mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-26 16:57:18 +00:00
Merge branch 'main' into threat-actor/scarred-manticore-6a6965e2-0843-47b1-990d-d43016dd4dd1
This commit is contained in:
commit
63b422c7d0
12 changed files with 63681 additions and 5350 deletions
28
README.md
28
README.md
|
@ -27,6 +27,14 @@ Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements
|
|||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_360.net_threat_actors)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)]
|
||||
|
||||
## Ammunitions
|
||||
|
||||
[Ammunitions](https://www.misp-project.org/galaxy.html#_ammunitions) - Common ammunitions galaxy
|
||||
|
||||
Category: *firearm* - source: *https://ammo.com/* - total: *410* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_ammunitions)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ammunitions.json)]
|
||||
|
||||
## Android
|
||||
|
||||
[Android](https://www.misp-project.org/galaxy.html#_android) - Android malware galaxy based on multiple open sources.
|
||||
|
@ -55,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
|
|||
|
||||
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
|
||||
|
||||
Category: *tool* - source: *Open Sources* - total: *16* elements
|
||||
Category: *tool* - source: *Open Sources* - total: *23* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
|
||||
|
||||
|
@ -147,6 +155,14 @@ Category: *tool* - source: *MISP Project* - total: *52* elements
|
|||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)]
|
||||
|
||||
## Firearms
|
||||
|
||||
[Firearms](https://www.misp-project.org/galaxy.html#_firearms) - Common firearms galaxy
|
||||
|
||||
Category: *firearm* - source: *https://www.impactguns.com* - total: *5953* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)]
|
||||
|
||||
## FIRST DNS Abuse Techniques Matrix
|
||||
|
||||
[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
|
||||
|
@ -159,7 +175,7 @@ Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total
|
|||
|
||||
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
|
||||
|
||||
Category: *tool* - source: *Malpedia* - total: *2823* elements
|
||||
Category: *tool* - source: *Malpedia* - total: *2947* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
|
||||
|
||||
|
@ -423,7 +439,7 @@ Category: *rsit* - source: *https://github.com/enisaeu/Reference-Security-Incide
|
|||
|
||||
[Sector](https://www.misp-project.org/galaxy.html#_sector) - Activity sectors
|
||||
|
||||
Category: *sector* - source: *CERT-EU* - total: *117* elements
|
||||
Category: *sector* - source: *CERT-EU* - total: *118* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)]
|
||||
|
||||
|
@ -431,7 +447,7 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements
|
|||
|
||||
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
|
||||
|
||||
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2568* elements
|
||||
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2776* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
|
||||
|
||||
|
@ -495,7 +511,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
|
|||
|
||||
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
|
||||
|
||||
Category: *actor* - source: *MISP Project* - total: *420* elements
|
||||
Category: *actor* - source: *MISP Project* - total: *432* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
|
||||
|
||||
|
@ -503,7 +519,7 @@ Category: *actor* - source: *MISP Project* - total: *420* elements
|
|||
|
||||
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
|
||||
|
||||
Category: *tool* - source: *MISP Project* - total: *557* elements
|
||||
Category: *tool* - source: *MISP Project* - total: *585* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]
|
||||
|
||||
|
|
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
|
@ -153,6 +153,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "45241b9e-9bbc-4826-a2cc-78855e51ca09",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
|
||||
"tags": [
|
||||
|
@ -181,6 +188,20 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5",
|
||||
"tags": [
|
||||
|
@ -1853,6 +1874,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
|
||||
"tags": [
|
||||
|
@ -1993,6 +2021,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "887274fc-2d63-4bdc-82f3-fae56d1d5fdc",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
|
||||
"tags": [
|
||||
|
@ -2227,6 +2262,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3775a580-a1d1-46c4-8147-c614a715f2e9",
|
||||
"tags": [
|
||||
|
