From 0d97013022e98dd5144c238b8d0c7e45f7c6ca85 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 24 May 2019 15:55:58 +0200
Subject: [PATCH 01/92] add BlueKeep
---
clusters/branded_vulnerability.json | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json
index c4727ef..99dd9f1 100644
--- a/clusters/branded_vulnerability.json
+++ b/clusters/branded_vulnerability.json
@@ -172,6 +172,16 @@
 },
 "uuid": "3434339f-ea87-472e-a330-62d2b5cf2c26",
 "value": "SPOILER"
+ },
+ {
+ "description": "A ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/"
+ ]
+ },
+ "uuid": "4f993170-f264-4c39-8c7f-58f9f2b9d105",
+ "value": "BlueKeep"
 }
 ],
 "version": 3
From 1ece51ed4873ab64ed47f657566f61e4c4def092 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 25 May 2019 08:41:33 +0200
Subject: [PATCH 02/92] chg: [branded_vulnerability] version updated
---
clusters/branded_vulnerability.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json
index 99dd9f1..2742777 100644
--- a/clusters/branded_vulnerability.json
+++ b/clusters/branded_vulnerability.json
@@ -184,5 +184,5 @@
 "value": "BlueKeep"
 }
 ],
- "version": 3
+ "version": 4
 }
From af6241fd20e5809a28a45a9598bde8a7962bf770 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 27 May 2019 11:47:05 +0200
Subject: [PATCH 03/92] update Anchor Panda Threat Actor
---
clusters/rat.json | 29 ++++-------------------------
clusters/threat-actor.json | 39 ++++++++++++++++++++++++++++++++++++++-
clusters/tool.json | 34 +++++++++++-----------------------
3 files changed, 53 insertions(+), 49 deletions(-)
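Review bot: The new BlueKeep entry in the `@@ -172,6 +172,16 @@` hunk carries no CVE identifier anywhere — not in the description, not under `meta` — so a consumer matching this cluster against a vulnerability feed has only the brand name to go on. Record the id in `meta` the way a labelled alias field would (or in the description if this cluster has no such field), e.g. `"<CVE-ID placeholder>"`, rather than leaving it implicit in the blog link. The clause 'could soon become the new go-to vector for spreading malware' is the cited post's prediction and will read as stale in a reference dataset; the factual part ('wormable' remote code execution in Remote Desktop Services) is what belongs here.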
diff --git a/clusters/rat.json b/clusters/rat.json
index d32547a..c22ebfe 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -93,32 +93,11 @@
 },
 "related": [
 {
- "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
- "type": "similar"
- },
- {
- "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
+ "type": "used-by"
 }
 ],
 "uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
@@ -669,11 +648,11 @@
 },
 "related": [
 {
- "dest-uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738",
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
- "type": "similar"
+ "type": "used-by"
 }
 ],
 "uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3",
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f8a872c..2bd8567 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
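Review bot: The first rat.json hunk (`@@ -93,32 +93,11 @@`) overwrites the whole `related` array of 4e104fef… instead of appending to it: the four `similar` relations (b42378e0…, 2abe89de…, e336aeba…, 7789fc1b…) are deleted and only the new `used-by` link to c82c904f… survives. The second hunk (`@@ -669,11 +648,11 @@`) does the same to 255a59a7…, dropping its `similar` link to 225fa6cf…, and the tool.json hunk `@@ -142,32 +142,11 @@` in this same commit repeats the pattern for 2abe89de…. Later commits in this series ([PATCH 05/92], [PATCH 06/92] and [PATCH 07/92] 'fix merge mistakes') re-add exactly those objects, which confirms the deletions here were unintended; the `used-by` object should have been inserted as an additional element with the existing ones kept. Squashing the fix-ups into this commit would keep the history from carrying a known-broken intermediate state of the galaxy.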
@@ -1165,7 +1165,7 @@
 "value": "Mirage"
 },
 {
- "description": "PLA Navy",
+ "description": "PLA Navy\nAnchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. \nNot surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
@@ -1194,6 +1194,43 @@
 "ALUMINUM"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cb8c8253-4024-4cc9-8989-b4a5f95f6c2f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32a67552-3b31-47bb-8098-078099bbc813",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "value": "Anchor Panda"
 },
diff --git a/clusters/tool.json b/clusters/tool.json
index c7917a5..77ca6b1 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
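Review bot: The Anchor Panda description in the `@@ -1165,7 +1165,7 @@` hunk keeps the old stub `PLA Navy` as its first line and then appends the CrowdStrike prose after a `\n`, so the field now opens with a two-word fragment that is not a sentence; the appended text already says 'the South Sea Fleet of the PLA Navy', so the stub can simply go. The same stub-plus-paste pattern appears in the ALLANITE hunk of [PATCH 04/92] (`Adversaries abusing ICS (based on Dragos Inc adversary list).\n…`), where the first sentence is a category heading rather than a description of that actor. The pasted text also says 'over the last year' with no anchoring date, which has no meaning outside the source post; `as of <date placeholder>` or the year would fix it.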
@@ -142,32 +142,11 @@
 },
 "related": [
 {
- "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
- "type": "similar"
- },
- {
- "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
+ "type": "used-by"
 }
 ],
 "uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
@@ -1022,6 +1001,15 @@
 "Gh0stRat, GhostRat"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
 "uuid": "cb8c8253-4024-4cc9-8989-b4a5f95f6c2f",
 "value": "Gh0st Rat"
 },
From 0bb1420ab74bdf10225d2b21dac9d785269e51c3 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 27 May 2019 16:38:01 +0200
Subject: [PATCH 04/92] update threat-actor galaxy
---
clusters/threat-actor.json | 24 +++++++++++++++++++-----
clusters/tool.json | 9 +++++++++
2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2bd8567..a5fd331 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -411,7 +411,8 @@
 "country": "CN",
 "refs": [
 "http://www.crowdstrike.com/blog/whois-numbered-panda/",
- "https://www.cfr.org/interactive/cyber-operations/apt-12"
+ "https://www.cfr.org/interactive/cyber-operations/apt-12",
+ "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
 ],
 "synonyms": [
 "Numbered Panda",
@@ -439,6 +440,7 @@
 "value": "IXESHE"
 },
 {
+ "description": "Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
@@ -454,6 +456,10 @@
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
 "https://www.cfr.org/interactive/cyber-operations/apt-16"
+ ],
+ "synonyms": [
+ "APT16",
+ "SVCMONDR"
 ]
 },
 "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
@@ -485,7 +491,8 @@
 "Group 8",
 "APT17",
 "Hidden Lynx",
- "Tailgater Team"
+ "Tailgater Team",
+ "Dogfish"
 ]
 },
 "related": [
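Review bot: The description added in the `@@ -439,6 +440,7 @@` hunk refers to 'the aforementioned EPS dict copy use-after-free vulnerability', but nothing is mentioned before it in this field — the antecedent lives in the FireEye post it was pasted from. Either name that vulnerability by its identifier the way CVE-2015-1701 is named later in the same sentence (taking the id from the cited post, not from memory) or drop 'aforementioned'. 'a downloader that we refer to as IRONHALO' likewise carries the vendor's first person; inside the galaxy `that FireEye refers to as IRONHALO` reads correctly, and the same applies to the APT5 text in the `@@ -4351,9 +4358,11 @@` hunk of this commit. The enclosing actor object starts before the hunk, so its value is not visible here.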
@@ -4351,9 +4358,11 @@
 "value": "Danti"
 },
 {
+ "description": "We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. \nAPT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. \nIn one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies",
 "meta": {
 "refs": [
- "https://www.fireeye.com/current-threats/apt-groups.html"
+ "https://www.fireeye.com/current-threats/apt-groups.html",
+ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf"
 ]
 },
 "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
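Review bot: The APT5 description ends mid-sentence — `…relationships with other telecommunications companies"` with no closing punctuation — so the paste was cut short; complete or terminate the sentence. The two `. \n` sequences leave a trailing space before each newline, which is harmless but inconsistent with the other descriptions in this commit.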
@@ -4957,9 +4966,13 @@
 "value": "Cyber fighters of Izz Ad-Din Al Qassam"
 },
 {
+ "description": "The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data.\nThe FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.\n“This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost.\nDetails regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks.\n“Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,”Deepen said.",
 "meta": {
 "attribution-confidence": "50",
 "country": "CN",
+ "refs": [
+ "https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/"
+ ],
 "synonyms": [
 "1.php Group",
 "APT6"
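Review bot: The APT6 description is a news article pasted whole, including a reporter's quotes and undated relative references ('issued in February', 'Nearly a month later', 'are now shining') whose year is only recoverable by opening the Threatpost ref; state it in the text (`The FBI alert was issued in February <year placeholder>`) so the field stands on its own. There is also a missing space in `,”Deepen said.`. A two-sentence summary of what the bulletin said would serve a threat-actor entry better than the verbatim piece; the quotes from Zscaler add nothing to attribution or tradecraft.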
@@ -5360,7 +5373,7 @@
 "value": "Orangeworm"
 },
 {
- "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
+ "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that ALLANITE operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities.\nALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities.\nALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.",
 "meta": {
 "capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec",
 "mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection",
@@ -5370,7 +5383,8 @@
 ],
 "since": "2017",
 "synonyms": [
- "Palmetto Fusion"
+ "Palmetto Fusion",
+ "Allanite"
 ],
 "victimology": "Electric utilities, US and UK"
 },
diff --git a/clusters/tool.json b/clusters/tool.json
index 77ca6b1..52278ab 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -177,6 +177,15 @@
 "Backdoor"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
 "uuid": "32a67552-3b31-47bb-8098-078099bbc813",
 "value": "Torn RAT"
 },
From 940762e0c5c3fff21eaf039e8d97dd1db3fcff7e Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 28 May 2019 09:22:26 +0200
Subject: [PATCH 05/92] update threat actor
---
clusters/rat.json | 28 ++++++++++++++++++++++++++++
clusters/threat-actor.json | 13 +++++++++++--
2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index c22ebfe..687961c 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -92,6 +92,34 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
 {
 "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a5fd331..a928bcb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1471,6 +1471,7 @@
 "value": "Impersonating Panda"
 },
 {
+ "description": "We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.\nIn contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.",
 "meta": {
 "attribution-confidence": "50",
 "country": "CN",
@@ -1852,7 +1853,11 @@
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
 ],
- "synonyms": []
+ "synonyms": [
+ "APT 33",
+ "Elfin",
+ "MAGNALLIUM"
+ ]
 },
 "related": [
 {
@@ -2301,7 +2306,9 @@
 "Minidionis",
 "SeaDuke",
 "Hammer Toss",
- "YTTRIUM"
+ "YTTRIUM",
+ "Iron Hemlock",
+ "Grizzly Steppe"
 ]
 },
 "related": [
@@ -4080,9 +4087,11 @@
 "synonyms": [
 "OceanLotus Group",
 "Ocean Lotus",
+ "OceanLotus",
 "Cobalt Kitty",
 "APT-C-00",
 "SeaLotus",
+ "Sea Lotus",
 "APT-32",
 "APT 32",
 "Ocean Buffalo"
From 77d20739db3ef64d47fd8b151125ef31cda17c07 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 28 May 2019 09:24:29 +0200
Subject: [PATCH 06/92] update threat actor
---
clusters/rat.json | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/clusters/rat.json b/clusters/rat.json
index 687961c..aadcfbe 100644
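Review bot: `Grizzly Steppe` is added as a plain synonym in the `@@ -2301,7 +2306,9 @@` hunk, but that name was coined by the US government as an umbrella label for Russian state cyber activity and is commonly applied to more than one actor; recording it as a one-to-one alias means any synonym match on it will resolve to this entry alone. The context synonyms (YTTRIUM, SeaDuke, Hammer Toss) suggest this is the APT29 object, whose header is outside the hunk, so please confirm. If the umbrella meaning is intended, a sentence in the description or a `related` link to the other actor the name covers would be more accurate than a synonym.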
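Review bot: The `@@ -4080,9 +4087,11 @@` hunk adds `OceanLotus` and `Sea Lotus` beside the existing `OceanLotus Group`, `Ocean Lotus` and `SeaLotus`, so the synonym list now carries spacing variants of one name; the same is done with `Newsbeef`/`NewsBeef` in [PATCH 09/92], `Cobalt group`/`Cobalt Group` and `Cobalt gang`/`Cobalt Gang` in [PATCH 10/92], and `BLACKGEAR` repeating the value `Blackgear` in [PATCH 08/92]. If consumers match synonyms case- and whitespace-sensitively this is a deliberate workaround and should be documented once for the galaxy; if they normalise, these entries are noise. Either way the policy ought to be stated rather than inferred commit by commit.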
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -675,6 +675,13 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
 {
 "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
From bf19ed9d8dd995bad5169bc8850121bac85d2765 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 28 May 2019 09:26:24 +0200
Subject: [PATCH 07/92] fix merge mistakes
---
clusters/tool.json | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 52278ab..8ee717e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -147,6 +147,34 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
 }
 ],
 "uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
From f4cf3464ce0d07362329693a3d6a1f1d2664695b Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 28 May 2019 16:05:54 +0200
Subject: [PATCH 08/92] update threat actors and tools
---
clusters/threat-actor.json | 73 +++++++++++++++++++++++++++++++++-----
clusters/tool.json | 13 ++++++-
2 files changed, 77 insertions(+), 9 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a928bcb..0c05ddd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2579,7 +2579,12 @@
 "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/",
 "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
 "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
- "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/"
+ "https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/",
+ "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
+ "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf",
+ "https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf",
+ "https://attack.mitre.org/groups/G0008/"
 ],
 "synonyms": [
 "Carbanak",
@@ -2644,11 +2649,18 @@
 "value": "TeamSpy Crew"
 },
 {
+ "description": "Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks.\nFrom August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified.\nBuhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure which provokes delay in servicing customers and additional losses.\nMalicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gates which are known to be of interest for other criminal groups.",
 "meta": {
 "attribution-confidence": "50",
 "country": "RU",
 "refs": [
- "https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/"
+ "https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/",
+ "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
+ "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
+ "https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware",
+ "https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
+ "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
+ "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
 ]
 },
 "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
@@ -4047,7 +4059,7 @@
 "value": "Longhorn"
 },
 {
- "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
+ "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
 "meta": {
 "refs": [
 "https://www.f-secure.com/documents/996508/1030745/callisto-group"
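Review bot: `https://www.group-ib.com/brochures/gib-buhtrap-report.pdf` is added twice to the Buhtrap `refs` array in the `@@ -2644,11 +2649,18 @@` hunk (the second and the sixth added ref lines); drop one. [PATCH 11/92] 'fix multiple refs', a single-line deletion in the same file, looks like the later correction of exactly this, so squashing it into this commit would be cleaner than shipping the duplicate. The description's 'At the moment, the group is known to target Russian and Ukrainian banks' is another undated relative statement copied from the source and would benefit from a year.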
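Review bot: In the `@@ -4047,7 +4059,7 @@` hunk the removed and added Callisto description lines are textually identical as shown here, so the change is presumably whitespace or a non-printing character that this rendering lost; if that is the case the commit message should say so, and if an actual edit was intended it did not land. A character-level diff of that one line before merging would settle which.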
@@ -4412,7 +4424,10 @@
 "https://www.secureworks.jp/resources/rp-bronze-butler",
 "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
 "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html",
- "https://www.cfr.org/interactive/cyber-operations/bronze-butler"
+ "https://www.cfr.org/interactive/cyber-operations/bronze-butler",
+ "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
+ "https://attack.mitre.org/groups/G0060/"
 ],
 "synonyms": [
 "Bronze Butler",
@@ -4744,7 +4759,7 @@
 "value": "Snake Wine"
 },
 {
- "description": "This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.",
+ "description": "This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes.\nThe Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name \"Mask\" comes from the Spanish slang word \"Careto\" (\"Ugly Face\" or “Mask”) which the authors included in some of the malware modules.\n More than 380 unique victims in 31 countries have been observed to date.What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32-and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Spain",
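Review bot: The Mask description added in the `@@ -4744,7 +4759,7 @@` hunk has several paste artefacts: `\n More than 380` begins the line with a stray space, `to date.What makes` is missing a space after the full stop, `32-and 64-bit` should read `32- and 64-bit`, and the quotes around Mask switch between escaped straight quotes (`\"Mask\"`, `\"Careto\"`) and typographic ones (`“Mask”`) within one sentence. Pick one quote style and fix the three spacing slips.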
@@ -4771,8 +4786,9 @@
 "cfr-type-of-incident": "Espionage",
 "country": "ES",
 "refs": [
- "https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/",
- "https://www.cfr.org/interactive/cyber-operations/careto"
+ "https://securelist.com/the-caretomask-apt-frequently-asked-questions/58254/",
+ "https://www.cfr.org/interactive/cyber-operations/careto",
+ "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf"
 ],
 "synonyms": [
 "The Mask",
@@ -5584,6 +5600,7 @@
 ],
 "since": "2016",
 "synonyms": [
+ "Dragonfly 2.0",
 "Dragonfly2",
 "Berserker Bear"
 ],
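Review bot: The `@@ -4771,8 +4786,9 @@` hunk cites `https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133638/unveilingthemask_v1.0.pdf`; a bare CloudFront distribution hostname tells a reader nothing about who publishes the document and such addresses tend to rot. The path layout (`wp-content/uploads/sites/43/2018/03/…`) matches the `media.kasperskycontenthub.com` reference added to the Carbanak entry earlier in this same commit, so it looks like the same publisher's CDN; if so, cite the publisher's canonical URL instead, and otherwise name the source in the description so the citation can be verified.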
@@ -6777,7 +6794,47 @@
 },
 "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
 "value": "APT31"
+ },
+ {
+ "description": "BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts.\nLike most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-campaign-evolves-adds-japan-target-list/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-cyberespionage-campaign-resurfaces-abuses-social-media-for-cc-communication/"
+ ],
+ "synonyms": [
+ "Topgear",
+ "Comnie",
+ "BLACKGEAR"
+ ]
+ },
+ "uuid": "8b62b20a-5b1c-48af-8424-e8220cd2fbd7",
+ "value": "Blackgear"
+ },
+ {
+ "description": "BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/",
+ "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
+ "https://attack.mitre.org/groups/G0063/"
+ ]
+ },
+ "uuid": "8fbd195f-5e03-4e85-8ca5-4f1dff300bec",
+ "value": "BlackOasis"
+ },
+ {
+ "description": "BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology.\nFollowing their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.\nPLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop off points for exfiltrated documents stolen by DRIGO.\nPLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router’s VPN feature then register a machine as virtual server. This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets.",
+ "meta": {
+ "refs": [
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/",
+ "https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/",
+ "https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/"
+ ]
+ },
+ "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
+ "value": "BlackTech"
 }
 ],
- "version": 110
+ "version": 111
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 8ee717e..f9779b7 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7787,7 +7787,18 @@
 ],
 "uuid": "80365d3a-6d46-4195-a772-364749a6dc06",
 "value": "SunOrcal"
+ },
+ {
+ "description": "Threat actors have delivered Bookworm as a payload in attacks on targets in Thailand. Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components.\n Unit 42 does not have detailed targeting information for all known Bookworm samples, but we are aware of attempted attacks on at least two branches of government in Thailand. We speculate that other attacks delivering Bookworm were also targeting organizations in Thailand based on the contents of the associated decoys documents, as well as several of the dynamic DNS domain names used to host C2 servers that contain the words “Thai” or “Thailand”. Analysis of compromised systems seen communicating with Bookworm C2 servers also confirms our speculation on targeting with a majority of systems existing within Thailand.",
+ "meta": {
+ "refs": [
+ "https://unit42.paloaltonetworks.com/attack-campaign-on-the-government-of-thailand-delivers-bookworm-trojan/",
+ "https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/"
+ ]
+ },
+ "uuid": "9ff6e087-6755-447a-b537-8f06c7aa4a85",
+ "value": "Bookworm"
 }
 ],
- "version": 121
+ "version": 122
 }
From f48167ce7774f8afeaf7ff69961b735e5e2309a4 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 29 May 2019 15:34:20 +0200
Subject: [PATCH 09/92] update threat actors
---
clusters/threat-actor.json | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0c05ddd..a3f87a8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
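Review bot: The Bookworm description in the `@@ -7787,7 +7787,18 @@` hunk carries reader-navigation text from the source post — 'Readers who are interested in this campaign should start with our first blog that lays out the overall functionality of the malware and introduces its many components.' — which points nowhere inside the galaxy; drop that sentence (both Unit 42 posts are already in `refs`) and the stray space after the `\n`. 'decoys documents' should be 'decoy documents', and 'we are aware' / 'We speculate' read as the galaxy's own assessment unless attributed (`Unit 42 reports…`).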
@@ -1760,14 +1760,25 @@
 "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf",
 "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/",
 "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf",
- "https://www.cfr.org/interactive/cyber-operations/newscaster"
+ "https://www.cfr.org/interactive/cyber-operations/newscaster",
+ "https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/",
+ "https://securelist.com/freezer-paper-around-free-meat/74503/",
+ "https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/",
+ "http://www.arabnews.com/node/1195681/media",
+ "https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f",
+ "https://blog.certfa.com/posts/the-return-of-the-charming-kitten/",
+ "https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber",
+ "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
+ "https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf",
+ "https://attack.mitre.org/groups/G0058/"
 ],
 "synonyms": [
 "Newscaster",
 "Parastoo",
 "iKittens",
 "Group 83",
- "Newsbeef"
+ "Newsbeef",
+ "NewsBeef"
 ]
 },
 "related": [
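Review bot: The added `https://securelist.com/freezer-paper-around-free-meat/74503/` is the same Securelist article already cited two context lines above as `https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/` (same post id 74503), so the `refs` array now lists one source twice under two URL forms. Keep a single entry, preferably the current URL, by replacing the old line the way the Careto hunk in [PATCH 08/92] did when it swapped the `blog/research/58254/` form for the new one instead of adding beside it.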
@@ -6503,10 +6514,16 @@ "description": "APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as \"Chafer.\" However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.", "meta": { "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions", + "https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/", + "https://securelist.com/chafer-used-remexi-malware/89538/", + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets", + "https://attack.mitre.org/groups/G0087/" ], "synonyms": [ - "APT 39" + "APT 39", + "Chafer" ] }, "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b", From b47863f1c1c09ac60b54dd24b11ecb49bca2d69d Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 29 May 2019 16:18:50 +0200 Subject: [PATCH 10/92] update threat actors --- clusters/threat-actor.json | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a3f87a8..52241f2 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -4325,11 +4325,24 @@ "https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/", "https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/" + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/", + "https://www.group-ib.com/blog/cobalt", + "https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX", + "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target", + "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", + "https://www.riskiq.com/blog/labs/cobalt-strike/", + "https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/", + "https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/", + "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain", + "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested", + "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", + "https://attack.mitre.org/groups/G0080/" ], "synonyms": [ "Cobalt group", + "Cobalt Group", "Cobalt gang", + "Cobalt Gang", "GOLD KINGSWOOD", "Cobalt Spider" ] From a6c9d335ee97f57f365b41e897737f433b68be8f Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 4 Jun 2019 08:52:34 +0200 Subject: [PATCH 11/92] fix multiple refs --- clusters/threat-actor.json | 1 - 1 file changed, 1 deletion(-) 
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 52241f2..52a55d7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2670,7 +2670,6 @@
 "https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack",
 "https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware",
 "https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
- "https://www.group-ib.com/brochures/gib-buhtrap-report.pdf",
 "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/"
 ]
 },
From 468800ed59eb5880b04e6ecdcb8bf857f53618ca Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 4 Jun 2019 09:10:44 +0200
Subject: [PATCH 12/92] FlawedAmmy RAT
---
 clusters/rat.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index aadcfbe..40e55af 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3362,7 +3362,17 @@
 },
 "uuid": "1b6a066c-50ba-4aa6-a49b-823e94e110fe",
 "value": "Caesar RAT"
+ },
+ {
+ "description": "During the month of October, Check Point researchers discovered a widespread malware campaign spreading a remote access trojan (dubbed “FlawedAmmy”) that allows attackers to take over victims’ computers and data. The campaign was the latest and most widespread delivering the ‘FlawedAmmyy’ RAT, following a number of campaigns that have spread this malware in recent months. The Trojan allows attackers to gain full access to the machine’s camera and microphone, collect screen grabs, steal credentials and sensitive files, and intrusively monitor the victims’ actions. As a result, FlawedAmmy is the first RAT to enter the Global Threat Index’s top 10 ranking. ",
+ "meta": {
+ "refs": [
+ "https://www.helpnetsecurity.com/2018/11/14/flawedammy-most-wanted-malware-list/"
+ ]
+ },
+ "uuid": "4b9b99f0-9c2d-4db5-aaff-09de88509c04",
+ "value": "FlawedAmmy"
 }
 ],
- "version": 28
+ "version": 29
 }
From 189c3066a503c706e307c56575ffba7d33309609 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 4 Jun 2019 16:32:39 +0200
Subject: [PATCH 13/92] update threat actor
---
 clusters/threat-actor.json | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 52a55d7..27a3e18 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
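Review bot: The new entry's `value` is `"FlawedAmmy"` while its own description also writes `‘FlawedAmmyy’`, and the family is commonly reported under the double-y spelling, so a lookup by that name will miss this cluster. Adding `"synonyms": ["FlawedAmmyy"]` under `meta`, as the threat-actor clusters on this page do for alternate spellings, covers both forms. The description string also ends with a trailing space before the closing quote (`top 10 ranking. "`) that should be trimmed.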
@@ -45,7 +45,14 @@ "https://en.wikipedia.org/wiki/PLA_Unit_61398", "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf", "https://www.cfr.org/interactive/cyber-operations/pla-unit-61398", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/", + "https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf", + "https://www.symantec.com/connect/blogs/apt1-qa-attacks-comment-crew", + "https://attack.mitre.org/groups/G0006/", + "https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html" ], "synonyms": [ "Comment Panda", @@ -58,7 +65,9 @@ "TG-8223", "Comment Group", "Brown Fox", - "GIF89a" + "GIF89a", + "ShadyRAT", + "Shanghai Group" ] }, "related": [ @@ -4606,7 +4615,9 @@ "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/", "http://www.clearskysec.com/copykitten-jpost/", "http://www.clearskysec.com/tulip/", - "https://www.cfr.org/interactive/cyber-operations/copykittens" + "https://www.cfr.org/interactive/cyber-operations/copykittens", + "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", + "https://attack.mitre.org/groups/G0052/" ], "synonyms": [ "Slayer Kitten" 
@@ -5243,7 +5254,8 @@ "attribution-confidence": "50", "country": "LB", "refs": [ - "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "https://attack.mitre.org/groups/G0070/" ] }, "uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94", From b809b9cfbb994f449e5ba41d3349c7c8e431942d Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 6 Jun 2019 11:58:19 +0200 Subject: [PATCH 14/92] update threat actor darkhotel (nemim might be a typo) --- clusters/threat-actor.json | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 27a3e18..c87410c 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -375,10 +375,13 @@ "refs": [ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", - "https://securelist.com/blog/research/66779/the-darkhotel-apt/", + "https://securelist.com/blog/research/66779/the-darkhotel-apt/",, + "https://securelist.com/the-darkhotel-apt/66779/" "http://drops.wooyun.org/tips/11726", "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/", - "https://www.cfr.org/interactive/cyber-operations/darkhotel" + "https://www.cfr.org/interactive/cyber-operations/darkhotel", + "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians", + "https://attack.mitre.org/groups/G0012/>" ], "synonyms": [ "DUBNIUM", @@ -386,9 +389,12 @@ "Karba", "Luder", "Nemim", + "Nemin" "Tapaoux", "Pioneer", - "Shadow Crane" + "Shadow Crane", + "APT-C-06", + "SIG25" ] }, "related": [ From 185763a63ae258996972489f3ce3c4ea108b2b31 Mon Sep 17 00:00:00 2001 
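Review bot: The DarkHotel hunk leaves clusters/threat-actor.json unparsable: the edited ref line ends in a double comma (`the-darkhotel-apt/",,`), the added `"https://securelist.com/the-darkhotel-apt/66779/"` has no trailing comma, the added synonym `"Nemin"` has no trailing comma before `"Tapaoux"`, and the MITRE ref carries a stray character (`G0012/>`). PATCH 16 further down this page repairs all four, but this commit on its own breaks every consumer that loads the galaxy; running the file through `jq .` or the repository's validation before committing would have caught it. The subject itself says the existing `"Nemim"` may be a typo — checking the cited source and keeping one spelling is preferable to recording both. The enclosing entry starts outside the hunk.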
From: Deborah Servili
Date: Thu, 6 Jun 2019 16:34:09 +0200
Subject: [PATCH 15/92] update threat actor
---
 clusters/threat-actor.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c87410c..6ec6e3c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5853,7 +5853,10 @@
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
 "https://mobile.twitter.com/360TIC/status/1083289987339042817",
- "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/"
+ "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/",
+ "https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/",
+ "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
+ "https://attack.mitre.org/groups/G0079/"
 ],
 "synonyms": [
 "LazyMeerkat"
From 1f2e59addb1e2b5cd26f5e106d26cba8f7a14d93 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 7 Jun 2019 16:34:43 +0200
Subject: [PATCH 16/92] update Threat actor galaxy
---
 clusters/threat-actor.json | 42 ++++++++++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 8 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6ec6e3c..888f4af 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -375,13 +375,13 @@ "refs": [ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", - "https://securelist.com/blog/research/66779/the-darkhotel-apt/",, - "https://securelist.com/the-darkhotel-apt/66779/" + "https://securelist.com/blog/research/66779/the-darkhotel-apt/", + "https://securelist.com/the-darkhotel-apt/66779/", "http://drops.wooyun.org/tips/11726", "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/", "https://www.cfr.org/interactive/cyber-operations/darkhotel", "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians", - "https://attack.mitre.org/groups/G0012/>" + "https://attack.mitre.org/groups/G0012/" ], "synonyms": [ "DUBNIUM", @@ -389,7 +389,7 @@ "Karba", "Luder", "Nemim", - "Nemin" + "Nemin", "Tapaoux", "Pioneer", "Shadow Crane", 
@@ -711,7 +711,25 @@ "refs": [ "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf", - "https://www.cfr.org/interactive/cyber-operations/deep-panda" + "https://www.cfr.org/interactive/cyber-operations/deep-panda", + "https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/", + "https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/", + "https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/", + "https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/", + "https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/", + "https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/", + "https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/", + "https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/", + "https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442", + "https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html", + "https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/", + "https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/", + "https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html", + "https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/", + 
"https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695", + "https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf", + "https://attack.mitre.org/groups/G0009/" ], "synonyms": [ "Deep Panda", @@ -5058,7 +5076,9 @@ "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View", "https://www.ci-project.org/blog/2017/3/4/arid-viper", "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", - "https://www.threatconnect.com/blog/kasperagent-malware-campaign/" + "https://www.threatconnect.com/blog/kasperagent-malware-campaign/", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812", + " Date: Tue, 11 Jun 2019 11:57:04 +0200 Subject: [PATCH 17/92] update threat actor galaxy --- clusters/threat-actor.json | 116 +++++++++++++++++++++++++++++++------ 1 file changed, 97 insertions(+), 19 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 888f4af..0a80531 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -157,7 +157,9 @@ { "meta": { "refs": [ - "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf" + "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf", + "https://www.symantec.com/connect/blogs/inside-back-door-attack", + "https://attack.mitre.org/groups/G0031/" ] }, "related": [ 
@@ -1400,10 +1402,15 @@ "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ - "https://www.cfr.org/interactive/cyber-operations/sneaky-panda" + "https://www.cfr.org/interactive/cyber-operations/sneaky-panda", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://attack.mitre.org/groups/G0066/" ], "synonyms": [ - "Sneaky Panda" + "Sneaky Panda", + "Elderwood", + "Elderwood Gang", + "SIG22" ] }, "related": [ @@ -2474,7 +2481,16 @@ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/", - "https://www.cfr.org/interactive/cyber-operations/crouching-yeti" + "https://www.cfr.org/interactive/cyber-operations/crouching-yeti", + "https://ssu.gov.ua/sbu/control/uk/publish/article?art_id=170951&cat_i=39574", + "https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA", + "https://dragos.com/wp-content/uploads/CrashOverride-01.pdf", + "https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html", + "https://www.riskiq.com/blog/labs/energetic-bear/", + "https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", + "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat", + "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672", + "https://attack.mitre.org/groups/G0035/" ], "synonyms": [ "Dragonfly", 
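Review bot: Three of the refs added to the Crouching Yeti/Dragonfly entry — the SSU notice (`ssu.gov.ua/...art_id=170951`), the Reuters piece on the Ukraine energy attack and the Dragos CrashOverride paper — concern the 2016 Ukrainian grid incident, which public reporting generally attributes to a different actor (Sandworm/ELECTRUM) rather than to Dragonfly. If the intent is to record a reported link between the two, the description should say so; otherwise these refs belong on that actor's entry, and mixing them here will mislead analysts who pivot from this cluster. The remaining additions (Symantec, Kaspersky, RiskIQ, SANS, MITRE G0035) fit the entry. The enclosing entry starts outside the hunk.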
@@ -2628,7 +2644,18 @@ "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", "https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf", - "https://attack.mitre.org/groups/G0008/" + "https://attack.mitre.org/groups/G0008/", + "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", + "https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "http://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/", + "http://blog.morphisec.com/fin7-attack-modifications-revealed", + "http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", + "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/", + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "https://attack.mitre.org/groups/G0046/" ], "synonyms": [ "Carbanak", @@ -2735,7 +2762,8 @@ "https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623", "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html", "https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf", - "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html" + "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html", + "https://attack.mitre.org/groups/G0085/" ], "synonyms": [ "FIN4" 
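Review bot: After the first hunk the same entry cites both the kept `https://attack.mitre.org/groups/G0008/` and the added `https://attack.mitre.org/groups/G0046/`; MITRE tracks Carbanak (G0008) and FIN7 (G0046) as separate groups, so folding all of the FIN7 reporting into the Carbanak cluster merges two actors that several vendors deliberately keep apart. If the galaxy intends them to be one cluster, the description should state that and why; otherwise FIN7 deserves its own entry, as FIN5 and FIN10 receive later in this same commit, tied to Carbanak through a `related` entry of type `similar`. The enclosing entry starts outside the hunk.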
@@ -3218,11 +3246,13 @@ "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", "https://attack.mitre.org/wiki/Groups", - "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", - "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor", "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor", - "https://www.cfr.org/interactive/cyber-operations/moafee" + "https://www.cfr.org/interactive/cyber-operations/moafee", + "https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", + "https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", + "https://www.phnompenhpost.com/national/kingdom-targeted-new-malware", + "https://attack.mitre.org/groups/G0017/" ], "synonyms": [ "Moafee" @@ -3468,7 +3498,12 @@ "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.", "meta": { "refs": [ - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "https://attack.mitre.org/groups/G0037/" + ], + "synonyms": [ + "Skeleton Spider" ] }, "related": [ @@ -3477,7 +3512,7 @@ "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], - "type": "similar" + "type": "similar", } ], "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302", 
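Review bot: The hunk `@@ -3477,7 +3512,7 @@` changes `"type": "similar"` to `"type": "similar",` with `}` as the next line, which is a trailing comma and makes clusters/threat-actor.json invalid JSON for every strict parser; it is the only change in that hunk and should be reverted to `"type": "similar"`. Unlike the DarkHotel syntax slips earlier on this page, no later commit shown here corrects it, so the galaxy stays unloadable from this commit onward. A validation step (`jq . clusters/threat-actor.json`) before commit would catch this class of error.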
@@ -3886,12 +3921,18 @@ "country": "US", "refs": [ "https://en.wikipedia.org/wiki/Equation_Group", - "https://www.cfr.org/interactive/cyber-operations/equation-group" + "https://www.cfr.org/interactive/cyber-operations/equation-group", + "https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/", + "https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0", + "https://en.wikipedia.org/wiki/Stuxnet", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf", + "https://attack.mitre.org/groups/G0020/" ], "synonyms": [ "Tilded Team", "Lamberts", - "EQGRP" + "EQGRP", + "Longhorn" ] }, "related": [ @@ -4296,7 +4337,9 @@ "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html", "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html", "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf", - "http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf" + "http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://attack.mitre.org/groups/G0061" ] }, "related": [ 
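Review bot: The added `"https://attack.mitre.org/groups/G0061"` in the second hunk lacks the trailing slash every other MITRE group ref in these commits carries (`.../G0020/`, `.../G0079/`); normalize it to `https://attack.mitre.org/groups/G0061/` so exact-string de-duplication keeps working. In the Equation Group hunk, the new synonym `"Longhorn"` is Symantec's name for the actor Kaspersky calls the Lamberts, which public reporting links to the Vault 7 material rather than to Equation Group; the entry already listed `"Lamberts"`, so the addition is at least self-consistent, but the merge of the two actors should be confirmed against the cited sources and stated in the description. Both enclosing entries start outside the hunks.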
@@ -4339,9 +4382,10 @@ ], "cfr-type-of-incident": "Espionage", "refs": [ - "https://securelist.com/blog/research/66108/el-machete/", + "https://securelist.com/el-machete/66108/", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html", - "https://www.cfr.org/interactive/cyber-operations/machete" + "https://www.cfr.org/interactive/cyber-operations/machete", + "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" ], "synonyms": [ "Machete" @@ -5773,15 +5817,27 @@ "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", - "https://securelist.com/luckymouse-ndisproxy-driver/87914/" + "https://securelist.com/luckymouse-ndisproxy-driver/87914/", + "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf", + "https://www.cfr.org/interactive/cyber-operations/iron-tiger", + "https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/", + "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "https://www.secureworks.com/research/bronze-union", + "https://attack.mitre.org/groups/G0027/" ], "synonyms": [ "Emissary Panda", "APT27", + "APT 27", "Threat Group 3390", "Bronze Union", "ZipToken", - "Iron Tiger" + "Iron Tiger", + "TG-3390", + "TEMP.Hippo", + "Group 35", + "ZipToken" ] }, "related": [ 
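Review bot: The second hunk appends `"ZipToken"` to the Emissary Panda synonyms although the unchanged context line `"ZipToken",` already lists it, so the array now holds the identical string twice; drop the added copy. The paired old/new Securelist URL swap in the first hunk (`.../el-machete/66108/`) is the right way to update a moved reference. The enclosing entries start outside the hunks.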
@@ -6910,7 +6966,29 @@ }, "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e", "value": "BlackTech" + }, + { + "value": "FIN5", + "description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.", + "meta": { + "refs": [ + "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?", + "https://attack.mitre.org/groups/G0053/" + ] + }, + "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70" + }, + { + "value": "FIN10", + "description": "FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.", + "meta": { + "refs": [ + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf", + "https://attack.mitre.org/groups/G0051/" + ] + }, + "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79" } ], - "version": 111 + "version": 112 } From 79f11de6db14c4cd79fad10333feed1eda159c31 Mon Sep 17 00:00:00 2001 
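Review bot: The new FIN5 and FIN10 entries put `"value"` first and `"uuid"` last, whereas every other entry visible on this page (BlackTech just above, Bookworm, FlawedAmmy) orders `description`, `meta`, `uuid`, `value`; key order is insignificant to parsers, but following the file's convention keeps diffs small and prevents the next automated reformat from rewriting these lines. The darkreading ref ends with a dangling query marker (`.../d/d-id/1322645?`) that should be trimmed to the bare URL.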
From: Deborah Servili Date: Tue, 11 Jun 2019 15:54:39 +0200 Subject: [PATCH 18/92] update threat actor galaxy --- clusters/threat-actor.json | 71 ++++++++++++++++++++++++++++++++++---- 1 file changed, 65 insertions(+), 6 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0a80531..c8f4127 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -500,7 +500,11 @@ "refs": [ "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf", - "https://www.cfr.org/interactive/cyber-operations/apt-17" + "https://www.cfr.org/interactive/cyber-operations/apt-17", + "https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/", + "https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware", + "https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire", + "https://www.recordedfuture.com/hidden-lynx-analysis/" ], "synonyms": [ "APT 17", @@ -1139,7 +1143,9 @@ "country": "CN", "refs": [ "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/", - "https://www.cfr.org/interactive/cyber-operations/hellsing" + "https://www.cfr.org/interactive/cyber-operations/hellsing", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/", + "https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html" ], "synonyms": [ "Goblin Panda", 
@@ -3457,7 +3463,8 @@ "attribution-confidence": "50", "country": "RU", "refs": [ - "https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/" + "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/", + "https://attack.mitre.org/groups/G0036/" ] }, "related": [ @@ -3980,7 +3987,10 @@ "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.", "meta": { "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution" + "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution", + "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/", + "https://attack.mitre.org/groups/G0047/" ] }, "related": [ 
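Review bot: The Gamaredon refs now list the same Unit 42 article twice, under the legacy context line `http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution` and the added `https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/`; the Gorgon Group hunk in this same commit replaces the old host instead of adding a second copy, which is the better pattern, so keep only the unit42 URL here. The enclosing entries start outside the hunks.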
@@ -5058,11 +5068,14 @@ "value": "Magnetic Spider" }, { + "description": "Arbor’s ASERT team is now reporting that, after looking deeper at that particular campaign, and by exposing a new trail in the group’s activities, they managed to identify a new RAT that was undetectable at that time by most antivirus vendors.\nNamed Trochilus, this new RAT was part of Group 27’s malware portfolio that included six other malware strains, all served together or in different combinations, based on the data that needed to be stolen from each victim.\nThis collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ - "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf" + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf", + "https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml", + "https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" ] }, "uuid": "73e4728a-955e-426a-b144-8cb95131f2ca", 
@@ -5917,7 +5930,14 @@ "description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.", "meta": { "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/", + "https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/", + "https://attack.mitre.org/groups/G0078/" + ], + "synonyms": [ + "Gorgon Group", + "Subaat" ] }, "uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131", 
@@ -6988,6 +7008,45 @@ ] }, "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79" + }, + { + "value": "GhostNet", + "description": "Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.\nAttacks on the Dalai Lama’s Private Office The OHHDL started to suspect it was under surveillance while setting up meetings be-tween His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. 
(Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)", + "meta": { + "refs": [ + "http://www.nartv.org/mirror/ghostnet.pdf", + "https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf", + "https://en.wikipedia.org/wiki/GhostNet" + ], + "synonyms": [ + "Snooping Dragon" + ] + }, + "uuid": "cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d" + }, + { + "value": "GozNym", + "description": "IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. 
The end result is a new banking Trojan in the wild.", + "meta": { + "refs": [ + "https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/", + "https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/", + "https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/", + "https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation" + ] + }, + "uuid": "7803b380-8c4c-11e9-90a1-f3880ab3aaa0" + }, + { + "value": "Group5", + "description": "A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal.\nThe operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android malware.\nThe threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian opposition, researchers discovered. They called the actor Group5, because it targets Syrian opposition after regime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a group linked to Lebanon did the same in the past", + "meta": { + "refs": [ + "https://www.securityweek.com/iranian-actor-group5-targeting-syrian-opposition", + "https://attack.mitre.org/groups/G0043/" + ] + }, + "uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af" } ], "version": 112 From 347ed5d529600447a6c7edb734c0c0dd86751a75 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 11 Jun 2019 15:57:21 +0200 Subject: [PATCH 19/92] jq --- clusters/threat-actor.json | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
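Review bot: `version` is left at 112 at the end of the hunk although three entries (GhostNet, GozNym, Group5) are added; the galaxy's version field is what signals a change to consumers, so the hunk should end with a bump (the later commit at `@@ -7047` bumps it to 113 only together with a further addition). The new entries also place `value` before `description`, unlike the surrounding entries, which end with `uuid`, so a separate formatting pass has to move the key afterwards. GozNym's description is IBM X-Force's write-up of a malware hybrid rather than of an operating group; if the intended entry is the network named in the Europol reference, the description should say so, otherwise the entry may belong in a malware galaxy. The GhostNet text also carries a PDF hyphenation artifact, `be-tween`, that should read `between`.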
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c8f4127..6265681 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3519,7 +3519,7 @@
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
- "type": "similar",
+ "type": "similar"
 }
 ],
 "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
@@ -6988,7 +6988,6 @@
 "value": "BlackTech"
 },
 {
- "value": "FIN5",
 "description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.",
 "meta": {
 "refs": [
@@ -6996,10 +6995,10 @@
 "https://attack.mitre.org/groups/G0053/"
 ]
 },
- "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70"
+ "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
+ "value": "FIN5"
 },
 {
- "value": "FIN10",
 "description": "FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.",
 "meta": {
 "refs": [
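Review bot: The trailing comma removed at `@@ -3519,7 +3519,7 @@` (`"type": "similar",` → `"type": "similar"`) means the file as previously committed was not valid JSON for an RFC 8259 parser, so any strict consumer would have failed to load the galaxy until this commit. The `jq` pass that produced this commit is worth running as a pre-commit or CI validation step (`jq . clusters/threat-actor.json`) so an invalid state never lands. The remaining hunks in this commit only move `value` after `uuid` to match the key order of the rest of the file and need no further change.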
@@ -7007,10 +7006,10 @@
 "https://attack.mitre.org/groups/G0051/"
 ]
 },
- "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79"
+ "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
+ "value": "FIN10"
 },
 {
- "value": "GhostNet",
 "description": "Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.\nAttacks on the Dalai Lama’s Private Office The OHHDL started to suspect it was under surveillance while setting up meetings be-tween His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)",
 "meta": {
 "refs": [
@@ -7022,10 +7021,10 @@
 "Snooping Dragon"
 ]
 },
- "uuid": "cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d"
+ "uuid": "cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d",
+ "value": "GhostNet"
 },
 {
- "value": "GozNym",
 "description": "IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.",
 "meta": {
 "refs": [
@@ -7035,10 +7034,10 @@
 "https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation"
 ]
 },
- "uuid": "7803b380-8c4c-11e9-90a1-f3880ab3aaa0"
+ "uuid": "7803b380-8c4c-11e9-90a1-f3880ab3aaa0",
+ "value": "GozNym"
 },
 {
- "value": "Group5",
 "description": "A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal.\nThe operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android malware.\nThe threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian opposition, researchers discovered. They called the actor Group5, because it targets Syrian opposition after regime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a group linked to Lebanon did the same in the past",
 "meta": {
 "refs": [
@@ -7046,7 +7045,8 @@
 "https://attack.mitre.org/groups/G0043/"
 ]
 },
- "uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af"
+ "uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af",
+ "value": "Group5"
 }
 ],
 "version": 112
From 1ba7f19ca22fc46870c6a5acc7d06d686c54a878 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 11 Jun 2019 16:14:58 +0200 Subject: [PATCH 20/92] update threat actor galaxy --- clusters/threat-actor.json | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6265681..ada6030 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7047,7 +7047,18 @@
 },
 "uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af",
 "value": "Group5"
+ },
+ {
+ "description": "McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks.\nAdvanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them.\nThe Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.",
+ "meta": {
+ "refs": [
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
+ "https://attack.mitre.org/groups/G0072/"
+ ]
+ },
+ "uuid": "2d82a18e-8c53-11e9-b0ec-536b62fa3d86",
+ "value": "Honeybee"
 }
 ],
- "version": 112
+ "version": 113
 }
From 5a3d7e816fe9489815286da4072027ea3f688e23 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 12 Jun 2019 09:24:05 +0200 Subject: [PATCH 21/92] fix duplicate --- clusters/threat-actor.json | 2 -- 1 file changed, 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ada6030..a3cedba 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5836,7 +5836,6 @@
 "https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
 "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
 "https://securelist.com/luckymouse-hits-national-data-center/86083/",
- "https://www.secureworks.com/research/bronze-union",
 "https://attack.mitre.org/groups/G0027/"
 ],
 "synonyms": [
@@ -5845,7 +5844,6 @@
 "APT 27",
 "Threat Group 3390",
 "Bronze Union",
- "ZipToken",
 "Iron Tiger",
 "TG-3390",
 "TEMP.Hippo",
From e4245ee991dfbe5ea9e2d1eef04abb4f56f83150 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 12 Jun 2019 16:25:24 +0200 Subject: [PATCH 22/92] update threat actor galaxy --- clusters/threat-actor.json | 200 +++++++++++++++++++++++++++++++------ 1 file changed, 168 insertions(+), 32 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a3cedba..9cdbdf7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -646,7 +646,7 @@
 "refs": [
 "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
 "http://williamshowalter.com/a-universal-windows-bootkit/",
- "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp",
+ "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
 "https://www.cfr.org/interactive/cyber-operations/axiom"
 ],
 "synonyms": [
@@ -850,6 +850,7 @@
 "value": "Naikon"
 },
 {
+ "description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
@@ -872,7 +873,11 @@
 "https://securelist.com/spring-dragon-updated-activity/79067/",
 "https://www.cfr.org/interactive/cyber-operations/lotus-blossom",
 "https://unit42.paloaltonetworks.com/operation-lotus-blossom/",
- "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf"
+ "https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf",
+ "https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/",
+ "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
+ "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
+ "https://attack.mitre.org/groups/G0030/"
 ],
 "synonyms": [
 "Spring Dragon",
@@ -938,15 +943,21 @@
 "value": "Lotus Panda"
 },
 {
+ "description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA’s preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.",
 "meta": {
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
+ "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
+ "https://blog.confiant.com/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85",
+ "https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d"
 ],
 "synonyms": [
 "Black Vine",
- "TEMP.Avengers"
+ "TEMP.Avengers",
+ "Zirconium",
+ "APT 31",
+ "APT31"
 ]
 },
 "related": [
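Review bot: The added synonyms `Zirconium`, `APT 31` and `APT31` are backed only by the two Confiant references, whose titles describe a malvertising operation, while this cluster is a China-based espionage actor (`country`: `CN`); the hunk cites nothing that links Confiant's "Zirconium" to Hurricane Panda, and a shared name alone is a weak basis for merging two tracked entities. If the APT31 alias is the intent, cite a source that makes that attribution; otherwise the Confiant refs belong on a separate cluster. `attribution-confidence` stays at `50` although three aliases from an unrelated source are attached, which is worth a second look.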
@@ -1194,7 +1205,12 @@
 "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html",
 "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/",
 "https://github.com/nccgroup/Royal_APT",
- "https://www.cfr.org/interactive/cyber-operations/mirage"
+ "https://www.cfr.org/interactive/cyber-operations/mirage",
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf",
+ "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
+ "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
+ "https://attack.mitre.org/groups/G0004/"
 ],
 "synonyms": [
 "Vixen Panda",
@@ -1339,9 +1355,10 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
- "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/",
- "https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/",
- "https://www.cfr.org/interactive/cyber-operations/icefog"
+ "https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/",
+ "https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/",
+ "https://www.cfr.org/interactive/cyber-operations/icefog",
+ "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf"
 ],
 "synonyms": [
 "IceFog",
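Review bot: The Icefog hunk at `@@ -1339,9 +1355,10 @@` adds `https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf`, a bare CDN hostname rather than the publisher's own domain; such links stop resolving when the upload bucket is rotated and give a reader no way to tell who published the PDF. Cite the publisher-facing page that hosts the report instead, as the other Icefog refs on securelist.com do. The Mirage hunk above it raises no issue.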
@@ -2098,7 +2115,17 @@
 "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
 "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
 "https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
- "https://www.cfr.org/interactive/cyber-operations/magic-hound"
+ "https://www.cfr.org/interactive/cyber-operations/magic-hound",
+ "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
+ "https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/",
+ "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
+ "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
+ "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
+ "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "https://attack.mitre.org/groups/G0059/",
+ "https://attack.mitre.org/groups/G0003/"
 ],
 "synonyms": [
 "Operation Cleaver",
@@ -2108,9 +2135,14 @@
 "TG-2889",
 "Cobalt Gypsy",
 "Ghambar",
+ "Rocket_Kitten",
 "Cutting Kitten",
 "Group 41",
- "Magic Hound"
+ "Magic Hound",
+ "APT35",
+ "APT 35",
+ "TEMP.Beanie",
+ "Ghambar"
 ]
 },
 "related": [
@@ -2819,7 +2851,9 @@
 "OperationTroy",
 "Guardian of Peace",
 "GOP",
- "WHOis Team"
+ "WHOis Team",
+ "Andariel",
+ "Subgroup: Andariel"
 ]
 },
 "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7",
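Review bot: Two additions duplicate entries already in the same list: `https://www.secureworks.com/research/the-curious-case-of-mia-ash` is added at `@@ -2098` although it is the hunk's first context line, and `Ghambar` is added at the end of the synonyms at `@@ -2108` while `Ghambar` already sits three lines above it; drop both added lines. `Rocket_Kitten` looks like an identifier-style spelling of Rocket Kitten, so check whether the space-separated form is intended. The same hunk cites both `attack.mitre.org/groups/G0003/` and `G0059/`, which MITRE tracks as distinct groups, so pinning one cluster to both cements a conflation that the existing synonym list already hints at and deserves a note in the description. At `@@ -2819`, `Subgroup: Andariel` is a label rather than an alias and will never match a name in reporting; keep just `Andariel`, or model the subgroup as its own cluster with a `related` link.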
@@ -2874,7 +2908,43 @@ "https://securelist.com/operation-applejeus/87553/", "https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea", "https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/", - "https://content.fireeye.com/apt/rpt-apt38" + "https://content.fireeye.com/apt/rpt-apt38", + "https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/", + "https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack", + "https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise", + "https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html", + "https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov", + "https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war", + "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/", + "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/", + "https://securelist.com/operation-applejeus/87553/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/", + "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/", + "https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/", + 
"https://www.us-cert.gov/ncas/analysis-reports/AR19-129A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations", + "https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies", + "https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c", + "https://content.fireeye.com/apt/rpt-apt38", + "https://attack.mitre.org/groups/G0032/", + "https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/", + "https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers", + "https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105", + "https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD", + "https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks", + "https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware", + "https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/", + "https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0", + "https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html", + "https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret", + "https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/", + "https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678", + 
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/" ], "synonyms": [ "Operation DarkSeoul", @@ -2886,13 +2956,20 @@ "Bureau 121", "NewRomanic Cyber Army Team", "Bluenoroff", + "Subgroup: Bluenoroff", "Group 77", "Labyrinth Chollima", "Operation Troy", "Operation GhostSecret", "Operation AppleJeus", "APT38", - "Stardust Chollima" + "APT 38", + "Stardust Chollima", + "Whois Hacking Team", + "Zinc", + "Appleworm", + "Nickel Academy", + "APT-C-26" ] }, "related": [ @@ -3258,7 +3335,8 @@ "https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", "https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", "https://www.phnompenhpost.com/national/kingdom-targeted-new-malware", - "https://attack.mitre.org/groups/G0017/" + "https://attack.mitre.org/groups/G0017/", + "https://attack.mitre.org/groups/G0002/" ], "synonyms": [ "Moafee" 
@@ -3721,11 +3799,24 @@
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
 "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks",
- "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/"
+ "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/",
+ "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/",
+ "https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
+ "https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html",
+ "https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html",
+ "https://blog.vectra.ai/blog/moonlight-middle-east-targeted-attacks",
+ "https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/",
+ "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf",
+ "https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
+ "https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26760/en_US/McAfee_Labs_Threat_Advisory_GazaCybergang.pdf",
+ "https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
+ "https://www.kaspersky.com/blog/gaza-cybergang/26363/",
+ "https://attack.mitre.org/groups/G0021/"
 ],
 "synonyms": [
 "Gaza Hackers Team",
 "Gaza cybergang",
+ "Gaza Cybergang",
 "Operation Molerats",
 "Extreme Jackal",
 "Moonlight"
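Review bot: `Gaza Cybergang` is added to the synonyms directly below the existing `Gaza cybergang`, a case-only variant; consumers that match aliases case-insensitively see a duplicate and those that match exactly gain little from a second casing, so keep one form (the refs use `gaza-cybergang` and `GazaCybergang`, which does not settle it either way). The added `https://blog.vectra.ai/blog/moonlight-middle-east-targeted-attacks` has the same path as the existing `http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks` and appears to be the same post on the relocated domain, so replace the old URL rather than keeping both, as this commit does for the securelist links elsewhere. The enclosing entry starts above the hunk.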
@@ -4022,7 +4113,7 @@
 "value": "Hammer Panda"
 },
 {
- "description": "Infy is a group of suspected Iranian origin.",
+ "description": "Infy is a group of suspected Iranian origin.\nSince early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human right activists in the beginning of 2015. In line5with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents.\nThanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
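Review bot: The new description text contains the copy artifact `In line5with other research`, which should read `In line with other research`. The appended paragraphs are a verbatim quote that speaks of "this document" and "our research" without naming the source, and since the hunk ends before the `refs` list it is not visible which reference the quote comes from; a short lead-in naming the report, or trimming the first-person framing, would make the description self-contained.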
@@ -4054,7 +4145,9 @@
 "https://iranthreats.github.io/",
 "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
 "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/",
- "https://www.cfr.org/interactive/cyber-operations/prince-persia"
+ "https://www.cfr.org/interactive/cyber-operations/prince-persia",
+ "https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
+ "https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/"
 ],
 "synonyms": [
 "Operation Mermaid",
@@ -4329,11 +4422,13 @@
 "meta": {
 "refs": [
 "https://dragos.com/blog/20180802Raspite.html",
- "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
+ "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
+ "https://attack.mitre.org/groups/G0077/"
 ],
 "since": "2017",
 "synonyms": [
- "LeafMiner"
+ "LeafMiner",
+ "Raspite"
 ],
 "victimology": "Electric utility sector"
 },
@@ -4661,7 +4756,8 @@
 "refs": [
 "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
 "https://www.threatconnect.com/china-superman-apt/",
- "https://www.cfr.org/interactive/cyber-operations/mofang"
+ "https://www.cfr.org/interactive/cyber-operations/mofang",
+ "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
 ],
 "synonyms": [
 "Superman"
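Review bot: The two unit42.paloaltonetworks.com URLs added at `@@ -4054` carry the same slugs as the two researchcenter.paloaltonetworks.com refs kept just above them, so the list now holds each article twice; elsewhere in this commit (the MuddyWater hunk at `@@ -5288`) the old domain is replaced instead, and that is the consistent choice here too. At `@@ -4329` the added synonym `Raspite` may repeat the entry's own `value`, which lies outside the hunk, if the cluster is named Raspite; check before merging.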
@@ -4746,6 +4842,7 @@
 "value": "Test Panda"
 },
 {
+ "description": "Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.\nCommon applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
@@ -4762,9 +4859,12 @@
 "cfr-type-of-incident": "Espionage",
 "country": "IR",
 "refs": [
- "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/",
- "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/",
- "https://www.cfr.org/interactive/cyber-operations/madi"
+ "https://securelist.com/the-madi-campaign-part-i-5/33693/",
+ "https://securelist.com/the-madi-campaign-part-ii-53/33701/",
+ "https://www.cfr.org/interactive/cyber-operations/madi",
+ "https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east",
+ "https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/",
+ "https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns"
 ]
 },
 "uuid": "d5dacda0-12c2-4e80-bdf2-1c5019ec40e2",
@@ -4850,7 +4950,7 @@
 "cfr-type-of-incident": "Espionage",
 "country": "KP",
 "refs": [
- "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/",
+ "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/",
 "https://www.cfr.org/interactive/cyber-operations/kimsuky"
 ],
 "synonyms": [
@@ -5288,12 +5388,23 @@
 "cfr-type-of-incident": "Espionage",
 "country": "IR",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
- "https://www.cfr.org/interactive/cyber-operations/muddywater"
+ "https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
+ "https://www.cfr.org/interactive/cyber-operations/muddywater",
+ "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/",
+ "https://securelist.com/muddywater/88059/",
+ "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group",
+ "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
+ "https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/",
+ "https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
+ "https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
+ "https://attack.mitre.org/groups/G0069/"
 ],
 "synonyms": [
 "TEMP.Zagros",
- "Static Kitten"
+ "Static Kitten",
+ "Seedworm"
 ]
 },
 "related": [
@@ -5431,7 +5542,11 @@
 "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets",
 "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html",
 "https://www.cfr.org/interactive/cyber-operations/leviathan",
- "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html"
+ "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
+ "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/",
+ "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html",
+ "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",
+ "https://attack.mitre.org/groups/G0065/"
 ],
 "synonyms": [
 "TEMP.Periscope",
@@ -6073,7 +6188,12 @@
 ],
 "cfr-type-of-incident": "Espionage",
 "refs": [
- "https://www.cfr.org/interactive/cyber-operations/inception-framework"
+ "https://www.cfr.org/interactive/cyber-operations/inception-framework",
+ "https://www.symantec.com/connect/blogs/blue-coat-exposes-inception-framework-very-sophisticated-layered-malware-attack-targeted-milit",
+ "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/%238",
+ "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
+ "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
+ "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf"
 ]
 },
 "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
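Review bot: The refs array gains `https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html` twice: the `-`/`+` pair re-adds the existing entry with a trailing comma, and the fourth `+` line adds the same URL again, so the new side lists it as both the first and the fourth element of the added run. Delete the second `+ "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html",` line. A cheap pre-commit guard for this class of slip is `jq '.values[].meta.refs // [] | group_by(.) | map(select(length > 1))' clusters/threat-actor.json`, which also surfaces the near-duplicates elsewhere on this page that differ only by scheme or host. The refs array itself opens before this hunk.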
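Review bot: The added `https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/%238` has its fragment percent-encoded into the path: `%23` decodes to `#`, so a client requests `/36740/%238` as a path segment instead of fetching `/36740/` and scrolling to anchor 8, and the reference may not resolve at all. Use `"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/"`; an in-page anchor adds nothing to a citation. Separately, the Red October and Cloud Atlas write-ups are attached as refs on the Inception Framework cluster with nothing expressing the linkage; if a cluster for those campaigns exists, a `related` entry with an `estimative-language:likelihood-probability` tag (the pattern this file uses for `similar`/`linked-to`) would make the relationship queryable instead of implicit in the reading list.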
@@ -6843,7 +6963,9 @@
 "country": "IR",
 "refs": [
 "https://resecurity.com/blog/parliament_races/",
- "https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986"
+ "https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986",
+ "https://threatpost.com/ranian-apt-6tb-data-citrix/142688/",
+ "https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/"
 ]
 },
 "uuid": "29cfe970-5446-4cfc-a2da-00e9f49e02ba",
@@ -6919,10 +7041,12 @@
 "https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment",
 "https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment",
 "https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic",
+ "https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary",
 "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities"
 ],
 "synonyms": [
- "COBALT DICKENS"
+ "COBALT DICKENS",
+ "Mabna Institute"
 ]
 },
 "uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
@@ -7056,7 +7180,19 @@ }, "uuid": "2d82a18e-8c53-11e9-b0ec-536b62fa3d86", "value": "Honeybee" + }, + { + "description": "A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the email. For example, one email sent to an academic claimed to be a call for papers for a conference (CFP).\nThe vast majority of the victims were based in India, with some in Malaysia. The victim industry was mostly military research and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a ‘shotgun’ like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack with what appeared to be source code stolen. 45 different attacker IP addresses were observed. Out of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. 
The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous.ænThe attacks have been active from at least April 2011 up to February 2012. The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero day exploits or complicated threats, instead they rely on effective social engineering and lax security measures on the part of the victims.", + "meta": { + "refs": [ + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf", + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf", + "" + ] + }, + "uuid": "e502802e-8d0a-11e9-bd72-9f046529b3fd", + "value": "Lucky Cat" } ], - "version": 113 + "version": 114 } From 11c2f43c9fd9af3d9793f0ab3beb1f7b1c56ebe9 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 13 Jun 2019 11:26:42 +0200 Subject: [PATCH 23/92] tryto fix duplicate --- clusters/threat-actor.json | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9cdbdf7..a9c32cd 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
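Review bot: The new `refs` array for Lucky Cat ends with an empty string `""`, which is not a reference: it will render as a blank citation and is likely to break any consumer that fetches or validates each ref as a URL. Remove that element or replace it with the link that was meant to go there. In the description, `anonymous.ænThe attacks` looks like a mangled `\n` escape (the other paragraph break in the same string is written `\n`), so `æn` should become `\n`. The `version` bump from 113 to 114 that accompanies the new entry is correct.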
@@ -2111,16 +2111,15 @@
 "cfr-type-of-incident": "Espionage",
 "country": "IR",
 "refs": [
- "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
- "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
- "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
- "https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
 "https://www.cfr.org/interactive/cyber-operations/magic-hound",
+ "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
+ "https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
+ "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
+ "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
 "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
 "https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/",
 "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
- "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
 "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
@@ -2134,7 +2133,6 @@
 "2889",
 "TG-2889",
 "Cobalt Gypsy",
- "Ghambar",
 "Rocket_Kitten",
 "Cutting Kitten",
 "Group 41",
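Review bot: The second hunk silently drops `"Ghambar"` from the synonyms list; the commit message ("tryto fix duplicate") does not mention it and no other hunk in this commit moves the name to another cluster, so a consumer whose search or tag matched on that alias loses the hit with no trail. State in the commit message which cluster keeps the name, or why it was wrong here. The reorder in the first hunk also leaves what appears to be the same Cylance report listed under two hosts, `http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf` and `https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf`; if they are one document, keep the vendor-hosted copy. The refs array opens before this hunk.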
@@ -2897,15 +2895,15 @@ "refs": [ "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/", "https://www.us-cert.gov/ncas/alerts/TA17-164A", - "https://securelist.com/lazarus-under-the-hood/77908/", - "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf", - "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://www.us-cert.gov/ncas/alerts/TA17-318A", "https://www.us-cert.gov/ncas/alerts/TA17-318B", + "https://securelist.com/operation-applejeus/87553/", + "https://securelist.com/lazarus-under-the-hood/77908/", + "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", + "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf", "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/", "https://www.cfr.org/interactive/cyber-operations/lazarus-group", "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret", - "https://securelist.com/operation-applejeus/87553/", "https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea", "https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/", "https://content.fireeye.com/apt/rpt-apt38", 
@@ -2920,17 +2918,15 @@ "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/", - "https://securelist.com/operation-applejeus/87553/", + "https://www.us-cert.gov/ncas/analysis-reports/AR19-129A", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/", "https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/", "https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/", - "https://www.us-cert.gov/ncas/analysis-reports/AR19-129A", "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", "https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations", "https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies", "https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c", - "https://content.fireeye.com/apt/rpt-apt38", "https://attack.mitre.org/groups/G0032/", "https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/", "https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers", 
@@ -5545,7 +5541,6 @@ "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/", "https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html", - "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "https://attack.mitre.org/groups/G0065/" ], "synonyms": [ From 20e77afcc318955bf19494236de788009805dfc1 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 13 Jun 2019 16:19:21 +0200 Subject: [PATCH 24/92] update threat actor galaxy --- clusters/threat-actor.json | 61 +++++++++++++++++++++++++++++++------- 1 file changed, 50 insertions(+), 11 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a9c32cd..26c6667 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -100,7 +100,9 @@ "attribution-confidence": "50", "country": "CN", "refs": [ - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf" + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf", + "https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/" ], "synonyms": [ "Covert Grove" 
@@ -804,7 +806,12 @@
 "refs": [
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
 "https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
- "https://www.cfr.org/interactive/cyber-operations/apt-30"
+ "https://www.cfr.org/interactive/cyber-operations/apt-30",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
+ "https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
+ "https://threatconnect.com/tag/naikon/",
+ "https://attack.mitre.org/groups/G0019/"
 ],
 "synonyms": [
 "PLA Unit 78020",
@@ -813,7 +820,8 @@
 "Override Panda",
 "Camerashy",
 "APT.Naikon",
- "Lotus Panda"
+ "Lotus Panda",
+ "Hellsing"
 ]
 },
 "related": [
@@ -1171,7 +1179,9 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://kc.mcafee.com/corporate/index?page=content&id=KB71150"
+ "https://kc.mcafee.com/corporate/index?page=content&id=KB71150",
+ "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf",
+ "https://attack.mitre.org/groups/G0014/"
 ]
 },
 "related": [
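Review bot: Adding `"Hellsing"` as a synonym of Naikon conflates two groups: the Kaspersky write-up the same commit cites (`the-chronicles-of-the-hellsing-apt-the-empire-strikes-back`) describes Hellsing as a distinct actor that was spear-phished by Naikon and retaliated, not as another name for Naikon, so a lookup on that alias will now resolve to the wrong group. Keep the ref, drop the synonym, and if the link is worth recording express it as a `related` entry to a Hellsing cluster with `"type": "similar"` or `"linked-to"` and an `estimative-language:likelihood-probability` tag, the pattern this file already uses. The synonyms array opens before its hunk.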
@@ -1327,10 +1337,16 @@
 "country": "CN",
 "refs": [
 "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/",
- "https://www.cfr.org/interactive/cyber-operations/nettraveler"
+ "https://www.cfr.org/interactive/cyber-operations/nettraveler",
+ "https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes",
+ "https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary",
+ "https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/",
+ "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests"
 ],
 "synonyms": [
- "APT 21"
+ "APT 21",
+ "APT21",
+ "TravNet"
 ]
 },
 "uuid": "b80f4788-ccb2-466d-ae16-b397159d907e",
@@ -3658,13 +3674,33 @@
 "https://www.cfr.org/interactive/cyber-operations/oilrig",
 "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
 "https://researchcenter.paloaltonetworks.com/2018/11/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/"
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
+ "https://www.symantec.com/connect/blogs/shamoon-attacks",
+ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
+ "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
+ "https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
+ "https://www.clearskysec.com/oilrig/",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/",
+ "https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
+ "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
+ "https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
+ "https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
+ "https://attack.mitre.org/groups/G0049/"
 ],
 "synonyms": [
 "Twisted Kitten",
 "Cobalt Gypsy",
 "Crambus",
- "Helix Kitten"
+ "Helix Kitten",
+ "APT 34",
+ "APT34",
+ "IRN2"
 ]
 },
 "related": [
@@ -3837,7 +3873,9 @@
 "country": "TR",
 "refs": [
 "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
- "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
+ "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users",
+ "https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
+ "https://attack.mitre.org/groups/G0055/"
 ],
 "synonyms": [
 "StrongPity"
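Review bot: The hunk adds `https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/` a second time: the `-`/`+` pair keeps the existing entry, and the second-to-last `+` line re-adds the same URL, so the refs list now holds a duplicate; drop the later `+` line. The three Symantec Shamoon posts and the McAfee tool-kit post attach destructive-wiper reporting to a cluster whose `cfr-type-of-incident` is `Espionage`, and as I recall those Symantec write-ups attribute the 2016-17 Shamoon wave to a separate group rather than to OilRig, so a reader of this cluster gets an attribution the cited sources do not make. Either add a `related` entry to the Shamoon cluster with an `estimative-language:likelihood-probability` tag, or note the attribution caveat in the description, rather than letting the reading list imply it. The refs array opens before this hunk.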
@@ -6239,7 +6277,7 @@ "value": "HenBox" }, { - "description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.", + "description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.\nIn April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX.\nRecently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "China", @@ -6252,7 +6290,8 @@ "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ - "https://www.cfr.org/interactive/cyber-operations/mustang-panda" + "https://www.cfr.org/interactive/cyber-operations/mustang-panda", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/" ] }, "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", From 2001652dae58ddd5eede71384955bb45d4e0ce5f Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 14 Jun 2019 08:28:44 +0200 Subject: [PATCH 25/92] fix duplicate --- clusters/threat-actor.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
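Review bot: The appended description text is a verbatim copy of the CrowdStrike post, including `Recently, Falcon Intelligence observed new activity from MUSTANG PANDA`, a relative time reference that goes stale in a persistent cluster and a first-person vendor voice that reads as if the galaxy itself observed it. Anchor it to the source and date, e.g. `In its June 2019 adversary-of-the-month post, CrowdStrike reported new activity from MUSTANG PANDA` (the month is taken from the URL of the ref added in the second hunk; confirm against the post), and attribute the rest of the quoted paragraphs to CrowdStrike the same way.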
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 26c6667..a30e6e3 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3661,7 +3661,7 @@ "refs": [ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", - "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "http://www.clearskysec.com/oilrig/", "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", @@ -3676,8 +3676,6 @@ "https://researchcenter.paloaltonetworks.com/2018/11/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/", "https://www.symantec.com/connect/blogs/shamoon-attacks", - "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", - "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever", "https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", "https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", From b040f9f57bde78ba3081e733159c7b532039ba7f Mon Sep 17 00:00:00 2001 
From: Deborah Servili Date: Fri, 14 Jun 2019 08:41:38 +0200 Subject: [PATCH 26/92] fix duplicate and links update (APT34) --- clusters/threat-actor.json | 39 ++++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a30e6e3..4f474b0 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -3659,36 +3659,33 @@
 "cfr-type-of-incident": "Espionage",
 "country": "IR",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
- "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
- "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
 "http://www.clearskysec.com/oilrig/",
- "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf",
- "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
- "http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20",
- "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a",
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/",
- "https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/",
+ "http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability",
+ "https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
+ "https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/",
+ "https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
+ "https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
+ "https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/",
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
+ "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
 "https://pan-unit42.github.io/playbook_viewer/",
+ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
+ "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
+ "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf",
+ "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a",
 "https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json",
 "https://www.cfr.org/interactive/cyber-operations/oilrig",
- "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
- "https://researchcenter.paloaltonetworks.com/2018/11/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
+ "https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
 "https://www.symantec.com/connect/blogs/shamoon-attacks",
 "https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever",
- "https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
- "https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
 "https://www.clearskysec.com/oilrig/",
- "https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/",
- "https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
- "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
- "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
- "https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
- "https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
- "https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
 "https://attack.mitre.org/groups/G0049/"
 ],
 "synonyms": [ From 98f0572d51d12d7297f29a2a178b643fbf017a5d Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 14 Jun 2019 16:06:09 +0200 Subject: [PATCH 27/92] update threat actor galaxy --- clusters/threat-actor.json | 209 ++++++++++++++++++++++++++++++------- 1 file changed, 169 insertions(+), 40 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4f474b0..62c6de0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
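Review bot: After this dedupe the list still carries the same ClearSky report twice, as `http://www.clearskysec.com/oilrig/` (kept near the top) and `https://www.clearskysec.com/oilrig/` (kept near the bottom); they differ only by scheme, so keep the https one. The Forbes URL still ends in `#56749aa2468a`, which is page-scroll state rather than part of the citation, and can be trimmed the same way the `%20` was trimmed from the morphisec link. A duplicate check that normalises scheme, host and fragment before comparing would have caught both.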
@@ -291,16 +291,19 @@
 "country": "CN",
 "refs": [
 "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
- "https://www.cfr.org/interactive/cyber-operations/putter-panda"
+ "https://www.cfr.org/interactive/cyber-operations/putter-panda",
+ "https://attack.mitre.org/groups/G0024/"
 ],
 "synonyms": [
 "PLA Unit 61486",
 "APT 2",
+ "APT2",
 "Group 36",
 "APT-2",
 "MSUpdater",
 "4HCrew",
 "SULPHUR",
+ "SearchFire",
 "TG-6952"
 ]
 },
@@ -1390,7 +1393,12 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2"
+ "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
+ "http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/",
+ "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html",
+ "https://attack.mitre.org/groups/G0011/"
 ],
 "synonyms": [
 "PittyTiger",
@@ -1412,7 +1420,8 @@
 {
 "meta": {
 "refs": [
- "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"
+ "https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
+ "http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf"
 ]
 },
 "uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d",
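Review bot: In the Pitty Tiger hunk, `http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2` and the existing `http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2` share an identical path and appear to be the same post on the vendor's former and current domains (Cassidian CyberSecurity was renamed Airbus CyberSecurity), so this is a near-duplicate rather than a second source. Keep the Airbus one, or if the old domain is being kept deliberately as a mirror, say so in the commit message so the next dedupe pass does not remove it blindly.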
@@ -1625,11 +1634,12 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india",
+ "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
 "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
 ],
 "synonyms": [
 "APT23",
+ "APT 23",
 "KeyBoy"
 ]
 },
@@ -2315,7 +2325,43 @@
 "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
 "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
 "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
- "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware"
+ "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
+ "http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
+ "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
+ "https://www.bbc.com/news/technology-37590375",
+ "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
+ "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff",
+ "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
+ "https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
+ "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
+ "http://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
+ "http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
+ "https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/",
+ "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
+ "https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
+ "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
+ "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
+ "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
+ "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
+ "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
+ "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN",
+ "https://www.bbc.co.uk/news/technology-45257081",
+ "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
+ "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
+ "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
+ "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
+ "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
+ "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
+ "https://en.wikipedia.org/wiki/Fancy_Bear",
+ "https://attack.mitre.org/groups/G0007/"
 ],
 "synonyms": [
 "APT 28",
@@ -2333,7 +2379,9 @@
 "TAG_0700",
 "Swallowtail",
 "IRON TWILIGHT",
- "Group 74"
+ "Group 74",
+ "SIG40",
+ "Grizzly Steppe"
 ]
 },
 "related": [
@@ -2595,7 +2643,11 @@
 "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
 "https://www.us-cert.gov/ncas/alerts/TA17-163A",
 "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
- "https://www.cfr.org/interactive/cyber-operations/black-energy"
+ "https://www.cfr.org/interactive/cyber-operations/black-energy",
+ "https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
+ "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
+ "https://attack.mitre.org/groups/G0034/"
 ],
 "synonyms": [
 "Sandworm Team",
@@ -2603,7 +2655,8 @@
 "BlackEnergy",
 "Quedagh",
 "Voodoo Bear",
- "TEMP.Noble"
+ "TEMP.Noble",
+ "Iron Viking"
 ]
 },
 "related": [
@@ -3005,6 +3058,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "linked-to"
 }
 ],
 "uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
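Review bot: `file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/` is a path on an analyst's workstation, not a reference: it resolves nowhere for anyone else and publishes the contributor's working directory layout; replace it with the public post, `"https://unit42.paloaltonetworks.com/unit42-dealerschoice-sofacys-flash-player-exploit-platform/"` (the same form the neighbouring unit42 entries use). The Handelsblatt URL carries `?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1`, which looks like a CAS single-sign-on service ticket captured from the contributor's browser session; such tickets are short-lived and single-use so it is unlikely to be replayable, but session material does not belong in a public dataset, so commit `.../23569188.html` without the query string. The Washington Post entry's `?utm_term=.870ff11468ae` is tracking noise and can be dropped the same way. A pre-commit check that rejects non-`http(s)` schemes and strips `utm_*`/`ticket` parameters from refs would catch all three. The refs array opens before this hunk.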
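Review bot: `"Grizzly Steppe"` is not a synonym of APT28: GRIZZLY STEPPE is the name DHS/FBI gave in JAR-16-20296 to the combined Russian activity covering both APT28 and APT29, so listing it here makes any lookup on that name resolve to APT28 alone and silently drops the APT29 half. Remove it from this synonyms array and, if it needs to be findable, record it on an umbrella cluster or as `related` entries on both APT28 and APT29 with an `estimative-language:likelihood-probability` tag, which is how this file already expresses partial overlap. The synonyms array opens before its hunk.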
@@ -3084,11 +3144,13 @@ "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france", "http://www.cyphort.com/evilbunny-malware-instrumented-lua/", "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", - "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html", - "https://www.cfr.org/interactive/cyber-operations/snowglobe" + "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope", + "https://www.cfr.org/interactive/cyber-operations/snowglobe", + "https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/" ], "synonyms": [ - "Animal Farm" + "Animal Farm", + "Snowglobe" ] }, "uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab", @@ -3194,7 +3256,10 @@ "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.", "meta": { "refs": [ - "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/" + "https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/", + "https://securelist.com/operation-daybreak/75100/", + "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", + "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/" ], "synonyms": [ "Operation Daybreak", 
@@ -3249,17 +3314,23 @@ "cfr-type-of-incident": "Espionage", "country": "IN", "refs": [ - "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign", - "https://www.cymmetria.com/patchwork-targeted-attack/" + "https://www.cymmetria.com/patchwork-targeted-attack/", + "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://attack.mitre.org/groups/G0040/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://securelist.com/the-dropping-elephant-actor/75328/", + "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" ], "synonyms": [ "Chinastrats", "Patchwork", "Monsoon", "Sarit", - "Quilted Tiger" + "Quilted Tiger", + "APT-C-09" ] }, "related": [ 
@@ -3282,13 +3353,14 @@ "value": "Dropping Elephant" }, { - "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.", + "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same.\nThe attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.\nThe attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC.\nScarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. 
While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ "https://attack.mitre.org/wiki/Groups", - "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" + "https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/", + "https://attack.mitre.org/groups/G0029/" ] }, "related": [ @@ -3309,8 +3381,9 @@ "attribution-confidence": "50", "country": "BR", "refs": [ - "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/", - "https://attack.mitre.org/wiki/Groups" + "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/", + "https://attack.mitre.org/wiki/Groups", + "https://attack.mitre.org/groups/G0033/" ] }, "related": [ @@ -3867,10 +3940,10 @@ "attribution-confidence": "50", "country": "TR", "refs": [ - "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", - "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users", "https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", - "https://attack.mitre.org/groups/G0055/" + "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users", + "https://attack.mitre.org/groups/G0055/", + "https://attack.mitre.org/groups/G0056/" ], "synonyms": [ "StrongPity" 
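Review bot: The extended description in the `@@ -3282` hunk pastes Unit 42's first-person assessment verbatim (`We do not have evidence directly linking these attacks to a government source`, `The attacks we attribute to Scarlet Mimic`), so inside the galaxy the "we" reads as the MISP project's own attribution rather than the vendor's. Prefix the pasted paragraphs with the source, e.g. `Palo Alto Unit 42 reports:`, or rephrase to `Unit 42 does not have evidence ...`. The generic `https://attack.mitre.org/wiki/Groups` ref is also redundant now that the specific `https://attack.mitre.org/groups/G0029/` link is present.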
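Review bot: The `@@ -3867` hunk leaves this cluster (synonym `StrongPity`, country TR) pointing at two different MITRE group IDs, `https://attack.mitre.org/groups/G0055/` and `https://attack.mitre.org/groups/G0056/`. MITRE's group index tracks those as two separate groups from the same Microsoft twin-zero-day report (G0055 NEODYMIUM, G0056 PROMETHIUM), so only one can be this cluster's own identifier; if this entry is PROMETHIUM/StrongPity, keep G0056 and move G0055 into a `related` entry or the sibling cluster. The cluster's `value` line is outside the hunk, so confirm which group it is before dropping either link.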
@@ -3957,12 +4030,12 @@ "value": "Chafer" }, { - "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ", + "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. 
His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.", "meta": { "attribution-confidence": "50", "country": "CN", "refs": [ - "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies" + "https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html" ] }, "uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965", 
@@ -4081,7 +4154,9 @@
 "country": "IR",
 "refs": [
 "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/"
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/",
+ "https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/",
+ "https://www.clearskysec.com/greenbug/"
 ]
 },
 "related": [
@@ -4187,7 +4262,7 @@
 "value": "Infy"
 },
 {
- "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.",
+ "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.\nIn February 2016, Iran-focused individuals received messages purporting to be from Human RightsWatch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghanr efugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Director’s biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to professionally interact with the subject, then offered validation through links to their biography and social media, the former of which itself was malware as well. The bait documents contained a real article relevant to their interests and topic referenced, and the message attempted to address to how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files using the common right-to-left filenames tactic in order to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to a tendency amongst other groups to simply continually send different forms of generic malware or phishing, in the hopes that one would eventually be successful.",
 "meta": {
 "attribution-confidence": "50",
 "country": "IR",
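Review bot: The new description in the `@@ -4187` hunk carries two copy-paste word breaks that will be displayed verbatim on every event tagged with this cluster: `Human RightsWatch's (HRW)` should read `Human Rights Watch's (HRW)` and `Afghanr efugees` should read `Afghan refugees`. The rest of the paragraph is lifted from the source report in its own voice ("represent an evolution of Iranian actors"); a short lead-in naming the reporting source would make clear whose assessment that is. The `refs` for this cluster are outside the hunk, so I cannot tell whether the quoted report is cited.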
@@ -4378,7 +4453,8 @@
 "meta": {
 "refs": [
 "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
- "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/"
+ "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
+ "https://attack.mitre.org/groups/G0068/"
 ],
 "synonyms": [
 "TwoForOne"
@@ -4991,9 +5067,12 @@
 "value": "Kimsuki"
 },
 {
+ "description": "While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’.\nThe Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.",
 "meta": {
 "refs": [
- "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
+ "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
+ "https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html",
+ "https://www.jpcert.or.jp/magazine/acreport-ChChes.html"
 ]
 },
 "uuid": "7b6ba207-94de-4f94-bc7f-52cd0dafade5",
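Review bot: The `@@ -4991` hunk keeps the old `https://www.cylance.com/en_us/blog/the-deception-project-...` URL and adds the `https://threatvector.cylance.com/en_us/home/the-deception-project-...` URL for the same post, so the list now cites one article twice. Elsewhere in this commit (PassCV, `@@ -3957`) the old cylance.com path is replaced rather than duplicated; do the same here. The new description also says `Cylance tracks this threat group internally as ‘Snake Wine’` — if the cluster's `value` (outside the hunk) is not "Snake Wine", that name belongs in a `synonyms` array so the tag resolves.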
@@ -5515,7 +5594,10 @@ "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://twitter.com/mstoned7/status/966126706107953152", "https://www.cfr.org/interactive/cyber-operations/apt-37", - "https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/" + "https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/", + "https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://attack.mitre.org/groups/G0067/" ], "synonyms": [ "APT 37", @@ -5528,7 +5610,8 @@ "Ricochet Chollima", "StarCruft", "Operation Daybreak", - "Operation Erebus." + "Operation Erebus", + "Venus 121" ] }, "related": [ @@ -5545,6 +5628,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "linked-to" } ], "uuid": "50cd027f-df14-40b2-aa22-bf5de5061163", 
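Review bot: The `@@ -5515` hunk adds `https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html` while the same post is already the first context line of the hunk as `http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html`; the two differ only in scheme, so the refs list now carries a duplicate. Replace the old http line with the https form instead of appending a second copy.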
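Review bot: After the `@@ -5528` hunk this APT 37 cluster still lists `Operation Daybreak` (alongside `StarCruft`) as a synonym, while the ScarCruft cluster touched in `@@ -3194` of the same commit also carries `Operation Daybreak` in its `synonyms`. Two clusters owning the same synonym makes tag-to-cluster resolution ambiguous; either merge the two entries or keep `Operation Daybreak` on one of them and express the overlap through the existing `related` entry. The `Operation Erebus.` → `Operation Erebus` fix is right — the trailing dot made it an unmatchable string.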
@@ -5652,7 +5742,8 @@
 "description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.",
 "meta": {
 "refs": [
- "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
+ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
+ "https://attack.mitre.org/groups/G0071/"
 ]
 },
 "uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c",
@@ -6036,11 +6127,14 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
- "https://www.cfr.org/interactive/cyber-operations/rancor"
+ "https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
+ "https://www.cfr.org/interactive/cyber-operations/rancor",
+ "https://attack.mitre.org/groups/G0075/"
 ],
 "synonyms": [
- "Rancor group"
+ "Rancor group",
+ "Rancor",
+ "Rancor Group"
 ]
 },
 "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
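Review bot: The `@@ -6036` hunk adds `Rancor` and `Rancor Group` next to the existing `Rancor group`; the last two differ only in letter case, and if the cluster's own `value` (outside the hunk) is `Rancor`, the bare name is redundant as a synonym. Unless a consumer is known to match synonyms case-sensitively this is noise that other clusters in the file do not carry; keep `Rancor group` (the Unit 42 spelling) and add only names that actually appear in the cited reports.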
@@ -6152,7 +6246,7 @@ "value": "TempTick" }, { - "description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.", + "description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.\nBased on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on.\nOperation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. 
The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital).\nWith deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Unknown", @@ -6192,7 +6286,8 @@ "cfr-type-of-incident": "Espionage", "refs": [ "https://www.cfr.org/interactive/cyber-operations/operation-parliament", - "https://securelist.com/operation-parliament-who-is-doing-what/85237/" + "https://securelist.com/operation-parliament-who-is-doing-what/85237/", + "https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html" ] }, "uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d", 
@@ -6783,11 +6878,14 @@
 "value": "Cold River"
 },
 {
- "description": "a relatively new threat actor that’s been operating since mid-2016",
+ "description": "a relatively new threat actor that’s been operating since mid-2016\nGroup-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.\nSilence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.",
 "meta": {
 "refs": [
- "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/"
- ]
+ "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/",
+ "https://www.group-ib.com/blog/silence",
+ "https://securelist.com/the-silence/83009/"
+ ],
+ "synonyms": "Silence"
 },
 "uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
 "value": "Silence group"
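Review bot: `"synonyms": "Silence"` in the `@@ -6783` hunk is a bare string, whereas every other cluster in this file (`@@ -2333`, `@@ -5528`, `@@ -6036`) uses an array; a consumer that iterates `meta.synonyms` will either reject the entry or iterate the characters `S`, `i`, `l`, ..., and a schema validator for the galaxy will flag it. Change it to `"synonyms": ["Silence"]`. The pasted description also has an unbalanced parenthesis in `Africa, and Asia).` and the stale lead sentence `a relatively new threat actor` now sits in front of a 2019 report, so the first clause could be dropped or dated.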
@@ -7054,7 +7152,7 @@ "value": "Whitefly" }, { - "description": " This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.", + "description": "This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. 
Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.", "meta": { "refs": [ "https://blog.talosintelligence.com/2019/04/seaturtle.html" 
@@ -7221,6 +7319,37 @@ }, "uuid": "e502802e-8d0a-11e9-bd72-9f046529b3fd", "value": "Lucky Cat" + }, + { + "description": "There are several groups actively and profitably targeting businesses in Russia. A trend that we have seen unfold before our eyes lately is these cybercriminals’ use of simple backdoors to gain a foothold in their targets’ networks. Once they have this access, a lot of the work is done manually, slowly getting to understand the network layout and deploying custom tools the criminals can use to steal funds from these entities. Some of the groups that best exemplify these trends are Buhtrap, Cobalt and Corkow.\nThe group discussed in this white paper is part of this new trend. We call this new group RTM; it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighboring countries.", + "meta": { + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf", + "https://attack.mitre.org/groups/G0048/" + ] + }, + "uuid": "88100602-8e8b-11e9-bb7c-1bf20b58e305", + "value": "RTM" + }, + { + "description": "Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. 
Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation. The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence. The investigation is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The investigation employed a fusion methodology, combining technical interrogation techniques, data analysis, and field research, to track and uncover the Shadow cyber espionage network.", + "meta": { + "refs": [ + "https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf" + ] + }, + "uuid": "ef800f1c-8e90-11e9-972c-53e01614f101", + "value": "Shadow Network" + }, + { + "description": "While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.\nWhile for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to MikroTik routers and placed a component downloaded by Winbox Loader, a management suite for MikroTik routers. 
In turn, this infected the administrator of the router.\nWe believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).", + "meta": { + "refs": [ + "https://securelist.com/apt-slingshot/84312/" + ] + }, + "uuid": "4fcbd08a-8ea6-11e9-8bf2-970182ab6bb5", + "value": "Slingshot" } ], "version": 114 From ead217eb28aef5edf82495be4e54b41b8483383e Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 14 Jun 2019 16:11:02 +0200 Subject: [PATCH 28/92] Update version --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 62c6de0..93d13ed 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7352,5 +7352,5 @@ "value": "Slingshot" } ], - "version": 114 + "version": 115 } From 1e5292d9995499b697af57ccb1ca47d7d9fda5ad Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 14 Jun 2019 16:21:33 +0200 Subject: [PATCH 29/92] fix duplicate --- clusters/threat-actor.json | 77 +++++++++++++++++++------------------- 1 file changed, 38 insertions(+), 39 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 93d13ed..5dff709 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
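Review bot: The three clusters added in `@@ -7221` ship without `synonyms`, although their own descriptions name alternates analysts will tag with: the Shadow Network text introduces the report as `Shadows in the Cloud`, and the RTM text says `We call this new group RTM` in ESET's voice, which reads as the galaxy's own naming rather than the vendor's. Add `"synonyms": ["Shadows in the Cloud"]` to the Shadow Network entry and prefix the first-person passages with the reporting vendor (`ESET calls this group RTM`, `Kaspersky believes this cluster of activity started ...`). The Slingshot description's "at the time of this analysis (February 2018)" is a good example of dating a pasted assessment; the other two entries give no date for the reported activity, so a reader cannot tell how old the cluster is without opening the PDFs.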
@@ -2315,53 +2315,52 @@ "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ + "https://attack.mitre.org/groups/G0007/" + "https://en.wikipedia.org/wiki/Fancy_Bear", "https://en.wikipedia.org/wiki/Sofacy_Group", - "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", - "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", - "https://www.cfr.org/interactive/cyber-operations/apt-28", - "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/", - "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/", - "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/", - "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", - "http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament", - "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f", "https://www.bbc.com/news/technology-37590375", - "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html", - "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff", - "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/", - 
"https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/", - "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", + "https://www.bbc.co.uk/news/technology-45257081", + "https://www.cfr.org/interactive/cyber-operations/apt-28", + "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f", + "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html", + "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "http://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630", - "http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508", "https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/", - "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", + "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html", + "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", + "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff", + "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", + "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", + "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + 
"https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", + "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/", + "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", + "https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT", + "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/", "https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/", "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/", - "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/", - "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html", - "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1", - "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/", - "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/", - "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN", - "https://www.bbc.co.uk/news/technology-45257081", - "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", - "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf", - "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae", - 
"https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf", + "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/", + "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", + "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/", + "http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament", + "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/", + "http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508", + "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/", "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", - "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", - "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", - "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", - "https://en.wikipedia.org/wiki/Fancy_Bear", - "https://attack.mitre.org/groups/G0007/" + "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf", + 
"https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN", + "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", + "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", + "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae", + "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1", + "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf", ], "synonyms": [ "APT 28", From b966369933df0c31f9ab7d1264d11c49960c0784 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 14 Jun 2019 16:35:55 +0200 Subject: [PATCH 30/92] ##COMMA## --- clusters/threat-actor.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5dff709..8ed9e23 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2315,7 +2315,7 @@ "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ - "https://attack.mitre.org/groups/G0007/" + "https://attack.mitre.org/groups/G0007/", "https://en.wikipedia.org/wiki/Fancy_Bear", "https://en.wikipedia.org/wiki/Sofacy_Group", "https://www.bbc.com/news/technology-37590375", 
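Review bot: The new side of this hunk is not valid JSON: the first added element `"https://attack.mitre.org/groups/G0007/"` has no trailing comma before the next string, and the last element, the Accenture SNAKEMACKEREL PDF, keeps a trailing comma before `]`, so the cluster file fails to parse until the follow-up commit repairs it; the same missing comma appears in PATCH 31's TA505 hunk (after the threatpost servhelper ref) and is likewise fixed only in PATCH 32. Running the repository's JSON validation/pretty-print step before committing would have caught both. The "fix duplicate" here deduplicates by exact string only: `http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/` and `https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/` both survive on the new side although they appear to be the same article under the blog's old and new hostnames, and the same pattern recurs in PATCH 31's Stolen Pencil hunk (arbornetworks/netscout) and PATCH 32's Tropic Trooper hunk (researchcenter/unit42). The retained `file:///D:/Work/ThaiCERT/Cases/...` entry is an analyst's local path that no consumer of this galaxy can resolve; replace it with the corresponding public URL or drop it.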
@@ -2360,7 +2360,7 @@ "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae", "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1", - "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf", + "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf" ], "synonyms": [ "APT 28", From 431e7a36c1e48cb9ed0aaf793481224b6db47362 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 17 Jun 2019 16:36:42 +0200 Subject: [PATCH 31/92] update threat actor galaxy --- clusters/threat-actor.json | 46 +++++++++++++++++++++++++++++--------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8ed9e23..047a49b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -1097,24 +1097,34 @@ "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ - "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", + "https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "https://www.cfr.org/interactive/cyber-operations/apt-10", "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", + "https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret", + "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/", + "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf", + "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", + "https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf", + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", + "https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018", + "https://attack.mitre.org/groups/G0045/" ], "synonyms": [ "APT10", "APT 10", "MenuPass", "Menupass Team", + "menuPass", + "menuPass Team", "happyyongzi", "POTASSIUM", "DustStorm", "Red Apollo", "CVNX", "HOGFISH", - "Cloud Hopper", - "Stone Panda" + "Cloud Hopper" ] }, "related": [ 
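Review bot: `"Stone Panda"` is removed from the APT10 synonym list without the commit message saying why; synonyms drive tagging and correlation in MISP, so events already tagged with that name would presumably stop resolving to this cluster. If the name was removed because it belongs to another cluster, say so in the commit message or keep it here until that cluster exists. The added `"menuPass"` / `"menuPass Team"` variants differ only in case from the existing `"MenuPass"` / `"Menupass Team"`; worth confirming that consumers match synonyms case-sensitively, otherwise these entries are noise.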
@@ -3233,7 +3243,8 @@ "refs": [ "https://citizenlab.org/2016/05/stealth-falcon/", "https://www.cfr.org/interactive/cyber-operations/stealth-falcon", - "https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/" + "https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/", + "https://attack.mitre.org/groups/G0038/" ], "synonyms": [ "FruityArmor" @@ -3518,7 +3529,10 @@ "country": "US", "refs": [ "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/", - "https://www.cfr.org/interactive/cyber-operations/project-sauron" + "https://www.cfr.org/interactive/cyber-operations/project-sauron", + "https://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf", + "https://attack.mitre.org/groups/G0041/" ], "synonyms": [ "Strider", @@ -3648,7 +3662,8 @@ "country": "CN", "refs": [ "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", - "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" + "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks", + "https://attack.mitre.org/groups/G0039/" ] }, "related": [ @@ -4640,7 +4655,8 @@ "attribution-confidence": "50", "country": "CN", "refs": [ - "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter" + "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts", + "https://attack.mitre.org/groups/G0062/" ] }, "related": [ 
@@ -5458,7 +5474,8 @@ "cfr-type-of-incident": "Espionage", "refs": [ "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", - "https://www.cfr.org/interactive/cyber-operations/sowbug" + "https://www.cfr.org/interactive/cyber-operations/sowbug", + "https://attack.mitre.org/groups/G0054/" ] }, "related": [ @@ -6811,7 +6828,12 @@ "meta": { "refs": [ "https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/", - "https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png" + "https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png", + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter", + "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", + "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", + "https://threatpost.com/ta505-servhelper-malware/140792/" + "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/" ] }, "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", @@ -7053,7 +7075,9 @@ "meta": { "refs": [ "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia", + "https://attack.mitre.org/groups/G0086/" ] }, "uuid": "769aeaa6-d193-4e90-a818-d74c6ff7b845", From 52e51833de582895f4a3a6a3c30d7bf16c257502 Mon Sep 17 00:00:00 2001 
From: Deborah Servili Date: Tue, 18 Jun 2019 16:05:49 +0200 Subject: [PATCH 32/92] update threat actor galaxy --- clusters/threat-actor.json | 95 +++++++++++++++++++++++++++++++++----- 1 file changed, 83 insertions(+), 12 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 047a49b..1a76931 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -613,7 +613,11 @@ "meta": { "refs": [ "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", + "https://blog.lookout.com/titan-mobile-threat", + "https://attack.mitre.org/groups/G0081/" ], "synonyms": [ "Operation Tropic Trooper", @@ -1618,7 +1622,8 @@ "refs": [ "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html", - "https://www.cfr.org/interactive/cyber-operations/admin338" + "https://www.cfr.org/interactive/cyber-operations/admin338", + "https://attack.mitre.org/groups/G0018/" ], "synonyms": [ "Admin338", 
@@ -2524,7 +2529,26 @@ "https://www.cfr.org/interactive/cyber-operations/turla", "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", - "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" + "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/", + "https://www.nytimes.com/2010/08/26/technology/26cyber.html", + "https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html", + "https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/", + "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://securelist.com/introducing-whitebear/81638/", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/", + "https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit", + "https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + 
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", + "https://attack.mitre.org/groups/G0010/" ], "synonyms": [ "Turla", @@ -2540,7 +2564,9 @@ "KRYPTON", "Hippo Team", "Pacifier APT", - "Popeye" + "Popeye", + "SIG23", + "Iron Hunter" ] }, "related": [ 
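Review bot: `"https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/"` is added twice in this hunk's refs (once after the Kaspersky satellite-Turla ref and again just before the Symantec Waterbug PDF), so the duplicate clean-up of PATCH 29 is immediately undone for this cluster; drop the second occurrence. Since refs are plain string arrays, a per-cluster uniqueness check in the validation step would catch this class of slip mechanically. The Winnti hunk in PATCH 33 has the same problem with `"https://securelist.com/winnti-more-than-just-a-game/37029/"`, which is also added twice.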
@@ -2702,12 +2728,18 @@ "value": "Sandworm" }, { - "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.", + "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group. TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.", "meta": { "attribution-confidence": "50", "country": "RU", "refs": [ - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/", + "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/", + "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/" ], "synonyms": [ "Sandworm" 
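Review bot: The sentence appended to the description, `TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.`, is spliced onto what reads as a verbatim quote from the welivesecurity write-up, so a reader can no longer tell which claims come from ESET and which from the galaxy maintainer. Either separate it with a `\n` and name the source that makes the association (adding it to `refs`), or put the names in `synonyms` or a `related` entry where they belong structurally; with `attribution-confidence` at `"50"` the provenance of the claim matters. Note also that `"Sandworm"` is already a synonym here while a separate cluster with `"value": "Sandworm"` immediately precedes this one; the new sentence reinforces that overlap rather than resolving it.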
@@ -2797,6 +2829,7 @@ "value": "Anunak" }, { + "description": "Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say.\nThe attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets.\nResearchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", @@ -2812,7 +2845,10 @@ "country": "RU", "refs": [ "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/", - "https://www.cfr.org/interactive/cyber-operations/team-spy-crew" + "https://www.cfr.org/interactive/cyber-operations/team-spy-crew", + "https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/", + "https://www.crysys.hu/publications/files/teamspy.pdf", + "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf" ], "synonyms": [ "TeamSpy", 
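Review bot: The new ref `https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf` points at a bare CDN distribution hostname rather than the publisher's own domain; such hostnames are not stable and do not identify the publisher without resolving them. The path shape matches the `media.kasperskycontenthub.com/wp-content/uploads/sites/43/...` reference used for the ProjectSauron paper in PATCH 31, so this is presumably the same content host and the canonical hostname should be used instead. The multi-paragraph description added in the first hunk carries no source marker; it appears to be taken from the threatpost article added to `refs`, and naming that in the text (or quoting only the first paragraph) would make the provenance clear.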
@@ -3202,7 +3238,8 @@ "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf", "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf", "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials", - "https://s.tencent.com/research/report/669.html" + "https://s.tencent.com/research/report/669.html", + "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html" ], "synonyms": [ "C-Major", @@ -3871,7 +3908,14 @@ "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", "meta": { "refs": [ - "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf" + "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf", + "https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/", + "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/" + ], + "synonyms": [ + "Reuse team", + "Malware reusers", + "Dancing Salome" ] }, "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a", @@ -6417,7 +6461,8 @@ "cfr-type-of-incident": "Espionage", "refs": [ "https://www.cfr.org/interactive/cyber-operations/thrip", - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", + "https://attack.mitre.org/groups/G0076/" ] }, "uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc", 
@@ -6832,7 +6877,7 @@
 "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter",
 "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
 "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
- "https://threatpost.com/ta505-servhelper-malware/140792/"
+ "https://threatpost.com/ta505-servhelper-malware/140792/",
 "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/"
 ]
 },
@@ -7373,7 +7418,33 @@ }, "uuid": "4fcbd08a-8ea6-11e9-8bf2-970182ab6bb5", "value": "Slingshot" + }, + { + "description": "The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues. The attackers actively sent out malicious documents and maintained several IP addresses for command and control.\nAs part of their social engineering ploy, the Taidoor attackers attach a decoy document to their emails that, when opened, displays the contents of a legitimate document but executes a malicious payload in the background.\nWe were only able to gather a limited amount of information regarding the Taidoor attackers’ activities after they have compromised a target. We did, however, find that the Taidoor malware allowed attackers to operate an interactive shell on compromised computers and to upload and download files. In order to determine the operational capabilities of the attackers behind the Taidoor campaign, we monitored a compromised honeypot. The attackers issued out some basic commands in an attempt to map out the extent of the network compromise but quickly realized that the honeypot was not an intended targeted and so promptly disabled the Taidoor malware running on it. 
This indicated that while Taidoor malware were more widely distributed compared with those tied to other targeted campaigns, the attackers could quickly assess their targets and distinguish these from inadvertently compromised computers and honeypots.", + "meta": { + "refs": [ + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf", + "https://attack.mitre.org/groups/G0015/" + ] + }, + "uuid": "e6669606-91ad-11e9-b6f5-374843911989", + "value": "Taidoor" + }, + { + "description": "TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.", + "meta": { + "refs": [ + "https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/", + "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html", + "https://attack.mitre.org/groups/G0088/" + ], + "synonyms": [ + "Xenotime" + ] + }, + "uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2", + "value": "TEMP.Veles" } ], - "version": 115 + "version": 117 } From 4bd37e2b2dbc68b1053dcbdb0fd3ce886fb5d3ae Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 19 Jun 2019 16:38:04 +0200 Subject: [PATCH 33/92] update threat actor galaxy --- clusters/threat-actor.json | 87 +++++++++++++++++++++++++++++++++++--- 1 file changed, 80 insertions(+), 7 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1a76931..84df172 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
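Review bot: The TEMP.Veles description asserts the group is `Russia-based` and the Taidoor description describes Taiwanese C&C infrastructure, yet neither new entry carries the `attribution-confidence` / `country` meta fields the neighbouring clusters use (e.g. TeleBots in PATCH 32), so the attribution lives only in free text and cannot be queried or filtered. Add `"attribution-confidence": "50"` with the matching `"country"` where the cited source supports it, or leave the attribution out of the description. The `version` jump from 115 to 117 in a single commit is harmless but suggests an intermediate state was squashed; one increment per commit keeps the history readable.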
@@ -653,10 +653,22 @@ "cfr-type-of-incident": "Espionage", "country": "CN", "refs": [ - "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/", + "https://securelist.com/winnti-faq-more-than-just-a-game/57585/", + "https://securelist.com/winnti-more-than-just-a-game/37029/", "http://williamshowalter.com/a-universal-windows-bootkit/", "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/", - "https://www.cfr.org/interactive/cyber-operations/axiom" + "https://www.cfr.org/interactive/cyber-operations/axiom", + "https://securelist.com/games-are-over/70991/", + "https://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html", + "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a", + "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341", + "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", + "https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004", + "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/", + "https://securelist.com/winnti-more-than-just-a-game/37029/", + "https://401trg.com/burning-umbrella/", + "https://attack.mitre.org/groups/G0044/" ], "synonyms": [ "Winnti Group", 
@@ -4490,12 +4502,16 @@ "value": "SilverTerrier" }, { - "description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.", + "description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.\n Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.\n This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. 
Stolen information could also be used for insider-trading purposes.", "meta": { "refs": [ "https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks", - "https://securelist.com/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/", - "https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/" + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/", + "https://blog.twitter.com/official/en_us/a/2013/keeping-our-users-secure.html", + "https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766", + "https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219", + "https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/" ], "synonyms": [ "Butterfly", 
@@ -5451,6 +5467,7 @@ "value": "Unit 8200" }, { + "description": "As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other Turla campaigns, like those deploying Kopiluwak, as documented in “KopiLuwak – A New JavaScript Payload from Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as well as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts. However, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with a separate focus. We note that this observation of delineated target focus, tooling, and project context is an interesting one that also can be repeated across broadly labeled Turla and Sofacy activity.\nFrom February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts. 
WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", @@ -7213,7 +7230,8 @@ "description": "In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.", "meta": { "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore" + "https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore", + "https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J" ] }, "uuid": "943f490e-ac7f-40fe-b6f3-33e2623649d2", 
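Review bot: The new WhiteBear description is first-person vendor prose — it opens with `As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update...` followed by `Much of the contents of that report are reproduced here.` — which reads as if the galaxy itself were speaking. Either drop those two sentences and start at `WhiteBear is a parallel project or second stage of the Skipper Turla cluster...`, or attribute the quotation with a prefix such as `(Kaspersky) `. The entry's `refs` block is outside this hunk, so it cannot be confirmed here that the Securelist source of the copied text is listed; if it is not, it should be added. The Whitefly hunk on the same line only adds a reference and needs no change.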
@@ -7444,7 +7462,62 @@ }, "uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2", "value": "TEMP.Veles" + }, + { + "description": "In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.", + "meta": { + "refs": [ + "https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/", + "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf" + ] + }, + "uuid": "cbbbfc82-9294-11e9-8e19-2bc14137b25b", + "value": "WindShift" + }, + { + "description": "Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year. 
Note -most of the leaks are posted on Telegram channels that were created specifically for this purpose.\n Below are the three main Telegram groups on which the leaks were posted: \nLab Dookhtegam pseudonym (\"The people whose lips are stitched and sealed\" –translation from Persian) –In this channel attack tools attributed to the group 'OilRig' were leaked; including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more. \nGreen Leakers–In this channel attack tools attributed to the group 'MuddyWatter' were leaked. The group's name and its symbol are identified with the \"green movement\", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the revolutionary guards (IRGC) \nBlack Box–Unlike the previous two channels this has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as \"secret\" (a high confidentiality level in Iran, one before the highest -top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.", + "meta": { + "refs": [ + "https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf" + ] + }, + "uuid": "f50a5f64-9296-11e9-9b46-a331d01a008d", + "value": "[Unnamed group]" + }, + { + "description": "DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that encrypts files using a combination of cryptographic algorithms: RSA with a key size of 2,048 bits, and AES with a key size of 128 bits. Locky targets a large number of file extensions and is able to encrypt data on shared network drives. 
In an attempt to further impact victims and prevent file recovery, Locky deletes all of the Shadow Volume Copies on the machine.\nDUNGEON SPIDER primarily relies on broad spam campaigns with malicious attachments for distribution. Locky is the community/industry name associated with this actor.", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-october-dungeon-spider/" + ] + }, + "uuid": "f1da463c-9297-11e9-875a-d327fc8282f2", + "value": "Dungeon Spider" + }, + { + "description": "Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground. Some of the known Fxmsp TTPs included accessing network environments via externally available remote desktop protocol (RDP) servers and exposed active directory.\nMost recently, the actor claimed to have developed a credential-stealing botnet capable of infecting high-profile targets in order to exfiltrate sensitive usernames and passwords. Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal.", + "meta": { + "refs": [ + "https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies" + ] + }, + "uuid": "686f4fe0-9298-11e9-b02a-af9595918956", + "value": "Fxmsp" + }, + { + "description": "The hacker said that he put up the data for sale mainly because these companies had failed to protect passwords with strong encryption algorithms like bcrypt.\nMost of the hashed passwords the hacker put up for sale today can cracked with various levels of difficulty --but they can be cracked.\n\"I got upset because I feel no one is learning,\" the hacker told ZDNet in an online chat earlier today. 
\"I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry.\"\nIn a conversation with ZDNet last month, the hacker told us he wanted to hack and put up for sale more than one billion records and then retire and disappear with the money.\nBut in a conversation today, the hacker says this is not his target anymore, as he learned that other hackers have already achieved the same goal before him.\n Gnosticplayers also revealed that not all the data he obtained from hacked companies had been put up for sale. Some companies gave into extortion demands and paid fees so breaches would remain private.\n\"I came to an agreement with some companies, but the concerned startups won't see their data for sale,\" he said. \"I did it that's why I can't publish the rest of my databases or even name them.\"", + "meta": { + "refs": [ + "https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/", + "https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/", + "https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/", + "https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/", + "https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/" + ] + }, + "uuid": "f32e3682-9298-11e9-8dcb-639156d97cd1", + "value": "Gnosticplayers" } ], - "version": 117 + "version": 118 } From 7afb9083b28b502245127167d5ad30176331c291 Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Wed, 19 Jun 2019 23:29:35 +0530 Subject: [PATCH 34/92] Update threat-actor.json --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4f474b0..82e5ab8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
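Review bot: `"value": "[Unnamed group]"` is a placeholder rather than an identifier, yet the value is the key by which MISP users tag and match this cluster, and the description covers a leak event (Telegram channels exposing OilRig and MuddyWater tooling) rather than an actor, so it never says what the actor is. Either give the subject a stable name or attach this text as a reference to the existing OilRig and MuddyWater entries, if the galaxy has them. In the same description, `MuddyWatter` looks like a misspelling of `MuddyWater`, and `Lab Dookhtegam` differs from the `Lab Dookhtegan` spelling generally used for that channel; both are worth checking against the cited ClearSky report before they propagate as synonyms. The Gnosticplayers description is verbatim journalist prose with first-person quotes from the actor; prefixing the source, e.g. `(ZDNet) `, would make that explicit as other copied entries do.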
@@ -1946,7 +1946,8 @@
 "synonyms": [
 "APT 33",
 "Elfin",
- "MAGNALLIUM"
+ "MAGNALLIUM",
+ "Refined Kitten"
 ]
 },
 "related": [
From a984786c8b75f8c2053a04c09dc06d806e5b7487 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 20 Jun 2019 16:25:23 +0200
Subject: [PATCH 35/92] update threat actor galaxy
---
 clusters/threat-actor.json | 116 ++++++++++++++++++++++++++++++++-----
 1 file changed, 102 insertions(+), 14 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 84df172..cd7a485 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -668,7 +668,8 @@
 "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
 "https://securelist.com/winnti-more-than-just-a-game/37029/",
 "https://401trg.com/burning-umbrella/",
- "https://attack.mitre.org/groups/G0044/"
+ "https://attack.mitre.org/groups/G0044/",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
 ],
 "synonyms": [
 "Winnti Group",
@@ -6737,7 +6738,17 @@
 "meta": {
 "refs": [
 "https://en.wikipedia.org/wiki/The_Shadow_Brokers",
- "https://securelist.com/darkpulsar/88199/"
+ "https://securelist.com/darkpulsar/88199/",
+ "https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html",
+ "https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files",
+ "https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023",
+ "https://securelist.com/darkpulsar/88199/",
+ "https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/",
+ "https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html",
+ "https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/",
+ "http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html",
+ "https://www.hackread.com/nsa-data-dump-shadowbrokers-expose-unitedrake-malware/",
+ "https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/"
 ],
 "synonyms": [
 "The ShadowBrokers",
@@ -6774,7 +6785,7 @@
 "value": "HookAds"
 },
 {
- "description": "INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.",
+ "description": "INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.\nIn August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.",
 "meta": {
 "refs": [
 "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
@@ -6902,27 +6913,30 @@ "value": "TA505" }, { - "description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.", + "description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.\nSimilar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. 
Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.\nGrim Spider is reportedly associated with Lunar Spider and Wizard Spider.", "meta": { "refs": [ - "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" ] }, "uuid": "3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f", "value": "GRIM SPIDER" }, { - "description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.", + "description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. 
This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.", "meta": { "refs": [ - "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", + "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/" ] }, "uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f", "value": "WIZARD SPIDER" }, { - "description": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.", + "description": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.\nMUMMY SPIDER does not follow typical criminal behavioral patterns. 
In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version.\nAfter a 10 month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects, it is currently acting as a ‘loader’ delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients and a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot.\n MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operate", "meta": { "refs": [ "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", @@ -6930,7 +6944,8 @@ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service" ], "synonyms": [ - "TA542" + "TA542", + "Mummy Spider" ] }, "uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b", 
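Review bot: The extended MUMMY SPIDER description is truncated mid-sentence — it ends `Therefore, it is highly likely that Emotet is operate` — so the text should either be completed from the cited source or cut back to the preceding sentence ending `...Dridex and Qakbot.`. The new WIZARD SPIDER description also pastes in the GRIM SPIDER paragraph verbatim (from `GRIM SPIDER is a sophisticated eCrime group...` through `...focused primarily on wire fraud in the past.`), so the same prose now lives in two entries that will drift apart on the next edit; the one-line relationship sentence plus a `related` link would carry that information without duplication. In the GRIM SPIDER entry, `total current value of $3,701,893.98 USD` is a point-in-time figure from the source that becomes stale in a static cluster; dating it or dropping the USD conversion would age better.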
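Review bot: The added synonym `"Mummy Spider"` appears to differ only in capitalisation from the cluster's own value — the description opens with `MUMMY SPIDER`, though the `value` line itself is outside this hunk. If the value is indeed `MUMMY SPIDER`, the synonym adds nothing for matching unless the consumer's lookup is case-sensitive, and no other entry visible in this patch lists case variants of its own name. Either drop it, or, if case-insensitive matching is the concern, handle that in the matching layer rather than in one entry's synonym list.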
@@ -7023,10 +7038,11 @@
 "value": "Boss Spider"
 },
 {
- "description": "First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.",
+ "description": "First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.\nCrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”\n PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/"
 ]
 },
 "uuid": "80f07c15-cad3-44a2-a8a4-dd14490b5117",
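Review bot: The third paragraph of the new PINCHY SPIDER description restates the opening sentence — `PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018.` repeats what `First observed in January 2018, GandCrab ransomware ... its developer, PINCHY SPIDER` already says — so trimming it to the partnership-program sentences keeps the new information without the repetition. The paragraph break before it also carries a stray space (`\n PINCHY SPIDER`) while the earlier break is a bare `\n`; the same `\n ` pattern appears in the Butterfly and MUMMY SPIDER descriptions in this series, so a consistent `\n` separator across the galaxy would be cleaner.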
@@ -7113,10 +7129,12 @@
 "value": "Tiny Spider"
 },
 {
- "description": "According to CrowdStrike, this actor is using BokBok/IcedID, potentially buying distribution through Emotet infections.",
+ "description": "According to CrowdStrike, this actor is using BokBok/IcedID, potentially buying distribution through Emotet infections.\nOn March 17, 2019, CrowdStrike Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors.\nLunar Spider is reportedly associated withGrim Spider and Wizard Spider.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/"
 ]
 },
 "uuid": "0db4c708-f33d-4d46-906d-12fdf7415f62",
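Review bot: The new description spells the malware two ways in one string — `BokBok/IcedID` in the first sentence (carried over from the old text) and `BokBot` in the second — so the first should become `BokBot/IcedID`. The closing sentence is also missing a space: `associated withGrim Spider` should read `associated with Grim Spider`. Both sit in the added line, so this commit is the place to fix them rather than carry them into the released galaxy.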
@@ -7517,7 +7535,77 @@ }, "uuid": "f32e3682-9298-11e9-8dcb-639156d97cd1", "value": "Gnosticplayers" + }, + { + "description": "The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since.\nSince being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world.\nThe capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied.\nWhen the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future.\nFollowing the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. 
Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/", + "https://en.wikipedia.org/wiki/Hacking_Team", + "https://www.vice.com/en_us/article/gvye3m/spy-tech-company-hacking-team-gets-hacked" + ] + }, + "uuid": "d7f0d2a8-9329-11e9-851e-dbfc1c517e4e", + "value": "Hacking Team" + }, + { + "description": "OurMine is known for celebrity internet accounts, often causing cyber vandalism, to advertise their commercial services.\n(Trend Micro) In light of the recent report detailing its willingness to pay US$250,000 in exchange for the 1.5 terabytes’ worth of data swiped by hackers from its servers, HBO finds itself dealing with yet another security breach.\nKnown for hijacking prominent social media accounts, the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network. These include accounts for HBO shows, such as “Game of Thrones,” “Girls,” and “Ballers.”\nThis is not the first time that OurMine has claimed responsibility for hacking high- profile social networking accounts. Last year, the group victimized Marvel, The New York Times, and even the heads of some of the biggest technology companies in the world. 
Mark Zuckerberg, Jack Dorsey, Sundar Pichai, and Daniel Ek — the CEOs of Facebook, Twitter, Google and Spotify, respectively — have also fallen victim to the hackers, dispelling the notion that a career in software and technology exempts one from being compromised.", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hbo-twitter-and-facebook-accounts-hacked-by-ourmine", + "https://gizmodo.com/welp-vevo-just-got-hacked-1813390834", + "https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/", + "https://en.wikipedia.org/wiki/OurMine" + ] + }, + "uuid": "2c9e1964-9357-11e9-ad8f-5f422851e912", + "value": "OurMine" + }, + { + "description": "Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors from Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are from Chinese origin. We have labeled the undetected Linux.Antd variants, Linux.GreedyAntd and classified the threat actor as Pacha Group.", + "meta": { + "refs": [ + "https://www.intezer.com/blog-technical-analysis-pacha-group/", + "https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/" + ] + }, + "uuid": "aa469d96-9357-11e9-bd7d-df125c7cba53", + "value": "Pacha Group" + }, + { + "description": "This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability.\nIn late July, we became aware that the same actor was engaged in another similar campaign. 
Through our investigation into this new campaign, we were able to uncover more details about the actor.", + "meta": { + "refs": [ + "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html", + "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/", + "https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/" + ] + }, + "uuid": "53583c40-935e-11e9-b4fc-d7e217a306d2", + "value": "Rocke" + }, + { + "description": "An unnamed source leaked almost 10,000 documents describing a large number of 0-day vulnerabilities, methodologies and tools that had been collected by the CIA. This leaking was done through WikiLeaks, since March 2017. In weekly publications, the dumps were said to come from Vault 7 and later Vault 8, until his arrest in 2018.\nMost of the published vulnerabilities have since been fixed by the respective vendors, by many have been used by other threat actors. This actor turned out to be a former CIA software engineer.\n(WikiLeaks) Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named \"Vault 7\" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.\nThe first full part of the series, \"Year Zero\", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.\nRecently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized \"zero day\" exploits, malware remote control systems and associated documentation. 
This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.\n\"Year Zero\" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of \"zero day\" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.", + "meta": { + "refs": [ + "https://wikileaks.org/ciav7p1/", + "https://www.justice.gov/opa/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other-offenses" + ] + }, + "uuid": "9f133738-935f-11e9-aa5e-bbf8d91abb46", + "value": "[Vault 7/8]" + }, + { + "description": "CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”\nPINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. 
The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", + "https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0" + ] + }, + "uuid": "e01b8f3a-9366-11e9-9c6f-17ba128aa4b6", + "value": "Zombie Spider" } ], - "version": 118 + "version": 119 } From 30f042211b32d80380d357771ea38e9359180f82 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 20 Jun 2019 16:35:49 +0200 Subject: [PATCH 36/92] fix duplicate --- clusters/threat-actor.json | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index cd7a485..78d1c2f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -665,8 +665,7 @@ "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/", "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004", - "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/", - "https://securelist.com/winnti-more-than-just-a-game/37029/", + "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",, "https://401trg.com/burning-umbrella/", "https://attack.mitre.org/groups/G0044/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/" 
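Review bot: The new Vault 7/8 entry's value is written with square brackets, `"value": "[Vault 7/8]"`, which no other value in this hunk uses; since the value becomes the cluster's tag name, I would either drop the brackets or say in the description why the name is bracketed. The same description has a typo in `by many have been used by other threat actors` (presumably `but many`) and refers to `his arrest in 2018` before the person is introduced, so the sentence `This actor turned out to be a former CIA software engineer.` belongs before that reference. The Pacha Group and Rocke descriptions are first-person vendor text (`we discovered`, `we have labeled`) with no source prefix, unlike the OurMine and Vault 7 entries in the same hunk, so a `(Intezer)` / `(Talos)` prefix would keep the style consistent.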
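Review bot: The replacement line ends in a double comma, `"https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",,`, which makes clusters/threat-actor.json unparseable at this commit; the following commit ("jq everything") restores the single comma, so the two should be squashed so that no point in the series ships an invalid file. The commit message says "fix duplicate", but the removed Securelist Winnti link is the only occurrence visible in this hunk; if its other copy is further down the refs list, naming the surviving copy in the message would make the removal easier to verify.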
@@ -2530,29 +2529,28 @@ "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ - "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", "https://www.circl.lu/pub/tr-25/", - "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec", - "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", - "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", - "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", - "https://securelist.com/blog/research/67962/the-penquin-turla-2/", - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", - "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", - "https://www.cfr.org/interactive/cyber-operations/turla", - "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", - "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/", - "https://www.nytimes.com/2010/08/26/technology/26cyber.html", - "https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548", + "https://securelist.com/introducing-whitebear/81638/", "https://securelist.com/the-epic-turla-operation/65545/", - "https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html", + "https://www.cfr.org/interactive/cyber-operations/turla", + "https://www.nytimes.com/2010/08/26/technology/26cyber.html", + "https://securelist.com/blog/research/67962/the-penquin-turla-2/", + 
"https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", "https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/", "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/", "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", - "https://securelist.com/introducing-whitebear/81638/", + "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", + "https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548", "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec", + "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/", + "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html", "https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/", "https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", From 195406cc6b60559e74dcaa75e2cb2e6aa9c38ac7 Mon Sep 17 00:00:00 2001 
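Review bot: After this reorder the refs list still holds what appear to be the same two Securelist articles twice, once under the old URL scheme and once under the new one: `https://securelist.com/analysis/publications/65545/the-epic-turla-operation/` beside `https://securelist.com/the-epic-turla-operation/65545/`, and `https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/` beside `https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/`. A commit titled "fix duplicate" should drop the older `/analysis/publications/` and `/blog/research/` forms if they resolve to the same posts. The later "duplicated refs removed" commit in this series removes three other repeats from this list but leaves these two pairs in place.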
From: Alexandre Dulaunoy
Date: Thu, 20 Jun 2019 17:27:55 +0200
Subject: [PATCH 37/92] chg: [threat-actor] jq everything
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1b7d73e..8229cd7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -665,7 +665,7 @@
 "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
 "https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004",
- "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",,
+ "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
 "https://401trg.com/burning-umbrella/",
 "https://attack.mitre.org/groups/G0044/",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
From 5e9d075ae52b9de58296a607f837d8a7af462596 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 20 Jun 2019 17:30:01 +0200
Subject: [PATCH 38/92] chg: [threat-actor] synonyms fixed
---
 clusters/threat-actor.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8229cd7..947e162 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6982,7 +6982,9 @@
 "https://www.group-ib.com/blog/silence",
 "https://securelist.com/the-silence/83009/"
 ],
- "synonyms": "Silence"
+ "synonyms": [
+ "Silence"
+ ]
 },
 "uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
 "value": "Silence group"
From 8c90f7231cb9bc6cb8cb1372adeaeec034b3f14d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 20 Jun 2019 17:35:35 +0200
Subject: [PATCH 39/92] chg: [threat-actor] duplicated refs removed
---
 clusters/threat-actor.json | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 947e162..ebeef11 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2557,9 +2557,6 @@
 "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
 "https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
- "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
 "https://attack.mitre.org/groups/G0010/"
 ],
 "synonyms": [
@@ -6741,7 +6738,6 @@
 "https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html",
 "https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files",
 "https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023",
- "https://securelist.com/darkpulsar/88199/",
 "https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/",
 "https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html",
 "https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/",
From 9517c8b8782a9385874940eec6741a78597cad12 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 20 Jun 2019 17:58:35 +0200
Subject: [PATCH 40/92] chg: [threat-actor] version updated
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ebeef11..9a34a93 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7604,5 +7604,5 @@
 "value": "Zombie Spider"
 }
 ],
- "version": 119
+ "version": 120
 }
From 32ffc98e5d60aec6177bef0af917ba03d3ab7ac8 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 24 Jun 2019 10:20:29 +0200
Subject: [PATCH 41/92] add Felipe Trojan
---
 clusters/rat.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 40e55af..50922a0 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3372,7 +3372,17 @@
 },
 "uuid": "4b9b99f0-9c2d-4db5-aaff-09de88509c04",
 "value": "FlawedAmmy"
+ },
+ {
+ "value": "Felipe",
+ "description": "The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe basically steals the victim's debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine.",
+ "meta": {
+ "refs": [
+ "https://www.zscaler.com/blogs/research/felipe-new-infostealer-trojan"
+ ]
+ },
+ "uuid": "0f117f50-9657-11e9-8e2b-83e391e0ce57"
 }
 ],
- "version": 29
+ "version": 30
 }
From ca45f0deec82daf4f8dd48f51a4f4881edf4d962 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 24 Jun 2019 10:22:38 +0200
Subject: [PATCH 42/92] jq
---
 clusters/rat.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index 50922a0..cd041ba 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
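Review bot: The new Felipe entry orders its keys `value`, `description`, `meta`, `uuid`, while the neighbouring FlawedAmmy entry keeps them sorted (`description`, `meta`, `uuid`, `value`); the next commit ("jq") only reorders them, so running jq before committing would avoid the follow-up formatting commit. The ViceLeaker/SWEED hunk of the later "add SWEED threat actor" commit has the same `value`-first ordering. The description presents Felipe as an infostealer that exfiltrates card and personal data rather than a remote-access tool, so it may fit better outside rat.json; if rat.json is intended, a sentence on its remote-control capability would justify the placement.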
@@ -3374,14 +3374,14 @@
 "value": "FlawedAmmy"
 },
 {
- "value": "Felipe",
 "description": "The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe basically steals the victim's debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine.",
 "meta": {
 "refs": [
 "https://www.zscaler.com/blogs/research/felipe-new-infostealer-trojan"
 ]
 },
- "uuid": "0f117f50-9657-11e9-8e2b-83e391e0ce57"
+ "uuid": "0f117f50-9657-11e9-8e2b-83e391e0ce57",
+ "value": "Felipe"
 }
 ],
 "version": 30
From ea4d8a2d420ba2540fe340dff16ba1134843a39c Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 16 Jul 2019 10:03:07 +0200
Subject: [PATCH 43/92] add SWEED threat actor
---
 clusters/threat-actor.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9a34a93..49a93d4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7602,7 +7602,25 @@ }, "uuid": "e01b8f3a-9366-11e9-9c6f-17ba128aa4b6", "value": "Zombie Spider" + }, + { + "value": "ViceLeaker", + "description": "In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner-workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.\nDuring the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.", + "meta": { + "refs": [ + "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" + ] + } + }, + { + "value": "SWEED", + "description": "Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling \"SWEED,\" including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.\nSWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. 
While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).", + "meta": { + "refs": [ + "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html" + ] + } } ], - "version": 120 + "version": 122 } From 2861d2d78c7db2f1cf308a0142504202c113b651 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 16 Jul 2019 10:13:10 +0200 Subject: [PATCH 44/92] jq --- clusters/threat-actor.json | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 49a93d4..7d2cd7f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
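Review bot: Both new entries, ViceLeaker and SWEED, are added without a `uuid`, whereas every other entry in this file carries one (the Zombie Spider entry just above the insertion point, for instance), so nothing can reference them by identifier; the next commit ("jq") adds the uuids, and the two commits should be squashed so no revision ships entries without one. The version field also jumps from 120 to 122 in a single commit; a one-step bump to `"version": 121` matches how the rest of this series increments it.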
@@ -7604,22 +7604,24 @@ "value": "Zombie Spider" }, { - "value": "ViceLeaker", "description": "In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner-workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information.\nDuring the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.", "meta": { "refs": [ "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" ] - } + }, + "uuid": "f676fcd1-cde9-4d0a-8958-221f2abb56e9", + "value": "ViceLeaker" }, { - "value": "SWEED", "description": "Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling \"SWEED,\" including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans.\nSWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. 
While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).",
 "meta": {
 "refs": [
 "https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html"
 ]
- }
+ },
+ "uuid": "64ac8827-89d9-4738-9df3-cd955c628bee",
+ "value": "SWEED"
 }
 ],
 "version": 122
From 573b8366e7ca4251a9c7bc7eeecfd1f252b89179 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Tue, 16 Jul 2019 16:53:46 +0200
Subject: [PATCH 45/92] Update banker.json Changed icon name
---
 galaxies/banker.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxies/banker.json b/galaxies/banker.json
index 979dcaf..8edee2a 100644
--- a/galaxies/banker.json
+++ b/galaxies/banker.json
@@ -1,6 +1,6 @@
 {
 "description": "Banking malware galaxy.",
- "icon": "usd",
+ "icon": "dollar-sign",
 "name": "Banker",
 "namespace": "misp",
 "type": "banker",
From 1035d1c71b8523179c3c12253bf75d74b8eb1ed9 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Tue, 16 Jul 2019 16:56:10 +0200
Subject: [PATCH 46/92] Update mitre-course-of-action.json Changed icon
---
 galaxies/mitre-course-of-action.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxies/mitre-course-of-action.json b/galaxies/mitre-course-of-action.json
index 380626f..2002f20 100644
--- a/galaxies/mitre-course-of-action.json
+++ b/galaxies/mitre-course-of-action.json
@@ -1,6 +1,6 @@
 {
 "description": "ATT&CK Mitigation",
- "icon": "chain",
+ "icon": "link",
 "name": "Course of Action",
 "namespace": "mitre-attack",
 "type": "mitre-course-of-action",
From 00d1de6fdcb76c9809bbffc6dc6975a03c44dbdf Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Tue, 16 Jul 2019 16:56:28 +0200
Subject: [PATCH 47/92] Update mitre-enterprise-attack-course-of-action.json Changed icon
---
 galaxies/mitre-enterprise-attack-course-of-action.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxies/mitre-enterprise-attack-course-of-action.json b/galaxies/mitre-enterprise-attack-course-of-action.json
index 671f2ef..d1a1420 100644
--- a/galaxies/mitre-enterprise-attack-course-of-action.json
+++ b/galaxies/mitre-enterprise-attack-course-of-action.json
@@ -1,6 +1,6 @@
 {
 "description": "ATT&CK Mitigation",
- "icon": "chain",
+ "icon": "link",
 "name": "Enterprise Attack - Course of Action",
 "namespace": "deprecated",
 "type": "mitre-enterprise-attack-course-of-action",
From 3d4bfa7924c9c7b52fbdf80a0c2566c16e6d8248 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Tue, 16 Jul 2019 16:56:35 +0200
Subject: [PATCH 48/92] Update mitre-mobile-attack-course-of-action.json Changed icon
---
 galaxies/mitre-mobile-attack-course-of-action.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/galaxies/mitre-mobile-attack-course-of-action.json b/galaxies/mitre-mobile-attack-course-of-action.json
index 4a58677..f3322df 100644
--- a/galaxies/mitre-mobile-attack-course-of-action.json
+++ b/galaxies/mitre-mobile-attack-course-of-action.json
@@ -1,6 +1,6 @@
 {
 "description": "ATT&CK Mitigation",
- "icon": "chain",
+ "icon": "link",
 "name": "Mobile Attack - Course of Action",
 "namespace": "deprecated",
 "type": "mitre-mobile-attack-course-of-action",
From 294a8bf6a2bd6b577078aca45bfdb2458186953e Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 19 Jul 2019 10:30:47 +0200
Subject: [PATCH 49/92] new galaxy target-location [DRAFT]
---
 clusters/target-location.json | 3410 +++++++++++++++++++++++++++++++++
 1 file changed, 3410 insertions(+)
 create mode 100644 clusters/target-location.json
diff --git a/clusters/target-location.json b/clusters/target-location.json
new file mode 100644
index 0000000..d5b852a
--- /dev/null
+++ b/clusters/target-location.json
@@ -0,0 +1,3410 @@ +{ + "authors": [ + "Unknown" + ], + "category": "target", + "description": "", + "name": "Target Information", + "source": "Various", + "type": "target-information", + "uuid": "cc6feae0-968a-11e9-a29a-bf581ae8eee3", + "values": [ + { + "meta": { + "calling-code": [ + "+352" + ], + "capital": "Luxembourg", + "currency": [ + "€", + "EUR", + "EURO" + ], + "iso-code": [ + "LU", + "LUX" + ], + "official-languages": [ + "French", + "Luxembourgish", + "German" + ], + "synomyms": [ + "Grand Duchy of Luxembourg", + "Grand-Duché de Luxembourg", + "Lëtzebuerg", + "Groussherzogtum Lëtzebuerg", + "Luxemburg", + "Großherzogtum Luxemburg" + ], + "top-level-domain": "lu", + "type": "country" + }, + "uuid": "f9a1d7f4-980a-11e9-a8b6-23162ddc4255", + "value": "Luxembourg" + }, + { + "meta": { + "calling-code": [ + "+93" + ], + "iso-code": [ + "AF", + "AFG" + ], + "type": "country" + }, + "uuid": "2d0b4ddc-4b46-4e75-8c8b-02f4f7446507", + "value": "Afghanistan" + }, + { + "meta": { + "calling-code": [ + "+355" + ], + "iso-code": [ + "AL", + "ALB" + ], + "type": "country" + }, + "uuid": "bc4c6bf6-c5f1-4927-b928-e9e2434e9ec4", + "value": "Albania" + }, + { + "meta": { + "calling-code": [ + "+213" + ], + "iso-code": [ + "DZ", + "DZA" + ], + "type": "country" + }, + "uuid": "13612aed-8efb-444f-8e29-5b93bd821d0e", + "value": "Algeria" + }, + { + "meta": { + "calling-code": [ + "+1-684" + ], + "iso-code": [ + "AS", + "ASM" + ], + "type": "country" + }, + "uuid": "9856b948-5662-4ce3-beef-9a777e758e5c", + "value": "American Samoa" + }, + { + "meta": { + "calling-code": [ + "+376" + ], + "iso-code": [ + "AD", + "AND" + ], + "type": "country" + }, + "uuid": "5f8aeaac-8654-4b12-99c6-d3bf5ba43c7a", + "value": "Andorra" + }, + { + "meta": { + "calling-code": [ + "+244" + ], + "iso-code": [ + "AO", + "AGO" + ], + "type": "country" + }, + "uuid": "ec22a747-be01-4bf8-bb3b-4dac8ec033dc", + "value": "Angola" + }, + { + "meta": { + "calling-code": [ + "+1-264" + ], + "iso-code": [ + 
"AI", + "AIA" + ], + "type": "country" + }, + "uuid": "eaeca984-4c51-4bff-8389-4b66c8fddb1c", + "value": "Anguilla" + }, + { + "meta": { + "calling-code": [ + "+672" + ], + "iso-code": [ + "AQ", + "ATA" + ], + "type": "country" + }, + "uuid": "09dbf944-5c73-4ff7-8b1b-b43b42282acb", + "value": "Antarctica" + }, + { + "meta": { + "calling-code": [ + "+1-268" + ], + "iso-code": [ + "AG", + "ATG" + ], + "type": "country" + }, + "uuid": "b0d7f6d5-8f5e-4bd8-98d7-92fcc4c195b9", + "value": "Antigua and Barbuda" + }, + { + "meta": { + "calling-code": [ + "+54" + ], + "iso-code": [ + "AR", + "ARG" + ], + "type": "country" + }, + "uuid": "f21ecd23-c3c8-4308-8363-c1260a57e695", + "value": "Argentina" + }, + { + "meta": { + "calling-code": [ + "+374" + ], + "iso-code": [ + "AM", + "ARM" + ], + "type": "country" + }, + "uuid": "e1a61736-a7d4-4c31-aeda-bd49beabdb40", + "value": "Armenia" + }, + { + "meta": { + "calling-code": [ + "+297" + ], + "iso-code": [ + "AW", + "ABW" + ], + "type": "country" + }, + "uuid": "d9684c43-0ced-48eb-86e6-d2802ff31cde", + "value": "Aruba" + }, + { + "meta": { + "calling-code": [ + "+61" + ], + "iso-code": [ + "AU", + "AUS" + ], + "type": "country" + }, + "uuid": "ca250c03-aead-41e3-a077-085d66211186", + "value": "Australia" + }, + { + "meta": { + "calling-code": [ + "+43" + ], + "iso-code": [ + "AT", + "AUT" + ], + "type": "country" + }, + "uuid": "e88f7003-09e9-4275-b176-d4246e59a0d5", + "value": "Austria" + }, + { + "meta": { + "calling-code": [ + "+994" + ], + "iso-code": [ + "AZ", + "AZE" + ], + "type": "country" + }, + "uuid": "4dac6eec-948d-4df5-946b-21ac0aaf5471", + "value": "Azerbaijan" + }, + { + "meta": { + "calling-code": [ + "+1-242" + ], + "iso-code": [ + "BS", + "BHS" + ], + "type": "country" + }, + "uuid": "5029a486-9c17-454a-bbcd-6e9b774705f9", + "value": "Bahamas" + }, + { + "meta": { + "calling-code": [ + "+973" + ], + "iso-code": [ + "BH", + "BHR" + ], + "type": "country" + }, + "uuid": "819805c9-8f06-4f0c-af79-926960b4c23f", + 
"value": "Bahrain" + }, + { + "meta": { + "calling-code": [ + "+880" + ], + "iso-code": [ + "BD", + "BGD" + ], + "type": "country" + }, + "uuid": "cb78009e-1355-4afa-a655-0cf03d7fd947", + "value": "Bangladesh" + }, + { + "meta": { + "calling-code": [ + "+1-246" + ], + "iso-code": [ + "BB", + "BRB" + ], + "type": "country" + }, + "uuid": "062daa09-7c4a-4dec-ba9d-625d96871708", + "value": "Barbados" + }, + { + "meta": { + "calling-code": [ + "+375" + ], + "iso-code": [ + "BY", + "BLR" + ], + "type": "country" + }, + "uuid": "9e5e118a-ebe8-464a-bd38-350af4d645c4", + "value": "Belarus" + }, + { + "meta": { + "calling-code": [ + "+32" + ], + "iso-code": [ + "BE", + "BEL" + ], + "type": "country" + }, + "uuid": "30f35478-7961-464f-bd3c-732a8f5e1fe5", + "value": "Belgium" + }, + { + "meta": { + "calling-code": [ + "+501" + ], + "iso-code": [ + "BZ", + "BLZ" + ], + "type": "country" + }, + "uuid": "4b7f2038-cc17-4bb1-bc28-dacc9772e6fc", + "value": "Belize" + }, + { + "meta": { + "calling-code": [ + "+229" + ], + "iso-code": [ + "BJ", + "BEN" + ], + "type": "country" + }, + "uuid": "5c68d3ce-0beb-4b9a-a81d-e5d64f14b9a1", + "value": "Benin" + }, + { + "meta": { + "calling-code": [ + "+1-441" + ], + "iso-code": [ + "BM", + "BMU" + ], + "type": "country" + }, + "uuid": "67e9dd29-9da1-4585-b0e6-303defa1e751", + "value": "Bermuda" + }, + { + "meta": { + "calling-code": [ + "+975" + ], + "iso-code": [ + "BT", + "BTN" + ], + "type": "country" + }, + "uuid": "7a431a2e-623b-4fb0-8316-a5d42266070d", + "value": "Bhutan" + }, + { + "meta": { + "calling-code": [ + "+591" + ], + "iso-code": [ + "BO", + "BOL" + ], + "type": "country" + }, + "uuid": "06c20eb8-bec1-4f56-a5af-91f5fb826e4d", + "value": "Bolivia" + }, + { + "meta": { + "calling-code": [ + "+387" + ], + "iso-code": [ + "BA", + "BIH" + ], + "type": "country" + }, + "uuid": "eccea7a8-d7f5-4b33-b948-ac8595e92500", + "value": "Bosnia and Herzegovina" + }, + { + "meta": { + "calling-code": [ + "+267" + ], + "iso-code": [ + "BW", + 
"BWA" + ], + "type": "country" + }, + "uuid": "b29dca55-6930-494e-ae8e-fe89e5317529", + "value": "Botswana" + }, + { + "meta": { + "calling-code": [ + "+55" + ], + "iso-code": [ + "BR", + "BRA" + ], + "type": "country" + }, + "uuid": "75fe4c94-f864-41dc-8dd2-758e2e2d4deb", + "value": "Brazil" + }, + { + "meta": { + "calling-code": [ + "+246" + ], + "iso-code": [ + "IO", + "IOT" + ], + "type": "country" + }, + "uuid": "f974dd18-3a6b-4910-af8f-1d6256369b05", + "value": "British Indian Ocean Territory" + }, + { + "meta": { + "calling-code": [ + "+1-284" + ], + "iso-code": [ + "VG", + "VGB" + ], + "type": "country" + }, + "uuid": "9feffe01-624f-46fd-9e55-baec2098db69", + "value": "British Virgin Islands" + }, + { + "meta": { + "calling-code": [ + "+673" + ], + "iso-code": [ + "BN", + "BRN" + ], + "type": "country" + }, + "uuid": "a039c8f7-1a7a-46e6-b16b-a9648a280f77", + "value": "Brunei" + }, + { + "meta": { + "calling-code": [ + "+359" + ], + "iso-code": [ + "BG", + "BGR" + ], + "type": "country" + }, + "uuid": "61766ec7-b1aa-4d92-afaa-883842d4f6ac", + "value": "Bulgaria" + }, + { + "meta": { + "calling-code": [ + "+226" + ], + "iso-code": [ + "BF", + "BFA" + ], + "type": "country" + }, + "uuid": "dfb27e34-f6dc-4db3-b3fa-313a8125ddf2", + "value": "Burkina Faso" + }, + { + "meta": { + "calling-code": [ + "+257" + ], + "iso-code": [ + "BI", + "BDI" + ], + "type": "country" + }, + "uuid": "f545307d-db22-49d3-858f-8d03db4428da", + "value": "Burundi" + }, + { + "meta": { + "calling-code": [ + "+855" + ], + "iso-code": [ + "KH", + "KHM" + ], + "type": "country" + }, + "uuid": "03757eb3-f75a-48e1-a4ef-18a62c7d1838", + "value": "Cambodia" + }, + { + "meta": { + "calling-code": [ + "+237" + ], + "iso-code": [ + "CM", + "CMR" + ], + "type": "country" + }, + "uuid": "68e9ed03-4954-4a2a-8971-1224fa3ab760", + "value": "Cameroon" + }, + { + "meta": { + "calling-code": [ + "+1" + ], + "iso-code": [ + "CA", + "CAN" + ], + "type": "country" + }, + "uuid": 
"d0e51f88-2a01-4a9d-b080-464bb6f5172f", + "value": "Canada" + }, + { + "meta": { + "calling-code": [ + "+238" + ], + "iso-code": [ + "CV", + "CPV" + ], + "type": "country" + }, + "uuid": "457e880a-0d5a-4729-b7b1-fcfeccf61f07", + "value": "Cape Verde" + }, + { + "meta": { + "calling-code": [ + "+1-345" + ], + "iso-code": [ + "KY", + "CYM" + ], + "type": "country" + }, + "uuid": "036ac306-bedd-44a6-807a-69314d59dfef", + "value": "Cayman Islands" + }, + { + "meta": { + "calling-code": [ + "+236" + ], + "iso-code": [ + "CF", + "CAF" + ], + "type": "country" + }, + "uuid": "4abded58-faa1-4a2b-ae16-01a12409df7c", + "value": "Central African Republic" + }, + { + "meta": { + "calling-code": [ + "+235" + ], + "iso-code": [ + "TD", + "TCD" + ], + "type": "country" + }, + "uuid": "da6f9a8b-91f0-400f-ad1b-47b49fe48412", + "value": "Chad" + }, + { + "meta": { + "calling-code": [ + "+56" + ], + "iso-code": [ + "CL", + "CHL" + ], + "type": "country" + }, + "uuid": "bb81858f-5803-4f3b-9aac-92869b750f9e", + "value": "Chile" + }, + { + "meta": { + "calling-code": [ + "+86" + ], + "iso-code": [ + "CN", + "CHN" + ], + "type": "country" + }, + "uuid": "53d3d205-db31-4ec9-86aa-c2bf11fd18e6", + "value": "China" + }, + { + "meta": { + "calling-code": [ + "+61" + ], + "iso-code": [ + "CX", + "CXR" + ], + "type": "country" + }, + "uuid": "0ccf619a-927a-4963-9ec3-34598e898d46", + "value": "Christmas Island" + }, + { + "meta": { + "calling-code": [ + "+61" + ], + "iso-code": [ + "CC", + "CCK" + ], + "type": "country" + }, + "uuid": "a5752a1e-1306-4a6c-8ed4-c9d0f627d397", + "value": "Cocos Islands" + }, + { + "meta": { + "calling-code": [ + "+57" + ], + "iso-code": [ + "CO", + "COL" + ], + "type": "country" + }, + "uuid": "25f47423-5005-4caa-b4b0-6b9ada986611", + "value": "Colombia" + }, + { + "meta": { + "calling-code": [ + "+269" + ], + "iso-code": [ + "KM", + "COM" + ], + "type": "country" + }, + "uuid": "3a9ec602-9f36-4943-baee-f873ee3c3691", + "value": "Comoros" + }, + { + "meta": { + 
"calling-code": [ + "+682" + ], + "iso-code": [ + "CK", + "COK" + ], + "type": "country" + }, + "uuid": "704756d4-9e33-48c3-8d25-037b00e94888", + "value": "Cook Islands" + }, + { + "meta": { + "calling-code": [ + "+506" + ], + "iso-code": [ + "CR", + "CRI" + ], + "type": "country" + }, + "uuid": "a568be65-88ff-4290-9562-9a5227eb346a", + "value": "Costa Rica" + }, + { + "meta": { + "calling-code": [ + "+385" + ], + "iso-code": [ + "HR", + "HRV" + ], + "type": "country" + }, + "uuid": "c753504c-9fe3-41f3-a423-86f64eff2af4", + "value": "Croatia" + }, + { + "meta": { + "calling-code": [ + "+53" + ], + "iso-code": [ + "CU", + "CUB" + ], + "type": "country" + }, + "uuid": "7abd8189-65d8-4682-8091-7350d8e8ea9f", + "value": "Cuba" + }, + { + "meta": { + "calling-code": [ + "+599" + ], + "iso-code": [ + "CW", + "CUW" + ], + "type": "country" + }, + "uuid": "2f8fc176-c26d-48a9-a441-2f0e7b04e74b", + "value": "Curacao" + }, + { + "meta": { + "calling-code": [ + "+357" + ], + "iso-code": [ + "CY", + "CYP" + ], + "type": "country" + }, + "uuid": "95e86a29-0ee0-4ac5-8ec0-57036298c141", + "value": "Cyprus" + }, + { + "meta": { + "calling-code": [ + "+420" + ], + "iso-code": [ + "CZ", + "CZE" + ], + "type": "country" + }, + "uuid": "ef6651eb-1168-422c-9853-5200c737b332", + "value": "Czech Republic" + }, + { + "meta": { + "calling-code": [ + "+243" + ], + "iso-code": [ + "CD", + "COD" + ], + "type": "country" + }, + "uuid": "5a266a76-fc45-4457-8838-3e490bd26dc1", + "value": "Democratic Republic of the Congo" + }, + { + "meta": { + "calling-code": [ + "+45" + ], + "iso-code": [ + "DK", + "DNK" + ], + "type": "country" + }, + "uuid": "2890ae27-cc54-42df-8c0c-47285145bd49", + "value": "Denmark" + }, + { + "meta": { + "calling-code": [ + "+253" + ], + "iso-code": [ + "DJ", + "DJI" + ], + "type": "country" + }, + "uuid": "543afec2-19b2-4769-aacb-dd69a380c2cc", + "value": "Djibouti" + }, + { + "meta": { + "calling-code": [ + "+1-767" + ], + "iso-code": [ + "DM", + "DMA" + ], + "type": 
"country" + }, + "uuid": "151ff291-da46-41aa-b8c2-62faecefbe4a", + "value": "Dominica" + }, + { + "meta": { + "calling-code": [ + "+1-809", + "+1-829", + "+1-849" + ], + "iso-code": [ + "DO", + "DOM" + ], + "type": "country" + }, + "uuid": "a621624f-5c1a-403d-b5dd-89da7af7555f", + "value": "Dominican Republic" + }, + { + "meta": { + "calling-code": [ + "+670" + ], + "iso-code": [ + "TL", + "TLS" + ], + "type": "country" + }, + "uuid": "b5371e8a-00bb-4653-abe3-2e9b92454b15", + "value": "East Timor" + }, + { + "meta": { + "calling-code": [ + "+593" + ], + "iso-code": [ + "EC", + "ECU" + ], + "type": "country" + }, + "uuid": "9e4f2bc9-9ef5-4369-a275-b3df56e5a35e", + "value": "Ecuador" + }, + { + "meta": { + "calling-code": [ + "+20" + ], + "iso-code": [ + "EG", + "EGY" + ], + "type": "country" + }, + "uuid": "7fbebdc8-5a13-430e-9248-58d2b1a9af0f", + "value": "Egypt" + }, + { + "meta": { + "calling-code": [ + "+503" + ], + "iso-code": [ + "SV", + "SLV" + ], + "type": "country" + }, + "uuid": "1822e12a-1f4b-4675-8e2a-a6d123b3ea24", + "value": "El Salvador" + }, + { + "meta": { + "calling-code": [ + "+240" + ], + "iso-code": [ + "GQ", + "GNQ" + ], + "type": "country" + }, + "uuid": "5c3d7a8e-9cd6-4d3d-ab6b-3cb8acaa208f", + "value": "Equatorial Guinea" + }, + { + "meta": { + "calling-code": [ + "+291" + ], + "iso-code": [ + "ER", + "ERI" + ], + "type": "country" + }, + "uuid": "aea99d00-9675-4289-9f3b-acb1ddf13f49", + "value": "Eritrea" + }, + { + "meta": { + "calling-code": [ + "+372" + ], + "iso-code": [ + "EE", + "EST" + ], + "type": "country" + }, + "uuid": "c8ea4824-7ed2-473a-906d-745bd73a2612", + "value": "Estonia" + }, + { + "meta": { + "calling-code": [ + "+251" + ], + "iso-code": [ + "ET", + "ETH" + ], + "type": "country" + }, + "uuid": "b25e700a-6b79-4c86-90ff-304032b182db", + "value": "Ethiopia" + }, + { + "meta": { + "calling-code": [ + "+500" + ], + "iso-code": [ + "FK", + "FLK" + ], + "type": "country" + }, + "uuid": "8041a1dc-e9a6-460e-8dd8-d37e45b787dd", + 
"value": "Falkland Islands" + }, + { + "meta": { + "calling-code": [ + "+298" + ], + "iso-code": [ + "FO", + "FRO" + ], + "type": "country" + }, + "uuid": "3aa1d642-9b8d-4dcd-bd4a-5368602555a4", + "value": "Faroe Islands" + }, + { + "meta": { + "calling-code": [ + "+679" + ], + "iso-code": [ + "FJ", + "FJI" + ], + "type": "country" + }, + "uuid": "218bcbfe-46cb-4fd0-852c-3a7fc64a2908", + "value": "Fiji" + }, + { + "meta": { + "calling-code": [ + "+358" + ], + "iso-code": [ + "FI", + "FIN" + ], + "type": "country" + }, + "uuid": "bde60aea-b748-4bd9-8d6d-f0174af0b36e", + "value": "Finland" + }, + { + "meta": { + "calling-code": [ + "+33" + ], + "iso-code": [ + "FR", + "FRA" + ], + "type": "country" + }, + "uuid": "0cc6ad08-fac6-42bc-a7c7-09a53ea6b968", + "value": "France" + }, + { + "meta": { + "calling-code": [ + "+689" + ], + "iso-code": [ + "PF", + "PYF" + ], + "type": "country" + }, + "uuid": "df751036-8c01-41ce-ab02-139119ce9213", + "value": "French Polynesia" + }, + { + "meta": { + "calling-code": [ + "+241" + ], + "iso-code": [ + "GA", + "GAB" + ], + "type": "country" + }, + "uuid": "8e70d742-c708-4a9e-8ab1-6a8a90306ccf", + "value": "Gabon" + }, + { + "meta": { + "calling-code": [ + "+220" + ], + "iso-code": [ + "GM", + "GMB" + ], + "type": "country" + }, + "uuid": "2ded2689-16c3-4476-a2d8-04c4bc51ae4a", + "value": "Gambia" + }, + { + "meta": { + "calling-code": [ + "+995" + ], + "iso-code": [ + "GE", + "GEO" + ], + "type": "country" + }, + "uuid": "76c2f2fe-ce68-4008-aa30-1ac8de38d617", + "value": "Georgia" + }, + { + "meta": { + "calling-code": [ + "+49" + ], + "iso-code": [ + "DE", + "DEU" + ], + "type": "country" + }, + "uuid": "4121d334-39d0-49c4-8a0e-0442c6bdcbc4", + "value": "Germany" + }, + { + "meta": { + "calling-code": [ + "+233" + ], + "iso-code": [ + "GH", + "GHA" + ], + "type": "country" + }, + "uuid": "6f7a0f04-8299-4a2d-95d0-a8305a1ae23e", + "value": "Ghana" + }, + { + "meta": { + "calling-code": [ + "+350" + ], + "iso-code": [ + "GI", + "GIB" 
+ ], + "type": "country" + }, + "uuid": "078a914d-7ef3-413b-8a62-2473b8db1c12", + "value": "Gibraltar" + }, + { + "meta": { + "calling-code": [ + "+30" + ], + "iso-code": [ + "GR", + "GRC" + ], + "type": "country" + }, + "uuid": "505730f7-2637-4efb-845d-f1af7cdca109", + "value": "Greece" + }, + { + "meta": { + "calling-code": [ + "+299" + ], + "iso-code": [ + "GL", + "GRL" + ], + "type": "country" + }, + "uuid": "20f2c544-093d-4964-84ae-7d5fd54ad6d0", + "value": "Greenland" + }, + { + "meta": { + "calling-code": [ + "+1-473" + ], + "iso-code": [ + "GD", + "GRD" + ], + "type": "country" + }, + "uuid": "1aea4486-eef7-496b-9a69-a2d2bdbe7b77", + "value": "Grenada" + }, + { + "meta": { + "calling-code": [ + "+1-671" + ], + "iso-code": [ + "GU", + "GUM" + ], + "type": "country" + }, + "uuid": "4dc24d07-79ee-43b7-98a0-53bc79a29708", + "value": "Guam" + }, + { + "meta": { + "calling-code": [ + "+502" + ], + "iso-code": [ + "GT", + "GTM" + ], + "type": "country" + }, + "uuid": "3e3e89d2-07f3-4ddc-addf-2d5cb05bedd1", + "value": "Guatemala" + }, + { + "meta": { + "calling-code": [ + "+44-1481" + ], + "iso-code": [ + "GG", + "GGY" + ], + "type": "country" + }, + "uuid": "dd42b40e-2740-46f5-9bb1-6d0799a081c7", + "value": "Guernsey" + }, + { + "meta": { + "calling-code": [ + "+224" + ], + "iso-code": [ + "GN", + "GIN" + ], + "type": "country" + }, + "uuid": "f227edf8-e538-45b8-8a70-1a05ea5a605b", + "value": "Guinea" + }, + { + "meta": { + "calling-code": [ + "+245" + ], + "iso-code": [ + "GW", + "GNB" + ], + "type": "country" + }, + "uuid": "3b5824bc-936e-4403-bdc9-4dd9a7db36e3", + "value": "Guinea-Bissau" + }, + { + "meta": { + "calling-code": [ + "+592" + ], + "iso-code": [ + "GY", + "GUY" + ], + "type": "country" + }, + "uuid": "cb9fbca4-6cc6-4f83-9ebc-4e975cddea69", + "value": "Guyana" + }, + { + "meta": { + "calling-code": [ + "+509" + ], + "iso-code": [ + "HT", + "HTI" + ], + "type": "country" + }, + "uuid": "595dd000-64ac-43b5-be17-0f52eff47459", + "value": "Haiti" + }, + 
{ + "meta": { + "calling-code": [ + "+504" + ], + "iso-code": [ + "HN", + "HND" + ], + "type": "country" + }, + "uuid": "74a66006-ce2b-4280-abd1-e6f14ff9b926", + "value": "Honduras" + }, + { + "meta": { + "calling-code": [ + "+852" + ], + "iso-code": [ + "HK", + "HKG" + ], + "type": "country" + }, + "uuid": "51c8ffc5-5453-4bf8-b100-74186d9a0de0", + "value": "Hong Kong" + }, + { + "meta": { + "calling-code": [ + "+36" + ], + "iso-code": [ + "HU", + "HUN" + ], + "type": "country" + }, + "uuid": "adc52cee-5668-498d-8111-db1c38a584c5", + "value": "Hungary" + }, + { + "meta": { + "calling-code": [ + "+354" + ], + "iso-code": [ + "IS", + "ISL" + ], + "type": "country" + }, + "uuid": "5bcfbed4-d9af-40ab-bcbd-013cad252570", + "value": "Iceland" + }, + { + "meta": { + "calling-code": [ + "+91" + ], + "iso-code": [ + "IN", + "IND" + ], + "type": "country" + }, + "uuid": "283a7b58-9fa6-48c8-95bc-9ece77b5b2ea", + "value": "India" + }, + { + "meta": { + "calling-code": [ + "+62" + ], + "iso-code": [ + "ID", + "IDN" + ], + "type": "country" + }, + "uuid": "417b5c63-a388-45d1-b104-cede98b13fe0", + "value": "Indonesia" + }, + { + "meta": { + "calling-code": [ + "+98" + ], + "iso-code": [ + "IR", + "IRN" + ], + "type": "country" + }, + "uuid": "12b32332-ead1-4f69-be61-69ab1ed27d01", + "value": "Iran" + }, + { + "meta": { + "calling-code": [ + "+964" + ], + "iso-code": [ + "IQ", + "IRQ" + ], + "type": "country" + }, + "uuid": "625f37bd-fe48-4791-ac1e-be8d069643a1", + "value": "Iraq" + }, + { + "meta": { + "calling-code": [ + "+353" + ], + "iso-code": [ + "IE", + "IRL" + ], + "type": "country" + }, + "uuid": "b1243ef1-78f4-4e10-841d-bc61361f21f8", + "value": "Ireland" + }, + { + "meta": { + "calling-code": [ + "+44-1624" + ], + "iso-code": [ + "IM", + "IMN" + ], + "type": "country" + }, + "uuid": "57855966-b290-47e2-b098-1d903f4163b8", + "value": "Isle of Man" + }, + { + "meta": { + "calling-code": [ + "+972" + ], + "iso-code": [ + "IL", + "ISR" + ], + "type": "country" + }, + 
"uuid": "3273414a-8331-44cc-b3f6-890bf2363607", + "value": "Israel" + }, + { + "meta": { + "calling-code": [ + "+39" + ], + "iso-code": [ + "IT", + "ITA" + ], + "type": "country" + }, + "uuid": "1bcc0b11-d906-40ea-910c-a1124c4d82bd", + "value": "Italy" + }, + { + "meta": { + "calling-code": [ + "+225" + ], + "iso-code": [ + "CI", + "CIV" + ], + "type": "country" + }, + "uuid": "c1aac71f-b060-4816-9369-451df1550883", + "value": "Ivory Coast" + }, + { + "meta": { + "calling-code": [ + "+1-876" + ], + "iso-code": [ + "JM", + "JAM" + ], + "type": "country" + }, + "uuid": "f5a606a6-80c4-4349-af9b-1450e6699868", + "value": "Jamaica" + }, + { + "meta": { + "calling-code": [ + "+81" + ], + "iso-code": [ + "JP", + "JPN" + ], + "type": "country" + }, + "uuid": "98ee5301-46da-4754-963f-8cf9aa17f7fa", + "value": "Japan" + }, + { + "meta": { + "calling-code": [ + "+44-1534" + ], + "iso-code": [ + "JE", + "JEY" + ], + "type": "country" + }, + "uuid": "2d2423ff-f5e1-4f2b-897e-da0aff79836f", + "value": "Jersey" + }, + { + "meta": { + "calling-code": [ + "+962" + ], + "iso-code": [ + "JO", + "JOR" + ], + "type": "country" + }, + "uuid": "f68750ae-d159-427e-bc6b-536fb676b8bf", + "value": "Jordan" + }, + { + "meta": { + "calling-code": [ + "+7" + ], + "iso-code": [ + "KZ", + "KAZ" + ], + "type": "country" + }, + "uuid": "fc54834e-2131-47c5-b470-974855757469", + "value": "Kazakhstan" + }, + { + "meta": { + "calling-code": [ + "+254" + ], + "iso-code": [ + "KE", + "KEN" + ], + "type": "country" + }, + "uuid": "60828537-e2d4-4f1c-b347-2c82901e9f01", + "value": "Kenya" + }, + { + "meta": { + "calling-code": [ + "+686" + ], + "iso-code": [ + "KI", + "KIR" + ], + "type": "country" + }, + "uuid": "7a51098b-34bd-4f86-a478-90c8c20a7fb7", + "value": "Kiribati" + }, + { + "meta": { + "calling-code": [ + "+383" + ], + "iso-code": [ + "XK", + "XKX" + ], + "type": "country" + }, + "uuid": "f7881f1c-647c-4a6e-9dc6-d5906832f978", + "value": "Kosovo" + }, + { + "meta": { + "calling-code": [ + "+965" 
+ ], + "iso-code": [ + "KW", + "KWT" + ], + "type": "country" + }, + "uuid": "fbc205b4-0a7a-40db-8bf4-fe8e83357eea", + "value": "Kuwait" + }, + { + "meta": { + "calling-code": [ + "+996" + ], + "iso-code": [ + "KG", + "KGZ" + ], + "type": "country" + }, + "uuid": "92d31c81-c7e9-4ac5-bc73-6ea76ed19ce3", + "value": "Kyrgyzstan" + }, + { + "meta": { + "calling-code": [ + "+856" + ], + "iso-code": [ + "LA", + "LAO" + ], + "type": "country" + }, + "uuid": "54866dbe-1be0-4185-87e1-ed565d6d13ee", + "value": "Laos" + }, + { + "meta": { + "calling-code": [ + "+371" + ], + "iso-code": [ + "LV", + "LVA" + ], + "type": "country" + }, + "uuid": "367122b1-2645-49a9-b871-23a9c74d430e", + "value": "Latvia" + }, + { + "meta": { + "calling-code": [ + "+961" + ], + "iso-code": [ + "LB", + "LBN" + ], + "type": "country" + }, + "uuid": "7b7ed6de-7692-41ba-8f25-8456dda5b907", + "value": "Lebanon" + }, + { + "meta": { + "calling-code": [ + "+266" + ], + "iso-code": [ + "LS", + "LSO" + ], + "type": "country" + }, + "uuid": "666ac9e5-bb2d-4317-8ad7-e92e5895f476", + "value": "Lesotho" + }, + { + "meta": { + "calling-code": [ + "+231" + ], + "iso-code": [ + "LR", + "LBR" + ], + "type": "country" + }, + "uuid": "fad73876-fff0-4794-b970-c02d98ac2889", + "value": "Liberia" + }, + { + "meta": { + "calling-code": [ + "+218" + ], + "iso-code": [ + "LY", + "LBY" + ], + "type": "country" + }, + "uuid": "98cae8b3-c6cc-4434-ad7a-0b424e7b38a5", + "value": "Libya" + }, + { + "meta": { + "calling-code": [ + "+423" + ], + "iso-code": [ + "LI", + "LIE" + ], + "type": "country" + }, + "uuid": "7359fcca-a4a2-4e8a-915f-a080f6b2e7b6", + "value": "Liechtenstein" + }, + { + "meta": { + "calling-code": [ + "+370" + ], + "iso-code": [ + "LT", + "LTU" + ], + "type": "country" + }, + "uuid": "f32136ed-0727-4842-a9b7-9ea8f5d6f3fe", + "value": "Lithuania" + }, + { + "meta": { + "calling-code": [ + "+" + ], + "iso-code": [ + "" + ], + "type": "country" + }, + "uuid": "bda2a531-3fc7-4a68-8a50-0f9f6d003c05", + "value": 
"" + }, + { + "meta": { + "calling-code": [ + "+853" + ], + "iso-code": [ + "MO", + "MAC" + ], + "type": "country" + }, + "uuid": "edf25443-9d01-45e5-af67-4943746a06d8", + "value": "Macau" + }, + { + "meta": { + "calling-code": [ + "+389" + ], + "iso-code": [ + "MK", + "MKD" + ], + "type": "country" + }, + "uuid": "cbb86f5b-f390-489b-9c59-5f16d3db2cb6", + "value": "Macedonia" + }, + { + "meta": { + "calling-code": [ + "+261" + ], + "iso-code": [ + "MG", + "MDG" + ], + "type": "country" + }, + "uuid": "940cb63e-5e76-4494-a6f7-b976df4837a2", + "value": "Madagascar" + }, + { + "meta": { + "calling-code": [ + "+265" + ], + "iso-code": [ + "MW", + "MWI" + ], + "type": "country" + }, + "uuid": "5ed4a624-1c71-443b-8475-73caab1eea8f", + "value": "Malawi" + }, + { + "meta": { + "calling-code": [ + "+60" + ], + "iso-code": [ + "MY", + "MYS" + ], + "type": "country" + }, + "uuid": "add3c024-728a-4507-b29f-9135f93eed14", + "value": "Malaysia" + }, + { + "meta": { + "calling-code": [ + "+960" + ], + "iso-code": [ + "MV", + "MDV" + ], + "type": "country" + }, + "uuid": "8449ad6b-a590-4591-8676-2f9101341655", + "value": "Maldives" + }, + { + "meta": { + "calling-code": [ + "+223" + ], + "iso-code": [ + "ML", + "MLI" + ], + "type": "country" + }, + "uuid": "f783dd32-8b58-491a-9b10-3028ac64664a", + "value": "Mali" + }, + { + "meta": { + "calling-code": [ + "+356" + ], + "iso-code": [ + "MT", + "MLT" + ], + "type": "country" + }, + "uuid": "cd50bf6f-d86f-4470-9734-5aa83fd9e427", + "value": "Malta" + }, + { + "meta": { + "calling-code": [ + "+692" + ], + "iso-code": [ + "MH", + "MHL" + ], + "type": "country" + }, + "uuid": "aa71c335-c223-4f5f-956d-c7c82d9a8283", + "value": "Marshall Islands" + }, + { + "meta": { + "calling-code": [ + "+222" + ], + "iso-code": [ + "MR", + "MRT" + ], + "type": "country" + }, + "uuid": "a8561bba-3202-4165-8ef9-9e7412e8f5dd", + "value": "Mauritania" + }, + { + "meta": { + "calling-code": [ + "+230" + ], + "iso-code": [ + "MU", + "MUS" + ], + "type": 
"country" + }, + "uuid": "c49266e4-75ab-42dd-a434-5231b72cbc89", + "value": "Mauritius" + }, + { + "meta": { + "calling-code": [ + "+262" + ], + "iso-code": [ + "YT", + "MYT" + ], + "type": "country" + }, + "uuid": "aeb9cb0b-706c-44ad-9281-20dd857bbfc4", + "value": "Mayotte" + }, + { + "meta": { + "calling-code": [ + "+52" + ], + "iso-code": [ + "MX", + "MEX" + ], + "type": "country" + }, + "uuid": "55777eae-a885-4ee5-9ad3-8df56cddb82b", + "value": "Mexico" + }, + { + "meta": { + "calling-code": [ + "+691" + ], + "iso-code": [ + "FM", + "FSM" + ], + "type": "country" + }, + "uuid": "2043d3fc-d110-40e9-84f0-c6eb2904ce58", + "value": "Micronesia" + }, + { + "meta": { + "calling-code": [ + "+373" + ], + "iso-code": [ + "MD", + "MDA" + ], + "type": "country" + }, + "uuid": "8c076c68-08a3-4870-aa1e-bd39d45c1d0b", + "value": "Moldova" + }, + { + "meta": { + "calling-code": [ + "+377" + ], + "iso-code": [ + "MC", + "MCO" + ], + "type": "country" + }, + "uuid": "6b3e9217-0047-4a9f-9771-1fe24eb9c466", + "value": "Monaco" + }, + { + "meta": { + "calling-code": [ + "+976" + ], + "iso-code": [ + "MN", + "MNG" + ], + "type": "country" + }, + "uuid": "d11a74ac-1ffd-4e92-941a-54fc64b801c6", + "value": "Mongolia" + }, + { + "meta": { + "calling-code": [ + "+382" + ], + "iso-code": [ + "ME", + "MNE" + ], + "type": "country" + }, + "uuid": "b4eab2e9-f67a-449f-8f19-bf22c9bb2cac", + "value": "Montenegro" + }, + { + "meta": { + "calling-code": [ + "+1-664" + ], + "iso-code": [ + "MS", + "MSR" + ], + "type": "country" + }, + "uuid": "e93097db-aa74-40ae-b92a-53f012a74889", + "value": "Montserrat" + }, + { + "meta": { + "calling-code": [ + "+212" + ], + "iso-code": [ + "MA", + "MAR" + ], + "type": "country" + }, + "uuid": "04974cc3-fded-4af3-a0e6-0343e83f5f67", + "value": "Morocco" + }, + { + "meta": { + "calling-code": [ + "+258" + ], + "iso-code": [ + "MZ", + "MOZ" + ], + "type": "country" + }, + "uuid": "dcc6fc3a-f36b-4137-9c3d-1ed88eb89131", + "value": "Mozambique" + }, + { + "meta": 
{ + "calling-code": [ + "+95" + ], + "iso-code": [ + "MM", + "MMR" + ], + "type": "country" + }, + "uuid": "8068b82b-461a-4b8a-acea-f4fe0b12b396", + "value": "Myanmar" + }, + { + "meta": { + "calling-code": [ + "+264" + ], + "iso-code": [ + "NA", + "NAM" + ], + "type": "country" + }, + "uuid": "964471d5-e84a-486c-94e2-95107b59de61", + "value": "Namibia" + }, + { + "meta": { + "calling-code": [ + "+674" + ], + "iso-code": [ + "NR", + "NRU" + ], + "type": "country" + }, + "uuid": "2d57902f-14b2-4e04-84ed-b2e24a7bba5f", + "value": "Nauru" + }, + { + "meta": { + "calling-code": [ + "+977" + ], + "iso-code": [ + "NP", + "NPL" + ], + "type": "country" + }, + "uuid": "9f6c918b-246f-43bc-a125-1a2639932fd2", + "value": "Nepal" + }, + { + "meta": { + "calling-code": [ + "+31" + ], + "iso-code": [ + "NL", + "NLD" + ], + "type": "country" + }, + "uuid": "1c016908-33df-485c-ba9a-3e629e6f92d9", + "value": "Netherlands" + }, + { + "meta": { + "calling-code": [ + "+599" + ], + "iso-code": [ + "AN", + "ANT" + ], + "type": "country" + }, + "uuid": "9da253c5-423a-4fb7-ab98-a2eebc9da34d", + "value": "Netherlands Antilles" + }, + { + "meta": { + "calling-code": [ + "+687" + ], + "iso-code": [ + "NC", + "NCL" + ], + "type": "country" + }, + "uuid": "6128fe4d-b7f4-4e9f-be44-7377d1236d7c", + "value": "New Caledonia" + }, + { + "meta": { + "calling-code": [ + "+64" + ], + "iso-code": [ + "NZ", + "NZL" + ], + "type": "country" + }, + "uuid": "665da546-a37a-4194-ad73-ff1a5e79b3f7", + "value": "New Zealand" + }, + { + "meta": { + "calling-code": [ + "+505" + ], + "iso-code": [ + "NI", + "NIC" + ], + "type": "country" + }, + "uuid": "f0a5a2de-5567-4581-8c99-3459e44d1608", + "value": "Nicaragua" + }, + { + "meta": { + "calling-code": [ + "+227" + ], + "iso-code": [ + "NE", + "NER" + ], + "type": "country" + }, + "uuid": "13c9337c-9c06-42fd-ba3f-7128de97ffff", + "value": "Niger" + }, + { + "meta": { + "calling-code": [ + "+234" + ], + "iso-code": [ + "NG", + "NGA" + ], + "type": "country" + }, + 
"uuid": "bdaa0f76-6fd0-4f2d-b6fd-76a97fe06c3b", + "value": "Nigeria" + }, + { + "meta": { + "calling-code": [ + "+683" + ], + "iso-code": [ + "NU", + "NIU" + ], + "type": "country" + }, + "uuid": "ccf0effb-f81c-4308-a758-e13cde30d5f7", + "value": "Niue" + }, + { + "meta": { + "calling-code": [ + "+850" + ], + "iso-code": [ + "KP", + "PRK" + ], + "type": "country" + }, + "uuid": "cc0bc1cc-6c68-46c2-b9f4-8fdc05f24fde", + "value": "North Korea" + }, + { + "meta": { + "calling-code": [ + "+1-670" + ], + "iso-code": [ + "MP", + "MNP" + ], + "type": "country" + }, + "uuid": "c6b20a69-9ec7-407e-a9f0-f7e7ee1ba123", + "value": "Northern Mariana Islands" + }, + { + "meta": { + "calling-code": [ + "+47" + ], + "iso-code": [ + "NO", + "NOR" + ], + "type": "country" + }, + "uuid": "a39f40d3-8fa5-4024-8c92-58c6a7362af8", + "value": "Norway" + }, + { + "meta": { + "calling-code": [ + "+968" + ], + "iso-code": [ + "OM", + "OMN" + ], + "type": "country" + }, + "uuid": "086ced26-e92c-4b55-9688-0d716d507ada", + "value": "Oman" + }, + { + "meta": { + "calling-code": [ + "+92" + ], + "iso-code": [ + "PK", + "PAK" + ], + "type": "country" + }, + "uuid": "6d6c87fd-8da6-465c-a381-b47f3810a6ea", + "value": "Pakistan" + }, + { + "meta": { + "calling-code": [ + "+680" + ], + "iso-code": [ + "PW", + "PLW" + ], + "type": "country" + }, + "uuid": "3d7ad346-2b4c-4f51-947c-7c0627457174", + "value": "Palau" + }, + { + "meta": { + "calling-code": [ + "+970" + ], + "iso-code": [ + "PS", + "PSE" + ], + "type": "country" + }, + "uuid": "91effc75-e4f6-4aa1-9e32-be5fe56903c9", + "value": "Palestine" + }, + { + "meta": { + "calling-code": [ + "+507" + ], + "iso-code": [ + "PA", + "PAN" + ], + "type": "country" + }, + "uuid": "a38eb164-18f8-4ac8-941c-b9911a85c9c1", + "value": "Panama" + }, + { + "meta": { + "calling-code": [ + "+675" + ], + "iso-code": [ + "PG", + "PNG" + ], + "type": "country" + }, + "uuid": "ac70053c-5b3b-42b4-b7de-421f097d74e1", + "value": "Papua New Guinea" + }, + { + "meta": { + 
"calling-code": [ + "+595" + ], + "iso-code": [ + "PY", + "PRY" + ], + "type": "country" + }, + "uuid": "d25565ce-babf-4919-8e64-f894c6d099f7", + "value": "Paraguay" + }, + { + "meta": { + "calling-code": [ + "+51" + ], + "iso-code": [ + "PE", + "PER" + ], + "type": "country" + }, + "uuid": "ff45884e-11e3-4b31-b805-8e4cb6c5e4e8", + "value": "Peru" + }, + { + "meta": { + "calling-code": [ + "+63" + ], + "iso-code": [ + "PH", + "PHL" + ], + "type": "country" + }, + "uuid": "61e24be6-cf32-4d0f-a8b3-379a05bac8a9", + "value": "Philippines" + }, + { + "meta": { + "calling-code": [ + "+64" + ], + "iso-code": [ + "PN", + "PCN" + ], + "type": "country" + }, + "uuid": "5ee746fb-7d00-494c-8dab-1a340a5ea49c", + "value": "Pitcairn" + }, + { + "meta": { + "calling-code": [ + "+48" + ], + "iso-code": [ + "PL", + "POL" + ], + "type": "country" + }, + "uuid": "8e73397d-5c08-477e-9b5c-2ef279b5883b", + "value": "Poland" + }, + { + "meta": { + "calling-code": [ + "+351" + ], + "iso-code": [ + "PT", + "PRT" + ], + "type": "country" + }, + "uuid": "fb9b1e68-2b99-467b-935d-1e98f312d9d6", + "value": "Portugal" + }, + { + "meta": { + "calling-code": [ + "+1-787", + "+1-939" + ], + "iso-code": [ + "PR", + "PRI" + ], + "type": "country" + }, + "uuid": "e9746233-bfd9-499f-b89c-54195295f6a2", + "value": "Puerto Rico" + }, + { + "meta": { + "calling-code": [ + "+974" + ], + "iso-code": [ + "QA", + "QAT" + ], + "type": "country" + }, + "uuid": "79da7e74-0680-4c83-8329-2978e730eb91", + "value": "Qatar" + }, + { + "meta": { + "calling-code": [ + "+242" + ], + "iso-code": [ + "CG", + "COG" + ], + "type": "country" + }, + "uuid": "5a5a71d8-9973-4a88-8ec5-8da50b24d90c", + "value": "Republic of the Congo" + }, + { + "meta": { + "calling-code": [ + "+262" + ], + "iso-code": [ + "RE", + "REU" + ], + "type": "country" + }, + "uuid": "b5ba4bdb-29c1-4907-b7dc-c2172fd83976", + "value": "Reunion" + }, + { + "meta": { + "calling-code": [ + "+40" + ], + "iso-code": [ + "RO", + "ROU" + ], + "type": "country" + 
}, + "uuid": "afa8ac3d-723d-4f10-8756-d8bbefc9eb2e", + "value": "Romania" + }, + { + "meta": { + "calling-code": [ + "+7" + ], + "iso-code": [ + "RU", + "RUS" + ], + "type": "country" + }, + "uuid": "f99a8e6e-ccb6-4709-842c-a21e5455ba7c", + "value": "Russia" + }, + { + "meta": { + "calling-code": [ + "+250" + ], + "iso-code": [ + "RW", + "RWA" + ], + "type": "country" + }, + "uuid": "d9dac31d-b4d7-4afb-b6fe-d9e09c5d4bac", + "value": "Rwanda" + }, + { + "meta": { + "calling-code": [ + "+590" + ], + "iso-code": [ + "BL", + "BLM" + ], + "type": "country" + }, + "uuid": "954b2de5-2f0a-477d-8bea-3fa08a52c04c", + "value": "Saint Barthelemy" + }, + { + "meta": { + "calling-code": [ + "+290" + ], + "iso-code": [ + "SH", + "SHN" + ], + "type": "country" + }, + "uuid": "083e69f2-14f1-4d8c-9fb7-4d38d38322cf", + "value": "Saint Helena" + }, + { + "meta": { + "calling-code": [ + "+1-869" + ], + "iso-code": [ + "KN", + "KNA" + ], + "type": "country" + }, + "uuid": "7334c20d-dc91-41ff-925c-08e3e7d22c30", + "value": "Saint Kitts and Nevis" + }, + { + "meta": { + "calling-code": [ + "+1-758" + ], + "iso-code": [ + "LC", + "LCA" + ], + "type": "country" + }, + "uuid": "ceb56016-5c27-42af-a4bd-0022bfcfee7b", + "value": "Saint Lucia" + }, + { + "meta": { + "calling-code": [ + "+590" + ], + "iso-code": [ + "MF", + "MAF" + ], + "type": "country" + }, + "uuid": "164b7a25-b531-4630-a398-0cde3a45e7d6", + "value": "Saint Martin" + }, + { + "meta": { + "calling-code": [ + "+508" + ], + "iso-code": [ + "PM", + "SPM" + ], + "type": "country" + }, + "uuid": "b45d813b-6fc2-4de1-8406-ecb51b70dd42", + "value": "Saint Pierre and Miquelon" + }, + { + "meta": { + "calling-code": [ + "+1-784" + ], + "iso-code": [ + "VC", + "VCT" + ], + "type": "country" + }, + "uuid": "b46efc73-2cee-4250-aa3e-5e369ef06c5c", + "value": "Saint Vincent and the Grenadines" + }, + { + "meta": { + "calling-code": [ + "+685" + ], + "iso-code": [ + "WS", + "WSM" + ], + "type": "country" + }, + "uuid": 
"8ee23019-4942-498c-89b7-4a6336015974", + "value": "Samoa" + }, + { + "meta": { + "calling-code": [ + "+378" + ], + "iso-code": [ + "SM", + "SMR" + ], + "type": "country" + }, + "uuid": "6d739a32-2b94-45cc-8be0-4c65cc8f3ef4", + "value": "San Marino" + }, + { + "meta": { + "calling-code": [ + "+239" + ], + "iso-code": [ + "ST", + "STP" + ], + "type": "country" + }, + "uuid": "84455318-8152-4fce-92a2-4e2a38d3ef9a", + "value": "Sao Tome and Principe" + }, + { + "meta": { + "calling-code": [ + "+966" + ], + "iso-code": [ + "SA", + "SAU" + ], + "type": "country" + }, + "uuid": "52a4e93d-5e64-4ae2-9f5f-97fbcf75dc55", + "value": "Saudi Arabia" + }, + { + "meta": { + "calling-code": [ + "+221" + ], + "iso-code": [ + "SN", + "SEN" + ], + "type": "country" + }, + "uuid": "31d92db8-d6e4-4531-955b-464986df7dad", + "value": "Senegal" + }, + { + "meta": { + "calling-code": [ + "+381" + ], + "iso-code": [ + "RS", + "SRB" + ], + "type": "country" + }, + "uuid": "4ec7dd40-4d7a-431c-844d-ee709b8fb935", + "value": "Serbia" + }, + { + "meta": { + "calling-code": [ + "+248" + ], + "iso-code": [ + "SC", + "SYC" + ], + "type": "country" + }, + "uuid": "e0f8c503-e005-409b-8915-b2cec757f85b", + "value": "Seychelles" + }, + { + "meta": { + "calling-code": [ + "+232" + ], + "iso-code": [ + "SL", + "SLE" + ], + "type": "country" + }, + "uuid": "8acd3be4-fc0f-4dff-bf47-76d3e916c8ca", + "value": "Sierra Leone" + }, + { + "meta": { + "calling-code": [ + "+65" + ], + "iso-code": [ + "SG", + "SGP" + ], + "type": "country" + }, + "uuid": "d9e1d8a2-1e57-41f1-b44f-efc26531e0c6", + "value": "Singapore" + }, + { + "meta": { + "calling-code": [ + "+1-721" + ], + "iso-code": [ + "SX", + "SXM" + ], + "type": "country" + }, + "uuid": "5f6c7e19-38a0-4b4e-8799-7dd8ab6e39e1", + "value": "Sint Maarten" + }, + { + "meta": { + "calling-code": [ + "+421" + ], + "iso-code": [ + "SK", + "SVK" + ], + "type": "country" + }, + "uuid": "707adc52-2c97-4e56-99fb-9661319117b4", + "value": "Slovakia" + }, + { + "meta": { + 
"calling-code": [ + "+386" + ], + "iso-code": [ + "SI", + "SVN" + ], + "type": "country" + }, + "uuid": "66b0e8f0-7f94-420b-ac26-b7d874ca6f85", + "value": "Slovenia" + }, + { + "meta": { + "calling-code": [ + "+677" + ], + "iso-code": [ + "SB", + "SLB" + ], + "type": "country" + }, + "uuid": "7a5d17e8-7597-4dd0-b009-60998149383e", + "value": "Solomon Islands" + }, + { + "meta": { + "calling-code": [ + "+252" + ], + "iso-code": [ + "SO", + "SOM" + ], + "type": "country" + }, + "uuid": "8250580d-e2a5-4215-af6f-093c21fb4834", + "value": "Somalia" + }, + { + "meta": { + "calling-code": [ + "+27" + ], + "iso-code": [ + "ZA", + "ZAF" + ], + "type": "country" + }, + "uuid": "6b3cc3a2-e95b-43b9-aeaa-1c3867e99319", + "value": "South Africa" + }, + { + "meta": { + "calling-code": [ + "+82" + ], + "iso-code": [ + "KR", + "KOR" + ], + "type": "country" + }, + "uuid": "e78f238b-c0f0-4856-acc8-a3ff7b1c9187", + "value": "South Korea" + }, + { + "meta": { + "calling-code": [ + "+211" + ], + "iso-code": [ + "SS", + "SSD" + ], + "type": "country" + }, + "uuid": "a152cd53-9a53-46e0-9b84-9d4101a59c5e", + "value": "South Sudan" + }, + { + "meta": { + "calling-code": [ + "+34" + ], + "iso-code": [ + "ES", + "ESP" + ], + "type": "country" + }, + "uuid": "d3400ce2-5701-4141-83ba-66f4fea068ca", + "value": "Spain" + }, + { + "meta": { + "calling-code": [ + "+94" + ], + "iso-code": [ + "LK", + "LKA" + ], + "type": "country" + }, + "uuid": "67d858c3-0ea2-4988-9dd4-d17375c5483d", + "value": "Sri Lanka" + }, + { + "meta": { + "calling-code": [ + "+249" + ], + "iso-code": [ + "SD", + "SDN" + ], + "type": "country" + }, + "uuid": "210b2138-a4de-4959-9528-9b382f9df98c", + "value": "Sudan" + }, + { + "meta": { + "calling-code": [ + "+597" + ], + "iso-code": [ + "SR", + "SUR" + ], + "type": "country" + }, + "uuid": "fa257ff1-9352-45ed-8fea-70fcc88781e0", + "value": "Suriname" + }, + { + "meta": { + "calling-code": [ + "+47" + ], + "iso-code": [ + "SJ", + "SJM" + ], + "type": "country" + }, + "uuid": 
"4e451aef-1bc7-49de-950d-340bbf691a71", + "value": "Svalbard and Jan Mayen" + }, + { + "meta": { + "calling-code": [ + "+268" + ], + "iso-code": [ + "SZ", + "SWZ" + ], + "type": "country" + }, + "uuid": "06918b9c-26be-4af8-b7bd-9add29798e7c", + "value": "Swaziland" + }, + { + "meta": { + "calling-code": [ + "+46" + ], + "iso-code": [ + "SE", + "SWE" + ], + "type": "country" + }, + "uuid": "6d3bbf09-dea6-4c99-bf8b-7f75537a8b38", + "value": "Sweden" + }, + { + "meta": { + "calling-code": [ + "+41" + ], + "iso-code": [ + "CH", + "CHE" + ], + "type": "country" + }, + "uuid": "56c661d4-471c-4e92-a4e6-349f8edabf41", + "value": "Switzerland" + }, + { + "meta": { + "calling-code": [ + "+963" + ], + "iso-code": [ + "SY", + "SYR" + ], + "type": "country" + }, + "uuid": "145a3afd-e9b6-497e-9b8f-a07a3b113c90", + "value": "Syria" + }, + { + "meta": { + "calling-code": [ + "+886" + ], + "iso-code": [ + "TW", + "TWN" + ], + "type": "country" + }, + "uuid": "5e8f4b1d-56fb-41ba-8107-1d936679673f", + "value": "Taiwan" + }, + { + "meta": { + "calling-code": [ + "+992" + ], + "iso-code": [ + "TJ", + "TJK" + ], + "type": "country" + }, + "uuid": "acc3015b-52f7-46a5-9bcd-b6c69a9af728", + "value": "Tajikistan" + }, + { + "meta": { + "calling-code": [ + "+255" + ], + "iso-code": [ + "TZ", + "TZA" + ], + "type": "country" + }, + "uuid": "b63d9a72-3c11-4948-b653-5ea6bdf1ed66", + "value": "Tanzania" + }, + { + "meta": { + "calling-code": [ + "+66" + ], + "iso-code": [ + "TH", + "THA" + ], + "type": "country" + }, + "uuid": "a9a5d54d-933a-41fe-9227-8c44d69e766f", + "value": "Thailand" + }, + { + "meta": { + "calling-code": [ + "+228" + ], + "iso-code": [ + "TG", + "TGO" + ], + "type": "country" + }, + "uuid": "6c61d5e6-b9be-466a-a0e0-768def1c5eae", + "value": "Togo" + }, + { + "meta": { + "calling-code": [ + "+690" + ], + "iso-code": [ + "TK", + "TKL" + ], + "type": "country" + }, + "uuid": "8e1da827-2562-4c8f-b668-779c7512410c", + "value": "Tokelau" + }, + { + "meta": { + "calling-code": [ + 
"+676" + ], + "iso-code": [ + "TO", + "TON" + ], + "type": "country" + }, + "uuid": "9d68906f-7e43-4d63-9b81-e3047b4f25e8", + "value": "Tonga" + }, + { + "meta": { + "calling-code": [ + "+1-868" + ], + "iso-code": [ + "TT", + "TTO" + ], + "type": "country" + }, + "uuid": "b42557d5-ec65-41e0-84db-171b3f48e66e", + "value": "Trinidad and Tobago" + }, + { + "meta": { + "calling-code": [ + "+216" + ], + "iso-code": [ + "TN", + "TUN" + ], + "type": "country" + }, + "uuid": "7e8d9de1-3e0c-4a9a-809b-e741096d93dc", + "value": "Tunisia" + }, + { + "meta": { + "calling-code": [ + "+90" + ], + "iso-code": [ + "TR", + "TUR" + ], + "type": "country" + }, + "uuid": "10cad663-ea15-4803-937d-f1f6bc046f6f", + "value": "Turkey" + }, + { + "meta": { + "calling-code": [ + "+993" + ], + "iso-code": [ + "TM", + "TKM" + ], + "type": "country" + }, + "uuid": "b8ac2942-599e-40a4-82d6-dc7d189b1d7f", + "value": "Turkmenistan" + }, + { + "meta": { + "calling-code": [ + "+1-649" + ], + "iso-code": [ + "TC", + "TCA" + ], + "type": "country" + }, + "uuid": "3a7ffa51-20aa-4cf5-ac82-2ba6b9cb0b59", + "value": "Turks and Caicos Islands" + }, + { + "meta": { + "calling-code": [ + "+688" + ], + "iso-code": [ + "TV", + "TUV" + ], + "type": "country" + }, + "uuid": "af9953e1-70b7-4925-bdc9-d0799d02aefa", + "value": "Tuvalu" + }, + { + "meta": { + "calling-code": [ + "+1-340" + ], + "iso-code": [ + "VI", + "VIR" + ], + "type": "country" + }, + "uuid": "d93523ea-148e-482b-9447-21569b5a7e9d", + "value": "U.S. 
Virgin Islands" + }, + { + "meta": { + "calling-code": [ + "+256" + ], + "iso-code": [ + "UG", + "UGA" + ], + "type": "country" + }, + "uuid": "5ad9c05c-4725-4cb0-81e7-9d7499bc1f08", + "value": "Uganda" + }, + { + "meta": { + "calling-code": [ + "+380" + ], + "iso-code": [ + "UA", + "UKR" + ], + "type": "country" + }, + "uuid": "4e2745c3-2447-4fa4-9e5b-7d32adc01761", + "value": "Ukraine" + }, + { + "meta": { + "calling-code": [ + "+971" + ], + "iso-code": [ + "AE", + "ARE" + ], + "type": "country" + }, + "uuid": "ec6d9524-cf39-4081-83e7-f87f5059ab4c", + "value": "United Arab Emirates" + }, + { + "meta": { + "calling-code": [ + "+44" + ], + "iso-code": [ + "GB", + "GBR" + ], + "type": "country" + }, + "uuid": "5d0b6a46-f4cf-42ac-b283-e5e28677ec0f", + "value": "United Kingdom" + }, + { + "meta": { + "calling-code": [ + "+1" + ], + "iso-code": [ + "US", + "USA" + ], + "type": "country" + }, + "uuid": "59b04875-12f9-49d8-b051-2759bba81824", + "value": "United States" + }, + { + "meta": { + "calling-code": [ + "+598" + ], + "iso-code": [ + "UY", + "URY" + ], + "type": "country" + }, + "uuid": "5a5dbbad-e27b-4f47-a3b7-6acfddf0b57c", + "value": "Uruguay" + }, + { + "meta": { + "calling-code": [ + "+998" + ], + "iso-code": [ + "UZ", + "UZB" + ], + "type": "country" + }, + "uuid": "46aa0f74-14c1-451a-a269-24141501c861", + "value": "Uzbekistan" + }, + { + "meta": { + "calling-code": [ + "+678" + ], + "iso-code": [ + "VU", + "VUT" + ], + "type": "country" + }, + "uuid": "6a1b40ad-b473-46d6-ba02-a66eeb5f9472", + "value": "Vanuatu" + }, + { + "meta": { + "calling-code": [ + "+379" + ], + "iso-code": [ + "VA", + "VAT" + ], + "type": "country" + }, + "uuid": "29e47ec8-f47e-43e6-8275-0e7ec185bdc0", + "value": "Vatican" + }, + { + "meta": { + "calling-code": [ + "+58" + ], + "iso-code": [ + "VE", + "VEN" + ], + "type": "country" + }, + "uuid": "ff8eae27-8b9f-4a44-98e9-810b74785d5e", + "value": "Venezuela" + }, + { + "meta": { + "calling-code": [ + "+84" + ], + "iso-code": [ + "VN", 
+ "VNM" + ], + "type": "country" + }, + "uuid": "7102ea70-2af1-4b23-8d94-a87a9c9aea8e", + "value": "Vietnam" + }, + { + "meta": { + "calling-code": [ + "+681" + ], + "iso-code": [ + "WF", + "WLF" + ], + "type": "country" + }, + "uuid": "e343017d-b607-4cd2-8bd9-b3417caa9674", + "value": "Wallis and Futuna" + }, + { + "meta": { + "calling-code": [ + "+212" + ], + "iso-code": [ + "EH", + "ESH" + ], + "type": "country" + }, + "uuid": "7cca85b2-e06c-4c97-86de-0a2b3f473b59", + "value": "Western Sahara" + }, + { + "meta": { + "calling-code": [ + "+967" + ], + "iso-code": [ + "YE", + "YEM" + ], + "type": "country" + }, + "uuid": "2813a187-0827-4e70-80f1-ffdb261ec478", + "value": "Yemen" + }, + { + "meta": { + "calling-code": [ + "+260" + ], + "iso-code": [ + "ZM", + "ZMB" + ], + "type": "country" + }, + "uuid": "4ec0f561-4798-4b7e-a6f4-df8400284ee6", + "value": "Zambia" + }, + { + "meta": { + "calling-code": [ + "+263" + ], + "iso-code": [ + "ZW", + "ZWE" + ], + "type": "country" + }, + "uuid": "da228f94-4412-4226-9113-e19a55cd4aa5", + "value": "Zimbabwe" + } + ], + "version": 1 +} From 427b424cf70902a67945889836c6d6c5c0e7389d Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 19 Jul 2019 13:49:43 +0200 Subject: [PATCH 50/92] rename galaxy target-location -> target-information --- clusters/{target-location.json => target-information.json} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename clusters/{target-location.json => target-information.json} (99%) diff --git a/clusters/target-location.json b/clusters/target-information.json similarity index 99% rename from clusters/target-location.json rename to clusters/target-information.json index d5b852a..e967112 100644 --- a/clusters/target-location.json +++ b/clusters/target-information.json @@ -3,7 +3,7 @@ "Unknown" ], "category": "target", - "description": "", + "description": "Description of targets of threat actors.", "name": "Target Information", "source": "Various", "type": "target-information", 
From bb46e32d90b2528807bc6346dde4b416ac71f81f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 19 Jul 2019 13:50:22 +0200
Subject: [PATCH 51/92] add target-information galaxy file
---
galaxies/target-information.json | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 galaxies/target-information.json
diff --git a/galaxies/target-information.json b/galaxies/target-information.json
new file mode 100644
index 0000000..fdc86d9
--- /dev/null
+++ b/galaxies/target-information.json
@@ -0,0 +1,9 @@
+{
+ "description": "Description of targets of threat actors.",
+ "icon": "bullseye",
+ "name": "Target Information",
+ "namespace": "misp",
+ "type": "target-information",
+ "uuid": "709ed29c-aa00-11e9-82cd-67ac1a6ee3bc",
+ "version": 1
+}
From 08f713cb7d17a025e658835435dc3354da3470e2 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 26 Jul 2019 16:22:45 +0200
Subject: [PATCH 52/92] add tld
Signed-off-by: Deborah Servili
---
clusters/target-information.json | 207 ++++++++++++++++++++++++++++++-
1 file changed, 206 insertions(+), 1 deletion(-)
diff --git a/clusters/target-information.json b/clusters/target-information.json
index e967112..5c7f30b 100644
--- a/clusters/target-information.json
+++ b/clusters/target-information.json
@@ -40,6 +40,7 @@
 "top-level-domain": "lu",
 "type": "country"
 },
+ "top-level-domain": ".lu",
 "uuid": "f9a1d7f4-980a-11e9-a8b6-23162ddc4255",
 "value": "Luxembourg"
 },
@@ -54,6 +55,7 @@
 ],
 "type": "country"
 },
+ "top-level-domain": ".af",
 "uuid": "2d0b4ddc-4b46-4e75-8c8b-02f4f7446507",
 "value": "Afghanistan"
 },
@@ -68,6 +70,7 @@
 ],
 "type": "country"
 },
+ "top-level-domain": ".al",
 "uuid": "bc4c6bf6-c5f1-4927-b928-e9e2434e9ec4",
 "value": "Albania"
 },
@@ -82,6 +85,7 @@
 ],
 "type": "country"
 },
+ "top-level-domain": ".dz",
 "uuid": "13612aed-8efb-444f-8e29-5b93bd821d0e",
 "value": "Algeria"
 },
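Review bot: Each added `"top-level-domain"` line is inserted after the `},` that closes `meta`, so it becomes a property of the cluster entry itself, beside `uuid` and `value`, rather than a `meta` field like the neighbouring `calling-code`, `iso-code` and `type`; the same placement repeats in every hunk of this commit, from the Luxembourg hunk here through the Portugal hunk at the end of the view. For Luxembourg the entry already carries `"top-level-domain": "lu"` inside `meta`, so the file now holds the same attribute twice in two formats (`lu` and `.lu`), and which one a consumer sees depends on where it looks. If the repository's cluster schema closes entry objects to the known keys, these additions will presumably also fail validation, which is worth checking before merge. The fix per hunk is to move the line into `meta` before `"type": "country"` and, for Luxembourg, drop or reconcile the existing key so a single value remains, e.g. `"top-level-domain": ".lu",`.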
@@ -110,6 +114,7 @@ ], "type": "country" }, + "top-level-domain": ".ad", "uuid": "5f8aeaac-8654-4b12-99c6-d3bf5ba43c7a", "value": "Andorra" }, @@ -124,6 +129,7 @@ ], "type": "country" }, + "top-level-domain": ".ao", "uuid": "ec22a747-be01-4bf8-bb3b-4dac8ec033dc", "value": "Angola" }, @@ -138,6 +144,7 @@ ], "type": "country" }, + "top-level-domain": ".ai", "uuid": "eaeca984-4c51-4bff-8389-4b66c8fddb1c", "value": "Anguilla" }, @@ -152,6 +159,7 @@ ], "type": "country" }, + "top-level-domain": ".aq", "uuid": "09dbf944-5c73-4ff7-8b1b-b43b42282acb", "value": "Antarctica" }, @@ -166,6 +174,7 @@ ], "type": "country" }, + "top-level-domain": ".ag", "uuid": "b0d7f6d5-8f5e-4bd8-98d7-92fcc4c195b9", "value": "Antigua and Barbuda" }, @@ -180,6 +189,7 @@ ], "type": "country" }, + "top-level-domain": ".ar", "uuid": "f21ecd23-c3c8-4308-8363-c1260a57e695", "value": "Argentina" }, @@ -194,6 +204,7 @@ ], "type": "country" }, + "top-level-domain": ".am", "uuid": "e1a61736-a7d4-4c31-aeda-bd49beabdb40", "value": "Armenia" }, @@ -222,6 +233,7 @@ ], "type": "country" }, + "top-level-domain": ".au", "uuid": "ca250c03-aead-41e3-a077-085d66211186", "value": "Australia" }, @@ -236,6 +248,7 @@ ], "type": "country" }, + "top-level-domain": ".at", "uuid": "e88f7003-09e9-4275-b176-d4246e59a0d5", "value": "Austria" }, @@ -250,6 +263,7 @@ ], "type": "country" }, + "top-level-domain": ".az", "uuid": "4dac6eec-948d-4df5-946b-21ac0aaf5471", "value": "Azerbaijan" }, @@ -264,6 +278,7 @@ ], "type": "country" }, + "top-level-domain": ".bs", "uuid": "5029a486-9c17-454a-bbcd-6e9b774705f9", "value": "Bahamas" }, @@ -278,6 +293,7 @@ ], "type": "country" }, + "top-level-domain": ".bh", "uuid": "819805c9-8f06-4f0c-af79-926960b4c23f", "value": "Bahrain" }, @@ -292,6 +308,7 @@ ], "type": "country" }, + "top-level-domain": ".bd", "uuid": "cb78009e-1355-4afa-a655-0cf03d7fd947", "value": "Bangladesh" }, 
@@ -306,6 +323,7 @@ ], "type": "country" }, + "top-level-domain": ".bb", "uuid": "062daa09-7c4a-4dec-ba9d-625d96871708", "value": "Barbados" }, @@ -320,6 +338,7 @@ ], "type": "country" }, + "top-level-domain": ".by", "uuid": "9e5e118a-ebe8-464a-bd38-350af4d645c4", "value": "Belarus" }, @@ -334,6 +353,7 @@ ], "type": "country" }, + "top-level-domain": ".be", "uuid": "30f35478-7961-464f-bd3c-732a8f5e1fe5", "value": "Belgium" }, @@ -348,6 +368,7 @@ ], "type": "country" }, + "top-level-domain": ".bz", "uuid": "4b7f2038-cc17-4bb1-bc28-dacc9772e6fc", "value": "Belize" }, @@ -362,6 +383,7 @@ ], "type": "country" }, + "top-level-domain": ".bj", "uuid": "5c68d3ce-0beb-4b9a-a81d-e5d64f14b9a1", "value": "Benin" }, @@ -376,6 +398,7 @@ ], "type": "country" }, + "top-level-domain": ".bm", "uuid": "67e9dd29-9da1-4585-b0e6-303defa1e751", "value": "Bermuda" }, @@ -390,6 +413,7 @@ ], "type": "country" }, + "top-level-domain": ".bt", "uuid": "7a431a2e-623b-4fb0-8316-a5d42266070d", "value": "Bhutan" }, @@ -404,6 +428,7 @@ ], "type": "country" }, + "top-level-domain": ".bo", "uuid": "06c20eb8-bec1-4f56-a5af-91f5fb826e4d", "value": "Bolivia" }, @@ -418,6 +443,7 @@ ], "type": "country" }, + "top-level-domain": ".ba", "uuid": "eccea7a8-d7f5-4b33-b948-ac8595e92500", "value": "Bosnia and Herzegovina" }, @@ -432,6 +458,7 @@ ], "type": "country" }, + "top-level-domain": ".bw", "uuid": "b29dca55-6930-494e-ae8e-fe89e5317529", "value": "Botswana" }, @@ -446,6 +473,7 @@ ], "type": "country" }, + "top-level-domain": ".br", "uuid": "75fe4c94-f864-41dc-8dd2-758e2e2d4deb", "value": "Brazil" }, @@ -460,6 +488,7 @@ ], "type": "country" }, + "top-level-domain": ".io", "uuid": "f974dd18-3a6b-4910-af8f-1d6256369b05", "value": "British Indian Ocean Territory" }, @@ -474,6 +503,7 @@ ], "type": "country" }, + "top-level-domain": ".vg", "uuid": "9feffe01-624f-46fd-9e55-baec2098db69", "value": "British Virgin Islands" }, 
@@ -488,6 +518,7 @@ ], "type": "country" }, + "top-level-domain": ".bn", "uuid": "a039c8f7-1a7a-46e6-b16b-a9648a280f77", "value": "Brunei" }, @@ -502,6 +533,7 @@ ], "type": "country" }, + "top-level-domain": ".bg", "uuid": "61766ec7-b1aa-4d92-afaa-883842d4f6ac", "value": "Bulgaria" }, @@ -516,6 +548,7 @@ ], "type": "country" }, + "top-level-domain": ".bf", "uuid": "dfb27e34-f6dc-4db3-b3fa-313a8125ddf2", "value": "Burkina Faso" }, @@ -530,6 +563,7 @@ ], "type": "country" }, + "top-level-domain": ".bi", "uuid": "f545307d-db22-49d3-858f-8d03db4428da", "value": "Burundi" }, @@ -544,6 +578,7 @@ ], "type": "country" }, + "top-level-domain": ".kh", "uuid": "03757eb3-f75a-48e1-a4ef-18a62c7d1838", "value": "Cambodia" }, @@ -558,6 +593,7 @@ ], "type": "country" }, + "top-level-domain": ".cm", "uuid": "68e9ed03-4954-4a2a-8971-1224fa3ab760", "value": "Cameroon" }, @@ -572,6 +608,7 @@ ], "type": "country" }, + "top-level-domain": ".ca", "uuid": "d0e51f88-2a01-4a9d-b080-464bb6f5172f", "value": "Canada" }, @@ -586,6 +623,7 @@ ], "type": "country" }, + "top-level-domain": ".cv", "uuid": "457e880a-0d5a-4729-b7b1-fcfeccf61f07", "value": "Cape Verde" }, @@ -600,6 +638,7 @@ ], "type": "country" }, + "top-level-domain": ".ky", "uuid": "036ac306-bedd-44a6-807a-69314d59dfef", "value": "Cayman Islands" }, @@ -614,6 +653,7 @@ ], "type": "country" }, + "top-level-domain": ".cf", "uuid": "4abded58-faa1-4a2b-ae16-01a12409df7c", "value": "Central African Republic" }, @@ -628,6 +668,7 @@ ], "type": "country" }, + "top-level-domain": ".td", "uuid": "da6f9a8b-91f0-400f-ad1b-47b49fe48412", "value": "Chad" }, @@ -642,6 +683,7 @@ ], "type": "country" }, + "top-level-domain": ".cl", "uuid": "bb81858f-5803-4f3b-9aac-92869b750f9e", "value": "Chile" }, @@ -670,6 +712,7 @@ ], "type": "country" }, + "top-level-domain": ".cx", "uuid": "0ccf619a-927a-4963-9ec3-34598e898d46", "value": "Christmas Island" }, 
@@ -698,6 +741,7 @@ ], "type": "country" }, + "top-level-domain": ".co", "uuid": "25f47423-5005-4caa-b4b0-6b9ada986611", "value": "Colombia" }, @@ -712,6 +756,7 @@ ], "type": "country" }, + "top-level-domain": ".km", "uuid": "3a9ec602-9f36-4943-baee-f873ee3c3691", "value": "Comoros" }, @@ -726,6 +771,7 @@ ], "type": "country" }, + "top-level-domain": ".ck", "uuid": "704756d4-9e33-48c3-8d25-037b00e94888", "value": "Cook Islands" }, @@ -740,6 +786,7 @@ ], "type": "country" }, + "top-level-domain": ".cr", "uuid": "a568be65-88ff-4290-9562-9a5227eb346a", "value": "Costa Rica" }, @@ -754,6 +801,7 @@ ], "type": "country" }, + "top-level-domain": ".hr", "uuid": "c753504c-9fe3-41f3-a423-86f64eff2af4", "value": "Croatia" }, @@ -768,6 +816,7 @@ ], "type": "country" }, + "top-level-domain": ".cu", "uuid": "7abd8189-65d8-4682-8091-7350d8e8ea9f", "value": "Cuba" }, @@ -796,6 +845,7 @@ ], "type": "country" }, + "top-level-domain": ".cy", "uuid": "95e86a29-0ee0-4ac5-8ec0-57036298c141", "value": "Cyprus" }, @@ -810,6 +860,7 @@ ], "type": "country" }, + "top-level-domain": ".cz", "uuid": "ef6651eb-1168-422c-9853-5200c737b332", "value": "Czech Republic" }, @@ -824,6 +875,7 @@ ], "type": "country" }, + "top-level-domain": ".cd", "uuid": "5a266a76-fc45-4457-8838-3e490bd26dc1", "value": "Democratic Republic of the Congo" }, @@ -838,6 +890,7 @@ ], "type": "country" }, + "top-level-domain": ".dk", "uuid": "2890ae27-cc54-42df-8c0c-47285145bd49", "value": "Denmark" }, @@ -852,6 +905,7 @@ ], "type": "country" }, + "top-level-domain": ".dj", "uuid": "543afec2-19b2-4769-aacb-dd69a380c2cc", "value": "Djibouti" }, @@ -866,6 +920,7 @@ ], "type": "country" }, + "top-level-domain": ".dm", "uuid": "151ff291-da46-41aa-b8c2-62faecefbe4a", "value": "Dominica" }, @@ -882,6 +937,7 @@ ], "type": "country" }, + "top-level-domain": ".do", "uuid": "a621624f-5c1a-403d-b5dd-89da7af7555f", "value": "Dominican Republic" }, 
@@ -896,6 +952,7 @@ ], "type": "country" }, + "top-level-domain": ".tl", "uuid": "b5371e8a-00bb-4653-abe3-2e9b92454b15", "value": "East Timor" }, @@ -910,6 +967,7 @@ ], "type": "country" }, + "top-level-domain": ".ec", "uuid": "9e4f2bc9-9ef5-4369-a275-b3df56e5a35e", "value": "Ecuador" }, @@ -924,6 +982,7 @@ ], "type": "country" }, + "top-level-domain": ".eg", "uuid": "7fbebdc8-5a13-430e-9248-58d2b1a9af0f", "value": "Egypt" }, @@ -938,6 +997,7 @@ ], "type": "country" }, + "top-level-domain": ".sv", "uuid": "1822e12a-1f4b-4675-8e2a-a6d123b3ea24", "value": "El Salvador" }, @@ -952,6 +1012,7 @@ ], "type": "country" }, + "top-level-domain": ".gq", "uuid": "5c3d7a8e-9cd6-4d3d-ab6b-3cb8acaa208f", "value": "Equatorial Guinea" }, @@ -980,6 +1041,7 @@ ], "type": "country" }, + "top-level-domain": ".ee", "uuid": "c8ea4824-7ed2-473a-906d-745bd73a2612", "value": "Estonia" }, @@ -994,6 +1056,7 @@ ], "type": "country" }, + "top-level-domain": ".et", "uuid": "b25e700a-6b79-4c86-90ff-304032b182db", "value": "Ethiopia" }, @@ -1008,6 +1071,7 @@ ], "type": "country" }, + "top-level-domain": ".fk", "uuid": "8041a1dc-e9a6-460e-8dd8-d37e45b787dd", "value": "Falkland Islands" }, @@ -1036,6 +1100,7 @@ ], "type": "country" }, + "top-level-domain": ".fj", "uuid": "218bcbfe-46cb-4fd0-852c-3a7fc64a2908", "value": "Fiji" }, @@ -1050,6 +1115,7 @@ ], "type": "country" }, + "top-level-domain": ".fi", "uuid": "bde60aea-b748-4bd9-8d6d-f0174af0b36e", "value": "Finland" }, @@ -1064,6 +1130,7 @@ ], "type": "country" }, + "top-level-domain": ".fr", "uuid": "0cc6ad08-fac6-42bc-a7c7-09a53ea6b968", "value": "France" }, @@ -1092,6 +1159,7 @@ ], "type": "country" }, + "top-level-domain": ".ga", "uuid": "8e70d742-c708-4a9e-8ab1-6a8a90306ccf", "value": "Gabon" }, @@ -1120,6 +1188,7 @@ ], "type": "country" }, + "top-level-domain": ".ge", "uuid": "76c2f2fe-ce68-4008-aa30-1ac8de38d617", "value": "Georgia" }, 
@@ -1134,6 +1203,7 @@ ], "type": "country" }, + "top-level-domain": ".de", "uuid": "4121d334-39d0-49c4-8a0e-0442c6bdcbc4", "value": "Germany" }, @@ -1148,6 +1218,7 @@ ], "type": "country" }, + "top-level-domain": ".gh", "uuid": "6f7a0f04-8299-4a2d-95d0-a8305a1ae23e", "value": "Ghana" }, @@ -1176,6 +1247,7 @@ ], "type": "country" }, + "top-level-domain": ".gr", "uuid": "505730f7-2637-4efb-845d-f1af7cdca109", "value": "Greece" }, @@ -1204,6 +1276,7 @@ ], "type": "country" }, + "top-level-domain": ".gd", "uuid": "1aea4486-eef7-496b-9a69-a2d2bdbe7b77", "value": "Grenada" }, @@ -1232,6 +1305,7 @@ ], "type": "country" }, + "top-level-domain": ".gt", "uuid": "3e3e89d2-07f3-4ddc-addf-2d5cb05bedd1", "value": "Guatemala" }, @@ -1260,6 +1334,7 @@ ], "type": "country" }, + "top-level-domain": ".gn", "uuid": "f227edf8-e538-45b8-8a70-1a05ea5a605b", "value": "Guinea" }, @@ -1274,6 +1349,7 @@ ], "type": "country" }, + "top-level-domain": ".gw", "uuid": "3b5824bc-936e-4403-bdc9-4dd9a7db36e3", "value": "Guinea-Bissau" }, @@ -1288,6 +1364,7 @@ ], "type": "country" }, + "top-level-domain": ".gy", "uuid": "cb9fbca4-6cc6-4f83-9ebc-4e975cddea69", "value": "Guyana" }, @@ -1302,6 +1379,7 @@ ], "type": "country" }, + "top-level-domain": ".ht", "uuid": "595dd000-64ac-43b5-be17-0f52eff47459", "value": "Haiti" }, @@ -1316,6 +1394,7 @@ ], "type": "country" }, + "top-level-domain": ".hn", "uuid": "74a66006-ce2b-4280-abd1-e6f14ff9b926", "value": "Honduras" }, @@ -1330,6 +1409,7 @@ ], "type": "country" }, + "top-level-domain": ".hk", "uuid": "51c8ffc5-5453-4bf8-b100-74186d9a0de0", "value": "Hong Kong" }, @@ -1344,6 +1424,7 @@ ], "type": "country" }, + "top-level-domain": ".hu", "uuid": "adc52cee-5668-498d-8111-db1c38a584c5", "value": "Hungary" }, @@ -1358,6 +1439,7 @@ ], "type": "country" }, + "top-level-domain": ".is", "uuid": "5bcfbed4-d9af-40ab-bcbd-013cad252570", "value": "Iceland" }, 
@@ -1372,6 +1454,7 @@ ], "type": "country" }, + "top-level-domain": ".in", "uuid": "283a7b58-9fa6-48c8-95bc-9ece77b5b2ea", "value": "India" }, @@ -1386,6 +1469,7 @@ ], "type": "country" }, + "top-level-domain": ".id", "uuid": "417b5c63-a388-45d1-b104-cede98b13fe0", "value": "Indonesia" }, @@ -1400,6 +1484,7 @@ ], "type": "country" }, + "top-level-domain": ".ir", "uuid": "12b32332-ead1-4f69-be61-69ab1ed27d01", "value": "Iran" }, @@ -1414,6 +1499,7 @@ ], "type": "country" }, + "top-level-domain": ".iq", "uuid": "625f37bd-fe48-4791-ac1e-be8d069643a1", "value": "Iraq" }, @@ -1428,6 +1514,7 @@ ], "type": "country" }, + "top-level-domain": ".ie", "uuid": "b1243ef1-78f4-4e10-841d-bc61361f21f8", "value": "Ireland" }, @@ -1456,6 +1543,7 @@ ], "type": "country" }, + "top-level-domain": ".il", "uuid": "3273414a-8331-44cc-b3f6-890bf2363607", "value": "Israel" }, @@ -1470,6 +1558,7 @@ ], "type": "country" }, + "top-level-domain": ".it", "uuid": "1bcc0b11-d906-40ea-910c-a1124c4d82bd", "value": "Italy" }, @@ -1484,6 +1573,7 @@ ], "type": "country" }, + "top-level-domain": ".ci", "uuid": "c1aac71f-b060-4816-9369-451df1550883", "value": "Ivory Coast" }, @@ -1498,6 +1588,7 @@ ], "type": "country" }, + "top-level-domain": ".jm", "uuid": "f5a606a6-80c4-4349-af9b-1450e6699868", "value": "Jamaica" }, @@ -1512,6 +1603,7 @@ ], "type": "country" }, + "top-level-domain": ".jp", "uuid": "98ee5301-46da-4754-963f-8cf9aa17f7fa", "value": "Japan" }, @@ -1540,6 +1632,7 @@ ], "type": "country" }, + "top-level-domain": ".jo", "uuid": "f68750ae-d159-427e-bc6b-536fb676b8bf", "value": "Jordan" }, @@ -1554,6 +1647,7 @@ ], "type": "country" }, + "top-level-domain": ".kz", "uuid": "fc54834e-2131-47c5-b470-974855757469", "value": "Kazakhstan" }, @@ -1568,6 +1662,7 @@ ], "type": "country" }, + "top-level-domain": ".ke", "uuid": "60828537-e2d4-4f1c-b347-2c82901e9f01", "value": "Kenya" }, 
@@ -1582,6 +1677,7 @@ ], "type": "country" }, + "top-level-domain": ".ki", "uuid": "7a51098b-34bd-4f86-a478-90c8c20a7fb7", "value": "Kiribati" }, @@ -1610,6 +1706,7 @@ ], "type": "country" }, + "top-level-domain": ".kw", "uuid": "fbc205b4-0a7a-40db-8bf4-fe8e83357eea", "value": "Kuwait" }, @@ -1624,6 +1721,7 @@ ], "type": "country" }, + "top-level-domain": ".kg", "uuid": "92d31c81-c7e9-4ac5-bc73-6ea76ed19ce3", "value": "Kyrgyzstan" }, @@ -1638,6 +1736,7 @@ ], "type": "country" }, + "top-level-domain": ".la", "uuid": "54866dbe-1be0-4185-87e1-ed565d6d13ee", "value": "Laos" }, @@ -1652,6 +1751,7 @@ ], "type": "country" }, + "top-level-domain": ".lv", "uuid": "367122b1-2645-49a9-b871-23a9c74d430e", "value": "Latvia" }, @@ -1666,6 +1766,7 @@ ], "type": "country" }, + "top-level-domain": ".lb", "uuid": "7b7ed6de-7692-41ba-8f25-8456dda5b907", "value": "Lebanon" }, @@ -1680,6 +1781,7 @@ ], "type": "country" }, + "top-level-domain": ".ls", "uuid": "666ac9e5-bb2d-4317-8ad7-e92e5895f476", "value": "Lesotho" }, @@ -1694,6 +1796,7 @@ ], "type": "country" }, + "top-level-domain": ".lr", "uuid": "fad73876-fff0-4794-b970-c02d98ac2889", "value": "Liberia" }, @@ -1708,6 +1811,7 @@ ], "type": "country" }, + "top-level-domain": ".ly", "uuid": "98cae8b3-c6cc-4434-ad7a-0b424e7b38a5", "value": "Libya" }, @@ -1722,6 +1826,7 @@ ], "type": "country" }, + "top-level-domain": ".li", "uuid": "7359fcca-a4a2-4e8a-915f-a080f6b2e7b6", "value": "Liechtenstein" }, @@ -1736,6 +1841,7 @@ ], "type": "country" }, + "top-level-domain": ".lt", "uuid": "f32136ed-0727-4842-a9b7-9ea8f5d6f3fe", "value": "Lithuania" }, @@ -1763,6 +1869,7 @@ ], "type": "country" }, + "top-level-domain": ".mo", "uuid": "edf25443-9d01-45e5-af67-4943746a06d8", "value": "Macau" }, @@ -1791,6 +1898,7 @@ ], "type": "country" }, + "top-level-domain": ".mg", "uuid": "940cb63e-5e76-4494-a6f7-b976df4837a2", "value": "Madagascar" }, 
@@ -1805,6 +1913,7 @@ ], "type": "country" }, + "top-level-domain": ".mw", "uuid": "5ed4a624-1c71-443b-8475-73caab1eea8f", "value": "Malawi" }, @@ -1819,6 +1928,7 @@ ], "type": "country" }, + "top-level-domain": ".my", "uuid": "add3c024-728a-4507-b29f-9135f93eed14", "value": "Malaysia" }, @@ -1833,6 +1943,7 @@ ], "type": "country" }, + "top-level-domain": ".mv", "uuid": "8449ad6b-a590-4591-8676-2f9101341655", "value": "Maldives" }, @@ -1847,6 +1958,7 @@ ], "type": "country" }, + "top-level-domain": ".ml", "uuid": "f783dd32-8b58-491a-9b10-3028ac64664a", "value": "Mali" }, @@ -1861,6 +1973,7 @@ ], "type": "country" }, + "top-level-domain": ".mt", "uuid": "cd50bf6f-d86f-4470-9734-5aa83fd9e427", "value": "Malta" }, @@ -1875,6 +1988,7 @@ ], "type": "country" }, + "top-level-domain": ".mh", "uuid": "aa71c335-c223-4f5f-956d-c7c82d9a8283", "value": "Marshall Islands" }, @@ -1889,6 +2003,7 @@ ], "type": "country" }, + "top-level-domain": ".mr", "uuid": "a8561bba-3202-4165-8ef9-9e7412e8f5dd", "value": "Mauritania" }, @@ -1903,6 +2018,7 @@ ], "type": "country" }, + "top-level-domain": ".mu", "uuid": "c49266e4-75ab-42dd-a434-5231b72cbc89", "value": "Mauritius" }, @@ -1917,6 +2033,7 @@ ], "type": "country" }, + "top-level-domain": ".yt", "uuid": "aeb9cb0b-706c-44ad-9281-20dd857bbfc4", "value": "Mayotte" }, @@ -1931,6 +2048,7 @@ ], "type": "country" }, + "top-level-domain": ".mx", "uuid": "55777eae-a885-4ee5-9ad3-8df56cddb82b", "value": "Mexico" }, @@ -1959,6 +2077,7 @@ ], "type": "country" }, + "top-level-domain": ".md", "uuid": "8c076c68-08a3-4870-aa1e-bd39d45c1d0b", "value": "Moldova" }, @@ -1973,6 +2092,7 @@ ], "type": "country" }, + "top-level-domain": ".mc", "uuid": "6b3e9217-0047-4a9f-9771-1fe24eb9c466", "value": "Monaco" }, @@ -1987,6 +2107,7 @@ ], "type": "country" }, + "top-level-domain": ".mn", "uuid": "d11a74ac-1ffd-4e92-941a-54fc64b801c6", "value": "Mongolia" }, 
@@ -2001,6 +2122,7 @@ ], "type": "country" }, + "top-level-domain": ".me", "uuid": "b4eab2e9-f67a-449f-8f19-bf22c9bb2cac", "value": "Montenegro" }, @@ -2015,6 +2137,7 @@ ], "type": "country" }, + "top-level-domain": ".ms", "uuid": "e93097db-aa74-40ae-b92a-53f012a74889", "value": "Montserrat" }, @@ -2029,6 +2152,7 @@ ], "type": "country" }, + "top-level-domain": ".ma", "uuid": "04974cc3-fded-4af3-a0e6-0343e83f5f67", "value": "Morocco" }, @@ -2043,6 +2167,7 @@ ], "type": "country" }, + "top-level-domain": ".mz", "uuid": "dcc6fc3a-f36b-4137-9c3d-1ed88eb89131", "value": "Mozambique" }, @@ -2057,6 +2182,7 @@ ], "type": "country" }, + "top-level-domain": ".mm", "uuid": "8068b82b-461a-4b8a-acea-f4fe0b12b396", "value": "Myanmar" }, @@ -2071,6 +2197,7 @@ ], "type": "country" }, + "top-level-domain": ".na", "uuid": "964471d5-e84a-486c-94e2-95107b59de61", "value": "Namibia" }, @@ -2085,6 +2212,7 @@ ], "type": "country" }, + "top-level-domain": ".nr", "uuid": "2d57902f-14b2-4e04-84ed-b2e24a7bba5f", "value": "Nauru" }, @@ -2099,6 +2227,7 @@ ], "type": "country" }, + "top-level-domain": ".np", "uuid": "9f6c918b-246f-43bc-a125-1a2639932fd2", "value": "Nepal" }, @@ -2113,6 +2242,7 @@ ], "type": "country" }, + "top-level-domain": ".nl", "uuid": "1c016908-33df-485c-ba9a-3e629e6f92d9", "value": "Netherlands" }, @@ -2155,6 +2285,7 @@ ], "type": "country" }, + "top-level-domain": ".nz", "uuid": "665da546-a37a-4194-ad73-ff1a5e79b3f7", "value": "New Zealand" }, @@ -2169,6 +2300,7 @@ ], "type": "country" }, + "top-level-domain": ".ni", "uuid": "f0a5a2de-5567-4581-8c99-3459e44d1608", "value": "Nicaragua" }, @@ -2183,6 +2315,7 @@ ], "type": "country" }, + "top-level-domain": ".ne", "uuid": "13c9337c-9c06-42fd-ba3f-7128de97ffff", "value": "Niger" }, @@ -2197,6 +2330,7 @@ ], "type": "country" }, + "top-level-domain": ".ng", "uuid": "bdaa0f76-6fd0-4f2d-b6fd-76a97fe06c3b", "value": "Nigeria" }, 
@@ -2211,6 +2345,7 @@ ], "type": "country" }, + "top-level-domain": ".nu", "uuid": "ccf0effb-f81c-4308-a758-e13cde30d5f7", "value": "Niue" }, @@ -2225,6 +2360,7 @@ ], "type": "country" }, + "top-level-domain": ".kp", "uuid": "cc0bc1cc-6c68-46c2-b9f4-8fdc05f24fde", "value": "North Korea" }, @@ -2253,6 +2389,7 @@ ], "type": "country" }, + "top-level-domain": ".no", "uuid": "a39f40d3-8fa5-4024-8c92-58c6a7362af8", "value": "Norway" }, @@ -2267,6 +2404,7 @@ ], "type": "country" }, + "top-level-domain": ".om", "uuid": "086ced26-e92c-4b55-9688-0d716d507ada", "value": "Oman" }, @@ -2281,6 +2419,7 @@ ], "type": "country" }, + "top-level-domain": ".pk", "uuid": "6d6c87fd-8da6-465c-a381-b47f3810a6ea", "value": "Pakistan" }, @@ -2295,6 +2434,7 @@ ], "type": "country" }, + "top-level-domain": ".pw", "uuid": "3d7ad346-2b4c-4f51-947c-7c0627457174", "value": "Palau" }, @@ -2323,6 +2463,7 @@ ], "type": "country" }, + "top-level-domain": ".pa", "uuid": "a38eb164-18f8-4ac8-941c-b9911a85c9c1", "value": "Panama" }, @@ -2337,6 +2478,7 @@ ], "type": "country" }, + "top-level-domain": ".pg", "uuid": "ac70053c-5b3b-42b4-b7de-421f097d74e1", "value": "Papua New Guinea" }, @@ -2351,6 +2493,7 @@ ], "type": "country" }, + "top-level-domain": ".py", "uuid": "d25565ce-babf-4919-8e64-f894c6d099f7", "value": "Paraguay" }, @@ -2365,6 +2508,7 @@ ], "type": "country" }, + "top-level-domain": ".pe", "uuid": "ff45884e-11e3-4b31-b805-8e4cb6c5e4e8", "value": "Peru" }, @@ -2379,6 +2523,7 @@ ], "type": "country" }, + "top-level-domain": ".ph", "uuid": "61e24be6-cf32-4d0f-a8b3-379a05bac8a9", "value": "Philippines" }, @@ -2407,6 +2552,7 @@ ], "type": "country" }, + "top-level-domain": ".pl", "uuid": "8e73397d-5c08-477e-9b5c-2ef279b5883b", "value": "Poland" }, @@ -2421,6 +2567,7 @@ ], "type": "country" }, + "top-level-domain": ".pt", "uuid": "fb9b1e68-2b99-467b-935d-1e98f312d9d6", "value": "Portugal" }, 
@@ -2450,6 +2597,7 @@ ], "type": "country" }, + "top-level-domain": ".qa", "uuid": "79da7e74-0680-4c83-8329-2978e730eb91", "value": "Qatar" }, @@ -2464,6 +2612,7 @@ ], "type": "country" }, + "top-level-domain": ".cg", "uuid": "5a5a71d8-9973-4a88-8ec5-8da50b24d90c", "value": "Republic of the Congo" }, @@ -2492,6 +2641,7 @@ ], "type": "country" }, + "top-level-domain": ".ro", "uuid": "afa8ac3d-723d-4f10-8756-d8bbefc9eb2e", "value": "Romania" }, @@ -2506,6 +2656,7 @@ ], "type": "country" }, + "top-level-domain": ".ru", "uuid": "f99a8e6e-ccb6-4709-842c-a21e5455ba7c", "value": "Russia" }, @@ -2520,6 +2671,7 @@ ], "type": "country" }, + "top-level-domain": ".rw", "uuid": "d9dac31d-b4d7-4afb-b6fe-d9e09c5d4bac", "value": "Rwanda" }, @@ -2548,6 +2700,7 @@ ], "type": "country" }, + "top-level-domain": ".sh", "uuid": "083e69f2-14f1-4d8c-9fb7-4d38d38322cf", "value": "Saint Helena" }, @@ -2562,6 +2715,7 @@ ], "type": "country" }, + "top-level-domain": ".kn", "uuid": "7334c20d-dc91-41ff-925c-08e3e7d22c30", "value": "Saint Kitts and Nevis" }, @@ -2576,6 +2730,7 @@ ], "type": "country" }, + "top-level-domain": ".lc", "uuid": "ceb56016-5c27-42af-a4bd-0022bfcfee7b", "value": "Saint Lucia" }, @@ -2618,6 +2773,7 @@ ], "type": "country" }, + "top-level-domain": ".vc", "uuid": "b46efc73-2cee-4250-aa3e-5e369ef06c5c", "value": "Saint Vincent and the Grenadines" }, @@ -2632,6 +2788,7 @@ ], "type": "country" }, + "top-level-domain": ".ws", "uuid": "8ee23019-4942-498c-89b7-4a6336015974", "value": "Samoa" }, @@ -2646,6 +2803,7 @@ ], "type": "country" }, + "top-level-domain": ".sm", "uuid": "6d739a32-2b94-45cc-8be0-4c65cc8f3ef4", "value": "San Marino" }, @@ -2674,6 +2832,7 @@ ], "type": "country" }, + "top-level-domain": ".sa", "uuid": "52a4e93d-5e64-4ae2-9f5f-97fbcf75dc55", "value": "Saudi Arabia" }, @@ -2688,6 +2847,7 @@ ], "type": "country" }, + "top-level-domain": ".sn", "uuid": "31d92db8-d6e4-4531-955b-464986df7dad", "value": "Senegal" }, 
@@ -2702,6 +2862,7 @@ ], "type": "country" }, + "top-level-domain": ".rs", "uuid": "4ec7dd40-4d7a-431c-844d-ee709b8fb935", "value": "Serbia" }, @@ -2716,6 +2877,7 @@ ], "type": "country" }, + "top-level-domain": ".sc", "uuid": "e0f8c503-e005-409b-8915-b2cec757f85b", "value": "Seychelles" }, @@ -2730,6 +2892,7 @@ ], "type": "country" }, + "top-level-domain": ".sl", "uuid": "8acd3be4-fc0f-4dff-bf47-76d3e916c8ca", "value": "Sierra Leone" }, @@ -2744,6 +2907,7 @@ ], "type": "country" }, + "top-level-domain": ".sg", "uuid": "d9e1d8a2-1e57-41f1-b44f-efc26531e0c6", "value": "Singapore" }, @@ -2758,6 +2922,7 @@ ], "type": "country" }, + "top-level-domain": ".sx", "uuid": "5f6c7e19-38a0-4b4e-8799-7dd8ab6e39e1", "value": "Sint Maarten" }, @@ -2772,6 +2937,7 @@ ], "type": "country" }, + "top-level-domain": ".sk", "uuid": "707adc52-2c97-4e56-99fb-9661319117b4", "value": "Slovakia" }, @@ -2786,6 +2952,7 @@ ], "type": "country" }, + "top-level-domain": ".si", "uuid": "66b0e8f0-7f94-420b-ac26-b7d874ca6f85", "value": "Slovenia" }, @@ -2800,6 +2967,7 @@ ], "type": "country" }, + "top-level-domain": ".sb", "uuid": "7a5d17e8-7597-4dd0-b009-60998149383e", "value": "Solomon Islands" }, @@ -2814,6 +2982,7 @@ ], "type": "country" }, + "top-level-domain": ".so", "uuid": "8250580d-e2a5-4215-af6f-093c21fb4834", "value": "Somalia" }, @@ -2828,6 +2997,7 @@ ], "type": "country" }, + "top-level-domain": ".za", "uuid": "6b3cc3a2-e95b-43b9-aeaa-1c3867e99319", "value": "South Africa" }, @@ -2842,6 +3012,7 @@ ], "type": "country" }, + "top-level-domain": ".kr", "uuid": "e78f238b-c0f0-4856-acc8-a3ff7b1c9187", "value": "South Korea" }, @@ -2856,6 +3027,7 @@ ], "type": "country" }, + "top-level-domain": ".ss", "uuid": "a152cd53-9a53-46e0-9b84-9d4101a59c5e", "value": "South Sudan" }, @@ -2870,6 +3042,7 @@ ], "type": "country" }, + "top-level-domain": ".es", "uuid": "d3400ce2-5701-4141-83ba-66f4fea068ca", "value": "Spain" }, 
@@ -2884,6 +3057,7 @@ ], "type": "country" }, + "top-level-domain": ".lk", "uuid": "67d858c3-0ea2-4988-9dd4-d17375c5483d", "value": "Sri Lanka" }, @@ -2898,6 +3072,7 @@ ], "type": "country" }, + "top-level-domain": ".sd", "uuid": "210b2138-a4de-4959-9528-9b382f9df98c", "value": "Sudan" }, @@ -2912,6 +3087,7 @@ ], "type": "country" }, + "top-level-domain": ".sr", "uuid": "fa257ff1-9352-45ed-8fea-70fcc88781e0", "value": "Suriname" }, @@ -2954,6 +3130,7 @@ ], "type": "country" }, + "top-level-domain": ".se", "uuid": "6d3bbf09-dea6-4c99-bf8b-7f75537a8b38", "value": "Sweden" }, @@ -2968,6 +3145,7 @@ ], "type": "country" }, + "top-level-domain": ".ch", "uuid": "56c661d4-471c-4e92-a4e6-349f8edabf41", "value": "Switzerland" }, @@ -2982,6 +3160,7 @@ ], "type": "country" }, + "top-level-domain": ".sy", "uuid": "145a3afd-e9b6-497e-9b8f-a07a3b113c90", "value": "Syria" }, @@ -2996,6 +3175,7 @@ ], "type": "country" }, + "top-level-domain": ".tw", "uuid": "5e8f4b1d-56fb-41ba-8107-1d936679673f", "value": "Taiwan" }, @@ -3010,6 +3190,7 @@ ], "type": "country" }, + "top-level-domain": ".tj", "uuid": "acc3015b-52f7-46a5-9bcd-b6c69a9af728", "value": "Tajikistan" }, @@ -3024,6 +3205,7 @@ ], "type": "country" }, + "top-level-domain": ".tz", "uuid": "b63d9a72-3c11-4948-b653-5ea6bdf1ed66", "value": "Tanzania" }, @@ -3038,6 +3220,7 @@ ], "type": "country" }, + "top-level-domain": ".th", "uuid": "a9a5d54d-933a-41fe-9227-8c44d69e766f", "value": "Thailand" }, @@ -3052,6 +3235,7 @@ ], "type": "country" }, + "top-level-domain": ".tg", "uuid": "6c61d5e6-b9be-466a-a0e0-768def1c5eae", "value": "Togo" }, @@ -3066,6 +3250,7 @@ ], "type": "country" }, + "top-level-domain": ".tk", "uuid": "8e1da827-2562-4c8f-b668-779c7512410c", "value": "Tokelau" }, @@ -3080,6 +3265,7 @@ ], "type": "country" }, + "top-level-domain": ".to", "uuid": "9d68906f-7e43-4d63-9b81-e3047b4f25e8", "value": "Tonga" }, 
@@ -3094,6 +3280,7 @@ ], "type": "country" }, + "top-level-domain": ".tt", "uuid": "b42557d5-ec65-41e0-84db-171b3f48e66e", "value": "Trinidad and Tobago" }, @@ -3108,6 +3295,7 @@ ], "type": "country" }, + "top-level-domain": ".tn", "uuid": "7e8d9de1-3e0c-4a9a-809b-e741096d93dc", "value": "Tunisia" }, @@ -3122,6 +3310,7 @@ ], "type": "country" }, + "top-level-domain": ".tr", "uuid": "10cad663-ea15-4803-937d-f1f6bc046f6f", "value": "Turkey" }, @@ -3136,6 +3325,7 @@ ], "type": "country" }, + "top-level-domain": ".tm", "uuid": "b8ac2942-599e-40a4-82d6-dc7d189b1d7f", "value": "Turkmenistan" }, @@ -3150,6 +3340,7 @@ ], "type": "country" }, + "top-level-domain": ".tc", "uuid": "3a7ffa51-20aa-4cf5-ac82-2ba6b9cb0b59", "value": "Turks and Caicos Islands" }, @@ -3164,6 +3355,7 @@ ], "type": "country" }, + "top-level-domain": ".tv", "uuid": "af9953e1-70b7-4925-bdc9-d0799d02aefa", "value": "Tuvalu" }, @@ -3192,6 +3384,7 @@ ], "type": "country" }, + "top-level-domain": ".ug", "uuid": "5ad9c05c-4725-4cb0-81e7-9d7499bc1f08", "value": "Uganda" }, @@ -3206,6 +3399,7 @@ ], "type": "country" }, + "top-level-domain": ".ua", "uuid": "4e2745c3-2447-4fa4-9e5b-7d32adc01761", "value": "Ukraine" }, @@ -3220,6 +3414,7 @@ ], "type": "country" }, + "top-level-domain": ".ae", "uuid": "ec6d9524-cf39-4081-83e7-f87f5059ab4c", "value": "United Arab Emirates" }, @@ -3234,6 +3429,7 @@ ], "type": "country" }, + "top-level-domain": ".uk", "uuid": "5d0b6a46-f4cf-42ac-b283-e5e28677ec0f", "value": "United Kingdom" }, @@ -3262,6 +3458,7 @@ ], "type": "country" }, + "top-level-domain": ".uy", "uuid": "5a5dbbad-e27b-4f47-a3b7-6acfddf0b57c", "value": "Uruguay" }, @@ -3276,6 +3473,7 @@ ], "type": "country" }, + "top-level-domain": ".uz", "uuid": "46aa0f74-14c1-451a-a269-24141501c861", "value": "Uzbekistan" }, @@ -3290,6 +3488,7 @@ ], "type": "country" }, + "top-level-domain": ".vu", "uuid": "6a1b40ad-b473-46d6-ba02-a66eeb5f9472", "value": "Vanuatu" }, 
@@ -3318,6 +3517,7 @@ ], "type": "country" }, + "top-level-domain": ".ve", "uuid": "ff8eae27-8b9f-4a44-98e9-810b74785d5e", "value": "Venezuela" }, @@ -3332,6 +3532,7 @@ ], "type": "country" }, + "top-level-domain": ".vn", "uuid": "7102ea70-2af1-4b23-8d94-a87a9c9aea8e", "value": "Vietnam" }, @@ -3346,6 +3547,7 @@ ], "type": "country" }, + "top-level-domain": ".wf", "uuid": "e343017d-b607-4cd2-8bd9-b3417caa9674", "value": "Wallis and Futuna" }, @@ -3374,6 +3576,7 @@ ], "type": "country" }, + "top-level-domain": ".ye", "uuid": "2813a187-0827-4e70-80f1-ffdb261ec478", "value": "Yemen" }, @@ -3388,6 +3591,7 @@ ], "type": "country" }, + "top-level-domain": ".zm", "uuid": "4ec0f561-4798-4b7e-a6f4-df8400284ee6", "value": "Zambia" }, @@ -3402,9 +3606,10 @@ ], "type": "country" }, + "top-level-domain": ".zw", "uuid": "da228f94-4412-4226-9113-e19a55cd4aa5", "value": "Zimbabwe" } ], - "version": 1 + "version": 2 } From a4a72d0698ddd2b60e833ffcaeccfbd24e1beb28 Mon Sep 17 00:00:00 2001 From: Daniel Plohmann Date: Wed, 31 Jul 2019 14:08:50 +0200 Subject: [PATCH 53/92] adding Proofpoint's TA428 --- clusters/threat-actor.json | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7d2cd7f..f84fa12 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -7622,7 +7622,18 @@ }, "uuid": "64ac8827-89d9-4738-9df3-cd955c628bee", "value": "SWEED" + }, + { + "description": "Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.", + "meta": { + "country": "CN", + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology" + ] + }, + "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d", + "value": "TA428" } ], - "version": 122 + "version": 123 } From 0367e16ce023adc02aab03ac0b3878e47d892ba8 Mon Sep 17 00:00:00 2001 
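Review bot: The TA428 entry carries only `country` and `refs` under `meta`, while its description attributes Poison Ivy payloads and the Cotx RAT to the group and names the campaign “Operation LagTime IT”; elsewhere on this page such links are expressed as `related` entries with a `dest-uuid`, `tags` and `type`, which makes them queryable rather than buried in prose. If a Poison Ivy cluster entry exists, adding `{ "dest-uuid": "<POISON-IVY-CLUSTER-UUID>", "tags": ["<estimative-language tag>"], "type": "<relationship type>" }` under a `related` array here would record that attribution in structured form; I cannot see the target uuid from this view. The enclosing `values` array begins well before this hunk.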
From: Daniel Plohmann Date: Wed, 31 Jul 2019 14:35:09 +0200 Subject: [PATCH 54/92] adding secureworks actor names for energetic bear and teamspy --- clusters/threat-actor.json | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7d2cd7f..2afccbf 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2634,7 +2634,8 @@ "https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat", "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672", - "https://attack.mitre.org/groups/G0035/" + "https://attack.mitre.org/groups/G0035/", + "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" ], "synonyms": [ "Dragonfly", @@ -2642,7 +2643,8 @@ "Group 24", "Havex", "CrouchingYeti", - "Koala Team" + "Koala Team", + "IRON LIBERTY" ] }, "related": [ @@ -2857,13 +2859,15 @@ "https://www.cfr.org/interactive/cyber-operations/team-spy-crew", "https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/", "https://www.crysys.hu/publications/files/teamspy.pdf", - "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf" + "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf", + "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" ], "synonyms": [ "TeamSpy", "Team Bear", "Berserk Bear", - "Anger Bear" + "Anger Bear", + "IRON LYRIC" ] }, "related": [ @@ -7624,5 +7628,5 @@ "value": "SWEED" } ], - "version": 122 + "version": 124 } From 17452d31a7e54eb72d2c697e21435b8e3a333894 Mon Sep 17 00:00:00 2001 
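Review bot: This patch and the preceding TA428 patch both start from blob `7d2cd7f` of clusters/threat-actor.json (compare the two `index` lines) and both rewrite the same `"version": 122` line, to 123 and to 124 respectively, so the second patch cannot apply on top of the first without a rebase and manual resolution of that line. The counter only needs to be monotonic, so a gap is harmless, but the conflict is not; regenerating the final hunk after rebasing, i.e. `-    "version": 123` / `+    "version": 124`, keeps the series applicable in order. The two synonym and ref additions are consistent with the existing `synonyms` and `refs` arrays; the Energetic Bear and TeamSpy entries begin outside these hunks.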
From: Alexandre Dulaunoy Date: Thu, 1 Aug 2019 15:51:03 +0200 Subject: [PATCH 55/92] chg: [att&ck] July ATT&CK release included in MISP galaxy --- clusters/mitre-attack-pattern.json | 18 +- clusters/mitre-course-of-action.json | 4103 +++++++++++++++-- ...re-enterprise-attack-course-of-action.json | 2 +- clusters/mitre-intrusion-set.json | 1140 ++++- clusters/mitre-malware.json | 2569 ++++++++++- .../mitre-mobile-attack-attack-pattern.json | 2 +- .../mitre-mobile-attack-course-of-action.json | 9 +- clusters/mitre-mobile-attack-malware.json | 2 +- clusters/mitre-pre-attack-attack-pattern.json | 2 +- clusters/mitre-pre-attack-intrusion-set.json | 9 +- clusters/mitre-tool.json | 6 +- 11 files changed, 7406 insertions(+), 456 deletions(-) diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json index d766609..9c6a6c3 100644 --- a/clusters/mitre-attack-pattern.json +++ b/clusters/mitre-attack-pattern.json @@ -775,7 +775,7 @@ "meta": { "external_id": "T1452", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android", @@ -2072,7 +2072,7 @@ "meta": { "external_id": "APP-28", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android", @@ -3648,7 +3648,7 @@ "meta": { "external_id": "T1472", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android", @@ -3825,7 +3825,7 @@ "meta": { "external_id": "T1448", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android" @@ -7096,7 +7096,7 @@ "meta": { "external_id": "T1447", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android" @@ -9731,7 +9731,7 @@ "meta": { "external_id": "APP-28", "kill_chain": [ - "mitre-mobile-attack:effects" + "mitre-mobile-attack:impact" ], "mitre_platforms": [ "Android" 
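Review bot: The `kill_chain` entries are renamed from `mitre-mobile-attack:effects` to `mitre-mobile-attack:impact` in all six hunks here, but the diffstat for this patch lists only files under `clusters/`, so if the mobile-attack galaxy definition that enumerates its kill-chain phases still declares `effects`, these techniques now reference a phase their galaxy does not define. Worth confirming that the galaxy definition was updated in the same release or a separate commit; it is not visible from here. Each hunk's enclosing technique object starts and ends outside the hunk.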
@@ -10263,7 +10263,7 @@ "value": "Repackaged Application - T1444" }, { - "description": "Adversaries may destroy data data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye 
Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)", + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin 
Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)", "meta": { "external_id": "T1485", "kill_chain": [ 
@@ -10637,7 +10637,7 @@ "value": "Masquerading - T1036" }, { - "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", + "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. 
Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", "meta": { "external_id": "T1064", "kill_chain": [ @@ -11083,5 +11083,5 @@ "value": "DNSCalc - T1324" } ], - "version": 9 + "version": 10 } diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json index 8483059..9036013 100644 --- a/clusters/mitre-course-of-action.json +++ b/clusters/mitre-course-of-action.json 
@@ -14,12 +14,12 @@ "meta": { "external_id": "T1060", "refs": [ - "https://attack.mitre.org/techniques/T1060", + "https://attack.mitre.org/mitigations/T1060", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -39,7 +39,7 @@ "meta": { "external_id": "T1041", "refs": [ - "https://attack.mitre.org/techniques/T1041", + "https://attack.mitre.org/mitigations/T1041", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -60,7 +60,7 @@ "meta": { "external_id": "T1011", "refs": [ - "https://attack.mitre.org/techniques/T1011", + "https://attack.mitre.org/mitigations/T1011", "https://technet.microsoft.com/library/dd252791.aspx", "https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/" ] 
@@ -77,12 +77,234 @@ "uuid": "a98be93b-a75b-4dd4-8a72-4dfd0b5e25bb", "value": "Exfiltration Over Other Network Medium Mitigation - T1011" }, + { + "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", + "meta": { + "external_id": "M1042", + "refs": [ + "https://attack.mitre.org/mitigations/M1042" + ] + }, + "related": [ + { + "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "eb88d97c-32f1-40be-80f0-d61a4b0b4b31", + "value": "Disable or Remove Feature or Program - M1042" + }, + { + "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", + "meta": { + "external_id": "M1035", + "refs": [ + "https://attack.mitre.org/mitigations/M1035" + ] + }, + "related": [ + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "1dcaeb21-9348-42ea-950a-f842aaf1ae1f", + "value": "Limit Access to Resource Over Network - M1035" + }, { "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) 
(Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "meta": { "external_id": "T1039", "refs": [ - "https://attack.mitre.org/techniques/T1039", + "https://attack.mitre.org/mitigations/T1039", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -107,7 +329,7 @@ "meta": { "external_id": "T1084", "refs": [ - "https://attack.mitre.org/techniques/T1084", + "https://attack.mitre.org/mitigations/T1084", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf" ] }, @@ -128,7 +350,7 @@ "meta": { "external_id": "T1094", "refs": [ - "https://attack.mitre.org/techniques/T1094", + "https://attack.mitre.org/mitigations/T1094", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -149,7 +371,7 @@ "meta": { "external_id": "T1183", "refs": [ - "https://attack.mitre.org/techniques/T1183", + "https://attack.mitre.org/mitigations/T1183", "https://answers.microsoft.com/windows/forum/windows_10-security/part-of-windows-10-or-really-malware/af715663-a34a-423c-850d-2a46f369a54c", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", @@ -173,7 +395,7 @@ "meta": { "external_id": "T1198", "refs": [ - "https://attack.mitre.org/techniques/T1198", + "https://attack.mitre.org/mitigations/T1198", "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf" ] }, 
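Review bot: With this hunk the cluster's `external_id` field holds two identifier schemes side by side: the new entries use ATT&CK mitigation ids (`M1042`, `M1035`) while the legacy entries around them keep technique ids (`T1011`, `T1039`) even though they are mitigations, so a consumer that joins clusters on `external_id` could pair the T1039 mitigation with the T1039 technique. A sentence in the galaxy-level description stating that legacy mitigation entries reuse the technique id and that the `value` suffix (`Mitigation - T1039` versus `- M1042`) tells the two apart would save consumers from that mismatch. The `related` links on M1042 and M1035 share the targets `10d51417-…` and `51dea151-…`, which is plausible for overlapping mitigations but worth a glance since every link is tagged `almost-certain`.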
@@ -194,7 +416,7 @@ "meta": { "external_id": "T1095", "refs": [ - "https://attack.mitre.org/techniques/T1095", + "https://attack.mitre.org/mitigations/T1095", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -215,12 +437,12 @@ "meta": { "external_id": "T1140", "refs": [ - "https://attack.mitre.org/techniques/T1140", + "https://attack.mitre.org/mitigations/T1140", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -260,7 +482,7 @@ "meta": { "external_id": "T1030", "refs": [ - "https://attack.mitre.org/techniques/T1030", + "https://attack.mitre.org/mitigations/T1030", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -281,7 +503,7 @@ "meta": { "external_id": "T1005", "refs": [ - "https://attack.mitre.org/techniques/T1005", + "https://attack.mitre.org/mitigations/T1005", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -306,7 +528,7 @@ "meta": { "external_id": "T1006", "refs": [ - "https://attack.mitre.org/techniques/T1006", + "https://attack.mitre.org/mitigations/T1006", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -365,7 +587,7 @@ "meta": { "external_id": "T1070", "refs": [ - "https://attack.mitre.org/techniques/T1070" + "https://attack.mitre.org/mitigations/T1070" ] }, "related": [ @@ -385,7 +607,7 @@ "meta": { "external_id": "T1210", "refs": [ - "https://attack.mitre.org/techniques/T1210", + "https://attack.mitre.org/mitigations/T1210", "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", "https://en.wikipedia.org/wiki/Control-flow_integrity" @@ -408,11 +630,11 @@ "meta": { "external_id": "T1016", "refs": [ - "https://attack.mitre.org/techniques/T1016", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://attack.mitre.org/mitigations/T1016", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, @@ -433,7 +655,7 @@ "meta": { "external_id": "T1071", "refs": [ - "https://attack.mitre.org/techniques/T1071", + "https://attack.mitre.org/mitigations/T1071", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, 
@@ -454,7 +676,7 @@ "meta": { "external_id": "T1091", "refs": [ - "https://attack.mitre.org/techniques/T1091", + "https://attack.mitre.org/mitigations/T1091", "https://support.microsoft.com/en-us/kb/967715", "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", 
@@ -476,12 +698,214 @@ "uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", "value": "Replication Through Removable Media Mitigation - T1091" }, + { + "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", + "meta": { + "external_id": "M1022", + "refs": [ + "https://attack.mitre.org/mitigations/M1022" + ] + }, + "related": [ + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "06780952-177c-4247-b978-79c357fb311f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "987988f0-cf86-4680-a875-2f6456ab2448", + "value": "Restrict File and Directory Permissions - M1022" + }, { "description": "Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nOther types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)\n\nSecurity applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility.", "meta": { "external_id": "T1203", "refs": [ - "https://attack.mitre.org/techniques/T1203", + "https://attack.mitre.org/mitigations/T1203", "https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/", "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", @@ -505,13 +929,13 @@ "meta": { "external_id": "T1042", "refs": [ - "https://attack.mitre.org/techniques/T1042", + "https://attack.mitre.org/mitigations/T1042", + "https://msdn.microsoft.com/en-us/library/cc144156.aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "https://msdn.microsoft.com/en-us/library/cc144156.aspx" + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -531,7 +955,7 @@ "meta": { "external_id": "T1025", "refs": [ - "https://attack.mitre.org/techniques/T1025", + "https://attack.mitre.org/mitigations/T1025", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
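Review bot: The new `Restrict File and Directory Permissions - M1022` entry is added right next to legacy per-technique mitigations such as `Exploitation for Client Execution Mitigation - T1203`, and after this hunk both kinds carry `https://attack.mitre.org/mitigations/…` refs, so nothing in the data tells a consumer which entries are the superseded technique-numbered mitigations and which are the current M-series ones. If the upstream STIX marks the legacy course-of-action objects as deprecated, carry that into `meta` (a deprecation flag, if the cluster schema permits one) so tooling can prefer the M-series entries when both map to the same technique. The 27 `mitigates` relations of M1022 are all tagged `estimative-language:likelihood-probability="almost-certain"`, which matches the M1042 relations earlier in the file, so the tagging itself is consistent.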
@@ -556,7 +980,7 @@ "meta": { "external_id": "T1052", "refs": [ - "https://attack.mitre.org/techniques/T1052", + "https://attack.mitre.org/mitigations/T1052", "https://support.microsoft.com/en-us/kb/967715", "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" ] @@ -578,7 +1002,7 @@ "meta": { "external_id": "T1027", "refs": [ - "https://attack.mitre.org/techniques/T1027", + "https://attack.mitre.org/mitigations/T1027", "https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/?source=mmpc" ] }, @@ -599,7 +1023,7 @@ "meta": { "external_id": "T1092", "refs": [ - "https://attack.mitre.org/techniques/T1092", + "https://attack.mitre.org/mitigations/T1092", "https://support.microsoft.com/en-us/kb/967715", "https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx" ] @@ -621,11 +1045,11 @@ "meta": { "external_id": "T1083", "refs": [ - "https://attack.mitre.org/techniques/T1083", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://attack.mitre.org/mitigations/T1083", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, 
@@ -646,9 +1070,9 @@ "meta": { "external_id": "T1038", "refs": [ - "https://attack.mitre.org/techniques/T1038", - "http://msdn.microsoft.com/en-US/library/ms682586", + "https://attack.mitre.org/mitigations/T1038", "http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx", + "http://msdn.microsoft.com/en-US/library/ms682586", "https://github.com/mattifestation/PowerSploit", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", @@ -672,7 +1096,7 @@ "meta": { "external_id": "T1044", "refs": [ - "https://attack.mitre.org/techniques/T1044", + "https://attack.mitre.org/mitigations/T1044", "https://github.com/mattifestation/PowerSploit", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", @@ -697,7 +1121,7 @@ "meta": { "external_id": "T1048", "refs": [ - "https://attack.mitre.org/techniques/T1048", + "https://attack.mitre.org/mitigations/T1048", "https://technet.microsoft.com/en-us/library/cc700828.aspx", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] 
@@ -719,12 +1143,12 @@ "meta": { "external_id": "T1049", "refs": [ - "https://attack.mitre.org/techniques/T1049", + "https://attack.mitre.org/mitigations/T1049", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -744,7 +1168,7 @@ "meta": { "external_id": "T1058", "refs": [ - "https://attack.mitre.org/techniques/T1058", + "https://attack.mitre.org/mitigations/T1058", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" @@ -767,7 +1191,7 @@ "meta": { "external_id": "T1066", "refs": [ - "https://attack.mitre.org/techniques/T1066", + "https://attack.mitre.org/mitigations/T1066", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -792,7 +1216,7 @@ "meta": { "external_id": "T1068", "refs": [ - "https://attack.mitre.org/techniques/T1068", + "https://attack.mitre.org/mitigations/T1068", "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", "https://en.wikipedia.org/wiki/Control-flow_integrity" @@ -815,7 +1239,7 @@ "meta": { "external_id": "T1088", "refs": [ - "https://attack.mitre.org/techniques/T1088", + "https://attack.mitre.org/mitigations/T1088", "https://github.com/hfiref0x/UACME" ] }, @@ -836,7 +1260,7 @@ "meta": { "external_id": "T1211", "refs": [ - "https://attack.mitre.org/techniques/T1211", + "https://attack.mitre.org/mitigations/T1211", "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", "https://en.wikipedia.org/wiki/Control-flow_integrity" @@ -859,7 +1283,7 @@ "meta": { "external_id": "T1181", "refs": [ - "https://attack.mitre.org/techniques/T1181", + "https://attack.mitre.org/mitigations/T1181", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -884,7 +1308,7 @@ "meta": { "external_id": "T1212", "refs": [ - "https://attack.mitre.org/techniques/T1212", + "https://attack.mitre.org/mitigations/T1212", "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", "https://en.wikipedia.org/wiki/Control-flow_integrity" @@ -907,7 +1331,7 @@ "meta": { "external_id": "T1122", "refs": [ - "https://attack.mitre.org/techniques/T1122", + "https://attack.mitre.org/mitigations/T1122", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -932,7 +1356,7 @@ "meta": { "external_id": "T1213", "refs": [ - "https://attack.mitre.org/techniques/T1213" + "https://attack.mitre.org/mitigations/T1213" ] }, "related": [ @@ -952,10 +1376,10 @@ "meta": { "external_id": "T1215", "refs": [ - "https://attack.mitre.org/techniques/T1215", - "https://patchwork.kernel.org/patch/8754821/", + "https://attack.mitre.org/mitigations/T1215", "http://rkhunter.sourceforge.net", - "http://www.chkrootkit.org/" + "http://www.chkrootkit.org/", + "https://patchwork.kernel.org/patch/8754821/" ] }, "related": [ @@ -975,7 +1399,7 @@ "meta": { "external_id": "T1126", "refs": [ - "https://attack.mitre.org/techniques/T1126", + "https://attack.mitre.org/mitigations/T1126", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -1000,7 +1424,7 @@
"meta": {
"external_id": "T1216",
"refs": [
- "https://attack.mitre.org/techniques/T1216"
+ "https://attack.mitre.org/mitigations/T1216"
]
},
"related": [
@@ -1020,7 +1444,7 @@
"meta": {
"external_id": "T1218",
"refs": [
- "https://attack.mitre.org/techniques/T1218"
+ "https://attack.mitre.org/mitigations/T1218"
]
},
"related": [
@@ -1040,7 +1464,7 @@
"meta": {
"external_id": "T1129",
"refs": [
- "https://attack.mitre.org/techniques/T1129"
+ "https://attack.mitre.org/mitigations/T1129"
]
},
"related": [
@@ -1060,13 +1484,12 @@
"meta": {
"external_id": "T1175",
"refs": [
- "https://attack.mitre.org/techniques/T1175",
+ "https://attack.mitre.org/mitigations/T1175",
"https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx",
"https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx",
- "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx",
"https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1",
- "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653",
- "https://technet.microsoft.com/library/cc771387.aspx"
+ "https://technet.microsoft.com/library/cc771387.aspx",
+ "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653"
]
},
"related": [
@@ -1086,7 +1509,7 @@
"meta": {
"external_id": "T1185",
"refs": [
- "https://attack.mitre.org/techniques/T1185"
+ "https://attack.mitre.org/mitigations/T1185"
]
},
"related": [
@@ -1106,7 +1529,7 @@
"meta": {
"external_id": "T1158",
"refs": [
- "https://attack.mitre.org/techniques/T1158"
+ "https://attack.mitre.org/mitigations/T1158"
]
},
"related": [
@@ -1126,7 +1549,7 @@
"meta": {
"external_id": "T1486",
"refs": [
- "https://attack.mitre.org/techniques/T1486",
+ "https://attack.mitre.org/mitigations/T1486",
"https://www.ready.gov/business/implementation/IT",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -1152,7 +1575,7 @@
"meta": {
"external_id": "T1498",
"refs": [
- "https://attack.mitre.org/techniques/T1498",
+ "https://attack.mitre.org/mitigations/T1498",
"http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf"
]
},
@@ -1173,7 +1596,7 @@
"meta": {
"external_id": "T1499",
"refs": [
- "https://attack.mitre.org/techniques/T1499",
+ "https://attack.mitre.org/mitigations/T1499",
"http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf"
]
},
@@ -1210,11 +1633,11 @@ "value": "Use Device-Provided Credential Storage - M1008" }, { - "description": "Application Isolation and least privilege help lesson the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.\n\nSegment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n\nUse secure coding best practices when designing custom software that is meant for deployment to externally facing systems. Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.\n\nRegularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.", + "description": "Application isolation and least privilege help lesson the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.\n\nSegment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n\nUse secure coding best practices when designing custom software that is meant for deployment to externally facing systems. 
Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.\n\nRegularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.", "meta": { "external_id": "T1190", "refs": [ - "https://attack.mitre.org/techniques/T1190" + "https://attack.mitre.org/mitigations/T1190" ] }, "related": [ @@ -1234,7 +1657,7 @@ "meta": { "external_id": "T1111", "refs": [ - "https://attack.mitre.org/techniques/T1111", + "https://attack.mitre.org/mitigations/T1111", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -1259,7 +1682,7 @@ "meta": { "external_id": "T1156", "refs": [ - "https://attack.mitre.org/techniques/T1156" + "https://attack.mitre.org/mitigations/T1156" ] }, "related": [ 
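Review bot: The rewritten description of `Exploit Public-Facing Application Mitigation - T1190` still reads `help lesson the impact of an exploit`; the intended word is `lessen`, and this hunk only lowercases `Application isolation`, so the typo survives on the new side. These descriptions appear to be copied from the upstream ATT&CK text, so the correction probably belongs there as well, otherwise a regeneration would reintroduce it; if the galaxy is edited by hand, the sentence should become `Application isolation and least privilege help lessen the impact of an exploit.`. The object's `related` list runs past the end of this hunk.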
@@ -1277,9 +1700,9 @@ { "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "meta": { - "external_id": "T1482", + "external_id": "T1033", "refs": [ - "https://attack.mitre.org/techniques/T1482", + "https://attack.mitre.org/mitigations/T1033", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -1304,14 +1727,14 @@ } ], "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", - "value": "System Owner/User Discovery Mitigation - T1482" + "value": "System Owner/User Discovery Mitigation - T1033" }, { "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "meta": { "external_id": "T1010", "refs": [ - "https://attack.mitre.org/techniques/T1010", + "https://attack.mitre.org/mitigations/T1010", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
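Review bot: The `external_id` change from `T1482` to `T1033` on `System Owner/User Discovery Mitigation` looks right — the description (`acquire information about system users`) matches System Owner/User Discovery, which is T1033 in ATT&CK, whereas T1482 is Domain Trust Discovery — and the `uuid` `16f144e4-c780-4ed2-98b4-55d14e2dfa44` is kept, so `related` links keyed on that uuid elsewhere in the galaxy stay valid. Anything keyed on `external_id` or the `value` string will see a silent rename, and the object's `mitigates` relation is not in the hunk, so verify its `dest-uuid` points at the T1033 technique rather than a T1482 one. Call the ID correction out in the commit message and bump the cluster `version`, which is outside this chunk.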
@@ -1331,12 +1754,39 @@ "uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b", "value": "Application Window Discovery Mitigation - T1010" }, + { + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "meta": { + "external_id": "M1040", + "refs": [ + "https://attack.mitre.org/mitigations/M1040" + ] + }, + "related": [ + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "90f39ee1-d5a3-4aaa-9f28-3b42815b0d46", + "value": "Behavior Prevention on Endpoint - M1040" + }, { "description": "Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.\n\nIdentify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.", "meta": { "external_id": "T1004", "refs": [ - "https://attack.mitre.org/techniques/T1004", + "https://attack.mitre.org/mitigations/T1004", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" 
@@ -1354,6 +1804,31 @@ "uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3", "value": "Winlogon Helper DLL Mitigation - T1004" }, + { + "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", + "meta": { + "external_id": "T1500", + "refs": [ + "https://attack.mitre.org/mitigations/T1500", + "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" + ] + }, + "related": [ + { + "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e", + "value": "Compile After Delivery Mitigation - T1500" + }, { "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.", "meta": { @@ -1526,7 +2001,7 @@ "meta": { "external_id": "T1007", "refs": [ - "https://attack.mitre.org/techniques/T1007", + "https://attack.mitre.org/mitigations/T1007", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -1551,7 +2026,7 @@
 "meta": {
 "external_id": "T1080",
 "refs": [
- "https://attack.mitre.org/techniques/T1080",
+ "https://attack.mitre.org/mitigations/T1080",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1576,7 +2051,7 @@
 "meta": {
 "external_id": "T1101",
 "refs": [
- "https://attack.mitre.org/techniques/T1101",
+ "https://attack.mitre.org/mitigations/T1101",
 "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html",
 "https://technet.microsoft.com/en-us/library/dn408187.aspx"
 ]
@@ -1598,7 +2073,7 @@
 "meta": {
 "external_id": "T1120",
 "refs": [
- "https://attack.mitre.org/techniques/T1120",
+ "https://attack.mitre.org/mitigations/T1120",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1623,7 +2098,7 @@
 "meta": {
 "external_id": "T1201",
 "refs": [
- "https://attack.mitre.org/techniques/T1201",
+ "https://attack.mitre.org/mitigations/T1201",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements"
 ]
 },
@@ -1644,7 +2119,7 @@
 "meta": {
 "external_id": "T1130",
 "refs": [
- "https://attack.mitre.org/techniques/T1130",
+ "https://attack.mitre.org/mitigations/T1130",
 "https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning",
 "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec"
 ]
@@ -1666,7 +2141,7 @@
 "meta": {
 "external_id": "T1031",
 "refs": [
- "https://attack.mitre.org/techniques/T1031",
+ "https://attack.mitre.org/mitigations/T1031",
 "https://github.com/mattifestation/PowerSploit",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -1690,7 +2165,7 @@
 "meta": {
 "external_id": "T1105",
 "refs": [
- "https://attack.mitre.org/techniques/T1105",
+ "https://attack.mitre.org/mitigations/T1105",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -1711,7 +2186,7 @@
 "meta": {
 "external_id": "T1106",
 "refs": [
- "https://attack.mitre.org/techniques/T1106",
+ "https://attack.mitre.org/mitigations/T1106",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1736,7 +2211,7 @@
 "meta": {
 "external_id": "T1061",
 "refs": [
- "https://attack.mitre.org/techniques/T1061",
+ "https://attack.mitre.org/mitigations/T1061",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1761,7 +2236,7 @@
 "meta": {
 "external_id": "T1017",
 "refs": [
- "https://attack.mitre.org/techniques/T1017"
+ "https://attack.mitre.org/mitigations/T1017"
 ]
 },
 "related": [
@@ -1781,7 +2256,7 @@
 "meta": {
 "external_id": "T1081",
 "refs": [
- "https://attack.mitre.org/techniques/T1081",
+ "https://attack.mitre.org/mitigations/T1081",
 "http://support.microsoft.com/kb/2962486"
 ]
 },
@@ -1802,7 +2277,7 @@
 "meta": {
 "external_id": "T1018",
 "refs": [
- "https://attack.mitre.org/techniques/T1018",
+ "https://attack.mitre.org/mitigations/T1018",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1827,7 +2302,7 @@
 "meta": {
 "external_id": "T1202",
 "refs": [
- "https://attack.mitre.org/techniques/T1202",
+ "https://attack.mitre.org/mitigations/T1202",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -1853,7 +2328,7 @@
 "meta": {
 "external_id": "T1220",
 "refs": [
- "https://attack.mitre.org/techniques/T1220"
+ "https://attack.mitre.org/mitigations/T1220"
 ]
 },
 "related": [
@@ -1873,7 +2348,7 @@
 "meta": {
 "external_id": "T1032",
 "refs": [
- "https://attack.mitre.org/techniques/T1032",
+ "https://attack.mitre.org/mitigations/T1032",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -1894,7 +2369,7 @@
 "meta": {
 "external_id": "T1024",
 "refs": [
- "https://attack.mitre.org/techniques/T1024",
+ "https://attack.mitre.org/mitigations/T1024",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -1910,41 +2385,16 @@
 "uuid": "a569295c-a093-4db4-9fb4-7105edef85ad",
 "value": "Custom Cryptographic Protocol Mitigation - T1024"
 },
- {
- "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)",
- "meta": {
- "external_id": "T1502",
- "refs": [
- "https://attack.mitre.org/techniques/T1502",
- "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
- "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx"
- ]
- },
- "related": [
- {
- "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "mitigates"
- }
- ],
- "uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e",
- "value": "Compile After Delivery Mitigation - T1502"
- },
 {
 "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1082",
 "refs": [
- "https://attack.mitre.org/techniques/T1082",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1082",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
@@ -1965,7 +2415,7 @@
 "meta": {
 "external_id": "T1028",
 "refs": [
- "https://attack.mitre.org/techniques/T1028",
+ "https://attack.mitre.org/mitigations/T1028",
 "https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm"
 ]
 },
@@ -1986,7 +2436,7 @@
 "meta": {
 "external_id": "T1043",
 "refs": [
- "https://attack.mitre.org/techniques/T1043",
+ "https://attack.mitre.org/mitigations/T1043",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -2007,7 +2457,7 @@
 "meta": {
 "external_id": "T1063",
 "refs": [
- "https://attack.mitre.org/techniques/T1063",
+ "https://attack.mitre.org/mitigations/T1063",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2032,7 +2482,7 @@
 "meta": {
 "external_id": "T1046",
 "refs": [
- "https://attack.mitre.org/techniques/T1046",
+ "https://attack.mitre.org/mitigations/T1046",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2057,7 +2507,7 @@
 "meta": {
 "external_id": "T1047",
 "refs": [
- "https://attack.mitre.org/techniques/T1047",
+ "https://attack.mitre.org/mitigations/T1047",
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
 ]
 },
@@ -2073,12 +2523,95 @@
 "uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf",
 "value": "Windows Management Instrumentation Mitigation - T1047"
 },
+ {
+ "description": "Restrict execution of code to a virtual environment on or in transit to an endpoint system.",
+ "meta": {
+ "external_id": "M1048",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1048"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7",
+ "tags": [
+ 
"estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "b9f0c069-abbe-4a07-a245-2481219a1463",
+ "value": "Application Isolation and Sandboxing - M1048"
+ },
 {
 "description": "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1490",
 "refs": [
- "https://attack.mitre.org/techniques/T1490",
+ "https://attack.mitre.org/mitigations/T1490",
 "https://www.ready.gov/business/implementation/IT",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -2104,7 +2637,7 @@
 "meta": {
 "external_id": "T1065",
 "refs": [
- "https://attack.mitre.org/techniques/T1065",
+ "https://attack.mitre.org/mitigations/T1065",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -2125,7 +2658,7 @@
 "meta": {
 "external_id": "T1075",
 "refs": [
- "https://attack.mitre.org/techniques/T1075",
+ "https://attack.mitre.org/mitigations/T1075",
 "https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml"
 ]
 },
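Review bot: `"external_id": "M1048"` brings the ATT&CK mitigation-object id family into a cluster whose other entries carry technique-derived ids such as `T1500` (hunk at L231–L232), both now pointing at URLs under the same `/mitigations/` path; anything that selects or groups entries by id prefix will see two families in one file, and the same applies to `M1021` in the hunk at L252–L253. The new object also keeps the per-relation `estimative-language:likelihood-probability="almost-certain"` tag and the `mitigates` type used by the T-id entries, so the shape is consistent; only the identifier scheme needs stating. Consider a sentence in the cluster-level `description` (outside this hunk) such as `Entries carry either an ATT&CK mitigation id (M####) or, for mitigations mirrored per technique, the technique id (T####); the uuid is the stable key.`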
@@ -2146,7 +2679,7 @@
 "meta": {
 "external_id": "T1076",
 "refs": [
- "https://attack.mitre.org/techniques/T1076",
+ "https://attack.mitre.org/mitigations/T1076",
 "https://security.berkeley.edu/node/94",
 "https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx"
 ]
@@ -2168,15 +2701,15 @@
 "meta": {
 "external_id": "T1096",
 "refs": [
- "https://attack.mitre.org/techniques/T1096",
+ "https://attack.mitre.org/mitigations/T1096",
+ "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
+ "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks",
- "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/",
- "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore"
+ "https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks"
 ]
 },
 "related": [
@@ -2196,11 +2729,11 @@
 "meta": {
 "external_id": "T1069",
 "refs": [
- "https://attack.mitre.org/techniques/T1069",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1069",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
@@ -2221,7 +2754,7 @@
 "meta": {
 "external_id": "T1077",
 "refs": [
- "https://attack.mitre.org/techniques/T1077",
+ "https://attack.mitre.org/mitigations/T1077",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2246,14 +2779,14 @@
 "meta": {
 "external_id": "T1097",
 "refs": [
- "https://attack.mitre.org/techniques/T1097",
+ "https://attack.mitre.org/mitigations/T1097",
 "https://adsecurity.org/?p=556",
+ "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf"
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -2273,7 +2806,7 @@
 "meta": {
 "external_id": "T1089",
 "refs": [
- "https://attack.mitre.org/techniques/T1089"
+ "https://attack.mitre.org/mitigations/T1089"
 ]
 },
 "related": [
@@ -2293,7 +2826,7 @@
 "meta": {
 "external_id": "T1151",
 "refs": [
- "https://attack.mitre.org/techniques/T1151"
+ "https://attack.mitre.org/mitigations/T1151"
 ]
 },
 "related": [
@@ -2313,7 +2846,7 @@
 "meta": {
 "external_id": "T1214",
 "refs": [
- "https://attack.mitre.org/techniques/T1214"
+ "https://attack.mitre.org/mitigations/T1214"
 ]
 },
 "related": [
@@ -2333,12 +2866,12 @@
 "meta": {
 "external_id": "T1124",
 "refs": [
- "https://attack.mitre.org/techniques/T1124",
+ "https://attack.mitre.org/mitigations/T1124",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -2358,7 +2891,7 @@
 "meta": {
 "external_id": "T1217",
 "refs": [
- "https://attack.mitre.org/techniques/T1217",
+ "https://attack.mitre.org/mitigations/T1217",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2383,10 +2916,10 @@
 "meta": {
 "external_id": "T1127",
 "refs": [
- "https://attack.mitre.org/techniques/T1127",
+ "https://attack.mitre.org/mitigations/T1127",
+ "https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md",
 "http://www.exploit-monday.com/2016/09/using-device-guard-to-mitigate-against.html",
- "https://github.com/mattifestation/DeviceGuardBypassMitigationRules",
- "https://github.com/Microsoft/windows-itpro-docs/blob/master/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md"
+ "https://github.com/mattifestation/DeviceGuardBypassMitigationRules"
 ]
 },
 "related": [
@@ -2406,7 +2939,7 @@
 "meta": {
 "external_id": "T1128",
 "refs": [
- "https://attack.mitre.org/techniques/T1128",
+ "https://attack.mitre.org/mitigations/T1128",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -2429,7 +2962,7 @@
 "meta": {
 "external_id": "T1219",
 "refs": [
- "https://attack.mitre.org/techniques/T1219"
+ "https://attack.mitre.org/mitigations/T1219"
 ]
 },
 "related": [
@@ -2445,11 +2978,11 @@
 "value": "Remote Access Tools Mitigation - T1219"
 },
 {
- "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through uses of network proxies, gateways, and firewalls as appropriate. Disable or block services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028) can be used externally. Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Two-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.",
+ "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028). Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Two-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.",
 "meta": {
 "external_id": "T1133",
 "refs": [
- "https://attack.mitre.org/techniques/T1133"
+ "https://attack.mitre.org/mitigations/T1133"
 ]
 },
 "related": [
@@ -2469,7 +3002,7 @@
 "meta": {
 "external_id": "T1134",
 "refs": [
- "https://attack.mitre.org/techniques/T1134",
+ "https://attack.mitre.org/mitigations/T1134",
 "https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object",
 "https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token"
 ]
@@ -2491,7 +3024,7 @@
 "meta": {
 "external_id": "T1135",
 "refs": [
- "https://attack.mitre.org/techniques/T1135",
+ "https://attack.mitre.org/mitigations/T1135",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2516,7 +3049,7 @@
 "meta": {
 "external_id": "T1137",
 "refs": [
- "https://attack.mitre.org/techniques/T1137",
+ "https://attack.mitre.org/mitigations/T1137",
 "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/",
 "https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/",
 "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/",
@@ -2541,7 +3074,7 @@
 "meta": {
 "external_id": "T1173",
 "refs": [
- "https://attack.mitre.org/techniques/T1173",
+ "https://attack.mitre.org/mitigations/T1173",
 "https://technet.microsoft.com/library/security/4053440",
 "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/",
 "https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b",
@@ -2568,7 +3101,7 @@
 "meta": {
 "external_id": "T1146",
 "refs": [
- "https://attack.mitre.org/techniques/T1146",
+ "https://attack.mitre.org/mitigations/T1146",
 "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory"
 ]
 },
@@ -2589,7 +3122,7 @@
 "meta": {
 "external_id": "T1174",
 "refs": [
- "https://attack.mitre.org/techniques/T1174",
+ "https://attack.mitre.org/mitigations/T1174",
 "https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx"
 ]
 },
@@ -2610,7 +3143,7 @@
 "meta": {
 "external_id": "T1194",
 "refs": [
- "https://attack.mitre.org/techniques/T1194"
+ "https://attack.mitre.org/mitigations/T1194"
 ]
 },
 "related": [
@@ -2630,7 +3163,7 @@
 "meta": {
 "external_id": "T1195",
 "refs": [
- "https://attack.mitre.org/techniques/T1195",
+ "https://attack.mitre.org/mitigations/T1195",
 "https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf",
 "http://dx.doi.org/10.6028/NIST.IR.7622",
 "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf"
@@ -2653,7 +3186,7 @@
 "meta": {
 "external_id": "T1166",
 "refs": [
- "https://attack.mitre.org/techniques/T1166"
+ "https://attack.mitre.org/mitigations/T1166"
 ]
 },
 "related": [
@@ -2693,7 +3226,7 @@
 "meta": {
 "external_id": "T1196",
 "refs": [
- "https://attack.mitre.org/techniques/T1196",
+ "https://attack.mitre.org/mitigations/T1196",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -2717,7 +3250,7 @@
 "meta": {
 "external_id": "T1222",
 "refs": [
- "https://attack.mitre.org/techniques/T1222"
+ "https://attack.mitre.org/mitigations/T1222"
 ]
 },
 "related": [
@@ -2737,7 +3270,7 @@
 "meta": {
 "external_id": "T1223",
 "refs": [
- "https://attack.mitre.org/techniques/T1223",
+ "https://attack.mitre.org/mitigations/T1223",
 "https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913"
 ]
 },
@@ -2758,7 +3291,7 @@
 "meta": {
 "external_id": "T1482",
 "refs": [
- "https://attack.mitre.org/techniques/T1482",
+ "https://attack.mitre.org/mitigations/T1482",
 "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ "
 ]
 },
@@ -2775,11 +3308,11 @@
 "value": "Domain Trust Discovery Mitigation - T1482"
 },
 {
- "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.",
+ "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected. 
\n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.",
 "meta": {
 "external_id": "T1492",
 "refs": [
- "https://attack.mitre.org/techniques/T1492",
+ "https://attack.mitre.org/mitigations/T1492",
 "https://www.ready.gov/business/implementation/IT"
 ]
 },
@@ -2800,7 +3333,7 @@
 "meta": {
 "external_id": "T1483",
 "refs": [
- "https://attack.mitre.org/techniques/T1483",
+ "https://attack.mitre.org/mitigations/T1483",
 "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf",
 "https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/",
 "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html",
@@ -2824,7 +3357,7 @@
 "meta": {
 "external_id": "T1493",
 "refs": [
- "https://attack.mitre.org/techniques/T1493"
+ "https://attack.mitre.org/mitigations/T1493"
 ]
 },
 "related": [
@@ -2844,7 +3377,7 @@
 "meta": {
 "external_id": "T1484",
 "refs": [
- "https://attack.mitre.org/techniques/T1484",
+ "https://attack.mitre.org/mitigations/T1484",
 "https://github.com/BloodHoundAD/BloodHound",
 "https://wald0.com/?p=179",
 "https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/",
@@ -2868,7 +3401,7 @@
 "meta": {
 "external_id": "T1494",
 "refs": [
- "https://attack.mitre.org/techniques/T1494",
+ "https://attack.mitre.org/mitigations/T1494",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
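Review bot: The rewritten T1492 description still reads `an adversaries ability to perform tailor data modifications` and `backups are stored off system and is protected` after the `Ensure least privilege principles` correction; the intended forms are `an adversary's ability to perform tailored data modifications` and `are protected`. If this text is mirrored verbatim from the ATT&CK mitigation page (the `(Citation: Ready.gov IT DRP)` marker suggests so), the fix belongs upstream so the next regeneration does not undo it; otherwise the two words can be corrected in the same `+ "description"` line. The same `is protected` wording also appears in the T1490 context text at L240, which this commit leaves untouched.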
@@ -2893,7 +3426,7 @@
 "meta": {
 "external_id": "T1171",
 "refs": [
- "https://attack.mitre.org/techniques/T1171",
+ "https://attack.mitre.org/mitigations/T1171",
 "https://adsecurity.org/?p=3299",
 "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html",
 "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html",
@@ -2912,12 +3445,81 @@ "uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22", "value": "LLMNR/NBT-NS Poisoning Mitigation - T1171" }, + { + "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", + "meta": { + "external_id": "M1021", + "refs": [ + "https://attack.mitre.org/mitigations/M1021" + ] + }, + "related": [ + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "21da4fd4-27ad-4e9c-b93d-0b9b14d02c96", + "value": "Restrict Web-Based Content - M1021" + }, { "description": "Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. 
If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel. (Citation: University of Birmingham C2)", "meta": { "external_id": "T1104", "refs": [ - "https://attack.mitre.org/techniques/T1104", + "https://attack.mitre.org/mitigations/T1104", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, 
@@ -2934,11 +3536,11 @@ "value": "Multi-Stage Channels Mitigation - T1104" }, { - "description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", + "description": "Evaluate the security of third-party software that could be used in the enterprise environment. Ensure that access to management systems for third-party systems is limited, monitored, and secure. Have a strict approval policy for use of third-party systems.\n\nGrant access to Third-party systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication. Verify that account credentials that may be used to access third-party systems are unique and not used throughout the enterprise network. 
Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure third-party systems are regularly patched by users or the provider to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nEnsure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required.\n\nWhere the third-party system is used for deployment services, ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the third-party system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", "meta": { "external_id": "T1072", "refs": [ - "https://attack.mitre.org/techniques/T1072" + "https://attack.mitre.org/mitigations/T1072" ] }, "related": [ @@ -2958,7 +3560,7 @@ "meta": { "external_id": "T1073", "refs": [ - "https://attack.mitre.org/techniques/T1073" + "https://attack.mitre.org/mitigations/T1073" ] }, "related": [ @@ -2978,7 +3580,7 @@ "meta": { "external_id": "T1059", "refs": [ - "https://attack.mitre.org/techniques/T1059", + "https://attack.mitre.org/mitigations/T1059", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3003,7 +3605,7 @@ "meta": { "external_id": "T1164", "refs": [ - "https://attack.mitre.org/techniques/T1164", + "https://attack.mitre.org/mitigations/T1164", "https://support.apple.com/en-us/HT204005" ] }, 
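Review bot: The rewritten T1072 description is internally inconsistent in its new wording: `Grant access to Third-party systems` capitalises the term while every other occurrence in the same paragraph is lower-case `third-party`, and the closing sentence `ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located…` chains two imperatives where the old text had a conditional (`If the application deployment system can be configured…`). The new text otherwise improves on the old one (per-provider traceable accounts, periodic access review, de-provisioning), so this is wording only. Because the description looks like it is copied from MITRE's upstream course-of-action text, fix it at the source or in the generator rather than by hand in this file, otherwise the next regeneration reverts the correction. The surrounding object continues past the end of this hunk (`"related": [` is its last line).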
@@ -3024,11 +3626,10 @@ "meta": { "external_id": "T1178", "refs": [ - "https://attack.mitre.org/techniques/T1178", - "https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx", + "https://attack.mitre.org/mitigations/T1178", + "https://technet.microsoft.com/library/cc755321.aspx", "https://technet.microsoft.com/library/cc794757.aspx", "https://technet.microsoft.com/library/cc835085.aspx", - "https://technet.microsoft.com/library/cc755321.aspx", "https://adsecurity.org/?p=1640" ] }, @@ -3049,7 +3650,7 @@ "meta": { "external_id": "T1188", "refs": [ - "https://attack.mitre.org/techniques/T1188" + "https://attack.mitre.org/mitigations/T1188" ] }, "related": [ @@ -3069,7 +3670,7 @@ "meta": { "external_id": "T1189", "refs": [ - "https://attack.mitre.org/techniques/T1189", + "https://attack.mitre.org/mitigations/T1189", "https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/", "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/", "https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/", @@ -3093,7 +3694,7 @@ "meta": { "external_id": "T1497", "refs": [ - "https://attack.mitre.org/techniques/T1497" + "https://attack.mitre.org/mitigations/T1497" ] }, "related": [ @@ -3113,7 +3714,7 @@ "meta": { "external_id": "T1001", "refs": [ - "https://attack.mitre.org/techniques/T1001", + "https://attack.mitre.org/mitigations/T1001", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -3134,7 +3735,7 @@ "meta": { "external_id": "T1100", "refs": [ - "https://attack.mitre.org/techniques/T1100", + "https://attack.mitre.org/mitigations/T1100", "https://www.us-cert.gov/ncas/alerts/TA15-314A" ] }, 
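Review bot: The net effect of the T1178 hunk on `refs` is to drop `https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx`; the `cc755321.aspx` line is only moved up, so the list goes from six URLs to five while the mitigation's description (outside this hunk) is untouched. If that description still carries a `(Citation: …)` marker that resolved to the MSDN page, the citation now dangles, so please check it against the regenerated source and, if the removal is intentional, say so in the commit message. The same check is worth doing on the other hunks in this commit that appear to merely reorder URLs, because in a collapsed diff a reorder and a silent removal look alike.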
@@ -3155,7 +3756,7 @@ "meta": { "external_id": "T1020", "refs": [ - "https://attack.mitre.org/techniques/T1020", + "https://attack.mitre.org/mitigations/T1020", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3180,7 +3781,7 @@ "meta": { "external_id": "T1200", "refs": [ - "https://attack.mitre.org/techniques/T1200", + "https://attack.mitre.org/mitigations/T1200", "https://en.wikipedia.org/wiki/IEEE_802.1X" ] }, @@ -3201,7 +3802,7 @@ "meta": { "external_id": "T1002", "refs": [ - "https://attack.mitre.org/techniques/T1002", + "https://attack.mitre.org/mitigations/T1002", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3226,7 +3827,8 @@ "meta": { "external_id": "T1003", "refs": [ - "https://attack.mitre.org/techniques/T1003", + "https://attack.mitre.org/mitigations/T1003", + "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach", "https://technet.microsoft.com/en-us/library/dn408187.aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", 
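Review bot: The URL added to T1003's `refs` in the last hunk on this line, `https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach`, carries a fragment that reads like an HTML `<a name=…>` anchor flattened into text rather than a real heading id; the page itself should still load, but the deep link to the administrative-forest (ESAE) section is unlikely to resolve. The line is only relocated from the end of the list (it is removed again in the following hunk), so the defect is inherited, but it is now on the new side and this is the moment to verify the anchor. If the generator copies `external_references[].url` verbatim from MITRE's STIX bundle, the fix belongs upstream so the next sync does not reintroduce it.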
@@ -3237,8 +3839,7 @@ "https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard", "https://adsecurity.org/?p=1729", "https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr", - "https://technet.microsoft.com/library/jj865668.aspx", - "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" + "https://technet.microsoft.com/library/jj865668.aspx" ] }, "related": [ @@ -3278,12 +3879,12 @@ "meta": { "external_id": "T1040", "refs": [ - "https://attack.mitre.org/techniques/T1040", + "https://attack.mitre.org/mitigations/T1040", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", - "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://technet.microsoft.com/en-us/library/ee791851.aspx", - "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html" + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" ] }, "related": [ @@ -3303,7 +3904,7 @@ "meta": { "external_id": "T1050", "refs": [ - "https://attack.mitre.org/techniques/T1050", + "https://attack.mitre.org/mitigations/T1050", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -3328,7 +3929,7 @@ "meta": { "external_id": "T1008", "refs": [ - "https://attack.mitre.org/techniques/T1008", + "https://attack.mitre.org/mitigations/T1008", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -3349,7 +3950,7 @@ "meta": { "external_id": "T1009", "refs": [ - "https://attack.mitre.org/techniques/T1009", + "https://attack.mitre.org/mitigations/T1009", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3374,7 +3975,7 @@ "meta": { "external_id": "T1090", "refs": [ - "https://attack.mitre.org/techniques/T1090", + "https://attack.mitre.org/mitigations/T1090", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -3459,7 +4060,7 @@ "meta": { "external_id": "T1110", "refs": [ - "https://attack.mitre.org/techniques/T1110", + "https://attack.mitre.org/mitigations/T1110", "https://pages.nist.gov/800-63-3/sp800-63b.html" ] }, @@ -3480,7 +4081,7 @@ "meta": { "external_id": "T1012", "refs": [ - "https://attack.mitre.org/techniques/T1012", + "https://attack.mitre.org/mitigations/T1012", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3505,7 +4106,7 @@ "meta": { "external_id": "T1021", "refs": [ - "https://attack.mitre.org/techniques/T1021" + "https://attack.mitre.org/mitigations/T1021" ] }, "related": [ @@ -3525,7 +4126,7 @@ "meta": { "external_id": "T1102", "refs": [ - "https://attack.mitre.org/techniques/T1102", + "https://attack.mitre.org/mitigations/T1102", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, 
@@ -3566,7 +4167,7 @@ "meta": { "external_id": "T1103", "refs": [ - "https://attack.mitre.org/techniques/T1103", + "https://attack.mitre.org/mitigations/T1103", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" 
@@ -3584,12 +4185,221 @@ "uuid": "10571bf2-8073-4edf-a71c-23bad225532e", "value": "AppInit DLLs Mitigation - T1103" }, + { + "description": "Use intrusion detection signatures to block traffic at network boundaries.", + "meta": { + "external_id": "M1031", + "refs": [ + "https://attack.mitre.org/mitigations/M1031" + ] + }, + "related": [ + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + 
], + "type": "mitigates" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "12241367-a8b7-49b4-b86e-2236901ba50c", + "value": "Network Intrusion Prevention - M1031" + }, { "description": "Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.", "meta": { "external_id": "T1013", "refs": [ - "https://attack.mitre.org/techniques/T1013", + "https://attack.mitre.org/mitigations/T1013", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599" ] }, 
@@ -3605,12 +4415,129 @@ "uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b", "value": "Port Monitors Mitigation - T1013" }, + { + "description": "Protect sensitive information with strong encryption.", + "meta": { + "external_id": "M1041", + "refs": [ + "https://attack.mitre.org/mitigations/M1041" + ] + }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "feff9142-e8c2-46f4-842b-bd6fb3d41157", + "value": "Encrypt Sensitive Information - M1041" + }, + { + "description": "Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.", + "meta": { + "external_id": "M1015", + "refs": [ + "https://attack.mitre.org/mitigations/M1015" + ] + }, 
+ "related": [ + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "e3388c78-2a8d-47c2-8422-c1398b324462", + "value": "Active Directory Configuration - M1015" + }, { "description": "To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later. (Citation: TechNet RDP NLA)\n\nIf possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. (Citation: TechNet RDP Gateway)\n\nIdentify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)", "meta": { "external_id": "T1015", "refs": [ - "https://attack.mitre.org/techniques/T1015", + "https://attack.mitre.org/mitigations/T1015", "https://technet.microsoft.com/en-us/library/cc732713.aspx", "https://technet.microsoft.com/en-us/library/cc731150.aspx", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", @@ -3637,7 +4564,7 @@ "meta": { "external_id": "T1150", "refs": [ - "https://attack.mitre.org/techniques/T1150" + "https://attack.mitre.org/mitigations/T1150" ] }, "related": [ @@ -3657,7 +4584,7 @@ "meta": { "external_id": "T1501", "refs": [ - "https://attack.mitre.org/techniques/T1501" + "https://attack.mitre.org/mitigations/T1501" ] }, "related": [ @@ -3677,7 +4604,7 @@ "meta": { "external_id": "T1051", "refs": [ - "https://attack.mitre.org/techniques/T1051", + "https://attack.mitre.org/mitigations/T1051", "https://www.acunetix.com/websitesecurity/webserver-security/", "https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf" ] @@ -3699,7 +4626,7 @@ "meta": { "external_id": "T1160", "refs": [ - "https://attack.mitre.org/techniques/T1160" + "https://attack.mitre.org/mitigations/T1160" ] }, "related": [ @@ -3719,7 +4646,7 @@ "meta": { "external_id": "T1107", "refs": [ - "https://attack.mitre.org/techniques/T1107", + "https://attack.mitre.org/mitigations/T1107", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -3739,12 +4666,249 @@ "uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d", "value": "File Deletion Mitigation - T1107" }, + { + "description": "Manage the creation, modification, use, and permissions associated to user accounts.", + "meta": { + "external_id": "M1018", + "refs": [ + "https://attack.mitre.org/mitigations/M1018" + ] + }, + "related": [ + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "93e7968a-9074-4eac-8ae9-9f5200ec3317", + "value": "User Account Management - M1018" + }, { "description": "Identify and block potentially 
malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "meta": { "external_id": "T1108", "refs": [ - "https://attack.mitre.org/techniques/T1108", + "https://attack.mitre.org/mitigations/T1108", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3770,7 +4934,7 @@ "meta": { "external_id": "T1109", "refs": [ - "https://attack.mitre.org/techniques/T1109" + "https://attack.mitre.org/mitigations/T1109" ] }, "related": [ @@ -3790,7 +4954,7 @@ "meta": { "external_id": "T1019", "refs": [ - "https://attack.mitre.org/techniques/T1019", + "https://attack.mitre.org/mitigations/T1019", "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" ] }, 
@@ -3806,12 +4970,53 @@ "uuid": "25e53928-6f33-49b7-baee-8180578286f6", "value": "System Firmware Mitigation - T1019" }, + { + "description": "A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.", + "meta": { + "external_id": "M1019", + "refs": [ + "https://attack.mitre.org/mitigations/M1019" + ] + }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "874c0166-e407-45c2-a1d9-e4e3a6570fd8", + "value": "Threat Intelligence Program - M1019" + }, { "description": "Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. 
(Citation: TechNet Applocker vs SRP)",
"meta": {
"external_id": "T1022",
"refs": [
- "https://attack.mitre.org/techniques/T1022",
+ "https://attack.mitre.org/mitigations/T1022",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -3836,13 +5041,13 @@
"meta": {
"external_id": "T1023",
"refs": [
- "https://attack.mitre.org/techniques/T1023",
+ "https://attack.mitre.org/mitigations/T1023",
+ "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482"
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
"related": [
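Review bot: Every relation added under M1019 (and under the other new M-entries in the hunks ending at lines 277, 281, 284, 287, 290 and 292) carries the identical tag `"estimative-language:likelihood-probability=\"almost-certain\""`, which leaves the tag carrying no information: these are `mitigates` relationships imported from upstream and stated as fact, not per-link analyst estimates. If the cluster schema requires a tag on each relation, a sentence in the cluster's description saying that this value is a fixed default for imported relationships would stop readers from reading confidence into it; otherwise consider leaving `tags` off generated relations altogether. The enclosing `values` array starts and ends outside the hunk.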
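Review bot: The T1023 `refs` hunk changes nothing but the position of the stigviewer URL and the ee791851 entry, so the diff shows four changed lines for a list whose contents are unchanged apart from the `/techniques/` → `/mitigations/` path; the same churn appears in the T1034 (line 287), T1035 and T1053 (line 288) hunks. The order appears to follow whatever the upstream export emits, so the next sync will likely reorder them again. Emitting refs in a stable order — the attack.mitre.org URL first, the remainder sorted — would make these reorder hunks disappear and leave only the real change visible.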
@@ -3858,11 +5063,11 @@ "value": "Shortcut Modification Mitigation - T1023" }, { - "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.\n\nIf a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).\n\nIf a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.", + "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.\n\nIf a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .lnk, .pif, .cpl, etc. 
Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and RAR that may be used to conceal malicious files in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).\n\nIf a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.", "meta": { "external_id": "T1204", "refs": [ - "https://attack.mitre.org/techniques/T1204" + "https://attack.mitre.org/mitigations/T1204" ] }, "related": [ 
@@ -3877,12 +5082,149 @@ "uuid": "548bf7ad-e19c-4d74-84bf-84ac4e57f505", "value": "User Execution Mitigation - T1204" }, + { + "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", + "meta": { + "external_id": "M1024", + "refs": [ + "https://attack.mitre.org/mitigations/M1024" + ] + }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "a2c36a5d-4058-475e-8e77-fff75e50d3b9", + "value": "Restrict Registry Permissions - M1024" + }, + { + "description": "Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.", + "meta": { + "external_id": "M1052", + "refs": [ + "https://attack.mitre.org/mitigations/M1052" + ] + }, + "related": [ + { + "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2c2ad92a-d710-41ab-a996-1db143bb4808", + "value": "User Account Control - M1052" + }, + { + "description": "Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.", + "meta": { + "external_id": "M1025", + "refs": [ + "https://attack.mitre.org/mitigations/M1025" + ] + }, + "related": [ + { + "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "72dade3e-1cba-4182-b3b3-a77ca52f02a1", + "value": "Privileged Process Integrity - M1025" + }, { "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.", "meta": { "external_id": "T1205", "refs": [ - "https://attack.mitre.org/techniques/T1205" + "https://attack.mitre.org/mitigations/T1205" ] }, 
"related": [ 
@@ -3897,12 +5239,270 @@ "uuid": "f6b7c116-0821-4eb7-9b24-62bd09b3e575", "value": "Port Knocking Mitigation - T1205" }, + { + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "meta": { + "external_id": "M1026", + "refs": [ + "https://attack.mitre.org/mitigations/M1026" + ] + }, + "related": [ + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": 
"mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "value": "Privileged Account Management - M1026" + }, { "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "meta": { "external_id": "T1026", "refs": [ - "https://attack.mitre.org/techniques/T1026", + "https://attack.mitre.org/mitigations/T1026", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, @@ -3923,7 +5523,7 @@ "meta": { "external_id": "T1206", "refs": [ - "https://attack.mitre.org/techniques/T1206" + "https://attack.mitre.org/mitigations/T1206" ] }, "related": [ 
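Review bot: M1026 links 35 techniques by `dest-uuid` alone, and nothing in the hunk shows those UUIDs resolving to entries in the attack-pattern cluster; a mistyped or stale UUID silently produces a relation MISP can never display, and a list this long cannot be checked by eye. Before merge, resolve every `dest-uuid` added in this commit against the technique cluster (the same applies to M1024, M1052, M1025, M1028, M1029, M1033, M1043, M1034, M1036, M1037 and M1039) and fail on any that do not resolve or that repeat within one `related` list. `ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be`, `c1b11bf7-c68e-4fbf-a95b-28efbe7953bb` and `c23b740b-a42b-47a1-aec2-9d48ddd547ff` appear under both M1026 and M1052, which is expected for techniques with several mitigations but shows the lists were generated rather than curated, so the check belongs in the generator or in CI rather than in review. The T1026 and T1206 hunks that share this line are one-line URL changes and need nothing further.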
@@ -3938,12 +5538,192 @@ "uuid": "dbf0186e-722d-4a0a-af6a-b3460f162f84", "value": "Sudo Caching Mitigation - T1206" }, + { + "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", + "meta": { + "external_id": "M1028", + "refs": [ + "https://attack.mitre.org/mitigations/M1028" + ] + }, + "related": [ + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8", 
+ "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2f316f6c-ae42-44fe-adf8-150989e0f6d3", + "value": "Operating System Configuration - M1028" + }, + { + "description": "Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.", + "meta": { + "external_id": "M1029", + "refs": [ + "https://attack.mitre.org/mitigations/M1029" + ] + }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "20a2baeb-98c2-4901-bad7-dc62d0a03dea", + "value": "Remote Data Storage - M1029" + }, { "description": "Identify and block potentially malicious software that may be executed as a time provider by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.\n\nConsider using Group Policy to configure and block subsequent modifications to W32Time parameters. (Citation: Microsoft W32Time May 2017)", "meta": { "external_id": "T1209", "refs": [ - "https://attack.mitre.org/techniques/T1209", + "https://attack.mitre.org/mitigations/T1209", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -3967,7 +5747,7 @@ "meta": { "external_id": "T1029", "refs": [ - "https://attack.mitre.org/techniques/T1029", + "https://attack.mitre.org/mitigations/T1029", "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" ] }, 
@@ -3983,18 +5763,99 @@ "uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824", "value": "Scheduled Transfer Mitigation - T1029" }, + { + "description": "Block users or groups from installing unapproved software.", + "meta": { + "external_id": "M1033", + "refs": [ + "https://attack.mitre.org/mitigations/M1033" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "23843cff-f7b9-4659-a7b7-713ef347f547", + "value": "Limit Software Installation - M1033" + }, + { + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "meta": { + "external_id": "M1043", + "refs": [ + "https://attack.mitre.org/mitigations/M1043" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "49c06d54-9002-491d-9147-8efb537fbd26", + "value": "Credential Access Protection - M1043" + }, + { + "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", + "meta": { + "external_id": "M1034", + "refs": [ + "https://attack.mitre.org/mitigations/M1034" + ] + }, + "related": [ + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2995bc22-2851-4345-ad19-4e7e295be264", + "value": "Limit Hardware Installation - M1034" + }, { "description": "Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.\n\nPeriodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel). \n\nRequire that all executables be placed in write-protected directories. 
Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution.\n\nIdentify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.", "meta": { "external_id": "T1034", "refs": [ - "https://attack.mitre.org/techniques/T1034", + "https://attack.mitre.org/mitigations/T1034", "http://msdn.microsoft.com/en-us/library/ms682425", + "https://msdn.microsoft.com/en-us/library/ff919712.aspx", + "https://skanthak.homepage.t-online.de/sentinel.html", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", - "https://msdn.microsoft.com/en-us/library/ff919712.aspx", - "https://skanthak.homepage.t-online.de/sentinel.html", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx" ] }, 
@@ -4015,12 +5876,12 @@
"meta": {
"external_id": "T1035",
"refs": [
- "https://attack.mitre.org/techniques/T1035",
+ "https://attack.mitre.org/mitigations/T1035",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
"related": [
@@ -4040,15 +5901,15 @@
"meta": {
"external_id": "T1053",
"refs": [
- "https://attack.mitre.org/techniques/T1053",
+ "https://attack.mitre.org/mitigations/T1053",
+ "https://github.com/mattifestation/PowerSploit",
+ "https://technet.microsoft.com/library/jj852168.aspx",
+ "https://technet.microsoft.com/library/dn221960.aspx",
"http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
"https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
"http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://github.com/mattifestation/PowerSploit",
- "https://technet.microsoft.com/library/jj852168.aspx",
- "https://technet.microsoft.com/library/dn221960.aspx"
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
]
},
"related": [
@@ -4063,12 +5924,122 @@ "uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd", "value": "Scheduled Task Mitigation - T1053" }, + { + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "meta": { + "external_id": "M1036", + "refs": [ + "https://attack.mitre.org/mitigations/M1036" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c", + "value": "Account Use Policies - M1036" + }, + { + "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering.", + "meta": { + "external_id": "M1037", + "refs": [ + "https://attack.mitre.org/mitigations/M1037" + ] + }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "20f6a9df-37c4-4e20-9e47-025983b1b39d", + "value": "Filter Network Traffic - M1037" + }, { "description": "Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating Credential Access techniques and limiting account access and permissions of [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nIdentify and block potentially malicious software that may be executed through logon script modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.", "meta": { "external_id": "T1037", "refs": [ - "https://attack.mitre.org/techniques/T1037", + "https://attack.mitre.org/mitigations/T1037", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm" 
@@ -4086,12 +6057,39 @@
 "uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2",
 "value": "Logon Scripts Mitigation - T1037"
 },
+ {
+ "description": "Prevent modification of environment variables by unauthorized users and groups.",
+ "meta": {
+ "external_id": "M1039",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1039"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "609191bf-7d06-40e4-b1f8-9e11eb3ff8a6",
+ "value": "Environment Variable Permissions - M1039"
+ },
 {
 "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior. \n\nAlthough process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
 "meta": {
 "external_id": "T1093",
 "refs": [
- "https://attack.mitre.org/techniques/T1093",
+ "https://attack.mitre.org/mitigations/T1093",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4111,12 +6109,39 @@
 "uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43",
 "value": "Process Hollowing Mitigation - T1093"
 },
+ {
+ "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.",
+ "meta": {
+ "external_id": "M1044",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1044"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "e8242a33-481c-4891-af63-4cf3e4cf6aff",
+ "value": "Restrict Library Loading - M1044"
+ },
 {
 "description": "Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.",
 "meta": {
 "external_id": "T1054",
 "refs": [
- "https://attack.mitre.org/techniques/T1054",
+ "https://attack.mitre.org/mitigations/T1054",
 "https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal"
 ]
 },
@@ -4137,7 +6162,7 @@
 "meta": {
 "external_id": "T1045",
 "refs": [
- "https://attack.mitre.org/techniques/T1045",
+ "https://attack.mitre.org/mitigations/T1045",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4158,16 +6183,11 @@
 "value": "Software Packing Mitigation - T1045"
 },
 {
- "description": "Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
+ "description": "Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.",
 "meta": {
 "external_id": "T1074",
 "refs": [
- "https://attack.mitre.org/techniques/T1074",
- "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
- "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx"
+ "https://attack.mitre.org/mitigations/T1074"
 ]
 },
 "related": [
@@ -4187,7 +6207,7 @@
 "meta": {
 "external_id": "T1480",
 "refs": [
- "https://attack.mitre.org/techniques/T1480"
+ "https://attack.mitre.org/mitigations/T1480"
 ]
 },
 "related": [
@@ -4202,18 +6222,38 @@
 "uuid": "c61e2da1-f51f-424c-b152-dc930d4f2e70",
 "value": "Environmental Keying Mitigation - T1480"
 },
+ {
+ "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.",
+ "meta": {
+ "external_id": "M1055",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1055"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "787fb64d-c87b-4ee5-a341-0ef17ec4c15c",
+ "value": "Do Not Mitigate - M1055"
+ },
 {
 "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: GDSecurity Linux injection)\n\nIdentify or block potentially malicious software that may contain process injection functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nUtilize Yama (Citation: Linux kernel Yama) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux (Citation: SELinux official), grsecurity (Citation: grsecurity official), and AppAmour (Citation: AppArmor official).",
 "meta": {
 "external_id": "T1055",
 "refs": [
- "https://attack.mitre.org/techniques/T1055",
+ "https://attack.mitre.org/mitigations/T1055",
+ "https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
 "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
 "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html",
 "https://www.kernel.org/doc/Documentation/security/Yama.txt",
 "https://selinuxproject.org/page/Main_Page",
 "https://grsecurity.net/",
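Review bot: The new "Do Not Mitigate - M1055" entry links to technique 853c4192-4311-43e1-bfbb-b11b14911852 with `"type": "mitigates"`, which is the same relationship type the real mitigations in this hunk use, so any consumer that renders `mitigates` edges as recommended countermeasures will present "do not mitigate" as a mitigation of that technique. The upstream relationship presumably carries an explanatory description that this cluster format drops, so the inversion is only visible in the entry's own description. Consider documenting this in the galaxy README or the entry's description, e.g. appending `"Relationships from this entry mark techniques where mitigation is discouraged, not techniques it mitigates."`, or tagging the relationship so tooling can distinguish it. The same caveat applies to the M1055 entry's `related` list as a whole, not only to the one target shown here.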
@@ -4237,12 +6277,12 @@
 "meta": {
 "external_id": "T1056",
 "refs": [
- "https://attack.mitre.org/techniques/T1056",
+ "https://attack.mitre.org/mitigations/T1056",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -4262,7 +6302,7 @@
 "meta": {
 "external_id": "T1057",
 "refs": [
- "https://attack.mitre.org/techniques/T1057",
+ "https://attack.mitre.org/mitigations/T1057",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
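Review bot: The T1056 `refs` array is rewritten without any change in content: the same five URLs end up in a different order, so four removed and four added lines carry no information and hide the one real edit (the techniques → mitigations URL). The same pure reordering appears in T1055 in the previous hunk, T1087, T1116, T1221, T1172, T1197, and in the swapped `dest-uuid` pair of T1488 later in this patch. If this file is produced by a script, emitting `refs` and `related` in a stable order (for example sorted) would keep the diff limited to real changes, which matters here because the patch also drops references silently (T1074 loses five of its six refs) and a reviewer cannot tell churn from loss at a glance. Hedged: I am inferring the generator from the shape of the data; if the arrays are hand-maintained, the same argument applies to keeping the existing order.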
@@ -4287,13 +6327,13 @@
 "meta": {
 "external_id": "T1087",
 "refs": [
- "https://attack.mitre.org/techniques/T1087",
- "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://attack.mitre.org/mitigations/T1087",
+ "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/ee791851.aspx",
- "https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077"
+ "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx",
+ "https://technet.microsoft.com/en-us/library/ee791851.aspx"
 ]
 },
 "related": [
@@ -4313,7 +6353,7 @@
 "meta": {
 "external_id": "T1078",
 "refs": [
- "https://attack.mitre.org/techniques/T1078",
+ "https://attack.mitre.org/mitigations/T1078",
 "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach",
 "https://technet.microsoft.com/en-us/library/dn535501.aspx",
 "https://technet.microsoft.com/en-us/library/dn487450.aspx",
@@ -4337,7 +6377,7 @@
 "meta": {
 "external_id": "T1079",
 "refs": [
- "https://attack.mitre.org/techniques/T1079",
+ "https://attack.mitre.org/mitigations/T1079",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -4358,7 +6398,7 @@
 "meta": {
 "external_id": "T1098",
 "refs": [
- "https://attack.mitre.org/techniques/T1098"
+ "https://attack.mitre.org/mitigations/T1098"
 ]
 },
 "related": [
@@ -4378,7 +6418,7 @@
 "meta": {
 "external_id": "T1112",
 "refs": [
- "https://attack.mitre.org/techniques/T1112",
+ "https://attack.mitre.org/mitigations/T1112",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4403,7 +6443,7 @@
 "meta": {
 "external_id": "T1131",
 "refs": [
- "https://attack.mitre.org/techniques/T1131",
+ "https://attack.mitre.org/mitigations/T1131",
 "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html",
 "https://technet.microsoft.com/en-us/library/dn408187.aspx"
 ]
@@ -4425,7 +6465,7 @@
 "meta": {
 "external_id": "T1113",
 "refs": [
- "https://attack.mitre.org/techniques/T1113",
+ "https://attack.mitre.org/mitigations/T1113",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4450,7 +6490,7 @@
 "meta": {
 "external_id": "T1114",
 "refs": [
- "https://attack.mitre.org/techniques/T1114",
+ "https://attack.mitre.org/mitigations/T1114",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4475,7 +6515,7 @@
 "meta": {
 "external_id": "T1141",
 "refs": [
- "https://attack.mitre.org/techniques/T1141"
+ "https://attack.mitre.org/mitigations/T1141"
 ]
 },
 "related": [
@@ -4495,7 +6535,7 @@
 "meta": {
 "external_id": "T1115",
 "refs": [
- "https://attack.mitre.org/techniques/T1115",
+ "https://attack.mitre.org/mitigations/T1115",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4520,7 +6560,7 @@
 "meta": {
 "external_id": "T1161",
 "refs": [
- "https://attack.mitre.org/techniques/T1161"
+ "https://attack.mitre.org/mitigations/T1161"
 ]
 },
 "related": [
@@ -4540,10 +6580,10 @@
 "meta": {
 "external_id": "T1116",
 "refs": [
- "https://attack.mitre.org/techniques/T1116",
- "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/",
+ "https://attack.mitre.org/mitigations/T1116",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
- "https://technet.microsoft.com/en-us/library/cc733026.aspx"
+ "https://technet.microsoft.com/en-us/library/cc733026.aspx",
+ "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/"
 ]
 },
 "related": [
@@ -4563,7 +6603,7 @@
 "meta": {
 "external_id": "T1119",
 "refs": [
- "https://attack.mitre.org/techniques/T1119",
+ "https://attack.mitre.org/mitigations/T1119",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4588,9 +6628,9 @@
 "meta": {
 "external_id": "T1221",
 "refs": [
- "https://attack.mitre.org/techniques/T1221",
- "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104",
- "https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6"
+ "https://attack.mitre.org/mitigations/T1221",
+ "https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6",
+ "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104"
 ]
 },
 "related": [
@@ -4610,7 +6650,7 @@
 "meta": {
 "external_id": "T1123",
 "refs": [
- "https://attack.mitre.org/techniques/T1123",
+ "https://attack.mitre.org/mitigations/T1123",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4635,7 +6675,7 @@
 "meta": {
 "external_id": "T1132",
 "refs": [
- "https://attack.mitre.org/techniques/T1132",
+ "https://attack.mitre.org/mitigations/T1132",
 "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
 ]
 },
@@ -4656,7 +6696,7 @@
 "meta": {
 "external_id": "T1125",
 "refs": [
- "https://attack.mitre.org/techniques/T1125",
+ "https://attack.mitre.org/mitigations/T1125",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -4681,7 +6721,7 @@
 "meta": {
 "external_id": "T1162",
 "refs": [
- "https://attack.mitre.org/techniques/T1162",
+ "https://attack.mitre.org/mitigations/T1162",
 "https://support.apple.com/en-us/HT204005"
 ]
 },
@@ -4702,9 +6742,9 @@
 "meta": {
 "external_id": "T1172",
 "refs": [
- "https://attack.mitre.org/techniques/T1172",
- "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016",
- "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html"
+ "https://attack.mitre.org/mitigations/T1172",
+ "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html",
+ "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016"
 ]
 },
 "related": [
@@ -4724,7 +6764,7 @@
 "meta": {
 "external_id": "T1182",
 "refs": [
- "https://attack.mitre.org/techniques/T1182",
+ "https://attack.mitre.org/mitigations/T1182",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm"
@@ -4743,11 +6783,11 @@
 "value": "AppCert DLLs Mitigation - T1182"
 },
 {
- "description": "Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Other mitigations can take place as [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
+ "description": "Because this technique involves user interaction on the endpoint, it's difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Other mitigations can take place as [User Execution](https://attack.mitre.org/techniques/T1204) occurs.",
 "meta": {
 "external_id": "T1192",
 "refs": [
- "https://attack.mitre.org/techniques/T1192"
+ "https://attack.mitre.org/mitigations/T1192"
 ]
 },
 "related": [
@@ -4767,7 +6807,7 @@
 "meta": {
 "external_id": "T1143",
 "refs": [
- "https://attack.mitre.org/techniques/T1143"
+ "https://attack.mitre.org/mitigations/T1143"
 ]
 },
 "related": [
@@ -4787,7 +6827,7 @@
 "meta": {
 "external_id": "T1136",
 "refs": [
- "https://attack.mitre.org/techniques/T1136"
+ "https://attack.mitre.org/mitigations/T1136"
 ]
 },
 "related": [
@@ -4807,7 +6847,7 @@
 "meta": {
 "external_id": "T1138",
 "refs": [
- "https://attack.mitre.org/techniques/T1138"
+ "https://attack.mitre.org/mitigations/T1138"
 ]
 },
 "related": [
@@ -4827,7 +6867,7 @@
 "meta": {
 "external_id": "T1193",
 "refs": [
- "https://attack.mitre.org/techniques/T1193"
+ "https://attack.mitre.org/mitigations/T1193"
 ]
 },
 "related": [
@@ -4847,7 +6887,7 @@
 "meta": {
 "external_id": "T1139",
 "refs": [
- "https://attack.mitre.org/techniques/T1139"
+ "https://attack.mitre.org/mitigations/T1139"
 ]
 },
 "related": [
@@ -4867,7 +6907,7 @@
 "meta": {
 "external_id": "T1144",
 "refs": [
- "https://attack.mitre.org/techniques/T1144"
+ "https://attack.mitre.org/mitigations/T1144"
 ]
 },
 "related": [
@@ -4887,7 +6927,7 @@
 "meta": {
 "external_id": "T1145",
 "refs": [
- "https://attack.mitre.org/techniques/T1145"
+ "https://attack.mitre.org/mitigations/T1145"
 ]
 },
 "related": [
@@ -4907,7 +6947,7 @@
 "meta": {
 "external_id": "T1147",
 "refs": [
- "https://attack.mitre.org/techniques/T1147"
+ "https://attack.mitre.org/mitigations/T1147"
 ]
 },
 "related": [
@@ -4927,7 +6967,7 @@
 "meta": {
 "external_id": "T1184",
 "refs": [
- "https://attack.mitre.org/techniques/T1184",
+ "https://attack.mitre.org/mitigations/T1184",
 "https://www.symantec.com/connect/articles/ssh-and-ssh-agent"
 ]
 },
@@ -4948,7 +6988,7 @@
 "meta": {
 "external_id": "T1149",
 "refs": [
- "https://attack.mitre.org/techniques/T1149"
+ "https://attack.mitre.org/mitigations/T1149"
 ]
 },
 "related": [
@@ -4968,7 +7008,7 @@
 "meta": {
 "external_id": "T1491",
 "refs": [
- "https://attack.mitre.org/techniques/T1491",
+ "https://attack.mitre.org/mitigations/T1491",
 "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf"
 ]
 },
@@ -4989,7 +7029,7 @@
 "meta": {
 "external_id": "T1165",
 "refs": [
- "https://attack.mitre.org/techniques/T1165"
+ "https://attack.mitre.org/mitigations/T1165"
 ]
 },
 "related": [
@@ -5009,7 +7049,7 @@
 "meta": {
 "external_id": "T1157",
 "refs": [
- "https://attack.mitre.org/techniques/T1157"
+ "https://attack.mitre.org/mitigations/T1157"
 ]
 },
 "related": [
@@ -5029,7 +7069,7 @@
 "meta": {
 "external_id": "T1159",
 "refs": [
- "https://attack.mitre.org/techniques/T1159"
+ "https://attack.mitre.org/mitigations/T1159"
 ]
 },
 "related": [
@@ -5049,7 +7089,7 @@
 "meta": {
 "external_id": "T1176",
 "refs": [
- "https://attack.mitre.org/techniques/T1176",
+ "https://attack.mitre.org/mitigations/T1176",
 "http://www.technospot.net/blogs/block-chrome-extensions-using-google-chrome-group-policy-settings/"
 ]
 },
@@ -5070,7 +7110,7 @@
 "meta": {
 "external_id": "T1186",
 "refs": [
- "https://attack.mitre.org/techniques/T1186",
+ "https://attack.mitre.org/mitigations/T1186",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -5095,7 +7135,7 @@
 "meta": {
 "external_id": "T1177",
 "refs": [
- "https://attack.mitre.org/techniques/T1177",
+ "https://attack.mitre.org/mitigations/T1177",
 "https://technet.microsoft.com/library/dn408187.aspx",
 "https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage",
 "https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works",
@@ -5119,7 +7159,7 @@
 "meta": {
 "external_id": "T1187",
 "refs": [
- "https://attack.mitre.org/techniques/T1187",
+ "https://attack.mitre.org/mitigations/T1187",
 "https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices",
 "https://www.us-cert.gov/ncas/alerts/TA17-293A"
 ]
@@ -5141,10 +7181,10 @@
 "meta": {
 "external_id": "T1197",
 "refs": [
- "https://attack.mitre.org/techniques/T1197",
- "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx",
+ "https://attack.mitre.org/mitigations/T1197",
 "https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/",
- "https://www.symantec.com/connect/blogs/malware-update-windows-update"
+ "https://www.symantec.com/connect/blogs/malware-update-windows-update",
+ "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx"
 ]
 },
 "related": [
@@ -5164,7 +7204,7 @@
 "meta": {
 "external_id": "T1199",
 "refs": [
- "https://attack.mitre.org/techniques/T1199"
+ "https://attack.mitre.org/mitigations/T1199"
 ]
 },
 "related": [
@@ -5184,7 +7224,7 @@
 "meta": {
 "external_id": "T1495",
 "refs": [
- "https://attack.mitre.org/techniques/T1495"
+ "https://attack.mitre.org/mitigations/T1495"
 ]
 },
 "related": [
@@ -5204,7 +7244,7 @@
 "meta": {
 "external_id": "T1496",
 "refs": [
- "https://attack.mitre.org/techniques/T1496",
+ "https://attack.mitre.org/mitigations/T1496",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -5229,7 +7269,7 @@
 "meta": {
 "external_id": "T1488",
 "refs": [
- "https://attack.mitre.org/techniques/T1488",
+ "https://attack.mitre.org/mitigations/T1488",
 "https://www.ready.gov/business/implementation/IT",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
@@ -5247,14 +7287,14 @@
 "type": "mitigates"
 },
 {
- "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
+ "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "mitigates"
 },
 {
- "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7",
+ "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -5269,7 +7309,7 @@
 "meta": {
 "external_id": "T1489",
 "refs": [
- "https://attack.mitre.org/techniques/T1489"
+ "https://attack.mitre.org/mitigations/T1489"
 ]
 },
 "related": [
@@ -5284,12 +7324,95 @@
 "uuid": "417fed8c-bd76-48b5-90a2-a88882a95241",
 "value": "Service Stop Mitigation - T1489"
 },
+ {
+ "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.",
+ "meta": {
+ "external_id": "M1032",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1032"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "b045d015-6bed-4490-bd38-56b41ece59a0",
+ "value": "Multi-factor Authentication - M1032"
+ },
 {
 "description": "Limit privileges of user accounts so only authorized users can edit the rc.common file.",
 "meta": {
 "external_id": "T1163",
 "refs": [
- "https://attack.mitre.org/techniques/T1163"
+ "https://attack.mitre.org/mitigations/T1163"
 ]
 },
 "related": [
@@ -5304,12 +7427,39 @@
 "uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482",
 "value": "Rc.common Mitigation - T1163"
 },
+ {
+ "description": "Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.",
+ "meta": {
+ "external_id": "M1020",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1020"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "7bb5fae9-53ad-4424-866b-f0ea2a8b731d",
+ "value": "SSL/TLS Inspection - M1020"
+ },
 {
 "description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.",
 "meta": {
 "external_id": "T1121",
 "refs": [
- "https://attack.mitre.org/techniques/T1121"
+ "https://attack.mitre.org/mitigations/T1121"
 ]
 },
 "related": [
@@ -5497,6 +7647,173 @@ "uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "value": "Lock Bootloader - M1003" }, + { + "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.", + "meta": { + "external_id": "M1030", + "refs": [ + "https://attack.mitre.org/mitigations/M1030" + ] + }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "86598de0-b347-4928-9eb0-0acbfc21908c", + "value": "Network Segmentation - M1030" + }, { "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Detect App Analysis Environment](https://attack.mitre.org/techniques/T1440) exist that can enable adversaries to bypass vetting.", "meta": { 
@@ -5741,6 +8058,89 @@ "uuid": "1553b156-6767-47f7-9eb4-2a692505666d", "value": "Application Vetting - M1005" }, + { + "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", + "meta": { + "external_id": "M1050", + "refs": [ + "https://attack.mitre.org/mitigations/M1050" + ] + }, + "related": [ + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "d2a24649-9694-4c97-9c62-ce7b270bf6a3", + "value": "Exploit Protection - M1050" + }, { "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", "meta": { @@ -5867,6 +8267,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", @@ -5905,7 +8312,7 @@ "meta": { "external_id": "T1014", "refs": [ - "https://attack.mitre.org/techniques/T1014", + "https://attack.mitre.org/mitigations/T1014", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -5925,12 +8332,178 @@ "uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f", "value": "Rootkit Mitigation - T1014" }, + { + "description": "Perform regular software updates to mitigate exploitation risk.", + "meta": { + "external_id": "M1051", + "refs": [ + "https://attack.mitre.org/mitigations/M1051" + ] + }, + "related": [ + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": 
"mitigates" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "e5d930e9-775a-40ad-9bdb-b941d8dfe86b", + "value": "Update Software - M1051" + }, + { + "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", + "meta": { + "external_id": "M1016", + "refs": [ + "https://attack.mitre.org/mitigations/M1016" + ] + }, + "related": [ + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "15437c6d-b998-4a36-be41-4ace3d54d266", + "value": "Vulnerability Scanning - M1016" + }, { "description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "meta": { "external_id": "T1170", "refs": [ - "https://attack.mitre.org/techniques/T1170" + "https://attack.mitre.org/mitigations/T1170" ] }, "related": [ 
@@ -5945,12 +8518,130 @@ "uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2", "value": "Mshta Mitigation - T1170" }, + { + "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "meta": { + "external_id": "M1017", + "refs": [ + "https://attack.mitre.org/mitigations/M1017" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"6a3be63a-64c5-4678-a036-03ff8fc35300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", + "value": "User Training - M1017" + }, { "description": "Block .scr files from being executed from non-standard locations. Set Group Policy to force users to have a dedicated screensaver where local changes should not override the settings to prevent changes. Use Group Policy to disable screensavers if they are unnecessary. (Citation: TechNet Screensaver GP)", "meta": { "external_id": "T1180", "refs": [ - "https://attack.mitre.org/techniques/T1180", + "https://attack.mitre.org/mitigations/T1180", "https://technet.microsoft.com/library/cc938799.aspx" ] }, @@ -5971,7 +8662,7 @@ "meta": { "external_id": "T1085", "refs": [ - "https://attack.mitre.org/techniques/T1085", + "https://attack.mitre.org/mitigations/T1085", "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET" ] }, 
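Review bot: The description of the new `User Training - M1017` entry reads `Train users to to be aware of access or manipulation attempts`, a doubled word that appears to be carried over verbatim from the upstream ATT&CK text. Because this cluster looks generated, correcting it by hand would be undone on the next regeneration; the fix should go to the source data or to a normalisation step in the generator so the line becomes `"description": "Train users to be aware of access or manipulation attempts by an adversary ..."`. The same doubled-word pattern is worth a one-off grep across the other new `description` values in this commit.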
@@ -5992,7 +8683,7 @@
 "meta": {
 "external_id": "T1062",
 "refs": [
- "https://attack.mitre.org/techniques/T1062"
+ "https://attack.mitre.org/mitigations/T1062"
 ]
 },
 "related": [
@@ -6012,7 +8703,7 @@
 "meta": {
 "external_id": "T1207",
 "refs": [
- "https://attack.mitre.org/techniques/T1207"
+ "https://attack.mitre.org/mitigations/T1207"
 ]
 },
 "related": [
@@ -6027,12 +8718,130 @@ "uuid": "b70627f7-3b43-4c6f-8fc0-c918c41f8f72", "value": "DCShadow Mitigation - T1207" }, + { + "description": "Set and enforce secure password policies for accounts.", + "meta": { + "external_id": "M1027", + "refs": [ + "https://attack.mitre.org/mitigations/M1027" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" 
+ }, + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "90c218c3-fbf8-4830-98a7-e8cfb7eaa485", + "value": "Password Policies - M1027" + }, { "description": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nLimit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nEnable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015)", "meta": { "external_id": "T1208", "refs": [ - "https://attack.mitre.org/techniques/T1208", + "https://attack.mitre.org/mitigations/T1208", "https://adsecurity.org/?p=2293" ] }, 
@@ -6048,12 +8857,67 @@ "uuid": "a3e12b04-8598-4909-8855-2c97c1e7d549", "value": "Kerberoasting Mitigation - T1208" }, + { + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.", + "meta": { + "external_id": "M1053", + "refs": [ + "https://attack.mitre.org/mitigations/M1053" + ] + }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "3efe43d1-6f3f-4fcb-ab39-4a730971f70b", + "value": "Data Backup - M1053" + }, { "description": "When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\\Windows\\System32. 
Use tools that restrict program execution via whitelisting by attributes other than file name.\n\nIdentify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "meta": { "external_id": "T1036", "refs": [ - "https://attack.mitre.org/techniques/T1036", + "https://attack.mitre.org/mitigations/T1036", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", 
@@ -6073,12 +8937,379 @@ "uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae", "value": "Masquerading Mitigation - T1036" }, + { + "description": "Block execution of code on a system through application whitelisting, blacklisting, and/or script blocking.", + "meta": { + "external_id": "M1038", + "refs": [ + "https://attack.mitre.org/mitigations/M1038" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "47e0e9fe-96ce-4f65-8bb1-8be1feacb5db", + "value": "Execution Prevention - M1038" + }, + { + "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.", + "meta": { + "external_id": "M1054", + "refs": [ + 
"https://attack.mitre.org/mitigations/M1054" + ] + }, + "related": [ + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6a5848a8-6201-4a2c-8a6a-ca5af8c6f3df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067", + "value": "Software Configuration - M1054" + }, + { + "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", + "meta": { + "external_id": "M1045", + "refs": [ + "https://attack.mitre.org/mitigations/M1045" + ] + }, + "related": [ + { + "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": 
"04ef4356-8926-45e2-9441-634b6f3dcecb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "590777b3-b475-4c7c-aaf8-f4a73b140312", + "value": "Code Signing - M1045" + }, + { + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "meta": { + "external_id": "M1046", + "refs": [ + "https://attack.mitre.org/mitigations/M1046" + ] + }, + "related": [ + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "7da0387c-ba92-4553-b291-b636ee42b2eb", + "value": "Boot Integrity - M1046" + }, { "description": "Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.\n\nConfigure Office security settings enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. (Citation: Microsoft Block Office Macros) Other types of virtualization and application microsegmentation may also mitigate the impact of compromise. The risks of additional exploits and weaknesses in implementation may still exist. 
(Citation: Ars Technica Pwn2Own 2017 VM Escape)",
 "meta": {
 "external_id": "T1064",
 "refs": [
- "https://attack.mitre.org/techniques/T1064",
+ "https://attack.mitre.org/mitigations/T1064",
 "https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/",
 "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"
 ]
@@ -6100,7 +9331,7 @@
 "meta": {
 "external_id": "T1067",
 "refs": [
- "https://attack.mitre.org/techniques/T1067",
+ "https://attack.mitre.org/mitigations/T1067",
 "http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf",
 "https://technet.microsoft.com/en-us/windows/dn168167.aspx"
 ]
@@ -6122,7 +9353,7 @@
 "meta": {
 "external_id": "T1086",
 "refs": [
- "https://attack.mitre.org/techniques/T1086",
+ "https://attack.mitre.org/mitigations/T1086",
 "https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/"
 ]
 },
@@ -6143,7 +9374,7 @@
 "meta": {
 "external_id": "T1099",
 "refs": [
- "https://attack.mitre.org/techniques/T1099",
+ "https://attack.mitre.org/mitigations/T1099",
 "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599",
 "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html",
 "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm",
@@ -6168,7 +9399,7 @@
 "meta": {
 "external_id": "T1117",
 "refs": [
- "https://attack.mitre.org/techniques/T1117",
+ "https://attack.mitre.org/mitigations/T1117",
 "https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET"
 ]
 },
@@ -6189,7 +9420,7 @@
 "meta": {
 "external_id": "T1118",
 "refs": [
- "https://attack.mitre.org/techniques/T1118"
+ "https://attack.mitre.org/mitigations/T1118"
 ]
 },
 "related": [
@@ -6209,7 +9440,7 @@
 "meta": {
 "external_id": "T1191",
 "refs": [
- "https://attack.mitre.org/techniques/T1191",
+ "https://attack.mitre.org/mitigations/T1191",
 "https://msitpros.com/?p=3960"
 ]
 },
@@ -6230,7 +9461,7 @@
 "meta": {
 "external_id": "T1142",
 "refs": [
- "https://attack.mitre.org/techniques/T1142"
+ "https://attack.mitre.org/mitigations/T1142"
 ]
 },
 "related": [
@@ -6250,7 +9481,7 @@
 "meta": {
 "external_id": "T1152",
 "refs": [
- "https://attack.mitre.org/techniques/T1152"
+ "https://attack.mitre.org/mitigations/T1152"
 ]
 },
 "related": [
@@ -6270,7 +9501,7 @@
 "meta": {
 "external_id": "T1153",
 "refs": [
- "https://attack.mitre.org/techniques/T1153"
+ "https://attack.mitre.org/mitigations/T1153"
 ]
 },
 "related": [
@@ -6290,7 +9521,7 @@
 "meta": {
 "external_id": "T1154",
 "refs": [
- "https://attack.mitre.org/techniques/T1154"
+ "https://attack.mitre.org/mitigations/T1154"
 ]
 },
 "related": [
@@ -6310,7 +9541,7 @@
 "meta": {
 "external_id": "T1148",
 "refs": [
- "https://attack.mitre.org/techniques/T1148",
+ "https://attack.mitre.org/mitigations/T1148",
 "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory"
 ]
 },
@@ -6331,7 +9562,7 @@
 "meta": {
 "external_id": "T1155",
 "refs": [
- "https://attack.mitre.org/techniques/T1155",
+ "https://attack.mitre.org/mitigations/T1155",
 "https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/"
 ]
 },
@@ -6352,7 +9583,7 @@
 "meta": {
 "external_id": "T1169",
 "refs": [
- "https://attack.mitre.org/techniques/T1169"
+ "https://attack.mitre.org/mitigations/T1169"
 ]
 },
 "related": [
@@ -6372,7 +9603,7 @@
 "meta": {
 "external_id": "T1179",
 "refs": [
- "https://attack.mitre.org/techniques/T1179"
+ "https://attack.mitre.org/mitigations/T1179"
 ]
 },
 "related": [
@@ -6387,6 +9618,61 @@
 "uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf",
 "value": "Hooking Mitigation - T1179"
 },
+ {
+ "description": "Use signatures or heuristics to detect malicious software.",
+ "meta": {
+ "external_id": "M1049",
+ "refs": [
+ "https://attack.mitre.org/mitigations/M1049"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ },
+ {
+ "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "mitigates"
+ }
+ ],
+ "uuid": "a6a47a06-08fc-4ec4-bdc3-20373375ebb9",
+ "value": "Antivirus/Antimalware - M1049"
+ },
 {
 "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
 "meta": {
@@ -6406,7 +9692,132 @@ ], "uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c", "value": "Attestation - M1002" + }, + { + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "meta": { + "external_id": "M1047", + "refs": [ + "https://attack.mitre.org/mitigations/M1047" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", + "value": "Audit - M1047" } ], - "version": 12 + "version": 14 } diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json index 2fadd8f..d770d14 100644 --- a/clusters/mitre-enterprise-attack-course-of-action.json +++ b/clusters/mitre-enterprise-attack-course-of-action.json @@ -3672,5 +3672,5 @@ "value": "Security Software Discovery Mitigation - T1063" } ], - "version": 7 + "version": 8 } diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index 0520025..b8d173f 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json 
@@ -9,6 +9,93 @@ "type": "mitre-intrusion-set", "uuid": "10df003c-7831-11e7-bdb9-971cdd1218df", "values": [ + { + "description": "[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)", + "meta": { + "external_id": "G0089", + "refs": [ + "https://attack.mitre.org/groups/G0089", + "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" + ], + "synonyms": [ + "The White Company" + ] + }, + "related": [ + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "6688d679-ccdb-4f12-abf6-c7545dd767a4", + "value": "The White Company - G0089" + }, { "description": "[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Securelist LuckyMouse June 2018)", "meta": { @@ -20,7 +107,8 @@ "https://securelist.com/luckymouse-hits-national-data-center/86083/", "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", - "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/" + "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" ], "synonyms": [ "Threat Group-3390", 
@@ -396,6 +484,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", @@ -1263,6 +1393,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8a831aaa-f3e0-47a3-bed8-a9ced744dd12", 
@@ -1800,6 +1951,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
 "tags": [
@@ -1849,13 +2007,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
 "tags": [
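Review bot: The `@@ -1800,6 +1951,13 @@` and `@@ -1849,13 +2007,6 @@` hunks together only move the `b17a1a56-e99c-403c-8948-561df0cffe81` relationship to an earlier index of the same `related` array; no edge is added or removed, so this part of the change is ordering churn rather than content. The `@@ -4137,6 +4683,13 @@` / `@@ -4270,13 +4823,6 @@` pair further down does the same for `72b74d71-8169-42aa-92e0-e7b04b9f5a08`. If `related` is written in whatever order the source bundle yields, sorting entries by `dest-uuid` before serialising would keep regenerations diff-free and make real additions easier to review; the enclosing intrusion-set object is outside both hunks, so I cannot tell from here whether the reorder is intended.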
@@ -2070,6 +2221,62 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "56319646-eb6e-41fc-ae53-aadfa7adb924", 
@@ -2986,6 +3193,303 @@ "uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "value": "Stealth Falcon - G0038" }, + { + "description": "Operation [Soft Cell](https://attack.mitre.org/groups/G0093) is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.(Citation: Cybereason Soft Cell June 2019)", + "meta": { + "external_id": "G0093", + "refs": [ + "https://attack.mitre.org/groups/G0093", + "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" + ], + "synonyms": [ + "Soft Cell" + ] + }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + 
}, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "06a11b7e-2a36-47fe-8d3e-82c265df3258", + "value": "Soft Cell - G0093" + }, { "description": "[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. 
(Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018)",
 "meta": {
@@ -3714,6 +4218,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "1f21da59-6a13-455b-afd0-d58d0a5a7d27",
@@ -3976,7 +4487,7 @@
 "value": "FIN10 - G0051"
 },
 {
- "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
+ "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)",
 "meta": {
 "external_id": "G0005",
 "refs": [
@@ -4013,6 +4524,41 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
@@ -4137,6 +4683,13 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283",
 "tags": [
@@ -4270,13 +4823,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
 "tags": [
@@ -4510,7 +5056,8 @@
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/",
 "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
- "https://securelist.com/introducing-whitebear/81638/"
+ "https://securelist.com/introducing-whitebear/81638/",
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"
 ],
 "synonyms": [
 "Turla",
@@ -4801,6 +5348,139 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", 
@@ -5313,7 +5993,152 @@
 "value": "APT32 - G0050"
 },
 {
- "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least January 2007.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018)",
+ "description": "[TA505](https://attack.mitre.org/groups/G0092) is a financially motivated threat group that has been active since at least 2014. 
The group is known for frequently changing malware and driving global trends in criminal malware distribution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)", + "meta": { + "external_id": "G0092", + "refs": [ + "https://attack.mitre.org/groups/G0092", + "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter", + "https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + ], + "synonyms": [ + "TA505" + ] + }, + "related": [ + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", + "value": "TA505 - G0092" + }, + { + "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. 
This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)",
 "meta": {
 "external_id": "G0007",
 "refs": [
@@ -5328,6 +6153,7 @@
 "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/",
 "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/",
 "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
+ "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/",
 "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
 "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf",
 "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
@@ -5833,6 +6659,20 @@
 ],
 "type": "uses"
 },
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
 {
 "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
 "tags": [
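Review bot: The rewritten APT28 description on the `+` line that opens the `@@ -5313,7 +5993,152 @@` hunk moves the group's first-seen date from "active since at least January 2007" to "active since at least 2004", and the only visible hint of where that revision comes from is the appended `(Citation: ESET Zebrocy May 2019)`. If this cluster is regenerated from the upstream ATT&CK data, that is presumably the source and the change is fine; otherwise a factual date moving three years earlier deserves a sentence in the commit message so it is not mistaken for a transcription error. The APT28 object continues past the end of the hunk (its remaining `refs` and `related` entries are in the following hunks), so only the description could be checked here.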
@@ -6668,13 +7508,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
 "tags": [
@@ -6820,6 +7653,72 @@
 "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
 "value": "Carbanak - G0008"
 },
+ {
+ "description": "[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.(Citation: Lab52 WIRTE Apr 2019)",
+ "meta": {
+ "external_id": "G0090",
+ "refs": [
+ "https://attack.mitre.org/groups/G0090",
+ "https://lab52.io/blog/wirte-group-attacking-the-middle-east/"
+ ],
+ "synonyms": [
+ "WIRTE"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
+ "uuid": "f8cb7b36-62ef-4488-8a6d-a7033e3271c1",
+ "value": "WIRTE - G0090"
+ },
 {
 "description": "[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. 
(Citation: Bizeul 2014) (Citation: Villeneuve 2014)",
 "meta": {
@@ -7337,7 +8236,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -7461,6 +8360,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
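Review bot: The `@@ -7337,7 +8236,7 @@` hunk rewrites an existing relation's `dest-uuid` from `799ace7f-e227-4411-baa0-8868704f2a69` to `56fca983-1cf1-4fd1-bda0-5e170a37ab59`, and the `@@ -7461,6 +8360,13 @@` hunk re-adds `799ace7f-…` at the end of the same `related` array, so what reads as a retargeted link is really one new relation plus a reorder. If this cluster is emitted by a generator, sorting `related` by `dest-uuid` before writing would make regeneration diffs show the pure insertion and make them far easier to audit for silently dropped links. The `mitre-malware.json` hunk `@@ -1685,7 +1686,7 @@` later in this page has the same shape, `54a649ff-439a-41a4-9856-8d144a2551ba` replaced by `10d51417-ee35-4589-b1ff-b6df1c334e8d`, but no re-add of the old target is visible in this chunk, so it is worth confirming that link is meant to be dropped rather than moved. The enclosing entry (uuid `899ce53f-…`) starts outside these hunks.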
@@ -8544,6 +9450,115 @@ "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "value": "Naikon - G0019" }, + { + "description": "[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing. (Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) ", + "meta": { + "external_id": "G0091", + "refs": [ + "https://attack.mitre.org/groups/G0091", + "https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/", + "https://securelist.com/the-silence/83009/" + ], + "synonyms": [ + "Silence" + ] + }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d13c8a7f-740b-4efa-a232-de7d6bb05321", + "value": "Silence - G0091" + }, { "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\nMITRE has also developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)", "meta": { 
@@ -9213,7 +10228,10 @@
 "meta": {
 "external_id": "G0052",
 "refs": [
- "https://attack.mitre.org/groups/G0052"
+ "https://attack.mitre.org/groups/G0052",
+ "http://www.clearskysec.com/copykitten-jpost/",
+ "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf",
+ "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
 ],
 "synonyms": [
 "CopyKittens"
@@ -9767,6 +10785,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
@@ -9807,12 +10832,12 @@
 "value": "APT34 - G0057"
 },
 {
- "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
+ "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
 "meta": {
 "external_id": "G0043",
 "refs": [
 "https://attack.mitre.org/groups/G0043",
- "https://citizenlab.org/2016/08/group5-syria/"
+ "https://citizenlab.ca/2016/08/group5-syria/"
 ],
 "synonyms": [
 "Group5"
@@ -9860,6 +10885,20 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
@@ -10038,7 +11077,7 @@
 "value": "Dragonfly - G0035"
 },
 {
- "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017), [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
+ "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. 
[APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
 "meta": {
 "external_id": "G0067",
 "refs": [
@@ -10047,7 +11086,8 @@
 "https://securelist.com/operation-daybreak/75100/",
 "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
 "https://www.us-cert.gov/ncas/alerts/TA17-164A",
- "https://securelist.com/lazarus-under-the-hood/77908/"
+ "https://securelist.com/lazarus-under-the-hood/77908/",
+ "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/"
 ],
 "synonyms": [
 "APT37",
@@ -10316,6 +11356,20 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c",
@@ -10986,7 +12040,8 @@
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
 "https://www.justice.gov/opa/press-release/file/1121706/download",
- "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
+ "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
 ],
 "synonyms": [
 "menuPass",
@@ -11666,6 +12721,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
@@ -11769,7 +12831,7 @@
 "value": "RTM - G0048"
 },
 {
- "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.",
+ "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. 
(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.",
 "meta": {
 "external_id": "G0049",
 "refs": [
@@ -12923,7 +13985,8 @@
 "meta": {
 "external_id": "G0068",
 "refs": [
- "https://attack.mitre.org/groups/G0068"
+ "https://attack.mitre.org/groups/G0068",
+ "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
 ],
 "synonyms": [
 "PLATINUM"
@@ -13301,6 +14364,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2",
@@ -13498,5 +14568,5 @@
 "value": "DarkHydrus - G0079"
 }
 ],
- "version": 15
+ "version": 17
 }
diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json
index bc1fbae..6a2f263 100644
--- a/clusters/mitre-malware.json
+++ b/clusters/mitre-malware.json
@@ -610,7 +610,8 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/software/S0007"
+ "https://attack.mitre.org/software/S0007",
+ "https://www.secureworks.com/research/skeleton-key-malware-analysis"
 ],
 "synonyms": [
 "Skeleton Key"
@@ -1685,7 +1686,7 @@
 "type": "uses"
 },
 {
- "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
+ "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d",
 "tags": [
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
@@ -1697,6 +1698,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "0efefea5-78da-4022-92bc-d726139e8883",
@@ -1739,6 +1747,20 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48",
@@ -2334,6 +2356,509 @@ "uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", "value": "Olympic Destroyer - S0365" }, + { + "description": "[Ursnif ](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif ](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)", + "meta": { + "external_id": "S0386", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0386", + "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif", + "https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992", + "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" + ], + "synonyms": [ + "Ursnif ", + "Gozi-ISFB", + "PE_URSNIF", + "Dreambot" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407", + "value": "Ursnif - S0386" + }, + { + "description": "[Revenge RAT](https://attack.mitre.org/software/S0379) is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)", + "meta": { + "external_id": "S0379", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0379", + "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517", + "https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" + ], + "synonyms": [ + "Revenge RAT" + ] + }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", + "value": "Revenge RAT - S0379" + }, + { + "description": "[HyperBro ](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)", + "meta": { + "external_id": "S0398", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0398", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", + "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html" + ], + "synonyms": [ + "HyperBro " + ] + }, + "related": [ + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5e814485-012d-423d-b769-026bfed0f451", + "value": "HyperBro - S0398" + }, { "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", "meta": { @@ -2875,6 +3400,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "tags": [ 
@@ -2889,13 +3421,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
- "tags": [
- "estimative-language:likelihood-probability=\"almost-certain\""
- ],
- "type": "uses"
- },
 {
 "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380",
 "tags": [
@@ -3408,7 +3933,8 @@
 "Windows"
 ],
 "refs": [
- "https://attack.mitre.org/software/S0060"
+ "https://attack.mitre.org/software/S0060",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf"
 ],
 "synonyms": [
 "Sys10"
@@ -5709,7 +6235,7 @@
 "value": "POSHSPY - S0150"
 },
 {
- "description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since 2009 to attack targets in East Asia. (Citation: Moran 2013)",
+ "description": "[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)",
 "meta": {
 "external_id": "S0015",
 "mitre_platforms": [
@@ -5730,6 +6256,111 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", @@ -6700,6 +7331,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", @@ -6832,13 +7470,6 @@ ], "type": "uses" }, - { - "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "tags": [ @@ -6866,6 +7497,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5bcd5511-6756-4824-a692-e8bb109364af", 
@@ -7571,7 +8209,7 @@
 "value": "LOWBALL - S0042"
 },
 {
- "description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123)",
+ "description": "[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123)",
 "meta": {
 "external_id": "S0240",
 "mitre_platforms": [
@@ -7671,6 +8309,20 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f",
@@ -10086,6 +10738,133 @@ "uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", "value": "SamSam - S0370" }, + { + "description": "[StoneDrill](https://attack.mitre.org/software/S0380) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://attack.mitre.org/groups/G0064).(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)", + "meta": { + "external_id": "S0380", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0380", + "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" + ], + "synonyms": [ + "StoneDrill", + "DROPSHOT" + ] + }, + "related": [ + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": 
"uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887", + "value": "StoneDrill - S0380" + }, { "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)", "meta": { 
@@ -10441,6 +11220,79 @@ "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "value": "Adups - S0309" }, + { + "description": "[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)", + "meta": { + "external_id": "S0390", + "refs": [ + "https://attack.mitre.org/software/S0390", + "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ " + ], + "synonyms": [ + "SQLRat" + ] + }, + "related": [ + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", + "value": 
"SQLRat - S0390" + }, { "description": "[JHUHUGIT](https://attack.mitre.org/software/S0044) is malware used by [APT28](https://attack.mitre.org/groups/G0007). It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)", "meta": { @@ -11452,7 +12304,8 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0059" + "https://attack.mitre.org/software/S0059", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "WinMM" @@ -12578,13 +13431,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -13067,13 +13913,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ @@ -13751,6 +14590,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0241", + "https://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/", "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" ], "synonyms": [ 
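Review bot: The Flashpoint reference in the new SQLRat entry carries a trailing space inside the string, `"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ "`, which defeats exact-match deduplication of refs across clusters and may be percent-encoded or rejected when the link is followed; it should read `"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/"`. The same whitespace problem appears in the HyperBro entry earlier in the file, whose synonym is `"HyperBro "` and whose description link text is `[HyperBro ](...)`, so a lookup on the synonym "HyperBro" will not match; that hunk starts before this excerpt. Both look inherited from the upstream ATT&CK data, so the durable fix is probably stripping whitespace from refs, synonyms and values at import time rather than a one-off edit here. SQLRat is also the only new entry in this excerpt without a `mitre_platforms` array; if the source lists no platform, an explicit empty array would keep the shape uniform for consumers that iterate it unconditionally.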
@@ -14477,10 +15317,13 @@ "https://attack.mitre.org/software/S0251", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", - "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", + "https://www.cyberscoop.com/apt28-brexit-phishing-accenture/", + "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" ], "synonyms": [ - "Zebrocy" + "Zebrocy", + "Zekapab" ] }, "related": [ @@ -14644,6 +15487,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", 
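Review bot: The added Accenture reference ends in a viewer fragment, `...Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50`; the fragment is not part of the resource and will defeat URL-based deduplication of refs, so drop `#zoom=50` and keep the bare PDF URL. The rest of the hunk (new synonym `"Zekapab"` and the six added `uses` relations in the second hunk) is consistent with the surrounding entries.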
@@ -15662,7 +16547,8 @@ "meta": { "external_id": "S0182", "mitre_platforms": [ - "Windows" + "Windows", + "Android" ], "refs": [ "https://attack.mitre.org/software/S0182", @@ -15838,6 +16724,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", @@ -16094,9 +17022,9 @@ ], "refs": [ "https://attack.mitre.org/software/S0143", + "https://securelist.com/the-flame-questions-and-answers-51/34344/", "https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache", - "https://www.crysys.hu/publications/files/skywiper.pdf", - "https://securelist.com/the-flame-questions-and-answers-51/34344/" + "https://www.crysys.hu/publications/files/skywiper.pdf" ], "synonyms": [ "Flame", 
@@ -16286,6 +17214,20 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c",
@@ -17204,6 +18146,96 @@ "uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "value": "OLDBAIT - S0138" }, + { + "description": "[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)", + "meta": { + "external_id": "S0381", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0381", + "https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware" + ], + "synonyms": [ + "FlawedAmmyy" + ] + }, + "related": [ + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", + "value": "FlawedAmmyy - S0381" + }, { "description": "[XLoader](https://attack.mitre.org/software/S0318) is a malicious Android app that was observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. (Citation: TrendMicro-XLoader)", "meta": { 
@@ -17252,6 +18284,124 @@ "uuid": "2740eaf6-2db2-4a40-a63f-f5b166c7059c", "value": "XLoader - S0318" }, + { + "description": "[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)", + "meta": { + "external_id": "S0391", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0391", + "https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" + ], + "synonyms": [ + "HAWKBALL" + ] + }, + "related": [ + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": 
[ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "12a7450d-b03e-4990-a5b8-b405ab9c803b", + "value": "HAWKBALL - S0391" + }, { "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", "meta": { 
@@ -19234,7 +20384,7 @@
 "value": "Gazer - S0168"
 },
 {
- "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a dynamic-link library (DLL) downloader utilized by [FIN8](https://attack.mitre.org/groups/G0061). (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)",
+ "description": "[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)",
 "meta": {
 "external_id": "S0196",
 "mitre_platforms": [
@@ -19242,11 +20392,13 @@
 ],
 "refs": [
 "https://attack.mitre.org/software/S0196",
+ "http://blog.morphisec.com/security-alert-fin8-is-back",
 "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
 "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html"
 ],
 "synonyms": [
- "PUNCHBUGGY"
+ "PUNCHBUGGY",
+ "ShellTea"
 ]
 },
 "related": [
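Review bot: The new Morphisec reference is the only plain-`http://` URL in this refs list, `"http://blog.morphisec.com/security-alert-fin8-is-back"`; the neighbouring refs and the rest of the file use `https://`, so prefer the HTTPS form if the site serves it. The rewritten description also runs two citations together without a separator, `(Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016)`, while the other citations in the same string are space-separated.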
@@ -19305,6 +20457,69 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", 
@@ -19741,7 +20956,7 @@
 "value": "ISMInjector - S0189"
 },
 {
- "description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s DROPSHOT malware (also known as Stonedrill). (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)",
+ "description": "[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)",
 "meta": {
 "external_id": "S0199",
 "mitre_platforms": [
@@ -20232,6 +21447,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "04227b24-7817-4de1-9050-b7b1b57f5866",
@@ -22175,6 +23397,117 @@ "uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", "value": "jRAT - S0283" }, + { + "description": "[ServHelper](https://attack.mitre.org/software/S0382) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)", + "meta": { + "external_id": "S0382", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0382", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + ], + "synonyms": [ + "ServHelper" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "aae22730-e571-4d17-b037-65f2a3e26213", + "value": "ServHelper - S0382" + }, { "description": "[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)", "meta": { 
@@ -26614,6 +27947,47 @@ "uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", "value": "BadPatch - S0337" }, + { + "description": "[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)", + "meta": { + "external_id": "S0383", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0383", + "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" + ], + "synonyms": [ + "FlawedGrace" + ] + }, + "related": [ + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", + "value": "FlawedGrace - S0383" + }, { "description": "[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "meta": { 
@@ -26747,6 +28121,68 @@ "uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", "value": "Micropsia - S0339" }, + { + "description": "[PowerStallion](https://attack.mitre.org/software/S0393) is a lightweight [PowerShell](https://attack.mitre.org/techniques/T1086) backdoor used by [Turla](https://attack.mitre.org/groups/G0010), possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019)", + "meta": { + "external_id": "S0393", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0393", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" + ], + "synonyms": [ + "PowerStallion" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", + "value": "PowerStallion - S0393" + }, { "description": "[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. 
[Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "meta": { @@ -26862,13 +28298,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ 
@@ -27417,6 +28846,160 @@ "uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", "value": "SpeakUp - S0374" }, + { + "description": "[Dridex](https://attack.mitre.org/software/S0384) is a banking Trojan that has been used for financial gain. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)", + "meta": { + "external_id": "S0384", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0384", + "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", + "https://securelist.com/dridex-a-history-of-evolution/78531/" + ], + "synonyms": [ + "Dridex", + "Bugat v5" + ] + }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", + "value": "Dridex - S0384" + }, + { + "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. 
It comes in the form of a statistically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)", + "meta": { + "external_id": "S0394", + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0394", + "https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" + ], + "synonyms": [ + "HiddenWasp" + ] + }, + "related": [ + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + 
], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "fc774af4-533b-4724-96d2-ac1026316794", + "value": "HiddenWasp - S0394" + }, { "description": "[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", "meta": { @@ -27463,13 +29046,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ 
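Review bot: The HiddenWasp description reads `statistically linked ELF binary with stdlibc++`, which should be `statically linked ELF binary with stdlibc++` — static linking is the property the Intezer write-up describes and the one an analyst triaging an unknown ELF would check for. The wording looks inherited from the upstream ATT&CK text; if this cluster is generated from the STIX bundle, as the S-number and `(Citation: …)` markers suggest, the correction belongs upstream or in the generator, otherwise the next regeneration reverts it.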
@@ -27690,6 +29266,346 @@ "uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "value": "Remexi - S0375" }, + { + "description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)", + "meta": { + "external_id": "S0385", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0385", + "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf", + "https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html", + "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" + ], + "synonyms": [ + "njRAT", + "Njw0rm", + "LV", + "Bladabindi" + ] + }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", + "value": "njRAT - S0385" + }, + { + "description": "[LightNeuron](https://attack.mitre.org/software/S0395) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://attack.mitre.org/software/S0395) has been used by [Turla](https://attack.mitre.org/groups/G0010) to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://attack.mitre.org/software/S0395) exists.(Citation: ESET LightNeuron May 2019)", + "meta": { + "external_id": "S0395", + "mitre_platforms": [ + "Windows", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0395", + "https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" + ], + "synonyms": [ + "LightNeuron" + ] + }, + "related": [ + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + 
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", + "value": "LightNeuron - S0395" + }, { "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", "meta": { @@ -28054,6 +29970,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", 
@@ -28320,6 +30243,110 @@ "uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", "value": "NotPetya - S0368" }, + { + "description": "[EvilBunny](https://attack.mitre.org/software/S0396) is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)", + "meta": { + "external_id": "S0396", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0396", + "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" + ], + "synonyms": [ + "EvilBunny" + ] + }, + "related": [ + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + 
"tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "a8a778f5-0035-4870-bb25-53dc05029586", + "value": "EvilBunny - S0396" + }, { "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)", "meta": { 
@@ -28493,7 +30520,435 @@ ], "uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "value": "Ebury - S0377" + }, + { + "description": "[KeyBoy](https://attack.mitre.org/software/S0387) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)", + "meta": { + "external_id": "S0387", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0387", + "https://citizenlab.ca/2016/11/parliament-keyboy/", + "https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html", + "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" + ], + "synonyms": [ + "KeyBoy" + ] + }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": 
"f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", + "value": "KeyBoy - S0387" + }, + { + "description": "[LoJax](https://attack.mitre.org/software/S0397) is a UEFI rootkit used by [APT28](https://attack.mitre.org/groups/G0007) to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)", + "meta": { + "external_id": "S0397", + "mitre_platforms": 
[ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0397", + "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + ], + "synonyms": [ + "LoJax" + ] + }, + "related": [ + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b865dded-0553-4962-a44b-6fe7863effed", + "value": "LoJax - S0397" + }, + { + "description": "Yahoyah is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)", + "meta": { + "external_id": "S0388", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0388", + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" + ], + "synonyms": [ + "Yahoyah" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": 
[ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3", + "value": "Yahoyah - S0388" + }, + { + "description": "[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)", + "meta": { + "external_id": "S0389", + "refs": [ + "https://attack.mitre.org/software/S0389", + "https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" + ], + "synonyms": [ + "JCry" + ] + }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { 
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "aaf3fa65-8b27-4e68-91de-2b7738fe4c82", + "value": "JCry - S0389" + }, + { + "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", + "meta": { + "external_id": "S0399", + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/software/S0399", + "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" + ], + "synonyms": [ + "Pallas" + ] + }, + "related": [ + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + 
"estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878", + "value": "Pallas - S0399" } ], - "version": 14 + "version": 16 } diff --git a/clusters/mitre-mobile-attack-attack-pattern.json b/clusters/mitre-mobile-attack-attack-pattern.json index c0a9a6f..e7eef0e 100644 --- a/clusters/mitre-mobile-attack-attack-pattern.json +++ b/clusters/mitre-mobile-attack-attack-pattern.json @@ -1670,5 +1670,5 @@ "value": "Malicious Software Development Tools - MOB-T1065" } ], - "version": 5 + "version": 6 } diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json index 81b31ae..2834728 100644 --- a/clusters/mitre-mobile-attack-course-of-action.json +++ b/clusters/mitre-mobile-attack-course-of-action.json @@ -274,6 +274,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", 
@@ -304,5 +311,5 @@
 "value": "Encrypt Network Traffic - MOB-M1009"
 }
 ],
- "version": 6
+ "version": 7
 }
diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json
index 8697db8..6ccc268 100644
--- a/clusters/mitre-mobile-attack-malware.json
+++ b/clusters/mitre-mobile-attack-malware.json
@@ -1117,5 +1117,5 @@
 "value": "XcodeGhost - MOB-S0013"
 }
 ],
- "version": 8
+ "version": 9
 }
diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json
index 66fd09b..a61508d 100644
--- a/clusters/mitre-pre-attack-attack-pattern.json
+++ b/clusters/mitre-pre-attack-attack-pattern.json
@@ -2785,5 +2785,5 @@
 "value": "Data Hiding - PRE-T1097"
 }
 ],
- "version": 6
+ "version": 7
 }
diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json
index 7c69222..b6893a4 100644
--- a/clusters/mitre-pre-attack-intrusion-set.json
+++ b/clusters/mitre-pre-attack-intrusion-set.json
@@ -222,6 +222,13 @@
 "estimative-language:likelihood-probability=\"almost-certain\""
 ],
 "type": "uses"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
@@ -369,5 +376,5 @@
 "value": "APT17 - G0025"
 }
 ],
- "version": 8
+ "version": 9
 }
diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json
index c64f5e9..9775174 100644
--- a/clusters/mitre-tool.json
+++ b/clusters/mitre-tool.json
@@ -2493,8 +2493,8 @@ "refs": [ "https://attack.mitre.org/software/S0262", "https://github.com/quasar/QuasarRAT", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", - "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" ], "synonyms": [ "QuasarRAT", @@ -3724,5 +3724,5 @@ "value": "Nltest - S0359" } ], - "version": 13 + "version": 15 } From 984be503964c316c0ef634d6f55602b59f2a5fab Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Fri, 2 Aug 2019 15:40:31 +0200 Subject: [PATCH 56/92] lowercased value field for DarkHotel --- clusters/threat-actor.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5364b56..8f13979 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -414,7 +414,7 @@ } ], "uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d", - "value": "DarkHotel" + "value": "darkhotel" }, { "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", @@ -7639,5 +7639,5 @@ "value": "TA428" } ], - "version": 125 + "version": 126 } From 7913adad619df76d732281a2e895f1f8bb3ae787 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 2 Aug 2019 16:08:40 +0200 Subject: [PATCH 57/92] chg: [threat-actor] rollback as discussed by chat with Andras until version 2.0 --- clusters/threat-actor.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8f13979..5364b56 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -414,7 +414,7 @@ } ], "uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d", - "value": "darkhotel" + "value": "DarkHotel" }, { "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", @@ -7639,5 +7639,5 @@ "value": "TA428" } ], - "version": 126 + "version": 125 } From 21318cdf3dc8a42e050d5d73ec9672e120e5e3f8 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 2 Aug 2019 16:28:32 +0200 Subject: [PATCH 58/92] fix building mistakes --- clusters/target-information.json | 790 ++++++++++++------------------- 1 file changed, 302 insertions(+), 488 deletions(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index 5c7f30b..3431c8c 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -40,7 +40,6 @@ "top-level-domain": "lu", "type": "country" }, - "top-level-domain": ".lu", "uuid": "f9a1d7f4-980a-11e9-a8b6-23162ddc4255", "value": "Luxembourg" }, @@ -49,13 +48,29 @@ "calling-code": [ "+93" ], + "capital": "Kabul", + "currency": [ + "AFN", + "Afs", + "Afghani" + ], "iso-code": [ "AF", "AFG" ], + "official-languages": [ + "Dari", + "Pashto" + ], + "synomyms": [ + "افغانستان", + "Afġānistān", + "Afġānestān", + "Islamic Republic of Afghanistan" + ], + "top-level-domain": ".af", "type": "country" }, - "top-level-domain": ".af", "uuid": "2d0b4ddc-4b46-4e75-8c8b-02f4f7446507", "value": "Afghanistan" }, @@ -64,13 +79,30 @@ "calling-code": [ "+355" ], + "capital": "Tirana", + "currency": [ + "Lek", + "ALL" + ], "iso-code": [ "AL", "ALB" ], + "official-languages": [ + "Albanian" + ], + "synomyms": [ + "Shqipëri", + "Shqipëria", + "Shqipni", + "Shqipnia", + "Shqypni", + "Shqypnia", + "Republic of Albania" + ], + "top-level-domain": ".al", "type": "country" }, - "top-level-domain": ".al", "uuid": "bc4c6bf6-c5f1-4927-b928-e9e2434e9ec4", "value": "Albania" }, 
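Review bot: After the Luxembourg hunk the entry's meta still carries `"top-level-domain": "lu"` without the leading dot, while every other entry this commit touches writes the value as `".af"`, `".al"`, `".dz"` and so on; the line being removed is the one that had the dotted form, just at the wrong nesting level. Change the kept line to `"top-level-domain": ".lu",` so that anything matching on the TLD string does not miss Luxembourg. The enclosing Luxembourg entry begins before the hunk.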
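Review bot: The new key `"synomyms"` in the Afghanistan hunk is misspelled; the key used everywhere else in these galaxies is `"synonyms"` (see `"synonyms": [ "JCry" ]` in the mitre-malware hunk earlier in this series), so any consumer or schema check that looks for the standard key will silently ignore these aliases. Rename it to `"synonyms": [`. The same misspelling is repeated in the Albania hunk on this line and in the Algeria and American Samoa hunks that follow, which suggests it comes from the generator rather than a one-off edit.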
@@ -79,13 +111,29 @@ "calling-code": [ "+213" ], + "capital": "Algiers", + "currency": [ + "Dinar", + "DZD" + ], "iso-code": [ "DZ", "DZA" ], + "official-languages": [ + "Arabic", + "Berbe[" + ], + "synomyms": [ + "الجزائر‎", + "al-Jazāʾir", + "الدزاير‎", + "al-dzāyīr", + "People's Democratic Republic of Algeria" + ], + "top-level-domain": ".dz", "type": "country" }, - "top-level-domain": ".dz", "uuid": "13612aed-8efb-444f-8e29-5b93bd821d0e", "value": "Algeria" }, @@ -94,11 +142,25 @@ "calling-code": [ "+1-684" ], + "capital": "Pago Pago", + "currency": [ + "United States dollar", + "USD" + ], "iso-code": [ "AS", "ASM" ], - "type": "country" + "official-languages": [ + "English", + "Samoan" + ], + "synomyms": [ + "Amerika Sāmoa", + "Amelika Sāmoa", + "Sāmoa Amelika" + ], + "type": "unincorporated territory" }, "uuid": "9856b948-5662-4ce3-beef-9a777e758e5c", "value": "American Samoa" @@ -112,9 +174,8 @@ "AD", "AND" ], - "type": "country" + "top-level-domain": ".ad" }, - "top-level-domain": ".ad", "uuid": "5f8aeaac-8654-4b12-99c6-d3bf5ba43c7a", "value": "Andorra" }, @@ -127,9 +188,8 @@ "AO", "AGO" ], - "type": "country" + "top-level-domain": ".ao" }, - "top-level-domain": ".ao", "uuid": "ec22a747-be01-4bf8-bb3b-4dac8ec033dc", "value": "Angola" }, @@ -142,9 +202,8 @@ "AI", "AIA" ], - "type": "country" + "top-level-domain": ".ai" }, - "top-level-domain": ".ai", "uuid": "eaeca984-4c51-4bff-8389-4b66c8fddb1c", "value": "Anguilla" }, @@ -157,9 +216,8 @@ "AQ", "ATA" ], - "type": "country" + "top-level-domain": ".aq" }, - "top-level-domain": ".aq", "uuid": "09dbf944-5c73-4ff7-8b1b-b43b42282acb", "value": "Antarctica" }, @@ -172,9 +230,8 @@ "AG", "ATG" ], - "type": "country" + "top-level-domain": ".ag" }, - "top-level-domain": ".ag", "uuid": "b0d7f6d5-8f5e-4bd8-98d7-92fcc4c195b9", "value": "Antigua and Barbuda" }, 
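Review bot: `"Berbe["` in the Algeria hunk's official-languages list is a garbled value, presumably `"Berber"`, and will be exported verbatim as a language name; change it to `"Berber"`. The Arabic synonyms on the same hunk also appear to end with an invisible directional-formatting character (U+200E) carried over from the source text; strip it, since it is invisible in review yet defeats exact-match lookups on the synonym. Worth confirming against the source page that no other entries carry the same mark.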
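Review bot: The American Samoa hunk sets `"type": "unincorporated territory"`, the only non-`country` type anywhere in this diff, while Guam — in the same situation — simply has its `"type": "country"` removed in a later hunk on this page; pick one representation for territories and apply it to both. Unlike its neighbours this entry also gains no `"top-level-domain"`, which may be intentional but is worth confirming against the source data.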
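Review bot: From the Andorra hunk onward the commit replaces `"type": "country"` with `"top-level-domain"` instead of adding the TLD next to it, so these entries lose their `type` while Afghanistan, Albania and Algeria keep theirs, leaving the file with two different shapes for the same kind of entry. For entries that receive no TLD at all (Aruba, China, Cocos Islands, Curacao and others further down the page) the meta block is reduced to calling-code and iso-code. Keep both keys, i.e. `"top-level-domain": ".ad",` followed by `"type": "country"`, and apply the same fix to the remaining hunks, which repeat this pattern through the end of the chunk. If a script produced this change the defect is most likely in the script's replace-vs-insert logic rather than in the data.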
@@ -187,9 +244,8 @@ "AR", "ARG" ], - "type": "country" + "top-level-domain": ".ar" }, - "top-level-domain": ".ar", "uuid": "f21ecd23-c3c8-4308-8363-c1260a57e695", "value": "Argentina" }, @@ -202,9 +258,8 @@ "AM", "ARM" ], - "type": "country" + "top-level-domain": ".am" }, - "top-level-domain": ".am", "uuid": "e1a61736-a7d4-4c31-aeda-bd49beabdb40", "value": "Armenia" }, @@ -216,8 +271,7 @@ "iso-code": [ "AW", "ABW" - ], - "type": "country" + ] }, "uuid": "d9684c43-0ced-48eb-86e6-d2802ff31cde", "value": "Aruba" @@ -231,9 +285,8 @@ "AU", "AUS" ], - "type": "country" + "top-level-domain": ".au" }, - "top-level-domain": ".au", "uuid": "ca250c03-aead-41e3-a077-085d66211186", "value": "Australia" }, @@ -246,9 +299,8 @@ "AT", "AUT" ], - "type": "country" + "top-level-domain": ".at" }, - "top-level-domain": ".at", "uuid": "e88f7003-09e9-4275-b176-d4246e59a0d5", "value": "Austria" }, @@ -261,9 +313,8 @@ "AZ", "AZE" ], - "type": "country" + "top-level-domain": ".az" }, - "top-level-domain": ".az", "uuid": "4dac6eec-948d-4df5-946b-21ac0aaf5471", "value": "Azerbaijan" }, @@ -276,9 +327,8 @@ "BS", "BHS" ], - "type": "country" + "top-level-domain": ".bs" }, - "top-level-domain": ".bs", "uuid": "5029a486-9c17-454a-bbcd-6e9b774705f9", "value": "Bahamas" }, @@ -291,9 +341,8 @@ "BH", "BHR" ], - "type": "country" + "top-level-domain": ".bh" }, - "top-level-domain": ".bh", "uuid": "819805c9-8f06-4f0c-af79-926960b4c23f", "value": "Bahrain" }, @@ -306,9 +355,8 @@ "BD", "BGD" ], - "type": "country" + "top-level-domain": ".bd" }, - "top-level-domain": ".bd", "uuid": "cb78009e-1355-4afa-a655-0cf03d7fd947", "value": "Bangladesh" }, @@ -321,9 +369,8 @@ "BB", "BRB" ], - "type": "country" + "top-level-domain": ".bb" }, - "top-level-domain": ".bb", "uuid": "062daa09-7c4a-4dec-ba9d-625d96871708", "value": "Barbados" }, 
@@ -336,9 +383,8 @@ "BY", "BLR" ], - "type": "country" + "top-level-domain": ".by" }, - "top-level-domain": ".by", "uuid": "9e5e118a-ebe8-464a-bd38-350af4d645c4", "value": "Belarus" }, @@ -351,9 +397,8 @@ "BE", "BEL" ], - "type": "country" + "top-level-domain": ".be" }, - "top-level-domain": ".be", "uuid": "30f35478-7961-464f-bd3c-732a8f5e1fe5", "value": "Belgium" }, @@ -366,9 +411,8 @@ "BZ", "BLZ" ], - "type": "country" + "top-level-domain": ".bz" }, - "top-level-domain": ".bz", "uuid": "4b7f2038-cc17-4bb1-bc28-dacc9772e6fc", "value": "Belize" }, @@ -381,9 +425,8 @@ "BJ", "BEN" ], - "type": "country" + "top-level-domain": ".bj" }, - "top-level-domain": ".bj", "uuid": "5c68d3ce-0beb-4b9a-a81d-e5d64f14b9a1", "value": "Benin" }, @@ -396,9 +439,8 @@ "BM", "BMU" ], - "type": "country" + "top-level-domain": ".bm" }, - "top-level-domain": ".bm", "uuid": "67e9dd29-9da1-4585-b0e6-303defa1e751", "value": "Bermuda" }, @@ -411,9 +453,8 @@ "BT", "BTN" ], - "type": "country" + "top-level-domain": ".bt" }, - "top-level-domain": ".bt", "uuid": "7a431a2e-623b-4fb0-8316-a5d42266070d", "value": "Bhutan" }, @@ -426,9 +467,8 @@ "BO", "BOL" ], - "type": "country" + "top-level-domain": ".bo" }, - "top-level-domain": ".bo", "uuid": "06c20eb8-bec1-4f56-a5af-91f5fb826e4d", "value": "Bolivia" }, @@ -441,9 +481,8 @@ "BA", "BIH" ], - "type": "country" + "top-level-domain": ".ba" }, - "top-level-domain": ".ba", "uuid": "eccea7a8-d7f5-4b33-b948-ac8595e92500", "value": "Bosnia and Herzegovina" }, @@ -456,9 +495,8 @@ "BW", "BWA" ], - "type": "country" + "top-level-domain": ".bw" }, - "top-level-domain": ".bw", "uuid": "b29dca55-6930-494e-ae8e-fe89e5317529", "value": "Botswana" }, @@ -471,9 +509,8 @@ "BR", "BRA" ], - "type": "country" + "top-level-domain": ".br" }, - "top-level-domain": ".br", "uuid": "75fe4c94-f864-41dc-8dd2-758e2e2d4deb", "value": "Brazil" }, 
@@ -486,9 +523,8 @@ "IO", "IOT" ], - "type": "country" + "top-level-domain": ".io" }, - "top-level-domain": ".io", "uuid": "f974dd18-3a6b-4910-af8f-1d6256369b05", "value": "British Indian Ocean Territory" }, @@ -501,9 +537,8 @@ "VG", "VGB" ], - "type": "country" + "top-level-domain": ".vg" }, - "top-level-domain": ".vg", "uuid": "9feffe01-624f-46fd-9e55-baec2098db69", "value": "British Virgin Islands" }, @@ -516,9 +551,8 @@ "BN", "BRN" ], - "type": "country" + "top-level-domain": ".bn" }, - "top-level-domain": ".bn", "uuid": "a039c8f7-1a7a-46e6-b16b-a9648a280f77", "value": "Brunei" }, @@ -531,9 +565,8 @@ "BG", "BGR" ], - "type": "country" + "top-level-domain": ".bg" }, - "top-level-domain": ".bg", "uuid": "61766ec7-b1aa-4d92-afaa-883842d4f6ac", "value": "Bulgaria" }, @@ -546,9 +579,8 @@ "BF", "BFA" ], - "type": "country" + "top-level-domain": ".bf" }, - "top-level-domain": ".bf", "uuid": "dfb27e34-f6dc-4db3-b3fa-313a8125ddf2", "value": "Burkina Faso" }, @@ -561,9 +593,8 @@ "BI", "BDI" ], - "type": "country" + "top-level-domain": ".bi" }, - "top-level-domain": ".bi", "uuid": "f545307d-db22-49d3-858f-8d03db4428da", "value": "Burundi" }, @@ -576,9 +607,8 @@ "KH", "KHM" ], - "type": "country" + "top-level-domain": ".kh" }, - "top-level-domain": ".kh", "uuid": "03757eb3-f75a-48e1-a4ef-18a62c7d1838", "value": "Cambodia" }, @@ -591,9 +621,8 @@ "CM", "CMR" ], - "type": "country" + "top-level-domain": ".cm" }, - "top-level-domain": ".cm", "uuid": "68e9ed03-4954-4a2a-8971-1224fa3ab760", "value": "Cameroon" }, @@ -606,9 +635,8 @@ "CA", "CAN" ], - "type": "country" + "top-level-domain": ".ca" }, - "top-level-domain": ".ca", "uuid": "d0e51f88-2a01-4a9d-b080-464bb6f5172f", "value": "Canada" }, @@ -621,9 +649,8 @@ "CV", "CPV" ], - "type": "country" + "top-level-domain": ".cv" }, - "top-level-domain": ".cv", "uuid": "457e880a-0d5a-4729-b7b1-fcfeccf61f07", "value": "Cape Verde" }, 
@@ -636,9 +663,8 @@ "KY", "CYM" ], - "type": "country" + "top-level-domain": ".ky" }, - "top-level-domain": ".ky", "uuid": "036ac306-bedd-44a6-807a-69314d59dfef", "value": "Cayman Islands" }, @@ -651,9 +677,8 @@ "CF", "CAF" ], - "type": "country" + "top-level-domain": ".cf" }, - "top-level-domain": ".cf", "uuid": "4abded58-faa1-4a2b-ae16-01a12409df7c", "value": "Central African Republic" }, @@ -666,9 +691,8 @@ "TD", "TCD" ], - "type": "country" + "top-level-domain": ".td" }, - "top-level-domain": ".td", "uuid": "da6f9a8b-91f0-400f-ad1b-47b49fe48412", "value": "Chad" }, @@ -681,9 +705,8 @@ "CL", "CHL" ], - "type": "country" + "top-level-domain": ".cl" }, - "top-level-domain": ".cl", "uuid": "bb81858f-5803-4f3b-9aac-92869b750f9e", "value": "Chile" }, @@ -695,8 +718,7 @@ "iso-code": [ "CN", "CHN" - ], - "type": "country" + ] }, "uuid": "53d3d205-db31-4ec9-86aa-c2bf11fd18e6", "value": "China" @@ -710,9 +732,8 @@ "CX", "CXR" ], - "type": "country" + "top-level-domain": ".cx" }, - "top-level-domain": ".cx", "uuid": "0ccf619a-927a-4963-9ec3-34598e898d46", "value": "Christmas Island" }, @@ -724,8 +745,7 @@ "iso-code": [ "CC", "CCK" - ], - "type": "country" + ] }, "uuid": "a5752a1e-1306-4a6c-8ed4-c9d0f627d397", "value": "Cocos Islands" @@ -739,9 +759,8 @@ "CO", "COL" ], - "type": "country" + "top-level-domain": ".co" }, - "top-level-domain": ".co", "uuid": "25f47423-5005-4caa-b4b0-6b9ada986611", "value": "Colombia" }, @@ -754,9 +773,8 @@ "KM", "COM" ], - "type": "country" + "top-level-domain": ".km" }, - "top-level-domain": ".km", "uuid": "3a9ec602-9f36-4943-baee-f873ee3c3691", "value": "Comoros" }, @@ -769,9 +787,8 @@ "CK", "COK" ], - "type": "country" + "top-level-domain": ".ck" }, - "top-level-domain": ".ck", "uuid": "704756d4-9e33-48c3-8d25-037b00e94888", "value": "Cook Islands" }, @@ -784,9 +801,8 @@ "CR", "CRI" ], - "type": "country" + "top-level-domain": ".cr" }, - "top-level-domain": ".cr", "uuid": "a568be65-88ff-4290-9562-9a5227eb346a", "value": "Costa Rica" }, 
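Review bot: The China hunk removes `"type": "country"` and adds nothing in its place, so the entry is left with only `calling-code` and `iso-code` in meta while Hong Kong and Macau on the same page do get a TLD and keep a richer shape. Restore `"type": "country"` here, and check against the source whether a `"top-level-domain"` (presumably `".cn"`) was dropped by the same generation step. The Cocos Islands and Curacao hunks on this page have the same problem.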
@@ -799,9 +815,8 @@ "HR", "HRV" ], - "type": "country" + "top-level-domain": ".hr" }, - "top-level-domain": ".hr", "uuid": "c753504c-9fe3-41f3-a423-86f64eff2af4", "value": "Croatia" }, @@ -814,9 +829,8 @@ "CU", "CUB" ], - "type": "country" + "top-level-domain": ".cu" }, - "top-level-domain": ".cu", "uuid": "7abd8189-65d8-4682-8091-7350d8e8ea9f", "value": "Cuba" }, @@ -828,8 +842,7 @@ "iso-code": [ "CW", "CUW" - ], - "type": "country" + ] }, "uuid": "2f8fc176-c26d-48a9-a441-2f0e7b04e74b", "value": "Curacao" @@ -843,9 +856,8 @@ "CY", "CYP" ], - "type": "country" + "top-level-domain": ".cy" }, - "top-level-domain": ".cy", "uuid": "95e86a29-0ee0-4ac5-8ec0-57036298c141", "value": "Cyprus" }, @@ -858,9 +870,8 @@ "CZ", "CZE" ], - "type": "country" + "top-level-domain": ".cz" }, - "top-level-domain": ".cz", "uuid": "ef6651eb-1168-422c-9853-5200c737b332", "value": "Czech Republic" }, @@ -873,9 +884,8 @@ "CD", "COD" ], - "type": "country" + "top-level-domain": ".cd" }, - "top-level-domain": ".cd", "uuid": "5a266a76-fc45-4457-8838-3e490bd26dc1", "value": "Democratic Republic of the Congo" }, @@ -888,9 +898,8 @@ "DK", "DNK" ], - "type": "country" + "top-level-domain": ".dk" }, - "top-level-domain": ".dk", "uuid": "2890ae27-cc54-42df-8c0c-47285145bd49", "value": "Denmark" }, @@ -903,9 +912,8 @@ "DJ", "DJI" ], - "type": "country" + "top-level-domain": ".dj" }, - "top-level-domain": ".dj", "uuid": "543afec2-19b2-4769-aacb-dd69a380c2cc", "value": "Djibouti" }, @@ -918,9 +926,8 @@ "DM", "DMA" ], - "type": "country" + "top-level-domain": ".dm" }, - "top-level-domain": ".dm", "uuid": "151ff291-da46-41aa-b8c2-62faecefbe4a", "value": "Dominica" }, @@ -935,9 +942,8 @@ "DO", "DOM" ], - "type": "country" + "top-level-domain": ".do" }, - "top-level-domain": ".do", "uuid": "a621624f-5c1a-403d-b5dd-89da7af7555f", "value": "Dominican Republic" }, 
@@ -950,9 +956,8 @@ "TL", "TLS" ], - "type": "country" + "top-level-domain": ".tl" }, - "top-level-domain": ".tl", "uuid": "b5371e8a-00bb-4653-abe3-2e9b92454b15", "value": "East Timor" }, @@ -965,9 +970,8 @@ "EC", "ECU" ], - "type": "country" + "top-level-domain": ".ec" }, - "top-level-domain": ".ec", "uuid": "9e4f2bc9-9ef5-4369-a275-b3df56e5a35e", "value": "Ecuador" }, @@ -980,9 +984,8 @@ "EG", "EGY" ], - "type": "country" + "top-level-domain": ".eg" }, - "top-level-domain": ".eg", "uuid": "7fbebdc8-5a13-430e-9248-58d2b1a9af0f", "value": "Egypt" }, @@ -995,9 +998,8 @@ "SV", "SLV" ], - "type": "country" + "top-level-domain": ".sv" }, - "top-level-domain": ".sv", "uuid": "1822e12a-1f4b-4675-8e2a-a6d123b3ea24", "value": "El Salvador" }, @@ -1010,9 +1012,8 @@ "GQ", "GNQ" ], - "type": "country" + "top-level-domain": ".gq" }, - "top-level-domain": ".gq", "uuid": "5c3d7a8e-9cd6-4d3d-ab6b-3cb8acaa208f", "value": "Equatorial Guinea" }, @@ -1024,8 +1025,7 @@ "iso-code": [ "ER", "ERI" - ], - "type": "country" + ] }, "uuid": "aea99d00-9675-4289-9f3b-acb1ddf13f49", "value": "Eritrea" @@ -1039,9 +1039,8 @@ "EE", "EST" ], - "type": "country" + "top-level-domain": ".ee" }, - "top-level-domain": ".ee", "uuid": "c8ea4824-7ed2-473a-906d-745bd73a2612", "value": "Estonia" }, @@ -1054,9 +1053,8 @@ "ET", "ETH" ], - "type": "country" + "top-level-domain": ".et" }, - "top-level-domain": ".et", "uuid": "b25e700a-6b79-4c86-90ff-304032b182db", "value": "Ethiopia" }, @@ -1069,9 +1067,8 @@ "FK", "FLK" ], - "type": "country" + "top-level-domain": ".fk" }, - "top-level-domain": ".fk", "uuid": "8041a1dc-e9a6-460e-8dd8-d37e45b787dd", "value": "Falkland Islands" }, @@ -1083,8 +1080,7 @@ "iso-code": [ "FO", "FRO" - ], - "type": "country" + ] }, "uuid": "3aa1d642-9b8d-4dcd-bd4a-5368602555a4", "value": "Faroe Islands" @@ -1098,9 +1094,8 @@ "FJ", "FJI" ], - "type": "country" + "top-level-domain": ".fj" }, - "top-level-domain": ".fj", "uuid": "218bcbfe-46cb-4fd0-852c-3a7fc64a2908", "value": "Fiji" }, 
@@ -1113,9 +1108,8 @@ "FI", "FIN" ], - "type": "country" + "top-level-domain": ".fi" }, - "top-level-domain": ".fi", "uuid": "bde60aea-b748-4bd9-8d6d-f0174af0b36e", "value": "Finland" }, @@ -1128,9 +1122,8 @@ "FR", "FRA" ], - "type": "country" + "top-level-domain": ".fr" }, - "top-level-domain": ".fr", "uuid": "0cc6ad08-fac6-42bc-a7c7-09a53ea6b968", "value": "France" }, @@ -1142,8 +1135,7 @@ "iso-code": [ "PF", "PYF" - ], - "type": "country" + ] }, "uuid": "df751036-8c01-41ce-ab02-139119ce9213", "value": "French Polynesia" @@ -1157,9 +1149,8 @@ "GA", "GAB" ], - "type": "country" + "top-level-domain": ".ga" }, - "top-level-domain": ".ga", "uuid": "8e70d742-c708-4a9e-8ab1-6a8a90306ccf", "value": "Gabon" }, @@ -1171,8 +1162,7 @@ "iso-code": [ "GM", "GMB" - ], - "type": "country" + ] }, "uuid": "2ded2689-16c3-4476-a2d8-04c4bc51ae4a", "value": "Gambia" @@ -1186,9 +1176,8 @@ "GE", "GEO" ], - "type": "country" + "top-level-domain": ".ge" }, - "top-level-domain": ".ge", "uuid": "76c2f2fe-ce68-4008-aa30-1ac8de38d617", "value": "Georgia" }, @@ -1201,9 +1190,8 @@ "DE", "DEU" ], - "type": "country" + "top-level-domain": ".de" }, - "top-level-domain": ".de", "uuid": "4121d334-39d0-49c4-8a0e-0442c6bdcbc4", "value": "Germany" }, @@ -1216,9 +1204,8 @@ "GH", "GHA" ], - "type": "country" + "top-level-domain": ".gh" }, - "top-level-domain": ".gh", "uuid": "6f7a0f04-8299-4a2d-95d0-a8305a1ae23e", "value": "Ghana" }, @@ -1230,8 +1217,7 @@ "iso-code": [ "GI", "GIB" - ], - "type": "country" + ] }, "uuid": "078a914d-7ef3-413b-8a62-2473b8db1c12", "value": "Gibraltar" @@ -1245,9 +1231,8 @@ "GR", "GRC" ], - "type": "country" + "top-level-domain": ".gr" }, - "top-level-domain": ".gr", "uuid": "505730f7-2637-4efb-845d-f1af7cdca109", "value": "Greece" }, @@ -1259,8 +1244,7 @@ "iso-code": [ "GL", "GRL" - ], - "type": "country" + ] }, "uuid": "20f2c544-093d-4964-84ae-7d5fd54ad6d0", "value": "Greenland" 
@@ -1274,9 +1258,8 @@ "GD", "GRD" ], - "type": "country" + "top-level-domain": ".gd" }, - "top-level-domain": ".gd", "uuid": "1aea4486-eef7-496b-9a69-a2d2bdbe7b77", "value": "Grenada" }, @@ -1288,8 +1271,7 @@ "iso-code": [ "GU", "GUM" - ], - "type": "country" + ] }, "uuid": "4dc24d07-79ee-43b7-98a0-53bc79a29708", "value": "Guam" @@ -1303,9 +1285,8 @@ "GT", "GTM" ], - "type": "country" + "top-level-domain": ".gt" }, - "top-level-domain": ".gt", "uuid": "3e3e89d2-07f3-4ddc-addf-2d5cb05bedd1", "value": "Guatemala" }, @@ -1317,8 +1298,7 @@ "iso-code": [ "GG", "GGY" - ], - "type": "country" + ] }, "uuid": "dd42b40e-2740-46f5-9bb1-6d0799a081c7", "value": "Guernsey" @@ -1332,9 +1312,8 @@ "GN", "GIN" ], - "type": "country" + "top-level-domain": ".gn" }, - "top-level-domain": ".gn", "uuid": "f227edf8-e538-45b8-8a70-1a05ea5a605b", "value": "Guinea" }, @@ -1347,9 +1326,8 @@ "GW", "GNB" ], - "type": "country" + "top-level-domain": ".gw" }, - "top-level-domain": ".gw", "uuid": "3b5824bc-936e-4403-bdc9-4dd9a7db36e3", "value": "Guinea-Bissau" }, @@ -1362,9 +1340,8 @@ "GY", "GUY" ], - "type": "country" + "top-level-domain": ".gy" }, - "top-level-domain": ".gy", "uuid": "cb9fbca4-6cc6-4f83-9ebc-4e975cddea69", "value": "Guyana" }, @@ -1377,9 +1354,8 @@ "HT", "HTI" ], - "type": "country" + "top-level-domain": ".ht" }, - "top-level-domain": ".ht", "uuid": "595dd000-64ac-43b5-be17-0f52eff47459", "value": "Haiti" }, @@ -1392,9 +1368,8 @@ "HN", "HND" ], - "type": "country" + "top-level-domain": ".hn" }, - "top-level-domain": ".hn", "uuid": "74a66006-ce2b-4280-abd1-e6f14ff9b926", "value": "Honduras" }, @@ -1407,9 +1382,8 @@ "HK", "HKG" ], - "type": "country" + "top-level-domain": ".hk" }, - "top-level-domain": ".hk", "uuid": "51c8ffc5-5453-4bf8-b100-74186d9a0de0", "value": "Hong Kong" }, @@ -1422,9 +1396,8 @@ "HU", "HUN" ], - "type": "country" + "top-level-domain": ".hu" }, - "top-level-domain": ".hu", "uuid": "adc52cee-5668-498d-8111-db1c38a584c5", "value": "Hungary" }, 
@@ -1437,9 +1410,8 @@ "IS", "ISL" ], - "type": "country" + "top-level-domain": ".is" }, - "top-level-domain": ".is", "uuid": "5bcfbed4-d9af-40ab-bcbd-013cad252570", "value": "Iceland" }, @@ -1452,9 +1424,8 @@ "IN", "IND" ], - "type": "country" + "top-level-domain": ".in" }, - "top-level-domain": ".in", "uuid": "283a7b58-9fa6-48c8-95bc-9ece77b5b2ea", "value": "India" }, @@ -1467,9 +1438,8 @@ "ID", "IDN" ], - "type": "country" + "top-level-domain": ".id" }, - "top-level-domain": ".id", "uuid": "417b5c63-a388-45d1-b104-cede98b13fe0", "value": "Indonesia" }, @@ -1482,9 +1452,8 @@ "IR", "IRN" ], - "type": "country" + "top-level-domain": ".ir" }, - "top-level-domain": ".ir", "uuid": "12b32332-ead1-4f69-be61-69ab1ed27d01", "value": "Iran" }, @@ -1497,9 +1466,8 @@ "IQ", "IRQ" ], - "type": "country" + "top-level-domain": ".iq" }, - "top-level-domain": ".iq", "uuid": "625f37bd-fe48-4791-ac1e-be8d069643a1", "value": "Iraq" }, @@ -1512,9 +1480,8 @@ "IE", "IRL" ], - "type": "country" + "top-level-domain": ".ie" }, - "top-level-domain": ".ie", "uuid": "b1243ef1-78f4-4e10-841d-bc61361f21f8", "value": "Ireland" }, @@ -1526,8 +1493,7 @@ "iso-code": [ "IM", "IMN" - ], - "type": "country" + ] }, "uuid": "57855966-b290-47e2-b098-1d903f4163b8", "value": "Isle of Man" @@ -1541,9 +1507,8 @@ "IL", "ISR" ], - "type": "country" + "top-level-domain": ".il" }, - "top-level-domain": ".il", "uuid": "3273414a-8331-44cc-b3f6-890bf2363607", "value": "Israel" }, @@ -1556,9 +1521,8 @@ "IT", "ITA" ], - "type": "country" + "top-level-domain": ".it" }, - "top-level-domain": ".it", "uuid": "1bcc0b11-d906-40ea-910c-a1124c4d82bd", "value": "Italy" }, @@ -1571,9 +1535,8 @@ "CI", "CIV" ], - "type": "country" + "top-level-domain": ".ci" }, - "top-level-domain": ".ci", "uuid": "c1aac71f-b060-4816-9369-451df1550883", "value": "Ivory Coast" }, 
@@ -1586,9 +1549,8 @@ "JM", "JAM" ], - "type": "country" + "top-level-domain": ".jm" }, - "top-level-domain": ".jm", "uuid": "f5a606a6-80c4-4349-af9b-1450e6699868", "value": "Jamaica" }, @@ -1601,9 +1563,8 @@ "JP", "JPN" ], - "type": "country" + "top-level-domain": ".jp" }, - "top-level-domain": ".jp", "uuid": "98ee5301-46da-4754-963f-8cf9aa17f7fa", "value": "Japan" }, @@ -1615,8 +1576,7 @@ "iso-code": [ "JE", "JEY" - ], - "type": "country" + ] }, "uuid": "2d2423ff-f5e1-4f2b-897e-da0aff79836f", "value": "Jersey" @@ -1630,9 +1590,8 @@ "JO", "JOR" ], - "type": "country" + "top-level-domain": ".jo" }, - "top-level-domain": ".jo", "uuid": "f68750ae-d159-427e-bc6b-536fb676b8bf", "value": "Jordan" }, @@ -1645,9 +1604,8 @@ "KZ", "KAZ" ], - "type": "country" + "top-level-domain": ".kz" }, - "top-level-domain": ".kz", "uuid": "fc54834e-2131-47c5-b470-974855757469", "value": "Kazakhstan" }, @@ -1660,9 +1618,8 @@ "KE", "KEN" ], - "type": "country" + "top-level-domain": ".ke" }, - "top-level-domain": ".ke", "uuid": "60828537-e2d4-4f1c-b347-2c82901e9f01", "value": "Kenya" }, @@ -1675,9 +1632,8 @@ "KI", "KIR" ], - "type": "country" + "top-level-domain": ".ki" }, - "top-level-domain": ".ki", "uuid": "7a51098b-34bd-4f86-a478-90c8c20a7fb7", "value": "Kiribati" }, @@ -1689,8 +1645,7 @@ "iso-code": [ "XK", "XKX" - ], - "type": "country" + ] }, "uuid": "f7881f1c-647c-4a6e-9dc6-d5906832f978", "value": "Kosovo" @@ -1704,9 +1659,8 @@ "KW", "KWT" ], - "type": "country" + "top-level-domain": ".kw" }, - "top-level-domain": ".kw", "uuid": "fbc205b4-0a7a-40db-8bf4-fe8e83357eea", "value": "Kuwait" }, @@ -1719,9 +1673,8 @@ "KG", "KGZ" ], - "type": "country" + "top-level-domain": ".kg" }, - "top-level-domain": ".kg", "uuid": "92d31c81-c7e9-4ac5-bc73-6ea76ed19ce3", "value": "Kyrgyzstan" }, @@ -1734,9 +1687,8 @@ "LA", "LAO" ], - "type": "country" + "top-level-domain": ".la" }, - "top-level-domain": ".la", "uuid": "54866dbe-1be0-4185-87e1-ed565d6d13ee", "value": "Laos" }, 
@@ -1749,9 +1701,8 @@ "LV", "LVA" ], - "type": "country" + "top-level-domain": ".lv" }, - "top-level-domain": ".lv", "uuid": "367122b1-2645-49a9-b871-23a9c74d430e", "value": "Latvia" }, @@ -1764,9 +1715,8 @@ "LB", "LBN" ], - "type": "country" + "top-level-domain": ".lb" }, - "top-level-domain": ".lb", "uuid": "7b7ed6de-7692-41ba-8f25-8456dda5b907", "value": "Lebanon" }, @@ -1779,9 +1729,8 @@ "LS", "LSO" ], - "type": "country" + "top-level-domain": ".ls" }, - "top-level-domain": ".ls", "uuid": "666ac9e5-bb2d-4317-8ad7-e92e5895f476", "value": "Lesotho" }, @@ -1794,9 +1743,8 @@ "LR", "LBR" ], - "type": "country" + "top-level-domain": ".lr" }, - "top-level-domain": ".lr", "uuid": "fad73876-fff0-4794-b970-c02d98ac2889", "value": "Liberia" }, @@ -1809,9 +1757,8 @@ "LY", "LBY" ], - "type": "country" + "top-level-domain": ".ly" }, - "top-level-domain": ".ly", "uuid": "98cae8b3-c6cc-4434-ad7a-0b424e7b38a5", "value": "Libya" }, @@ -1824,9 +1771,8 @@ "LI", "LIE" ], - "type": "country" + "top-level-domain": ".li" }, - "top-level-domain": ".li", "uuid": "7359fcca-a4a2-4e8a-915f-a080f6b2e7b6", "value": "Liechtenstein" }, @@ -1839,25 +1785,11 @@ "LT", "LTU" ], - "type": "country" + "top-level-domain": ".lt" }, - "top-level-domain": ".lt", "uuid": "f32136ed-0727-4842-a9b7-9ea8f5d6f3fe", "value": "Lithuania" }, - { - "meta": { - "calling-code": [ - "+" - ], - "iso-code": [ - "" - ], - "type": "country" - }, - "uuid": "bda2a531-3fc7-4a68-8a50-0f9f6d003c05", - "value": "" - }, { "meta": { "calling-code": [ @@ -1867,9 +1799,8 @@ "MO", "MAC" ], - "type": "country" + "top-level-domain": ".mo" }, - "top-level-domain": ".mo", "uuid": "edf25443-9d01-45e5-af67-4943746a06d8", "value": "Macau" }, @@ -1881,8 +1812,7 @@ "iso-code": [ "MK", "MKD" - ], - "type": "country" + ] }, "uuid": "cbb86f5b-f390-489b-9c59-5f16d3db2cb6", "value": "Macedonia" 
@@ -1896,9 +1826,8 @@ "MG", "MDG" ], - "type": "country" + "top-level-domain": ".mg" }, - "top-level-domain": ".mg", "uuid": "940cb63e-5e76-4494-a6f7-b976df4837a2", "value": "Madagascar" }, @@ -1911,9 +1840,8 @@ "MW", "MWI" ], - "type": "country" + "top-level-domain": ".mw" }, - "top-level-domain": ".mw", "uuid": "5ed4a624-1c71-443b-8475-73caab1eea8f", "value": "Malawi" }, @@ -1926,9 +1854,8 @@ "MY", "MYS" ], - "type": "country" + "top-level-domain": ".my" }, - "top-level-domain": ".my", "uuid": "add3c024-728a-4507-b29f-9135f93eed14", "value": "Malaysia" }, @@ -1941,9 +1868,8 @@ "MV", "MDV" ], - "type": "country" + "top-level-domain": ".mv" }, - "top-level-domain": ".mv", "uuid": "8449ad6b-a590-4591-8676-2f9101341655", "value": "Maldives" }, @@ -1956,9 +1882,8 @@ "ML", "MLI" ], - "type": "country" + "top-level-domain": ".ml" }, - "top-level-domain": ".ml", "uuid": "f783dd32-8b58-491a-9b10-3028ac64664a", "value": "Mali" }, @@ -1971,9 +1896,8 @@ "MT", "MLT" ], - "type": "country" + "top-level-domain": ".mt" }, - "top-level-domain": ".mt", "uuid": "cd50bf6f-d86f-4470-9734-5aa83fd9e427", "value": "Malta" }, @@ -1986,9 +1910,8 @@ "MH", "MHL" ], - "type": "country" + "top-level-domain": ".mh" }, - "top-level-domain": ".mh", "uuid": "aa71c335-c223-4f5f-956d-c7c82d9a8283", "value": "Marshall Islands" }, @@ -2001,9 +1924,8 @@ "MR", "MRT" ], - "type": "country" + "top-level-domain": ".mr" }, - "top-level-domain": ".mr", "uuid": "a8561bba-3202-4165-8ef9-9e7412e8f5dd", "value": "Mauritania" }, @@ -2016,9 +1938,8 @@ "MU", "MUS" ], - "type": "country" + "top-level-domain": ".mu" }, - "top-level-domain": ".mu", "uuid": "c49266e4-75ab-42dd-a434-5231b72cbc89", "value": "Mauritius" }, @@ -2031,9 +1952,8 @@ "YT", "MYT" ], - "type": "country" + "top-level-domain": ".yt" }, - "top-level-domain": ".yt", "uuid": "aeb9cb0b-706c-44ad-9281-20dd857bbfc4", "value": "Mayotte" }, 
@@ -2046,9 +1966,8 @@ "MX", "MEX" ], - "type": "country" + "top-level-domain": ".mx" }, - "top-level-domain": ".mx", "uuid": "55777eae-a885-4ee5-9ad3-8df56cddb82b", "value": "Mexico" }, @@ -2060,8 +1979,7 @@ "iso-code": [ "FM", "FSM" - ], - "type": "country" + ] }, "uuid": "2043d3fc-d110-40e9-84f0-c6eb2904ce58", "value": "Micronesia" @@ -2075,9 +1993,8 @@ "MD", "MDA" ], - "type": "country" + "top-level-domain": ".md" }, - "top-level-domain": ".md", "uuid": "8c076c68-08a3-4870-aa1e-bd39d45c1d0b", "value": "Moldova" }, @@ -2090,9 +2007,8 @@ "MC", "MCO" ], - "type": "country" + "top-level-domain": ".mc" }, - "top-level-domain": ".mc", "uuid": "6b3e9217-0047-4a9f-9771-1fe24eb9c466", "value": "Monaco" }, @@ -2105,9 +2021,8 @@ "MN", "MNG" ], - "type": "country" + "top-level-domain": ".mn" }, - "top-level-domain": ".mn", "uuid": "d11a74ac-1ffd-4e92-941a-54fc64b801c6", "value": "Mongolia" }, @@ -2120,9 +2035,8 @@ "ME", "MNE" ], - "type": "country" + "top-level-domain": ".me" }, - "top-level-domain": ".me", "uuid": "b4eab2e9-f67a-449f-8f19-bf22c9bb2cac", "value": "Montenegro" }, @@ -2135,9 +2049,8 @@ "MS", "MSR" ], - "type": "country" + "top-level-domain": ".ms" }, - "top-level-domain": ".ms", "uuid": "e93097db-aa74-40ae-b92a-53f012a74889", "value": "Montserrat" }, @@ -2150,9 +2063,8 @@ "MA", "MAR" ], - "type": "country" + "top-level-domain": ".ma" }, - "top-level-domain": ".ma", "uuid": "04974cc3-fded-4af3-a0e6-0343e83f5f67", "value": "Morocco" }, @@ -2165,9 +2077,8 @@ "MZ", "MOZ" ], - "type": "country" + "top-level-domain": ".mz" }, - "top-level-domain": ".mz", "uuid": "dcc6fc3a-f36b-4137-9c3d-1ed88eb89131", "value": "Mozambique" }, @@ -2180,9 +2091,8 @@ "MM", "MMR" ], - "type": "country" + "top-level-domain": ".mm" }, - "top-level-domain": ".mm", "uuid": "8068b82b-461a-4b8a-acea-f4fe0b12b396", "value": "Myanmar" }, 
@@ -2195,9 +2105,8 @@ "NA", "NAM" ], - "type": "country" + "top-level-domain": ".na" }, - "top-level-domain": ".na", "uuid": "964471d5-e84a-486c-94e2-95107b59de61", "value": "Namibia" }, @@ -2210,9 +2119,8 @@ "NR", "NRU" ], - "type": "country" + "top-level-domain": ".nr" }, - "top-level-domain": ".nr", "uuid": "2d57902f-14b2-4e04-84ed-b2e24a7bba5f", "value": "Nauru" }, @@ -2225,9 +2133,8 @@ "NP", "NPL" ], - "type": "country" + "top-level-domain": ".np" }, - "top-level-domain": ".np", "uuid": "9f6c918b-246f-43bc-a125-1a2639932fd2", "value": "Nepal" }, @@ -2240,9 +2147,8 @@ "NL", "NLD" ], - "type": "country" + "top-level-domain": ".nl" }, - "top-level-domain": ".nl", "uuid": "1c016908-33df-485c-ba9a-3e629e6f92d9", "value": "Netherlands" }, @@ -2254,8 +2160,7 @@ "iso-code": [ "AN", "ANT" - ], - "type": "country" + ] }, "uuid": "9da253c5-423a-4fb7-ab98-a2eebc9da34d", "value": "Netherlands Antilles" @@ -2268,8 +2173,7 @@ "iso-code": [ "NC", "NCL" - ], - "type": "country" + ] }, "uuid": "6128fe4d-b7f4-4e9f-be44-7377d1236d7c", "value": "New Caledonia" @@ -2283,9 +2187,8 @@ "NZ", "NZL" ], - "type": "country" + "top-level-domain": ".nz" }, - "top-level-domain": ".nz", "uuid": "665da546-a37a-4194-ad73-ff1a5e79b3f7", "value": "New Zealand" }, @@ -2298,9 +2201,8 @@ "NI", "NIC" ], - "type": "country" + "top-level-domain": ".ni" }, - "top-level-domain": ".ni", "uuid": "f0a5a2de-5567-4581-8c99-3459e44d1608", "value": "Nicaragua" }, @@ -2313,9 +2215,8 @@ "NE", "NER" ], - "type": "country" + "top-level-domain": ".ne" }, - "top-level-domain": ".ne", "uuid": "13c9337c-9c06-42fd-ba3f-7128de97ffff", "value": "Niger" }, @@ -2328,9 +2229,8 @@ "NG", "NGA" ], - "type": "country" + "top-level-domain": ".ng" }, - "top-level-domain": ".ng", "uuid": "bdaa0f76-6fd0-4f2d-b6fd-76a97fe06c3b", "value": "Nigeria" }, @@ -2343,9 +2243,8 @@ "NU", "NIU" ], - "type": "country" + "top-level-domain": ".nu" }, - "top-level-domain": ".nu", "uuid": "ccf0effb-f81c-4308-a758-e13cde30d5f7", "value": "Niue" }, 
@@ -2358,9 +2257,8 @@ "KP", "PRK" ], - "type": "country" + "top-level-domain": ".kp" }, - "top-level-domain": ".kp", "uuid": "cc0bc1cc-6c68-46c2-b9f4-8fdc05f24fde", "value": "North Korea" }, @@ -2372,8 +2270,7 @@ "iso-code": [ "MP", "MNP" - ], - "type": "country" + ] }, "uuid": "c6b20a69-9ec7-407e-a9f0-f7e7ee1ba123", "value": "Northern Mariana Islands" @@ -2387,9 +2284,8 @@ "NO", "NOR" ], - "type": "country" + "top-level-domain": ".no" }, - "top-level-domain": ".no", "uuid": "a39f40d3-8fa5-4024-8c92-58c6a7362af8", "value": "Norway" }, @@ -2402,9 +2298,8 @@ "OM", "OMN" ], - "type": "country" + "top-level-domain": ".om" }, - "top-level-domain": ".om", "uuid": "086ced26-e92c-4b55-9688-0d716d507ada", "value": "Oman" }, @@ -2417,9 +2312,8 @@ "PK", "PAK" ], - "type": "country" + "top-level-domain": ".pk" }, - "top-level-domain": ".pk", "uuid": "6d6c87fd-8da6-465c-a381-b47f3810a6ea", "value": "Pakistan" }, @@ -2432,9 +2326,8 @@ "PW", "PLW" ], - "type": "country" + "top-level-domain": ".pw" }, - "top-level-domain": ".pw", "uuid": "3d7ad346-2b4c-4f51-947c-7c0627457174", "value": "Palau" }, @@ -2446,8 +2339,7 @@ "iso-code": [ "PS", "PSE" - ], - "type": "country" + ] }, "uuid": "91effc75-e4f6-4aa1-9e32-be5fe56903c9", "value": "Palestine" @@ -2461,9 +2353,8 @@ "PA", "PAN" ], - "type": "country" + "top-level-domain": ".pa" }, - "top-level-domain": ".pa", "uuid": "a38eb164-18f8-4ac8-941c-b9911a85c9c1", "value": "Panama" }, @@ -2476,9 +2367,8 @@ "PG", "PNG" ], - "type": "country" + "top-level-domain": ".pg" }, - "top-level-domain": ".pg", "uuid": "ac70053c-5b3b-42b4-b7de-421f097d74e1", "value": "Papua New Guinea" }, @@ -2491,9 +2381,8 @@ "PY", "PRY" ], - "type": "country" + "top-level-domain": ".py" }, - "top-level-domain": ".py", "uuid": "d25565ce-babf-4919-8e64-f894c6d099f7", "value": "Paraguay" }, 
@@ -2506,9 +2395,8 @@ "PE", "PER" ], - "type": "country" + "top-level-domain": ".pe" }, - "top-level-domain": ".pe", "uuid": "ff45884e-11e3-4b31-b805-8e4cb6c5e4e8", "value": "Peru" }, @@ -2521,9 +2409,8 @@ "PH", "PHL" ], - "type": "country" + "top-level-domain": ".ph" }, - "top-level-domain": ".ph", "uuid": "61e24be6-cf32-4d0f-a8b3-379a05bac8a9", "value": "Philippines" }, @@ -2535,8 +2422,7 @@ "iso-code": [ "PN", "PCN" - ], - "type": "country" + ] }, "uuid": "5ee746fb-7d00-494c-8dab-1a340a5ea49c", "value": "Pitcairn" @@ -2550,9 +2436,8 @@ "PL", "POL" ], - "type": "country" + "top-level-domain": ".pl" }, - "top-level-domain": ".pl", "uuid": "8e73397d-5c08-477e-9b5c-2ef279b5883b", "value": "Poland" }, @@ -2565,9 +2450,8 @@ "PT", "PRT" ], - "type": "country" + "top-level-domain": ".pt" }, - "top-level-domain": ".pt", "uuid": "fb9b1e68-2b99-467b-935d-1e98f312d9d6", "value": "Portugal" }, @@ -2580,8 +2464,7 @@ "iso-code": [ "PR", "PRI" - ], - "type": "country" + ] }, "uuid": "e9746233-bfd9-499f-b89c-54195295f6a2", "value": "Puerto Rico" @@ -2595,9 +2478,8 @@ "QA", "QAT" ], - "type": "country" + "top-level-domain": ".qa" }, - "top-level-domain": ".qa", "uuid": "79da7e74-0680-4c83-8329-2978e730eb91", "value": "Qatar" }, @@ -2610,9 +2492,8 @@ "CG", "COG" ], - "type": "country" + "top-level-domain": ".cg" }, - "top-level-domain": ".cg", "uuid": "5a5a71d8-9973-4a88-8ec5-8da50b24d90c", "value": "Republic of the Congo" }, @@ -2624,8 +2505,7 @@ "iso-code": [ "RE", "REU" - ], - "type": "country" + ] }, "uuid": "b5ba4bdb-29c1-4907-b7dc-c2172fd83976", "value": "Reunion" @@ -2639,9 +2519,8 @@ "RO", "ROU" ], - "type": "country" + "top-level-domain": ".ro" }, - "top-level-domain": ".ro", "uuid": "afa8ac3d-723d-4f10-8756-d8bbefc9eb2e", "value": "Romania" }, @@ -2654,9 +2533,8 @@ "RU", "RUS" ], - "type": "country" + "top-level-domain": ".ru" }, - "top-level-domain": ".ru", "uuid": "f99a8e6e-ccb6-4709-842c-a21e5455ba7c", "value": "Russia" }, 
@@ -2669,9 +2547,8 @@ "RW", "RWA" ], - "type": "country" + "top-level-domain": ".rw" }, - "top-level-domain": ".rw", "uuid": "d9dac31d-b4d7-4afb-b6fe-d9e09c5d4bac", "value": "Rwanda" }, @@ -2683,8 +2560,7 @@ "iso-code": [ "BL", "BLM" - ], - "type": "country" + ] }, "uuid": "954b2de5-2f0a-477d-8bea-3fa08a52c04c", "value": "Saint Barthelemy" @@ -2698,9 +2574,8 @@ "SH", "SHN" ], - "type": "country" + "top-level-domain": ".sh" }, - "top-level-domain": ".sh", "uuid": "083e69f2-14f1-4d8c-9fb7-4d38d38322cf", "value": "Saint Helena" }, @@ -2713,9 +2588,8 @@ "KN", "KNA" ], - "type": "country" + "top-level-domain": ".kn" }, - "top-level-domain": ".kn", "uuid": "7334c20d-dc91-41ff-925c-08e3e7d22c30", "value": "Saint Kitts and Nevis" }, @@ -2728,9 +2602,8 @@ "LC", "LCA" ], - "type": "country" + "top-level-domain": ".lc" }, - "top-level-domain": ".lc", "uuid": "ceb56016-5c27-42af-a4bd-0022bfcfee7b", "value": "Saint Lucia" }, @@ -2742,8 +2615,7 @@ "iso-code": [ "MF", "MAF" - ], - "type": "country" + ] }, "uuid": "164b7a25-b531-4630-a398-0cde3a45e7d6", "value": "Saint Martin" @@ -2756,8 +2628,7 @@ "iso-code": [ "PM", "SPM" - ], - "type": "country" + ] }, "uuid": "b45d813b-6fc2-4de1-8406-ecb51b70dd42", "value": "Saint Pierre and Miquelon" @@ -2771,9 +2642,8 @@ "VC", "VCT" ], - "type": "country" + "top-level-domain": ".vc" }, - "top-level-domain": ".vc", "uuid": "b46efc73-2cee-4250-aa3e-5e369ef06c5c", "value": "Saint Vincent and the Grenadines" }, @@ -2786,9 +2656,8 @@ "WS", "WSM" ], - "type": "country" + "top-level-domain": ".ws" }, - "top-level-domain": ".ws", "uuid": "8ee23019-4942-498c-89b7-4a6336015974", "value": "Samoa" }, @@ -2801,9 +2670,8 @@ "SM", "SMR" ], - "type": "country" + "top-level-domain": ".sm" }, - "top-level-domain": ".sm", "uuid": "6d739a32-2b94-45cc-8be0-4c65cc8f3ef4", "value": "San Marino" }, @@ -2815,8 +2683,7 @@ "iso-code": [ "ST", "STP" - ], - "type": "country" + ] }, "uuid": "84455318-8152-4fce-92a2-4e2a38d3ef9a", "value": "Sao Tome and Principe" 
@@ -2830,9 +2697,8 @@ "SA", "SAU" ], - "type": "country" + "top-level-domain": ".sa" }, - "top-level-domain": ".sa", "uuid": "52a4e93d-5e64-4ae2-9f5f-97fbcf75dc55", "value": "Saudi Arabia" }, @@ -2845,9 +2711,8 @@ "SN", "SEN" ], - "type": "country" + "top-level-domain": ".sn" }, - "top-level-domain": ".sn", "uuid": "31d92db8-d6e4-4531-955b-464986df7dad", "value": "Senegal" }, @@ -2860,9 +2725,8 @@ "RS", "SRB" ], - "type": "country" + "top-level-domain": ".rs" }, - "top-level-domain": ".rs", "uuid": "4ec7dd40-4d7a-431c-844d-ee709b8fb935", "value": "Serbia" }, @@ -2875,9 +2739,8 @@ "SC", "SYC" ], - "type": "country" + "top-level-domain": ".sc" }, - "top-level-domain": ".sc", "uuid": "e0f8c503-e005-409b-8915-b2cec757f85b", "value": "Seychelles" }, @@ -2890,9 +2753,8 @@ "SL", "SLE" ], - "type": "country" + "top-level-domain": ".sl" }, - "top-level-domain": ".sl", "uuid": "8acd3be4-fc0f-4dff-bf47-76d3e916c8ca", "value": "Sierra Leone" }, @@ -2905,9 +2767,8 @@ "SG", "SGP" ], - "type": "country" + "top-level-domain": ".sg" }, - "top-level-domain": ".sg", "uuid": "d9e1d8a2-1e57-41f1-b44f-efc26531e0c6", "value": "Singapore" }, @@ -2920,9 +2781,8 @@ "SX", "SXM" ], - "type": "country" + "top-level-domain": ".sx" }, - "top-level-domain": ".sx", "uuid": "5f6c7e19-38a0-4b4e-8799-7dd8ab6e39e1", "value": "Sint Maarten" }, @@ -2935,9 +2795,8 @@ "SK", "SVK" ], - "type": "country" + "top-level-domain": ".sk" }, - "top-level-domain": ".sk", "uuid": "707adc52-2c97-4e56-99fb-9661319117b4", "value": "Slovakia" }, @@ -2950,9 +2809,8 @@ "SI", "SVN" ], - "type": "country" + "top-level-domain": ".si" }, - "top-level-domain": ".si", "uuid": "66b0e8f0-7f94-420b-ac26-b7d874ca6f85", "value": "Slovenia" }, @@ -2965,9 +2823,8 @@ "SB", "SLB" ], - "type": "country" + "top-level-domain": ".sb" }, - "top-level-domain": ".sb", "uuid": "7a5d17e8-7597-4dd0-b009-60998149383e", "value": "Solomon Islands" }, 
@@ -2980,9 +2837,8 @@ "SO", "SOM" ], - "type": "country" + "top-level-domain": ".so" }, - "top-level-domain": ".so", "uuid": "8250580d-e2a5-4215-af6f-093c21fb4834", "value": "Somalia" }, @@ -2995,9 +2851,8 @@ "ZA", "ZAF" ], - "type": "country" + "top-level-domain": ".za" }, - "top-level-domain": ".za", "uuid": "6b3cc3a2-e95b-43b9-aeaa-1c3867e99319", "value": "South Africa" }, @@ -3010,9 +2865,8 @@ "KR", "KOR" ], - "type": "country" + "top-level-domain": ".kr" }, - "top-level-domain": ".kr", "uuid": "e78f238b-c0f0-4856-acc8-a3ff7b1c9187", "value": "South Korea" }, @@ -3025,9 +2879,8 @@ "SS", "SSD" ], - "type": "country" + "top-level-domain": ".ss" }, - "top-level-domain": ".ss", "uuid": "a152cd53-9a53-46e0-9b84-9d4101a59c5e", "value": "South Sudan" }, @@ -3040,9 +2893,8 @@ "ES", "ESP" ], - "type": "country" + "top-level-domain": ".es" }, - "top-level-domain": ".es", "uuid": "d3400ce2-5701-4141-83ba-66f4fea068ca", "value": "Spain" }, @@ -3055,9 +2907,8 @@ "LK", "LKA" ], - "type": "country" + "top-level-domain": ".lk" }, - "top-level-domain": ".lk", "uuid": "67d858c3-0ea2-4988-9dd4-d17375c5483d", "value": "Sri Lanka" }, @@ -3070,9 +2921,8 @@ "SD", "SDN" ], - "type": "country" + "top-level-domain": ".sd" }, - "top-level-domain": ".sd", "uuid": "210b2138-a4de-4959-9528-9b382f9df98c", "value": "Sudan" }, @@ -3085,9 +2935,8 @@ "SR", "SUR" ], - "type": "country" + "top-level-domain": ".sr" }, - "top-level-domain": ".sr", "uuid": "fa257ff1-9352-45ed-8fea-70fcc88781e0", "value": "Suriname" }, @@ -3099,8 +2948,7 @@ "iso-code": [ "SJ", "SJM" - ], - "type": "country" + ] }, "uuid": "4e451aef-1bc7-49de-950d-340bbf691a71", "value": "Svalbard and Jan Mayen" @@ -3113,8 +2961,7 @@ "iso-code": [ "SZ", "SWZ" - ], - "type": "country" + ] }, "uuid": "06918b9c-26be-4af8-b7bd-9add29798e7c", "value": "Swaziland" 
@@ -3128,9 +2975,8 @@ "SE", "SWE" ], - "type": "country" + "top-level-domain": ".se" }, - "top-level-domain": ".se", "uuid": "6d3bbf09-dea6-4c99-bf8b-7f75537a8b38", "value": "Sweden" }, @@ -3143,9 +2989,8 @@ "CH", "CHE" ], - "type": "country" + "top-level-domain": ".ch" }, - "top-level-domain": ".ch", "uuid": "56c661d4-471c-4e92-a4e6-349f8edabf41", "value": "Switzerland" }, @@ -3158,9 +3003,8 @@ "SY", "SYR" ], - "type": "country" + "top-level-domain": ".sy" }, - "top-level-domain": ".sy", "uuid": "145a3afd-e9b6-497e-9b8f-a07a3b113c90", "value": "Syria" }, @@ -3173,9 +3017,8 @@ "TW", "TWN" ], - "type": "country" + "top-level-domain": ".tw" }, - "top-level-domain": ".tw", "uuid": "5e8f4b1d-56fb-41ba-8107-1d936679673f", "value": "Taiwan" }, @@ -3188,9 +3031,8 @@ "TJ", "TJK" ], - "type": "country" + "top-level-domain": ".tj" }, - "top-level-domain": ".tj", "uuid": "acc3015b-52f7-46a5-9bcd-b6c69a9af728", "value": "Tajikistan" }, @@ -3203,9 +3045,8 @@ "TZ", "TZA" ], - "type": "country" + "top-level-domain": ".tz" }, - "top-level-domain": ".tz", "uuid": "b63d9a72-3c11-4948-b653-5ea6bdf1ed66", "value": "Tanzania" }, @@ -3218,9 +3059,8 @@ "TH", "THA" ], - "type": "country" + "top-level-domain": ".th" }, - "top-level-domain": ".th", "uuid": "a9a5d54d-933a-41fe-9227-8c44d69e766f", "value": "Thailand" }, @@ -3233,9 +3073,8 @@ "TG", "TGO" ], - "type": "country" + "top-level-domain": ".tg" }, - "top-level-domain": ".tg", "uuid": "6c61d5e6-b9be-466a-a0e0-768def1c5eae", "value": "Togo" }, @@ -3248,9 +3087,8 @@ "TK", "TKL" ], - "type": "country" + "top-level-domain": ".tk" }, - "top-level-domain": ".tk", "uuid": "8e1da827-2562-4c8f-b668-779c7512410c", "value": "Tokelau" }, @@ -3263,9 +3101,8 @@ "TO", "TON" ], - "type": "country" + "top-level-domain": ".to" }, - "top-level-domain": ".to", "uuid": "9d68906f-7e43-4d63-9b81-e3047b4f25e8", "value": "Tonga" }, 
@@ -3278,9 +3115,8 @@ "TT", "TTO" ], - "type": "country" + "top-level-domain": ".tt" }, - "top-level-domain": ".tt", "uuid": "b42557d5-ec65-41e0-84db-171b3f48e66e", "value": "Trinidad and Tobago" }, @@ -3293,9 +3129,8 @@ "TN", "TUN" ], - "type": "country" + "top-level-domain": ".tn" }, - "top-level-domain": ".tn", "uuid": "7e8d9de1-3e0c-4a9a-809b-e741096d93dc", "value": "Tunisia" }, @@ -3308,9 +3143,8 @@ "TR", "TUR" ], - "type": "country" + "top-level-domain": ".tr" }, - "top-level-domain": ".tr", "uuid": "10cad663-ea15-4803-937d-f1f6bc046f6f", "value": "Turkey" }, @@ -3323,9 +3157,8 @@ "TM", "TKM" ], - "type": "country" + "top-level-domain": ".tm" }, - "top-level-domain": ".tm", "uuid": "b8ac2942-599e-40a4-82d6-dc7d189b1d7f", "value": "Turkmenistan" }, @@ -3338,9 +3171,8 @@ "TC", "TCA" ], - "type": "country" + "top-level-domain": ".tc" }, - "top-level-domain": ".tc", "uuid": "3a7ffa51-20aa-4cf5-ac82-2ba6b9cb0b59", "value": "Turks and Caicos Islands" }, @@ -3353,9 +3185,8 @@ "TV", "TUV" ], - "type": "country" + "top-level-domain": ".tv" }, - "top-level-domain": ".tv", "uuid": "af9953e1-70b7-4925-bdc9-d0799d02aefa", "value": "Tuvalu" }, @@ -3367,8 +3198,7 @@ "iso-code": [ "VI", "VIR" - ], - "type": "country" + ] }, "uuid": "d93523ea-148e-482b-9447-21569b5a7e9d", "value": "U.S. Virgin Islands" @@ -3382,9 +3212,8 @@ "UG", "UGA" ], - "type": "country" + "top-level-domain": ".ug" }, - "top-level-domain": ".ug", "uuid": "5ad9c05c-4725-4cb0-81e7-9d7499bc1f08", "value": "Uganda" }, @@ -3397,9 +3226,8 @@ "UA", "UKR" ], - "type": "country" + "top-level-domain": ".ua" }, - "top-level-domain": ".ua", "uuid": "4e2745c3-2447-4fa4-9e5b-7d32adc01761", "value": "Ukraine" }, @@ -3412,9 +3240,8 @@ "AE", "ARE" ], - "type": "country" + "top-level-domain": ".ae" }, - "top-level-domain": ".ae", "uuid": "ec6d9524-cf39-4081-83e7-f87f5059ab4c", "value": "United Arab Emirates" }, 
@@ -3427,9 +3254,8 @@ "GB", "GBR" ], - "type": "country" + "top-level-domain": ".uk" }, - "top-level-domain": ".uk", "uuid": "5d0b6a46-f4cf-42ac-b283-e5e28677ec0f", "value": "United Kingdom" }, @@ -3441,8 +3267,7 @@ "iso-code": [ "US", "USA" - ], - "type": "country" + ] }, "uuid": "59b04875-12f9-49d8-b051-2759bba81824", "value": "United States" @@ -3456,9 +3281,8 @@ "UY", "URY" ], - "type": "country" + "top-level-domain": ".uy" }, - "top-level-domain": ".uy", "uuid": "5a5dbbad-e27b-4f47-a3b7-6acfddf0b57c", "value": "Uruguay" }, @@ -3471,9 +3295,8 @@ "UZ", "UZB" ], - "type": "country" + "top-level-domain": ".uz" }, - "top-level-domain": ".uz", "uuid": "46aa0f74-14c1-451a-a269-24141501c861", "value": "Uzbekistan" }, @@ -3486,9 +3309,8 @@ "VU", "VUT" ], - "type": "country" + "top-level-domain": ".vu" }, - "top-level-domain": ".vu", "uuid": "6a1b40ad-b473-46d6-ba02-a66eeb5f9472", "value": "Vanuatu" }, @@ -3500,8 +3322,7 @@ "iso-code": [ "VA", "VAT" - ], - "type": "country" + ] }, "uuid": "29e47ec8-f47e-43e6-8275-0e7ec185bdc0", "value": "Vatican" @@ -3515,9 +3336,8 @@ "VE", "VEN" ], - "type": "country" + "top-level-domain": ".ve" }, - "top-level-domain": ".ve", "uuid": "ff8eae27-8b9f-4a44-98e9-810b74785d5e", "value": "Venezuela" }, @@ -3530,9 +3350,8 @@ "VN", "VNM" ], - "type": "country" + "top-level-domain": ".vn" }, - "top-level-domain": ".vn", "uuid": "7102ea70-2af1-4b23-8d94-a87a9c9aea8e", "value": "Vietnam" }, @@ -3545,9 +3364,8 @@ "WF", "WLF" ], - "type": "country" + "top-level-domain": ".wf" }, - "top-level-domain": ".wf", "uuid": "e343017d-b607-4cd2-8bd9-b3417caa9674", "value": "Wallis and Futuna" }, @@ -3559,8 +3377,7 @@ "iso-code": [ "EH", "ESH" - ], - "type": "country" + ] }, "uuid": "7cca85b2-e06c-4c97-86de-0a2b3f473b59", "value": "Western Sahara" @@ -3574,9 +3391,8 @@ "YE", "YEM" ], - "type": "country" + "top-level-domain": ".ye" }, - "top-level-domain": ".ye", "uuid": "2813a187-0827-4e70-80f1-ffdb261ec478", "value": "Yemen" }, 
@@ -3589,9 +3405,8 @@ "ZM", "ZMB" ], - "type": "country" + "top-level-domain": ".zm" }, - "top-level-domain": ".zm", "uuid": "4ec0f561-4798-4b7e-a6f4-df8400284ee6", "value": "Zambia" }, @@ -3604,9 +3419,8 @@ "ZW", "ZWE" ], - "type": "country" + "top-level-domain": ".zw" }, - "top-level-domain": ".zw", "uuid": "da228f94-4412-4226-9113-e19a55cd4aa5", "value": "Zimbabwe" } From 17925f3e103ec9bad773ce0aa0457562300e86a3 Mon Sep 17 00:00:00 2001 From: Nils Kuhnert <3c7@users.noreply.github.com> Date: Sat, 3 Aug 2019 18:55:00 +0200 Subject: [PATCH 59/92] Remove local file link :) --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5364b56..2a2fea4 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2384,7 +2384,7 @@ "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf", "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN", - "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", + "https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae", "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1", 
From 4bef48b33e4020baca7fc4340efd4e0db68dc99a Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 6 Aug 2019 13:28:32 +0200
Subject: [PATCH 60/92] add Amavaldo
---
 clusters/tool.json | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index f9779b7..82ec890 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7798,6 +7798,15 @@
 },
 "uuid": "9ff6e087-6755-447a-b537-8f06c7aa4a85",
 "value": "Bookworm"
+ },
+ {
+ "value": "Amavaldo",
+ "description": "We named the malware family described in the rest of this blog post Amavaldo. This family is still in active development – the latest version we have observed (10.7) has a compilation timestamp of June 10th, 2019.",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/"
+ ]
+ }
 }
 ],
 "version": 122
From 53df0908c7268e91a34e53aa2a31d6c2c3a5cdb2 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 6 Aug 2019 15:34:23 +0200
Subject: [PATCH 61/92] update version
---
 clusters/tool.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 82ec890..3f38728 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -7809,5 +7809,5 @@
 }
 }
 ],
- "version": 122
+ "version": 123
 }
From e239619d15f17f86d3e426c06a1af44f4a1cb7fc Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 6 Aug 2019 15:42:20 +0200
Subject: [PATCH 62/92] jq
---
 clusters/tool.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 3f38728..685b8ef 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
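Review bot: The `Amavaldo` entry added in `@@ -7798,6 +7798,15 @@` has no `uuid`, unlike the `Bookworm` entry just above it and every other cluster value in these files, so nothing can reference it through a `related` link until one is assigned. Its `description` is a first-person quotation from the referenced post ("We named the malware family described in the rest of this blog post Amavaldo…") that never says what the tool is; something like `"description": "Amavaldo is a banking trojan family, still in active development as of June 2019 (version 10.7 carries a compilation timestamp of June 10th, 2019)."` reads as a cluster description rather than as a quote. The key order (`value` before `description`) also departs from the `description`/`meta`/`uuid`/`value` order the rest of the file uses.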
@@ -7800,13 +7800,14 @@
 "value": "Bookworm"
 },
 {
- "value": "Amavaldo",
 "description": "We named the malware family described in the rest of this blog post Amavaldo. This family is still in active development – the latest version we have observed (10.7) has a compilation timestamp of June 10th, 2019.",
 "meta": {
 "refs": [
 "https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/"
 ]
- }
+ },
+ "uuid": "c72f8f57-fc2f-4ca2-afbe-ca5bfa5a1747",
+ "value": "Amavaldo"
 }
 ],
 "version": 123
From 1988662ee5d3a142ac186ccfe7ab657b9963c11e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Fri, 9 Aug 2019 10:24:06 -0400
Subject: [PATCH 63/92] add APT41
---
 clusters/threat-actor.json | 46 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2a2fea4..646d309 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7637,7 +7637,51 @@
 },
 "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
 "value": "TA428"
+ },
+ {
+ "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.",
+ "meta": {
+ "cfr-suspected-state-sponsor": "People's Republic of China",
+ "cfr-suspected-victims": [
+ "France",
+ "India",
+ "Italy",
+ "Japan",
+ "Myanmar",
+ "Netherlands",
+ "Singapore",
+ "South Korea",
+ "South Africa",
+ "Switzerland",
+ "Thailand",
+ "Turkey",
+ "United Kingdom",
+ "United States"
+ ],
+ "cfr-target-category": [
+ "Healthcare",
+ "High-tech",
+ "Media",
+ "Pharmaceuticals",
+ "Retail",
+ "Software companies",
+ "Telecoms",
+ "Travel services",
+ "Education",
+ "Video games",
+ "Virtual currencies"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html"
+ ],
+ "synonyms": [
+ ""
+ ]
+ },
+ "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
+ "value": "APT41"
 }
 ],
- "version": 125
+ "version": 126
 }
From 320e298549f48c9ec9f2d72c387c2e37ded3c7ae Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Fri, 9 Aug 2019 10:45:10 -0400
Subject: [PATCH 64/92] update victims
---
 clusters/threat-actor.json | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 646d309..4daea87 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
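Review bot: The new APT41 entry carries `"synonyms": [ "" ]`, an empty-string alias; any consumer that indexes synonyms for matching will register `""` as a name for this actor, so either fill in real aliases or drop the `synonyms` key entirely. The follow-up hunk in PATCH 64 reworks `cfr-target-category` but leaves this placeholder in place. The entry is otherwise well-formed and keeps the `description`/`meta`/`uuid`/`value` order of the neighbouring `TA428` entry.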
@@ -7659,17 +7659,21 @@
 "United States"
 ],
 "cfr-target-category": [
+ "Automotive",
+ "Business",
+ "Services",
+ "Cryptocurrency",
+ "Education",
+ "Energy",
+ "Financial",
 "Healthcare",
- "High-tech",
- "Media",
+ "High-Tech",
+ "Intergovernmental",
+ "Media and Entertainment",
 "Pharmaceuticals",
 "Retail",
- "Software companies",
- "Telecoms",
- "Travel services",
- "Education",
- "Video games",
- "Virtual currencies"
+ "Telecommunications",
+ "Travel"
 ],
 "country": "CN",
 "refs": [
From feac39db6b8679515adbb48ccf40581a24b365cd Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Fri, 9 Aug 2019 22:19:09 +0530
Subject: [PATCH 65/92] added microsoft naming for the groups
---
 clusters/threat-actor.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2a2fea4..e5f8a79 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4770,6 +4770,9 @@
 "refs": [
 "https://www.fireeye.com/current-threats/apt-groups.html",
 "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf"
+ ],
+ "synonyms": [
+ "MANGANESE"
 ]
 },
 "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
@@ -5749,7 +5752,8 @@
 "TEMP.Jumper",
 "APT 40",
 "APT40",
- "BRONZE MOHAWK"
+ "BRONZE MOHAWK",
+ "GADOLINIUM"
 ]
 },
 "related": [
From d96dc39c5a1644467ec79ef5bca2c6b8677a86cc Mon Sep 17 00:00:00 2001
From: Carlos Borges
Date: Fri, 9 Aug 2019 18:00:37 -0300
Subject: [PATCH 66/92] Adding Amavaldo Banking Trojan
---
 clusters/rat.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/rat.json b/clusters/rat.json
index cd041ba..9309583 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
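Review bot: `"Business",` and `"Services",` are added as two separate categories in `@@ -7659,17 +7659,21 @@`; given the other multi-word labels in the list ("Media and Entertainment", "Travel") this looks like a single label, "Business Services", split across two array items, and is worth checking against the FireEye reference before it is consumed as two sectors. Separately, the `index 2a2fea4..e5f8a79` line of PATCH 65 shows it was built on the tree before PATCH 63 (`2a2fea4`), while PATCH 67 is based on PATCH 64's `4daea87`, so the MANGANESE and GADOLINIUM synonyms added on this line need a rebase or merge to land alongside the APT41 entry.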
@@ -3382,6 +3382,17 @@
 },
 "uuid": "0f117f50-9657-11e9-8e2b-83e391e0ce57",
 "value": "Felipe"
+ },
+ {
+ "description": "Amavaldo is banking trojan writen in Delphi and known to targeting Spanish or Portuguese speaking countries. It contains backdoor functionality and can work as multi stage. Amavaldo also abuses legitimate tools and softwares",
+ "meta": {
+ "date": "2019",
+ "refs": [
+ "https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/"
+ ]
+ },
+ "uuid": "39c65b1d-7799-43d6-a963-4a058b1c756e",
+ "value": "Amavaldo Banking Trojan"
 }
 ],
 "version": 30
From df5c9057a15a2a797f3c6b7a0a19e05c1c75741e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Fri, 9 Aug 2019 17:34:22 -0400
Subject: [PATCH 67/92] add synonyme for Turla
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4daea87..2ebe022 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2575,7 +2575,8 @@
 "Pacifier APT",
 "Popeye",
 "SIG23",
- "Iron Hunter"
+ "Iron Hunter",
+ "MAKERSMARK"
 ]
 },
 "related": [
From e946ce66db5cf31e62b09aeb839ffc5234f03133 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 13 Aug 2019 11:55:18 +0200
Subject: [PATCH 68/92] complete some clusters
---
 clusters/target-information.json | 51 +++++++++++++++++++++++++++++---
 1 file changed, 47 insertions(+), 4 deletions(-)
diff --git a/clusters/target-information.json b/clusters/target-information.json
index 3431c8c..ce59a62 100644
--- a/clusters/target-information.json
+++ b/clusters/target-information.json
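Review bot: `@@ -3382,6 +3382,17 @@` creates a second cluster value for the same malware: PATCH 60/62 already added `Amavaldo` to clusters/tool.json with uuid `c72f8f57-fc2f-4ca2-afbe-ca5bfa5a1747`, citing the same welivesecurity post, and this `Amavaldo Banking Trojan` entry gets a fresh uuid with no `related` link between the two. If both are kept, add a `related` entry here whose `dest-uuid` is that tool.json uuid with `"type": "similar"`, so the two records resolve to one family. The description also needs a copy-edit: `"description": "Amavaldo is a banking trojan written in Delphi that targets Spanish- and Portuguese-speaking countries. It contains backdoor functionality, can operate in multiple stages, and abuses legitimate tools and software."`.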
@@ -174,7 +174,24 @@
 "AD",
 "AND"
 ],
- "top-level-domain": ".ad"
+ "top-level-domain": ".ad",
+
+"capital": "Andorra la Vella",
+ "currency": [
+ "€",
+ "EUR",
+ "EURO"
+ ],
+ "official-languages": [
+ "Catalan"
+ ],
+ "synomyms": [
+ "Principality of Andorra",
+ "Principat d'Andorra",
+ "Principality of the Valleys of Andorra",
+ "Principat de les Valls d'Andorra"
+ ],
+ "type": "microstate"
 },
 "uuid": "5f8aeaac-8654-4b12-99c6-d3bf5ba43c7a",
 "value": "Andorra"
@@ -188,7 +205,24 @@
 "AO",
 "AGO"
 ],
- "top-level-domain": ".ao"
+ "top-level-domain": ".ao",
+ "capital": "Luanda",
+ "currency": [
+ "Kwanza",
+ "AOA"
+ ],
+ "official-languages": [
+ "Portuguese",
+ "Kikongo",
+ "Kimbundu",
+ "Umbundu"
+ ],
+ "synomyms": [
+ "Republic of Angola",
+ "República de Angola",
+ "Repubilika ya Ngola"
+ ],
+ "type": "country"
 },
 "uuid": "ec22a747-be01-4bf8-bb3b-4dac8ec033dc",
 "value": "Angola"
@@ -202,7 +236,16 @@
 "AI",
 "AIA"
 ],
- "top-level-domain": ".ai"
+ "top-level-domain": ".ai",
+ "capital": "The Valley",
+ "currency": [
+ "East Caribbean dollar",
+ "(XCD)"
+ ],
+ "official-languages": [
+ "English"
+ ],
+ "type": "British Overseas Territory"
 },
 "uuid": "eaeca984-4c51-4bff-8389-4b66c8fddb1c",
 "value": "Anguilla"
@@ -216,7 +259,7 @@
 "AQ",
 "ATA"
 ],
- "top-level-domain": ".aq"
+ "top-level-domain": ".aq",
 },
 "uuid": "09dbf944-5c73-4ff7-8b1b-b43b42282acb",
 "value": "Antarctica"
From 389a82701ac0d0d9c1c05d84b209fbb1d790a0f7 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 13 Aug 2019 11:57:28 +0200
Subject: [PATCH 69/92] jq
---
 clusters/target-information.json | 57 ++++++++++++++++----------------
 1 file changed, 28 insertions(+), 29 deletions(-)
diff --git a/clusters/target-information.json b/clusters/target-information.json
index ce59a62..714aded 100644
--- a/clusters/target-information.json
+++ b/clusters/target-information.json
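Review bot: The new `"synomyms"` keys (Andorra and Angola in these hunks) misspell `synonyms`, the key name the threat-actor clusters use, so tooling that reads synonyms will silently skip these lists; the typo survives unchanged through the jq reformat and the `territory-type` rename in the following two commits. The Antarctica hunk leaves a trailing comma after `"top-level-domain": ".aq",`, which makes the file invalid JSON at this commit (PATCH 69 removes it); the Andorra hunk's empty added line and unindented `"capital"` line are harmless to a parser but show the file was hand-edited rather than regenerated. The `currency` arrays mix a symbol, an ISO code and a spelled-out name (`"€"`, `"EUR"`, `"EURO"`; `"(XCD)"` in parentheses for Anguilla) without a discriminator — a fixed shape such as a name plus a bare ISO 4217 code would be easier to consume consistently.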
@@ -170,27 +170,26 @@
 "calling-code": [
 "+376"
 ],
+ "capital": "Andorra la Vella",
+ "currency": [
+ "€",
+ "EUR",
+ "EURO"
+ ],
 "iso-code": [
 "AD",
 "AND"
 ],
+ "official-languages": [
+ "Catalan"
+ ],
+ "synomyms": [
+ "Principality of Andorra",
+ "Principat d'Andorra",
+ "Principality of the Valleys of Andorra",
+ "Principat de les Valls d'Andorra"
+ ],
 "top-level-domain": ".ad",
-
-"capital": "Andorra la Vella",
- "currency": [
- "€",
- "EUR",
- "EURO"
- ],
- "official-languages": [
- "Catalan"
- ],
- "synomyms": [
- "Principality of Andorra",
- "Principat d'Andorra",
- "Principality of the Valleys of Andorra",
- "Principat de les Valls d'Andorra"
- ],
 "type": "microstate"
 },
 "uuid": "5f8aeaac-8654-4b12-99c6-d3bf5ba43c7a",
@@ -201,16 +200,15 @@
 "calling-code": [
 "+244"
 ],
- "iso-code": [
- "AO",
- "AGO"
- ],
- "top-level-domain": ".ao",
- "capital": "Luanda",
+ "capital": "Luanda",
 "currency": [
 "Kwanza",
 "AOA"
 ],
+ "iso-code": [
+ "AO",
+ "AGO"
+ ],
 "official-languages": [
 "Portuguese",
 "Kikongo",
@@ -222,6 +220,7 @@
 "República de Angola",
 "Repubilika ya Ngola"
 ],
+ "top-level-domain": ".ao",
 "type": "country"
 },
 "uuid": "ec22a747-be01-4bf8-bb3b-4dac8ec033dc",
@@ -232,19 +231,19 @@
 "calling-code": [
 "+1-264"
 ],
- "iso-code": [
- "AI",
- "AIA"
- ],
- "top-level-domain": ".ai",
- "capital": "The Valley",
+ "capital": "The Valley",
 "currency": [
 "East Caribbean dollar",
 "(XCD)"
 ],
+ "iso-code": [
+ "AI",
+ "AIA"
+ ],
 "official-languages": [
 "English"
 ],
+ "top-level-domain": ".ai",
 "type": "British Overseas Territory"
 },
 "uuid": "eaeca984-4c51-4bff-8389-4b66c8fddb1c",
@@ -259,7 +258,7 @@
 "AQ",
 "ATA"
 ],
- "top-level-domain": ".aq",
+ "top-level-domain": ".aq"
 },
 "uuid": "09dbf944-5c73-4ff7-8b1b-b43b42282acb",
 "value": "Antarctica"
From 9accc832e330f275b2894050231b76a9ee2a2bdb Mon Sep 17 00:00:00 2001
From: Deborah Servili Date: Tue, 13 Aug 2019 12:08:03 +0200 Subject: [PATCH 70/92] change attribute name --- clusters/target-information.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index 714aded..6a8d4a5 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -38,7 +38,7 @@ "Großherzogtum Luxemburg" ], "top-level-domain": "lu", - "type": "country" + "territory-type": "country" }, "uuid": "f9a1d7f4-980a-11e9-a8b6-23162ddc4255", "value": "Luxembourg" @@ -69,7 +69,7 @@ "Islamic Republic of Afghanistan" ], "top-level-domain": ".af", - "type": "country" + "territory-type": "country" }, "uuid": "2d0b4ddc-4b46-4e75-8c8b-02f4f7446507", "value": "Afghanistan" @@ -101,7 +101,7 @@ "Republic of Albania" ], "top-level-domain": ".al", - "type": "country" + "territory-type": "country" }, "uuid": "bc4c6bf6-c5f1-4927-b928-e9e2434e9ec4", "value": "Albania" @@ -132,7 +132,7 @@ "People's Democratic Republic of Algeria" ], "top-level-domain": ".dz", - "type": "country" + "territory-type": "country" }, "uuid": "13612aed-8efb-444f-8e29-5b93bd821d0e", "value": "Algeria" @@ -160,7 +160,7 @@ "Amelika Sāmoa", "Sāmoa Amelika" ], - "type": "unincorporated territory" + "territory-type": "unincorporated territory" }, "uuid": "9856b948-5662-4ce3-beef-9a777e758e5c", "value": "American Samoa" @@ -190,7 +190,7 @@ "Principat de les Valls d'Andorra" ], "top-level-domain": ".ad", - "type": "microstate" + "territory-type": "microstate" }, "uuid": "5f8aeaac-8654-4b12-99c6-d3bf5ba43c7a", "value": "Andorra" @@ -221,7 +221,7 @@ "Repubilika ya Ngola" ], "top-level-domain": ".ao", - "type": "country" + "territory-type": "country" }, "uuid": "ec22a747-be01-4bf8-bb3b-4dac8ec033dc", "value": "Angola" 
@@ -244,7 +244,7 @@ "English" ], "top-level-domain": ".ai", - "type": "British Overseas Territory" + "territory-type": "British Overseas Territory" }, "uuid": "eaeca984-4c51-4bff-8389-4b66c8fddb1c", "value": "Anguilla" From e00f139fa2332f8a6472481104b8cdbea3bab4c9 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 13 Aug 2019 13:01:36 +0200 Subject: [PATCH 71/92] jq --- clusters/target-information.json | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index 6a8d4a5..ed572fa 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -37,8 +37,8 @@ "Luxemburg", "Großherzogtum Luxemburg" ], - "top-level-domain": "lu", - "territory-type": "country" + "territory-type": "country", + "top-level-domain": "lu" }, "uuid": "f9a1d7f4-980a-11e9-a8b6-23162ddc4255", "value": "Luxembourg" @@ -68,8 +68,8 @@ "Afġānestān", "Islamic Republic of Afghanistan" ], - "top-level-domain": ".af", - "territory-type": "country" + "territory-type": "country", + "top-level-domain": ".af" }, "uuid": "2d0b4ddc-4b46-4e75-8c8b-02f4f7446507", "value": "Afghanistan" @@ -100,8 +100,8 @@ "Shqypnia", "Republic of Albania" ], - "top-level-domain": ".al", - "territory-type": "country" + "territory-type": "country", + "top-level-domain": ".al" }, "uuid": "bc4c6bf6-c5f1-4927-b928-e9e2434e9ec4", "value": "Albania" @@ -131,8 +131,8 @@ "al-dzāyīr", "People's Democratic Republic of Algeria" ], - "top-level-domain": ".dz", - "territory-type": "country" + "territory-type": "country", + "top-level-domain": ".dz" }, "uuid": "13612aed-8efb-444f-8e29-5b93bd821d0e", "value": "Algeria" 
@@ -189,8 +189,8 @@ "Principality of the Valleys of Andorra", "Principat de les Valls d'Andorra" ], - "top-level-domain": ".ad", - "territory-type": "microstate" + "territory-type": "microstate", + "top-level-domain": ".ad" }, "uuid": "5f8aeaac-8654-4b12-99c6-d3bf5ba43c7a", "value": "Andorra" @@ -220,8 +220,8 @@ "República de Angola", "Repubilika ya Ngola" ], - "top-level-domain": ".ao", - "territory-type": "country" + "territory-type": "country", + "top-level-domain": ".ao" }, "uuid": "ec22a747-be01-4bf8-bb3b-4dac8ec033dc", "value": "Angola" @@ -243,8 +243,8 @@ "official-languages": [ "English" ], - "top-level-domain": ".ai", - "territory-type": "British Overseas Territory" + "territory-type": "British Overseas Territory", + "top-level-domain": ".ai" }, "uuid": "eaeca984-4c51-4bff-8389-4b66c8fddb1c", "value": "Anguilla" From 3e651e2d74b30cf78ec7d7ade7e96f229b3d6cd8 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 13 Aug 2019 15:36:10 +0200 Subject: [PATCH 72/92] target-informatione - add membership member-of attribute - Example:member-of NATO --- clusters/target-information.json | 116 ++++++++++++++++++++++++++++++- 1 file changed, 115 insertions(+), 1 deletion(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index ed572fa..9ef8535 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -24,6 +24,9 @@ "LU", "LUX" ], + "member-of": [ + "NATO" + ], "official-languages": [ "French", "Luxembourgish", @@ -88,6 +91,9 @@ "AL", "ALB" ], + "member-of": [ + "NATO" + ], "official-languages": [ "Albanian" ], @@ -268,10 +274,19 @@ "calling-code": [ "+1-268" ], + "capital": "St. John's", + "currency": [ + "East Caribbean dollar", + "XCD" + ], "iso-code": [ "AG", "ATG" ], + "official-languages": [ + "English" + ], + "territory-type": "country", "top-level-domain": ".ag" }, "uuid": "b0d7f6d5-8f5e-4bd8-98d7-92fcc4c195b9", 
@@ -282,10 +297,24 @@ "calling-code": [ "+54" ], + "capital": "Buenos Aires", + "currency": [ + "Peso", + "$", + "ARS" + ], "iso-code": [ "AR", "ARG" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "Argentine Republic", + "República Argentina" + ], + "territory-type": "", "top-level-domain": ".ar" }, "uuid": "f21ecd23-c3c8-4308-8363-c1260a57e695", @@ -439,6 +468,9 @@ "BE", "BEL" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".be" }, "uuid": "30f35478-7961-464f-bd3c-732a8f5e1fe5", @@ -607,6 +639,9 @@ "BG", "BGR" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".bg" }, "uuid": "61766ec7-b1aa-4d92-afaa-883842d4f6ac", @@ -677,6 +712,9 @@ "CA", "CAN" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".ca" }, "uuid": "d0e51f88-2a01-4a9d-b080-464bb6f5172f", @@ -857,6 +895,9 @@ "HR", "HRV" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".hr" }, "uuid": "c753504c-9fe3-41f3-a423-86f64eff2af4", @@ -912,6 +953,9 @@ "CZ", "CZE" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".cz" }, "uuid": "ef6651eb-1168-422c-9853-5200c737b332", @@ -940,6 +984,9 @@ "DK", "DNK" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".dk" }, "uuid": "2890ae27-cc54-42df-8c0c-47285145bd49", @@ -1081,6 +1128,9 @@ "EE", "EST" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".ee" }, "uuid": "c8ea4824-7ed2-473a-906d-745bd73a2612", @@ -1164,6 +1214,9 @@ "FR", "FRA" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".fr" }, "uuid": "0cc6ad08-fac6-42bc-a7c7-09a53ea6b968", @@ -1232,6 +1285,9 @@ "DE", "DEU" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".de" }, "uuid": "4121d334-39d0-49c4-8a0e-0442c6bdcbc4", @@ -1273,6 +1329,9 @@ "GR", "GRC" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".gr" }, "uuid": "505730f7-2637-4efb-845d-f1af7cdca109", @@ -1438,6 +1497,9 @@ "HU", "HUN" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".hu" }, "uuid": "adc52cee-5668-498d-8111-db1c38a584c5", 
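Review bot: The Argentina hunk commits `"territory-type": ""`, an empty placeholder that downstream code will treat as a real value; leave the key out until the value is known (a later commit in this series, "remove empty strings", sweeps exactly this pattern in other cluster files). The currency list also contains the bare `"$"`, which is ambiguous across the many dollar- and peso-denominated entries in this file (the same symbol is added for Barbados and Canada later on); the name plus the ISO code `"ARS"` is sufficient. The `"synomyms"` key here is misspelled as well, as in the earlier Andorra and Angola hunks.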
@@ -1452,6 +1514,9 @@ "IS", "ISL" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".is" }, "uuid": "5bcfbed4-d9af-40ab-bcbd-013cad252570", @@ -1563,6 +1628,9 @@ "IT", "ITA" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".it" }, "uuid": "1bcc0b11-d906-40ea-910c-a1124c4d82bd", @@ -1743,6 +1811,9 @@ "LV", "LVA" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".lv" }, "uuid": "367122b1-2645-49a9-b871-23a9c74d430e", @@ -1827,6 +1898,9 @@ "LT", "LTU" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".lt" }, "uuid": "f32136ed-0727-4842-a9b7-9ea8f5d6f3fe", @@ -2077,6 +2151,9 @@ "ME", "MNE" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".me" }, "uuid": "b4eab2e9-f67a-449f-8f19-bf22c9bb2cac", @@ -2189,6 +2266,9 @@ "NL", "NLD" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".nl" }, "uuid": "1c016908-33df-485c-ba9a-3e629e6f92d9", @@ -2326,6 +2406,9 @@ "NO", "NOR" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".no" }, "uuid": "a39f40d3-8fa5-4024-8c92-58c6a7362af8", @@ -2478,6 +2561,9 @@ "PL", "POL" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".pl" }, "uuid": "8e73397d-5c08-477e-9b5c-2ef279b5883b", @@ -2492,6 +2578,9 @@ "PT", "PRT" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".pt" }, "uuid": "fb9b1e68-2b99-467b-935d-1e98f312d9d6", @@ -2561,6 +2650,9 @@ "RO", "ROU" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".ro" }, "uuid": "afa8ac3d-723d-4f10-8756-d8bbefc9eb2e", @@ -2837,6 +2929,9 @@ "SK", "SVK" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".sk" }, "uuid": "707adc52-2c97-4e56-99fb-9661319117b4", @@ -2851,6 +2946,9 @@ "SI", "SVN" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".si" }, "uuid": "66b0e8f0-7f94-420b-ac26-b7d874ca6f85", @@ -2935,6 +3033,9 @@ "ES", "ESP" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".es" }, "uuid": "d3400ce2-5701-4141-83ba-66f4fea068ca", 
@@ -3185,6 +3286,9 @@ "TR", "TUR" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".tr" }, "uuid": "10cad663-ea15-4803-937d-f1f6bc046f6f", @@ -3296,6 +3400,9 @@ "GB", "GBR" ], + "member-of": [ + "NATO" + ], "top-level-domain": ".uk" }, "uuid": "5d0b6a46-f4cf-42ac-b283-e5e28677ec0f", @@ -3309,7 +3416,14 @@ "iso-code": [ "US", "USA" - ] + ], + "member-of": [ + "NATO" + ], + "synonyms": [ + "United States of America" + ], + "top-level-domain": ".us" }, "uuid": "59b04875-12f9-49d8-b051-2759bba81824", "value": "United States" From 754f8f2a4841b10232fb60d2a5ffcbb50a3eaa07 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 14 Aug 2019 16:30:28 +0200 Subject: [PATCH 73/92] complete more cluster + country is now an array --- clusters/target-information.json | 351 +++++++++++++++++++++++++++++-- 1 file changed, 339 insertions(+), 12 deletions(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index 9ef8535..4ba36dc 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -14,7 +14,9 @@ "calling-code": [ "+352" ], - "capital": "Luxembourg", + "capital": [ + "Luxembourg" + ], "currency": [ "€", "EUR", @@ -51,7 +53,9 @@ "calling-code": [ "+93" ], - "capital": "Kabul", + "capital": [ + "Kabul" + ], "currency": [ "AFN", "Afs", @@ -82,7 +86,9 @@ "calling-code": [ "+355" ], - "capital": "Tirana", + "capital": [ + "Tirana" + ], "currency": [ "Lek", "ALL" @@ -117,7 +123,9 @@ "calling-code": [ "+213" ], - "capital": "Algiers", + "capital": [ + "Algiers" + ], "currency": [ "Dinar", "DZD" @@ -148,7 +156,9 @@ "calling-code": [ "+1-684" ], - "capital": "Pago Pago", + "capital": [ + "Pago Pago" + ], "currency": [ "United States dollar", "USD" @@ -176,7 +186,9 @@ "calling-code": [ "+376" ], - "capital": "Andorra la Vella", + "capital": [ + "Andorra la Vella" + ], "currency": [ "€", "EUR", 
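Review bot: The United States hunk spells the alias key as `"synonyms"`, whereas every other target-information entry in this series uses `"synomyms"` (Andorra, Angola, Argentina and the entries added in the following commits). Because of the split, a consumer reading `meta.synonyms` sees only the United States aliases and one keyed on the misspelling sees everything except them. `synonyms` is the correct key, so the other entries should be renamed to match this one rather than the reverse.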
@@ -206,7 +218,9 @@ "calling-code": [ "+244" ], - "capital": "Luanda", + "capital": [ + "Luanda" + ], "currency": [ "Kwanza", "AOA" @@ -237,7 +251,9 @@ "calling-code": [ "+1-264" ], - "capital": "The Valley", + "capital": [ + "The Valley" + ], "currency": [ "East Caribbean dollar", "(XCD)" @@ -274,7 +290,9 @@ "calling-code": [ "+1-268" ], - "capital": "St. John's", + "capital": [ + "St. John's" + ], "currency": [ "East Caribbean dollar", "XCD" @@ -297,7 +315,9 @@ "calling-code": [ "+54" ], - "capital": "Buenos Aires", + "capital": [ + "Buenos Aires" + ], "currency": [ "Peso", "$", @@ -314,7 +334,7 @@ "Argentine Republic", "República Argentina" ], - "territory-type": "", + "territory-type": "country", "top-level-domain": ".ar" }, "uuid": "f21ecd23-c3c8-4308-8363-c1260a57e695", @@ -325,10 +345,29 @@ "calling-code": [ "+374" ], + "capital": [ + "Yerevan" + ], + "currency": [ + "Dram", + "֏", + "AMD)" + ], "iso-code": [ "AM", "ARM" ], + "official-languages": [ + "Armenian" + ], + "synomyms": [ + "Հայաստան", + "Hayastan", + "Republic of Armenia", + "Հայաստանի Հանրապետություն", + "Hayastani Hanrapetut'yun" + ], + "territory-type": "country", "top-level-domain": ".am" }, "uuid": "e1a61736-a7d4-4c31-aeda-bd49beabdb40", @@ -339,10 +378,25 @@ "calling-code": [ "+297" ], + "capital": [ + "Oranjestad" + ], + "currency": [ + "Aruban florin", + "AWG" + ], "iso-code": [ "AW", "ABW" - ] + ], + "official-languages": [ + "Dutch", + "Papiamento" + ], + "synomyms": [ + "Papiamento" + ], + "territory-type": "country" }, "uuid": "d9684c43-0ced-48eb-86e6-d2802ff31cde", "value": "Aruba" @@ -352,10 +406,24 @@ "calling-code": [ "+61" ], + "capital": [ + "Canberra" + ], + "currency": [ + "Australian dollar", + "AUD" + ], "iso-code": [ "AU", "AUS" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Commonwealth of Australia" + ], + "territory-type": "country", "top-level-domain": ".au" }, "uuid": "ca250c03-aead-41e3-a077-085d66211186", 
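Review bot: The Armenia hunk adds the currency code as `"AMD)"`, a stray closing parenthesis that turns the ISO code into a token nothing will match; it should be `"AMD"`. The same defect appears in the Bolivia hunk of this commit, where the code is written `"BOB)"`. A pattern check on currency codes (three uppercase letters) in the validation step would catch both.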
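Review bot: The Aruba hunk lists `"Papiamento"` under `"synomyms"`, but Papiamento is one of the two official languages already recorded in `official-languages` in the same hunk, not an alternate name for Aruba, so a correlation on the language name would now resolve to this territory. Drop it from the synonym list. As in the other entries, the key is spelled `synomyms` rather than `synonyms`.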
@@ -366,10 +434,27 @@ "calling-code": [ "+43" ], + "capital": [ + "Vienna" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "AT", "AUT" ], + "official-languages": [ + "German" + ], + "synomyms": [ + "Österreich", + "Republic of Austria", + "Republik Österreich" + ], + "territory-type": "country", "top-level-domain": ".at" }, "uuid": "e88f7003-09e9-4275-b176-d4246e59a0d5", @@ -380,10 +465,27 @@ "calling-code": [ "+994" ], + "capital": [ + "Baku" + ], + "currency": [ + "Manat", + "₼", + "AZN" + ], "iso-code": [ "AZ", "AZE" ], + "official-languages": [ + "Azerbaijani" + ], + "synomyms": [ + "Azərbaycan", + "Republic of Azerbaijan", + "Azərbaycan Respublikası" + ], + "territory-type": "country", "top-level-domain": ".az" }, "uuid": "4dac6eec-948d-4df5-946b-21ac0aaf5471", @@ -394,10 +496,25 @@ "calling-code": [ "+1-242" ], + "capital": [ + "Nassau" + ], + "currency": [ + "Bahamian dollar", + "BSD" + ], "iso-code": [ "BS", "BHS" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Commonwealth of The Bahamas", + "The Bahamas" + ], + "territory-type": "country", "top-level-domain": ".bs" }, "uuid": "5029a486-9c17-454a-bbcd-6e9b774705f9", @@ -408,10 +525,28 @@ "calling-code": [ "+973" ], + "capital": [ + "Manama" + ], + "currency": [ + "Bahraini dinar", + "BHD" + ], "iso-code": [ "BH", "BHR" ], + "official-languages": [ + "Arabic" + ], + "synomyms": [ + "al-Baḥrayn", + "Kingdom of Bahrain", + "مملكة البحرين‎", + "Mamlakat al-Baḥrayn", + "البحرين" + ], + "territory-type": "country", "top-level-domain": ".bh" }, "uuid": "819805c9-8f06-4f0c-af79-926960b4c23f", 
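Review bot: The Bahrain hunk's synonym `"مملكة البحرين‎"` appears to end with an invisible bidirectional control character (U+200E, presumably pasted along with the Arabic text) immediately before the closing quote; an exact string match on the name then fails while the value looks identical on screen. Strip such control characters from the synonym and consider rejecting Unicode format (Cf) code points in string values during validation. The hunk otherwise follows the other entries in this commit, including the misspelled `synomyms` key.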
@@ -422,10 +557,29 @@ "calling-code": [ "+880" ], + "capital": [ + "Dhaka" + ], + "currency": [ + "Bangladeshi taka", + "৳", + "BDT" + ], "iso-code": [ "BD", "BGD" ], + "official-languages": [ + "Bengali" + ], + "synomyms": [ + "বাংলাদেশ", + "The country of Bengal", + "People's Republic of Bangladesh", + "গণপ্রজাতন্ত্রী বাংলাদেশ", + "Gônoprojatontri Bangladesh" + ], + "territory-type": "country", "top-level-domain": ".bd" }, "uuid": "cb78009e-1355-4afa-a655-0cf03d7fd947", @@ -436,10 +590,22 @@ "calling-code": [ "+1-246" ], + "capital": [ + "Bridgetown" + ], + "currency": [ + "Barbadian dollar", + "$", + "BBD" + ], "iso-code": [ "BB", "BRB" ], + "official-languages": [ + "English" + ], + "territory-type": "country", "top-level-domain": ".bb" }, "uuid": "062daa09-7c4a-4dec-ba9d-625d96871708", @@ -450,10 +616,31 @@ "calling-code": [ "+375" ], + "capital": [ + "Minsk" + ], + "currency": [ + "Belarusian ruble", + "BYN" + ], "iso-code": [ "BY", "BLR" ], + "official-languages": [ + "Belarusian", + "Russian" + ], + "synomyms": [ + "Беларусь", + "Republic of Belarus", + "Рэспубліка Беларусь", + "Республика Беларусь", + "Byelorussia", + "Belorussia", + "Белоруссия" + ], + "territory-type": "country", "top-level-domain": ".by" }, "uuid": "9e5e118a-ebe8-464a-bd38-350af4d645c4", @@ -464,6 +651,14 @@ "calling-code": [ "+32" ], + "capital": [ + "Brussels" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "BE", "BEL" @@ -471,6 +666,21 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Dutch", + "French", + "German" + ], + "synomyms": [ + "België", + "Royaume de Belgique", + "Königreich Belgien", + "Kingdom of Belgium", + "Koninkrijk België", + "Royaume de Belgique", + "Königreich Belgien" + ], + "territory-type": "country", "top-level-domain": ".be" }, "uuid": "30f35478-7961-464f-bd3c-732a8f5e1fe5", 
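Review bot: The second Belgium hunk lists `"Royaume de Belgique"` and `"Königreich Belgien"` twice each in the `synomyms` array; the repeated strings are exact duplicates and should be removed, leaving `"België"`, `"Kingdom of Belgium"`, `"Koninkrijk België"`, `"Royaume de Belgique"` and `"Königreich Belgien"`. Duplicate synonyms do not break matching but inflate the cluster and indicate the list was assembled by hand; a uniqueness check over synonym arrays in the validation step would catch this.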
@@ -481,10 +691,21 @@ "calling-code": [ "+501" ], + "capital": [ + "Belmopan" + ], + "currency": [ + "Belize dollar", + "BZD" + ], "iso-code": [ "BZ", "BLZ" ], + "official-languages": [ + "English" + ], + "territory-type": "country", "top-level-domain": ".bz" }, "uuid": "4b7f2038-cc17-4bb1-bc28-dacc9772e6fc", @@ -495,10 +716,26 @@ "calling-code": [ "+229" ], + "capital": [ + "Porto-Novo" + ], + "currency": [ + "West African CFA franc", + "XOF" + ], "iso-code": [ "BJ", "BEN" ], + "official-languages": [ + "French" + ], + "synomyms": [ + "Bénin", + "Republic of Benin", + "République du Bénin" + ], + "territory-type": "", "top-level-domain": ".bj" }, "uuid": "5c68d3ce-0beb-4b9a-a81d-e5d64f14b9a1", @@ -509,10 +746,24 @@ "calling-code": [ "+1-441" ], + "capital": [ + "Hamilton" + ], + "currency": [ + "Bermudian dollar", + "BMD" + ], "iso-code": [ "BM", "BMU" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Islands of Bermuda" + ], + "territory-type": "British Overseas Territory", "top-level-domain": ".bm" }, "uuid": "67e9dd29-9da1-4585-b0e6-303defa1e751", @@ -523,10 +774,28 @@ "calling-code": [ "+975" ], + "capital": [ + "Thimphu" + ], + "currency": [ + "Ngultrum", + "BTN" + ], "iso-code": [ "BT", "BTN" ], + "official-languages": [ + "Dzongkha" + ], + "synomyms": [ + "འབྲུག་ཡུལ", + "Druk Yul", + "Kingdom of Bhutan", + "འབྲུག་རྒྱལ་ཁབ", + "Druk Gyal Khap" + ], + "territory-type": "country", "top-level-domain": ".bt" }, "uuid": "7a431a2e-623b-4fb0-8316-a5d42266070d", 
@@ -537,10 +806,68 @@ "calling-code": [ "+591" ], + "capital": [ + "Sucre", + "La Paz" + ], + "currency": [ + "Boliviano", + "BOB)" + ], "iso-code": [ "BO", "BOL" ], + "official-languages": [ + "Spanish", + "Araona", + "Aymara", + "Ayoreo", + "Baure", + "Canichana", + "Cavineña", + "Cayuvava", + "Chácobo", + "Chimane", + "Chiquitano", + "Eastern Bolivian Guaraní", + "Ese Ejja", + "Guaraní", + "Guarayu", + "Ignaciano", + "Itene", + "Itonama", + "Kallawaya", + "Leco", + "Mosetén", + "Movima", + "Pakawara", + "Pauserna", + "Piro", + "Puquina", + "Quechua", + "Reyesano", + "Sirionó", + "Tacana", + "Toromono", + "Trinitario", + "Uru-Chipaya", + "Wichí Lhamtés Nocten", + "Yaminawa", + "Yuki", + "Yuracaré" + ], + "synomyms": [ + "Mborivia", + "Puliwya", + "Wuliwya", + "Plurinational State of Bolivia", + "Estado Plurinacional de Bolivia", + "Tetã Hetãvoregua Mborivia", + "Puliwya Mamallaqta", + "Wuliwya Suyu" + ], + "territory-type": "country", "top-level-domain": ".bo" }, "uuid": "06c20eb8-bec1-4f56-a5af-91f5fb826e4d", From 38aebbf42a611d5dcbbb83d796b4e1d12b4addee Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Mon, 19 Aug 2019 16:53:29 +0200 Subject: [PATCH 74/92] remove empty strings --- clusters/exploit-kit.json | 3 --- clusters/ransomware.json | 3 +-- clusters/threat-actor.json | 6 +----- 3 files changed, 2 insertions(+), 10 deletions(-) diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 197d7bb..872cf17 100644 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json @@ -218,9 +218,6 @@ { "description": "Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user \"badbullzvenom\". ", "meta": { - "refs": [ - "" - ], "status": "Active" }, "uuid": "63988ca2-46c8-4bda-be46-96a8670af357", diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 144fcaf..10ea030 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json 
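Review bot: The sweep that removes empty strings from `refs` and `synonyms` in this exploit-kit.json hunk (and in the ransomware.json and threat-actor.json hunks that follow) does not cover clusters/target-information.json, where `"territory-type": ""` was committed for Benin a few days earlier in this same series. The pattern is worth enforcing rather than cleaning up by hand: the validation step should reject empty strings inside `refs`, `synonyms` and the other `meta` arrays, since an empty ref or alias is never meaningful and a matcher that treats `""` as an alias can correlate anything.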
@@ -12889,8 +12889,7 @@ "read_me_for_recover_your_files.txt" ], "refs": [ - "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/", - "" + "https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/" ] }, "uuid": "3675e50d-3f76-45f8-b3f3-4a645779e14d", diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index aee3539..31bdae9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7423,8 +7423,7 @@ "meta": { "refs": [ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf", - "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf", - "" + "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf" ] }, "uuid": "e502802e-8d0a-11e9-bd72-9f046529b3fd", @@ -7683,9 +7682,6 @@ "country": "CN", "refs": [ "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html" - ], - "synonyms": [ - "" ] }, "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", From 694423694337b8aedd983d9326203bf4b6b3392f Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 20 Aug 2019 15:24:16 +0200 Subject: [PATCH 75/92] more countries --- clusters/target-information.json | 279 ++++++++++++++++++++++++++----- 1 file changed, 241 insertions(+), 38 deletions(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index 4ba36dc..e098b33 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -42,7 +42,7 @@ "Luxemburg", "Großherzogtum Luxemburg" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": "lu" }, "uuid": "f9a1d7f4-980a-11e9-a8b6-23162ddc4255", 
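Review bot: The first territory-type hunk writes the value as `["Country"]` with a capital C, while the American Samoa and Andorra hunks in the same commit keep lowercase values (`"unincorporated and unorganized territory"`, `"microstate"`) and the Anguilla hunk uses Title Case (`"British Overseas Territory"`). Since the attribute is now a free-form array, these case variants fragment what should be a small enum and a filter on `Country` misses part of the dataset; pick one casing, for example `"country"` matching the previous string values, and apply it across all hunks of this commit.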
@@ -75,7 +75,7 @@
 "Afġānestān",
 "Islamic Republic of Afghanistan"
 ],
- "territory-type": "country",
+ "territory-type": ["Country"],
 "top-level-domain": ".af"
 },
 "uuid": "2d0b4ddc-4b46-4e75-8c8b-02f4f7446507",
@@ -112,7 +112,7 @@
 "Shqypnia",
 "Republic of Albania"
 ],
- "territory-type": "country",
+ "territory-type": ["Country"],
 "top-level-domain": ".al"
 },
 "uuid": "bc4c6bf6-c5f1-4927-b928-e9e2434e9ec4",
@@ -145,7 +145,7 @@
 "al-dzāyīr",
 "People's Democratic Republic of Algeria"
 ],
- "territory-type": "country",
+ "territory-type": ["Country"],
 "top-level-domain": ".dz"
 },
 "uuid": "13612aed-8efb-444f-8e29-5b93bd821d0e",
@@ -176,7 +176,7 @@
 "Amelika Sāmoa",
 "Sāmoa Amelika"
 ],
- "territory-type": "unincorporated territory"
+ "territory-type": ["unincorporated and unorganized territory"]
 },
 "uuid": "9856b948-5662-4ce3-beef-9a777e758e5c",
 "value": "American Samoa"
@@ -207,7 +207,7 @@
 "Principality of the Valleys of Andorra",
 "Principat de les Valls d'Andorra"
 ],
- "territory-type": "microstate",
+ "territory-type": ["microstate"],
 "top-level-domain": ".ad"
 },
 "uuid": "5f8aeaac-8654-4b12-99c6-d3bf5ba43c7a",
@@ -240,7 +240,7 @@
 "República de Angola",
 "Repubilika ya Ngola"
 ],
- "territory-type": "country",
+ "territory-type": ["Country"],
 "top-level-domain": ".ao"
 },
 "uuid": "ec22a747-be01-4bf8-bb3b-4dac8ec033dc",
@@ -265,7 +265,7 @@
 "official-languages": [
 "English"
 ],
- "territory-type": "British Overseas Territory",
+ "territory-type": ["British Overseas Territory"],
 "top-level-domain": ".ai"
 },
 "uuid": "eaeca984-4c51-4bff-8389-4b66c8fddb1c",
@@ -304,7 +304,7 @@
 "official-languages": [
 "English"
 ],
- "territory-type": "country",
+ "territory-type": ["Country"],
 "top-level-domain": ".ag"
 },
 "uuid": "b0d7f6d5-8f5e-4bd8-98d7-92fcc4c195b9",
@@ -334,7 +334,7 @@
 "Argentine Republic",
 "República Argentina"
 ],
- "territory-type": "country",
+ "territory-type": ["Country"],
 "top-level-domain": ".ar"
 },
 "uuid": "f21ecd23-c3c8-4308-8363-c1260a57e695",
@@ -367,7 +367,7 @@ "Հայաստանի Հանրապետություն", "Hayastani Hanrapetut'yun" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".am" }, "uuid": "e1a61736-a7d4-4c31-aeda-bd49beabdb40", @@ -396,7 +396,7 @@ "synomyms": [ "Papiamento" ], - "territory-type": "country" + "territory-type": ["Country"] }, "uuid": "d9684c43-0ced-48eb-86e6-d2802ff31cde", "value": "Aruba" @@ -423,7 +423,7 @@ "synomyms": [ "Commonwealth of Australia" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".au" }, "uuid": "ca250c03-aead-41e3-a077-085d66211186", @@ -454,7 +454,7 @@ "Republic of Austria", "Republik Österreich" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".at" }, "uuid": "e88f7003-09e9-4275-b176-d4246e59a0d5", @@ -485,7 +485,7 @@ "Republic of Azerbaijan", "Azərbaycan Respublikası" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".az" }, "uuid": "4dac6eec-948d-4df5-946b-21ac0aaf5471", @@ -514,7 +514,7 @@ "Commonwealth of The Bahamas", "The Bahamas" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".bs" }, "uuid": "5029a486-9c17-454a-bbcd-6e9b774705f9", @@ -546,7 +546,7 @@ "Mamlakat al-Baḥrayn", "البحرين" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".bh" }, "uuid": "819805c9-8f06-4f0c-af79-926960b4c23f", @@ -579,7 +579,7 @@ "গণপ্রজাতন্ত্রী বাংলাদেশ", "Gônoprojatontri Bangladesh" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".bd" }, "uuid": "cb78009e-1355-4afa-a655-0cf03d7fd947", @@ -605,7 +605,7 @@ "official-languages": [ "English" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".bb" }, "uuid": "062daa09-7c4a-4dec-ba9d-625d96871708", 
@@ -640,7 +640,7 @@ "Belorussia", "Белоруссия" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".by" }, "uuid": "9e5e118a-ebe8-464a-bd38-350af4d645c4", @@ -680,7 +680,7 @@ "Royaume de Belgique", "Königreich Belgien" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".be" }, "uuid": "30f35478-7961-464f-bd3c-732a8f5e1fe5", @@ -705,7 +705,7 @@ "official-languages": [ "English" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".bz" }, "uuid": "4b7f2038-cc17-4bb1-bc28-dacc9772e6fc", @@ -735,7 +735,7 @@ "Republic of Benin", "République du Bénin" ], - "territory-type": "", + "territory-type": ["Country"], "top-level-domain": ".bj" }, "uuid": "5c68d3ce-0beb-4b9a-a81d-e5d64f14b9a1", @@ -763,7 +763,7 @@ "synomyms": [ "Islands of Bermuda" ], - "territory-type": "British Overseas Territory", + "territory-type": ["British Overseas Territory"], "top-level-domain": ".bm" }, "uuid": "67e9dd29-9da1-4585-b0e6-303defa1e751", @@ -795,7 +795,7 @@ "འབྲུག་རྒྱལ་ཁབ", "Druk Gyal Khap" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".bt" }, "uuid": "7a431a2e-623b-4fb0-8316-a5d42266070d", @@ -867,7 +867,7 @@ "Puliwya Mamallaqta", "Wuliwya Suyu" ], - "territory-type": "country", + "territory-type": ["Country"], "top-level-domain": ".bo" }, "uuid": "06c20eb8-bec1-4f56-a5af-91f5fb826e4d", @@ -882,7 +882,23 @@ "BA", "BIH" ], - "top-level-domain": ".ba" + "top-level-domain": ".ba" , + "capital": [ + "Sarajevo" + ], + "currency": [ + "Convertible mark", + "BAM" + ], + "synomyms": [ + "BiH", + "B&H", + "Bosnia–Herzegovina", + "Bosnia" + ], + "territory-type": [ + "Country" + ] }, "uuid": "eccea7a8-d7f5-4b33-b948-ac8595e92500", "value": "Bosnia and Herzegovina" 
@@ -910,7 +926,24 @@ "BR", "BRA" ], - "top-level-domain": ".br" + "top-level-domain": ".br" , + "capital": [ + "Gaborone" + ], + "currency": [ + "Botswana pula","BWP" + ], + "official-languages": [ + "English", "Setswana" + ], + "synomyms": [ + "Republic of Botswana", + "Lefatshe la Botswana" + ], + "territory-type": [ + "Country" + ] + }, "uuid": "75fe4c94-f864-41dc-8dd2-758e2e2d4deb", "value": "Brazil" @@ -924,7 +957,25 @@ "IO", "IOT" ], - "top-level-domain": ".io" + "top-level-domain": ".io" , + "capital": [ + "Canp Justice" + ], + "currency": [ + "United States Dollar", + "USD", + "Pound sterling", + "GBP" + ], + "official-languages": [ + "English" + ], + "synomyms": [ + "BIOT" + ], + "territory-type": [ + "British Overseas Territory" + ] }, "uuid": "f974dd18-3a6b-4910-af8f-1d6256369b05", "value": "British Indian Ocean Territory" @@ -938,7 +989,22 @@ "VG", "VGB" ], - "top-level-domain": ".vg" + "top-level-domain": ".vg" , + "capital": [ + "Road Town" + ], + "currency": [ + "United States dollar","USD" + ], + "official-languages": [ + "English" + ], + "synomyms": [ + "BVI","Virgin Islands" + ], + "territory-type": [ + "British Overseas Territory" + ] }, "uuid": "9feffe01-624f-46fd-9e55-baec2098db69", "value": "British Virgin Islands" @@ -952,7 +1018,25 @@ "BN", "BRN" ], - "top-level-domain": ".bn" + "top-level-domain": ".bn" , + "capital": [ + "Bandar Seri Begawan" + ], + "currency": [ + "Brunei dollar","BND" + ], + "official-languages": [ + "Malay", + "English" + ], + "synomyms": [ + "Nation of Brunei, the Abode of Peace", + "Negara Brunei Darussalam (Rumi script)", + "نڬارا بروني دارالسلام" + ], + "territory-type": [ + "Country" + ] }, "uuid": "a039c8f7-1a7a-46e6-b16b-a9648a280f77", "value": "Brunei" 
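Review bot: The hunk whose context lines are `"BR"`, `"BRA"` and `"value": "Brazil"` adds Botswana's data: capital `"Gaborone"`, currency `"Botswana pula"`/`"BWP"`, language `"Setswana"` and synonyms `"Republic of Botswana"`/`"Lefatshe la Botswana"`, while keeping `"top-level-domain": ".br"`. As committed, the Brazil entry (uuid `75fe4c94-f864-41dc-8dd2-758e2e2d4deb`) asserts Botswana's facts, so any targeting information correlated on those names is attributed to Brazil. Move the added block into a separate Botswana entry with its own UUID and re-complete Brazil with its own values. The hunk also appears to add a `+ },` line after the territory-type array, which together with the hunk counts (`-910,7 +926,24`) suggests a duplicated closing brace; run the JSON validator on this revision to confirm.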
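Review bot: The British Indian Ocean Territory hunk adds the capital as `"Canp Justice"`; the settlement is Camp Justice, so the value should read `"Camp Justice"`. The entry otherwise mirrors the other territories in this commit, including the misspelled `synomyms` key.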
@@ -969,7 +1053,26 @@ "member-of": [ "NATO" ], - "top-level-domain": ".bg" + "top-level-domain": ".bg" , + "capital": [ + "Sofia" + ], + "currency": [ + "Lev","BGN" + ], + "official-languages": [ + "Bulgarian" + ], + "synomyms": [ + "България", + "Bǎlgariya", + "Republic of Bulgaria", + "Република България", + "Republika Bǎlgariya" + ], + "territory-type": [ + "Country" + ] }, "uuid": "61766ec7-b1aa-4d92-afaa-883842d4f6ac", "value": "Bulgaria" @@ -983,7 +1086,19 @@ "BF", "BFA" ], - "top-level-domain": ".bf" + "top-level-domain": ".bf" , + "capital": [ + "Ouagadougou" + ], + "currency": [ + "West African CFA franc","XOF" + ], + "official-languages": [ + "French" + ], + "territory-type": [ + "Counry" + ] }, "uuid": "dfb27e34-f6dc-4db3-b3fa-313a8125ddf2", "value": "Burkina Faso" @@ -997,7 +1112,24 @@ "BI", "BDI" ], - "top-level-domain": ".bi" + "top-level-domain": ".bi" , + "capital": [ + "Gitega" + ], + "currency": [ + "Burundian franc","FBu","BIF" + ], + "official-languages": [ + "Kirundi","French","English" + ], + "synomyms": [ + "Republic of Burundi", + "Republika y'Uburundi", + "République du Burundi" + ], + "territory-type": [ + "Country" + ] }, "uuid": "f545307d-db22-49d3-858f-8d03db4428da", "value": "Burundi" @@ -1011,7 +1143,27 @@ "KH", "KHM" ], - "top-level-domain": ".kh" + "top-level-domain": ".kh" , + "capital": [ + "Phnom Penh" + ], + "currency": [ + "Riel", + "KHR" + ], + "official-languages": [ + "Khmer" + ], + "synomyms": [ + "Kampuchea", + "Cambodge", + "ព្រះរាជាណាចក្រកម្ពុជ", + "prĕəh riəciənaacak kampuciə", + "Royaume du Cambodge" + ], + "territory-type": [ + "Country" + ] }, "uuid": "03757eb3-f75a-48e1-a4ef-18a62c7d1838", "value": "Cambodia" 
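Review bot: The Burkina Faso hunk sets `"territory-type": ["Counry"]`, a typo of `"Country"` that creates a fourth spelling variant of the value across this commit and makes the entry invisible to any filter on the intended type; change it to `"Country"` (or whichever casing the commit settles on). Because `territory-type` is a free-form string array, the validation step should check its values against a short allowed list so such typos cannot land.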
@@ -1025,7 +1177,26 @@ "CM", "CMR" ], - "top-level-domain": ".cm" + "top-level-domain": ".cm" , + "capital": [ + " Yaoundé" + ], + "currency": [ + "Central African CFA franc","XAF" + ], + "official-languages": [ + "English", +"French" + ], + "synomyms": [ + "Cameroun", + "Republic of Cameroon", + "République du Cameroun", + "Renndaandi Kamerun" + ], + "territory-type": [ + "Country" + ] }, "uuid": "68e9ed03-4954-4a2a-8971-1224fa3ab760", "value": "Cameroon" @@ -1042,7 +1213,20 @@ "member-of": [ "NATO" ], - "top-level-domain": ".ca" + "top-level-domain": ".ca" , + "capital": [ + " Ottawa" + ], + "currency": [ + " Canadian dollar","$","CAD" + ], + "official-languages": [ + "English", + "French" + ], + "territory-type": [ + "Country" + ] }, "uuid": "d0e51f88-2a01-4a9d-b080-464bb6f5172f", "value": "Canada" @@ -1056,7 +1240,26 @@ "CV", "CPV" ], - "top-level-domain": ".cv" + "top-level-domain": ".cv" , + "capital": [ + "Praia" + ], + "currency": [ + " Cape Verdean escudo","CVE" + ], + "official-languages": [ + "Portuguese" + ], + "synomyms": [ + "Cabo Verde", + "Republic of Cabo Verde", + +"República de Cabo Verde", +"Repúblika di Kabu Verdi" + ], + "territory-type": [ + "Country" + ] }, "uuid": "457e880a-0d5a-4729-b7b1-fcfeccf61f07", "value": "Cape Verde" From b7a97d1baf90d5afdb73cc07382e6dee2c728d1e Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 22 Aug 2019 11:49:09 +0200 Subject: [PATCH 76/92] More clusters improved --- clusters/target-information.json | 634 ++++++++++++++++++++++++------- 1 file changed, 501 insertions(+), 133 deletions(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index e098b33..c9a85d9 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -42,7 +42,9 @@ "Luxemburg", "Großherzogtum Luxemburg" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": "lu" }, "uuid": "f9a1d7f4-980a-11e9-a8b6-23162ddc4255", 
@@ -75,7 +77,9 @@ "Afġānestān", "Islamic Republic of Afghanistan" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".af" }, "uuid": "2d0b4ddc-4b46-4e75-8c8b-02f4f7446507", @@ -112,7 +116,9 @@ "Shqypnia", "Republic of Albania" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".al" }, "uuid": "bc4c6bf6-c5f1-4927-b928-e9e2434e9ec4", @@ -145,7 +151,9 @@ "al-dzāyīr", "People's Democratic Republic of Algeria" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".dz" }, "uuid": "13612aed-8efb-444f-8e29-5b93bd821d0e", @@ -176,7 +184,9 @@ "Amelika Sāmoa", "Sāmoa Amelika" ], - "territory-type": ["unincorporated and unorganized territory"] + "territory-type": [ + "unincorporated and unorganized territory" + ] }, "uuid": "9856b948-5662-4ce3-beef-9a777e758e5c", "value": "American Samoa" @@ -207,7 +217,9 @@ "Principality of the Valleys of Andorra", "Principat de les Valls d'Andorra" ], - "territory-type": ["microstate"], + "territory-type": [ + "microstate" + ], "top-level-domain": ".ad" }, "uuid": "5f8aeaac-8654-4b12-99c6-d3bf5ba43c7a", @@ -240,7 +252,9 @@ "República de Angola", "Repubilika ya Ngola" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".ao" }, "uuid": "ec22a747-be01-4bf8-bb3b-4dac8ec033dc", @@ -265,7 +279,9 @@ "official-languages": [ "English" ], - "territory-type": ["British Overseas Territory"], + "territory-type": [ + "British Overseas Territory" + ], "top-level-domain": ".ai" }, "uuid": "eaeca984-4c51-4bff-8389-4b66c8fddb1c", @@ -304,7 +320,9 @@ "official-languages": [ "English" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".ag" }, "uuid": "b0d7f6d5-8f5e-4bd8-98d7-92fcc4c195b9", 
@@ -334,7 +352,9 @@ "Argentine Republic", "República Argentina" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".ar" }, "uuid": "f21ecd23-c3c8-4308-8363-c1260a57e695", @@ -367,7 +387,9 @@ "Հայաստանի Հանրապետություն", "Hayastani Hanrapetut'yun" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".am" }, "uuid": "e1a61736-a7d4-4c31-aeda-bd49beabdb40", @@ -396,7 +418,9 @@ "synomyms": [ "Papiamento" ], - "territory-type": ["Country"] + "territory-type": [ + "Country" + ] }, "uuid": "d9684c43-0ced-48eb-86e6-d2802ff31cde", "value": "Aruba" @@ -423,7 +447,9 @@ "synomyms": [ "Commonwealth of Australia" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".au" }, "uuid": "ca250c03-aead-41e3-a077-085d66211186", @@ -454,7 +480,9 @@ "Republic of Austria", "Republik Österreich" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".at" }, "uuid": "e88f7003-09e9-4275-b176-d4246e59a0d5", @@ -485,7 +513,9 @@ "Republic of Azerbaijan", "Azərbaycan Respublikası" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".az" }, "uuid": "4dac6eec-948d-4df5-946b-21ac0aaf5471", @@ -514,7 +544,9 @@ "Commonwealth of The Bahamas", "The Bahamas" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".bs" }, "uuid": "5029a486-9c17-454a-bbcd-6e9b774705f9", @@ -546,7 +578,9 @@ "Mamlakat al-Baḥrayn", "البحرين" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".bh" }, "uuid": "819805c9-8f06-4f0c-af79-926960b4c23f", @@ -579,7 +613,9 @@ "গণপ্রজাতন্ত্রী বাংলাদেশ", "Gônoprojatontri Bangladesh" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".bd" }, "uuid": "cb78009e-1355-4afa-a655-0cf03d7fd947", 
@@ -605,7 +641,9 @@ "official-languages": [ "English" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".bb" }, "uuid": "062daa09-7c4a-4dec-ba9d-625d96871708", @@ -640,7 +678,9 @@ "Belorussia", "Белоруссия" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".by" }, "uuid": "9e5e118a-ebe8-464a-bd38-350af4d645c4", @@ -680,7 +720,9 @@ "Royaume de Belgique", "Königreich Belgien" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".be" }, "uuid": "30f35478-7961-464f-bd3c-732a8f5e1fe5", @@ -705,7 +747,9 @@ "official-languages": [ "English" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".bz" }, "uuid": "4b7f2038-cc17-4bb1-bc28-dacc9772e6fc", @@ -735,7 +779,9 @@ "Republic of Benin", "République du Bénin" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".bj" }, "uuid": "5c68d3ce-0beb-4b9a-a81d-e5d64f14b9a1", @@ -763,7 +809,9 @@ "synomyms": [ "Islands of Bermuda" ], - "territory-type": ["British Overseas Territory"], + "territory-type": [ + "British Overseas Territory" + ], "top-level-domain": ".bm" }, "uuid": "67e9dd29-9da1-4585-b0e6-303defa1e751", @@ -795,7 +843,9 @@ "འབྲུག་རྒྱལ་ཁབ", "Druk Gyal Khap" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".bt" }, "uuid": "7a431a2e-623b-4fb0-8316-a5d42266070d", @@ -867,7 +917,9 @@ "Puliwya Mamallaqta", "Wuliwya Suyu" ], - "territory-type": ["Country"], + "territory-type": [ + "Country" + ], "top-level-domain": ".bo" }, "uuid": "06c20eb8-bec1-4f56-a5af-91f5fb826e4d", @@ -878,18 +930,17 @@ "calling-code": [ "+387" ], - "iso-code": [ - "BA", - "BIH" + "capital": [ + "Sarajevo" ], - "top-level-domain": ".ba" , - "capital": [ - "Sarajevo" - ], "currency": [ "Convertible mark", "BAM" ], + "iso-code": [ + "BA", + "BIH" + ], "synomyms": [ "BiH", "B&H", 
@@ -898,7 +949,8 @@ ], "territory-type": [ "Country" - ] + ], + "top-level-domain": ".ba" }, "uuid": "eccea7a8-d7f5-4b33-b948-ac8595e92500", "value": "Bosnia and Herzegovina" @@ -922,19 +974,20 @@ "calling-code": [ "+55" ], + "capital": [ + "Gaborone" + ], + "currency": [ + "Botswana pula", + "BWP" + ], "iso-code": [ "BR", "BRA" ], - "top-level-domain": ".br" , - "capital": [ - "Gaborone" - ], - "currency": [ - "Botswana pula","BWP" - ], "official-languages": [ - "English", "Setswana" + "English", + "Setswana" ], "synomyms": [ "Republic of Botswana", @@ -942,8 +995,8 @@ ], "territory-type": [ "Country" - ] - + ], + "top-level-domain": ".br" }, "uuid": "75fe4c94-f864-41dc-8dd2-758e2e2d4deb", "value": "Brazil" @@ -953,20 +1006,19 @@ "calling-code": [ "+246" ], - "iso-code": [ - "IO", - "IOT" + "capital": [ + "Canp Justice" ], - "top-level-domain": ".io" , - "capital": [ - "Canp Justice" - ], "currency": [ "United States Dollar", "USD", "Pound sterling", "GBP" ], + "iso-code": [ + "IO", + "IOT" + ], "official-languages": [ "English" ], @@ -975,7 +1027,8 @@ ], "territory-type": [ "British Overseas Territory" - ] + ], + "top-level-domain": ".io" }, "uuid": "f974dd18-3a6b-4910-af8f-1d6256369b05", "value": "British Indian Ocean Territory" @@ -985,26 +1038,28 @@ "calling-code": [ "+1-284" ], + "capital": [ + "Road Town" + ], + "currency": [ + "United States dollar", + "USD" + ], "iso-code": [ "VG", "VGB" ], - "top-level-domain": ".vg" , - "capital": [ - "Road Town" - ], - "currency": [ - "United States dollar","USD" - ], "official-languages": [ "English" ], "synomyms": [ - "BVI","Virgin Islands" + "BVI", + "Virgin Islands" ], "territory-type": [ "British Overseas Territory" - ] + ], + "top-level-domain": ".vg" }, "uuid": "9feffe01-624f-46fd-9e55-baec2098db69", "value": "British Virgin Islands" 
@@ -1014,17 +1069,17 @@ "calling-code": [ "+673" ], + "capital": [ + "Bandar Seri Begawan" + ], + "currency": [ + "Brunei dollar", + "BND" + ], "iso-code": [ "BN", "BRN" ], - "top-level-domain": ".bn" , - "capital": [ - "Bandar Seri Begawan" - ], - "currency": [ - "Brunei dollar","BND" - ], "official-languages": [ "Malay", "English" @@ -1032,11 +1087,12 @@ "synomyms": [ "Nation of Brunei, the Abode of Peace", "Negara Brunei Darussalam (Rumi script)", - "نڬارا بروني دارالسلام" + "نڬارا بروني دارالسلام" ], "territory-type": [ "Country" - ] + ], + "top-level-domain": ".bn" }, "uuid": "a039c8f7-1a7a-46e6-b16b-a9648a280f77", "value": "Brunei" @@ -1046,6 +1102,13 @@ "calling-code": [ "+359" ], + "capital": [ + "Sofia" + ], + "currency": [ + "Lev", + "BGN" + ], "iso-code": [ "BG", "BGR" @@ -1053,13 +1116,6 @@ "member-of": [ "NATO" ], - "top-level-domain": ".bg" , - "capital": [ - "Sofia" - ], - "currency": [ - "Lev","BGN" - ], "official-languages": [ "Bulgarian" ], @@ -1072,7 +1128,8 @@ ], "territory-type": [ "Country" - ] + ], + "top-level-domain": ".bg" }, "uuid": "61766ec7-b1aa-4d92-afaa-883842d4f6ac", "value": "Bulgaria" @@ -1082,23 +1139,24 @@ "calling-code": [ "+226" ], + "capital": [ + "Ouagadougou" + ], + "currency": [ + "West African CFA franc", + "XOF" + ], "iso-code": [ "BF", "BFA" ], - "top-level-domain": ".bf" , - "capital": [ - "Ouagadougou" - ], - "currency": [ - "West African CFA franc","XOF" - ], "official-languages": [ "French" ], "territory-type": [ "Counry" - ] + ], + "top-level-domain": ".bf" }, "uuid": "dfb27e34-f6dc-4db3-b3fa-313a8125ddf2", "value": "Burkina Faso" 
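Review bot: The change to the Brunei Jawi synonym `"نڬارا بروني دارالسلام"` is not visible in the diff — the removed and added lines read identically — so a reviewer cannot tell whether a trailing space, a bidi control character or a different code point was replaced, and the commit message ("More clusters improved") does not say. A short note in the message (e.g. "strip trailing whitespace/invisible marks from Arabic-script synonyms") would make the edit auditable, which matters because these strings are compared literally by consumers.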
@@ -1108,19 +1166,22 @@ "calling-code": [ "+257" ], + "capital": [ + "Gitega" + ], + "currency": [ + "Burundian franc", + "FBu", + "BIF" + ], "iso-code": [ "BI", "BDI" ], - "top-level-domain": ".bi" , - "capital": [ - "Gitega" - ], - "currency": [ - "Burundian franc","FBu","BIF" - ], "official-languages": [ - "Kirundi","French","English" + "Kirundi", + "French", + "English" ], "synomyms": [ "Republic of Burundi", @@ -1129,7 +1190,8 @@ ], "territory-type": [ "Country" - ] + ], + "top-level-domain": ".bi" }, "uuid": "f545307d-db22-49d3-858f-8d03db4428da", "value": "Burundi" @@ -1139,18 +1201,17 @@ "calling-code": [ "+855" ], - "iso-code": [ - "KH", - "KHM" + "capital": [ + "Phnom Penh" ], - "top-level-domain": ".kh" , - "capital": [ - "Phnom Penh" - ], "currency": [ "Riel", "KHR" ], + "iso-code": [ + "KH", + "KHM" + ], "official-languages": [ "Khmer" ], @@ -1163,7 +1224,8 @@ ], "territory-type": [ "Country" - ] + ], + "top-level-domain": ".kh" }, "uuid": "03757eb3-f75a-48e1-a4ef-18a62c7d1838", "value": "Cambodia" @@ -1173,20 +1235,20 @@ "calling-code": [ "+237" ], + "capital": [ + "Yaoundé" + ], + "currency": [ + "Central African CFA franc", + "XAF" + ], "iso-code": [ "CM", "CMR" ], - "top-level-domain": ".cm" , - "capital": [ - " Yaoundé" - ], - "currency": [ - "Central African CFA franc","XAF" - ], "official-languages": [ "English", -"French" + "French" ], "synomyms": [ "Cameroun", @@ -1196,7 +1258,8 @@ ], "territory-type": [ "Country" - ] + ], + "top-level-domain": ".cm" }, "uuid": "68e9ed03-4954-4a2a-8971-1224fa3ab760", "value": "Cameroon" @@ -1206,6 +1269,14 @@ "calling-code": [ "+1" ], + "capital": [ + "Ottawa" + ], + "currency": [ + "Canadian dollar", + "$", + "CAD" + ], "iso-code": [ "CA", "CAN" 
@@ -1213,20 +1284,14 @@ "member-of": [ "NATO" ], - "top-level-domain": ".ca" , - "capital": [ - " Ottawa" - ], - "currency": [ - " Canadian dollar","$","CAD" - ], "official-languages": [ "English", "French" ], "territory-type": [ "Country" - ] + ], + "top-level-domain": ".ca" }, "uuid": "d0e51f88-2a01-4a9d-b080-464bb6f5172f", "value": "Canada" @@ -1236,30 +1301,30 @@ "calling-code": [ "+238" ], + "capital": [ + "Praia" + ], + "currency": [ + "Cape Verdean escudo", + "CVE" + ], "iso-code": [ "CV", "CPV" ], - "top-level-domain": ".cv" , - "capital": [ - "Praia" - ], - "currency": [ - " Cape Verdean escudo","CVE" - ], "official-languages": [ "Portuguese" ], "synomyms": [ "Cabo Verde", "Republic of Cabo Verde", - -"República de Cabo Verde", -"Repúblika di Kabu Verdi" + "República de Cabo Verde", + "Repúblika di Kabu Verdi" ], "territory-type": [ "Country" - ] + ], + "top-level-domain": ".cv" }, "uuid": "457e880a-0d5a-4729-b7b1-fcfeccf61f07", "value": "Cape Verde" @@ -1269,10 +1334,23 @@ "calling-code": [ "+1-345" ], + "capital": [ + "George Town" + ], + "currency": [ + "Cayman Islands dollar", + "KYD" + ], "iso-code": [ "KY", "CYM" ], + "official-languages": [ + "English" + ], + "territory-type": [ + "British Overseas Territory" + ], "top-level-domain": ".ky" }, "uuid": "036ac306-bedd-44a6-807a-69314d59dfef", @@ -1283,10 +1361,31 @@ "calling-code": [ "+236" ], + "capital": [ + "Bangui" + ], + "currency": [ + "Central African CFA franc", + "XAF" + ], "iso-code": [ "CF", "CAF" ], + "official-languages": [ + "French", + "Sango" + ], + "synomyms": [ + "CAR", + "Renndaandi Afirka Cakaari", + "Ködörösêse tî Bêafrîka", + "République centrafricaine", + "Centrafrique" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".cf" }, "uuid": "4abded58-faa1-4a2b-ae16-01a12409df7c", 
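Review bot: The keys added to Cayman Islands and Central African Republic (and every other entry in this series) use `"synomyms"`, which follows the spelling already present in the file but is presumably a typo for `"synonyms"`. Staying consistent within this commit is the right call; the point is that if the misspelling is unintentional it should be tracked and fixed in one dedicated commit across the whole cluster, since every consumer that reads the field — including any synonym-based matching — has to change at the same time.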
@@ -1297,10 +1396,33 @@ "calling-code": [ "+235" ], + "capital": [ + "N'Djamena" + ], + "currency": [ + "Central African CFA franc", + "XAF" + ], "iso-code": [ "TD", "TCD" ], + "official-languages": [ + "Arabic", + "French" + ], + "synomyms": [ + "تشاد‎", + "Tshād", + "Tchad", + "Republic of Chad", + "République du Tchad", + "جمهورية تشاد", + "Jumhūriyyat Tshād" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".td" }, "uuid": "da6f9a8b-91f0-400f-ad1b-47b49fe48412", @@ -1311,10 +1433,31 @@ "calling-code": [ "+56" ], + "capital": [ + "Santiago" + ], + "currency": [ + "Peso", + "CLP" + ], "iso-code": [ "CL", "CHL" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "Republic of Chile", + "República de Chile (Spanish)", + "Chile Wüdalmapu", + "Chili Suyu", + "Chili Ripuwlika", + "Repūvirika o Tire" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".cl" }, "uuid": "bb81858f-5803-4f3b-9aac-92869b750f9e", @@ -1325,9 +1468,32 @@ "calling-code": [ "+86" ], + "capital": [ + "Beijing" + ], + "currency": [ + "Renminbi", + "yuan", + "¥", + "CNY" + ], "iso-code": [ "CN", "CHN" + ], + "official-languages": [ + "Standard Chinese" + ], + "synomyms": [ + "中国", + "Zhōngguó", + "People's Republic of China", + "PRC", + "中华人民共和国", + "Zhōnghuá Rénmín Gònghéguó" + ], + "territory-type": [ + "" ] }, "uuid": "53d3d205-db31-4ec9-86aa-c2bf11fd18e6", @@ -1338,10 +1504,27 @@ "calling-code": [ "+61" ], + "capital": [ + "Flying Fish Cove" + ], + "currency": [ + "Australian dollar", + "AUD" + ], "iso-code": [ "CX", "CXR" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Territory of Christmas Island" + ], + "territory-type": [ + "Australian external territory", + "External Territory" + ], "top-level-domain": ".cx" }, "uuid": "0ccf619a-927a-4963-9ec3-34598e898d46", 
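Review bot: The China entry commits `"territory-type": [ "" ]` — an empty-string placeholder rather than a value or an omitted key — which a consumer will treat as a real (blank) territory type. Either omit the key until the value is known or fill it in; the same applies to the all-`""` placeholder blocks committed for El Salvador, Equatorial Guinea, Eritrea, Estonia and Ethiopia in the following commit (hunks `@@ -1981,10 +2148,25 @@` through `@@ -2039,10 +2266,25 @@`), which are only filled a commit later. Separately, the Chad synonym `"تشاد‎"` appears to end in an invisible control character (probably U+200E, a left-to-right mark copied from a web page); such characters defeat literal matching and should be stripped.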
@@ -1352,9 +1535,23 @@ "calling-code": [ "+61" ], + "currency": [ + "Australian dollar", + "AUD" + ], "iso-code": [ "CC", "CCK" + ], + "synomyms": [ + "Cocos (Keeling) Islands", + "Territory of Cocos (Keeling) Islands", + "Pulu Kokos (Keeling)", + "Wilayah Kepulauan Cocos (Keeling)" + ], + "territory-type": [ + "Australian external territory", + "External Territory" ] }, "uuid": "a5752a1e-1306-4a6c-8ed4-c9d0f627d397", @@ -1365,10 +1562,28 @@ "calling-code": [ "+57" ], + "capital": [ + "Bogotá" + ], + "currency": [ + "Peso", + "COP" + ], "iso-code": [ "CO", "COL" ], + "official-languages": [ + "Spanish", + "English" + ], + "synomyms": [ + "Republic of Colombia", + "República de Colombia" + ], + "territory-type": [ + "sovereign state" + ], "top-level-domain": ".co" }, "uuid": "25f47423-5005-4caa-b4b0-6b9ada986611", @@ -1379,10 +1594,34 @@ "calling-code": [ "+269" ], + "capital": [ + "Moroni" + ], + "currency": [ + "Comorian franc", + "KMF" + ], "iso-code": [ "KM", "COM" ], + "official-languages": [ + "Comorian", + "Arabic", + "French" + ], + "synomyms": [ + "جزر القمر", + "Juzur al-Qumur/Qamar", + "Union of the Comoros", + "الاتحاد القمري", + "al-Ittiḥād al-Qumurī/Qamarī", + "Union des Comores", + "Umoja wa Komori" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".km" }, "uuid": "3a9ec602-9f36-4943-baee-f873ee3c3691", @@ -1393,10 +1632,28 @@ "calling-code": [ "+682" ], + "capital": [ + "Avarua" + ], + "currency": [ + "New Zealand dollar", + "NZD", + "Cook Islands dollar" + ], "iso-code": [ "CK", "COK" ], + "official-languages": [ + "English", + "Cook Islands Māori" + ], + "synomyms": [ + "Kūki 'Āirani" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ck" }, "uuid": "704756d4-9e33-48c3-8d25-037b00e94888", 
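Review bot: Colombia's `"territory-type": [ "sovereign state" ]` introduces yet another spelling for what the rest of the file records as `"Country"`, next to `"microstate"` earlier and `"Counry"` for Burkina Faso; Costa Rica gets the same `"sovereign state"` in the `@@ -1407,10 +1664,27 @@` hunk. If territory-type is meant to be filterable it needs one closed set of values, and these two should read `"Country"`. The Cocos (Keeling) Islands entry in the first hunk is also the only one in this run that adds currency and synonyms but no `capital` or `official-languages` key — worth confirming that is deliberate rather than an oversight.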
@@ -1407,10 +1664,27 @@ "calling-code": [ "+506" ], + "capital": [ + "San José" + ], + "currency": [ + "Costa Rican colón", + "CRC" + ], "iso-code": [ "CR", "CRI" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "Republic of Costa Rica", + "República de Costa Rica" + ], + "territory-type": [ + "sovereign state" + ], "top-level-domain": ".cr" }, "uuid": "a568be65-88ff-4290-9562-9a5227eb346a", @@ -1421,6 +1695,13 @@ "calling-code": [ "+385" ], + "capital": [ + "Zagreb" + ], + "currency": [ + "Kuna", + "HRK" + ], "iso-code": [ "HR", "HRV" @@ -1428,6 +1709,17 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Croatian" + ], + "synomyms": [ + "Hrvatska", + "Republic of Croatia", + "Republika Hrvatska" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".hr" }, "uuid": "c753504c-9fe3-41f3-a423-86f64eff2af4", @@ -1438,10 +1730,29 @@ "calling-code": [ "+53" ], + "capital": [ + "Havana" + ], + "currency": [ + "Peso", + "CUP", + "Convertible peso", + "CUC" + ], "iso-code": [ "CU", "CUB" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "Republic of Cuba", + "República de Cuba" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".cu" }, "uuid": "7abd8189-65d8-4682-8091-7350d8e8ea9f", 
@@ -1452,23 +1763,62 @@ "calling-code": [ "+599" ], + "capital": [ + "Willemstad" + ], + "currency": [ + "Netherlands Antillean guilder", + "ANG" + ], "iso-code": [ "CW", "CUW" - ] + ], + "official-languages": [ + "Papiamentu", + "Dutch", + "English" + ], + "synomyms": [ + "Curacao" + ], + "top-level-domain": ".cw" }, "uuid": "2f8fc176-c26d-48a9-a441-2f0e7b04e74b", - "value": "Curacao" + "value": "Curaçao" }, { "meta": { "calling-code": [ "+357" ], + "capital": [ + "Nicosia" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "CY", "CYP" ], + "official-languages": [ + "Greek", + "Turkish" + ], + "synomyms": [ + "Κύπρος", + "Kıbrıs", + "Republic of Cyprus", + "Κυπριακή Δημοκρατία", + "Cypriot Republic", + "Kıbrıs Cumhuriyeti" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".cy" }, "uuid": "95e86a29-0ee0-4ac5-8ec0-57036298c141", @@ -1479,6 +1829,13 @@ "calling-code": [ "+420" ], + "capital": [ + "Prague" + ], + "currency": [ + "Czech koruna", + "CZK" + ], "iso-code": [ "CZ", "CZE" @@ -1486,6 +1843,17 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Czech" + ], + "synomyms": [ + "Česká republika", + "Czechia", + "Česko" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".cz" }, "uuid": "ef6651eb-1168-422c-9853-5200c737b332", From a579c041d2f923be057055a0ea4189febc5816b3 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 22 Aug 2019 15:59:11 +0200 Subject: [PATCH 77/92] More clusters improved --- clusters/target-information.json | 242 +++++++++++++++++++++++++++++++ 1 file changed, 242 insertions(+) diff --git a/clusters/target-information.json b/clusters/target-information.json index c9a85d9..3283162 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json 
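Review bot: Renaming `"value": "Curacao"` to `"Curaçao"` changes the entry's display name while keeping the uuid; if consumers key on the value (MISP galaxy tags are derived from it), existing tags carrying the old spelling no longer resolve to this entry even though `"Curacao"` is kept as a synonym. Either call this out in the commit message or keep the ASCII value and add the accented form as the synonym instead. Curaçao is also the only entry in this hunk that gains the other keys but no `territory-type`.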
@@ -1864,10 +1864,35 @@ "calling-code": [ "+243" ], + "capital": [ + "Kinshasa" + ], + "currency": [ + "Congolese franc", + "CDF" + ], "iso-code": [ "CD", "COD" ], + "official-languages": [ + "French" + ], + "synomyms": [ + "DR Congo", + "DRC", + "DROC", + "Congo-Kinshasa", + "Congo", + "République démocratique du Congo", + "Repubilika ya Kôngo ya Dimokalasi", + "Republíki ya Kongó Demokratíki", + "Jamhuri ya Kidemokrasia ya Kongo", + "Ditunga dia Kongu wa Mungalaata" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".cd" }, "uuid": "5a266a76-fc45-4457-8838-3e490bd26dc1", @@ -1878,6 +1903,13 @@ "calling-code": [ "+45" ], + "capital": [ + "Copenhagen" + ], + "currency": [ + "Danish krone", + "DKK" + ], "iso-code": [ "DK", "DNK" @@ -1885,6 +1917,17 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Danish" + ], + "synomyms": [ + "Danmark", + "Kingdom of Denmark", + "Kongeriget Danmark" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".dk" }, "uuid": "2890ae27-cc54-42df-8c0c-47285145bd49", @@ -1895,10 +1938,34 @@ "calling-code": [ "+253" ], + "capital": [ + "Djibouti" + ], + "currency": [ + "Djiboutian franc", + "DJF" + ], "iso-code": [ "DJ", "DJI" ], + "official-languages": [ + "French", + "Arabic" + ], + "synomyms": [ + "Yibuuti", + "جيبوتي", + "Jabuuti", + "Republic of Djibouti", + "République de Djibouti", + "جمهورية جيبوتي", + "Jamhuuriyadda Jabuuti", + "Gabuutih Ummuuno" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".dj" }, "uuid": "543afec2-19b2-4769-aacb-dd69a380c2cc", @@ -1909,10 +1976,27 @@ "calling-code": [ "+1-767" ], + "capital": [ + "Roseau" + ], + "currency": [ + "East Caribbean dollar", + "XCD" + ], "iso-code": [ "DM", "DMA" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Wai‘tu kubuli", + "Commonwealth of Dominica" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".dm" }, "uuid": "151ff291-da46-41aa-b8c2-62faecefbe4a", 
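Review bot: The Democratic Republic of the Congo synonym list includes the bare `"Congo"`, which is equally a common name for the Republic of the Congo; if that entry (not visible here) also lists `"Congo"`, any synonym-based lookup becomes ambiguous and can attribute a target to the wrong state. Prefer the unambiguous forms already present (`"DR Congo"`, `"Congo-Kinshasa"`) and drop the bare one, or document which entry owns it.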
@@ -1925,10 +2009,26 @@ "+1-829", "+1-849" ], + "capital": [ + "Santo Domingo" + ], + "currency": [ + "Peso", + "DOP" + ], "iso-code": [ "DO", "DOM" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "República Dominicana" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".do" }, "uuid": "a621624f-5c1a-403d-b5dd-89da7af7555f", @@ -1939,10 +2039,32 @@ "calling-code": [ "+670" ], + "capital": [ + "Dili" + ], + "currency": [ + "United States dollar", + "USD", + "$" + ], "iso-code": [ "TL", "TLS" ], + "official-languages": [ + "Portuguese", + "Titum" + ], + "synomyms": [ + "Timor-Leste", + "Timór Lorosa'e", + "Democratic Republic of Timor-Leste", + "Repúblika Demokrátika Timór-Leste", + "República Democrática de Timor-Leste" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".tl" }, "uuid": "b5371e8a-00bb-4653-abe3-2e9b92454b15", @@ -1953,10 +2075,34 @@ "calling-code": [ "+593" ], + "capital": [ + "Quito" + ], + "currency": [ + "United States dollar", + "USD", + "$" + ], "iso-code": [ "EC", "ECU" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "Ikwayur", + "Ecuador", + "Ekuatur", + "Republic of Ecuador", + "República del Ecuador", + "Ikwayur Runaq Imayka", + "Ekuatur Nunka", + "Ikwadur Ripuwlika" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ec" }, "uuid": "9e4f2bc9-9ef5-4369-a275-b3df56e5a35e", @@ -1967,10 +2113,31 @@ "calling-code": [ "+20" ], + "capital": [ + "Cairo" + ], + "currency": [ + "Egyptian pound", + "E£", + "EGP)" + ], "iso-code": [ "EG", "EGY" ], + "official-languages": [ + "Arabic" + ], + "synomyms": [ + "مِصر‎", + "مَصر‎", + "Ⲭⲏⲙⲓ", + "Arab Republic of Egypt", + "جمهورية مصر العربية" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".eg" }, "uuid": "7fbebdc8-5a13-430e-9248-58d2b1a9af0f", 
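Review bot: Egypt's currency entry `"EGP)"` has a stray closing parenthesis and should be `"EGP"`; as the ISO code it is the value most likely to be matched exactly. In the same run, East Timor's official language `"Titum"` is a typo for `"Tetum"`, and the Egypt synonyms `"مِصر‎"` and `"مَصر‎"` appear to end in an invisible control character (likely U+200E) that should be stripped so literal comparisons work.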
@@ -1981,10 +2148,25 @@ "calling-code": [ "+503" ], + "capital": [ + "" + ], + "currency": [ + "" + ], "iso-code": [ "SV", "SLV" ], + "official-languages": [ + "" + ], + "synomyms": [ + "" + ], + "territory-type": [ + "" + ], "top-level-domain": ".sv" }, "uuid": "1822e12a-1f4b-4675-8e2a-a6d123b3ea24", @@ -1995,10 +2177,25 @@ "calling-code": [ "+240" ], + "capital": [ + "" + ], + "currency": [ + "" + ], "iso-code": [ "GQ", "GNQ" ], + "official-languages": [ + "" + ], + "synomyms": [ + "" + ], + "territory-type": [ + "" + ], "top-level-domain": ".gq" }, "uuid": "5c3d7a8e-9cd6-4d3d-ab6b-3cb8acaa208f", @@ -2009,9 +2206,24 @@ "calling-code": [ "+291" ], + "capital": [ + "" + ], + "currency": [ + "" + ], "iso-code": [ "ER", "ERI" + ], + "official-languages": [ + "" + ], + "synomyms": [ + "" + ], + "territory-type": [ + "" ] }, "uuid": "aea99d00-9675-4289-9f3b-acb1ddf13f49", @@ -2022,6 +2234,12 @@ "calling-code": [ "+372" ], + "capital": [ + "" + ], + "currency": [ + "" + ], "iso-code": [ "EE", "EST" @@ -2029,6 +2247,15 @@ "member-of": [ "NATO" ], + "official-languages": [ + "" + ], + "synomyms": [ + "" + ], + "territory-type": [ + "" + ], "top-level-domain": ".ee" }, "uuid": "c8ea4824-7ed2-473a-906d-745bd73a2612", @@ -2039,10 +2266,25 @@ "calling-code": [ "+251" ], + "capital": [ + "" + ], + "currency": [ + "" + ], "iso-code": [ "ET", "ETH" ], + "official-languages": [ + "" + ], + "synomyms": [ + "" + ], + "territory-type": [ + "" + ], "top-level-domain": ".et" }, "uuid": "b25e700a-6b79-4c86-90ff-304032b182db", From bae47241f06eafd81ddff31461cfda5e7e323b4e Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 23 Aug 2019 11:14:14 +0200 Subject: [PATCH 78/92] More clusters improved --- clusters/target-information.json | 79 +++++++++++++++++++++----------- 1 file changed, 52 insertions(+), 27 deletions(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index 3283162..e7a793e 100644 --- a/clusters/target-information.json 
+++ b/clusters/target-information.json @@ -2149,23 +2149,26 @@ "+503" ], "capital": [ - "" + "San Salvador" ], "currency": [ - "" + "$", + "USD", + "United States dollara" ], "iso-code": [ "SV", "SLV" ], "official-languages": [ - "" + "Spanish" ], "synomyms": [ - "" + "Republic of El Salvador", + "República de El Salvador" ], "territory-type": [ - "" + "Country" ], "top-level-domain": ".sv" }, @@ -2178,23 +2181,32 @@ "+240" ], "capital": [ - "" + "Malabo" ], "currency": [ - "" + "Central African CFA franc", + "XAF" ], "iso-code": [ "GQ", "GNQ" ], "official-languages": [ - "" + "Spanish", + "French", + "Portuguese" ], "synomyms": [ - "" + "Guinea Ecuatorial", + "Guinée équatoriale", + "Guiné Equatorial", + "Republic of Equatorial Guinea", + "República de Guinea Ecuatorial", + "République de Guinée équatoriale", + "República da Guiné Equatorial" ], "territory-type": [ - "" + "Country" ], "top-level-domain": ".gq" }, @@ -2207,23 +2219,22 @@ "+291" ], "capital": [ - "" + "Asmara" ], "currency": [ - "" + "Nakfa", + "ERN" ], "iso-code": [ "ER", "ERI" ], - "official-languages": [ - "" - ], "synomyms": [ - "" + "ኤርትራ", + "State of Eritrea" ], "territory-type": [ - "" + "Country" ] }, "uuid": "aea99d00-9675-4289-9f3b-acb1ddf13f49", @@ -2235,10 +2246,12 @@ "+372" ], "capital": [ - "" + "Tallinn" ], "currency": [ - "" + "€", + "EUR", + "EURO" ], "iso-code": [ "EE", @@ -2248,13 +2261,15 @@ "NATO" ], "official-languages": [ - "" + "Estonian" ], "synomyms": [ - "" + "Eesti", + "Republic of Estonia", + "Eesti Vabariik" ], "territory-type": [ - "" + "Country" ], "top-level-domain": ".ee" }, 
@@ -2267,23 +2282,33 @@ "+251" ], "capital": [ - "" + "Addis Ababa" ], "currency": [ - "" + "Birr", + "ETB" ], "iso-code": [ "ET", "ETH" ], "official-languages": [ - "" + "Amharic" ], "synomyms": [ - "" + "ኢትዮጵያ", + "ኢትዮጵያ", + "Itoophiyaa", + "Itoobiya", + "Federal Democratic Republic of Ethiopia", + "የኢትዮጵያ ፌዴራላዊ ዴሞክራሲያዊ ሪፐብሊክ ", + "ityoppiah federalih demokrasih ummuno", + "Rippabliikii Federaalawaa Dimokraatawaa Itiyoophiyaa", + "Jamhuuriyadda Dimuqraadiga Federaalka Itoobiya", + "ናይኢትዮጵያ ፌዴራላዊ ዴሞክራሲያዊ ሪፐብሊክ " ], "territory-type": [ - "" + "Country" ], "top-level-domain": ".et" }, From fcded146c2f50072bd03754d7589c2921ac57f4d Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 23 Aug 2019 16:01:12 +0200 Subject: [PATCH 79/92] More clusters improved --- clusters/target-information.json | 112 +++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) diff --git a/clusters/target-information.json b/clusters/target-information.json index e7a793e..c316597 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -2320,10 +2320,26 @@ "calling-code": [ "+500" ], + "capital": [ + "Stanley" + ], + "currency": [ + "Falklands pound", + "FKP" + ], "iso-code": [ "FK", "FLK" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Islas Malvinas" + ], + "territory-type": [ + "British Overseas Territory" + ], "top-level-domain": ".fk" }, "uuid": "8041a1dc-e9a6-460e-8dd8-d37e45b787dd", @@ -2334,9 +2350,28 @@ "calling-code": [ "+298" ], + "capital": [ + "Tórshavn" + ], + "currency": [ + "Faroese króna", + "DKK" + ], "iso-code": [ "FO", "FRO" + ], + "official-languages": [ + "Faroese", + "Danish" + ], + "synomyms": [ + "Føroyar", + "Færøerne", + "Faeroe Islands" + ], + "territory-type": [ + "Country" ] }, "uuid": "3aa1d642-9b8d-4dcd-bd4a-5368602555a4", 
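Review bot: Ethiopia's synonym list contains `"ኢትዮጵያ"` twice, and two entries (`"የኢትዮጵያ ፌዴራላዊ ዴሞክራሲያዊ ሪፐብሊክ "`, `"ናይኢትዮጵያ ፌዴራላዊ ዴሞክራሲያዊ ሪፐብሊክ "`) end in a trailing space, so an exact-match lookup on the trimmed name will miss them; the same trailing space appears in French Polynesia's `"Pōrīnetia Farāni "` in the following commit (`@@ -2392,9 +2487,26 @@`). A pre-commit step that trims and de-duplicates list values would catch all of these.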
@@ -2347,10 +2382,31 @@ "calling-code": [ "+679" ], + "capital": [ + "Suva" + ], + "currency": [ + "Fijian dollar", + "FJD" + ], "iso-code": [ "FJ", "FJI" ], + "official-languages": [ + "English", + "Fijian" + ], + "synomyms": [ + "Viti", + "फ़िजी", + "Republic of Fiji", + "Matanitu Tugalala o Viti", + "फ़िजी गणराज्य" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".fj" }, "uuid": "218bcbfe-46cb-4fd0-852c-3a7fc64a2908", @@ -2361,10 +2417,31 @@ "calling-code": [ "+358" ], + "capital": [ + "Helsinki" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "FI", "FIN" ], + "official-languages": [ + "Finnish", + "Swedish" + ], + "synomyms": [ + "Suomi", + "Republic of Finland", + "Suomen tasavalta", + "Republiken Finland" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".fi" }, "uuid": "bde60aea-b748-4bd9-8d6d-f0174af0b36e", @@ -2375,6 +2452,14 @@ "calling-code": [ "+33" ], + "capital": [ + "Paris" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "FR", "FRA" @@ -2382,6 +2467,16 @@ "member-of": [ "NATO" ], + "official-languages": [ + "French" + ], + "synomyms": [ + "French Republic", + "République française" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".fr" }, "uuid": "0cc6ad08-fac6-42bc-a7c7-09a53ea6b968", @@ -2392,9 +2487,26 @@ "calling-code": [ "+689" ], + "capital": [ + "Papeete" + ], + "currency": [ + "CFP franc", + "XPF" + ], "iso-code": [ "PF", "PYF" + ], + "official-languages": [ + "French" + ], + "synomyms": [ + "Polynésie française", + "Pōrīnetia Farāni " + ], + "territory-type": [ + "Overseas country of the French Republic" ] }, "uuid": "df751036-8c01-41ce-ab02-139119ce9213", From 300e3c2bfbda6ca93367d2e5e2bd06ea39721a49 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 26 Aug 2019 17:50:20 +0200 Subject: [PATCH 80/92] More clusters improved --- clusters/target-information.json | 286 ++++++++++++++++++++++++++++++- 1 file changed, 280 insertions(+), 6 deletions(-) 
diff --git a/clusters/target-information.json b/clusters/target-information.json index c316597..69521a3 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -2154,7 +2154,7 @@ "currency": [ "$", "USD", - "United States dollara" + "United States dollar" ], "iso-code": [ "SV", @@ -2517,10 +2517,27 @@ "calling-code": [ "+241" ], + "capital": [ + "Libreville" + ], + "currency": [ + "Central African CFA franc", + "XAF" + ], "iso-code": [ "GA", "GAB" ], + "official-languages": [ + "French" + ], + "synomyms": [ + "Gabonese Republic", + "République gabonaise" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ga" }, "uuid": "8e70d742-c708-4a9e-8ab1-6a8a90306ccf", @@ -2531,10 +2548,28 @@ "calling-code": [ "+220" ], + "capital": [ + "Banjul" + ], + "currency": [ + "Dalasi", + "GMD" + ], "iso-code": [ "GM", "GMB" - ] + ], + "official-languages": [ + "English" + ], + "synomyms": [ + "The Gambia", + "Republic of The Gambia" + ], + "territory-type": [ + "Country" + ], + "top-level-domain": ".gm" }, "uuid": "2ded2689-16c3-4476-a2d8-04c4bc51ae4a", "value": "Gambia" @@ -2544,10 +2579,32 @@ "calling-code": [ "+995" ], + "capital": [ + "Tbilisi" + ], + "currency": [ + "Georgian lari", + "₾", + "GEL" + ], "iso-code": [ "GE", "GEO" ], + "official-languages": [ + "Georgian", + "Abkhazian" + ], + "synomyms": [ + "საქართველო", + "sakartvelo", + "Republic of Georgia", + "საქართველოს რესპუბლიკა", + "sakartvelos resp'ublik'a" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ge" }, "uuid": "76c2f2fe-ce68-4008-aa30-1ac8de38d617", @@ -2558,6 +2615,14 @@ "calling-code": [ "+49" ], + "capital": [ + "Berlin" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "DE", "DEU" 
@@ -2565,6 +2630,17 @@ "member-of": [ "NATO" ], + "official-languages": [ + "German" + ], + "synomyms": [ + "Deutschland", + "Federal Republic of Germany", + "Bundesrepublik Deutschland" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".de" }, "uuid": "4121d334-39d0-49c4-8a0e-0442c6bdcbc4", @@ -2575,10 +2651,26 @@ "calling-code": [ "+233" ], + "capital": [ + "Accra" + ], + "currency": [ + "Ghanaian cedi", + "GHS" + ], "iso-code": [ "GH", "GHA" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Republic of Ghana" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gh" }, "uuid": "6f7a0f04-8299-4a2d-95d0-a8305a1ae23e", @@ -2589,10 +2681,29 @@ "calling-code": [ "+350" ], + "capital": [ + "Gibraltar" + ], + "currency": [ + "Gibraltar pound", + "£", + "GIP" + ], "iso-code": [ "GI", "GIB" - ] + ], + "official-languages": [ + "English" + ], + "synomyms": [ + "جبل طارق", + "Jabal Ṭāriq" + ], + "territory-type": [ + "British Overseas Territory" + ], + "top-level-domain": ".gi" }, "uuid": "078a914d-7ef3-413b-8a62-2473b8db1c12", "value": "Gibraltar" @@ -2602,6 +2713,14 @@ "calling-code": [ "+30" ], + "capital": [ + "Athens" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "GR", "GRC" @@ -2609,6 +2728,19 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Greek" + ], + "synomyms": [ + "Hellas", + "Ελλάς", + "Hellenic Republic", + "Ελληνική Δημοκρατία", + "Ellinikí Dimokratía" + ], + "territory-type": [ + "sovereign state" + ], "top-level-domain": ".gr" }, "uuid": "505730f7-2637-4efb-845d-f1af7cdca109", @@ -2619,10 +2751,28 @@ "calling-code": [ "+299" ], + "capital": [ + "Nuuk" + ], + "currency": [ + "Danish krone", + "DKK" + ], "iso-code": [ "GL", "GRL" - ] + ], + "official-languages": [ + "Greenandic" + ], + "synomyms": [ + "Kalaallit Nunaat", + "Grønland" + ], + "territory-type": [ + "Country" + ], + "top-level-domain": ".gl" }, "uuid": "20f2c544-093d-4964-84ae-7d5fd54ad6d0", "value": "Greenland" 
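Review bot: The Greece entry sets `"territory-type": ["sovereign state"]` while every other country in these hunks uses `"Country"`, so a consumer filtering on this field will put Greece (and Grenada in the next commit hunk, which uses the same value) in a different category than Germany or Ghana. Use `"Country"` here unless the distinction is intended, in which case the permitted value set should be documented for the field. As an enum-like string field, casing should also be uniform.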
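Review bot: `"Greenandic"` in the Greenland official-languages list is a typo for `"Greenlandic"`. Nothing in the repository's validation catches a misspelled value, so this needs a manual correction to `"Greenlandic"`.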
@@ -2632,10 +2782,23 @@ "calling-code": [ "+1-473" ], + "capital": [ + "St. George's" + ], + "currency": [ + "East Caribbean dollar", + "XCD" + ], "iso-code": [ "GD", "GRD" ], + "official-languages": [ + "English" + ], + "territory-type": [ + "sovereign state" + ], "top-level-domain": ".gd" }, "uuid": "1aea4486-eef7-496b-9a69-a2d2bdbe7b77", @@ -2646,10 +2809,30 @@ "calling-code": [ "+1-671" ], + "capital": [ + "Hagåtña" + ], + "currency": [ + "$", + "USD", + "United States dollar" + ], "iso-code": [ "GU", "GUM" - ] + ], + "official-languages": [ + "English", + "Chamorro" + ], + "synomyms": [ + "Guåhån", + "Territory of Guam" + ], + "territory-type": [ + "Unincorporated organized territory" + ], + "top-level-domain": ".gu" }, "uuid": "4dc24d07-79ee-43b7-98a0-53bc79a29708", "value": "Guam" @@ -2659,10 +2842,27 @@ "calling-code": [ "+502" ], + "capital": [ + "Guatemala City" + ], + "currency": [ + "Quetzal", + "GTQ" + ], "iso-code": [ "GT", "GTM" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "Republic of Guatemala", + "República de Guatemala" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gt" }, "uuid": "3e3e89d2-07f3-4ddc-addf-2d5cb05bedd1", @@ -2673,10 +2873,30 @@ "calling-code": [ "+44-1481" ], + "capital": [ + "St Peter Port" + ], + "currency": [ + "Guernsey Pound", + "Pound sterling", + "GGP", + "GBP" + ], "iso-code": [ "GG", "GGY" - ] + ], + "official-languages": [ + "English", + "French" + ], + "synomyms": [ + "Guernési" + ], + "territory-type": [ + "Jurisdiction" + ], + "top-level-domain": ".gg" }, "uuid": "dd42b40e-2740-46f5-9bb1-6d0799a081c7", "value": "Guernsey" 
@@ -2686,10 +2906,30 @@ "calling-code": [ "+224" ], + "capital": [ + "Conakry" + ], + "currency": [ + "Guinean franc", + "GNF" + ], "iso-code": [ "GN", "GIN" ], + "official-languages": [ + "French" + ], + "synomyms": [ + "Ginee", + "Guinée", + "Republic of Guinea", + "Renndaandi Ginee", + "République de Guinée (French)" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gn" }, "uuid": "f227edf8-e538-45b8-8a70-1a05ea5a605b", @@ -2700,10 +2940,28 @@ "calling-code": [ "+245" ], + "capital": [ + "Bisseau" + ], + "currency": [ + "West African CFA franc", + "XOF" + ], "iso-code": [ "GW", "GNB" ], + "official-languages": [ + "Portuguese" + ], + "synomyms": [ + "Guiné-Bissau", + "Republic of Guinea-Bissau", + "República da Guiné-Bissau" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gw" }, "uuid": "3b5824bc-936e-4403-bdc9-4dd9a7db36e3", @@ -2714,10 +2972,26 @@ "calling-code": [ "+592" ], + "capital": [ + "Georgetown" + ], + "currency": [ + "Guyanese dollar", + "GYD" + ], "iso-code": [ "GY", "GUY" ], + "official-languages": [ + "English" + ], + "synomyms": [ + "Co-operative Republic of Guyana" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".gy" }, "uuid": "cb9fbca4-6cc6-4f83-9ebc-4e975cddea69", From ea68336b969559e01dbeba951837768721587d27 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 27 Aug 2019 08:28:58 +0200 Subject: [PATCH 81/92] add ref for Gamaredon --- clusters/threat-actor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 31bdae9..4ebb4e1 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
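Review bot: `"République de Guinée (French)"` embeds a language annotation in the synonym value itself; no other synonym in these hunks carries such a suffix, and an exact-match lookup for the French name will not find it. Drop the suffix so the value is `"République de Guinée"`. In the following Guinea-Bissau hunk, the capital `"Bisseau"` is a typo for `"Bissau"`.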
@@ -4257,7 +4257,8 @@ "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution", "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/", - "https://attack.mitre.org/groups/G0047/" + "https://attack.mitre.org/groups/G0047/", + "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon" ] }, "related": [ From 9926ea88262d06a8155fb2756a53c487f282ba1f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 28 Aug 2019 14:35:12 +0200 Subject: [PATCH 82/92] chg: [threat-actor] LYCEUM added - 443 #fixed --- clusters/threat-actor.json | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 31bdae9..a99c16d 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7642,6 +7642,15 @@ "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d", "value": "TA428" }, + { + "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", + "value": "LYCEUM", + "meta": { + "refs": [ + "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" + ] + } + }, { "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.", "meta": { @@ -7688,5 +7697,5 @@ "value": "APT41" } ], - "version": 126 + "version": 128 } From 395dd93e0f11e879f5f404d476eb91b2b3919c26 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Wed, 28 Aug 2019 15:40:03 +0200 Subject: [PATCH 83/92] add Asruex Backdoor --- clusters/backdoor.json | 12 +++++++++++- clusters/threat-actor.json | 2 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/clusters/backdoor.json b/clusters/backdoor.json index 4bb7a60..ac2cc9b 100644 --- a/clusters/backdoor.json 
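Review bot: The new LYCEUM entry carries no `description`, unlike the APT41 entry that follows it, and it lists `uuid` and `value` before `meta` whereas the surrounding entries put `meta` first. A one-sentence description drawn from the Secureworks reference, in the usual key order, would make the entry consistent with the rest of the cluster. The `version` field also advances from 126 to 128 in a single commit, while elsewhere in this series it moves by one.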
+++ b/clusters/backdoor.json @@ -80,7 +80,17 @@ ], "uuid": "a4757e11-0837-42c0-958a-7490cff58687", "value": "SLUB" + }, + { + "description": "Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.", + "meta": { + "refs": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/" + ] + }, + "uuid": "b7ad60a0-d648-4775-adec-c78b1a92fc34", + "value": "Asruex" } ], - "version": 5 + "version": 6 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4ebb4e1..24eb9ea 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7689,5 +7689,5 @@ "value": "APT41" } ], - "version": 126 + "version": 128 } From 025cc937653e39150375ecb73436a89ac03d3c9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Wed, 28 Aug 2019 16:49:39 +0200 Subject: [PATCH 84/92] fix: Make tests happy --- clusters/threat-actor.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index a99c16d..f392bf3 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
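Review bot: This commit touches threat-actor.json only to bump `version` from 126 to 128, with no content change to that file, and PATCH 82 in this series bumps the same field to the same 128 from a different parent (`index 31bdae9..a99c16d` there versus `index 4ebb4e1..24eb9ea` here), so the two will either conflict on merge or leave two different file contents under one version number. Bump the version only in the commit that changes the cluster's content, and advance it by one. The backdoor.json bump from 5 to 6 in the same commit is the right pattern.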
@@ -7643,13 +7643,13 @@ "value": "TA428" }, { - "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", - "value": "LYCEUM", "meta": { "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" ] - } + }, + "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", + "value": "LYCEUM" }, { "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.", From 8d78a2a108c78173cb6c02f374b3ed7a1f2e8988 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 29 Aug 2019 08:31:10 +0200 Subject: [PATCH 85/92] chg: [threat-actor] jq all --- clusters/threat-actor.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index d5a6142..7250d68 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7644,13 +7644,13 @@ "value": "TA428" }, { - "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", - "value": "LYCEUM", "meta": { "refs": [ "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" ] - } + }, + "uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a", + "value": "LYCEUM" }, { "description": "APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.", From 49f8f60a85d21f9518c5173002cd2697fa2b97e3 Mon Sep 17 00:00:00 2001 From: StefanKelm Date: Thu, 29 Aug 2019 13:13:00 +0200 Subject: [PATCH 86/92] Update threat-actor.json Add ITG08 as synonym for FIN6 --- clusters/threat-actor.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7250d68..222569b 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -3735,10 +3735,12 @@ "refs": [ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "https://attack.mitre.org/groups/G0037/" + "https://attack.mitre.org/groups/G0037/", + "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" ], "synonyms": [ - "Skeleton Spider" + "Skeleton Spider", + "ITG08" ] }, "related": [ @@ -7698,5 +7700,5 @@ "value": "APT41" } ], - "version": 128 + "version": 129 } From c93103bba17c501a5cebe49b9646ccad1b8fe86e Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Fri, 30 Aug 2019 09:57:05 +0200 Subject: [PATCH 87/92] Add test for empty strings Should prevent MISP/misp-galaxy#438 --- .gitignore | 1 + tools/__init__.py | 0 tools/chk_dup.py | 33 ++++++++++++++++++++++++--------- tools/chk_empty_strings.py | 24 ++++++++++++++++++++++++ validate_all.sh | 3 +++ 5 files changed, 52 insertions(+), 9 deletions(-) create mode 100644 .gitignore create mode 100644 tools/__init__.py create mode 100755 tools/chk_empty_strings.py diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..bee8a64 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +__pycache__ diff --git a/tools/__init__.py b/tools/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/tools/chk_dup.py b/tools/chk_dup.py index 2ed2f89..9df3000 100755 --- a/tools/chk_dup.py +++ b/tools/chk_dup.py @@ -8,9 +8,19 @@ import os import collections -def loadjsons(path): +def loadjsons(path, return_paths=False): """ - Find all Jsons and load them in a dict + Find all Jsons and load them in a dict + + Parameters: + path: string + return_names: boolean, if the name of the file should be returned, + default: False + + Returns: + List of parsed file contents. + If return_paths is True, then every list item is a tuple of the + file name and the file content """ files = [] data = [] 
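Review bot: The new docstring documents a parameter `return_names`, but the parameter added to the signature is `return_paths`, and the Returns section says each item is a tuple of the "file name and the file content" while the body (in the next hunk) stores `os.path.join(path, jfile)`, i.e. a path. Change the entry to `return_paths: boolean, if the path of the file should be returned, default: False` and say "file path" in the Returns section. The body of `loadjsons` continues outside this hunk.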
@@ -18,9 +28,14 @@ def loadjsons(path):
if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'):
files.append(name)
for jfile in files:
- data.append(json.load(open("%s/%s" % (path, jfile))))
+ filepath = os.path.join(path, jfile)
+ if return_paths:
+ data.append((filepath, json.load(open(filepath))))
+ else:
+ data.append(json.load(json.load(open(filepath))))
return data
+
if __name__ == '__main__':
"""
Iterate all name + synonyms
@@ -33,19 +48,19 @@ if __name__ == '__main__':
items = djson.get('values')
for entry in items:
name = entry.get('value').strip().lower()
- counter[name]+=1
+ counter[name] += 1
namespace.append([name, djson.get('name')])
try:
for synonym in entry.get('meta').get('synonyms'):
name = synonym.strip().lower()
- counter[name]+=1
+ counter[name] += 1
namespace.append([name, djson.get('name')])
except (AttributeError, TypeError):
pass
counter = dict(counter)
for key, val in counter.items():
- if val>1:
- print ("Warning duplicate %s" % key)
+ if val > 1:
+ print("Warning duplicate %s" % key)
for item in namespace:
- if item[0]==key:
- print (item)
+ if item[0] == key:
+ print(item)
diff --git a/tools/chk_empty_strings.py b/tools/chk_empty_strings.py
new file mode 100755
index 0000000..1ccac24
--- /dev/null
+++ b/tools/chk_empty_strings.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+# coding=utf-8
+"""
+ Tools to find empty string entries in galaxies
+"""
+from .chk_dup import loadjsons
+import sys
+
+
+if __name__ == '__main__':
+ jsons = loadjsons("clusters", return_paths=True)
+ retval = 0
+ for clustername, djson in jsons:
+ items = djson.get('values')
+ for entry in items:
+ name = entry.get('value')
+ for key, value in entry.get('meta', {}).items():
+ if isinstance(value, list):
+ if '' in value:
+ retval = 1
+ print("Empty string found in Cluster %r: values/%s/meta/%s"
+ "" % (clustername, name, key),
+ file=sys.stderr)
+ sys.exit(retval)
diff --git a/validate_all.sh b/validate_all.sh
index 7d1a842..f797c55 100755
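Review bot: The `else` branch calls `json.load` twice, `data.append(json.load(json.load(open(filepath))))`, so the default `return_paths=False` path raises: the inner call already returns the parsed object and the outer `json.load` then expects something with `.read()`, which breaks every existing caller that passes no flag. Both branches also leave the opened file handle unclosed. Parse the file once inside a `with` block and pick the element shape afterwards; the rest of the loop is unchanged.
```python
    for jfile in files:
        filepath = os.path.join(path, jfile)
        with open(filepath) as fh:
            content = json.load(fh)
        data.append((filepath, content) if return_paths else content)
    return data
```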
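Review bot: The check in chk_empty_strings.py flags only an exact `''` inside list-valued `meta` entries, so whitespace-only strings, values with stray leading or trailing whitespace (several are added in the target-information hunks of this series), and scalar string fields such as `top-level-domain` pass unnoticed. Consider `if any(isinstance(v, str) and not v.strip() for v in value)` for the list case and a matching test for scalar strings. The file also has a shebang and mode 100755 but uses a relative import, `from .chk_dup import loadjsons`, so running it directly as a script fails; it only works via `python3 -m tools.chk_empty_strings` as validate_all.sh does. The loop further assumes every cluster has a `values` list, since `djson.get('values')` returning None would raise on iteration.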
--- a/validate_all.sh +++ b/validate_all.sh @@ -84,3 +84,6 @@ do fi echo '' done + +# check for empyt strings in clusters +python3 -m tools.chk_empty_strings From e13087a9c4d92021edef20017ed70ef8f3057014 Mon Sep 17 00:00:00 2001 From: Sebastian Wagner Date: Fri, 30 Aug 2019 10:05:29 +0200 Subject: [PATCH 88/92] target-information: fix territory-type for China --- clusters/target-information.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index c316597..8bcc969 100644 --- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -1493,7 +1493,7 @@ "Zhōnghuá Rénmín Gònghéguó" ], "territory-type": [ - "" + "Country" ] }, "uuid": "53d3d205-db31-4ec9-86aa-c2bf11fd18e6", From f5056ff02e8e08947a76839824d78a5959f7a266 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 30 Aug 2019 11:03:30 +0200 Subject: [PATCH 89/92] chg: [threat-actor] add machete-apt synonyms as reported in #445 --- clusters/threat-actor.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 7250d68..cf48517 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -4675,7 +4675,8 @@ "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" ], "synonyms": [ - "Machete" + "Machete", + "machete-apt" ] }, "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3", @@ -7698,5 +7699,5 @@ "value": "APT41" } ], - "version": 128 + "version": 129 } From 5504c10e3d098d2260ac926a06661113d5b60bd7 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 30 Aug 2019 16:32:02 +0200 Subject: [PATCH 90/92] improve more clusters --- clusters/target-information.json | 270 ++++++++++++++++++++++++++++++- 1 file changed, 269 insertions(+), 1 deletion(-) diff --git a/clusters/target-information.json b/clusters/target-information.json index 69521a3..a9ef9b1 100644 
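Review bot: The comment on the added line has a typo: `# check for empyt strings in clusters` should read `# check for empty strings in clusters`. More importantly, the non-zero exit status of `python3 -m tools.chk_empty_strings` is not propagated unless the script runs under `set -e`, which is not visible in this hunk; if it does not, the new check reports but never fails the run. Append `|| exit 1` to the command, or handle it the same way the rest of the script treats failed checks.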
--- a/clusters/target-information.json +++ b/clusters/target-information.json @@ -3002,10 +3002,33 @@ "calling-code": [ "+509" ], + "capital": [ + "Port-au-Prince" + ], + "currency": [ + "Haitian gourde", + "G", + "HTG" + ], "iso-code": [ "HT", "HTI" ], + "official-languages": [ + "French", + "Haitian Creole" + ], + "synomyms": [ + "Haïti", + "Ayiti", + "Republic of Haiti", + "République d'Haïti", + "Repiblik Ayiti", + "Hayti" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ht" }, "uuid": "595dd000-64ac-43b5-be17-0f52eff47459", @@ -3016,10 +3039,27 @@ "calling-code": [ "+504" ], + "capital": [ + "Tegucigalpa" + ], + "currency": [ + "Lempira", + "HNL" + ], "iso-code": [ "HN", "HND" ], + "official-languages": [ + "Spanish" + ], + "synomyms": [ + "Republic of Honduras", + "República de Honduras" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".hn" }, "uuid": "74a66006-ce2b-4280-abd1-e6f14ff9b926", @@ -3030,10 +3070,25 @@ "calling-code": [ "+852" ], + "currency": [ + "Hong Kong dollar", + "HK$", + "HKD" + ], "iso-code": [ "HK", "HKG" ], + "official-languages": [ + "Chinese", + "English" + ], + "synomyms": [ + "Hong Kong Special Administrative Region of the People's Republic of China" + ], + "territory-type": [ + "special administrative region" + ], "top-level-domain": ".hk" }, "uuid": "51c8ffc5-5453-4bf8-b100-74186d9a0de0", @@ -3044,6 +3099,13 @@ "calling-code": [ "+36" ], + "capital": [ + "Budapest" + ], + "currency": [ + "Forint", + "HUF" + ], "iso-code": [ "HU", "HUN" @@ -3051,6 +3113,15 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Hungarian" + ], + "synomyms": [ + "Magyarország" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".hu" }, "uuid": "adc52cee-5668-498d-8111-db1c38a584c5", @@ -3061,6 +3132,13 @@ "calling-code": [ "+354" ], + "capital": [ + "Reykjavík" + ], + "currency": [ + "Icelandic króna", + "ISK" + ], "iso-code": [ "IS", "ISL" 
@@ -3068,6 +3146,15 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Icelandic" + ], + "synomyms": [ + "Ísland" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".is" }, "uuid": "5bcfbed4-d9af-40ab-bcbd-013cad252570", @@ -3078,10 +3165,29 @@ "calling-code": [ "+91" ], + "capital": [ + "New Delhi" + ], + "currency": [ + "Indian rupee", + "₹", + "INR" + ], "iso-code": [ "IN", "IND" ], + "official-languages": [ + "Hindi", + "English" + ], + "synomyms": [ + "Republic of India", + "Bhārat Gaṇarājya" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".in" }, "uuid": "283a7b58-9fa6-48c8-95bc-9ece77b5b2ea", @@ -3092,10 +3198,28 @@ "calling-code": [ "+62" ], + "capital": [ + "Jakarta" + ], + "currency": [ + "Indonesian rupiah", + "Rp", + "IDR" + ], "iso-code": [ "ID", "IDN" ], + "official-languages": [ + "Indonesian" + ], + "synomyms": [ + "Republic of Indonesia", + "Republik Indonesia" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".id" }, "uuid": "417b5c63-a388-45d1-b104-cede98b13fe0", @@ -3106,10 +3230,30 @@ "calling-code": [ "+98" ], + "capital": [ + "Tehran" + ], + "currency": [ + "Rial", + "ریال", + "IRR" + ], "iso-code": [ "IR", "IRN" ], + "official-languages": [ + "Persian" + ], + "synomyms": [ + "Persia", + "Islamic Republic of Iran", + "جمهوری اسلامی ایران", + "Jomhuri-ye Eslāmi-ye Irān" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ir" }, "uuid": "12b32332-ead1-4f69-be61-69ab1ed27d01", 
@@ -3120,10 +3264,36 @@ "calling-code": [ "+964" ], + "capital": [ + "Baghdad" + ], + "currency": [ + "Iraqi dinar", + "IQD" + ], "iso-code": [ "IQ", "IRQ" ], + "official-languages": [ + "Arabic", + "Kurdish" + ], + "synomyms": [ + "العراق", + "al-'Irāq", + "عێراق‎", + "Êraq", + "Republic of Iraq", + "جمهورية العراق", + "کۆماری عێراق", + "کۆمارا ئێـراقێ", + "Jumhūrīyyat al-'Irāq", + "Komarî Êraq" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".iq" }, "uuid": "625f37bd-fe48-4791-ac1e-be8d069643a1", @@ -3134,10 +3304,29 @@ "calling-code": [ "+353" ], + "capital": [ + "Dublin" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "IE", "IRL" ], + "official-languages": [ + "Irish", + "English" + ], + "synomyms": [ + "Éire", + "Republic of Ireland" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ie" }, "uuid": "b1243ef1-78f4-4e10-841d-bc61361f21f8", @@ -3148,10 +3337,32 @@ "calling-code": [ "+44-1624" ], + "capital": [ + "Douglas" + ], + "currency": [ + "Pound sterling", + "GBP", + "Manx pound", + "IMP" + ], "iso-code": [ "IM", "IMN" - ] + ], + "official-languages": [ + "English", + "Manx" + ], + "synomyms": [ + "Mannin", + "Ellan Vannin", + "Mann" + ], + "territory-type": [ + "Crown dependency" + ], + "top-level-domain": ".im" }, "uuid": "57855966-b290-47e2-b098-1d903f4163b8", "value": "Isle of Man" @@ -3161,10 +3372,29 @@ "calling-code": [ "+972" ], + "capital": [ + "Jerusalem" + ], + "currency": [ + "New shekel", + "₪", + "‎ILS" + ], "iso-code": [ "IL", "ISR" ], + "official-languages": [ + "Hebrew" + ], + "synomyms": [ + "יִשְׂרָאֵל", + "إِسْرَائِيل‎", + "State of Israel" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".il" }, "uuid": "3273414a-8331-44cc-b3f6-890bf2363607", @@ -3175,6 +3405,14 @@ "calling-code": [ "+39" ], + "capital": [ + "Rome" + ], + "currency": [ + "€", + "EUR", + "EURO" + ], "iso-code": [ "IT", "ITA" 
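Review bot: The Iraq synonym `"عێراق‎"` ends with an invisible U+200E LEFT-TO-RIGHT MARK, and in the Israel hunk of the same commit both `"إِسْرَائِيل‎"` (trailing) and the currency code `"‎ILS"` (leading) carry the same mark, so the ISO 4217 code is not the plain ASCII string `"ILS"` and none of the three values will match on exact comparison. Strip the direction marks from all three values; the currency entry should be plain `"ILS"`. Such characters are invisible in most editors, so a validation step that rejects Unicode format characters in cluster values would prevent a recurrence.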
@@ -3182,6 +3420,17 @@ "member-of": [ "NATO" ], + "official-languages": [ + "Italian" + ], + "synomyms": [ + "Italia", + "Italian Republic", + "Repubblica Italiana" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".it" }, "uuid": "1bcc0b11-d906-40ea-910c-a1124c4d82bd", @@ -3192,10 +3441,29 @@ "calling-code": [ "+225" ], + "capital": [ + "Yamoussoukro", + "Abidjan" + ], + "currency": [ + "West African CFA franc", + "XOF" + ], "iso-code": [ "CI", "CIV" ], + "official-languages": [ + "French" + ], + "synomyms": [ + "Côte d'Ivoire", + "Republic of Côte d'Ivoire", + "République de Côte d'Ivoire" + ], + "territory-type": [ + "Country" + ], "top-level-domain": ".ci" }, "uuid": "c1aac71f-b060-4816-9369-451df1550883", From f40b7dd132cb67153644b5856621e6fedfbdca5f Mon Sep 17 00:00:00 2001 From: Daniel Plohmann Date: Sun, 1 Sep 2019 15:46:36 +0200 Subject: [PATCH 91/92] 'SectorJ04 Group' as alias introduced by NSHC for TA505 Not explicitly mentioned in the blog post but it looks like we just got an alias for TA505... https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/ --- clusters/threat-actor.json | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2d0799c..7a23f1e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -6914,7 +6914,11 @@ "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware", "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf", "https://threatpost.com/ta505-servhelper-malware/140792/", - "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/" + "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/", + "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/" + ], + "synonyms": [ + "SectorJ04 Group" ] }, "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", @@ -7701,5 +7705,5 @@ "value": "APT41" } ], - "version": 129 + "version": 130 } From 9e3a998dfc711ec2be5cb48bc9356903e2fcfd24 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Tue, 3 Sep 2019 15:51:21 +0200 Subject: [PATCH 92/92] aff SectorJ04 group --- clusters/threat-actor.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 24eb9ea..30ad8d0 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -7687,7 +7687,12 @@ }, "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "value": "APT41" + }, + { + "description": "SectorJ04 is a Russian-based cybercrime group that began operating about five years ago and conducted hacking activities for financial profit using malware such as banking trojans and ransomware against national and industrial sectors located across Europe, North America and West Africa.\nIn 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia, and is changing the pattern of their attacks from targeted attacks to searching for random victims. This report includes details related to the major hacking targets of the SectorJ04 group in 2019, how those targets were hacked, characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking.", + "uuid": "50e25cfb-8b4d-408d-a7c6-bd0672662d39", + "value": "SectorJ04" } ], - "version": 128 + "version": 129 }
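Review bot: The new `SectorJ04` entry duplicates TA505, to which PATCH 91 in this series already adds `"SectorJ04 Group"` as a synonym, and because the two strings differ the exact-match duplicate check in tools/chk_dup.py will not flag the overlap. Either drop this entry in favour of the TA505 synonym, or keep it and add a `related` link to what appears to be TA505's uuid `03c80674-35f8-4fe0-be2b-226ed0fcd69f` with an estimative-language tag, as other entries in these clusters do. The entry also has no `meta.refs`, although its description reads as quoted from the NSHC report `https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/` cited in PATCH 91. The `version` bump from 128 to 129 also collides with PATCH 86 and PATCH 89, which both already set 129.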