6016b1000c
12 changed files with 23621 additions and 5804 deletions
|
@ -108,7 +108,7 @@
|
||||||
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
|
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
|
||||||
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
|
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
|
||||||
],
|
],
|
||||||
"refss": [
|
"refs": [
|
||||||
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
|
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
@ -167,7 +167,7 @@
|
||||||
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
|
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
|
||||||
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
|
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
|
||||||
],
|
],
|
||||||
"refss": [
|
"refs": [
|
||||||
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
|
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
|
||||||
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx",
|
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx",
|
||||||
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
|
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
|
||||||
|
@ -216,7 +216,7 @@
|
||||||
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
|
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
|
||||||
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
|
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
|
||||||
],
|
],
|
||||||
"refss": [
|
"refs": [
|
||||||
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
|
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
|
||||||
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx"
|
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx"
|
||||||
]
|
]
|
||||||
|
@ -238,7 +238,7 @@
|
||||||
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
|
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
|
||||||
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
|
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
|
||||||
],
|
],
|
||||||
"refss": [
|
"refs": [
|
||||||
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
|
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
@ -274,7 +274,7 @@
|
||||||
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
|
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
|
||||||
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859 "
|
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859 "
|
||||||
],
|
],
|
||||||
"refss": [
|
"refs": [
|
||||||
"http://sache.org/beacon/files/2009/07/en/read/2009-07-Beacon-s.pdf",
|
"http://sache.org/beacon/files/2009/07/en/read/2009-07-Beacon-s.pdf",
|
||||||
"http://www.gegridsolutions.com/multilin/notes/artsci/artsci.pdf"
|
"http://www.gegridsolutions.com/multilin/notes/artsci/artsci.pdf"
|
||||||
]
|
]
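Review bot: The `"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859 "` entry a few lines above the renamed key keeps a trailing space inside the string, unlike the same entry in the other clusters of this file, so it will not compare equal to them and will surface as a separate value to anything that de-duplicates or cross-references these technique strings; trim it to `"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"`. The two refs below (`http://sache.org/...`, `http://www.gegridsolutions.com/...`) are plain `http://` URLs; if those hosts serve the same documents over TLS, switching to `https://` keeps the reference from being tampered with in transit, though that needs checking per host.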
|
||||||
|
|
|
@ -1589,7 +1589,7 @@
|
||||||
{
|
{
|
||||||
"description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable Impact. ",
|
"description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable Impact. ",
|
||||||
"meta": {
|
"meta": {
|
||||||
"Mitigation": [
|
"Mitigations": [
|
||||||
"Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
|
"Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Unauthorized and suspicious media should be avoided and kept away from systems and the network.",
|
||||||
"Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.",
|
"Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.",
|
||||||
"Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with",
|
"Hold new acquisitions to strict security requirements; be sure they are properly secured and haven’t been tampered with",
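Review bot: The `"description"` string of this cluster ends with a trailing space after `Impact.`, and the third `Mitigations` entry, `haven’t been tampered with`, has no terminating period unlike the two entries before it. Both look like copy artifacts from the source wiki and are worth trimming while the key is being renamed, so downstream text matching and display stay consistent with the rest of the file. The enclosing cluster object is only partly visible in this hunk.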
|
||||||
|
|
|
@ -2700,7 +2700,7 @@
|
||||||
"https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en",
|
"https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en",
|
||||||
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
|
"https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape"
|
||||||
],
|
],
|
||||||
"synonym": [
|
"synonyms": [
|
||||||
"Vengeance Justice Worm",
|
"Vengeance Justice Worm",
|
||||||
"VJw0rm",
|
"VJw0rm",
|
||||||
"VJwOrm"
|
"VJwOrm"
|
||||||
|
|
|
@ -9937,7 +9937,7 @@
|
||||||
"https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf",
|
"https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf",
|
||||||
"https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack"
|
"https://www.virusbulletin.com/virusbulletin/2014/02/needle-haystack"
|
||||||
],
|
],
|
||||||
"synonym": [
|
"synonyms": [
|
||||||
"BRONZE HIGHLAND"
|
"BRONZE HIGHLAND"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
|
|
@ -7338,7 +7338,7 @@
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs:": [
|
"refs": [
|
||||||
"https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html"
|
"https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
|
|
@ -25,11 +25,12 @@ for element in os.listdir('.'):
|
||||||
value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
|
value['value'] = temp['name'] + ' - ' + temp['external_references'][0]['external_id']
|
||||||
value['meta'] = {}
|
value['meta'] = {}
|
||||||
value['meta']['refs'] = []
|
value['meta']['refs'] = []
|
||||||
|
value['meta']['external_id'] = []
|
||||||
for reference in temp['external_references']:
|
for reference in temp['external_references']:
|
||||||
if 'url' in reference and reference['url'] not in value['meta']['refs']:
|
if 'url' in reference and reference['url'] not in value['meta']['refs']:
|
||||||
value['meta']['refs'].append(reference['url'])
|
value['meta']['refs'].append(reference['url'])
|
||||||
if 'external_id' in reference:
|
if 'external_id' in reference and reference['external_id'] not in value['meta']['external_id]:
|
||||||
value['meta']['external_id'] = reference['external_id']
|
value['meta']['external_id'].append(reference['external_id'])
|
||||||
value['meta']['kill_chain'] = []
|
value['meta']['kill_chain'] = []
|
||||||
for killchain in temp['kill_chain_phases']:
|
for killchain in temp['kill_chain_phases']:
|
||||||
value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':enterprise-attack:' + killchain['phase_name'])
|
value['meta']['kill_chain'].append(killchain['kill_chain_name'] + ':enterprise-attack:' + killchain['phase_name'])
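Review bot: The new condition on the `if 'external_id' in reference and ...` line is missing the closing quote on its last subscript, `value['meta']['external_id]`, so the script fails to parse before generating anything; it should read `if 'external_id' in reference and reference['external_id'] not in value['meta']['external_id']:`. Turning `external_id` from a single string into a list is also a shape change in the generated cluster JSON, so any consumer that reads `meta['external_id']` as a string would presumably need to follow; a short comment above the new initialisation, e.g. `# external_id is a list: one entry can carry several ATT&CK ids`, would make that intent explicit. The `for element in os.listdir('.')` loop enclosing this code starts before the hunk.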
|
||||||
|
|