@ -2805,6 +2847,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
|
||||
"tags": [
|
||||
|
@ -3350,6 +3399,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
|
||||
"tags": [
|
||||
|
@ -3941,6 +3997,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "a0e6614a-7740-4b24-bd65-f1bde09fc365",
|
||||
"tags": [
|
||||
|
@ -4513,6 +4576,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
|
||||
"tags": [
|
||||
|
@ -4863,6 +4933,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
|
||||
"tags": [
|
||||
|
@ -4954,6 +5031,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "35d30338-5bfa-41b0-a170-ec06dfd75f64",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
|
||||
"tags": [
|
||||
|
@ -4968,6 +5052,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "45241b9e-9bbc-4826-a2cc-78855e51ca09",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179",
|
||||
"tags": [
|
||||
|
@ -5010,6 +5101,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "562e9b64-7239-493d-80f4-2bff900d9054",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
|
||||
"tags": [
|
||||
|
@ -5052,6 +5150,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
|
||||
"tags": [
|
||||
|
@ -5073,6 +5178,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "6fa224c7-5091-4595-bf15-3fc9fe2f2c7c",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4",
|
||||
"tags": [
|
||||
|
@ -5143,6 +5255,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156",
|
||||
"tags": [
|
||||
|
@ -5150,6 +5269,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
|
||||
"tags": [
|
||||
|
@ -5297,6 +5423,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "ca00366b-83a1-4c7b-a0ce-8ff950a7c87f",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d",
|
||||
"tags": [
|
||||
|
@ -5535,6 +5668,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
|
||||
"tags": [
|
||||
|
@ -6073,6 +6213,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
|
||||
"tags": [
|
||||
|
@ -6416,6 +6563,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cfb525cc-5494-401d-a82b-2539ca46a561",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4",
|
||||
"tags": [
|
||||
|
@ -7090,6 +7244,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
||||
"tags": [
|
||||
|
@ -7841,6 +8002,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "43f2776f-b4bd-4118-94b8-fee47e69676d",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5",
|
||||
"tags": [
|
||||
|
@ -8586,6 +8754,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "35d30338-5bfa-41b0-a170-ec06dfd75f64",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
|
||||
"tags": [
|
||||
|
@ -8937,6 +9112,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
|
||||
"tags": [
|
||||
|
@ -9075,6 +9257,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490",
|
||||
"tags": [
|
||||
|
@ -9400,6 +9589,13 @@
|
|||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "0cdd66ad-26ac-4338-a764-4972a1e17ee3",
|
||||
"tags": [
|
||||
|
@ -9414,6 +9610,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e",
|
||||
"tags": [
|
||||
|
@ -9484,6 +9687,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "5abfc5e6-3c56-49e7-ad72-502d01acf28b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
|
||||
"tags": [
|
||||
|
@ -9547,6 +9757,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "9ef14445-6f35-4ed0-a042-5024f13a9242",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad",
|
||||
"tags": [
|
||||
|
@ -9610,6 +9827,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
|
||||
"tags": [
|
||||
|
@ -9652,6 +9876,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "f856eaab-e84a-4265-a8a2-7bf37e5dc2fc",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0",
|
||||
"tags": [
|
||||
|
@ -9672,6 +9903,13 @@
|
|||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "0b761f2b-197a-40f2-b100-8152cb957c0c",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "20b0931a-8952-42ca-975f-775bad295f1a",
|
||||
"tags": [
|
||||
|
@ -9686,6 +9924,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "28fdd23d-aee3-4afe-bc3f-5f1f52929258",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
|
||||
"tags": [
|
||||
|
@ -9787,7 +10032,7 @@
|
|||
"external_id": "M1014",
|
||||
"refs": [
|
||||
"https://attack.mitre.org/mitigations/M1014",
|
||||
"https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
|
||||
"https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
|
@ -10216,6 +10461,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
|
||||
"tags": [
|
||||
|
