mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-22 14:57:18 +00:00
This commit is contained in:
commit
711032d2e3
9 changed files with 94148 additions and 6309 deletions
28
README.md
28
README.md
|
@ -27,6 +27,14 @@ Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements
|
|||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_360.net_threat_actors)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)]
|
||||
|
||||
## Ammunitions
|
||||
|
||||
[Ammunitions](https://www.misp-project.org/galaxy.html#_ammunitions) - Common ammunitions galaxy
|
||||
|
||||
Category: *firearm* - source: *https://ammo.com/* - total: *410* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_ammunitions)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ammunitions.json)]
|
||||
|
||||
## Android
|
||||
|
||||
[Android](https://www.misp-project.org/galaxy.html#_android) - Android malware galaxy based on multiple open sources.
|
||||
|
@ -55,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
|
|||
|
||||
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
|
||||
|
||||
Category: *tool* - source: *Open Sources* - total: *16* elements
|
||||
Category: *tool* - source: *Open Sources* - total: *23* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
|
||||
|
||||
|
@ -147,6 +155,14 @@ Category: *tool* - source: *MISP Project* - total: *52* elements
|
|||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)]
|
||||
|
||||
## Firearms
|
||||
|
||||
[Firearms](https://www.misp-project.org/galaxy.html#_firearms) - Common firearms galaxy
|
||||
|
||||
Category: *firearm* - source: *https://www.impactguns.com* - total: *5953* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)]
|
||||
|
||||
## FIRST DNS Abuse Techniques Matrix
|
||||
|
||||
[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
|
||||
|
@ -159,7 +175,7 @@ Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total
|
|||
|
||||
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
|
||||
|
||||
Category: *tool* - source: *Malpedia* - total: *2823* elements
|
||||
Category: *tool* - source: *Malpedia* - total: *2947* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
|
||||
|
||||
|
@ -423,7 +439,7 @@ Category: *rsit* - source: *https://github.com/enisaeu/Reference-Security-Incide
|
|||
|
||||
[Sector](https://www.misp-project.org/galaxy.html#_sector) - Activity sectors
|
||||
|
||||
Category: *sector* - source: *CERT-EU* - total: *117* elements
|
||||
Category: *sector* - source: *CERT-EU* - total: *118* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)]
|
||||
|
||||
|
@ -431,7 +447,7 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements
|
|||
|
||||
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
|
||||
|
||||
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2568* elements
|
||||
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2776* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
|
||||
|
||||
|
@ -495,7 +511,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
|
|||
|
||||
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
|
||||
|
||||
Category: *actor* - source: *MISP Project* - total: *420* elements
|
||||
Category: *actor* - source: *MISP Project* - total: *432* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
|
||||
|
||||
|
@ -503,7 +519,7 @@ Category: *actor* - source: *MISP Project* - total: *420* elements
|
|||
|
||||
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
|
||||
|
||||
Category: *tool* - source: *MISP Project* - total: *557* elements
|
||||
Category: *tool* - source: *MISP Project* - total: *585* elements
|
||||
|
||||
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]
|
||||
|
||||
|
|
4114
clusters/ammunitions.json
Normal file
4114
clusters/ammunitions.json
Normal file
File diff suppressed because it is too large
Load diff
83356
clusters/firearms.json
Normal file
83356
clusters/firearms.json
Normal file
File diff suppressed because it is too large
Load diff
File diff suppressed because it is too large
Load diff
|
@ -209,6 +209,30 @@
|
|||
"uuid": "8a8f39df-74b3-4946-ab64-f84968bababe",
|
||||
"value": "DIZZY PANDA"
|
||||
},
|
||||
{
|
||||
"description": "Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.",
|
||||
"meta": {
|
||||
"attribution-confidence": "50",
|
||||
"cfr-suspected-state-sponsor": "China",
|
||||
"cfr-suspected-victims": [
|
||||
"Taiwan",
|
||||
