commit
20e06dd067
5 changed files with 5902 additions and 5987 deletions
|
@ -37,6 +37,262 @@
|
|||
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
|
||||
"value": "Windows Credential Editor - S0005"
|
||||
},
|
||||
{
|
||||
"description": "[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)",
|
||||
"meta": {
|
||||
"external_id": "S1063",
|
||||
"mitre_platforms": [
|
||||
"Windows"
|
||||
],
|
||||
"refs": [
|
||||
"https://attack.mitre.org/software/S1063",
|
||||
"https://bruteratel.com/",
|
||||
"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
|
||||
"https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/",
|
||||
"https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/",
|
||||
"https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
|
||||
],
|
||||
"synonyms": [
|
||||
"Brute Ratel C4",
|
||||
"BRc4"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5",
|
||||
"value": "Brute Ratel C4 - S1063"
|
||||
},
|
||||
{
|
||||
"description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)",
|
||||
"meta": {
|
||||
|
@ -1117,6 +1373,13 @@
|
|||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
||||
"tags": [
|
||||
|
@ -1211,6 +1474,13 @@
|
|||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
|
||||
"tags": [
|
||||
|
@ -2292,6 +2562,64 @@
|
|||
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
|
||||
"value": "UACMe - S0116"
|
||||
},
|
||||
{
|
||||
"description": "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)",
|
||||
"meta": {
|
||||
"external_id": "S1071",
|
||||
"mitre_platforms": [
|
||||
"Windows"
|
||||
],
|
||||
"refs": [
|
||||
"https://attack.mitre.org/software/S1071",
|
||||
"https://github.com/GhostPack/Rubeus",
|
||||
"https://thedfirreport.com/2020/10/08/ryuks-return/",
|
||||
"https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
|
||||
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
|
||||
],
|
||||
"synonyms": [
|
||||
"Rubeus"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "3986e7fd-a8e9-4ecb-bfc6-55920855912b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "e33267fe-099f-4af2-8730-63d49f8813b2",
|
||||
"value": "Rubeus - S1071"
|
||||
},
|
||||
{
|
||||
"description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system’s registry. (Citation: Mandiant APT1)",
|
||||
"meta": {
|
||||
|
@ -3003,6 +3331,9 @@
|
|||
"refs": [
|
||||
"https://attack.mitre.org/software/S0174",
|
||||
"https://github.com/SpiderLabs/Responder"
|
||||
],
|
||||
"synonyms": [
|
||||
"Responder"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
|
@ -3189,13 +3520,6 @@
|
|||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b",
|
||||
"tags": [
|
||||
|
@ -3211,14 +3535,14 @@
|
|||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
|
||||
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
|
||||
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
|
@ -3728,8 +4052,8 @@
|
|||
"refs": [
|
||||
"https://attack.mitre.org/software/S0332",
|
||||
"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
|
||||
"https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html",
|
||||
"https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/"
|
||||
"https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
|
||||
"https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html"
|
||||
],
|
||||
"synonyms": [
|
||||
"Remcos"
|
||||
|
@ -5009,13 +5333,6 @@
|
|||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
|
||||
"tags": [
|
||||
|
@ -5079,6 +5396,13 @@
|
|||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
|
||||
"tags": [
|
||||
|
@ -6393,6 +6717,13 @@
|
|||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc",
|
||||
"tags": [
|
||||
|
@ -6407,6 +6738,13 @@
|
|||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
|
||||
"tags": [
|
||||
|
@ -6542,5 +6880,5 @@
|
|||
"value": "Mythic - S0699"
|
||||
}
|
||||
],
|
||||
"version": 27
|
||||
"version": 28
|
||||
}
|
||||