@ -10237,6 +10489,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "6a5d222a-a7e0-4656-b110-782c33098289",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
|
||||
"tags": [
|
||||
|
@ -10258,6 +10517,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
|
||||
"tags": [
|
||||
|
@ -10328,6 +10594,20 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "bb5e59c4-abe7-40c7-8196-e373cb1e5974",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
|
||||
"tags": [
|
||||
|
@ -10335,6 +10615,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213",
|
||||
"tags": [
|
||||
|
@ -11454,6 +11741,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
|
||||
"tags": [
|
||||
|
@ -11475,6 +11769,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a",
|
||||
"tags": [
|
||||
|
@ -12616,6 +12917,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
|
||||
"tags": [
|
||||
|
@ -12637,6 +12945,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "887274fc-2d63-4bdc-82f3-fae56d1d5fdc",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
|
||||
"tags": [
|
||||
|
@ -12711,6 +13026,26 @@
|
|||
"uuid": "a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
|
||||
"value": "Antivirus/Antimalware - M1049"
|
||||
},
|
||||
{
|
||||
"description": "Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.",
|
||||
"meta": {
|
||||
"external_id": "M1058",
|
||||
"refs": [
|
||||
"https://attack.mitre.org/mitigations/M1058"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "defc1257-4db1-4fb3-8ef5-bb77f63146df",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
}
|
||||
],
|
||||
"uuid": "78671282-26aa-486c-a7a5-5921e1616b58",
|
||||
"value": "Antivirus/Antimalware - M1058"
|
||||
},
|
||||
{
|
||||
"description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
|
||||
"meta": {
|
||||
|
@ -13055,6 +13390,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "562e9b64-7239-493d-80f4-2bff900d9054",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
|
||||
"tags": [
|
||||
|
@ -13279,6 +13621,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "ca00366b-83a1-4c7b-a0ce-8ff950a7c87f",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
|
||||
"tags": [
|
||||
|
@ -13321,6 +13670,13 @@
|
|||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "ea071aa0-8f17-416f-ab0d-2bab7e79003d",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "mitigates"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
|
||||
"tags": [
|
||||
|
@ -13375,5 +13731,5 @@
|
|||
"value": "Audit - M1047"
|
||||
}
|
||||
],
|
||||
"version": 26
|
||||
"version": 27
|
||||
}
|
||||
|
|
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
|
@ -2021,6 +2021,13 @@
|
|||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
|
||||
"tags": [
|
||||
|
@ -2289,6 +2296,64 @@
|
|||
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
|
||||
"value": "Tasklist - S0057"
|
||||
},
|
||||
{
|
||||
"description": "[ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes LazyScripter Feb 2021)",
|
||||
"meta": {
|
||||
"external_id": "S0508",
|
||||
"mitre_platforms": [
|
||||
"Windows"
|
||||
],
|
||||
"refs": [
|
||||
"https://attack.mitre.org/software/S0508",
|
||||
"https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44",
|
||||
"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
|
||||
"https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf",
|
||||
"https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/"
|
||||
],
|
||||
"synonyms": [
|
||||
"ngrok"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906",
|
||||
"value": "ngrok - S0508"
|
||||
},
|
||||
{
|
||||
"description": "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)",
|
||||
"meta": {
|
||||
|
@ -2647,6 +2712,173 @@
|
|||
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
|
||||
"value": "Cachedump - S0119"
|
||||
},
|
||||
{
|
||||
"description": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)",
|
||||
"meta": {
|
||||
"external_id": "S1091",
|
||||
"mitre_platforms": [
|
||||
"IaaS"
|
||||
],
|
||||
"refs": [
|
||||
"https://attack.mitre.org/software/S1091",
|
||||
"https://github.com/RhinoSecurityLabs/pacu"
|
||||
],
|
||||
"synonyms": [
|
||||
"Pacu"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "16e94db9-b5b1-4cd0-b851-f38fbd0a70f2",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cacc40da-4c9e-462c-80d5-fd70a178b12d",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cfb525cc-5494-401d-a82b-2539ca46a561",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e848506b-8484-4410-8017-3d235a52f5b3",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "1b3b8f96-43b1-4460-8e02-1f53d7802fb9",
