": "tidal",
"description": "Tidal Groups Galaxy",
"type": "groups",
- "uuid": "41c3e5c0-de5c-4edb-b48b-48cd8e7519e6",
+ "uuid": "877cdc4b-3392-4353-a7d4-2e46d40e5936",
"icon": "user-secret"
},
"cluster": {
diff --git a/tools/tidal-api/config/references.json b/tools/tidal-api/config/references.json
index 037b034..a2071c6 100644
--- a/tools/tidal-api/config/references.json
+++ b/tools/tidal-api/config/references.json
@@ -4,7 +4,7 @@
"namespace": "tidal",
"description": "Tidal References Galaxy",
"type": "references",
- "uuid": "43a8fce6-08d3-46c2-957d-53606efe2c48",
+ "uuid": "efd98ec4-16ef-41c4-bc3c-60c7c1ae8b39",
"icon": "list"
},
"cluster": {
diff --git a/tools/tidal-api/config/software.json b/tools/tidal-api/config/software.json
index f2070dd..ed0e548 100644
--- a/tools/tidal-api/config/software.json
+++ b/tools/tidal-api/config/software.json
@@ -4,7 +4,7 @@
"namespace": "tidal",
"description": "Tidal Software Galaxy",
"type": "software",
- "uuid": "38d62d8b-4c49-489a-9bc4-8e294c4f04f7",
+ "uuid": "6eb44da4-ed4f-4a5d-a444-0f105ff1b3c2",
"icon": "file-code"
},
"cluster": {
diff --git a/tools/tidal-api/config/tactic.json b/tools/tidal-api/config/tactic.json
index d2a845d..260d37c 100644
--- a/tools/tidal-api/config/tactic.json
+++ b/tools/tidal-api/config/tactic.json
@@ -4,7 +4,7 @@
"namespace": "tidal",
"description": "Tidal Tactic Galaxy",
"type": "tactic",
- "uuid": "43a8fce6-08d3-46c2-957d-53606efe2c48",
+ "uuid": "16b963e7-4b88-44e0-b184-16bf9e71fdc9",
"icon": "map"
},
"cluster": {
diff --git a/tools/tidal-api/config/technique.json b/tools/tidal-api/config/technique.json
index debdda0..b192d04 100644
--- a/tools/tidal-api/config/technique.json
+++ b/tools/tidal-api/config/technique.json
@@ -4,7 +4,7 @@
"namespace": "tidal",
"description": "Tidal Technique Galaxy",
"type": "technique",
- "uuid": "43a8fce6-08d3-46c2-957d-53606efe2c48",
+ "uuid": "298b6aee-981b-4fd8-8759-a2e72ad223fa",
"icon": "user-ninja"
},
"cluster": {
diff --git a/tools/tidal-api/models/cluster.py b/tools/tidal-api/models/cluster.py
index df22826..77f60eb 100644
--- a/tools/tidal-api/models/cluster.py
+++ b/tools/tidal-api/models/cluster.py
@@ -62,7 +62,7 @@ class SubTechniqueMeta(Meta):
class TacticMeta(Meta):
source: str = None
tactic_attack_id: str = None
- ordinal_position: int = None
+ ordinal_position: str = None
tags: list = None
owner: str = None
@@ -531,7 +531,7 @@ class TacticCluster(Cluster):
meta = TacticMeta(
source=entry.get("source"),
tactic_attack_id=entry.get("tactic_attack_id"),
- ordinal_position=entry.get("ordinal_position"),
+ ordinal_position=str(entry.get("ordinal_position")),
tags=[x.get("tag") for x in entry.get("tags")],
owner=entry.get("owner_name"),
)