Merge branch 'main' into threat-actor/scarred-manticore-6a6965e2-0843-47b1-990d-d43016dd4dd1

Mathieu Béligon 2023-11-02 13:19:14 +01:00 committed by GitHub
commit 63b422c7d0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 63681 additions and 5350 deletions


@ -27,6 +27,14 @@ Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements
[[HTML](https://www.misp-project.org/galaxy.html#_360.net_threat_actors)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)] [[HTML](https://www.misp-project.org/galaxy.html#_360.net_threat_actors)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)]
## Ammunitions
[Ammunitions](https://www.misp-project.org/galaxy.html#_ammunitions) - Common ammunitions galaxy
Category: *firearm* - source: *https://ammo.com/* - total: *410* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ammunitions)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ammunitions.json)]
## Android ## Android
[Android](https://www.misp-project.org/galaxy.html#_android) - Android malware galaxy based on multiple open sources. [Android](https://www.misp-project.org/galaxy.html#_android) - Android malware galaxy based on multiple open sources.
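Review bot: the new Ammunitions galaxy (category firearm, source https://ammo.com/, 410 elements) is described only as "Common ammunitions galaxy", which says nothing about what the elements are meant to tag or how the list was extracted from a retailer site; suggest the README line and the cluster description state the intended use and the extraction date so the 410 count is reproducible. It also reaches this branch through a merge of main into a threat-actor branch, so it deserves its own review rather than riding along with the Scarred Manticore change.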
@ -55,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware. [Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
Category: *tool* - source: *Open Sources* - total: *16* elements Category: *tool* - source: *Open Sources* - total: *23* elements
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)] [[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
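Review bot: the Backdoor total moves from 16 to 23 here; these README counts are derived from the cluster JSON, so after a merge they should be regenerated from the merged files rather than resolved by hand, otherwise the figure reflects only one side of the merge.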
@ -147,6 +155,14 @@ Category: *tool* - source: *MISP Project* - total: *52* elements
[[HTML](https://www.misp-project.org/galaxy.html#_exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)] [[HTML](https://www.misp-project.org/galaxy.html#_exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)]
## Firearms
[Firearms](https://www.misp-project.org/galaxy.html#_firearms) - Common firearms galaxy
Category: *firearm* - source: *https://www.impactguns.com* - total: *5953* elements
[[HTML](https://www.misp-project.org/galaxy.html#_firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)]
## FIRST DNS Abuse Techniques Matrix ## FIRST DNS Abuse Techniques Matrix
[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information. [FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
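Review bot: the Firearms galaxy sources 5953 elements from https://www.impactguns.com, a commercial catalogue, yet the README line records neither the licence of that data nor how it was extracted; suggest documenting both, as for any scraped source, and stating the intended use so users understand why a threat-intelligence galaxy carries a product list.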
@ -159,7 +175,7 @@ Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia. [Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
Category: *tool* - source: *Malpedia* - total: *2823* elements Category: *tool* - source: *Malpedia* - total: *2947* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)] [[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
@ -423,7 +439,7 @@ Category: *rsit* - source: *https://github.com/enisaeu/Reference-Security-Incide
[Sector](https://www.misp-project.org/galaxy.html#_sector) - Activity sectors [Sector](https://www.misp-project.org/galaxy.html#_sector) - Activity sectors
Category: *sector* - source: *CERT-EU* - total: *117* elements Category: *sector* - source: *CERT-EU* - total: *118* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)] [[HTML](https://www.misp-project.org/galaxy.html#_sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)]
@ -431,7 +447,7 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules. [Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2568* elements Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2776* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] [[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
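Review bot: the Sigma-Rules galaxy grows from 2568 to 2776 elements, but its source is a personal repository (https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma) rather than the Sigma project itself, and nothing records which upstream rule-set revision the 2776 rules were taken from; suggest adding the upstream commit or snapshot date to the cluster metadata so the set can be reproduced.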
@ -495,7 +511,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. [Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *420* elements Category: *actor* - source: *MISP Project* - total: *432* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] [[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -503,7 +519,7 @@ Category: *actor* - source: *MISP Project* - total: *420* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. [Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: *tool* - source: *MISP Project* - total: *557* elements Category: *tool* - source: *MISP Project* - total: *585* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)] [[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]


@ -153,6 +153,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "45241b9e-9bbc-4826-a2cc-78855e51ca09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
"tags": [ "tags": [
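Review bot: the added relation is inserted in dest-uuid order (45241b9e before 457c7820) and carries the same estimative-language:likelihood-probability="almost-certain" tag as the existing entries, which is consistent with the rest of the file, but the hunk shows only technique uuids, so the mitigation-to-technique mapping cannot be checked from the diff; suggest the commit message name the ATT&CK release the generator was run against.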
@ -181,6 +188,20 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5", "dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5",
"tags": [ "tags": [
@ -1853,6 +1874,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
"tags": [ "tags": [
@ -1993,6 +2021,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "887274fc-2d63-4bdc-82f3-fae56d1d5fdc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
"tags": [ "tags": [
@ -2227,6 +2262,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9", "dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
"tags": [ "tags": [
@ -2805,6 +2847,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
"tags": [ "tags": [
@ -3350,6 +3399,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [ "tags": [
@ -3941,6 +3997,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "a0e6614a-7740-4b24-bd65-f1bde09fc365", "dest-uuid": "a0e6614a-7740-4b24-bd65-f1bde09fc365",
"tags": [ "tags": [
@ -4513,6 +4576,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", "dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
"tags": [ "tags": [
@ -4863,6 +4933,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"tags": [ "tags": [
@ -4954,6 +5031,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "35d30338-5bfa-41b0-a170-ec06dfd75f64",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [ "tags": [
@ -4968,6 +5052,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "45241b9e-9bbc-4826-a2cc-78855e51ca09",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
"tags": [ "tags": [
@ -5010,6 +5101,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "562e9b64-7239-493d-80f4-2bff900d9054",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92", "dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [ "tags": [
@ -5052,6 +5150,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
"tags": [ "tags": [
@ -5073,6 +5178,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "6fa224c7-5091-4595-bf15-3fc9fe2f2c7c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4", "dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4",
"tags": [ "tags": [
@ -5143,6 +5255,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156", "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156",
"tags": [ "tags": [
@ -5150,6 +5269,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
"tags": [ "tags": [
@ -5297,6 +5423,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "ca00366b-83a1-4c7b-a0ce-8ff950a7c87f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d", "dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d",
"tags": [ "tags": [
@ -5535,6 +5668,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
"tags": [ "tags": [
@ -6073,6 +6213,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
"tags": [ "tags": [
@ -6416,6 +6563,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "cfb525cc-5494-401d-a82b-2539ca46a561",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4", "dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4",
"tags": [ "tags": [
@ -7090,6 +7244,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"tags": [ "tags": [
@ -7841,6 +8002,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "43f2776f-b4bd-4118-94b8-fee47e69676d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5",
"tags": [ "tags": [
@ -8586,6 +8754,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "35d30338-5bfa-41b0-a170-ec06dfd75f64",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de", "dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
"tags": [ "tags": [
@ -8937,6 +9112,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
"tags": [ "tags": [
@ -9075,6 +9257,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490",
"tags": [ "tags": [
@ -9400,6 +9589,13 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3", "dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
"tags": [ "tags": [
@ -9414,6 +9610,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e",
"tags": [ "tags": [
@ -9484,6 +9687,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
"tags": [ "tags": [
@ -9547,6 +9757,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "9ef14445-6f35-4ed0-a042-5024f13a9242",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"tags": [ "tags": [
@ -9610,6 +9827,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
"tags": [ "tags": [
@ -9652,6 +9876,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "f856eaab-e84a-4265-a8a2-7bf37e5dc2fc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
"tags": [ "tags": [
@ -9672,6 +9903,13 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a", "dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a",
"tags": [ "tags": [
@ -9686,6 +9924,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
"tags": [ "tags": [
@ -9787,7 +10032,7 @@
"external_id": "M1014", "external_id": "M1014",
"refs": [ "refs": [
"https://attack.mitre.org/mitigations/M1014", "https://attack.mitre.org/mitigations/M1014",
"https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
] ]
}, },
"related": [ "related": [
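Review bot: swapping the fcc.gov reference for the web.archive.org snapshot (20200330012714) avoids a dead link but drops the canonical URL from refs; keeping both the original URL and the archived copy preserves provenance if the live page comes back.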
@ -10216,6 +10461,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
"tags": [ "tags": [
@ -10237,6 +10489,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "6a5d222a-a7e0-4656-b110-782c33098289",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
"tags": [ "tags": [
@ -10258,6 +10517,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
"tags": [ "tags": [
@ -10328,6 +10594,20 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "bb5e59c4-abe7-40c7-8196-e373cb1e5974",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
"tags": [ "tags": [
@ -10335,6 +10615,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213", "dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213",
"tags": [ "tags": [
@ -11454,6 +11741,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", "dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
"tags": [ "tags": [
@ -11475,6 +11769,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a", "dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a",
"tags": [ "tags": [
@ -12616,6 +12917,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
"tags": [ "tags": [
@ -12637,6 +12945,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "887274fc-2d63-4bdc-82f3-fae56d1d5fdc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [ "tags": [
@ -12711,6 +13026,26 @@
"uuid": "a6a47a06-08fc-4ec4-bdc3-20373375ebb9", "uuid": "a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
"value": "Antivirus/Antimalware - M1049" "value": "Antivirus/Antimalware - M1049"
}, },
{
"description": "Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.",
"meta": {
"external_id": "M1058",
"refs": [
"https://attack.mitre.org/mitigations/M1058"
]
},
"related": [
{
"dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "78671282-26aa-486c-a7a5-5921e1616b58",
"value": "Antivirus/Antimalware - M1058"
},
{ {
"description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
"meta": { "meta": {
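Review bot: the new cluster's value "Antivirus/Antimalware - M1058" differs from the preceding "Antivirus/Antimalware - M1049" only by external_id, so the two are indistinguishable wherever the display name is shown without the ID; since the description scopes it to mobile security products (Mobile Threat Defense), the value or description should make the mobile scope explicit. It also carries a single related technique (defc1257-4db1-4fb3-8ef5-bb77f63146df); worth confirming that is the complete set for this mitigation.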
@ -13055,6 +13390,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "562e9b64-7239-493d-80f4-2bff900d9054",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92", "dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [ "tags": [
@ -13279,6 +13621,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "ca00366b-83a1-4c7b-a0ce-8ff950a7c87f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"tags": [ "tags": [
@ -13321,6 +13670,13 @@
], ],
"type": "mitigates" "type": "mitigates"
}, },
{
"dest-uuid": "ea071aa0-8f17-416f-ab0d-2bab7e79003d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{ {
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
"tags": [ "tags": [
@ -13375,5 +13731,5 @@
"value": "Audit - M1047" "value": "Audit - M1047"
} }
], ],
"version": 26 "version": 27
} }
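Review bot: version moves from 26 to 27 in a merge commit; if main and this branch each bumped the version independently, the merged value must exceed both parents, otherwise consumers that compare versions will not pick up the merged relations. Confirm 27 is above the version on both sides.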


@ -2021,6 +2021,13 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [ "tags": [
@ -2289,6 +2296,64 @@
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"value": "Tasklist - S0057" "value": "Tasklist - S0057"
}, },
{
"description": "[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)",
"meta": {
"external_id": "S0508",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0508",
"https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44",
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
"https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf",
"https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/"
],
"synonyms": [
"ngrok"
]
},
"related": [
{
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906",
"value": "ngrok - S0508"
},
{ {
"description": "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)", "description": "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)",
"meta": { "meta": {
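Review bot: mitre_platforms lists only Windows for ngrok although the description presents it as a general reverse proxy tool; confirm this matches the upstream S0508 entry. The five refs line up with the four named citations plus the ATT&CK page, and the five "uses" relations are in dest-uuid order, so the rest of the entry is consistent with the surrounding clusters.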
@ -2647,6 +2712,173 @@
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", "uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
"value": "Cachedump - S0119" "value": "Cachedump - S0119"
}, },
{
"description": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)",
"meta": {
"external_id": "S1091",
"mitre_platforms": [
"IaaS"
],
"refs": [
"https://attack.mitre.org/software/S1091",
"https://github.com/RhinoSecurityLabs/pacu"
],
"synonyms": [
"Pacu"
]
},
"related": [
{
"dest-uuid": "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cfb525cc-5494-401d-a82b-2539ca46a561",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e848506b-8484-4410-8017-3d235a52f5b3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9",
"value": "Pacu - S1091"
},
{ {
"description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)", "description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)",
"meta": { "meta": {
@ -3074,6 +3306,13 @@
], ],
"type": "uses" "type": "uses"
}, },
{
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [ "tags": [
@ -3754,6 +3993,119 @@
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", "uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
"value": "SDelete - S0195" "value": "SDelete - S0195"
}, },
{
"description": "[AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)",
"meta": {
"external_id": "S1087",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1087",
"https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
"https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/",
"https://telefonicatech.com/blog/snip3-investigacion-malware"
],
"synonyms": [
"AsyncRAT"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d",
"value": "AsyncRAT - S1087"
},
{ {
"description": "[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)", "description": "[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)",
"meta": { "meta": {
@ -6640,6 +6992,13 @@
], ],
"type": "uses" "type": "uses"
}, },
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f", "dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f",
"tags": [ "tags": [
@ -6880,5 +7239,5 @@
"value": "Mythic - S0699" "value": "Mythic - S0699"
} }
], ],
"version": 28 "version": 29
} }

clusters/naics.json Normal file
File diff suppressed because it is too large

File diff suppressed because it is too large

@ -209,6 +209,30 @@
"uuid": "8a8f39df-74b3-4946-ab64-f84968bababe", "uuid": "8a8f39df-74b3-4946-ab64-f84968bababe",
"value": "DIZZY PANDA" "value": "DIZZY PANDA"
}, },
{
"description": "Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Taiwan",
"United States",
"Vietnam",
"Solomon Islands"
],
"cfr-target-category": [
"Biomedical",
"Government",
"Information technology"
],
"country": "CN",
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks"
]
},
"uuid": "6714de29-4dd8-463c-99a3-77c9e80fa47d",
"value": "Grayling"
},
{ {
"description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'", "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
"meta": { "meta": {
@ -6190,7 +6214,8 @@
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia", "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia",
"https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea", "https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea",
"https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf" "https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf",
"https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
], ],
"synonyms": [ "synonyms": [
"TEMP.Periscope", "TEMP.Periscope",
@ -6204,7 +6229,8 @@
"TA423", "TA423",
"Red Ladon", "Red Ladon",
"ITG09", "ITG09",
"MUDCARP" "MUDCARP",
"ISLANDDREAMS"
] ]
}, },
"related": [ "related": [
@ -6246,13 +6272,19 @@
"https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html", "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
"https://www.cfr.org/cyber-operations/apt-35", "https://www.cfr.org/cyber-operations/apt-35",
"https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/", "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/",
"https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
"https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/",
"https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us"
], ],
"synonyms": [ "synonyms": [
"Newscaster Team", "Newscaster Team",
"Magic Hound", "Magic Hound",
"G0059", "G0059",
"Phosphorus" "Phosphorus",
"Mint Sandstorm",
"TunnelVision",
"COBALT MIRAGE"
] ]
}, },
"related": [ "related": [
@ -7522,8 +7554,29 @@
{ {
"description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.", "description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.",
"meta": { "meta": {
"cfr-suspected-victims": [
"Ecuador",
"Colombia",
"Spain",
"Panama",
"Chile"
],
"cfr-target-category": [
"Petroleum",
"Manufacturing",
"Financial",
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"refs": [ "refs": [
"https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
"https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf",
"https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia",
"https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
"https://www.trendmicro.com/en_ph/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
"https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/",
"https://attack.mitre.org/groups/G0099/"
], ],
"synonyms": [ "synonyms": [
"Blind Eagle" "Blind Eagle"
@ -11573,7 +11626,8 @@
"https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/" "https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
], ],
"synonyms": [ "synonyms": [
"Nemesis Kitten" "Nemesis Kitten",
"Storm-0270"
] ]
}, },
"related": [ "related": [
@ -11960,6 +12014,74 @@
"uuid": "32eebd31-5e0f-4fb9-b478-26ff4e48aaf4", "uuid": "32eebd31-5e0f-4fb9-b478-26ff4e48aaf4",
"value": "AtlasCross" "value": "AtlasCross"
}, },
{
"description": "Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.",
"meta": {
"cfr-suspected-victims": [
"Ukraine",
"European Union"
],
"references": [
"https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html",
"https://www.trendmicro.com/en_za/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"
],
"synonyms": [
"Tropical Scorpius"
]
},
"related": [
{
"dest-uuid": "6d9dfc5f-4ebf-404b-ab5e-e6497867fe65",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "5f1c11d3-c6ac-4368-a801-cced88a9d93b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"uuid": "9766d52e-0e5d-4997-9c31-7f2291dcda9e",
"value": "Void Rabisu"
},
{
"description": "In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.",
"meta": {
"country": "CN",
"references": [
"https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/",
"https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/"
]
},
"uuid": "9ee446fd-b0cd-4662-9cd1-a60b429192db",
"value": "Camaro Dragon"
},
{
"description": "Storm-0558 is a China-based threat actor with espionage objectives. While there are some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), Microsoft maintain high confidence that Storm-0558 operates as its own distinct group",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States"
],
"cfr-target-category": [
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"references": [
"https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/",
"https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr",
"https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/"
]
},
"uuid": "5b30bcb8-4923-45cc-bc89-29651ca5d54e",
"value": "Storm-0558"
},
{ {
"description": "Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants.", "description": "Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants.",
"meta": { "meta": {
@ -11972,5 +12094,5 @@
"value": "Scarred Manticore" "value": "Scarred Manticore"
} }
], ],
"version": 285 "version": 288
} }

galaxies/naics.json Normal file

@ -0,0 +1,9 @@
{
"description": "North American Industry Classification System - NAICS",
"icon": "industry",
"name": "NAICS",
"namespace": "misp",
"type": "naics",
"uuid": "b73ecad4-6529-4625-8c4f-ee3ef703a72a",
"version": 1
}


@ -0,0 +1,101 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#Used to generate naics galaxy clusters; takes naics.csv as entry
#naics.csv is extract from [2022]_NAICS_Structure.xlsx and only uses the 2022 NAICS Code and 2022 NAICS Title columns, without title.
#Note 1 : This only generate the file for the "clusters" folder
#Note 2 : The generated file needs to pass the jq_all_the_thigs.sh script to be in the corresponding information
#Note 3 : New uuids are generated on every run
import json
import csv
import uuid
galaxy={}
galaxy['description']="The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production)."
galaxy['name']="NAICS"
galaxy['source']="North American Industry Classification System - NAICS"
galaxy['type']="naics"
galaxy['uuid']="b73ecad4-6529-4625-8c4f-ee3ef703a72a"
galaxy['version']=2022 #Change when updating
galaxy['authors']=[]
galaxy['authors'].append("Executive Office of the President Office of Management and Budget")
galaxy['category']="sector"
values = []
with open('naics.csv', newline='') as csvfile:
reader = csv.reader(csvfile, delimiter=',', quotechar='"')
for row in reader:
#Cluster creation
cluster = {}
cluster['value']=row[0]
cluster['description']=row[1].strip()
cluster['uuid']=str(uuid.uuid4())
cluster['related']=[]
values.append(cluster)
#Relationsship preparation (Yes it's crappy but at least it works as intended ¯\_(ツ)_/¯)
relationparent={}
relationparent['tags']=[]
relationparent['tags'].append("estimative-language:likelihood-probability=\"likely\"")
relationparent['type']="parent-of"
relationchild={}
relationchild['tags']=[]
relationchild['tags'].append("estimative-language:likelihood-probability=\"likely\"")
relationchild['type']="child-of"
relationsiblings={}
relationsiblings['tags']=[]
relationsiblings['tags'].append("estimative-language:likelihood-probability=\"likely\"")
relationsiblings['type']="similar"
relationsiblings2={}
relationsiblings2['tags']=[]
relationsiblings2['tags'].append("estimative-language:likelihood-probability=\"likely\"")
relationsiblings2['type']="similar"
#Building relationships
if len(cluster['value']) > 2: #2 digit codes have no parents
if len(cluster['value']) == 6: #specific case of 6 digit codes, parent have only 4 digits
for value in values:
if value['value'] == cluster['value'][0:len(cluster['value'])-2]:
relationchild['dest-uuid']=value['uuid']
cluster['related'].append(relationchild)
relationparent['dest-uuid']=cluster['uuid']
value['related'].append(relationparent)
break
if cluster['value'][5] == "0": #If a 6 digit code ends with 0, it has a similar/identical 5 digit code
for value in values:
if value['value'] == cluster['value'][0:len(cluster['value'])-1]:
relationsiblings['dest-uuid']=value['uuid']
cluster['related'].append(relationsiblings)
relationsiblings2['dest-uuid']=cluster['uuid']
value['related'].append(relationsiblings2)
break
else: #All other cases (codes with 3 to 5 digits)
for value in values:
if value['value'] == cluster['value'][0:len(cluster['value'])-1]:
relationchild['dest-uuid']=value['uuid']
cluster['related'].append(relationchild)
relationparent['dest-uuid']=cluster['uuid']
value['related'].append(relationparent)
break
galaxy['values']=values
tojson = json.dumps(galaxy, indent=2)
jsonFile = open("naisc_cluster.json", "w")
jsonFile.write(tojson)
jsonFile.close()
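Review bot: Note 3 in the header says new uuids are generated on every run (`cluster['uuid']=str(uuid.uuid4())`); cluster uuids are what other galaxies, taxonomies and MISP events reference, so regenerating them on each NAICS update silently breaks every existing reference. Derive them deterministically instead, e.g. `cluster['uuid']=str(uuid.uuid5(uuid.UUID(galaxy['uuid']), cluster['value']))`, which keeps the uuid stable for a given code across runs and lets Note 3 be deleted. Two hierarchy problems in the relationship loop: the 6-digit branch links a code to its 4-digit ancestor (`cluster['value'][0:len(cluster['value'])-2]`) as `child-of`, skipping the 5-digit NAICS industry level, and only records a `similar` link when the sixth digit is 0, so a code such as 111211 ends up related to 1112 but not to 11121; and if the CSV carries the combined sector codes (31-33, 44-45, 48-49) as the NAICS structure does, those are five characters long, fall into the 3-to-5-digit branch, and their 3-digit subsectors never find a parent because `'311'[0:2]` is `31`, not `31-33`. The `estimative-language:likelihood-probability="likely"` tag on structural `parent-of`/`child-of` links also undersells a relationship that is certain by construction; `almost-certain`, as used for `uses` links elsewhere in this patch, fits better. Minor: the output file name `naisc_cluster.json` is misspelled, and the trailing `open()`/`write()`/`close()` should be a `with` block like the input file.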