|
||||
"value": "Pacu - S1091"
|
||||
},
|
||||
{
|
||||
"description": "[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)",
|
||||
"meta": {
|
||||
|
@ -3074,6 +3306,13 @@
|
|||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
|
||||
"tags": [
|
||||
|
@ -3754,6 +3993,119 @@
|
|||
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
|
||||
"value": "SDelete - S0195"
|
||||
},
|
||||
{
|
||||
"description": "[AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)",
|
||||
"meta": {
|
||||
"external_id": "S1087",
|
||||
"mitre_platforms": [
|
||||
"Windows"
|
||||
],
|
||||
"refs": [
|
||||
"https://attack.mitre.org/software/S1087",
|
||||
"https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader",
|
||||
"https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/",
|
||||
"https://telefonicatech.com/blog/snip3-investigacion-malware"
|
||||
],
|
||||
"synonyms": [
|
||||
"AsyncRAT"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e4dc8c01-417f-458d-9ee0-bb0617c1b391",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d",
|
||||
"value": "AsyncRAT - S1087"
|
||||
},
|
||||
{
|
||||
"description": "[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)",
|
||||
"meta": {
|
||||
|
@ -6640,6 +6992,13 @@
|
|||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"almost-certain\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f",
|
||||
"tags": [
|
||||
|
@ -6880,5 +7239,5 @@
|
|||
"value": "Mythic - S0699"
|
||||
}
|
||||
],
|
||||
"version": 28
|
||||
"version": 29
|
||||
}
|
||||
|
|
51104
clusters/naics.json
Normal file
51104
clusters/naics.json
Normal file
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
|
@ -209,6 +209,30 @@
|
|||
"uuid": "8a8f39df-74b3-4946-ab64-f84968bababe",
|
||||
"value": "DIZZY PANDA"
|
||||
},
|
||||
{
|
||||
"description": "Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.",
|
||||
"meta": {
|
||||
"attribution-confidence": "50",
|
||||
"cfr-suspected-state-sponsor": "China",
|
||||
"cfr-suspected-victims": [
|
||||
"Taiwan",
|
||||
"United States",
|
||||
"Vietnam",
|
||||
"Solomon Islands"
|
||||
],
|
||||
"cfr-target-category": [
|
||||
"Biomedical",
|
||||
"Government",
|
||||
"Information technology"
|
||||
],
|
||||
"country": "CN",
|
||||
"refs": [
|
||||
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks"
|
||||
]
|
||||
},
|
||||
"uuid": "6714de29-4dd8-463c-99a3-77c9e80fa47d",
|
||||
"value": "Grayling"
|
||||
},
|
||||
{
|
||||
"description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
|
||||
"meta": {
|
||||
|
@ -6190,7 +6214,8 @@
|
|||
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
|
||||
"https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia",
|
||||
"https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea",
|
||||
"https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf"
|
||||
"https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf",
|
||||
"https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
|
||||
],
|
||||
"synonyms": [
|
||||
"TEMP.Periscope",
|
||||
|
@ -6204,7 +6229,8 @@
|
|||
"TA423",
|
||||
"Red Ladon",
|
||||
"ITG09",
|
||||
"MUDCARP"
|
||||
"MUDCARP",
|
||||
"ISLANDDREAMS"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
|
@ -6246,13 +6272,19 @@
|
|||
"https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
|
||||
"https://www.cfr.org/cyber-operations/apt-35",
|
||||
"https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
|
||||
"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/"
|
||||
"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/",
|
||||
"https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
|
||||
"https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/",
|
||||
"https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us"
|
||||
],
|
||||
"synonyms": [
|
||||
"Newscaster Team",
|
||||
"Magic Hound",
|
||||
"G0059",
|
||||
"Phosphorus"
|
||||
"Phosphorus",
|
||||
"Mint Sandstorm",
|
||||
"TunnelVision",
|
||||
"COBALT MIRAGE"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
|
@ -7522,8 +7554,29 @@
|
|||
{
|
||||
"description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.",
|
||||
"meta": {
|
||||
"cfr-suspected-victims": [
|
||||
"Ecuador",
|
||||
"Colombia",
|
||||
"Spain",
|
||||
"Panama",
|
||||
"Chile"
|
||||
],
|
||||
"cfr-target-category": [
|
||||
"Petroleum",
|
||||
"Manufacturing",
|
||||
"Financial",
|
||||
"Private sector",
|
||||
"Government"
|
||||
],
|
||||
"cfr-type-of-incident": "Espionage",
