Merge branch 'MISP:main' into main

Sebastien Larinier 2023-04-19 16:48:02 +02:00 committed by GitHub
commit 165ce70a28
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 199 additions and 51 deletions


@ -315,6 +315,27 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "uses" "type": "uses"
},
{
"dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
} }
], ],
"uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
@ -322,10 +343,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"APT41", "APT41",
"BARIUM" "BARIUM"
@ -336,10 +357,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"CHROMIUM", "CHROMIUM",
"ControlX" "ControlX"
@ -350,10 +371,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"DEV-0322" "DEV-0322"
] ]
@ -363,10 +384,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"APT40", "APT40",
"GADOLINIUM", "GADOLINIUM",
@ -380,10 +401,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"GALLIUM" "GALLIUM"
] ]
@ -393,10 +414,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"DEV-0234" "DEV-0234"
] ]
@ -406,10 +427,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"APT5", "APT5",
"Keyhole Panda", "Keyhole Panda",
@ -422,10 +443,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"APT15", "APT15",
"NICKEL", "NICKEL",
@ -438,10 +459,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"APT30", "APT30",
"LotusBlossom", "LotusBlossom",
@ -453,10 +474,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"HAFNIUM" "HAFNIUM"
] ]
@ -466,10 +487,10 @@
}, },
{ {
"meta": { "meta": {
"country": "CN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "China",
"synonyms": [ "synonyms": [
"APT31", "APT31",
"ZIRCONIUM" "ZIRCONIUM"
@ -666,10 +687,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"NEPTUNIUM", "NEPTUNIUM",
"Vice Leaker" "Vice Leaker"
@ -680,10 +701,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"CURIUM", "CURIUM",
"TA456", "TA456",
@ -695,10 +716,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"DEV-0228" "DEV-0228"
] ]
@ -708,10 +729,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"DEV-0343" "DEV-0343"
] ]
@ -721,10 +742,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"APT34", "APT34",
"Cobalt Gypsy", "Cobalt Gypsy",
@ -737,10 +758,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"Fox Kitten", "Fox Kitten",
"PioneerKitten", "PioneerKitten",
@ -753,10 +774,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"MERCURY", "MERCURY",
"MuddyWater", "MuddyWater",
@ -770,10 +791,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"DEV-0500", "DEV-0500",
"Moses Staff" "Moses Staff"
@ -784,10 +805,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"APT35", "APT35",
"Charming Kitten", "Charming Kitten",
@ -799,10 +820,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"APT33", "APT33",
"HOLMIUM", "HOLMIUM",
@ -814,10 +835,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"AMERICIUM", "AMERICIUM",
"Agrius", "Agrius",
@ -831,10 +852,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"DEV-0146", "DEV-0146",
"ZeroCleare" "ZeroCleare"
@ -845,10 +866,10 @@
}, },
{ {
"meta": { "meta": {
"country": "IR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Iran",
"synonyms": [ "synonyms": [
"BOHRIUM" "BOHRIUM"
] ]
@ -858,10 +879,10 @@
}, },
{ {
"meta": { "meta": {
"country": "LB",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Lebanon",
"synonyms": [ "synonyms": [
"POLONIUM" "POLONIUM"
] ]
@ -871,10 +892,10 @@
}, },
{ {
"meta": { "meta": {
"country": "KP",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "North Korea",
"synonyms": [ "synonyms": [
"Labyrinth Chollima", "Labyrinth Chollima",
"Lazarus", "Lazarus",
@ -886,10 +907,10 @@
}, },
{ {
"meta": { "meta": {
"country": "KP",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "North Korea",
"synonyms": [ "synonyms": [
"Kimsuky", "Kimsuky",
"THALLIUM", "THALLIUM",
@ -901,10 +922,10 @@
}, },
{ {
"meta": { "meta": {
"country": "KP",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "North Korea",
"synonyms": [ "synonyms": [
"Konni", "Konni",
"OSMIUM" "OSMIUM"
@ -915,10 +936,10 @@
}, },
{ {
"meta": { "meta": {
"country": "KP",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "North Korea",
"synonyms": [ "synonyms": [
"LAWRENCIUM" "LAWRENCIUM"
] ]
@ -928,10 +949,10 @@
}, },
{ {
"meta": { "meta": {
"country": "KP",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "North Korea",
"synonyms": [ "synonyms": [
"CERIUM" "CERIUM"
] ]
@ -941,10 +962,10 @@
}, },
{ {
"meta": { "meta": {
"country": "KP",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "North Korea",
"synonyms": [ "synonyms": [
"BlueNoroff", "BlueNoroff",
"COPERNICIUM", "COPERNICIUM",
@ -956,10 +977,10 @@
}, },
{ {
"meta": { "meta": {
"country": "KP",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "North Korea",
"synonyms": [ "synonyms": [
"DEV-0530", "DEV-0530",
"H0lyGh0st" "H0lyGh0st"
@ -1026,10 +1047,10 @@
}, },
{ {
"meta": { "meta": {
"country": "RU",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Russia",
"synonyms": [ "synonyms": [
"ACTINIUM", "ACTINIUM",
"Gamaredon", "Gamaredon",
@ -1042,10 +1063,10 @@
}, },
{ {
"meta": { "meta": {
"country": "RU",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Russia",
"synonyms": [ "synonyms": [
"DEV-0586" "DEV-0586"
] ]
@ -1055,10 +1076,10 @@
}, },
{ {
"meta": { "meta": {
"country": "RU",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Russia",
"synonyms": [ "synonyms": [
"APT28", "APT28",
"Fancy Bear", "Fancy Bear",
@ -1070,10 +1091,10 @@
}, },
{ {
"meta": { "meta": {
"country": "RU",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Russia",
"synonyms": [ "synonyms": [
"BROMINE", "BROMINE",
"Crouching Yeti", "Crouching Yeti",
@ -1085,10 +1106,10 @@
}, },
{ {
"meta": { "meta": {
"country": "RU",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Russia",
"synonyms": [ "synonyms": [
"APT29", "APT29",
"Cozy Bear", "Cozy Bear",
@ -1100,10 +1121,10 @@
}, },
{ {
"meta": { "meta": {
"country": "RU",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Russia",
"synonyms": [ "synonyms": [
"IRIDIUM", "IRIDIUM",
"Sandworm" "Sandworm"
@ -1114,10 +1135,10 @@
}, },
{ {
"meta": { "meta": {
"country": "RU",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Russia",
"synonyms": [ "synonyms": [
"Callisto", "Callisto",
"Reuse Team", "Reuse Team",
@ -1129,10 +1150,10 @@
}, },
{ {
"meta": { "meta": {
"country": "RU",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Russia",
"synonyms": [ "synonyms": [
"DEV-0665" "DEV-0665"
] ]
@ -1142,10 +1163,10 @@
}, },
{ {
"meta": { "meta": {
"country": "KR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "South Korea",
"synonyms": [ "synonyms": [
"DUBNIUM", "DUBNIUM",
"Dark Hotel", "Dark Hotel",
@ -1157,10 +1178,10 @@
}, },
{ {
"meta": { "meta": {
"country": "TR",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Turkey",
"synonyms": [ "synonyms": [
"SILICON", "SILICON",
"Sea Turtle" "Sea Turtle"
@ -1171,10 +1192,10 @@
}, },
{ {
"meta": { "meta": {
"country": "VN",
"refs": [ "refs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
], ],
"sector": "Vietnam",
"synonyms": [ "synonyms": [
"APT32", "APT32",
"BISMUTH", "BISMUTH",
@ -1185,5 +1206,5 @@
"value": "Canvas Cyclone" "value": "Canvas Cyclone"
} }
], ],
"version": 12 "version": 13
} }
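Review bot: The new `"sector"` key added in every meta block from the `@ -322,10 +343,10 @@` hunk onward holds a country name ("China", "Iran", "North Korea", "Russia", …), duplicating the ISO code added on the line above as `"country": "CN",` and so on. In MISP galaxy cluster meta, a `sector` field is otherwise read as the targeted industry sector, so anything filtering or pivoting on it will now return nationalities for these clusters instead of sectors, and the two keys can drift apart on later edits. I would keep the `"country"` line and drop the `"sector": "China",` line (and its counterparts in the later hunks); if the intent is to record the attribution grouping as text, a key whose name says so is preferable to overloading `sector`. If this galaxy's schema deliberately defines `sector` this way, a short note in the galaxy description would save the next reader the same question.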


@ -16,9 +16,18 @@
"https://www.notion.so/product" "https://www.notion.so/product"
] ]
}, },
"related": [
{
"dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "5c807e49-dc90-4f80-b044-49bb990acb61", "uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
"value": "Notion" "value": "Notion"
} }
], ],
"version": 1 "version": 2
} }


@ -2302,6 +2302,27 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
} }
], ],
"uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
@ -8192,6 +8213,27 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
} }
], ],
"uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
@ -10667,5 +10709,5 @@
"value": "Anonymous Sudan" "value": "Anonymous Sudan"
} }
], ],
"version": 263 "version": 265
} }


@ -8711,7 +8711,7 @@
}, },
"related": [ "related": [
{ {
"dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,", "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -8756,7 +8756,7 @@
"value": "AHK Bot" "value": "AHK Bot"
}, },
{ {
"description": "A tool first used in October 2022, abusing the Notion7 service to communicate and download further malicious files. Two versions of this tool have been observed.", "description": "A tool first used in October 2022, abusing the Notion service to communicate and download further malicious files. Two versions of this tool have been observed.\n\nSNOWYAMBER is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the NOTION collaboration service as a communication channel. It does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, SNOWYAMBER uses several antidetection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services", "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
@ -8764,11 +8764,41 @@
"https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d" "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
] ]
}, },
"related": [
{
"dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"uuid": "0125ef58-2675-426f-90eb-0b189961199a", "uuid": "0125ef58-2675-426f-90eb-0b189961199a",
"value": "SNOWYAMBER" "value": "SNOWYAMBER"
}, },
{ {
"description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.", "description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.\n\nHALFRIG is a stager for CobaltStrike Beacon that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. HALFRIG has significant code overlap with the QUARTERRIG and it is highly probable that it was developed by the same team.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services", "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
@ -8776,11 +8806,34 @@
"https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf" "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
] ]
}, },
"related": [
{
"dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e", "uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
"value": "HALFRIG" "value": "HALFRIG"
}, },
{ {
"description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.", "description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.\n\nQUARTERRIG is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, QUARTERRIG heavily relies on obfuscation based on opaque predicates and multi-stage execution, interweaving shellcode and PE files. HALFRIG and QUARTERRIG share some of the codebase, suggesting that QUARTERRIG authors have access to both HALFRIG source code and the same obfuscation libraries.",
"meta": { "meta": {
"refs": [ "refs": [
"https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services", "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
@ -8788,9 +8841,32 @@
"https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf" "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
] ]
}, },
"related": [
{
"dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b", "uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
"value": "QUARTERRIG" "value": "QUARTERRIG"
} }
], ],
"version": 162 "version": 164
} }
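Review bot: The correction at the `@ -8711,7 +8711,7 @@` hunk, where `"dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,"` carried a stray comma inside the string, shows that a malformed reference can sit in a cluster file unnoticed, and this commit hand-writes a dozen more `related` entries across four files in the same way. A validation step that checks every `dest-uuid` against the UUID pattern `^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$` and confirms it resolves to an existing cluster `uuid` would have caught the original typo and would catch dangling cross-galaxy links in future. The new `uses`/`used-by` pairs here do appear to mirror each other (the three actor clusters in the first and third files reference `0125ef58…`, `f169f0b3…` and `2d5072db…`, which reference them back), so I raise this as a missing check rather than a defect in these lines.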