From 65995bbe93389a14d0fdedc8cac812ae10a02dd6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 20 Oct 2017 11:13:26 +0200
Subject: [PATCH] add cert-eu based vocabularies
---
 README.md | 4 +
 vocabularies/common/threat-actor-type.json | 25 +
 vocabularies/common/ttp-category.json | 40 ++
 vocabularies/common/ttp-type.json | 514 +++++++++++++++++++++
 4 files changed, 583 insertions(+)
 create mode 100644 vocabularies/common/threat-actor-type.json
 create mode 100644 vocabularies/common/ttp-category.json
 create mode 100644 vocabularies/common/ttp-type.json
diff --git a/README.md b/README.md
index d8790e9..0bcd30e 100644
--- a/README.md
+++ b/README.md
@@ -41,9 +41,13 @@ A [readable PDF overview of the MISP galaxy is available](https://www.misp.softw
 ## Common
 - [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.
+- [vocabularies/common/threat-actor-type.json](vocabularies/common/threat-actor-type.json) - threat actor type vocab as defined by Cert EU.
+- [vocabularies/common/ttp-category.json](vocabularies/common/ttp-category.json) - ttp category vocab as defined by Cert EU.
+- [vocabularies/common/ttp-type.json](vocabularies/common/ttp-type.json) - ttp type vocab as defined by Cert EU.
 ## Threat Actor
+- [vocabularies/threat-actor/cert-eu-motive.json](vocabularies/threat-actor/cert-eu-motive.json) - Motive vocab as defined by Cert EU.
 - [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1
 - [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1
 - [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.
diff --git a/vocabularies/common/threat-actor-type.json b/vocabularies/common/threat-actor-type.json
new file mode 100644
index 0000000..27704b0
--- /dev/null
+++ b/vocabularies/common/threat-actor-type.json
@@ -0,0 +1,25 @@
+{
+ "values": [
+ {
+ "value": "Independent Group"
+ },
+ {
+ "value": "State or state-sponsored Group"
+ },
+ {
+ "value": "Individual"
+ },
+ {
+ "value": "Other"
+ },
+ {
+ "value": "Unknown"
+ }
+ ],
+ "version" : 1,
+ "description": "threat actor type vocab as defined by Cert EU.",
+ "source": "Cert EU",
+ "author": ["Cert EU"],
+ "uuid": "549d040e-b017-11e7-b30c-2fa231749902",
+ "type": "threat-actor-type"
+}
diff --git a/vocabularies/common/ttp-category.json b/vocabularies/common/ttp-category.json
new file mode 100644
index 0000000..438eef1
--- /dev/null
+++ b/vocabularies/common/ttp-category.json
@@ -0,0 +1,40 @@
+{
+ "values": [
+ {
+ "value": "Exploits"
+ },
+ {
+ "value": "Infrastructure"
+ },
+ {
+ "value": "Malware"
+ },
+ {
+ "value": "Tools"
+ },
+ {
+ "value": "Other"
+ },
+ {
+ "value": "Unknown"
+ },
+ {
+ "value": "Attack Patterns (S)"
+ },
+ {
+ "value": "Attack Patterns (G)"
+ },
+ {
+ "value": "Tactic"
+ },
+ {
+ "value": "Targeting"
+ }
+ ],
+ "version" : 1,
+ "description": "ttp category vocab as defined by Cert EU.",
+ "source": "Cert EU",
+ "author": ["Cert EU"],
+ "uuid": "54e405b6-b017-11e7-b2f7-df581d1a8587",
+ "type": "ttp-category-vocabulary"
+}
diff --git a/vocabularies/common/ttp-type.json b/vocabularies/common/ttp-type.json
new file mode 100644
index 0000000..83aa3c8
--- /dev/null
+++ b/vocabularies/common/ttp-type.json
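Review bot: The `"type"` value `"threat-actor-type"` in this new file does not follow the `-vocabulary` suffix used by the two sibling files created in the same patch (`"ttp-category-vocabulary"`, `"ttp-type-vocabulary"`), so anything keying on `type` sees two naming schemes; either use `"type": "threat-actor-type-vocabulary"` here or drop the suffix on the others. The `"version" : 1` line has a space before the colon that no other key in the file has — cosmetic, but `"version": 1` keeps the three files uniform and diff-friendly. Outside this hunk, the README hunk of the same patch links `vocabularies/threat-actor/cert-eu-motive.json`, which the diffstat does not create; unless that file already exists in the tree the link dangles.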
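Review bot: The values `"Attack Patterns (S)"` and `"Attack Patterns (G)"` carry single-letter qualifiers that nothing in the file explains, so a consumer cannot tell what S and G distinguish; if the vocabulary format admits a per-entry description, add one to each, otherwise spell the qualifier out in the value or explain it in the file-level `"description"`. The catch-all entries `"Other"` and `"Unknown"` sit in the middle of the list rather than last as in threat-actor-type.json and ttp-type.json from this same patch, which reads as if the list was appended to rather than curated; moving them to the end keeps the three files consistent. `"version" : 1` has the same stray space before the colon as the sibling files.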
@@ -0,0 +1,514 @@
+{
+ "values": [
+ {
+ "value": "Android Trojan"
+ },
+ {
+ "value": "Backdoor"
+ },
+ {
+ "value": "Banking Trojan"
+ },
+ {
+ "value": "Bot"
+ },
+ {
+ "value": "DDoS malware"
+ },
+ {
+ "value": "Espionage malware"
+ },
+ {
+ "value": "Exploit kit"
+ },
+ {
+ "value": "Keylogger"
+ },
+ {
+ "value": "Mac Backdoor"
+ },
+ {
+ "value": "Mac Trojan"
+ },
+ {
+ "value": "Malware site"
+ },
+ {
+ "value": "RAT"
+ },
+ {
+ "value": "Rootkit"
+ },
+ {
+ "value": "SQLI malware"
+ },
+ {
+ "value": "Toolkit"
+ },
+ {
+ "value": "Trojan"
+ },
+ {
+ "value": "Other"
+ },
+ {
+ "value": "Unknown"
+ },
+ {
+ "value": "Ransomware"
+ },
+ {
+ "value": "Dark Net Market"
+ },
+ {
+ "value": "Destructive"
+ },
+ {
+ "value": "Forums"
+ },
+ {
+ "value": "Domain Registration"
+ },
+ {
+ "value": "POS malware"
+ },
+ {
+ "value": "Hosting"
+ },
+ {
+ "value": "ICS"
+ },
+ {
+ "value": "Android app"
+ },
+ {
+ "value": "Privacy"
+ },
+ {
+ "value": "Safe browsing"
+ },
+ {
+ "value": "Safe internet search"
+ },
+ {
+ "value": "Peer-to-peer"
+ },
+ {
+ "value": "Crypto"
+ },
+ {
+ "value": "Social media"
+ },
+ {
+ "value": "Identity Theft"
+ },
+ {
+ "value": "VPN"
+ },
+ {
+ "value": "Speech recognition software"
+ },
+ {
+ "value": "Encrypted email"
+ },
+ {
+ "value": "Messaging"
+ },
+ {
+ "value": "ATM malware"
+ },
+ {
+ "value": "Network mapper"
+ },
+ {
+ "value": "Pentest tool"
+ },
+ {
+ "value": "Authentication bypass"
+ },
+ {
+ "value": "Phishing infra"
+ },
+ {
+ "value": "Dox and ransom"
+ },
+ {
+ "value": "Hot patching"
+ },
+ {
+ "value": "Arsenal"
+ },
+ {
+ "value": "CVE"
+ },
+ {
+ "value": "Fake website"
+ },
+ {
+ "value": "Information stealer"
+ },
+ {
+ "value": "DoS"
+ },
+ {
+ "value": "Worm"
+ },
+ {
+ "value": "Downloader"
+ },
+ {
+ "value": "Loader"
+ },
+ {
+ "value": "Infostealer"
+ },
+ {
+ "value": "RF Signals Intercepter"
+ },
+ {
+ "value": "Wireless Keystroke Logger"
+ },
+ {
+ "value": "Recon tool"
+ },
+ {
+ "value": "Website"
+ },
+ {
+ "value": "Website recon"
+ },
+ {
+ "value": "Malware features"
+ },
+ {
+ "value": "URL shortener service"
+ },
+ {
+ "value": "Information Warfare"
+ },
+ {
+ "value": "Programming language"
+ },
+ {
+ "value": "Port scanner"
+ },
+ {
+ "value": "Installer"
+ },
+ {
+ "value": "CMS exploitation"
+ },
+ {
+ "value": "Remote execution tool"
+ },
+ {
+ "value": "Service"
+ },
+ {
+ "value": "Money miner"
+ },
+ {
+ "value": "Remote administration tool"
+ },
+ {
+ "value": "First-stage"
+ },
+ {
+ "value": "Dropper"
+ },
+ {
+ "value": "Virtual server penetration"
+ },
+ {
+ "value": "Scripting language"
+ },
+ {
+ "value": "Adware"
+ },
+ {
+ "value": "Obfuscation technique"
+ },
+ {
+ "value": "Drive-by attack"
+ },
+ {
+ "value": "PLC worm"
+ },
+ {
+ "value": "Blog"
+ },
+ {
+ "value": "Account checker"
+ },
+ {
+ "value": "Internet Control"
+ },
+ {
+ "value": "C2"
+ },
+ {
+ "value": "Scanning routers"
+ },
+ {
+ "value": "Take over"
+ },
+ {
+ "value": "Credit Card Fraud"
+ },
+ {
+ "value": "DDoS Tool"
+ },
+ {
+ "value": "IoT bot"
+ },
+ {
+ "value": "Targeting"
+ },
+ {
+ "value": "cryptocurrency"
+ },
+ {
+ "value": "Anti-analysis"
+ },
+ {
+ "value": "persistence"
+ },
+ {
+ "value": "Anti-detection"
+ },
+ {
+ "value": "Phishing-theme"
+ },
+ {
+ "value": "OpSec"
+ },
+ {
+ "value": "Automatic phone calls"
+ },
+ {
+ "value": "Selling"
+ },
+ {
+ "value": "Extortion"
+ },
+ {
+ "value": "Watering hole"
+ },
+ {
+ "value": "Sharing platform"
+ },
+ {
+ "value": "Sideloading"
+ },
+ {"value": "Operating System"
+ },
+ {"value": "Sample"
+ },
+ {"value": "Buffer overflow"
+ },
+ {
+ "value": "Online magazine"
+ },
+ {
+ "value": "Spoofing"
+ },
+ {
+ "value": "Ransomware-as-a-Service"
+ },
+ {
+ "value": "Spambot"
+ },
+ {
+ "value": "HTTP bot"
+ },
+ {
+ "value": "Shop"
+ },
+ {
+ "value": "Password recovery"
+ },
+ {
+ "value": "Password manager"
+ },
+ {
+ "value": "Certificate exploit"
+ },
+ {
+ "value": "Mailer"
+ },
+ {
+ "value": "Card"
+ },
+ {
+ "value": "Powershell agent"
+ },
+ {
+ "value": "Skimmer"
+ },
+ {
+ "value": "Exploit"
+ },
+ {
+ "value": "Medical device tampering"
+ },
+ {
+ "value": "App store"
+ },
+ {
+ "value": "Scareware"
+ },
+ {
+ "value": "Payment platform"
+ },
+ {
+ "value": "Man-in-the-middle"
+ },
+ {
+ "value": "Switch ttack"
+ },
+ {
+ "value": "Switch attack"
+ },
+ {
+ "value": "Browser hijacker"
+ },
+ {
+ "value": "Supply chain attack"
+ },
+ {
+ "value": "Powershell scripts"
+ },
+ {
+ "value": "Malicious iFrame injects"
+ },
+ {
+ "value": "Dumps grabber"
+ },
+ {
+ "value": "Exfiltration tool"
+ },
+ {
+ "value": "Code injection"
+ },
+ {
+ "value": "Mobile malware"
+ },
+ {
+ "value": "Zero-Day"
+ },
+ {
+ "value": "Multi-stage implant framework"
+ },
+ {
+ "value": "Second-stage"
+ },
+ {
+ "value": "IRC"
+ },
+ {
+ "value": "Administration"
+ },
+ {
+ "value": "XSS tool"
+ },
+ {
+ "value": "Tracking program"
+ },
+ {
+ "value": "HTTP loader"
+ },
+ {
+ "value": "Spyware"
+ },
+ {
+ "value": "Bitcoin stealer"
+ },
+ {
+ "value": "Phone bot"
+ },
+ {
+ "value": "Video editor"
+ },
+ {
+ "value": "URL shortening service"
+ },
+ {
+ "value": "Fraud"
+ },
+ {
+ "value": "Spreading mechanisms"
+ },
+ {
+ "value": "Android bot"
+ },
+ {
+ "value": "Disinformation"
+ },
+ {
+ "value": "Mineware"
+ },
+ {
+ "value": "Adware"
+ },
+ {
+ "value": "CWE"
+ },
+ {
+ "value": "SCADA malware"
+ },
+ {
+ "value": "Crypter"
+ },
+ {
+ "value": "Phishing"
+ },
+ {
+ "value": "Template injection"
+ },
+ {
+ "value": "Credential stealer"
+ },
+ {
+ "value": "Crypto currency exchange and trading platform"
+ },
+ {
+ "value": "cryptocurrency mining malware"
+ },
+ {
+ "value": "Card shop"
+ },
+ {
+ "value": "Evasion"
+ },
+ {
+ "value": "Browser"
+ },
+ {
+ "value": "Wiper"
+ },
+ {
+ "value": "cryptocurrency cloud mining"
+ },
+ {
+ "value": "Distribution vector"
+ },
+ {
+ "value": "Postscript Abuse"
+ },
+ {
+ "value": "Bolware"
+ },
+ {
+ "value": "Software"
+ },
+ {
+ "value": "Proxy malware"
+ }
+ ],
+ "version" : 1,
+ "description": "ttp type vocab as defined by Cert EU.",
+ "source": "Cert EU",
+ "author": ["Cert EU"],
+ "uuid": "55224678-b017-11e7-874d-971b517d8cba",
+ "type": "ttp-type-vocabulary"
+}
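Review bot: `"Adware"` appears twice in the `values` array (once after `"Scripting language"`, once after `"Mineware"`), and the typo `"Switch ttack"` sits immediately before `"Switch attack"`, so the vocabulary ships a duplicate and a misspelling that any consumer will present as distinct selectable types; drop the second `"Adware"` entry and the `"Switch ttack"` entry before this goes in at version 1. Several other pairs differ only in spelling or case — `"Infostealer"`/`"Information stealer"`, `"URL shortener service"`/`"URL shortening service"`, `"cryptocurrency"`/`"Crypto"`, and lowercase `"persistence"` and `"cryptocurrency"` among otherwise capitalised values — and are worth reconciling now, since removing a value after the file is published breaks anything already tagged with it. Three entries (`{"value": "Operating System"`, `{"value": "Sample"`, `{"value": "Buffer overflow"`) put the brace and the key on one line unlike the rest of the file; running the file through `python -m json.tool` before committing would normalise the layout and also catch the `"version" : 1` spacing that differs from every other key.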