add cert-eu based vocabularies

Deborah Servili 2017-10-20 11:13:26 +02:00
parent a6d5383adf
commit 65995bbe93
4 changed files with 583 additions and 0 deletions


@ -41,9 +41,13 @@ A [readable PDF overview of the MISP galaxy is available](https://www.misp.softw
## Common ## Common
- [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster. - [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.
- [vocabularies/common/threat-actor-type.json](vocabularies/common/threat-actor-type.json) - threat actor type vocab as defined by Cert EU.
- [vocabularies/common/ttp-category.json](vocabularies/common/ttp-category.json) - ttp category vocab as defined by Cert EU.
- [vocabularies/common/ttp-type.json](vocabularies/common/ttp-type.json) - ttp type vocab as defined by Cert EU.
## Threat Actor ## Threat Actor
- [vocabularies/threat-actor/cert-eu-motive.json](vocabularies/threat-actor/cert-eu-motive.json) - Motive vocab as defined by Cert EU.
- [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1 - [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1
- [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1 - [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1
- [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor. - [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.


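--- /dev/null
+++ b/vocabularies/common/threat-actor-type.json
@@ -0,0 +1,25 @@
+{
+"values": [
+{
+"value": "Independent Group"
+},
+{
+"value": "State or state-sponsored Group"
+},
+{
+"value": "Individual"
+},
+{
+"value": "Other"
+},
+{
+"value": "Unknown"
+}
+],
+"version" : 1,
+"description": "threat actor type vocab as defined by Cert EU.",
+"source": "Cert EU",
+"author": ["Cert EU"],
+"uuid": "549d040e-b017-11e7-b30c-2fa231749902",
+"type": "threat-actor-type"
+}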
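Review bot: The `"type"` value here is `"threat-actor-type"`, while the two other vocabularies added in this commit use a `-vocabulary` suffix (`"ttp-category-vocabulary"`, `"ttp-type-vocabulary"`). If consumers select or validate vocabularies by `type`, this file would be picked up under a different naming scheme than its siblings. Either change it to `"type": "threat-actor-type-vocabulary"` or drop the suffix from the other two; the convention used by the existing vocabulary files is not visible on this page, so confirm against them.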


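--- /dev/null
+++ b/vocabularies/common/ttp-category.json
@@ -0,0 +1,40 @@
+{
+"values": [
+{
+"value": "Exploits"
+},
+{
+"value": "Infrastructure"
+},
+{
+"value": "Malware"
+},
+{
+"value": "Tools"
+},
+{
+"value": "Other"
+},
+{
+"value": "Unknown"
+},
+{
+"value": "Attack Patterns (S)"
+},
+{
+"value": "Attack Patterns (G)"
+},
+{
+"value": "Tactic"
+},
+{
+"value": "Targeting"
+}
+],
+"version" : 1,
+"description": "ttp category vocab as defined by Cert EU.",
+"source": "Cert EU",
+"author": ["Cert EU"],
+"uuid": "54e405b6-b017-11e7-b2f7-df581d1a8587",
+"type": "ttp-category-vocabulary"
+}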
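Review bot: `"Attack Patterns (S)"` and `"Attack Patterns (G)"` are distinguished only by a suffix that nothing in the file explains, so an analyst choosing a category has no way to tell which one applies. Since JSON has no comments, the explanation has to live in the data, for example in a per-entry `"description"` key if the vocabulary format accepts one, or in the top-level `"description"` string. `"Targeting"` is also added to the ttp type vocabulary in this commit, and the same value appearing as both a category and a type is worth confirming against the Cert EU source.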


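--- /dev/null
+++ b/vocabularies/common/ttp-type.json
@@ -0,0 +1,514 @@
+{
+"values": [
+{
+"value": "Android Trojan"
+},
+{
+"value": "Backdoor"
+},
+{
+"value": "Banking Trojan"
+},
+{
+"value": "Bot"
+},
+{
+"value": "DDoS malware"
+},
+{
+"value": "Espionage malware"
+},
+{
+"value": "Exploit kit"
+},
+{
+"value": "Keylogger"
+},
+{
+"value": "Mac Backdoor"
+},
+{
+"value": "Mac Trojan"
+},
+{
+"value": "Malware site"
+},
+{
+"value": "RAT"
+},
+{
+"value": "Rootkit"
+},
+{
+"value": "SQLI malware"
+},
+{
+"value": "Toolkit"
+},
+{
+"value": "Trojan"
+},
+{
+"value": "Other"
+},
+{
+"value": "Unknown"
+},
+{
+"value": "Ransomware"
+},
+{
+"value": "Dark Net Market"
+},
+{
+"value": "Destructive"
+},
+{
+"value": "Forums"
+},
+{
+"value": "Domain Registration"
+},
+{
+"value": "POS malware"
+},
+{
+"value": "Hosting"
+},
+{
+"value": "ICS"
+},
+{
+"value": "Android app"
+},
+{
+"value": "Privacy"
+},
+{
+"value": "Safe browsing"
+},
+{
+"value": "Safe internet search"
+},
+{
+"value": "Peer-to-peer"
+},
+{
+"value": "Crypto"
+},
+{
+"value": "Social media"
+},
+{
+"value": "Identity Theft"
+},
+{
+"value": "VPN"
+},
+{
+"value": "Speech recognition software"
+},
+{
+"value": "Encrypted email"
+},
+{
+"value": "Messaging"
+},
+{
+"value": "ATM malware"
+},
+{
+"value": "Network mapper"
+},
+{
+"value": "Pentest tool"
+},
+{
+"value": "Authentication bypass"
+},
+{
+"value": "Phishing infra"
+},
+{
+"value": "Dox and ransom"
+},
+{
+"value": "Hot patching"
+},
+{
+"value": "Arsenal"
+},
+{
+"value": "CVE"
+},
+{
+"value": "Fake website"
+},
+{
+"value": "Information stealer"
+},
+{
+"value": "DoS"
+},
+{
+"value": "Worm"
+},
+{
+"value": "Downloader"
+},
+{
+"value": "Loader"
+},
+{
+"value": "Infostealer"
+},
+{
+"value": "RF Signals Intercepter"
+},
+{
+"value": "Wireless Keystroke Logger"
+},
+{
+"value": "Recon tool"
+},
+{
+"value": "Website"
+},
+{
+"value": "Website recon"
+},
+{
+"value": "Malware features"
+},
+{
+"value": "URL shortener service"
+},
+{
+"value": "Information Warfare"
+},
+{
+"value": "Programming language"
+},
+{
+"value": "Port scanner"
+},
+{
+"value": "Installer"
+},
+{
+"value": "CMS exploitation"
+},
+{
+"value": "Remote execution tool"
+},
+{
+"value": "Service"
+},
+{
+"value": "Money miner"
+},
+{
+"value": "Remote administration tool"
+},
+{
+"value": "First-stage"
+},
+{
+"value": "Dropper"
+},
+{
+"value": "Virtual server penetration"
+},
+{
+"value": "Scripting language"
+},
+{
+"value": "Adware"
+},
+{
+"value": "Obfuscation technique"
+},
+{
+"value": "Drive-by attack"
+},
+{
+"value": "PLC worm"
+},
+{
+"value": "Blog"
+},
+{
+"value": "Account checker"
+},
+{
+"value": "Internet Control"
+},
+{
+"value": "C2"
+},
+{
+"value": "Scanning routers"
+},
+{
+"value": "Take over"
+},
+{
+"value": "Credit Card Fraud"
+},
+{
+"value": "DDoS Tool"
+},
+{
+"value": "IoT bot"
+},
+{
+"value": "Targeting"
+},
+{
+"value": "cryptocurrency"
+},
+{
+"value": "Anti-analysis"
+},
+{
+"value": "persistence"
+},
+{
+"value": "Anti-detection"
+},
+{
+"value": "Phishing-theme"
+},
+{
+"value": "OpSec"
+},
+{
+"value": "Automatic phone calls"
+},
+{
+"value": "Selling"
+},
+{
+"value": "Extortion"
+},
+{
+"value": "Watering hole"
+},
+{
+"value": "Sharing platform"
+},
+{
+"value": "Sideloading"
+},
+{"value": "Operating System"
+},
+{"value": "Sample"
+},
+{"value": "Buffer overflow"
+},
+{
+"value": "Online magazine"
+},
+{
+"value": "Spoofing"
+},
+{
+"value": "Ransomware-as-a-Service"
+},
+{
+"value": "Spambot"
+},
+{
+"value": "HTTP bot"
+},
+{
+"value": "Shop"
+},
+{
+"value": "Password recovery"
+},
+{
+"value": "Password manager"
+},
+{
+"value": "Certificate exploit"
+},
+{
+"value": "Mailer"
+},
+{
+"value": "Card"
+},
+{
+"value": "Powershell agent"
+},
+{
+"value": "Skimmer"
+},
+{
+"value": "Exploit"
+},
+{
+"value": "Medical device tampering"
+},
+{
+"value": "App store"
+},
+{
+"value": "Scareware"
+},
+{
+"value": "Payment platform"
+},
+{
+"value": "Man-in-the-middle"
+},
+{
+"value": "Switch ttack"
+},
+{
+"value": "Switch attack"
+},
+{
+"value": "Browser hijacker"
+},
+{
+"value": "Supply chain attack"
+},
+{
+"value": "Powershell scripts"
+},
+{
+"value": "Malicious iFrame injects"
+},
+{
+"value": "Dumps grabber"
+},
+{
+"value": "Exfiltration tool"
+},
+{
+"value": "Code injection"
+},
+{
+"value": "Mobile malware"
+},
+{
+"value": "Zero-Day"
+},
+{
+"value": "Multi-stage implant framework"
+},
+{
+"value": "Second-stage"
+},
+{
+"value": "IRC"
+},
+{
+"value": "Administration"
+},
+{
+"value": "XSS tool"
+},
+{
+"value": "Tracking program"
+},
+{
+"value": "HTTP loader"
+},
+{
+"value": "Spyware"
+},
+{
+"value": "Bitcoin stealer"
+},
+{
+"value": "Phone bot"
+},
+{
+"value": "Video editor"
+},
+{
+"value": "URL shortening service"
+},
+{
+"value": "Fraud"
+},
+{
+"value": "Spreading mechanisms"
+},
+{
+"value": "Android bot"
+},
+{
+"value": "Disinformation"
+},
+{
+"value": "Mineware"
+},
+{
+"value": "Adware"
+},
+{
+"value": "CWE"
+},
+{
+"value": "SCADA malware"
+},
+{
+"value": "Crypter"
+},
+{
+"value": "Phishing"
+},
+{
+"value": "Template injection"
+},
+{
+"value": "Credential stealer"
+},
+{
+"value": "Crypto currency exchange and trading platform"
+},
+{
+"value": "cryptocurrency mining malware"
+},
+{
+"value": "Card shop"
+},
+{
+"value": "Evasion"
+},
+{
+"value": "Browser"
+},
+{
+"value": "Wiper"
+},
+{
+"value": "cryptocurrency cloud mining"
+},
+{
+"value": "Distribution vector"
+},
+{
+"value": "Postscript Abuse"
+},
+{
+"value": "Bolware"
+},
+{
+"value": "Software"
+},
+{
+"value": "Proxy malware"
+}
+],
+"version" : 1,
+"description": "ttp type vocab as defined by Cert EU.",
+"source": "Cert EU",
+"author": ["Cert EU"],
+"uuid": "55224678-b017-11e7-874d-971b517d8cba",
+"type": "ttp-type-vocabulary"
+}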
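Review bot: The `values` array carries one exact duplicate and one misspelled duplicate: `"Adware"` is listed twice, and `"Switch ttack"` sits directly before `"Switch attack"`. In a controlled vocabulary used to tag threat intelligence, each spelling becomes its own tag, so events labelled with one variant will not correlate with, or match filters written for, the other. I would drop the second `{"value": "Adware"}` entry and the `{"value": "Switch ttack"}` entry before the list is consumed. Several near-synonyms look like the same problem (`"Information stealer"` / `"Infostealer"`, `"URL shortener service"` / `"URL shortening service"`, `"RAT"` / `"Remote administration tool"`), though those may be intentional in the upstream Cert EU list and are worth confirming with the source.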