"United States",
|
||||
"Vietnam",
|
||||
"Solomon Islands"
|
||||
],
|
||||
"cfr-target-category": [
|
||||
"Biomedical",
|
||||
"Government",
|
||||
"Information technology"
|
||||
],
|
||||
"country": "CN",
|
||||
"refs": [
|
||||
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks"
|
||||
]
|
||||
},
|
||||
"uuid": "6714de29-4dd8-463c-99a3-77c9e80fa47d",
|
||||
"value": "Grayling"
|
||||
},
|
||||
{
|
||||
"description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
|
||||
"meta": {
|
||||
|
@ -6190,7 +6214,8 @@
|
|||
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
|
||||
"https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia",
|
||||
"https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea",
|
||||
"https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf"
|
||||
"https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf",
|
||||
"https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
|
||||
],
|
||||
"synonyms": [
|
||||
"TEMP.Periscope",
|
||||
|
@ -6204,7 +6229,8 @@
|
|||
"TA423",
|
||||
"Red Ladon",
|
||||
"ITG09",
|
||||
"MUDCARP"
|
||||
"MUDCARP",
|
||||
"ISLANDDREAMS"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
|
@ -6246,13 +6272,19 @@
|
|||
"https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
|
||||
"https://www.cfr.org/cyber-operations/apt-35",
|
||||
"https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
|
||||
"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/"
|
||||
"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/",
|
||||
"https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
|
||||
"https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/",
|
||||
"https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us"
|
||||
],
|
||||
"synonyms": [
|
||||
"Newscaster Team",
|
||||
"Magic Hound",
|
||||
"G0059",
|
||||
"Phosphorus"
|
||||
"Phosphorus",
|
||||
"Mint Sandstorm",
|
||||
"TunnelVision",
|
||||
"COBALT MIRAGE"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
|
@ -7224,6 +7256,34 @@
|
|||
{
|
||||
"description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
|
||||
"meta": {
|
||||
"cfr-suspected-state-sponsor": "Russian Federation",
|
||||
"cfr-suspected-victims": [
|
||||
"Australia",
|
||||
"Bahamas",
|
||||
"Canada",
|
||||
"Costa Rica",
|
||||
"France",
|
||||
"Germany",
|
||||
"India",
|
||||
"Ireland",
|
||||
"Italy",
|
||||
"Japan",
|
||||
"Mexico",
|
||||
"New Zealand",
|
||||
"Spain",
|
||||
"Switzerland",
|
||||
"Taiwan",
|
||||
"United Kingdom",
|
||||
"Ukraine",
|
||||
"United States"
|
||||
],
|
||||
"cfr-target-category": [
|
||||
"Defense",
|
||||
"Financial",
|
||||
"Government",
|
||||
"Healthcare",
|
||||
"Telecommunications"
|
||||
],
|
||||
"country": "RU",
|
||||
"refs": [
|
||||
"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
|
||||
|
@ -7237,7 +7297,9 @@
|
|||
"https://www.secureworks.com/research/dyre-banking-trojan",
|
||||
"https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic",
|
||||
"https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
|
||||
"http://www.secureworks.com/research/threat-profiles/gold-blackburn"
|
||||
"http://www.secureworks.com/research/threat-profiles/gold-blackburn",
|
||||
"https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf",
|
||||
"https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf"
|
||||
],
|
||||
"synonyms": [
|
||||
"TEMP.MixMaster",
|
||||
|
@ -7492,8 +7554,29 @@
|
|||
{
|
||||
"description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.",
|
||||
"meta": {
|
||||
"cfr-suspected-victims": [
|
||||
"Ecuador",
|
||||
"Colombia",
|
||||
"Spain",
|
||||
"Panama",
|
||||
"Chile"
|
||||
],
|
||||
"cfr-target-category": [
|
||||
"Petroleum",
|
||||
"Manufacturing",
|
||||
"Financial",
|
||||
"Private sector",
|
||||
"Government"
|
||||
],
|
||||
"cfr-type-of-incident": "Espionage",
|
||||
"refs": [
|
||||
"https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/"
|
||||
"https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
|
||||
"https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf",
|
||||
"https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia",
|
||||
"https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
|
||||
"https://www.trendmicro.com/en_ph/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
|
||||
"https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/",
|
||||
