commit
1903be8941
4 changed files with 328 additions and 91 deletions
|
@ -8,7 +8,9 @@
|
||||||
"complexity": "Medium",
|
"complexity": "Medium",
|
||||||
"effectiveness": "High",
|
"effectiveness": "High",
|
||||||
"impact": "Low",
|
"impact": "Low",
|
||||||
"type": "Recovery"
|
"type": [
|
||||||
|
"Recovery"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "Backup and Restore Process",
|
"value": "Backup and Restore Process",
|
||||||
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore"
|
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore"
|
||||||
|
@ -22,7 +24,9 @@
|
||||||
"complexity": "Low",
|
"complexity": "Low",
|
||||||
"effectiveness": "High",
|
"effectiveness": "High",
|
||||||
"impact": "Low",
|
"impact": "Low",
|
||||||
"type": "GPO"
|
"type": [
|
||||||
|
"GPO"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "Block Macros",
|
"value": "Block Macros",
|
||||||
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"
|
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"
|
||||||
|
@ -35,7 +39,9 @@
|
||||||
"complexity": "Low",
|
"complexity": "Low",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"impact": "Medium",
|
"impact": "Medium",
|
||||||
"type": "GPO",
|
"type": [
|
||||||
|
"GPO"
|
||||||
|
],
|
||||||
"possible_issues": "Administrative VBS scripts on Workstations"
|
"possible_issues": "Administrative VBS scripts on Workstations"
|
||||||
},
|
},
|
||||||
"value": "Disable WSH",
|
"value": "Disable WSH",
|
||||||
|
@ -46,7 +52,9 @@
|
||||||
"complexity": "Low",
|
"complexity": "Low",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"impact": "Low",
|
"impact": "Low",
|
||||||
"type": "Mail Gateway"
|
"type": [
|
||||||
|
"Mail Gateway"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "Filter Attachments Level 1",
|
"value": "Filter Attachments Level 1",
|
||||||
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub"
|
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub"
|
||||||
|
@ -56,7 +64,9 @@
|
||||||
"complexity": "Low",
|
"complexity": "Low",
|
||||||
"effectiveness": "High",
|
"effectiveness": "High",
|
||||||
"impact": "High",
|
"impact": "High",
|
||||||
"type": "Mail Gateway",
|
"type": [
|
||||||
|
"Mail Gateway"
|
||||||
|
],
|
||||||
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
|
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
|
||||||
},
|
},
|
||||||
"value": "Filter Attachments Level 2",
|
"value": "Filter Attachments Level 2",
|
||||||
|
@ -71,7 +81,9 @@
|
||||||
"complexity": "Medium",
|
"complexity": "Medium",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"impact": "Medium",
|
"impact": "Medium",
|
||||||
"type": "GPO",
|
"type": [
|
||||||
|
"GPO"
|
||||||
|
],
|
||||||
"possible_issues": "Web embedded software installers"
|
"possible_issues": "Web embedded software installers"
|
||||||
},
|
},
|
||||||
"value": "Restrict program execution",
|
"value": "Restrict program execution",
|
||||||
|
@ -85,7 +97,9 @@
|
||||||
"complexity": "Low",
|
"complexity": "Low",
|
||||||
"effectiveness": "Low",
|
"effectiveness": "Low",
|
||||||
"impact": "Low",
|
"impact": "Low",
|
||||||
"type": "User Assistence"
|
"type": [
|
||||||
|
"User Assistence"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "Show File Extensions",
|
"value": "Show File Extensions",
|
||||||
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")"
|
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")"
|
||||||
|
@ -98,7 +112,9 @@
|
||||||
"complexity": "Low",
|
"complexity": "Low",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"impact": "Low",
|
"impact": "Low",
|
||||||
"type": "GPO",
|
"type": [
|
||||||
|
"GPO"
|
||||||
|
],
|
||||||
"possible_issues": "administrator resentment"
|
"possible_issues": "administrator resentment"
|
||||||
},
|
},
|
||||||
"value": "Enforce UAC Prompt",
|
"value": "Enforce UAC Prompt",
|
||||||
|
@ -109,7 +125,9 @@
|
||||||
"complexity": "Medium",
|
"complexity": "Medium",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"impact": "Medium",
|
"impact": "Medium",
|
||||||
"type": "Best Practice",
|
"type": [
|
||||||
|
"Best Practice"
|
||||||
|
],
|
||||||
"possible_issues": "igher administrative costs"
|
"possible_issues": "igher administrative costs"
|
||||||
},
|
},
|
||||||
"value": "Remove Admin Privileges",
|
"value": "Remove Admin Privileges",
|
||||||
|
@ -120,7 +138,9 @@
|
||||||
"complexity": "Medium",
|
"complexity": "Medium",
|
||||||
"effectiveness": "Low",
|
"effectiveness": "Low",
|
||||||
"impact": "Low",
|
"impact": "Low",
|
||||||
"type": "Best Practice"
|
"type": [
|
||||||
|
"Best Practice"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "Restrict Workstation Communication",
|
"value": "Restrict Workstation Communication",
|
||||||
"description": "Activate the Windows Firewall to restrict workstation to workstation communication"
|
"description": "Activate the Windows Firewall to restrict workstation to workstation communication"
|
||||||
|
@ -129,7 +149,9 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"complexity": "Medium",
|
"complexity": "Medium",
|
||||||
"effectiveness": "High",
|
"effectiveness": "High",
|
||||||
"type": "Advanced Malware Protection"
|
"type": [
|
||||||
|
"Advanced Malware Protection"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "Sandboxing Email Input",
|
"value": "Sandboxing Email Input",
|
||||||
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis"
|
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis"
|
||||||
|
@ -138,7 +160,9 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"complexity": "Medium",
|
"complexity": "Medium",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"type": "3rd Party Tools"
|
"type": [
|
||||||
|
"3rd Party Tools"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "Execution Prevention",
|
"value": "Execution Prevention",
|
||||||
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
|
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
|
||||||
|
@ -151,7 +175,9 @@
|
||||||
"complexity": "Low",
|
"complexity": "Low",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"impact": "Medium",
|
"impact": "Medium",
|
||||||
"type": "GPO",
|
"type": [
|
||||||
|
"GPO"
|
||||||
|
],
|
||||||
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
|
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
|
||||||
},
|
},
|
||||||
"value": "Change Default \"Open With\" to Notepad",
|
"value": "Change Default \"Open With\" to Notepad",
|
||||||
|
@ -165,7 +191,9 @@
|
||||||
"complexity": "Low",
|
"complexity": "Low",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"impact": "Low",
|
"impact": "Low",
|
||||||
"type": "Monitoring"
|
"type": [
|
||||||
|
"Monitoring"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "File Screening",
|
"value": "File Screening",
|
||||||
"description": "Server-side file screening with the help of File Server Resource Manager"
|
"description": "Server-side file screening with the help of File Server Resource Manager"
|
||||||
|
@ -179,7 +207,9 @@
|
||||||
"complexity": "Medium",
|
"complexity": "Medium",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"impact": "Medium",
|
"impact": "Medium",
|
||||||
"type": "GPO",
|
"type": [
|
||||||
|
"GPO"
|
||||||
|
],
|
||||||
"possible_issues": "Configure & test extensively"
|
"possible_issues": "Configure & test extensively"
|
||||||
},
|
},
|
||||||
"value": "Restrict program execution #2",
|
"value": "Restrict program execution #2",
|
||||||
|
@ -194,7 +224,9 @@
|
||||||
"complexity": "Medium",
|
"complexity": "Medium",
|
||||||
"effectiveness": "Medium",
|
"effectiveness": "Medium",
|
||||||
"impact": "Low",
|
"impact": "Low",
|
||||||
"type": "GPO"
|
"type": [
|
||||||
|
"GPO"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "EMET",
|
"value": "EMET",
|
||||||
"description": "Detect and block exploitation techniques"
|
"description": "Detect and block exploitation techniques"
|
||||||
|
@ -207,7 +239,9 @@
|
||||||
"complexity": "Medium",
|
"complexity": "Medium",
|
||||||
"effectiveness": "Low",
|
"effectiveness": "Low",
|
||||||
"impact": "Low",
|
"impact": "Low",
|
||||||
"type": "3rd Party Tools"
|
"type": [
|
||||||
|
"3rd Party Tools"
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"value": "Sysmon",
|
"value": "Sysmon",
|
||||||
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
|
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
|
||||||
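Review bot: The new `type` arrays carry over the misspelled tag `"User Assistence"` (Show File Extensions hunk) unchanged, so once `type` is a list of tags this typo becomes its own category that would presumably never match `"User Assistance"` in a lookup; the same applies to `"igher administrative costs"` in `possible_issues` of Remove Admin Privileges. Since the commit already touches every `type` line, fixing the spelling here is cheap: `"User Assistence"` → `"User Assistance"`, `"igher administrative costs"` → `"Higher administrative costs"`. Separately, the Filter Attachments Level 1 description lists `.exe` twice (after `.crt` and again before `.pif`); dropping the second occurrence keeps the filter list deduplicated. Each hunk cuts through an entry object whose start and end lie outside the hunk.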
|
|
|
@ -7,7 +7,9 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://keitarotds.com/"
|
"https://keitarotds.com/"
|
||||||
],
|
],
|
||||||
"type": "Commercial"
|
"type": [
|
||||||
|
"Commercial"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -17,7 +19,9 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://kytoon.com/sutra-tds.html"
|
"http://kytoon.com/sutra-tds.html"
|
||||||
],
|
],
|
||||||
"type": "Commercial"
|
"type": [
|
||||||
|
"Commercial"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -30,7 +34,9 @@
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Stds"
|
"Stds"
|
||||||
],
|
],
|
||||||
"type": "OpenSource"
|
"type": [
|
||||||
|
"OpenSource"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -40,7 +46,9 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://bosstds.com/"
|
"http://bosstds.com/"
|
||||||
],
|
],
|
||||||
"type": "Commercial"
|
"type": [
|
||||||
|
"Commercial"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -50,21 +58,27 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
|
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
|
||||||
],
|
],
|
||||||
"type": "Underground"
|
"type": [
|
||||||
|
"Underground"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Futuristic TDS",
|
"value": "Futuristic TDS",
|
||||||
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
|
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
|
||||||
"meta": {
|
"meta": {
|
||||||
"type": "Underground"
|
"type": [
|
||||||
|
"Underground"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Orchid TDS",
|
"value": "Orchid TDS",
|
||||||
"description": "Orchid TDS was sold underground. Rare usage",
|
"description": "Orchid TDS was sold underground. Rare usage",
|
||||||
"meta": {
|
"meta": {
|
||||||
"type": "Underground"
|
"type": [
|
||||||
|
"Underground"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
|
|
|
@ -1,22 +1,80 @@
|
||||||
{
|
{
|
||||||
"values": [
|
"values": [
|
||||||
{
|
{
|
||||||
"value": "PlugX",
|
"value": "Tinba",
|
||||||
"description": "Malware"
|
"description": "Banking Malware",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://thehackernews.com/search/label/Zusy%20Malware",
|
||||||
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Hunter",
|
||||||
|
"Zusy",
|
||||||
|
"TinyBanker"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Banking"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "MSUpdater"
|
"value": "PlugX",
|
||||||
|
"description": "Malware",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/112/pulling-the-plug-on-plugx"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Backdoor.FSZO-5117",
|
||||||
|
"Trojan.Heur.JP.juW@ayZZvMb",
|
||||||
|
"Trojan.Inject1.6386",
|
||||||
|
"Korplug",
|
||||||
|
"Agent.dhwf"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"value": "MSUpdater",
|
||||||
|
"description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Lazagne",
|
"value": "Lazagne",
|
||||||
"description": "A password recovery tool regularly used by attackers"
|
"description": "A password sthealing tool regularly used by attackers",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://github.com/AlessandroZ/LaZagne"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"HackTool"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Poison Ivy",
|
"value": "Poison Ivy",
|
||||||
"description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
|
"description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf"
|
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
|
||||||
|
"https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Backdoor.Win32.PoisonIvy",
|
||||||
|
"Gen:Trojan.Heur.PT"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -26,11 +84,25 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
|
"http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Torn RAT"
|
"value": "Torn RAT",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.crowdstrike.com/blog/whois-anchor-panda/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Anchor Panda"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "OzoneRAT",
|
"value": "OzoneRAT",
|
||||||
|
@ -41,39 +113,77 @@
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Ozone RAT",
|
"Ozone RAT",
|
||||||
"ozonercp"
|
"ozonercp"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "ZeGhost"
|
"value": "ZeGhost",
|
||||||
|
"description": "ZeGhots is a RAT which was freely available and first released in 2014.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aWin32%2fZegost.BW"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"BackDoor-FBZT!52D84425CDF2",
|
||||||
|
"Trojan.Win32.Staser.ytq",
|
||||||
|
"Win32/Zegost.BW"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Elise Backdoor",
|
"value": "Elise Backdoor",
|
||||||
|
"description": "Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://thehackernews.com/2015/08/elise-malware-hacking.html"
|
||||||
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Elise"
|
"Elise"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"dropper",
|
||||||
|
"PWS"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Trojan.Laziok",
|
"value": "Trojan.Laziok",
|
||||||
|
"description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"
|
||||||
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Laziok"
|
"Laziok"
|
||||||
],
|
],
|
||||||
"refs": [
|
"type": [
|
||||||
"http://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector"
|
"PWS",
|
||||||
|
"reco"
|
||||||
]
|
]
|
||||||
},
|
}
|
||||||
"description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer."
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Slempo",
|
"value": "Slempo",
|
||||||
"description": "Android-based malware",
|
"description": "Android-based malware",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/"
|
||||||
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"GM-Bot",
|
"GM-Bot",
|
||||||
|
"SlemBunk",
|
||||||
|
"Bankosy",
|
||||||
"Acecard"
|
"Acecard"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Spyware",
|
||||||
|
"AndroidOS"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -83,24 +193,35 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
|
"http://researchcenter.paloaltonetworks.com/2016/04/unit42-python-based-pwobot-targets-european-organizations/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"PWOLauncher",
|
||||||
|
"PWOHTTPD",
|
||||||
|
"PWOKeyLogger",
|
||||||
|
"PWOMiner",
|
||||||
|
"PWOPyExec",
|
||||||
|
"PWOQuery"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Dropper",
|
||||||
|
"Miner",
|
||||||
|
"Spyware"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"value": "Lstudio"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"value": "Joy RAT"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"value": "Lost Door RAT",
|
"value": "Lost Door RAT",
|
||||||
"description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
|
"description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"LostDoor RAT"
|
"LostDoor RAT",
|
||||||
|
"BKDR_LODORAT"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -108,10 +229,14 @@
|
||||||
"value": "njRAT",
|
"value": "njRAT",
|
||||||
"meta": {
|
"meta": {
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Bladabindi"
|
"Bladabindi",
|
||||||
|
"Jorik"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
|
"http://www.fidelissecurity.com/files/files/FTA_1009-njRAT_Uncovered_rev2.pdf"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -119,10 +244,17 @@
|
||||||
"value": "NanoCoreRAT",
|
"value": "NanoCoreRAT",
|
||||||
"meta": {
|
"meta": {
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"NanoCore"
|
"NanoCore",
|
||||||
|
"Nancrat",
|
||||||
|
"Zurten",
|
||||||
|
"Atros2.CKPN"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter"
|
"http://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter",
|
||||||
|
"https://nanocore.io/"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -131,23 +263,96 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Sakurel"
|
"Sakurel"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.secureworks.com/research/sakula-malware-family"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Derusbi"
|
"value": "Hi-ZOR",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "EvilGrab"
|
"value": "Derusbi",
|
||||||
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"TROJ_DLLSERV.BE"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf",
|
||||||
|
"https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "IEChecker"
|
"value": "EvilGrab",
|
||||||
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"BKDR_HGDER",
|
||||||
|
"BKDR_EVILOGE",
|
||||||
|
"BKDR_NVICM",
|
||||||
|
"Wmonder"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/",
|
||||||
|
"http://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Trojan.Naid"
|
"value": "Trojan.Naid",
|
||||||
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"Naid",
|
||||||
|
"Mdmbot.E",
|
||||||
|
"AGENT.GUNZ",
|
||||||
|
"AGENT.AQUP.DROPPER",
|
||||||
|
"AGENT.BMZA",
|
||||||
|
"MCRAT.A",
|
||||||
|
"AGENT.ABQMR"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://www.symantec.com/connect/blogs/cve-2012-1875-exploited-wild-part-1-trojannaid",
|
||||||
|
"http://telussecuritylabs.com/threats/show/TSL20120614-05"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Dropper"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Backdoor.Moudoor"
|
"value": "Moudoor",
|
||||||
|
"description": "Backdoor.Moudoor, a customized version of Gh0st RAT",
|
||||||
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"SCAR",
|
||||||
|
"KillProc.14145"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"http://www.darkreading.com/attacks-breaches/elite-chinese-cyberspy-group-behind-bit9-hack/d/d-id/1140495",
|
||||||
|
"https://securityledger.com/2013/09/apt-for-hire-symantec-outs-hidden-lynx-hacking-crew/"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"Backdoor"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "NetTraveler"
|
"value": "NetTraveler"
|
||||||
|
@ -156,7 +361,19 @@
|
||||||
"value": "Winnti"
|
"value": "Winnti"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Mimikatz"
|
"value": "Mimikatz",
|
||||||
|
"description": "Ease Credential stealh and replay, A little tool to play with Windows security.",
|
||||||
|
"meta": {
|
||||||
|
"synonyms": [
|
||||||
|
"Mikatz"
|
||||||
|
],
|
||||||
|
"refs": [
|
||||||
|
"https://github.com/gentilkiwi/mimikatz"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"HackTool"
|
||||||
|
]
|
||||||
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "WEBC2"
|
"value": "WEBC2"
|
||||||
|
@ -299,9 +516,6 @@
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"value": "CORESHELL"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"value": "CHOPSTICK",
|
"value": "CHOPSTICK",
|
||||||
"description": "backdoor",
|
"description": "backdoor",
|
||||||
|
@ -365,10 +579,16 @@
|
||||||
"description": "credential harvester",
|
"description": "credential harvester",
|
||||||
"meta": {
|
"meta": {
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Sasfis"
|
"Sasfis",
|
||||||
|
"BackDoor-FDU",
|
||||||
|
"IEChecker"
|
||||||
],
|
],
|
||||||
"refs": [
|
"refs": [
|
||||||
|
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_sasfis.tl",
|
||||||
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
|
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"
|
||||||
|
],
|
||||||
|
"type": [
|
||||||
|
"PWS"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
@ -973,29 +1193,12 @@
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"value": "Angler EK",
|
|
||||||
"description": "Angler Exploit Kit is a hacking tool that is produced to search for Java and Flash Player vulnerabilities on the attacked PC and use them with the aim to distribute malware infections. Angler Exploit Kit commonly checks to see if the PC it is proliferating to has Java or Flash.",
|
|
||||||
"meta": {
|
|
||||||
"refs": [
|
|
||||||
"http://researchcenter.paloaltonetworks.com/2016/06/unit42-understanding-angler-exploit-kit-part-1-exploit-kit-fundamentals/",
|
|
||||||
"https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"value": "Bedep"
|
"value": "Bedep"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"value": "Cromptui"
|
"value": "Cromptui"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"value": "Cryptowall",
|
|
||||||
"description": "CryptoWall is a new and highly destructive variant of ransomware. Ransomware is malicious software (malware) that infects your computer and holds hostage something of value to you in exchange for money. Older ransomware used to block access to computers. Newer ransomware, such as CryptoWall, takes your data hostage."
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"value": "CTB-Locker"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"value": "Dridex",
|
"value": "Dridex",
|
||||||
"description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.",
|
"description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.",
|
||||||
|
@ -1025,10 +1228,6 @@
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"value": "Locky",
|
|
||||||
"description": "Ransomware"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"value": "Necurs",
|
"value": "Necurs",
|
||||||
"description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
|
"description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.",
|
||||||
|
@ -1038,14 +1237,6 @@
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"value": "Nuclear Pack",
|
|
||||||
"meta": {
|
|
||||||
"synonyms": [
|
|
||||||
"Nuclear EK"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"value": "Palevo"
|
"value": "Palevo"
|
||||||
},
|
},
|
||||||
|
@ -1062,12 +1253,6 @@
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"value": "Rig EK"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"value": "Teslacrypt"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"value": "Upatre",
|
"value": "Upatre",
|
||||||
"description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. "
|
"description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. "
|
||||||
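Review bot: The new `type` tags are not spelled consistently — `"dropper"` on Elise Backdoor versus `"Dropper"` on the PWO* entry and Trojan.Naid, plus the abbreviation `"reco"` on Trojan.Laziok — and because the schema change in this commit only constrains `type` to unique strings, these are treated as distinct categories; one casing (`"Dropper"`) and a full word for `"reco"` (presumably `"Reconnaissance"`, given the description) would keep the tag set usable. The MSUpdater reference `https://www.zscaler.com/pdf/whitepapers/msupdater_trojan_whitepaper.pdfx` ends in `.pdfx`, which looks like a stray character, and MSUpdater's new description is a verbatim copy of the Elise Backdoor description (with a leading space), so presumably one of the two was pasted by mistake. Typos in newly added text: `"sthealing"` (Lazagne), `"ZeGhots"` (ZeGhost description), `"stealh"` (Mimikatz). The removed entries (Angler EK, Cryptowall, CTB-Locker, Locky, Nuclear Pack, Rig EK, Teslacrypt, CORESHELL, Lstudio, Joy RAT) do not reappear in any of the four files of this commit, so if they were meant to move to another cluster that move is not part of it. Several of these hunks cut through entry objects whose start or end lies outside the hunk.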
|
|
|
@ -74,7 +74,11 @@
|
||||||
"type": "string"
|
"type": "string"
|
||||||
},
|
},
|
||||||
"type": {
|
"type": {
|
||||||
|
"type": "array",
|
||||||
|
"uniqueItems": true,
|
||||||
|
"items": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
}
|
||||||
},
|
},
|
||||||
"impact": {
|
"impact": {
|
||||||
"type": "string"
|
"type": "string"
|
||||||
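Review bot: The new array schema for `type` accepts an empty list, since it sets `uniqueItems` but no `minItems`; if every entry is expected to carry at least one tag, add `"minItems": 1` next to `"uniqueItems": true`. `uniqueItems` also compares strings exactly, so `"dropper"` and `"Dropper"` would both be accepted within one entry — an `"enum"` on `items`, or at least a documented casing convention, would catch the mixed spellings present in the cluster files of this commit. The enclosing `properties` object starts before and ends after this hunk.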
|
|