This commit is contained in:
Delta-Sierra 2024-07-12 14:31:22 +02:00
commit 6e0e8ad416
27 changed files with 36786 additions and 31525 deletions


@ -51,3 +51,10 @@ jobs:
pushd PyMISPGalaxies
poetry run pytest --cov=pymispgalaxies tests/tests.py
popd
- name: Test updated README.md
run: |
pushd tools
python3 update_README_with_index.py
git diff --exit-code ../README.md
popd

66
.vscode/launch.json vendored

@ -1,41 +1,77 @@
{
"version": "0.2.0",
"configurations": [
{
"name": "gen_gsma_motif",
"type": "debugpy",
"request": "launch",
"program": "gen_gsma_motif.py",
"console": "integratedTerminal",
"args": "",
"cwd": "${workspaceFolder}/tools"
},
{
"name": "gen_mitre_d3fend",
"type": "debugpy",
"request": "launch",
"program": "${file}",
"program": "gen_mitre_d3fend.py",
"console": "integratedTerminal",
"args": "",
"cwd": "${fileDirname}"
"cwd": "${workspaceFolder}/tools"
},
{
"name": "gen_mitre_fight",
"type": "debugpy",
"request": "launch",
"program": "gen_mitre_fight.py",
"console": "integratedTerminal",
"args": "",
"cwd": "${workspaceFolder}/tools"
},
{
"name": "gen_mitre",
"type": "debugpy",
"request": "launch",
"program": "${file}",
"program": "gen_mitre.py",
"console": "integratedTerminal",
"args": "-p ../../MITRE-ATTACK",
"cwd": "${fileDirname}"
},
{
"name": "gen_interpol_dwvat",
"type": "debugpy",
"request": "launch",
"program": "${file}",
"console": "integratedTerminal",
"args": "-p ../../DW-VA-Taxonomy",
"cwd": "${fileDirname}"
"cwd": "${workspaceFolder}/tools"
},
{
"name": "gen_mitre_atlas",
"type": "debugpy",
"request": "launch",
"program": "${file}",
"program": "gen_mitre_atlas.py",
"console": "integratedTerminal",
"args": "-p ../../atlas-navigator-data",
"cwd": "${fileDirname}"
"cwd": "${workspaceFolder}/tools"
},
{
"name": "gen_ms_tmss",
"type": "debugpy",
"request": "launch",
"program": "gen_ms_tmss.py",
"console": "integratedTerminal",
"args": "-p ../../Threat-matrix-for-storage-services",
"cwd": "${workspaceFolder}/tools"
},
{
"name": "gen_ms_atrm",
"type": "debugpy",
"request": "launch",
"program": "gen_ms_atrm.py",
"console": "integratedTerminal",
"args": "-p ../../Azure-Threat-Research-Matrix",
"cwd": "${workspaceFolder}/tools"
},
{
"name": "gen_interpol_dwvat",
"type": "debugpy",
"request": "launch",
"program": "gen_interpol_dwvat.py",
"console": "integratedTerminal",
"args": "-p ../../DW-VA-Taxonomy",
"cwd": "${workspaceFolder}/tools"
},
{
"name": "Python Debugger: Current File",


@ -31,7 +31,7 @@ Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements
[Ammunitions](https://www.misp-galaxy.org/ammunitions) - Common ammunitions galaxy
Category: *firearm* - source: *https://ammo.com/* - total: *410* elements
Category: *firearm* - source: *https://ammo.com/* - total: *409* elements
[[HTML](https://www.misp-galaxy.org/ammunitions)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ammunitions.json)]
@ -211,6 +211,14 @@ Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total
[[HTML](https://www.misp-galaxy.org/first-dns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-dns.json)]
## GSMA MoTIF
[GSMA MoTIF](https://www.misp-galaxy.org/gsma-motif) - Mobile Threat Intelligence Framework (MoTIF) Principles.
Category: *attack-pattern* - source: *https://www.gsma.com/solutions-and-impact/technologies/security/latest-news/establishing-motif-the-mobile-threat-intelligence-framework/* - total: *50* elements
[[HTML](https://www.misp-galaxy.org/gsma-motif)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/gsma-motif.json)]
## Intelligence Agencies
[Intelligence Agencies](https://www.misp-galaxy.org/intelligence-agencies) - List of intelligence agencies
@ -231,7 +239,7 @@ Category: *dwva* - source: *https://interpol-innovation-centre.github.io/DW-VA-T
[Malpedia](https://www.misp-galaxy.org/malpedia) - Malware galaxy cluster based on Malpedia.
Category: *tool* - source: *Malpedia* - total: *3039* elements
Category: *tool* - source: *Malpedia* - total: *3038* elements
[[HTML](https://www.misp-galaxy.org/malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
@ -415,7 +423,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
[Producer](https://www.misp-galaxy.org/producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.
Category: *actor* - source: *MISP Project* - total: *21* elements
Category: *actor* - source: *MISP Project* - total: *22* elements
[[HTML](https://www.misp-galaxy.org/producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)]
@ -423,7 +431,7 @@ Category: *actor* - source: *MISP Project* - total: *21* elements
[Ransomware](https://www.misp-galaxy.org/ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
Category: *tool* - source: *Various* - total: *1706* elements
Category: *tool* - source: *Various* - total: *1789* elements
[[HTML](https://www.misp-galaxy.org/ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
@ -431,7 +439,7 @@ Category: *tool* - source: *Various* - total: *1706* elements
[RAT](https://www.misp-galaxy.org/rat) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.
Category: *tool* - source: *MISP Project* - total: *266* elements
Category: *tool* - source: *MISP Project* - total: *265* elements
[[HTML](https://www.misp-galaxy.org/rat)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rat.json)]
@ -463,7 +471,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
[Sigma-Rules](https://www.misp-galaxy.org/sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2888* elements
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2901* elements
[[HTML](https://www.misp-galaxy.org/sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
@ -527,7 +535,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *678* elements
Category: *actor* - source: *MISP Project* - total: *707* elements
[[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -551,7 +559,7 @@ Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/group
[Tidal References](https://www.misp-galaxy.org/tidal-references) - Tidal References Cluster
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4104* elements
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *4261* elements
[[HTML](https://www.misp-galaxy.org/tidal-references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)]
@ -559,7 +567,7 @@ Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/referenc
[Tidal Software](https://www.misp-galaxy.org/tidal-software) - Tidal Software Cluster
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *961* elements
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1003* elements
[[HTML](https://www.misp-galaxy.org/tidal-software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)]
@ -607,7 +615,7 @@ Category: *military equipment* - source: *Popular Mechanics* - total: *36* eleme
[UKHSA Culture Collections](https://www.misp-galaxy.org/ukhsa-culture-collections) - UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.
Category: *virus* - source: *https://www.culturecollections.org.uk* - total: *6667* elements
Category: *virus* - source: *https://www.culturecollections.org.uk* - total: *6638* elements
[[HTML](https://www.misp-galaxy.org/ukhsa-culture-collections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ukhsa-culture-collections.json)]


@ -3569,16 +3569,6 @@
"uuid": "9aa0a1b7-c9ff-422c-9ef1-431459e1e1b9",
"value": "PMC Bronze 44 Magnum Ammo - 500 Rounds of 180 Grain JHP Ammunition"
},
{
"meta": {
"caliber": "X",
"description": "Tac 7.62x51mm Ammo",
"manufacturer": "PMC",
"name": "PMC X"
},
"uuid": "0dd1db3c-8d5d-4296-b780-ae5ac7a92fed",
"value": "PMC X - Tac 7.62x51mm Ammo"
},
{
"meta": {
"caliber": "Bronze 308 Win Ammo",
@ -4110,5 +4100,5 @@
"value": "NobelSport High Brass Field 12 Gauge Ammo - 250 Rounds of 1"
}
],
"version": 1
"version": 2
}


@ -1,18 +1,18 @@
{
"authors": [
"Microsoft",
"Karl Fosaaen",
"Nestori Syynimaa",
"Ryan Cobb",
"Roberto Rodriguez",
"Manuel Berrueta",
"Jonny Johnson",
"Dor Edry",
"Ram Pliskin",
"Nikhil Mittal",
"MITRE ATT&CK",
"AlertIQ",
"Craig Fretwell"
"Craig Fretwell",
"Dor Edry",
"Jonny Johnson",
"Karl Fosaaen",
"MITRE ATT&CK",
"Manuel Berrueta",
"Microsoft",
"Nestori Syynimaa",
"Nikhil Mittal",
"Ram Pliskin",
"Roberto Rodriguez",
"Ryan Cobb"
],
"category": "atrm",
"description": "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
@ -24,6 +24,7 @@
{
"description": "It is possible to view the open ports on a virtual machine by viewing the Virtual Network Interface's assigned Network Security Group",
"meta": {
"external_id": "AZT101",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -37,6 +38,7 @@
{
"description": "It is possible to view the IP address on a resource by viewing the Virtual Network Interface",
"meta": {
"external_id": "AZT102",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -50,6 +52,7 @@
{
"description": "A resource within Azure is accessible from the public internet.",
"meta": {
"external_id": "AZT103",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -63,6 +66,7 @@
{
"description": "An adversary may obtain information about a User within Azure Active Directory. Details may include email addresses, first/last names, job information, addresses, and assigned roles. By default, all users are able to read other user's roles and group memberships within AAD.",
"meta": {
"external_id": "AZT104",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -76,6 +80,7 @@
{
"description": "An adversary may obtain information about an application within Azure Active Directory.",
"meta": {
"external_id": "AZT105",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -89,6 +94,7 @@
{
"description": "An adversary may obtain information about a role within Azure Active Directory or within Azure Resource Manager.",
"meta": {
"external_id": "AZT106",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -102,6 +108,7 @@
{
"description": "An adversary may gather role assignments within Azure Active Directory.",
"meta": {
"external_id": "AZT106.1",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -115,6 +122,7 @@
{
"description": "An adversary may gather information about an application role & it's member assignments within Azure Active Directory.",
"meta": {
"external_id": "AZT106.2",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -128,6 +136,7 @@
{
"description": "An adversary may gather role assignments for a specific Azure Resource, Resource Group, or Subscription.",
"meta": {
"external_id": "AZT106.3",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -141,6 +150,7 @@
{
"description": "An adversary may obtain information and data within a resource.",
"meta": {
"external_id": "AZT107",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -154,6 +164,7 @@
{
"description": "An adversary may access a user's personal data if their account is compromised. This includes data such as email, OneDrive, Teams, etc.",
"meta": {
"external_id": "AZT108",
"kill_chain": [
"ATRM-tactics:Reconnaissance"
],
@ -167,6 +178,7 @@
{
"description": "Adversaries may login to AzureAD using valid credentials. By logging in with valid credentials to an account or service principal, the adversary will assume all privileges of that account or service principal. If the account is privileged, this may lead to other tactics, such as persistence or privilege escalation.",
"meta": {
"external_id": "AZT201",
"kill_chain": [
"ATRM-tactics:Initial Access",
"ATRM-tactics:Privilege Escalation",
@ -182,6 +194,7 @@
{
"description": "By obtaining valid user credentials, an adversary may login to AzureAD via command line or through the Azure Portal.",
"meta": {
"external_id": "AZT201.1",
"kill_chain": [
"ATRM-tactics:Initial Access"
],
@ -195,6 +208,7 @@
{
"description": "By obtaining a valid secret or certificate, an adversary may login to AzureAD via command line.",
"meta": {
"external_id": "AZT201.2",
"kill_chain": [
"ATRM-tactics:Initial Access"
],
@ -208,6 +222,7 @@
{
"description": "An adversary may potentially gain access to AzureAD by guessing a common password for multiple users.",
"meta": {
"external_id": "AZT202",
"kill_chain": [
"ATRM-tactics:Initial Access"
],
@ -221,6 +236,7 @@
{
"description": "An adversary may lure a victim into giving their access to a malicious application registered in AzureAD.",
"meta": {
"external_id": "AZT203",
"kill_chain": [
"ATRM-tactics:Initial Access"
],
@ -234,6 +250,7 @@
{
"description": "Adversaries may abuse access to virtual machines by executing a script through various methods in order to gain access to the Virtual Machine.",
"meta": {
"external_id": "AZT301",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -247,6 +264,7 @@
{
"description": "By utilizing the 'RunCommand' feature on a Virtual Machine, an attacker can pass:* **Windows**: PowerShell commands to the VM as SYSTEM.* **Linux**: Shell commands to the VM as root.",
"meta": {
"external_id": "AZT301.1",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -260,6 +278,7 @@
{
"description": "By utilizing the 'CustomScriptExtension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.",
"meta": {
"external_id": "AZT301.2",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -273,6 +292,7 @@
{
"description": "By utilizing the 'Desired State Configuration extension' extension on a Virtual Machine, an attacker can pass PowerShell commands to the VM as SYSTEM.",
"meta": {
"external_id": "AZT301.3",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -286,6 +306,7 @@
{
"description": "By utilizing Compute Gallery Applications, an attacker can pass MS-DOS or PowerShell commands to the VM as SYSTEM.",
"meta": {
"external_id": "AZT301.4",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -299,6 +320,7 @@
{
"description": "By utilizing 'command invoke' on an Azure Kubernetes Service (AKS) cluster, an attacker can pass commands to the cluster's VM as SYSTEM",
"meta": {
"external_id": "AZT301.5",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -312,6 +334,7 @@
{
"description": "By utilizing the 'RunCommand' feature on a virtual machine scale set (Vmss), an attacker can execute a command on an instance or instances of VMs as:* **Windows**: PowerShell commands to the VM as SYSTEM.* **Linux**: Shell commands to the VM as root.",
"meta": {
"external_id": "AZT301.6",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -325,6 +348,7 @@
{
"description": "By utilizing the serial console feature on an Azure Virtual Machine, an adversary can pass arbitrary commands.",
"meta": {
"external_id": "AZT301.7",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -338,6 +362,7 @@
{
"description": "Adversaries may abuse access to serverless resources that are able to execute PowerShell or Python scripts on an Azure resource.",
"meta": {
"external_id": "AZT302",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -351,6 +376,7 @@
{
"description": "By utilizing an Automation Account configured with a Hybrid Worker Group, an attacker can execute Azure commands on any Azure VM within that Hybrid Worker Group.",
"meta": {
"external_id": "AZT302.1",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -364,6 +390,7 @@
{
"description": "By utilizing an Automation Account configured with a RunAs account, an attacker can execute commands on an Azure VM via RunCommand [(AZT301.1)](../AZT301/AZT301-1.md) if that service principal has the correct role and privileges.",
"meta": {
"external_id": "AZT302.2",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -377,6 +404,7 @@
{
"description": "By utilizing an Automation Account configured with a Managed Identity, an attacker can execute commands on an Azure VM via RunCommand [(AZT301.1)](../AZT301/AZT301-1.md) if that service principal has the correct role and privileges.",
"meta": {
"external_id": "AZT302.3",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -390,6 +418,7 @@
{
"description": "By utilizing a Function Application, an attacker can execute Azure operations on a given resource.",
"meta": {
"external_id": "AZT302.4",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -403,6 +432,7 @@
{
"description": "Adversaries may abuse access to any managed devices in AzureAD by executing PowerShell or Python scripts on them.",
"meta": {
"external_id": "AZT303",
"kill_chain": [
"ATRM-tactics:Execution"
],
@ -416,6 +446,7 @@
{
"description": "An adversary may escalate their privileges if their current account is eligible for role activation via Privileged Identity Management (PIM).",
"meta": {
"external_id": "AZT401",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -429,6 +460,7 @@
{
"description": "An adversary may escalate their privileges from Azure AD to all Azure subscriptions in the tenant if they are a global administrator",
"meta": {
"external_id": "AZT402",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -442,6 +474,7 @@
{
"description": "By modifying the .bashrc file in a CloudShell .IMG file, an adversary may escalate their privileges by injecting commands that will add an arbitrary user account to a desired role and scope.",
"meta": {
"external_id": "AZT403",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -455,6 +488,7 @@
{
"description": "Adversaries may abuse resources that are configured with a service principal or other identity to further their access to the current or other resources.",
"meta": {
"external_id": "AZT404",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -468,6 +502,7 @@
{
"description": "By utilizing a Function Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.",
"meta": {
"external_id": "AZT404.1",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -481,6 +516,7 @@
{
"description": "By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.",
"meta": {
"external_id": "AZT404.2",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -494,6 +530,7 @@
{
"description": "By utilizing a Function Application, an attacker can execute Azure operations on a given resource.",
"meta": {
"external_id": "AZT404.3",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -507,6 +544,7 @@
{
"description": "By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.",
"meta": {
"external_id": "AZT404.4",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -520,6 +558,7 @@
{
"description": "Adversaries may abuse the assigned permissions on an Azure AD Application to escalate their privileges.",
"meta": {
"external_id": "AZT405",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -533,6 +572,7 @@
{
"description": "By compromising a user, user in a group, or service principal that has an application role over an application, they may be able to escalate their privileges by impersonating the associated service principal and leveraging any privileged assigned application role.",
"meta": {
"external_id": "AZT405.1",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -546,6 +586,7 @@
{
"description": "By compromising a service principal whose application has privileged API permissions, an attacker can escalate their privileges to a higher privileged role.",
"meta": {
"external_id": "AZT405.2",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -559,6 +600,7 @@
{
"description": "By compromising an account who is an 'Owner' over an application that is configured with additional roles or API permissions, an attacker can escalate their privileges by adding a certificate or credentials & logging in as the service principal.",
"meta": {
"external_id": "AZT405.3",
"kill_chain": [
"ATRM-tactics:Privilege Escalation"
],
@ -572,6 +614,7 @@
{
"description": "An adverary may manipulate an account to maintain access in an Azure tenant",
"meta": {
"external_id": "AZT501",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -585,6 +628,7 @@
{
"description": "An adverary may manipulate a user account to maintain access in an Azure tenant",
"meta": {
"external_id": "AZT501.1",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -598,6 +642,7 @@
{
"description": "An adverary may manipulate a service principal to maintain access in an Azure tenant",
"meta": {
"external_id": "AZT501.2",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -611,6 +656,7 @@
{
"description": "An adverary may manipulate the local admin account on an Azure VM",
"meta": {
"external_id": "AZT501.3",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -624,6 +670,7 @@
{
"description": "An adversary may create an account in Azure Active Directory.",
"meta": {
"external_id": "AZT502",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -637,6 +684,7 @@
{
"description": "An adversary may create an application & service principal in Azure Active Directory",
"meta": {
"external_id": "AZT502.1",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -650,6 +698,7 @@
{
"description": "An adversary may create an application & service principal in Azure Active Directory",
"meta": {
"external_id": "AZT502.2",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -663,6 +712,7 @@
{
"description": "An adversary may create a guest account in Azure Active Directory",
"meta": {
"external_id": "AZT502.3",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -676,6 +726,7 @@
{
"description": "Adversaries may configure a resource with an HTTP trigger to run commands without needing authentication.",
"meta": {
"external_id": "AZT503",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -689,6 +740,7 @@
{
"description": "Adversaries may configure a Logic Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.",
"meta": {
"external_id": "AZT503.1",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -702,6 +754,7 @@
{
"description": "Adversaries may configure a Function Application with a user account or managed identity and modify the HTTP trigger to run a command via HTTP request.",
"meta": {
"external_id": "AZT503.2",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -715,6 +768,7 @@
{
"description": "Adversaries may create a webhook to a Runbook which allows unauthenticated access into an Azure subscription or tenant.",
"meta": {
"external_id": "AZT503.3",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -728,6 +782,7 @@
{
"description": "Adversaries may create a WebJob on a App Service which allows arbitrary background tasks to be run on a set schedule",
"meta": {
"external_id": "AZT503.4",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -741,6 +796,7 @@
{
"description": "By configurating a watcher task and a Runbook, an adversary can establish persistence by executing the Runbook on a triggered event.",
"meta": {
"external_id": "AZT504",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -754,6 +810,7 @@
{
"description": "Adversaries may create a schedule for a Runbook to run at a defined interval.",
"meta": {
"external_id": "AZT505",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -767,6 +824,7 @@
{
"description": "Adversaries can modify the rules in a Network Security Group to establish access over additional ports.",
"meta": {
"external_id": "AZT506",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -780,6 +838,7 @@
{
"description": "Adversaries may configure the target Azure tenant to be managed by another, externel tenant, or its users.",
"meta": {
"external_id": "AZT507",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -793,6 +852,7 @@
{
"description": "Adversaries may utilize Azure Lighthouse to manage the target tenant from an external tenant",
"meta": {
"external_id": "AZT507.1",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -806,6 +866,7 @@
{
"description": "Adversaries may use Delegated Administrative Privileges to give themselves administrator access to the target tenant.",
"meta": {
"external_id": "AZT507.2",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -819,6 +880,7 @@
{
"description": "An adversary may transfer a subscription from a target tenant to an attacker-controlled tenant. This retains the billing account setup by the target and the target tenant administrators will no longer have control over the subscription.",
"meta": {
"external_id": "AZT507.3",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -832,6 +894,7 @@
{
"description": "An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.",
"meta": {
"external_id": "AZT507.4",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -845,6 +908,7 @@
{
"description": "By configuring a policy with the 'DeployIfNotExists' definition, an adverary may establish persistence by creating a backdoor when the policy is triggered.",
"meta": {
"external_id": "AZT508",
"kill_chain": [
"ATRM-tactics:Persistence"
],
@ -858,6 +922,7 @@
{
"description": "An adverary may utilize the resource's functionality to obtain a JWT for the applied Managed Identity Service Principal account.",
"meta": {
"external_id": "AZT601",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -871,6 +936,7 @@
{
"description": "By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an Azure VM if they have access to execute commands on the system.",
"meta": {
"external_id": "AZT601.1",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -884,6 +950,7 @@
{
"description": "By utilizing access to IMDS, an attacker can request a JWT for a Managed Identity on an AKS Cluster if they have access to execute commands on the system.",
"meta": {
"external_id": "AZT601.2",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -897,6 +964,7 @@
{
"description": "If a Logic App is using a Managed Identity, an adversary can modify the logic to make an HTTP POST request to reveal the Managed Identity's JWT.",
"meta": {
"external_id": "AZT601.3",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -910,6 +978,7 @@
{
"description": "If a Function App is using a Managed Identity, an adversary can modify the logic respond to an HTTP GET request to reveal the Managed Identity's JWT.",
"meta": {
"external_id": "AZT601.4",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -923,6 +992,7 @@
{
"description": "If an Automation Account is using a Managed Identity, an adversary can create a Runbook to request the Managed Identity's JWT.",
"meta": {
"external_id": "AZT601.5",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -936,6 +1006,7 @@
{
"description": "If a Runbook is utilizing a 'RunAs' account, then an adversary may manipulate the Runbook to reveal the certificate the Service Principal is using for authentication.",
"meta": {
"external_id": "AZT602",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -949,6 +1020,7 @@
{
"description": "If a Function App is using a service principal for authentication, an adversary may manipulate the function app logic to reveal the service principal's secret in plain text.",
"meta": {
"external_id": "AZT603",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -962,6 +1034,7 @@
{
"description": "An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.",
"meta": {
"external_id": "AZT604",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -975,6 +1048,7 @@
{
"description": "By accessing an Azure Key Vault, an adversary may dump any or all secrets.",
"meta": {
"external_id": "AZT604.1",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -988,6 +1062,7 @@
{
"description": "By accessing an Azure Key Vault, an adversary may dump any or all certificates.",
"meta": {
"external_id": "AZT604.2",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -1001,6 +1076,7 @@
{
"description": "By accessing an Azure Key Vault, an adversary may dump any or all public keys. Note that Private keys cannot be retrieved.",
"meta": {
"external_id": "AZT604.3",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -1014,6 +1090,7 @@
{
"description": "An adverary may access an Azure KeyVault in an attempt to view secrets, certificates, or keys.",
"meta": {
"external_id": "AZT605",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -1027,6 +1104,7 @@
{
"description": "By accessing a Storage Account, an adversary may dump access keys pertaining to the Storage Account, which will give them full access to the Storage Account.",
"meta": {
"external_id": "AZT605.1",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -1040,6 +1118,7 @@
{
"description": "By editing a Runbook, a credential configured in an Automation Account may be revealed",
"meta": {
"external_id": "AZT605.2",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -1053,6 +1132,7 @@
{
"description": "By accessing deployment history of a Resource Group, secrets used in the ARM template may be revealed.",
"meta": {
"external_id": "AZT605.3",
"kill_chain": [
"ATRM-tactics:Credential Access"
],
@ -1066,6 +1146,7 @@
{
"description": "By generating an SAS URI for a resource, an adversary may extract the contents of that resource without authentication at any time.",
"meta": {
"external_id": "AZT701",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1079,6 +1160,7 @@
{
"description": "An adversary may create an SAS URI to download the disk attached to a virtual machine.",
"meta": {
"external_id": "AZT701.1",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1092,6 +1174,7 @@
{
"description": "By generating a Shared Access Signature (SAS) URI, an adversary can access a container in a Storage Account at any time.",
"meta": {
"external_id": "AZT701.2",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1105,6 +1188,7 @@
{
"description": "An adversary can generate a connection string to mount an Azure Storage Account File Share as an NFS or SMB share to their local machine.",
"meta": {
"external_id": "AZT702",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1116,8 +1200,8 @@
"value": "AZT702 - File Share Mounting"
},
{
"description": "",
"meta": {
"external_id": "AZT703",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1131,6 +1215,7 @@
{
"description": "An adversary may leverage resources found at a 'soft deletion' state, restore them and advance their attack by retrieving contents meant to be deleted",
"meta": {
"external_id": "AZT704",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1144,6 +1229,7 @@
{
"description": "An adversary may recover a key vault object found in a 'soft deletion' state.",
"meta": {
"external_id": "AZT704.1",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1157,6 +1243,7 @@
{
"description": "An adversary may recover a storage account object found in a 'soft deletion' state.",
"meta": {
"external_id": "AZT704.2",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1170,6 +1257,7 @@
{
"description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.",
"meta": {
"external_id": "AZT704.3",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1183,6 +1271,7 @@
{
"description": "An adversary may recover a virtual machine object found in a 'soft deletion' state.",
"meta": {
"external_id": "AZT705",
"kill_chain": [
"ATRM-tactics:Impact"
],
@ -1194,5 +1283,5 @@
"value": "AZT705 - Azure Backup Delete"
}
],
"version": 2
"version": 3
}

800
clusters/gsma-motif.json Normal file

@ -0,0 +1,800 @@
{
"authors": [
"GSMA"
],
"category": "attack-pattern",
"description": "Mobile Threat Intelligence Framework (MoTIF) Principles. ",
"name": "GSMA MoTIF",
"source": "https://www.gsma.com/solutions-and-impact/technologies/security/latest-news/establishing-motif-the-mobile-threat-intelligence-framework/",
"type": "gsma-motif",
"uuid": "02cb3863-ecb2-4a93-a5ed-18bb6dfd5c89",
"values": [
{
"description": "The adversaries may monitor radio interface traffic to passively collect information about the radio network configuration or about subscribers in close vicinity of the adversary. (1), (2), (3), (4).",
"meta": {
"external_id": "MOT3001",
"kill_chain": [
"Techniques:Reconnaissance"
],
"refs": [
"page 14 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks. (3) Kumar, P. et.al. (2021). Murat: Multi-RAT False Base Station Detector (Section IIB) (4) Rupprecht, D. et.al. (2018). On Security Research Towards Future Mobile Network Generations. (Section III D)"
]
},
"uuid": "ef315196-4c0f-50d5-85b7-eb5fe3757ba3",
"value": "Monitor Radio Interface"
},
{
"description": "In mobile networks the adversary needs to obtain information about the cell configuration parameters that will be used to prepare for the next phase of an attack that is utilizing the radio interface. Example of configuration could be the physical cell ID (PCI), neighbouring cells, frequencies used, Tracking Area Codes (TAC). (1), (2), (3), (4)",
"meta": {
"external_id": "MOT3001.301",
"kill_chain": [
"Techniques:Reconnaissance"
],
"refs": [
"page 15 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Li, Z. et al. (2017). FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild. (2) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (3) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks. (4) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020."
]
},
"uuid": "7dcf1eaa-a0c6-51c8-8e5f-dfd2e033cd50",
"value": "Broadcast Channel"
},
{
"description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. In mobile networks, the adversary wants to obtain information about subscriber and phone identities to conduct more targeted attacks. Subscriber identity can be, for example, MSISDN, IMSI, GUTI, TMSI.",
"meta": {
"external_id": "MOT1589",
"kill_chain": [
"Techniques:Reconnaissance"
],
"refs": [
"page 16 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts",
"ATT&CK Enterprise: Gather Victim Identity Information (T1589)"
]
},
"uuid": "c2993424-1861-5fab-8bd8-4b3f19082e42",
"value": "Gather Victim Identity Information"
},
{
"description": "In mobile networks, targeted attacks towards subscribers have to be done using the subscriber identity. Obtaining the identity would allow the attacker to gather more information or initiate more targeted attacks. The adversary gathers phone or subscription related information about subscriber(s). Examples are phone number (MSISDN), IMSI (International Mobile Subscriber Identity), home mobile network operator, S@T browser availability on the UICC, IMEI (International Mobile Equipment Identity). The data might be acquired through interconnection, social engineering, social media or otherwise. (1)",
"meta": {
"external_id": "MOT1589.301",
"kill_chain": [
"Techniques:Reconnaissance"
],
"refs": [
"page 17 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts",
"ATT&CK Enterprise: Gather Employee Names (T1589.003),"
]
},
"uuid": "6a035f24-73f0-5244-bc30-eb8cf5275ef7",
"value": "Phone and Subscription Information"
},
{
"description": "An adversary may discover operator network related information (identifiers). Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system. In mobile networks, the adversary wants to obtain information about subscriber, signalling addresses, supported service at a certain server. The scan may take place from the Internet or the interconnection network or the radio network. Often automated mass scanning events take place.",
"meta": {
"external_id": "MOT1046",
"kill_chain": [
"Techniques:Discovery"
],
"refs": [
"page 17 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) GSMA PRD IR.70 - SMS SS7 Fraud (Public)",
"ATT&CK Enterprise: Network Service Discovery (T1046),\nFiGHT: Network Service Scanning (FGT1046)\nNOTE: These two MITRE techniques are actually the same, however due to an\nerror the FiGHT technique was renamed."
]
},
"uuid": "19d9aa24-5b2d-5cd9-bf61-4a50ccabafed",
"value": "Network Service Scanning"
},
{
"description": "By sending signalling messages to the network, the adversary tries to check if mobile network nodes leak node or network related information, or bypasses defences ((1) (2) below). Using this sub-technique as a preparatory step, the adversary can then tune his further attack steps to send specific attack messages based on this scan. Examples are SS7 scans to evaluate if a Global Title is in use or not. The adversary may also probe which PLMN-ID values are accepted by the HPLMN in Diameter Authentication Information Request (AIR).",
"meta": {
"external_id": "MOT1046.301",
"kill_chain": [
"Techniques:Discovery"
],
"refs": [
"page 18 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Enea. (2017). Designated Attacker - Evolving SS7 Attack Tools (2) Enea. (2018). Diameter Signalling Security - Protecting 4G Networks",
"ATT&CK Enterprise: IP Block Scanning (T1595.001)"
]
},
"uuid": "827add59-8d04-57e3-b72a-22484d8ea618",
"value": "Scan Signalling Addresses"
},
{
"description": "Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime black markets. Adversaries may search and collect information about the mobile network operator from closed or semi-closed sources. Typical examples are GSMA IR.21, IR.85, FS.30 or T-ISAC, information from insiders or partners. The information acquisition might be done legally or illegally.",
"meta": {
"external_id": "MOT1597",
"kill_chain": [
"Techniques:Reconnaissance"
],
"refs": [
"page 19 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) The Intercept. (2014). Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide. (2) https://www.wikileaks.org/hackingteam/emails/emailid/72166",
"ATT&CK Enterprise: Search Closed Sources (T1597)"
]
},
"uuid": "0c536c66-1918-59f9-9f51-c1460c69c917",
"value": "Search Closed Sources"
},
{
"description": "The adversary may gather information about the mobile network operator to be used in initial access or for preparation of the attack. This can be network architecture, protocols, ports, Global Titles, roaming partners, suppliers. The adversary may search in closed sources like GSMA roaming database RAEX IR.21 (1), IMEI database (2) or IR.85.",
"meta": {
"external_id": "MOT1597.301",
"kill_chain": [
"Techniques:Reconnaissance"
],
"refs": [
"page 20 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) The Intercept. (2014). Operation AURORAGOLD: How the NSA Hacks Cellphone Networks Worldwide. (2) https://www.wikileaks.org/hackingteam/emails/emailid/72166"
]
},
"uuid": "82018f31-afeb-5452-918e-f47e1379d717",
"value": "Mobile Network Operator Sources"
},
{
"description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. For example, commercial service providers exist that offer access to signalling infrastructure or sell False Base Station solutions. Use of these infrastructure solutions allows an adversary to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal.",
"meta": {
"external_id": "MOT1583",
"kill_chain": [
"Techniques:Resource-Development"
],
"refs": [
"page 20 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) TBIJ. (2020) Spy companies using Channel Islands to track phones around the world.",
"ATT&CK Enterprise: Acquire Infrastructure (T1583)"
]
},
"uuid": "653c42ec-68ae-5372-a2d8-65353df704cf",
"value": "Acquire Infrastructure"
},
{
"description": "Adversaries may buy, lease, or rent SS7, Diameter, GTP-C signalling infrastructure access or services that can be used during targeting (1), (2), (3). Targeted attacks to mobile network operators may use surveillance as a service specialists to achieve their goals (2). Their attacks often blend in with normal traffic coming from partners of the victim mobile network operator and make attribution difficult. Fraudsters and spammers may use specific partner gateways or access to messaging servers for their purposes.",
"meta": {
"external_id": "MOT1583.301",
"kill_chain": [
"Techniques:Resource-Development"
],
"refs": [
"page 21 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) TBIJ. (2020) Spy companies using Channel Islands to track phones around the world. (2) CitizenLab. (2020). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. (3) TBIJ. (2021). Swiss tech company boss accused of selling mobile network access for spying. (4) Enea (2021) 5G Network Slicing Security in 5G Core Networks (5) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem"
]
},
"uuid": "a7a503d3-cfcb-52f0-b76b-ce5d1604efb6",
"value": "Core Signalling Infrastructure Access"
},
{
"description": "Adversaries may buy, lease, or obtain physical access to a mobile operator network base station or use their own rogue cellular base (Stingray) station for launching an attack (2) (3). The adversary could set up a rogue cellular base station infrastructure and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique (1).",
"meta": {
"external_id": "MOT1583.302",
"kill_chain": [
"Techniques:Resource-Development"
],
"refs": [
"page 22 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) DePerry, D. & Ritter T. (2013). I Can Hear You Now - Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell. Black Hat USA2013 (2) Wired (2016). Here's How Much a StingRay Cell Phone Surveillance Tool Costs (3) Alibaba.com. Wholesale imsi catcher 4g For Online Communication"
]
},
"uuid": "f165ba28-bf24-5151-ac17-ae9ffa96f124",
"value": "Radio Interface Access"
},
{
"description": "Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle. In mobile networks adversary may develop false base stations (1), mobile exploits, core signalling exploitation tools (2), SIM card exploits, radio exploitation tools and other tools to initiate attacks.",
"meta": {
"external_id": "MOT1587",
"kill_chain": [
"Techniques:Resource-Development"
],
"refs": [
"page 23 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Motherboard. (2018). Here's How Easy It Is to Make Your Own IMSI-Catcher (2) Lighthouse Reports. (2022). Revealing Europe's NSO.",
"ATT&CK Enterprise: Develop Capabilities (T1587)."
]
},
"uuid": "eb832cc6-e988-52f8-9a22-391ed593dfe1",
"value": "Develop Capabilities"
},
{
"description": "Adversary develops special tools for mobile networks that carry out and deliver mobile network targeted exploits. (1) (2)",
"meta": {
"external_id": "MOT1587.301",
"kill_chain": [
"Techniques:Resource-Development"
],
"refs": [
"page 24 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Motherboard. (2018). Here's How Easy It Is to Make Your Own IMSI-Catcher (2) Lighthouse Reports. (2022). Revealing Europe's NSO. (3) Mobileum. (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem",
"N/A"
]
},
"uuid": "61b1a6a4-2140-5479-9ac0-386d4e91839f",
"value": "Mobile Network Tool"
},
{
"description": "The adversary may get access to the target network via the interconnection interface.",
"meta": {
"external_id": "MOT3002",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 24 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) P1 Security. (2021). All authentication vectors are not made equal."
]
},
"uuid": "48318fd2-a653-581e-8c13-7f3846dfbb8f",
"value": "Exploit Interconnection Link"
},
{
"description": "The adversary may get access to the target network via a direct signalling link connected to the international exchange.",
"meta": {
"external_id": "MOT3002.301",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 25 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor (2) P1 Security. (2021). All authentication vectors are not made equal."
]
},
"uuid": "b4dfe23b-1e4e-5979-b4e4-9b3dcecfddb2",
"value": "International Direct Signalling Link"
},
{
"description": "The adversary may get access to the target network via a direct signalling link connected to the national exchange.",
"meta": {
"external_id": "MOT3002.302",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 25 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) P1 Security. (2014). SS7map: mapping vulnerability of the international mobile roaming infrastructure"
]
},
"uuid": "43af1748-6207-54d4-a402-a4371fcdd5cd",
"value": "National Direct Signalling Link"
},
{
"description": "The adversary may access the target network by exploiting signalling (i.e. control plane) protocols.",
"meta": {
"external_id": "MOT3003",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 26 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) P1 Security. (2021). All authentication vectors are not made equal."
]
},
"uuid": "acd147cf-5a45-5bbf-b74d-7a59175b4c64",
"value": "Exploit via Core Signalling Interface"
},
{
"description": "The adversary may access the target network by using SS7 protocol.",
"meta": {
"external_id": "MOT3003.301",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 27 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (2) Lighthouse Reports. (2022). Revealing Europe's NSO. (3) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020."
]
},
"uuid": "139f89a6-7727-5e80-a3a5-c33ba1e66775",
"value": "SS7 Protocol"
},
{
"description": "The adversary may access the target network by using Diameter protocol.",
"meta": {
"external_id": "MOT3003.302",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 27 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020."
]
},
"uuid": "0bae4fc7-da2e-5b93-91aa-9a3a975db351",
"value": "Diameter Protocol"
},
{
"description": "The adversary may access the target network by using HTTPS/2 protocol.",
"meta": {
"external_id": "MOT3003.303",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 28 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020.."
]
},
"uuid": "2c5d4f4f-7bf8-5b99-b9d9-4b3509ed468f",
"value": "HTTPS/2 Protocol"
},
{
"description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third-party relationship exploits an existing connection that may not be protected or requires more complicated defence mechanisms to detect and prevent unauthorized access to a network. (1) (2)",
"meta": {
"external_id": "MOT1199",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 28 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (2) Lighthouse Reports. (2022). Revealing Europe's NSO",
"ATT&CK Enterprise: Trusted Relationship (T1199)"
]
},
"uuid": "231c6854-14a3-5b1c-974b-2f33107274de",
"value": "Trusted Relationship"
},
{
"description": "The technique can be conducted by malicious partner or adversaries with access to interconnection networks or roaming partners mobile network. The adversary can remotely conduct the attacks by launching signalling messages e.g. related to location tracking, communication interception, or subscriber identify retrieval. (1), (2), (3)",
"meta": {
"external_id": "MOT1199.301",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 29 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) P1 Security (2021). All authentication vectors are not made equal. (2) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe. (3) Lighthouse Reports. (2022). Revealing Europe's NSO (4) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor"
]
},
"uuid": "cb5103d5-5852-5184-8dbf-3f40f5ec0b9f",
"value": "Exploit Interconnection Agreements"
},
{
"description": "Adversaries may use the radio access network to initiate attacks towards the UE or the mobile network.(1) (2) (3) The adversary may leverage vulnerabilities in the protocols that make up the signalling procedures in a radio network, for example network information (SIB1) messages, or the RRC protocol, or NAS protocols to initiate attacks towards the UE or the mobile network.",
"meta": {
"external_id": "MOT3006",
"kill_chain": [
"Techniques:Initial-Access",
"Techniques:Discovery"
],
"refs": [
"page 30 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks. (3) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020.",
"ATT&CK Mobile: Exploit via Radio Interfaces (T1477). Note: Deprecated"
]
},
"uuid": "71f277f6-ded8-5a7e-84d3-fee99280bc66",
"value": "Exploit via Radio Interface"
},
{
"description": "Adversaries may modify or trigger control plane procedures on the radio interface control plane using Access Stratum (AS) signalling that occurs between the UE and the base station.",
"meta": {
"external_id": "MOT1477.301",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 31 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks"
]
},
"uuid": "fc78b217-a914-52fe-a139-3bcdc9a07f5c",
"value": "AS Signalling"
},
{
"description": "Adversaries may modify or trigger Non-Access-Stratum (NAS) signalling related procedures that is generated from a false base station infrastructure. The adversary may impersonate core network elements (such as MME) towards the UE or UE towards the core network elements.",
"meta": {
"external_id": "MOT1477.302",
"kill_chain": [
"Techniques:Initial-Access",
"Techniques:Discovery"
],
"refs": [
"page 32 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) CableLabs: (2019). False Base Station or IMSI Catcher: What You Need to Know. (2) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks"
]
},
"uuid": "fd65d912-3ab1-5543-b488-9d328d56c2e5",
"value": "NAS Signalling"
},
{
"description": "The adversary leverages the radio broadcast System Information Block1 messages (SIB1) to advertise to the target UEs new cell configuration that in return forces the UE to initiate different procedures like for example, cell re- selection or Tracking Area Update.(1), (2), (3)",
"meta": {
"external_id": "MOT1477.303",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 32 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Aftenposten (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service. (2) CableLabs: (2019). False Base Station or IMSI Catcher: What You Need to Know. (3) Quintin, C. (2020). Detecting Fake 4G Base Stations in Real Time. Black Hat USA 2020."
]
},
"uuid": "ce4ae0c9-9d83-5285-8b3f-40475aff0d19",
"value": "Radio Broadcast Channel (SIB1)"
},
{
"description": "An adversary may obtain a subscriber permanent or temporary identifier via various means. An adversary may obtain the subscriber identifier by using HLR Lookup, or by monitoring the radio interface. An adversary may obtain identifying information from 5G UEs only after the UE has been bid down (downgraded) to a lower security protocol e.g. 4G, since in 4G and 3G it is possible for the network to ask the UE to send its IMSI (International Subscriber Identifier) in the clear over the radio interface. The 5G UE sends an encrypted permanent identifier (called Subscriber Concealed Identifier (SUCI)) over the radio interface as part of the initial registration to the 5G network. Some non-UE specific information is part of the Subscriber Permanent Identifier or SUPI and is not encrypted (e.g., home network name).",
"meta": {
"external_id": "MOT5019",
"kill_chain": [
"Techniques:Discovery",
"Techniques:Collection"
],
"refs": [
"page 33 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network",
"Subscriber Profile Identifier Discovery: Intercept bid-down SUPI | MITRE\nFiGHT™\n*= This is the same Technique as MITRE FiGHT, however a different name is\nused, MITRE FiGHT may potentially update in the future"
]
},
"uuid": "79253aa8-a5a9-5bda-bd8a-062b1eece315",
"value": "Identify Subscriber"
},
{
"description": "The adversary can trigger mobile terminating activity, such as making calls to the subscribers profile (1), sending silent SMS (2), or trigger notifications from the instant messengers (1), to trigger paging of the subscriber. The technique can be made more stealthy by using silent phone calls or silent SMSs (2) (3), The adversary can monitor the paging activity in the radio network and use that information to correlate the paging with the for identifying the target subscriber identifier.",
"meta": {
"external_id": "MOT5019.301",
"kill_chain": [
"Techniques:Discovery"
],
"refs": [
"page 34 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Shaik, A. et al. (2016). Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. (2) Nohl, K. & Munaut, S. (2010) GSM Sniffing. 27th CCC. (3) Hussain, S. et al. (2019) Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information.",
"N/A"
]
},
"uuid": "aa7dc324-0f5d-5ce8-b0d2-1d872f180693",
"value": "Trigger Subscriber Terminated Activity"
},
{
"description": "The adversary can retrieve subscriber information such as the IMSI, MSISDN, SUPI, SUCI etc",
"meta": {
"external_id": "MOT5019.302",
"kill_chain": [
"Techniques:Discovery",
"Techniques:Collection"
],
"refs": [
"page 35 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network",
"N/A"
]
},
"uuid": "ca405a15-74d0-575e-9774-253d40c74e53",
"value": "Retrieve Subscriber Identity Information"
},
{
"description": "The adversary can retrieve subscriber network information such as the current serving network element(s)",
"meta": {
"external_id": "MOT5019.303",
"kill_chain": [
"Techniques:Discovery",
"Techniques:Collection"
],
"refs": [
"page 35 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Enea. (2016). Tracking the Trackers: Advanced Rogue Systems Exploiting the SS7 Network",
"N/A"
]
},
"uuid": "2ac5c163-9e09-5d4a-bf32-bad2ad3e2882",
"value": "Retrieve Subscriber Network Information"
},
{
"description": "Adversaries may attempt to manipulate parameters in the control signalling to make them appear legitimate or benign to mobile subscribers, end nodes and/or security tools. Masquerading occurs when the parameter value is manipulated or abused for the sake of evading defences, or convincing the target to believe it is communicating with a spoofed entity. A typical masquerading operating is manipulation of the source node address.",
"meta": {
"external_id": "MOT1036",
"kill_chain": [
"Techniques:Defence-Evasion"
],
"refs": [
"page 36 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Aftenposten (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service.",
"ATT&CK Enterprise: Masquerading (T1036),"
]
},
"uuid": "9518c6e3-152f-5e9c-9321-acce8347a19d",
"value": "Masquerading"
},
{
"description": "The adversary may attempt to manipulate the originating address information, such as Global Title Address, Diameter Host or Realm information for the sake of evading defences. The adversary may attempt to manipulate the configured cell ID on the false base station to configure it to a known cell ID in the network to evade detection.",
"meta": {
"external_id": "MOT1036.301",
"kill_chain": [
"Techniques:Defence-Evasion"
],
"refs": [
"page 37 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Aftenposten (2015). New report: Clear signs of mobile surveillance in Oslo, despite denial from Police Security Service. (3) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor"
]
},
"uuid": "87cce0fb-1e5a-5b8b-aae5-58fcd4b3186a",
"value": "Originating Entity Spoofing"
},
{
"description": "The adversary can disguise its signalling messages in order to avoid detection and blocking of their attacks. Examples include using unexpected addresses, unexpected message format or unexpected message encoding.",
"meta": {
"external_id": "MOT3005",
"kill_chain": [
"Techniques:Defence-Evasion"
],
"refs": [
"page 37 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Symsoft & P1 Security. (2018). SS7 and Diameter: Exploit Delivery over signalling protocols. (2) Mc Daid, C. (2019). Simjacker the next frontier in mobile espionage. VB2019"
]
},
"uuid": "7258f576-72e9-5f27-ad69-f84e24a0eb18",
"value": "Disguise Signalling Messages"
},
{
"description": "The adversary may use an unexpected encoding of the signalling message in order to bypass detection and any defences which may be in place.",
"meta": {
"external_id": "MOT3005.301",
"kill_chain": [
"Techniques:Defence-Evasion"
],
"refs": [
"page 38 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Puzankov, K. (2019) Hidden Agendas: bypassing GSMA recommendations on SS7 networks. HITB AMS SecConf May 2019"
]
},
"uuid": "d6e3a64e-518d-59df-89d1-522ebc81c49d",
"value": "Unexpected Encoding"
},
{
"description": "The adversary can collect several types of user-specific data. Such data include, for instance, subscriber identities, subscribed services, subscriber location or status.",
"meta": {
"external_id": "MOT3004",
"kill_chain": [
"Techniques:Credential-Access",
"Techniques:Collection"
],
"refs": [
"page 38 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) P1 Security. (2021). All authentication vectors are not made equal. (2) Mc Daid, C. (2019). Simjacker the next frontier in mobile espionage. VB2019"
]
},
"uuid": "c1a47611-44fc-5e82-a05e-4958366ba9e3",
"value": "Access Subscriber Data"
},
{
"description": "The adversary may acquire subscriber authentication information from mobile network registers, such as HLR/HSS/AuC or MSC/VLR, SGSN, MME. For example, the adversary may query subscriber keys, authentication vectors etc. and use this information to tailor further phases of the attack.",
"meta": {
"external_id": "MOT3004.301",
"kill_chain": [
"Techniques:Credential-Access",
"Techniques:Collection"
],
"refs": [
"page 39 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) P1 Security. (2021). All authentication vectors are not made equal."
]
},
"uuid": "8161ff0c-485f-5941-854f-e0bd1d1f9b99",
"value": "Subscriber Authentication Data"
},
{
"description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material, base station configuration and user plane traffic passed over the network.",
"meta": {
"external_id": "MOT1040",
"kill_chain": [
"Techniques:Collection"
],
"refs": [
"page 40 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Kotuliak, M. et al. (2022) LTrack : Stealthy Tracking of Mobile Phones in LTE",
"Network Sniffing, Technique T1040 - Enterprise | MITRE ATT&CK®\nNetwork Sniffing | MITRE FiGHT™ (FGT1040)"
]
},
"uuid": "d5712f47-879c-531e-96f7-c46aa1fd591c",
"value": "Network Sniffing"
},
{
"description": "An adversary may eavesdrop on unencrypted or encrypted traffic to capture information to and from a UE. An adversary may employ a back-to-back false base station to eavesdrop on the communication and relay communication between the intended recipient and the intended source, over the radio interface. The adversary may also passively sniff the radio traffic and capture specific traffic that can be then, if possible, analyzed.(1) When operating a false base station the adversary needs to obtain information about the cell configuration parameters that will be used to prepare for the next phase of an attack that is utilizing the radio interface. Example of configuration could be the Physical Cell ID (PCI), neighbouring cells, frequencies used, Location Area Codes/Tracking Area Codes (LAC/TAC).(2) The adversary may use methods of capturing control plane or user plane traffic on the radio interface.",
"meta": {
"external_id": "MOT1040.501",
"kill_chain": [
"Techniques:Collection"
],
"refs": [
"page 41 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Borgaonkar, R. & Shaik, A. (2015). LTE and IMSI Catcher Myths. Black Hat USA 2015 (2) Li, Z. et al. (2017). FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild. (3) P1 Security. (2021). All authentication vectors are not made equal.",
"Network Sniffing: Radio interface | MITRE FiGHT™ (FGT1040.501)"
]
},
"uuid": "c0ec2969-4985-57e1-a11d-1e5c157cef3e",
"value": "Radio Interface"
},
{
"description": "An adversary may obtain the UE location using radio access or core network. Adversary may employ various means to obtain UE location (coarse, fine) using radio access or core network.",
"meta": {
"external_id": "MOT5012",
"kill_chain": [
"Techniques:Collection"
],
"refs": [
"page 41 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor (2) Mc Daid, C. (2019). Simjacker the next frontier in mobile espionage. VB2019 (3) The Washington Post. (2014). For sale: Systems that can secretly track where cellphone users go around the globe",
"Location Tracking, Technique T1430 - Mobile | MITRE ATT&CK®\nLocate UE | MITRE FiGHT™ (FGT5012)"
]
},
"uuid": "d14aa06e-105d-5fd8-a521-040564fdb756",
"value": "Locate Subscriber"
},
{
"description": "An adversary in the core network exploits signalling protocols to obtain the location of the UE. User location tracking is part of normal cellular operation. Adversaries with access to core network or a core network function (NF) can misuse signalling protocols (e.g., SS7, GTP and Diameter or the SBI API calls), or exploit vulnerabilities in the signalling plane, in order to obtain location information for a given UE.",
"meta": {
"external_id": "MOT5012.501",
"kill_chain": [
"Techniques:Collection"
],
"refs": [
"page 42 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Enea. (2022). HiddenArt - A Russian-linked SS7 Threat Actor. (2) Mc Daid, C. (2020) Watching the Watchers - How Surveillance Companies track you using Mobile Networks. #rC3 2020..",
"Locate UE: Core Network Function Signaling | MITRE FiGHT™\n(FGT5012.004)"
]
},
"uuid": "6e07b027-229c-5581-b079-633bc8f73a8c",
"value": "Core Network Function Signalling"
},
{
"description": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(1)(2)(3) Adversaries may gather subscription or residence related information about subscriber(s). Examples are phone number (MSISDN), home address, home mobile network operator. Adversaries may gather information about the mobile network operator to be used in initial access or for preparation of the attack. This can be network architecture, protocols, ports, Global Titles, roaming partners, or suppliers (4).",
"meta": {
"external_id": "MOT1593",
"kill_chain": [
"Techniques:Reconnaissance"
],
"refs": [
"page 43 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Cyware Hacker News. (2019). How Hackers Exploit Social Media To Break Into Your Company. (2) Security Trails. (2019). Exploring Google Hacking Techniques. (3) Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020. (4) Holtmanns, S. (2018). Secure Interworking Between Networks in 5G Service Based Architecture. ETSI Security Week 2018.",
"Search Open Websites/Domains, Technique T1593 - Enterprise | MITRE\nATT&CK®\nGSMA Non-public materials"
]
},
"uuid": "3cbac245-ee47-5892-b031-0618fff739b4",
"value": "Search Open Websites/Domains"
},
{
"description": "Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victims into revealing specific information (i.e. Spearphishing Service)(1). Information from these sources may reveal opportunities for other forms of reconnaissance, establishing operational resources, and/or initial access. Social media sites may contain information about subscriber phone numbers, address etc, which can be used e.g. when installing false base stations in close vicinity of the victim. (2)",
"meta": {
"external_id": "MOT1593.001",
"kill_chain": [
"Techniques:Reconnaissance"
],
"refs": [
"page 44 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Cyware Hacker News. (2019). How Hackers Exploit Social Media To Break Into Your Company. (2) Equifax UK. (2022). The risks of sharing your location on social media.",
"Search Open Websites/Domains: Social Media, Sub-technique\nT1593.001 - Enterprise | MITRE ATT&CK®"
]
},
"uuid": "8463c2cd-cc58-5537-a083-62a80671e1f4",
"value": "Social Media"
},
{
"description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing (1) (2). Adversaries may leverage the AiTM position to attempt to monitor traffic.",
"meta": {
"external_id": "MOT1557",
"kill_chain": [
"Techniques:Persistence"
],
"refs": [
"page 44 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks (2) P1 Security. (2021). All authentication vectors are not made equal.",
"Adversary-in-the-Middle, Technique T1557 - Enterprise | MITRE\nATT&CK®\nAdversary-in-the-Middle | MITRE FiGHT™ (FGT1557)"
]
},
"uuid": "2c7b4a8d-ce6f-5244-ac52-871b0eb5136f",
"value": "Adversary-in-the-Middle"
},
{
"description": "An adversary positions itself on the radio interface to capture information to and from the UE. Adversary can deploy a false base station as a back-to-back base station - UE combination to impersonate UE towards the real eNB or core network element (such as MME), and impersonate base station or core network element towards the target UE (1) (2).",
"meta": {
"external_id": "MOT1557.301",
"kill_chain": [
"Techniques:Persistence"
],
"refs": [
"page 45 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Electronic Frontier Foundation. (2019). Gotta Catch 'Em All: Understanding How IMSI-Catchers Exploit Cell Networks (2) P1 Security. (2021). All authentication vectors are not made equal. https://labs.p1sec.com/2021/09/30/all-authentication-vectors-are-not-made-equal/",
"Adversary-in-the-Middle: Radio interface | MITRE FiGHT™"
]
},
"uuid": "b3278450-e723-54ad-85fa-4e97868c3a1c",
"value": "Radio Interface Authentication Relay"
},
{
"description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including: • Manipulation of development tools • Manipulation of a development environment • Manipulation of source code repositories (public or private) • Manipulation of source code in open-source dependencies • Manipulation of software update/distribution mechanisms • Compromised/infected system images (multiple cases of removable media infected at the factory)(1) (2) • Replacement of legitimate software with modified versions • Sales of modified/counterfeit products to legitimate distributors • Shipment interdiction While supply chain compromise can impact any component of hardware or software, adversaries looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels.",
"meta": {
"external_id": "MOT1195",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 46 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) The Register. (2023). Millions of mobile phones come pre-infected with Malware (2) Schneider Electric. (2018). Security Notification USB Removable Media Provided With Conext Combox and Conext Battery Monitor.",
"Supply Chain Compromise, Technique T1195 - Enterprise | MITRE\nATT&CK®"
]
},
"uuid": "4131a562-0ac0-5985-af11-b14cd4c4fe57",
"value": "Supply Chain Compromise"
},
{
"description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.",
"meta": {
"external_id": "MOT1195.002",
"kill_chain": [
"Techniques:Initial-Access"
],
"refs": [
"page 47 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) The Register (2023). Millions of mobile phones come pre-infected with Malware",
"Supply Chain Compromise: Compromise Software Supply Chain, Sub-\ntechnique T1195.002 - Enterprise | MITRE ATT&CK®"
]
},
"uuid": "52769709-9c9f-5cf7-8a50-3d5422b0fc03",
"value": "Compromise Software Supply Chain"
},
{
"description": "An adversary may query the Network Repository Function (NRF) to discover restricted Network Function (NF) services to further target that NF.",
"meta": {
"external_id": "MOT5003",
"kill_chain": [
"Techniques:Discovery"
],
"refs": [
"page 47 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) R. Pell, S. Moschoyiannis, E. Panaousis, R. Heartfield. (2021). Towards dynamic threat modelling in 5G core networks based on MITRE ATT&CK. (2) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem",
"Network Function Service Discovery | MITRE FiGHT™ (FGT5003)"
]
},
"uuid": "6beb2c07-a10e-566a-b2d4-fe08ad6b7ab8",
"value": "Network Function Service Discovery"
},
{
"description": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.",
"meta": {
"external_id": "MOT1212",
"kill_chain": [
"Techniques:Credential-Access"
],
"refs": [
"page 48 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem",
"Exploitation for Credential Access, Technique T1212 - Enterprise |\nMITRE ATT&CK® https://fight.mitre.org/techniques/FGT5003/"
]
},
"uuid": "8d9a29cc-d66c-5cc6-9500-4426765d6b7e",
"value": "Exploitation for Credential Access"
},
{
"description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.",
"meta": {
"external_id": "MOT1565",
"kill_chain": [
"Techniques:Impact"
],
"refs": [
"page 49 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) The Register. (2017). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts (2) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem",
"Data Manipulation, Technique T1565 - Enterprise | MITRE ATT&CK®\nData Manipulation | MITRE FiGHT™ (FGT1565)"
]
},
"uuid": "ed3417df-6918-545f-8986-e967e1924b7f",
"value": "Data Manipulation"
},
{
"description": "Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data",
"meta": {
"external_id": "MOT1565.001",
"kill_chain": [
"Techniques:Impact"
],
"refs": [
"page 49 of https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf",
"(1) Mobileum (2023) OAuth2.0 Security and Protocol Exploit Analysis in 5G Ecosystem",
"Data Manipulation: Stored Data Manipulation, Sub-technique T1565.001\n- Enterprise | MITRE ATT&CK®"
]
},
"uuid": "e63a74cc-381c-51c4-870c-94c5a70ea851",
"value": "Stored Data Manipulation"
}
],
"version": 1
}


@ -3660,25 +3660,6 @@
"uuid": "6cb47609-b03e-43d9-a4c7-8342f1011f3b",
"value": "ANGRYREBEL"
},
{
"description": "",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.avoslocker",
"https://blogs.blackberry.com/en/2022/04/threat-thursday-avoslocker-prompts-advisory-from-fbi-and-fincen",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux",
"https://blog.cyble.com/2022/01/17/avoslocker-ransomware-linux-version-targets-vmware-esxi-servers/",
"https://blog.lexfo.fr/Avoslocker.html",
"https://www.ic3.gov/Media/News/2022/220318.pdf",
"https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
"https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html"
],
"synonyms": [],
"type": []
},
"uuid": "465b6a74-87ca-4459-b4be-3f8b272f4485",
"value": "Avoslocker"
},
{
"description": "AVrecon is a Linux-based Remote Access Trojan (RAT) targeting small-office/home-office (SOHO) routers and other ARM-embedded devices. The malware is distributed via exploitation of unpatched vulnerabilities or common misconfiguration of the targeted devices. Once deployed, AVreckon will collect some information about the infected device, open a session to pre-configured C&C server, and spawn a remote shell for command execution. It might also download additional arbitrary files and run them. The malware has recently been used in campaigns aimed at ad-fraud activities, password spraying and data exfiltration.",
"meta": {
@ -15170,7 +15151,10 @@
"https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/",
"https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/",
"https://unit42.paloaltonetworks.com/emerging-ransomware-groups/",
"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux"
"https://blog.qualys.com/vulnerabilities-threat-research/2022/03/06/avoslocker-ransomware-behavior-examined-on-windows-linux",
"https://blog.lexfo.fr/Avoslocker.html",
"https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html",
"https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html"
],
"synonyms": [],
"type": []
@ -56457,5 +56441,5 @@
"value": "Zyklon"
}
],
"version": 19803
"version": 19804
}
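Review bot: The duplicate Avoslocker cluster removed in the first hunk carried refs (the malpedia details page, the BlackBerry, Cyble and ic3.gov write-ups) that are not among the three refs added to the surviving entry in the second hunk, so unless they already appear above that hunk the merge silently drops sources. Deleting a cluster by uuid — 465b6a74-87ca-4459-b4be-3f8b272f4485 here, and 58e2e2ee-5c25-4a13-abfc-2a6c85d978fa in the VorteX section further down — also breaks resolution for any MISP instance that has tagged events with it; a `related` entry on the surviving cluster such as `{"dest-uuid": "465b6a74-87ca-4459-b4be-3f8b272f4485", "type": "similar"}` would keep the retired uuid discoverable. If this file is regenerated by a tool, the deduplication should happen in the generator so the next run does not reintroduce the entry. The second hunk starts inside the surviving cluster object, so its uuid and value are outside the hunk.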



@ -22024,11 +22024,6 @@
"uuid": "10254366-b6d0-4266-a277-6ef4eee460b3",
"value": "Foxy"
},
{
"description": "ransomware",
"uuid": "0b6e29d4-27e4-422b-944f-72e111462dee",
"value": "FreeMe"
},
{
"description": "ransomware",
"uuid": "a5e54d82-cb41-420e-a03d-89b762560dcc",
@ -24255,11 +24250,6 @@
"uuid": "90c6daf8-8212-4ea8-9b59-af49b290b3b9",
"value": "TurkStatik"
},
{
"description": "ransomware",
"uuid": "93277946-177a-4f92-833d-30db9d432656",
"value": "Tyrant"
},
{
"description": "ransomware",
"uuid": "0407e98d-cd3e-42e1-8daf-3c51d2e4906a",
@ -27040,7 +27030,8 @@
"description": "BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations. The group has displayed signs of being new to the practical business aspects of ransomware and associated logistics. Generally they seemed to be experiencing the growing pains of a group of talented hackers new to this aspect of criminal extortion.\n\nInfrastructure associated with the BianLian group first appeared online in December 2021 and their toolset appears to have been under active development since then. Finally, we have observed the BianLian threat actor tripling their known command and control (C2) infrastructure in the month of August, suggesting a possible increase in the actors operational tempo.",
"meta": {
"links": [
"http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion/"
"http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion/",
"http://bianlivemqbawcco4cx4a672k2fip3guyxudzurfqvdszafam3ofqgqd.onion/"
],
"ransomnotes": [
"Your network systems were attacked and encrypted. Contact us in order to restore your data. Don't make any changes in your file structure: touch no files, don't try to recover by yourself, that may lead to it's complete loss.\n\nTo contact us you have to download \"tox\" messenger: https://qtox.github.io/\n\nAdd user with the following ID to get your instructions: \nA4B3B0845DA242A64BF17E0DB4278EDF85855739667D3E2AE8B89D5439015F07E81D12D767FC\n\nAlternative way: swikipedia@onionmail.org\n\nYour ID: wU1VC460GC \n\nYou should know that we have been downloading data from your network for a significant time before the attack: financial, client, business, post, technical and personal files.\nIn 10 days — it will be posted at our site http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion with links send to your clients, partners, competitors and news agencies, that will lead to a negative impact on your company: potential financial, business and reputational loses."
@ -27390,7 +27381,8 @@
"description": "",
"meta": {
"links": [
"http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/"
"http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/",
"http://ransomoefralti2zh5nrv7iqybp3d5b4a2eeecz5yjosp7ggbepj7iyd.onion"
],
"refs": [
"https://www.reuters.com/article/us-usa-products-colonial-pipeline-ransom/more-ransomware-websites-disappear-in-aftermath-of-colonial-pipeline-hack-idUSKCN2CX0KT",
@ -27579,7 +27571,8 @@
"http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion",
"http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion",
"http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion",
"http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion"
"http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion",
"http://ofj3oaltwaf67qtd7oafk5r44upm6wkc2jurpsdyih2c7mbrbshuwayd.onion"
],
"refs": [
"https://threatpost.com/lockbit-ransomware-proliferates-globally/168746",
@ -27633,7 +27626,8 @@
{
"meta": {
"links": [
"http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion"
"http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion",
"http://wtyafjyizleuw4yhepmdsrcfjwmtiysunos6ixchw3r5d7eeimw2rrid.onion"
],
"refs": [
"https://www.ransomlook.io/group/mallox"
@ -27918,7 +27912,8 @@
"http://ozsxj4hwxub7gio347ac7tyqqozvfioty37skqilzo2oqfs4cw2mgtyd.onion/",
"http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion",
"http://wlh3dpptx2gt7nsxcor37a3kiyaiy6qwhdv7o6nl6iuniu5ycze5ydid.onion/blog",
"http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/"
"http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/",
"https://wikileaksv2.com"
],
"refs": [
"https://www.ransomlook.io/group/qilin"
@ -28243,7 +28238,8 @@
"links": [
"https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/",
"https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/n",
"https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/"
"https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion/",
"http://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/l"
],
"refs": [
"https://www.ransomlook.io/group/akira"
@ -28670,7 +28666,12 @@
"links": [
"http://medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion",
"http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion",
"http://dlmfciajg5s4vliyo5dhs5jyzhi2xr2fnkebul46lpf4xudtqiue4nid.onion/"
"http://dlmfciajg5s4vliyo5dhs5jyzhi2xr2fnkebul46lpf4xudtqiue4nid.onion/",
"http://kyfiw76eol6ph2mq7pi5e5tdvce37bicddhai62qhdc5ja6jdchz4qqd.onion/",
"http://62foekhv5humjrfwjdyd2dgextpbf5i7obguhwvfoghmu3nxpkmxlcid.onion/",
"http://cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onion",
"http://hupxs7ps7md24kpz4lwsbra64abgxjx3pcc2wuca5ibawf2g5hlpfyqd.onion",
"http://osintcorp.net"
],
"refs": [
"https://www.ransomlook.io/group/medusa",
@ -28717,7 +28718,8 @@
"links": [
"http://pa32ymaeu62yo5th5mraikgw5fcvznnsiiwti42carjliarodltmqcqd.onion",
"http://hkpomcx622gnqp2qhenv4ceyrhwvld3zwogr4mnkdeudq2txf55keoad.onion",
"http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion"
"http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion",
"http://raworlddecssyq43oim3hxhc5oxvlbaxuj73xbz2pbbowso3l4kn27qd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/ra group"
@ -28813,7 +28815,8 @@
{
"meta": {
"links": [
"http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog"
"http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog",
"http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login"
],
"refs": [
"https://www.ransomlook.io/group/dragonforce"
@ -28827,7 +28830,10 @@
"meta": {
"links": [
"http://ransomxifxwc5eteopdobynonjctkxxvap77yqifu2emfbecgbqdw6qd.onion/",
"http://mjmru3yz65o5szsp4rmkmh4adlezcpy5tqjjc4y5z6lozk3nnz2da2ad.onion/"
"http://mjmru3yz65o5szsp4rmkmh4adlezcpy5tqjjc4y5z6lozk3nnz2da2ad.onion/",
"http:// http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion",
"http://fpwwt67hm3mkt6hdavkfyqi42oo3vkaggvjj4kxdr2ivsbzyka5yr2qd.onion",
"http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion"
],
"refs": [
"https://www.ransomlook.io/group/ransomhub"
@ -28867,7 +28873,8 @@
"meta": {
"links": [
"http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion",
"http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion"
"http://k7kg3jqxang3wh7hnmaiokchk7qoebupfgoik6rha6mjpzwupwtj25yd.onion",
"http://k7kg3jqzffsxe2z53jjx4goybvxu3a557kpsqakpwi6mrvfgcdo55tid.onion"
],
"refs": [
"https://www.ransomlook.io/group/play",
@ -29157,7 +29164,8 @@
"description": "",
"meta": {
"links": [
"http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion"
"http://embargobe3n5okxyzqphpmk3moinoap2snz5k6765mvtkk7hhi544jid.onion",
"http://5ntlvn7lmkezscee2vhatjaigkcu2rzj3bwhqaz32snmqc4jha3gcjad.onion"
],
"refs": [
"https://www.ransomlook.io/group/embargo"
@ -29203,7 +29211,186 @@
},
"uuid": "ee97d01c-b8b9-5c36-9c27-134f8d2ee603",
"value": "apos"
},
{
"meta": {
"links": [
"http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion/"
],
"refs": [
"https://www.ransomlook.io/group/el dorado"
]
},
"uuid": "15419dc6-8183-5805-aaba-9e7943bc164f",
"value": "el dorado"
},
{
"meta": {
"links": [
"http://ugn5khvt4kitlivv4ddfh3lb6mdhn2ud3ximcaypy73hxlk3arj2goad.onion/"
],
"refs": [
"https://www.ransomlook.io/group/locus"
]
},
"uuid": "37043fbf-a216-52ee-b8a7-3a604a87e9e2",
"value": "locus"
},
{
"description": "Risen, which is a fully optimized and high-speed program, is the result of our years of experience in the field of malware writing. Risen is written in C language and completely using winapi. We produced many products with different features and options, but we came to the conclusion that none of the options have the benefit and efficiency they should; So, instead of spending time on useless and inefficient options, we decided to spend all our time on the strength, speed and security of our cryptography, and that's how we created Risen. Software features in version 1: \r<br/>\r<br/>\r<br/> -Encryption security, utilizing Chacha20 and RSA 2048 algorithms.\r<br/> -High encryption speed and software optimization\r<br/> -compatible with all versions of Windows on any hardware without any issues.\r<br/> -Automatic option settings, its easy to using and default configuration set to the best mode.\r<br/> -Utilization of Threadpool method and queue creation for encryption.\r<br/> -A powerful file unlocker, unlock files without closing processes.\r<br/> -Safe deletion of backups, shadow copies, and all windows logs.\r<br/> -A blog, Leak website, and management panel on TOR for leaking data of non-paying companies.\r<br/>",
"meta": {
"links": [
"http://s2wk77h653qn54csf4gp52orhem4y72dgxsquxulf255pcymazeepbyd.onion/",
"http://o6pi3u67zyag73ligtsupin5rjkxpfrbofwoxnhimpgpfttxqu7lsuyd.onion"
],
"refs": [
"https://www.ransomlook.io/group/risen"
]
},
"uuid": "8e3f7112-2f82-5c64-95ff-34bfad65cc0d",
"value": "risen"
},
{
"meta": {
"links": [
"https://xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid.onion/"
],
"refs": [
"https://www.ransomlook.io/group/fog"
]
},
"uuid": "76f14732-0e0a-5fdd-847e-65bc41c150ea",
"value": "fog"
},
{
"description": "Group is connected to Qilin.",
"meta": {
"links": [
"https://wikileaksv2.com"
],
"refs": [
"https://www.ransomlook.io/group/wikileaksv2"
]
},
"uuid": "004c96b4-ce25-5593-9d50-8ada0b2b873f",
"value": "wikileaksv2"
},
{
"meta": {
"links": [
"http://gmixcebhni6c3kcf5m7xxybomaphj7pizoqtxiqmrz5wsh6g6x5s2wqd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/sensayq"
]
},
"uuid": "678e1d98-cc54-5e7f-89be-6dd6163877a0",
"value": "sensayq"
},
{
"description": "",
"meta": {
"links": [
"http://txtggyng5euqkyzl2knbejwpm4rlq575jn2egqldu27osbqytrj6ruyd.onion/",
"http://txtggyng5euqkyzl2knbejwpm4rlq575jn2egqldu27osbqytrj6ruyd.onion/articles"
],
"refs": [
"https://www.ransomlook.io/group/trinity"
]
},
"uuid": "cae0824e-2c3d-5db8-9e45-0f7251e5def1",
"value": "trinity"
},
{
"meta": {
"links": [
"http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion/",
"http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/brain cipher"
]
},
"uuid": "a48c22f1-3f1f-583c-b94c-6feb2c0c1cf1",
"value": "brain cipher"
},
{
"meta": {
"links": [
"http://ugoakjk3v6hop3epjhdgn4num43ndb5glgixhraeg2xm455gxqtu2qid.onion"
],
"refs": [
"https://www.ransomlook.io/group/synapse"
]
},
"uuid": "5403ebcb-2468-5280-8b70-b43ed33b0b46",
"value": "synapse"
},
{
"meta": {
"links": [
"http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/cicada3301"
]
},
"uuid": "30273fce-be34-5518-a1fa-183ec12e1474",
"value": "cicada3301"
},
{
"meta": {
"links": [
"http://47h4pwve4scndaneljfnxdhzoulgsyfzbgayyonbwztfz74gsdprz5qd.onion/"
],
"refs": [
"https://www.ransomlook.io/group/good day"
]
},
"uuid": "025cf965-bb4b-50d6-8511-c8747e2bebee",
"value": "good day"
},
{
"meta": {
"links": [
"http://cloak.su/indexo.php"
],
"refs": [
"https://www.ransomlook.io/group/cloak.su (locker leak)"
],
"synonyms": [
"locker leak"
]
},
"uuid": "87a3c85c-0c98-5e8f-80c4-9e8b6e640916",
"value": "cloak.su"
},
{
"meta": {
"links": [
"http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion",
"http://c2mdhim6btaiyae3xqthnxsz64brvdxsnbty4tvos65zb565y4v55iid.onion/b/"
],
"refs": [
"https://www.ransomlook.io/group/pyrx"
]
},
"uuid": "ed692e27-c3ab-5ed8-ae4a-e436c4c5b454",
"value": "pyrx"
},
{
"meta": {
"links": [
"http://6xdpj3sb5kekvq5ulym5qqmzsv6ektjgvpmajns3qrafgxtyxrhokfqd.onion",
"http://6xdpj3sb5kekvq5ulym5qqmzsv6ektjgvpmajns3qrafgxtyxrhokfqd.onion/assets/index-6d8af759.js"
],
"refs": [
"https://www.ransomlook.io/group/vanir group"
]
},
"uuid": "2b7f6554-ac22-5b6c-85a0-65f55401c20e",
"value": "vanir group"
}
],
"version": 121
"version": 128
}
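Review bot: The new ransomhub link `"http:// http://an2ce4pqpf2ipvba2djurxi5pnxxhu3uo7ackul6eafcundqtly7bhid.onion"` is malformed (an embedded space and a doubled scheme) and duplicates the well-formed entry two lines below it, so one of the two should be dropped before merge; if the `links` lists are produced by an importer, the fix belongs there rather than in the JSON. Several other added links look like scraped sub-paths rather than leak-site addresses — `/n` and `/l` under akira, `/articles` under trinity, the `/assets/index-6d8af759.js` bundle under vanir group — and a consumer matching on these values gains nothing from them; normalising to the onion host and deduplicating would keep `links` meaningful. The cloak.su ref `"https://www.ransomlook.io/group/cloak.su (locker leak)"` contains a space and parentheses and is unlikely to resolve as written. The ransomhub hunk starts inside its cluster object, so the entry's uuid and value are outside the hunk.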


@ -1770,7 +1770,7 @@
"date": "1998"
},
"uuid": "2a47361d-584b-493f-80a4-37c74c30cf1b",
"value": "Vortex"
"value": "VorteX"
},
{
"meta": {
@ -2140,13 +2140,6 @@
"uuid": "c42394f8-5f35-4797-9393-8289ab8ad3ad",
"value": "SharpEye"
},
{
"meta": {
"date": "2010"
},
"uuid": "58e2e2ee-5c25-4a13-abfc-2a6c85d978fa",
"value": "VorteX"
},
{
"meta": {
"date": "2010",
@ -3648,5 +3641,5 @@
"value": "COATHANGER"
}
],
"version": 45
"version": 46
}
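Review bot: The two entries being merged carry different dates — the surviving uuid 2a47361d-584b-493f-80a4-37c74c30cf1b keeps `"date": "1998"` while the deleted uuid 58e2e2ee-5c25-4a13-abfc-2a6c85d978fa had `"date": "2010"` — so they may be distinct tools that only share a name, and the rename to "VorteX" would then conflate them. If they are the same tool, the 2010 date should be reconciled in the surviving entry rather than silently discarded; if they are not, the deletion should be reverted. Either way the removed uuid stops resolving for instances that have tagged with it, as noted on the Avoslocker section above.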



@ -1036,10 +1036,11 @@
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
"https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new",
"https://www.crowdstrike.com/blog/two-birds-one-stone-panda/"
],
"synonyms": [
"STONE PANDAD",
"STONE PANDA",
"Menupass Team",
"happyyongzi",
"POTASSIUM",
@ -2397,7 +2398,8 @@
"https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e"
],
"synonyms": [
"Pawn Storm",
@ -2423,7 +2425,9 @@
"UAC-0028",
"FROZENLAKE",
"Sofacy",
"Forest Blizzard"
"Forest Blizzard",
"BlueDelta",
"Fancy Bear"
],
"targeted-sector": [
"Military",
@ -8967,6 +8971,19 @@
{
"description": "An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.",
"meta": {
"cfr-suspected-state-sponsor": "India",
"cfr-suspected-victims": [
"China",
"Pakistan",
"Nepal",
"Afghanistan"
],
"cfr-target-category": [
"Government",
"Military",
"Private Sector"
],
"country": "IN",
"refs": [
"https://securelist.com/apt-trends-report-q1-2018/85280/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/",
@ -12083,7 +12100,11 @@
"Energy"
],
"refs": [
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/"
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/",
"https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/"
],
"synonyms": [
"CamoFei"
]
},
"related": [
@ -12535,7 +12556,8 @@
"Octo Tempest",
"0ktapus",
"Storm-0971",
"DEV-0971"
"DEV-0971",
"Starfraud"
]
},
"uuid": "3b238f3a-c67a-4a9e-b474-dc3897e00129",
@ -13263,11 +13285,13 @@
"refs": [
"https://www.mandiant.com/resources/blog/north-korea-supply-chain",
"https://us-cert.cisa.gov/ncas/alerts/aa22-108a",
"https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023"
"https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023",
"https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil"
],
"synonyms": [
"Jade Sleet",
"UNC4899"
"UNC4899",
"Pukchong"
]
},
"uuid": "825abfd9-7238-4438-a9e7-c08791f4df4e",
@ -15994,7 +16018,347 @@
},
"uuid": "6149f3b6-510d-4e45-bf88-cd25c7193702",
"value": "Alpha Spider"
},
{
"description": "RansomHub is a rapidly growing ransomware group believed to be an updated version of the older Knight ransomware. They have been linked to attacks exploiting the Zerologon vulnerability to gain initial access. RansomHub has attracted former affiliates of the ALPHV ransomware group and operates as a Ransomware-as-a-Service with a unique affiliate prepayment model. The group has been active in extorting victims and leaking sensitive data to pressure for ransom payments.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware",
"https://forescoutstage.wpengine.com/blog/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack/",
"https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/"
]
},
"uuid": "9d218bb3-fc59-43e0-a273-a0a0fb5c463e",
"value": "RansomHub"
},
{
"description": "Unfading Sea Haze is a threat actor focused on espionage, targeting government and military organizations in the South China Sea region since 2018. They employ spear-phishing emails with malicious attachments to gain initial access, followed by the deployment of custom malware such as Gh0st RAT variants and SharpJSHandler. The group utilizes scheduled tasks and manipulates local administrator accounts for persistence, while also incorporating Remote Monitoring and Management tools into their attacks. Unfading Sea Haze demonstrates a sophisticated and patient approach, remaining undetected for years and showing adaptability through evolving exfiltration tactics and malware arsenal.",
"meta": {
"country": "CN",
"refs": [
"https://www.securityweek.com/newly-detected-chinese-group-targeting-military-government-entities/",
"https://www.bleepingcomputer.com/news/security/unfading-sea-haze-hackers-hide-on-military-and-govt-networks-for-6-years/"
]
},
"uuid": "58e75098-8edc-48ce-b1de-c1a8647e33d3",
"value": "Unfading Sea Haze"
},
{
"description": "Stucx is a threat actor known for targeting Israeli systems, including SCADA systems and the Red Alert missile protection system. Stucx Team has also developed a mobile application called MyOPECS for coordinating attacks, which includes features like DDoS attacks and is expected to add more capabilities in the future. Additionally, they have been observed using VPNs and proxy software to conceal their activities and have a history of making threats against those who cooperate with Israel.",
"meta": {
"refs": [
"https://socradar.io/reflections-of-the-israel-palestine-conflict-on-the-cyber-world/",
"https://www.darkowl.com/blog-content/2-month-review-of-cyber-activities-in-the-israel-hamas-conflict/"
]
},
"uuid": "ee13ddb3-e8c0-4568-b56c-82d82c30f48b",
"value": "StucxTeam"
},
{
"description": "FlyingYeti is a Russia-aligned threat actor targeting Ukrainian military entities. They conduct reconnaissance activities and launch phishing campaigns using malware like COOKBOX. FlyingYeti exploits the WinRAR vulnerability CVE-2023-38831 to infect targets with malicious payloads. Cloudforce One has successfully disrupted their operations and provided recommendations for defense against their phishing campaigns.",
"meta": {
"country": "RU",
"refs": [
"https://blog.cloudflare.com/disrupting-flyingyeti-campaign-targeting-ukraine"
]
},
"uuid": "1dcbad05-c5b7-4ec3-8920-45f396554f7a",
"value": "FlyingYeti"
},
{
"description": "SEXi is a ransomware group that targets VMware ESXi servers, encrypting data and demanding ransom payments. They have been observed encrypting virtual machines and backups, causing significant disruptions to services. The group's name is a play on the word \"ESXi,\" indicating a deliberate focus on these systems. SEXi has been linked to other ransomware variants based on the Babuk source code.",
"meta": {
"refs": [
"https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/",
"https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/",
"https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors"
]
},
"uuid": "1bd2034f-a135-4c71-b08f-867b7f9e7998",
"value": "SEXi"
},
{
"description": "LilacSquid is an APT actor targeting a variety of industries worldwide since at least 2021. They use tactics such as exploiting vulnerabilities and compromised RDP credentials to gain access to victim organizations. Their post-compromise activities involve deploying MeshAgent and a customized version of QuasarRAT known as PurpleInk to maintain control over infected systems. LilacSquid has been observed using tools like Secure Socket Funneling for data exfiltration.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/lilacsquid/"
]
},
"uuid": "efacc258-fa0e-4686-99d2-03bab14a640e",
"value": "LilacSquid"
},
{
"description": "Hunt3r Kill3rs is a newly emerged threat group claiming expertise in cyber operations, including ICS breaches and web application vulnerabilities exploitation. They have discussed using Java fuzzing in their exploits and have made unverified claims of joint attacks with other threat actors.",
"meta": {
"country": "RU",
"refs": [
"https://socradar.io/dark-web-profile-hunt3r-kill3rs/"
]
},
"uuid": "4b32ad58-972e-4aa2-be3d-ff875ed06eba",
"value": "Hunt3r Kill3rs"
},
{
"description": "UTG-Q-008 is a threat actor targeting Linux platforms, primarily focusing on government and enterprise entities in China. They utilize a massive botnet network for espionage activities, including reconnaissance, brute-forcing, and Trojan component delivery. The actor has a history of compromising thousands of servers in China using a password dictionary based on Chinese Pinyin. UTG-Q-008 operates during standard working hours in the UTC+8 time zone, with potential ties to Eastern Europe.",
"meta": {
"refs": [
"https://ti.qianxin.com/blog/articles/Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector-EN/"
]
},
"uuid": "fd17cd3c-5131-4907-be7d-83a0c7dabd36",
"value": "UTG-Q-008"
},
{
"description": "Gitloker is a threat actor group targeting GitHub repositories, wiping their contents, and extorting victims for their data. They use stolen credentials to compromise accounts, claim to have created a backup, and instruct victims to contact them on Telegram. The attackers leave a ransom note in the form of a README file, urging victims to negotiate the return of their data. GitHub is working to combat these evolving attacks and the vulnerabilities they exploit.",
"meta": {
"refs": [
"https://www.itsecurityguru.org/2024/06/13/guest-blog-proactive-application-security-learning-from-the-recent-github-extortion-campaigns/",
"https://www.bleepingcomputer.com/news/security/new-gitloker-attacks-wipe-github-repos-in-extortion-scheme/"
]
},
"uuid": "75cc313a-6a95-4ab8-b7f8-bfd7e4a7fe00",
"value": "Gitloker"
},
{
"description": "UNC5537 is a financially motivated threat actor targeting Snowflake customer databases. They use stolen credentials obtained from infostealer malware to access and exfiltrate large volumes of data. The compromised accounts lack multi-factor authentication, allowing UNC5537 to conduct data theft and extortion.",
"meta": {
"refs": [
"https://research.checkpoint.com/2024/17th-june-threat-intelligence-report/",
"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"
]
},
"uuid": "b8c6da46-4c9a-4075-b9f3-3b5ef7bd3534",
"value": "UNC5537"
},
{
"description": "Sp1d3r, a threat actor, has been involved in multiple data breaches targeting companies like Truist Bank, Cylance, and Advance Auto Parts. They have stolen and attempted to sell sensitive information, including customer and employee emails, account numbers, and source code. Sp1d3r has also claimed to have obtained data from a third-party platform and a cloud storage vendor. They have utilized hacking forums to sell the stolen data for significant sums of money.",
"meta": {
"refs": [
"https://www.cysecurity.news/2024/06/truist-bank-confirms-data-breach-after.html",
"https://research.checkpoint.com/2024/17th-june-threat-intelligence-report/"
]
},
"uuid": "2be04e23-4376-4333-87df-27d635e43a98",
"value": "Sp1d3r"
},
{
"description": "TA571 is a spam distributor actor known for delivering a variety of malware, including DarkGate, NetSupport RAT, and information stealers. They use phishing emails with macro-enabled attachments to spread malicious PDFs containing rogue OneDrive links. TA571 has been observed using unique filtering techniques with intermediary \"gates\" to target specific users and bypass automated sandboxing. Proofpoint assesses with high confidence that TA571 infections can lead to ransomware.",
"meta": {
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader",
"https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
]
},
"uuid": "0245113e-cef3-4638-9532-3bf235b07d49",
"value": "TA571"
},
{
"description": "Bondnet is a threat actor that deploys backdoors and cryptocurrency miners. They use high-performance bots as C2 servers and configure reverse RDP environments on compromised systems. Bondnet has infected over 15,000 Windows server machines worldwide, primarily targeting Windows Server 2008 R2 systems. The botnet is used for mining cryptocurrencies like Monero, ByteCoin, RieCoin, and ZCash, potentially earning the operator thousands of dollars per day.",
"meta": {
"refs": [
"https://asec.ahnlab.com/en/66662/",
"https://www.akamai.com/blog/security/the-bondnet-army",
"https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"
]
},
"uuid": "78e8bc1a-0be3-4792-a911-9d4813dd7bc3",
"value": "Bondnet"
},
{
"description": "Vermin is a threat actor group linked to the Luhansk Peoples Republic and believed to be acting on behalf of the Kremlin. They have targeted Ukrainian government infrastructure using malware like Spectr and legitimate tools like SyncThing for data exfiltration. Vermin has been active since at least 2018, using custom-made RATs like Vermin and open-source tools like Quasar for cyber-espionage. The group has resurfaced after periods of inactivity to conduct espionage operations against Ukraine's military and defense sectors.",
"meta": {
"country": "RU",
"refs": [
"https://socprime.com/blog/vermin-uac-0020-hacking-collective-hits-ukrainian-government-and-military-with-spectr-malware/",
"https://therecord.media/russian-vermin-hackers-target-ukraine",
"https://cert.gov.ua/article/6279600"
],
"synonyms": [
"Vermin",
"SickSync"
]
},
"uuid": "318be739-26fd-4f4d-bac8-aa20ec8273b7",
"value": "UAC-0020"
},
{
"description": "Void Arachne is a threat actor group targeting Chinese-speaking users with malicious MSI files containing legitimate software installers for AI software. They exploit public interest in VPN technology and AI software to distribute malware through SEO poisoning and Chinese-language-themed Telegram channels. The group's campaign includes bundling malicious Winos payloads with deepfake pornography-generating AI software and voice-and-face-swapping AI software. Void Arachne also promotes AI technologies for virtual kidnapping and uses AI voice-alternating technology to pressure victims into paying ransom.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/24/f/behind-the-great-wall-void-arachne-targets-chinese-speaking-user.html"
]
},
"uuid": "2ac0db88-8e88-447b-ad44-f781326f5884",
"value": "Void Arachne"
},
{
"description": "Markopolo is a threat actor known for running scams targeting cryptocurrency users through a fake app called Vortax. They use social media and a dedicated blog to legitimize their malicious activities. Markopolo has been linked to a credential-harvesting operation and is agile in pivoting to new scams when detected. The actor leverages shared hosting and C2 infrastructure for their malicious builds.",
"meta": {
"refs": [
"https://www.darkreading.com/remote-workforce/vortax-meeting-software-branding-spreads-infostealers",
"https://www.recordedfuture.com/the-travels-of-markopolo-self-proclaimed-meeting-software-vortax-spreads-infostealers"
]
},
"uuid": "c1e2121a-84c9-4fd0-99ef-917ded9cb3e1",
"value": "Markopolo"
},
{
"description": "Adrastea is a threat actor who has been active on cybercrime forums, claiming to have breached organizations like MBDA and offering stolen data for sale. They describe themselves as a group of independent cybersecurity experts and researchers. Adrastea has been linked to ransomware operations, data leak platforms, and network access groups. The actor has been known to exploit critical vulnerabilities in target organizations' infrastructure to gain access to sensitive data.",
"meta": {
"refs": [
"https://www.cysecurity.news/2022/11/missile-supplier-mbda-breach-disclosed.html",
"https://www.itsecurityguru.org/2022/09/14/documents-for-sale-on-the-dark-web/",
"https://cybershafarat.com/2022/07/31/adrastea-hackers-claim-leading-european-designer-and-manufacturer-of-missile-systems-mbda-hacked/",
"https://securityaffairs.co/wordpress/133881/data-breach/mbda-alleged-data-breach.html"
]
},
"uuid": "b7f37e61-0e1c-4818-9a04-8f83afdd337c",
"value": "Adrastea"
},
{
"description": "JuiceLedger is a threat actor known for infostealing through their JuiceStealer .NET assembly. They have evolved from spreading fraudulent applications to conducting supply chain attacks, targeting PyPI contributors with phishing campaigns and typosquatting. Their malicious packages contain a code snippet that downloads and executes JuiceStealer, which has evolved to support additional browsers and Discord. Victims of JuiceLedger attacks are advised to reset passwords and report any suspicious activity to security@pypi.org.",
"meta": {
"refs": [
"https://www.sentinelone.com/labs/pypi-phishing-campaign-juiceledger-threat-actor-pivots-from-fake-apps-to-supply-chain-attacks/"
]
},
"uuid": "8f4eb6bc-3d3d-49e4-82d8-500c7bb0a2ec",
"value": "JuiceLedger"
},
{
"description": "RedJuliett is a likely Chinese state-sponsored threat actor targeting government, academic, technology, and diplomatic organizations in Taiwan. They exploit vulnerabilities in network edge devices for initial access and use SQL injection and directory traversal exploits against web and SQL applications. The group operates from Fuzhou, China, and aims to support Beijing's intelligence collection on Taiwan's economic and diplomatic relations. RedJuliett has also expanded its operations to compromise organizations in other countries such as Hong Kong, Malaysia, and the United States.",
"meta": {
"country": "CN",
"refs": [
"https://www.recordedfuture.com/redjuliett-intensifies-taiwanese-cyber-espionage-via-network-perimeter"
]
},
"uuid": "d20f5398-a362-4c88-b3fb-7e952dcf3948",
"value": "RedJuliett"
},
{
"description": "SneakyChef is a threat actor known for using the SugarGh0st RAT to target government agencies, research institutions, and organizations worldwide. They have been active since at least August 2023, with a focus on leveraging old and new command and control domains. The group has been observed using lures in the form of scanned documents related to Ministries of Foreign Affairs and embassies. Talos Intelligence assesses with medium confidence that the operators are likely Chinese-speaking based on language preferences and specific targets.",
"meta": {
"country": "CN",
"refs": [
"https://blog.talosintelligence.com/sneakychef-sugarghost-rat/"
]
},
"uuid": "cdf4506e-09ea-4eb8-b898-b1b5381aa343",
"value": "SneakyChef"
},
{
"description": "ALTDOS is a threat actor group that has targeted entities in Southeast Asia, including Singapore, Thailand, and Malaysia. They have been involved in data breaches of companies in various sectors, such as real estate and retail, compromising sensitive information like customer names, bank account numbers, and transaction details. ALTDOS uses tactics like ransomware attacks, data exfiltration, and dumping data publicly or for sale on underground forums. The group has been known to demand ransom payments from victims, but also leaks data if demands are not met.",
"meta": {
"refs": [
"https://www.databreaches.net/singapore-corporations-making-progress-in-preventing-cyberattacks/",
"https://www.databreaches.net/altdos-claims-to-have-hacked-one-of-malaysias-biggest-conglomerates/",
"https://www.databreaches.net/advisories-are-published-but-are-enough-entities-reading-them-and-taking-precautions/",
"https://www.databreaches.net/singapore-real-estate-firm-breached-by-altdos/",
"https://www.databreaches.net/sg-vhive-alerts-consumers-to-cyberattack/",
"https://www.databreaches.net/sg-vhive-attackers-escalate-take-control-of-furniture-retailers-email-server/"
]
},
"uuid": "2bd6c045-2ec2-438e-af66-0d97a0163290",
"value": "ALTDOS"
},
{
"description": "BlueHornet is an advanced persistent threat group targeting government organizations in China, North Korea, Iran, and Russia. They have compromised and leaked data from other APT groups like Kryptonite Panda and Lazarus Group. BlueHornet has been involved in campaigns such as Operation Renminbi, Operation Ruble, and Operation EUSec, focusing on exfiltrating region-specific data and selling it on the dark web. They have also been known to collaborate with different threat actors and have recently disclosed a zero-day exploit in NGINX 1.18.",
"meta": {
"refs": [
"https://cyberint.com/blog/research/bluehornet-one-apt-to-terrorize-them-all/",
"https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics",
"https://www.csoonline.com/article/3684668/cyberattacks-against-governments-jumped-95-in-last-half-of-2022-cloudsek-says.html"
],
"synonyms": [
"APT49",
"AgainstTheWest"
]
},
"uuid": "06a615dc-fa13-4d6a-ac8b-3d2a8c9501c4",
"value": "BlueHornet"
},
{
"description": "Hellhounds is an APT group targeting organizations in Russia, using a modified version of Pupy RAT called Decoy Dog. They gain initial access through vulnerable web services and trusted relationships, with a focus on the public sector and IT companies. The group has been active since at least 2019, maintaining covert presence inside compromised organizations by modifying open-source projects to evade detection. Hellhounds have successfully targeted at least 48 victims, including a telecom operator where they disrupted services.",
"meta": {
"refs": [
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/",
"https://ics-cert.kaspersky.com/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/"
]
},
"uuid": "46ef6903-deac-415a-afaf-97e3ce067d7e",
"value": "HellHounds"
},
{
"description": "IntelBroker is a threat actor known for orchestrating high-profile data breaches targeting companies like Apple, Zscaler, and Facebook Marketplace. They have a reputation for selling access to compromised systems and data on underground forums like BreachForums. IntelBroker has claimed responsibility for breaches involving government agencies such as Europol, the U.S. Department of Transportation, and the Pentagon, leaking sensitive information and classified documents. The actor has been linked to breaches at companies like Acuity, General Electric, and Home Depot, showcasing a pattern of targeting critical infrastructure and major corporations.",
"meta": {
"refs": [
"https://www.cysecurity.news/2024/06/infamous-hacker-intelbroker-breaches.html",
"https://www.malwarebytes.com/blog/news/2024/06/was-t-mobile-compromised-by-a-zero-day-in-jira",
"https://securityaffairs.com/164263/cyber-crime/pandabuy-extorted-again.html",
"https://meterpreter.org/cybersecurity-firm-hacked-sensitive-data-on-sale/"
]
},
"uuid": "849d16c8-eaa3-46e7-9c1c-179ef680922e",
"value": "IntelBroker"
},
{
"description": "DRAGONBRIDGE is a Chinese state-sponsored threat actor known for engaging in information operations to promote the political interests of the People's Republic of China. They have been observed using AI-generated images and videos to spread propaganda on social media platforms. The group has targeted various countries and regions, including the US, Taiwan, and Japan, with narratives promoting pro-PRC viewpoints. DRAGONBRIDGE has been linked to campaigns discrediting the US political system, sowing division between allies, and criticizing specific companies and individuals.",
"meta": {
"country": "CN",
"refs": [
"https://cloud.google.com/blog/topics/threat-intelligence/prc-dragonbridge-influence-elections/",
"https://quointelligence.eu/2024/06/european-election-at-risk-analysis/",
"https://blog.google/threat-analysis-group/over-50000-instances-of-dragonbridge-activity-disrupted-in-2022/"
],
"synonyms": [
"Spamouflage Dragon"
]
},
"uuid": "a4d55f94-d842-400a-acb6-dfee1c446257",
"value": "Dragonbridge"
},
{
"description": "Boolka is a threat actor known for infecting websites with malicious JavaScript scripts for data exfiltration. They have been carrying out opportunistic SQL injection attacks since at least 2022. Boolka has developed a malware delivery platform based on the BeEF framework and has been distributing the BMANAGER trojan. Their activities demonstrate a progression from basic website infections to more sophisticated malware operations.",
"meta": {
"refs": [
"https://www.group-ib.com/blog/boolka/"
]
},
"uuid": "99ad0cef-c53a-44d5-85d4-5459e59a06d5",
"value": "Boolka"
},
{
"description": "CloudSorcerer is a sophisticated APT targeting Russian government entities, utilizing cloud infrastructure for stealth monitoring and data exfiltration. The malware leverages APIs and authentication tokens to access cloud resources for command and control, with GitHub serving as its initial C2 server. CloudSorcerer operates as separate modules depending on the process it's running in, executing from a single executable and utilizing complex inter-process communication through Windows pipes. The actor behind CloudSorcerer shows similarities to the CloudWizard APT in modus operandi, but the unique code and functionality suggest it is a new threat actor inspired by previous techniques.",
"meta": {
"refs": [
"https://securelist.com/cloudsorcerer-new-apt-cloud-actor/113056/"
]
},
"uuid": "895548a2-e5c7-4a76-8425-19aa077db200",
"value": "CloudSorcerer"
},
{
"description": "The 8220 Gang, also known as Water Sigbin, is a threat actor group that focuses on deploying cryptocurrency-mining malware. They exploit vulnerabilities in Oracle WebLogic servers, such as CVE-2017-3506 and CVE-2023-21839, to deliver cryptocurrency miners using PowerShell scripts. The group has demonstrated a sophisticated multistage loading technique to deploy the PureCrypter loader and XMRIG crypto miner. They are known for using obfuscation techniques, such as hexadecimal encoding and code obfuscation, to evade detection and compromise systems.",
"meta": {
"country": "CN",
"refs": [
"https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html",
"https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html",
"https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat",
"https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/",
"https://asec.ahnlab.com/en/51568/",
"https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html",
"https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134",
"https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/"
],
"synonyms": [
"8220 Gang"
]
},
"uuid": "745fd45f-9076-4c88-a977-01940bc0d36e",
"value": "Water Sigbin"
}
],
"version": 310
"version": 312
}
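Review bot: The second RansomHub reference, `https://forescoutstage.wpengine.com/blog/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack/`, points at a staging host rather than the publisher's production domain, so it is likely to rot and should be replaced with the URL of the same post on Forescout's public site. Several new clusters also spell the `value` differently from their own description — `"value": "HellHounds"` versus "Hellhounds" in the text, `"value": "Dragonbridge"` versus "DRAGONBRIDGE", `"value": "StucxTeam"` versus "Stucx"/"Stucx Team" — and since `value` becomes the tag text, it is worth picking the vendor's spelling and putting the variants under `synonyms`. In the UAC-0020 cluster, `"SickSync"` appears to be the name of the operation reported in the SOC Prime and CERT-UA references rather than an alias of the actor; confirm against those sources before listing it as a synonym.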




@ -1,7 +1,7 @@
{
"authors": [
"Microsoft",
"Evgeny Bogokovsky",
"Microsoft",
"Ram Pliskin"
],
"category": "tmss",
@ -202,8 +202,8 @@
"meta": {
"external_id": "MS-T840",
"kill_chain": [
"TMSS-tactics:Initial Access",
"TMSS-tactics:Exfiltration"
"TMSS-tactics:Exfiltration",
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/object-replication"
@ -223,8 +223,8 @@
"meta": {
"external_id": "MS-T813",
"kill_chain": [
"TMSS-tactics:Persistence",
"TMSS-tactics:Defense Evasion"
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/firewall-configuration-changes"
@ -238,8 +238,8 @@
"meta": {
"external_id": "MS-T808",
"kill_chain": [
"TMSS-tactics:Persistence",
"TMSS-tactics:Defense Evasion"
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/rbac-permission"
@ -323,8 +323,8 @@
"meta": {
"external_id": "MS-T812",
"kill_chain": [
"TMSS-tactics:Persistence",
"TMSS-tactics:Defense Evasion"
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/private-endpoint"


22
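--- /dev/null
+++ b/galaxies/gsma-motif.json
@@ -0,0 +1,22 @@
+{
+"description": "Mobile Threat Intelligence Framework (MoTIF) Principles. ",
+"icon": "user-shield",
+"kill_chain_order": {
+"Techniques": [
+"Reconnaissance",
+"Resource-Development",
+"Initial-Access",
+"Persistence",
+"Defence-Evasion",
+"Credential-Access",
+"Discovery",
+"Collection",
+"Impact"
+]
+},
+"name": "GSMA MoTIF",
+"namespace": "gsma",
+"type": "gsma-motif",
+"uuid": "57cf3a17-e186-407a-b58b-d53887ce4950",
+"version": 1
+}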
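Review bot: The `description` value ends with a trailing space (`"... (MoTIF) Principles. "`), which is carried verbatim into the galaxy text and is the kind of thing the repository's JSON normalisation will keep flagging; trim it to `"description": "Mobile Threat Intelligence Framework (MoTIF) Principles."`. A short pointer to the upstream document the galaxy is generated from (the FS.57 MoTIF Principles publication that the generator script cites) would also help readers locate the source of the `kill_chain_order` entries.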


@ -1,7 +1,7 @@
python3 adoc_galaxy.py >a.txt
asciidoctor -a allow-uri-read a.txt
asciidoctor-pdf -a allow-uri-read a.txt
cp a.html ../../misp-website-new/static/galaxy.html
cp a.pdf ../../misp-website-new/static/galaxy.pdf
cp a.html ../../misp-website/static/galaxy.html
cp a.pdf ../../misp-website/static/galaxy.pdf
scp -l 81920 a.html circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/index.html
scp -l 81920 a.pdf circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/galaxy.pdf
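Review bot: The script has no `set -e`, so if `python3 adoc_galaxy.py >a.txt` or either asciidoctor step fails, the changed `cp` lines and the following `scp` uploads still publish whatever stale `a.html`/`a.pdf` happen to be left in the working directory. Adding `#!/bin/sh` and `set -eu` as the first two lines makes the deployment stop at the first failing step. All seven lines of the script are visible in this hunk.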

290
tools/gen_gsma_motif.py Normal file

@ -0,0 +1,290 @@
#!/usr/bin/env python3
#
# A simple convertor of the GSMA Mobile Threat Intelligence Framework (MoTIF) Principles to a MISP Galaxy datastructure.
# https://www.gsma.com/security/resources/fs-57-mobile-threat-intelligence-framework-motif-principles/
# Copyright (c) 2024 MISP Project
# Copyright (c) 2024 Christophe Vandeplas
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import pdfplumber
import requests
import json
import tempfile
import os
import uuid
pdf_url = 'https://www.gsma.com/solutions-and-impact/technologies/security/wp-content/uploads/2024/04/FS.57-MoTIF-Principles-v1.0.pdf'
uuid_seed = '5022ff98-cf0d-45d2-89b5-5c63104197cc'
def sub_table_to_list(table: list) -> list:
if len(table) == 0:
return []
try:
result = []
# FIXME use header row to know column names
for row in table:
result.append({
'ID': row[2].replace('\n', ''),
'Name': row[4]. replace('\n', ' ').strip(),
'Description': row[5]
})
return result
except IndexError:
return []
def table_to_technique(table: list) -> dict:
'''
Convert a table to a technique dictionary
'''
result = {}
row_index = 0
while row_index < len(table):
row = table[row_index]
# row[1] is None : sub-table in table
field = cleanup_field(row[0])
try:
if result['ID'] == 'MOT1036.301':
pass
except KeyError:
pass
if field == 'Procedure Examples':
# extract sub-table in the next rows
sub_table = []
try:
while table[row_index + 1][0] is None:
sub_table.append(table[row_index + 1])
row_index += 1
except IndexError: # just the end of the page, will be handled in the next page
pass
value = sub_table_to_list(sub_table)
elif field == 'Analogous technique in other frameworks':
# column index is not always the same... so figure out the first non-empty cell
i = 1
value = ''
while i < len(row):
try:
if row[i] is not None:
value = row[i]
break
except IndexError:
pass
i += 1
elif not field:
# annoyingly a sub-table might have been parsed differently from previous page. So bad luck. There's not much we can do about it except even worse code than we have here.
row_index += 1
continue
else:
value = row[1].replace('\n', ' ').strip()
result[field] = value
row_index += 1
return result
def cleanup_field(field: str) -> str:
'''
Cleanup a field name
'''
try:
return field.strip().replace(':', '').replace('\n', ' ').replace('- ', '-').strip()
except AttributeError:
return ''
def is_end_of_table(table: list) -> bool:
'''
Check if this is the end of the table, by checking the last row in the table.
'''
try:
# Techniques
if table['ID'].startswith('MOT') and 'Analogous technique in other frameworks' in table:
return True
# Mitigations
if table['ID'].startswith('MOS') and 'References' in table:
return True
except KeyError:
pass
return False
def parse_pdf(pdf_file_name: str) -> dict:
table_settings = {
"vertical_strategy": "lines",
"horizontal_strategy": "lines",
# "explicit_vertical_lines": [],
# "explicit_horizontal_lines": [],
# "snap_tolerance": 6,
"snap_x_tolerance": 6, # pg49: must be 6
"snap_y_tolerance": 3, # max 14
# "join_tolerance": 3,
# "join_x_tolerance": 3,
# "join_y_tolerance": 3,
# "edge_min_length": 3,
# "min_words_vertical": 3,
# "min_words_horizontal": 1,
# "intersection_tolerance": 3,
# "intersection_x_tolerance": 3,
# "intersection_y_tolerance": 3,
# "text_tolerance": 3,
# "text_x_tolerance": 3,
# "text_y_tolerance": 3,
}
entries = {}
with pdfplumber.open(pdf_file_name) as pdfp:
page_index = 0
title_seen = False
curr_table = None
while page_index < len(pdfp.pages):
page = pdfp.pages[page_index]
# skip to section 4.1 Techniques and Sub-techniques Definition
if not title_seen:
page_text = page.extract_text()
if '4.1 Techniques and Sub-techniques Definition' not in page_text or 'Table of Contents' in page_text:
# print(f"Skipping page {page_index}")
page_index += 1
continue
title_seen = True
# parse technique tables
for table in page.extract_tables(table_settings=table_settings):
if curr_table: # merge tables if continuation
# if first row does not have a first column, then it's the continuation of the previous row
if table[0][0] == '' and table[0][1] != '':
curr_table[-1][1] += ' ' + table[0][1] # add description of new row to previous row
table.pop(0) # remove the first new row of the table
# annoyingly a sub-table might have been parsed differently from previous page. So bad luck. There's not much we can do about it except even worse code than we have here.
# handle rest of merging case
table = curr_table + table
curr_table = None # reset for clean start
parsed_table = table_to_technique(table)
if is_end_of_table(parsed_table):
# valid table
parsed_table['page'] = page_index + 1 # minor bug: we document the page where the table ends, not where it starts
entries[parsed_table['ID']] = parsed_table
else:
# incomplete table, store in curr_table and continue next row
curr_table = table
page_index += 1
return entries
print(f"Downloading PDF: {pdf_url}")
r = requests.get(pdf_url, allow_redirects=True)
with tempfile.TemporaryFile() as tmp_f:
tmp_f.write(r.content)
print("Parsing PDF ... this takes time")
items = parse_pdf(tmp_f)
print("Converting to MISP Galaxy ...")
# now convert and extract data to have something clean and usable
kill_chain_tactics = {
'Techniques': [],
}
techniques = []
for item in items.values():
if item['ID'].startswith('MOT'):
kill_chain_root = 'Techniques'
else:
# TODO skip these MOS softwares for now
continue
if ',' in item['Tactic']:
tactics = [t.strip().replace(' ', '-') for t in item['Tactic'].split(',')]
else:
tactics = [item['Tactic'].replace(' ', '-')]
kill_chain = []
for tactic in tactics:
kill_chain_tactics[kill_chain_root].append(tactic)
kill_chain.append(f"{kill_chain_root}:{tactic}")
technique = {
'value': item['Name'],
'description': item['Description'],
'uuid': str(uuid.uuid5(uuid.UUID(uuid_seed), item['ID'])),
'meta': {
'kill_chain': kill_chain,
'refs': [
f"page {item['page']} of {pdf_url}"
],
'external_id': item['ID'],
}
}
if item['References']:
technique['meta']['refs'].append(item['References'])
if item['Analogous technique in other frameworks']:
technique['meta']['refs'].append(item['Analogous technique in other frameworks'])
techniques.append(technique)
# TODO relations + refs as subtechniques
# make entries unique
kill_chain_tactics['Techniques'] = list(set(kill_chain_tactics['Techniques']))
galaxy_fname = 'gsma-motif.json'
galaxy_type = "gsma-motif"
galaxy_name = "GSMA MoTIF"
galaxy_description = 'Mobile Threat Intelligence Framework (MoTIF) Principles. '
galaxy_source = 'https://www.gsma.com/solutions-and-impact/technologies/security/latest-news/establishing-motif-the-mobile-threat-intelligence-framework/'
json_galaxy = {
'description': galaxy_description,
'icon': "user-shield",
'kill_chain_order': kill_chain_tactics,
'name': galaxy_name,
'namespace': "gsma",
'type': galaxy_type,
'uuid': "57cf3a17-e186-407a-b58b-d53887ce4950",
'version': 1
}
json_cluster = {
'authors': ["GSMA"],
'category': 'attack-pattern',
'name': galaxy_name,
'description': galaxy_description,
'source': galaxy_source,
'type': galaxy_type,
'uuid': "02cb3863-ecb2-4a93-a5ed-18bb6dfd5c89",
'values': list(techniques),
'version': 1
}
# save the Galaxy and Cluster file
# with open(os.path.join('..', 'galaxies', galaxy_fname), 'w') as f:
# # sort_keys, even if it breaks the kill_chain_order , but jq_all_the_things requires sorted keys
# json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
# f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
with open(os.path.join('..', 'clusters', galaxy_fname), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
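Review bot: The download `r = requests.get(pdf_url, allow_redirects=True)` never checks the response status and has no timeout, so a 404 or an HTML error page is written into the temp file and handed to pdfplumber, which then fails with an unrelated parsing error, and a stalled connection hangs the script indefinitely; add `r.raise_for_status()` right after the call and pass `timeout=60` (or similar). The temp file is written and then passed as `parse_pdf(tmp_f)` without a `tmp_f.seek(0)`; whether pdfplumber rewinds the stream itself is not visible here, and the annotation `pdf_file_name: str` no longer matches the file object actually passed. The `try: if result['ID'] == 'MOT1036.301': pass` block in `table_to_technique` is a leftover debugging hook with no effect and should be removed before merge. Because the script feeds a network-fetched PDF straight into pdfplumber/pdfminer, the parser is the untrusted-input surface; pinning its version in tools/requirements.txt is the right call, and a comment noting that the URL is trusted over TLS would document the assumption.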


@ -17,14 +17,22 @@
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import json
import os
import requests
import uuid
from pymispgalaxies import Cluster, Galaxy
d3fend_url = 'https://d3fend.mitre.org/ontologies/d3fend.json'
d3fend_full_mappings_url = 'https://d3fend.mitre.org/api/ontology/inference/d3fend-full-mappings.json'
galaxy_fname = 'mitre-d3fend.json'
galaxy_type = "mitre-d3fend"
galaxy_name = "MITRE D3FEND"
galaxy_description = 'A knowledge graph of cybersecurity countermeasures.'
galaxy_source = 'https://d3fend.mitre.org/'
# we love eating lots of memory
r = requests.get(d3fend_url)
d3fend_json = r.json()
@ -32,9 +40,6 @@ d3fend_json = r.json()
r = requests.get(d3fend_full_mappings_url)
d3fend_mappings_json = r.json()
with open('../clusters/mitre-attack-pattern.json', 'r') as mitre_f:
mitre = json.load(mitre_f)
uuid_seed = '35527064-12b4-4b73-952b-6d76b9f1b1e3'
@ -123,14 +128,31 @@ def find_kill_chain_of(original_item):
return find_kill_chain_of(data[parent_class])
def find_mitre_uuid_from_technique_id(technique_id):
for item in mitre['values']:
if item['meta']['external_id'] == technique_id:
return item['uuid']
print("No MITRE UUID found for technique_id: ", technique_id)
return None
mitre_attack_pattern = Cluster('mitre-attack-pattern')
def find_mitre_uuid_from_technique_id(technique_id):
try:
return mitre_attack_pattern.get_by_external_id(technique_id).uuid
except KeyError:
print("No MITRE UUID found for technique_id: ", technique_id)
return None
try:
cluster = Cluster('mitre-d3fend')
except (KeyError, FileNotFoundError):
cluster = Cluster({
'authors': ["MITRE"],
'category': 'd3fend',
'name': galaxy_name,
'description': galaxy_description,
'source': galaxy_source,
'type': galaxy_type,
'uuid': "b8bd7e45-63bf-4c44-8ab1-c81c82547380",
'version': 0
})
# relationships
for item in d3fend_mappings_json['results']['bindings']:
d3fend_technique = item['def_tech_label']['value']
@ -213,47 +235,28 @@ while seen_new:
if item['rdfs:label'] in relations:
technique['related'] = relations[item['rdfs:label']]
techniques.append(technique)
cluster.append(technique)
print(f"Technique: {item['rdfs:label']} - {item['d3f:d3fend-id']}")
galaxy_fname = 'mitre-d3fend.json'
galaxy_type = "mitre-d3fend"
galaxy_name = "MITRE D3FEND"
galaxy_description = 'A knowledge graph of cybersecurity countermeasures.'
galaxy_source = 'https://d3fend.mitre.org/'
json_galaxy = {
'description': galaxy_description,
'icon': "user-shield",
'kill_chain_order': kill_chain_tactics,
'name': galaxy_name,
'namespace': "mitre",
'type': galaxy_type,
'uuid': "77d1bbfa-2982-4e0a-9238-1dae4a48c5b4",
'version': 1
}
json_cluster = {
'authors': ["MITRE"],
'category': 'd3fend',
'name': galaxy_name,
'description': galaxy_description,
'source': galaxy_source,
'type': galaxy_type,
'uuid': "b8bd7e45-63bf-4c44-8ab1-c81c82547380",
'values': list(techniques),
'version': 1
}
cluster.save('mitre-d3fend')
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', galaxy_fname), 'w') as f:
# sort_keys, even if it breaks the kill_chain_order , but jq_all_the_things requires sorted keys
json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
try:
galaxy = Galaxy('mitre-d3fend')
galaxy.kill_chain_order = kill_chain_tactics
except (KeyError, FileNotFoundError):
galaxy = Galaxy({
'description': galaxy_description,
'icon': "user-shield",
'kill_chain_order': kill_chain_tactics,
'name': galaxy_name,
'namespace': "mitre",
'type': galaxy_type,
'uuid': "77d1bbfa-2982-4e0a-9238-1dae4a48c5b4",
'version': 1
})
with open(os.path.join('..', 'clusters', galaxy_fname), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
galaxy.save('mitre-d3fend')
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
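Review bot: When `Cluster('mitre-d3fend')` succeeds in the `try` branch, the loaded cluster still holds its previous values and every regenerated technique is then pushed onto it with `cluster.append(technique)`; whether `append` replaces an entry with the same uuid, raises on a duplicate, or keeps both is not visible here, and the ukhsa generator in this same commit clears `cluster.cluster_values = {}` before appending, so either do the same here or add a comment confirming that `append` replaces by uuid. The fallback creates the cluster with `'version': 0`, which only makes sense if `save()` increments it; a one-line comment such as `# version is bumped by Cluster.save()` would record that assumption. The relationship loop that follows starts at `d3fend_mappings_json['results']['bindings']` and runs past the end of this hunk.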


@ -22,9 +22,9 @@ import yaml
import os
import uuid
import re
import json
import argparse
from pymispgalaxies import Cluster, Galaxy
parser = argparse.ArgumentParser(description='Create/update the Azure Threat Research Matrix based on Markdown files.')
parser.add_argument("-p", "--path", required=True, help="Path of the 'Azure Threat Research Matrix' git clone folder")
@ -67,9 +67,12 @@ for nav_item in mkdocs_data['nav']:
'uuid': str(uuid.uuid5(uuid.UUID("9319371e-2504-4128-8410-3741cebbcfd3"), technique)),
'meta': {
'kill_chain': [],
'refs': [f"https://microsoft.github.io/Azure-Threat-Research-Matrix/{fname[:-3]}"]
'refs': [f"https://microsoft.github.io/Azure-Threat-Research-Matrix/{fname[:-3]}"],
'external_id': technique.split(' ')[0]
}
}
else:
pass
clusters[technique]['meta']['kill_chain'].append(f"ATRM-tactics:{tactic}")
except KeyError:
continue
@ -77,44 +80,52 @@ for nav_item in mkdocs_data['nav']:
except KeyError:
continue
json_galaxy = {
'icon': "map",
'kill_chain_order': {
'ATRM-tactics': tactics
},
'name': "Azure Threat Research Matrix",
'description': "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
'namespace': "microsoft",
'type': "atrm",
'uuid': "b541a056-154c-41e7-8a56-41db3f871c00",
'version': 1
}
json_cluster = {
'authors': ["Microsoft"],
'category': 'atrm',
'name': "Azure Threat Research Matrix",
'description': "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
'source': 'https://github.com/microsoft/Azure-Threat-Research-Matrix',
'type': "atrm",
'uuid': "b541a056-154c-41e7-8a56-41db3f871c00",
'values': list(clusters.values()),
'version': 1
}
try:
cluster = Cluster('atrm')
except (KeyError, FileNotFoundError):
cluster = Cluster({
'authors': ["Microsoft"],
'category': 'atrm',
'name': "Azure Threat Research Matrix",
'description': "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
'source': 'https://github.com/microsoft/Azure-Threat-Research-Matrix',
'type': "atrm",
'uuid': "b541a056-154c-41e7-8a56-41db3f871c00",
'version': 0
})
# add authors based on the Acknowledgements page
with open(os.path.join(args.path, 'docs', 'acknowledgments.md'), 'r') as f:
for line in f:
if line.startswith('* '):
try:
json_cluster['authors'].append(re.search(r'\w+ [\w&]+', line).group())
cluster.authors.add(re.search(r'\w+ [\w&]+', line).group())
except AttributeError:
json_cluster['authors'].append(re.search(r'\w+', line).group())
cluster.authors.add(re.search(r'\w+', line).group())
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', 'atrm.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2, sort_keys=True)
for cluster_value in clusters.values():
cluster.append(cluster_value)
with open(os.path.join('..', 'clusters', 'atrm.json'), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True)
cluster.save('atrm')
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
try:
galaxy = Galaxy('atrm')
except (KeyError, FileNotFoundError):
galaxy = Galaxy({
'icon': "map",
'kill_chain_order': {
'ATRM-tactics': tactics
},
'name': "Azure Threat Research Matrix",
'description': "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
'namespace': "microsoft",
'type': "atrm",
'uuid': "b541a056-154c-41e7-8a56-41db3f871c00",
'version': 1
})
galaxy.save('atrm')
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh, and also update_README_with_index.py.")
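Review bot: In the `try` branch `galaxy = Galaxy('atrm')` loads the existing galaxy but never assigns the freshly collected `tactics`, so once `galaxies/atrm.json` exists, added or renamed tactics are silently never written to `kill_chain_order`; the D3FEND generator in this commit sets `galaxy.kill_chain_order = kill_chain_tactics` inside its `try`, and this script needs the equivalent `galaxy.kill_chain_order = {'ATRM-tactics': tactics}`. The same stale-state concern applies to the cluster: `cluster.append(cluster_value)` adds onto whatever the loaded cluster already contains, so unless `append` replaces by uuid (not visible here) removed techniques survive, which the ukhsa script avoids by resetting `cluster.cluster_values = {}` first. The `mkdocs_data['nav']` loop that fills `clusters` and `tactics` begins before this hunk.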


@ -22,9 +22,8 @@ import yaml
import os
import uuid
import re
import json
import argparse
from pymispgalaxies import Cluster, Galaxy
parser = argparse.ArgumentParser(description='Create/update the Threat Matrix for storage services based on Markdown files.')
parser.add_argument("-p", "--path", required=True, help="Path of the 'Threat Matrix for storage services' git clone folder")
@ -40,13 +39,17 @@ with open(os.path.join(args.path, 'mkdocs.yml'), 'r') as f:
tactics = []
clusters = {}
mitre_attack_pattern = Cluster('mitre-attack-pattern')
def find_mitre_uuid_from_technique_id(technique_id):
with open('../clusters/mitre-attack-pattern.json', 'r') as mitre_f:
mitre = json.load(mitre_f)
for item in mitre['values']:
if item['meta']['external_id'] == technique_id:
return item['uuid']
return None
try:
return mitre_attack_pattern.get_by_external_id(technique_id).uuid
except KeyError:
print("No MITRE UUID found for technique_id: ", technique_id)
return None
for nav_item in mkdocs_data['nav']:
try:
@ -70,8 +73,8 @@ for nav_item in mkdocs_data['nav']:
mitre_technique_uuid = find_mitre_uuid_from_technique_id(mitre_technique_id)
related = [
{
"dest-uuid": mitre_technique_uuid,
"type": "related-to"
"dest-uuid": mitre_technique_uuid,
"type": "related-to"
}
]
except AttributeError:
@ -107,43 +110,47 @@ galaxy_type = "tmss"
galaxy_name = "Threat Matrix for storage services"
galaxy_description = 'Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.'
galaxy_source = 'https://github.com/microsoft/Threat-matrix-for-storage-services'
json_galaxy = {
'icon': "map",
'kill_chain_order': {
'TMSS-tactics': tactics
},
'name': galaxy_name,
'description': galaxy_description,
'namespace': "microsoft",
'type': galaxy_type,
'uuid': "d6532b58-99e0-44a9-93c8-affe055e4443",
'version': 1
}
json_cluster = {
'authors': ["Microsoft"],
'category': 'tmss',
'name': galaxy_name,
'description': galaxy_description,
'source': galaxy_source,
'type': galaxy_type,
'uuid': "aaf033a6-7f1e-45ab-beef-20a52b75b641",
'values': list(clusters.values()),
'version': 1
}
try:
galaxy = Galaxy('tmss')
except (KeyError, FileNotFoundError):
galaxy = Galaxy({
'icon': "map",
'kill_chain_order': {
'TMSS-tactics': tactics
},
'name': galaxy_name,
'description': galaxy_description,
'namespace': "microsoft",
'type': galaxy_type,
'uuid': "d6532b58-99e0-44a9-93c8-affe055e4443",
'version': 1
})
galaxy.save('tmss')
try:
cluster = Cluster('tmss')
except (KeyError, FileNotFoundError):
cluster = Cluster({
'authors': ["Microsoft"],
'category': 'tmss',
'name': galaxy_name,
'description': galaxy_description,
'source': galaxy_source,
'type': galaxy_type,
'uuid': "aaf033a6-7f1e-45ab-beef-20a52b75b641",
'version': 0
})
# add authors based on the Acknowledgements page
authors = ('Evgeny Bogokovsky', 'Ram Pliskin')
for author in authors:
json_cluster['authors'].append(author)
cluster.authors.add(author)
for cluster_value in clusters.values():
cluster.append(cluster_value)
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', 'tmss.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
cluster.save('tmss')
with open(os.path.join('..', 'clusters', 'tmss.json'), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh, and update_README.")
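Review bot: `galaxy = Galaxy('tmss')` in the `try` branch ignores the `tactics` list built above, so once the galaxy file exists its `kill_chain_order` is never refreshed; add `galaxy.kill_chain_order = {'TMSS-tactics': tactics}` inside the `try`, as the D3FEND generator in this commit does. Separately, `find_mitre_uuid_from_technique_id` now prints and returns `None` on a miss, but the caller still emits `{"dest-uuid": mitre_technique_uuid, "type": "related-to"}`, so an unknown ATT&CK id yields a relation with a null target in the cluster file; skip building `related` when the lookup returns `None`. The `mkdocs_data['nav']` loop that builds `clusters` begins outside this hunk.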


@ -19,10 +19,10 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import json
import requests
import uuid
from pymispgalaxies import Cluster, Galaxy
'''
From https://www.culturecollections.org.uk/search/?searchScope=Product&pageNumber=1&filter.collectionGroup=0&filter.collection=0&filter.sorting=DateCreated
@ -42,6 +42,7 @@ cell culture characteristics. Passage numbers where given act only as a guide an
the passage number stated will be the passage number received by the customer.
'''
def download_items():
data = {'items': [],
'collections': {},
@ -75,11 +76,13 @@ def save_items(d):
json.dump(d, f, indent=2, sort_keys=True)
return True
def load_saved_items():
with open('items.json', 'r') as f:
d = json.load(f)
return d
data = download_items()
# save_items(data)
# data = load_saved_items()
@ -110,33 +113,27 @@ for item in data['items']:
clusters_dict[cluster['value']] = cluster
# transform dict to list
clusters = []
cluster = Cluster('ukhsa-culture-collections', skip_duplicates=True)
cluster.cluster_values = {}
for item in clusters_dict.values():
clusters.append(item)
cluster.append(item, skip_duplicates=True)
cluster.save('ukhsa-culture-collections')
for cluster, duplicate in cluster.duplicates:
print(f"WARNING: Skipped duplicate: {duplicate} in cluster {cluster}")
json_galaxy = {
'icon': "virus",
'name': "UKHSA Culture Collections",
'description': "UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.",
'namespace': "gov.uk",
'type': "ukhsa-culture-collections",
'uuid': "bbe11c06-1d6a-477e-88f1-cdda2d71de56",
'version': 1
}
try:
galaxy = Galaxy('ukhsa-culture-collections')
except KeyError:
galaxy = Galaxy({
'icon': "virus",
'name': "UKHSA Culture Collections",
'description': "UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.",
'namespace': "gov.uk",
'type': "ukhsa-culture-collections",
'uuid': "bbe11c06-1d6a-477e-88f1-cdda2d71de56",
'version': 1
})
galaxy.save('ukhsa-culture-collections')
with open(os.path.join('..', 'clusters', 'ukhsa-culture-collections.json'), 'r') as f:
json_cluster = json.load(f)
json_cluster['values'] = clusters
json_cluster['version'] += 1
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', 'ukhsa-culture-collections.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
with open(os.path.join('..', 'clusters', 'ukhsa-culture-collections.json'), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
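Review bot: `for cluster, duplicate in cluster.duplicates:` rebinds the name `cluster` to the first element of each tuple, shadowing the `Cluster` object whose `.duplicates` is being iterated; it only works because the iterable is evaluated once before the loop, and it reads like a bug, so rename the loop variable, e.g. `for cluster_name, duplicate in cluster.duplicates:`. The `Galaxy(...)` fallback here catches only `KeyError`, whereas the other generators in this commit catch `(KeyError, FileNotFoundError)`; if `Galaxy()` raises `FileNotFoundError` for a missing file, the first run of this script will crash instead of creating the galaxy. The removed code bumped `json_cluster['version'] += 1` explicitly; the new code relies on `cluster.save(...)` doing so, which is not visible in this hunk and deserves a comment.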


@ -1,6 +1,6 @@
Babel==2.14.0
bracex==2.4
certifi==2023.11.17
certifi==2024.7.4
cffi==1.16.0
charset-normalizer==3.3.2
click==8.1.7
@ -37,11 +37,11 @@ python-dateutil==2.8.2
PyYAML==6.0.1
pyyaml_env_tag==0.1
regex==2023.12.25
requests==2.32.0
requests==2.32.2
six==1.16.0
smmap==5.0.1
typing_extensions==4.9.0
urllib3==2.1.0
urllib3==2.2.2
validators==0.22.0
watchdog==3.0.0
wcmatch==8.5

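--- /dev/null
+++ b/tools/requirements.txt
@@ -0,0 +1,5 @@
+pdfplumber==0.11.0
+graphviz==0.20.3
+requests==2.32.2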
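Review bot: The three pins fix versions but carry no `--hash=sha256:...` entries, so `pip install -r tools/requirements.txt` verifies nothing beyond the version string and a replaced or tampered wheel for pdfplumber (which parses the downloaded PDF) would install silently; generating the file with `pip-compile --generate-hashes` lets pip enforce `--require-hashes` and closes that gap. The header reports five added lines while three are visible here, so the file may hold entries not shown in this view.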


@ -132,7 +132,8 @@ class Cluster:
def save_to_file(self, path):
with open(path, "w") as file:
file.write(json.dumps(self.__dict__(), indent=4))
file.write(json.dumps(self.__dict__(), indent=2))
file.write('\n')
def __str__(self) -> str:
return f"Cluster: {self.name} - {self.type} - {self.uuid}"
@ -270,7 +271,7 @@ class GroupCluster(Cluster):
# Code Block for handling duplicate from Tidal API data (hopefully only temporary)
if value.uuid == "3290dcb9-5781-4b87-8fa0-6ae820e152cd":
value.value = "Volt Typhoon - Tidal"
value.value = "Volt Typhoon - Tidal"
self.values.append(value.return_value())
@ -367,6 +368,7 @@ class SoftwareCluster(Cluster):
uuid=associated_software.get("associated_software_id"),
value=associated_software.get("name") + " - Associated Software",
)
self.values.append(value.return_value())
related.append(
{
@ -384,6 +386,12 @@ class SoftwareCluster(Cluster):
uuid=entry.get("id"),
value=entry.get("name"),
)
# duplicates, manually handled
if value.uuid == '6af0eac2-c35f-4569-ae09-47f1ca846961':
value.value = f"{value.value} - Duplicate"
if value.uuid == '39d81c48-8f7c-54cb-8fac-485598e31a55':
value.value = f"{value.value} - Duplicate"
self.values.append(value.return_value())
@ -493,7 +501,7 @@ class TechniqueCluster(Cluster):
sub_value.value = "Spearphishing Link - Duplicate"
elif sub_value.uuid == "350c12a3-33f6-5942-8892-4d6e70abbfc1":
sub_value.value = "Spearphishing Voice - Duplicate"
self.values.append(sub_value.return_value())
related.append(
{
@ -585,6 +593,17 @@ class ReferencesCluster(Cluster):
uuid=entry.get("id"),
value=entry.get("name"),
)
# handle duplicates manually
if value.uuid == 'eea178f4-80bd-49d1-84b1-f80671e9a3e4':
value.value = f"{value.value} - Duplicate"
if value.uuid == '9bb5c330-56bd-47e7-8414-729d8e6cb3b3':
value.value = f"{value.value} - Duplicate"
if value.uuid == '8b4bdce9-da19-443f-88d2-11466e126c09':
value.value = f"{value.value} - Duplicate"
if value.uuid == 'b4727044-51bb-43b3-afdb-515bb4bb0f7e':
value.value = f"{value.value} - Duplicate"
self.values.append(value.return_value())
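Review bot: The chains of `if value.uuid == '...': value.value = f"{value.value} - Duplicate"` added in `SoftwareCluster` and `ReferencesCluster` hard-code the same workaround in two places and will grow with every new collision in the upstream data; a single module-level `DUPLICATE_UUIDS = frozenset({...})` checked with `if value.uuid in DUPLICATE_UUIDS: value.value = f"{value.value} - Duplicate"` keeps the list in one place, and a comment there can say why those entries collide and when the set can be dropped. None of the new branches explains what the collision is (two upstream entries sharing a name, presumably), so the `# duplicates, manually handled` comment should at least point at the source of the conflict. The enclosing methods start and end outside these hunks.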


@ -14,4 +14,5 @@ class Galaxy:
def save_to_file(self, path: str):
with open(path, "w") as file:
file.write(json.dumps(asdict(self), indent=4))
file.write(json.dumps(asdict(self), indent=2))
file.write('\n')
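Review bot: `save_to_file` now writes `json.dumps(asdict(self), indent=2)` plus a trailing newline, but without `sort_keys=True` or `ensure_ascii=False`, while every generator in this commit writes its JSON with exactly those options because, as gen_gsma_motif.py notes, `jq_all_the_things` requires sorted keys; the file produced here will therefore be rewritten on the next formatting pass, producing noisy diffs. Use `file.write(json.dumps(asdict(self), indent=2, sort_keys=True, ensure_ascii=False))` and open with `open(path, "w", encoding="utf-8")` so non-ASCII names round-trip the same way as in the other tools. The `Galaxy` class definition starts outside this hunk.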