"https://attack.mitre.org/groups/G0099/"
|
||||
],
|
||||
"synonyms": [
|
||||
"Blind Eagle"
|
||||
|
@ -9600,6 +9683,26 @@
|
|||
{
|
||||
"description": "The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three components of this malware family.",
|
||||
"meta": {
|
||||
"cfr-suspected-victims": [
|
||||
"North Korea",
|
||||
"South Korea",
|
||||
"Japan",
|
||||
"China",
|
||||
"Mongolia",
|
||||
"Egypt",
|
||||
"Saudi Arabia",
|
||||
"Yemen",
|
||||
"Oman",
|
||||
"Iran",
|
||||
"Iraq",
|
||||
"Kuwait",
|
||||
"Israel",
|
||||
"Jordan",
|
||||
"Gaza",
|
||||
"Syria",
|
||||
"Turkey",
|
||||
"Lebanon"
|
||||
],
|
||||
"cfr-target-category": [
|
||||
"Government",
|
||||
"Electronics Manufacturers",
|
||||
|
@ -11523,7 +11626,8 @@
|
|||
"https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
|
||||
],
|
||||
"synonyms": [
|
||||
"Nemesis Kitten"
|
||||
"Nemesis Kitten",
|
||||
"Storm-0270"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
|
@ -11909,7 +12013,53 @@
|
|||
],
|
||||
"uuid": "32eebd31-5e0f-4fb9-b478-26ff4e48aaf4",
|
||||
"value": "AtlasCross"
|
||||
},
|
||||
{
|
||||
"description": "Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.",
|
||||
"meta": {
|
||||
"cfr-suspected-victims": [
|
||||
"Ukraine",
|
||||
"European Union"
|
||||
],
|
||||
"references": [
|
||||
"https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html",
|
||||
"https://www.trendmicro.com/en_za/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"
|
||||
],
|
||||
"synonyms": [
|
||||
"Tropical Scorpius"
|
||||
]
|
||||
},
|
||||
"related": [
|
||||
{
|
||||
"dest-uuid": "6d9dfc5f-4ebf-404b-ab5e-e6497867fe65",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
},
|
||||
{
|
||||
"dest-uuid": "5f1c11d3-c6ac-4368-a801-cced88a9d93b",
|
||||
"tags": [
|
||||
"estimative-language:likelihood-probability=\"likely\""
|
||||
],
|
||||
"type": "uses"
|
||||
}
|
||||
],
|
||||
"uuid": "9766d52e-0e5d-4997-9c31-7f2291dcda9e",
|
||||
"value": "Void Rabisu"
|
||||
},
|
||||
{
|
||||
"description": "In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.",
|
||||
"meta": {
|
||||
"country": "CN",
|
||||
"references": [
|
||||
"https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/",
|
||||
"https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/"
|
||||
]
|
||||
},
|
||||
"uuid": "9ee446fd-b0cd-4662-9cd1-a60b429192db",
|
||||
"value": "Camaro Dragon"
|
||||
}
|
||||
],
|
||||
"version": 285
|
||||
"version": 287
|
||||
}
|
||||
|
|
9
galaxies/ammunitions.json
Normal file
9
galaxies/ammunitions.json
Normal file
|
@ -0,0 +1,9 @@
|
|||
{
|
||||
"description": "Common ammunitions galaxy",
|
||||
"icon": "battery-full",
|
||||
"name": "Ammunitions",
|
||||
"namespace": "Ammunitions",
|
||||
"type": "ammunitions",
|
||||
"uuid": "e7394838-65a9-4b8a-b484-b8c4c7cf49c3",
|
||||
"version": 1
|
||||
}
|
9
galaxies/firearms.json
Normal file
9
galaxies/firearms.json
Normal file
|
@ -0,0 +1,9 @@
|
|||
{
|
||||
"description": "Common firearms galaxy",
|
||||
"icon": "fire",
|
||||
"name": "Firearms",
|
||||
"namespace": "Firearms",
|
||||
"type": "firearms",
|
||||
"uuid": "94af82d1-d62b-45a7-8c99-83c421cc0f3b",
|
||||
"version": 1
|
||||
}
|
|
@ -30,7 +30,7 @@ clusters = []
|
|||
pathClusters = os.path.join(thisDir, '../clusters')
|
||||
pathGalaxies = os.path.join(thisDir, '../galaxies')
|
||||
|
||||
skip_list = ["cancer.json", "handicap.json"]
|
||||
skip_list = ["cancer.json", "handicap.json", "ammunitions.json", "firearms.json"]
|
||||
|
||||
for f in os.listdir(pathGalaxies):
|
||||
if '.json' in f:
|
||||
|
|
27
tools/description_value.py
Executable file
27
tools/description_value.py
Executable file
|
@ -0,0 +1,27 @@
|
|||
#!/usr/bin/env python3
|
||||
# coding=utf-8
|
||||
"""
|
||||
Tool to remove duplicates in value
|
||||
"""
|
||||
import sys
|
||||
import json
|
||||
|
||||
with open(sys.argv[1], 'r') as f:
|
||||
data = json.load(f)
|
||||
|
||||
#for c in data['values']:
|
||||
# c['value'] = f'{c["value"]} - {c["meta"]["description"]}'
|
||||
|
||||
value_seen = []
|
||||
data_output = []
|
||||
for c in data['values']:
|
||||
if c['value'] in value_seen:
|
||||
continue
|
||||
else:
|
||||
data_output.append(c)
|
||||
value_seen.append(c['value'])
|
||||
|
||||
data['values'] = data_output
|
||||
with open(sys.argv[1], 'w') as f:
|
||||
json.dump(data, f)
|
||||
|
Loading…
Reference in a new issue