|
||||
"refs": [
|
||||
"https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/"
|
||||
"https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
|
||||
"https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf",
|
||||
"https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia",
|
||||
"https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
|
||||
"https://www.trendmicro.com/en_ph/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
|
||||
"https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/",
|
||||
"https://attack.mitre.org/groups/G0099/"
|
||||
],
|
||||
"synonyms": [
|
||||
"Blind Eagle"
|
||||
|
@ -11573,7 +11626,8 @@
|
|||
"https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
|
||||
],
|
||||
"synonyms": [
|
||||
"Nemesis Kitten"
|
||||
"Nemesis Kitten",
|
||||
"Storm-0270"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
|
@ -11960,6 +12014,74 @@
|
|||
"uuid": "32eebd31-5e0f-4fb9-b478-26ff4e48aaf4",
|
||||
"value": "AtlasCross"
|
||||
},
|
||||
{
|
||||
"description": "Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.",
|
||||
"meta": {
|
||||
"cfr-suspected-victims": [
|
||||
"Ukraine",
|
||||
"European Union"
|
||||
],
|
||||
"references": [
|
||||
"https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html",
|
||||
"https://www.trendmicro.com/en_za/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"
|
||||
],
|
||||
"synonyms": [
|
||||
"Tropical Scorpius"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "6d9dfc5f-4ebf-404b-ab5e-e6497867fe65",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "5f1c11d3-c6ac-4368-a801-cced88a9d93b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "9766d52e-0e5d-4997-9c31-7f2291dcda9e",
|
||||
"value": "Void Rabisu"
|
||||
},
|
||||
{
|
||||
"description": "In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.",
|
||||
"meta": {
|
||||
"country": "CN",
|
||||
"references": [
|
||||
"https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/",
|
||||
"https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/"
|
||||
]
|
||||
},
|
||||
"uuid": "9ee446fd-b0cd-4662-9cd1-a60b429192db",
|
||||
"value": "Camaro Dragon"
|
||||
},
|
||||
{
|
||||
"description": "Storm-0558 is a China-based threat actor with espionage objectives. While there are some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), Microsoft maintain high confidence that Storm-0558 operates as its own distinct group",
|
||||
"meta": {
|
||||
"attribution-confidence": "50",
|
||||
"cfr-suspected-state-sponsor": "China",
|
||||
"cfr-suspected-victims": [
|
||||
"United States"
|
||||
],
|
||||
"cfr-target-category": [
|
||||
"Government"
|
||||
],
|
||||
"cfr-type-of-incident": "Espionage",
|
||||
"country": "CN",
|
||||
"references": [
|
||||
"https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/",
|
||||
"https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr",
|
||||
"https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/"
|
||||
]
|
||||
},
|
||||
"uuid": "5b30bcb8-4923-45cc-bc89-29651ca5d54e",
|
||||
"value": "Storm-0558"
|
||||
},
|
||||
{
|
||||
"description": "Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants.",
|
||||
"meta": {
|
||||
|
@ -11972,5 +12094,5 @@
|
|||
"value": "Scarred Manticore"
|
||||
}
|
||||
],
|
||||
"version": 285
|
||||
"version": 288
|
||||
}
|
||||
|
|
9
galaxies/naics.json
Normal file
9
galaxies/naics.json
Normal file
|
@ -0,0 +1,9 @@
|
|||
{
|
||||
"description": "North American Industry Classification System - NAICS",
|
||||
"icon": "industry",
|
||||
"name": "NAICS",
|
||||
"namespace": "misp",
|
||||
"type": "naics",
|
||||
"uuid": "b73ecad4-6529-4625-8c4f-ee3ef703a72a",
|
||||
"version": 1
|
||||
}
|
101
tools/generate_naics_clusters.py
Normal file
101
tools/generate_naics_clusters.py
Normal file
|
@ -0,0 +1,101 @@
|
|||
#!/usr/bin/env python3
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
#Used to generate naics galaxy clusters; takes naics.csv as entry
|
||||
#naics.csv is extract from [2022]_NAICS_Structure.xlsx and only uses the 2022 NAICS Code and 2022 NAICS Title columns, without title.
|
||||
#Note 1 : This only generate the file for the "clusters" folder
|
||||
#Note 2 : The generated file needs to pass the jq_all_the_thigs.sh script to be in the corresponding information
|
||||
#Note 3 : New uuids are generated on every run
|
||||
|
||||
import json
|
||||
import csv
|
||||
import uuid
|
||||
|
||||
galaxy={}
|
||||
galaxy['description']="The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production)."
|
||||
galaxy['name']="NAICS"
|
||||
galaxy['source']="North American Industry Classification System - NAICS"
|
||||
galaxy['type']="naics"
|
||||
galaxy['uuid']="b73ecad4-6529-4625-8c4f-ee3ef703a72a"
|
||||
galaxy['version']=2022 #Change when updating
|
||||
galaxy['authors']=[]
|
||||
galaxy['authors'].append("Executive Office of the President Office of Management and Budget")
|
||||
galaxy['category']="sector"
|
||||
|
||||
values = []
|
||||
|
||||
with open('naics.csv', newline='') as csvfile:
|
||||
reader = csv.reader(csvfile, delimiter=',', quotechar='"')
|
||||
for row in reader:
|
||||
#Cluster creation
|
||||
cluster = {}
|
||||
cluster['value']=row[0]
|
||||
cluster['description']=row[1].strip()
|
||||
cluster['uuid']=str(uuid.uuid4())
|
||||
cluster['related']=[]
|
||||
|
||||
values.append(cluster)
|
||||
|
||||
#Relationsship preparation (Yes it's crappy but at least it works as intended ¯\_(ツ)_/¯)
|
||||
relationparent={}
|
||||
relationparent['tags']=[]
|
||||
relationparent['tags'].append("estimative-language:likelihood-probability=\"likely\"")
|
||||
relationparent['type']="parent-of"
|
||||
|
||||
relationchild={}
|
||||
relationchild['tags']=[]
|
||||
relationchild['tags'].append("estimative-language:likelihood-probability=\"likely\"")
|
||||
relationchild['type']="child-of"
|
||||
|
||||
relationsiblings={}
|
||||
relationsiblings['tags']=[]
|
||||
relationsiblings['tags'].append("estimative-language:likelihood-probability=\"likely\"")
|
||||
relationsiblings['type']="similar"
|
||||
|
||||
relationsiblings2={}
|
||||
relationsiblings2['tags']=[]
|
||||
relationsiblings2['tags'].append("estimative-language:likelihood-probability=\"likely\"")
|
||||
relationsiblings2['type']="similar"
|
||||
|
||||
#Building relationships
|
||||
if len(cluster['value']) > 2: #2 digit codes have no parents
|
||||
if len(cluster['value']) == 6: #specific case of 6 digit codes, parent have only 4 digits
|
||||
for value in values:
|
||||
if value['value'] == cluster['value'][0:len(cluster['value'])-2]:
|
||||
relationchild['dest-uuid']=value['uuid']
|
||||
cluster['related'].append(relationchild)
|
||||
|
||||
relationparent['dest-uuid']=cluster['uuid']
|
||||
value['related'].append(relationparent)
|
||||
break
|
||||
|
||||
if cluster['value'][5] == "0": #If a 6 digit code ends with 0, it has a similar/identical 5 digit code
|
||||
for value in values:
|
||||
if value['value'] == cluster['value'][0:len(cluster['value'])-1]:
|
||||
relationsiblings['dest-uuid']=value['uuid']
|
||||
cluster['related'].append(relationsiblings)
|
||||
|
||||
relationsiblings2['dest-uuid']=cluster['uuid']
|
||||
value['related'].append(relationsiblings2)
|
||||
break
|
||||
|
||||
|
||||
|
||||
else: #All other cases (codes with 3 to 5 digits)
|
||||
for value in values:
|
||||
if value['value'] == cluster['value'][0:len(cluster['value'])-1]:
|
||||
relationchild['dest-uuid']=value['uuid']
|
||||
cluster['related'].append(relationchild)
|
||||
|
||||
relationparent['dest-uuid']=cluster['uuid']
|
||||
value['related'].append(relationparent)
|
||||
break
|
||||
|
||||
|
||||
|
||||
galaxy['values']=values
|
||||
|
||||
tojson = json.dumps(galaxy, indent=2)
|
||||
jsonFile = open("naisc_cluster.json", "w")
|
||||
jsonFile.write(tojson)
|
||||
jsonFile.close()
|
Loading…
Reference in a new issue