Deborah Servili 2018-10-22 11:09:37 +02:00
commit bd68ee280e
49 changed files with 6016 additions and 21146 deletions


@ -2,6 +2,7 @@
"authors": [ "authors": [
"Unknown" "Unknown"
], ],
"category": "tool",
"description": "Android malware galaxy based on multiple open sources.", "description": "Android malware galaxy based on multiple open sources.",
"name": "Android", "name": "Android",
"source": "Open Sources", "source": "Open Sources",
@ -138,13 +139,6 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", "dest-uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0",
"tags": [ "tags": [
@ -3802,7 +3796,7 @@
}, },
"related": [ "related": [
{ {
"dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -3821,41 +3815,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", "uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
@ -4605,15 +4564,6 @@
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/" "https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/"
] ]
}, },
"related": [
{
"dest-uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§", "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
"value": "HenBox" "value": "HenBox"
}, },
@ -4676,5 +4626,5 @@
"value": "Triout" "value": "Triout"
} }
], ],
"version": 15 "version": 16
} }
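Review bot: The HenBox cluster's `uuid` in the hunk at `-4605,15 +4564,6` still ends in a stray `§` (`72c37e24-4ead-11e8-8f08-db3ec8f8db86§`), so it is not a well-formed UUID, and this commit edits the lines directly above it without correcting it. A `dest-uuid` in another galaxy that uses the clean form cannot match this string exactly, and a strict UUID check would presumably reject the cluster. Suggest `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86",` and, if the repository's JSON validation does not already enforce a UUID pattern on `uuid` and `dest-uuid`, adding one so that a malformed identifier fails the build.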


@ -2,6 +2,7 @@
"authors": [ "authors": [
"raw-data" "raw-data"
], ],
"category": "tool",
"description": "A list of backdoor malware.", "description": "A list of backdoor malware.",
"name": "Backdoor", "name": "Backdoor",
"source": "Open Sources", "source": "Open Sources",


@ -3,6 +3,7 @@
"Unknown", "Unknown",
"raw-data" "raw-data"
], ],
"category": "tool",
"description": "A list of banker malware.", "description": "A list of banker malware.",
"name": "Banker", "name": "Banker",
"source": "Open Sources", "source": "Open Sources",
@ -99,26 +100,12 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "66781866-f064-467d-925d-5e5f290352f0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e", "uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
@ -200,13 +187,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369", "uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369",
@ -241,13 +221,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924", "uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924",
@ -480,13 +453,6 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc", "dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc",
"tags": [ "tags": [
@ -559,20 +525,6 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "66781866-f064-467d-925d-5e5f290352f0", "dest-uuid": "66781866-f064-467d-925d-5e5f290352f0",
"tags": [ "tags": [
@ -643,13 +595,6 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "6e1168e6-7768-4fa2-951f-6d6934531633",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
"tags": [ "tags": [
@ -757,13 +702,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c", "uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c",
@ -1000,13 +938,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0", "uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0",
@ -1244,5 +1175,5 @@
"value": "CamuBot" "value": "CamuBot"
} }
], ],
"version": 14 "version": 15
} }
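Review bot: Several `similar` links are dropped in both directions in this file, which removes the relationship instead of de-duplicating it. Cluster `ffbbbc14-1cdb-4be9-a631-ed53c5407369` loses its entry for `0f96a666-bf26-44e0-8ad6-f2136208c924` in the hunk at `-200,13` while `0f96a666-…` loses its entry for `ffbbbc14-…` at `-241,13`, and the same happens between `87b69cb4-8b65-47ee-91b0-9b1decdd5c5c` and `e159c4f8-3c22-49f9-a60a-16588a9c22b0` at `-757,13` and `-1000,13`. The full `related` arrays are not visible in these hunks, so the removed entries may have been duplicates of ones that remain; that is worth confirming. If the intent was to keep a single direction per pair, one side of each pair should stay, otherwise correlation across these banker families no longer follows the link.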


@ -2,6 +2,7 @@
"authors": [ "authors": [
"Various" "Various"
], ],
"category": "tool",
"description": "botnet galaxy", "description": "botnet galaxy",
"name": "Botnet", "name": "Botnet",
"source": "MISP Project", "source": "MISP Project",
@ -195,20 +196,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "6e1168e6-7768-4fa2-951f-6d6934531633", "uuid": "6e1168e6-7768-4fa2-951f-6d6934531633",
@ -721,6 +708,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"tags": [ "tags": [
@ -734,13 +728,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "variant-of" "type": "variant-of"
},
{
"dest-uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185", "uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
@ -877,6 +864,13 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "ec67f206-6464-48cf-a012-3cdfc1278488",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185", "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [ "tags": [
@ -897,13 +891,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "variant-of" "type": "variant-of"
},
{
"dest-uuid": "ec67f206-6464-48cf-a012-3cdfc1278488",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", "uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
@ -1151,5 +1138,5 @@
"value": "Persirai" "value": "Persirai"
} }
], ],
"version": 16 "version": 17
} }


@ -2,6 +2,7 @@
"authors": [ "authors": [
"Unknown" "Unknown"
], ],
"category": "vulnerability",
"description": "List of known vulnerabilities and attacks with a branding", "description": "List of known vulnerabilities and attacks with a branding",
"name": "Branded Vulnerability", "name": "Branded Vulnerability",
"source": "Open Sources", "source": "Open Sources",


@ -2,6 +2,7 @@
"authors": [ "authors": [
"Various" "Various"
], ],
"category": "sector",
"description": "Cert EU GovSector", "description": "Cert EU GovSector",
"name": "Cert EU GovSector", "name": "Cert EU GovSector",
"source": "CERT-EU", "source": "CERT-EU",


@ -4,6 +4,7 @@
"Will Metcalf", "Will Metcalf",
"KahuSecurity" "KahuSecurity"
], ],
"category": "tool",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years", "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"name": "Exploit-Kit", "name": "Exploit-Kit",
"source": "MISP Project", "source": "MISP Project",
@ -280,20 +281,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "5594b171-32ec-4145-b712-e7701effffdd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c", "uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
@ -761,5 +748,5 @@
"value": "Unknown" "value": "Unknown"
} }
], ],
"version": 11 "version": 12
} }


@ -5,6 +5,7 @@
"Andrea Garavaglia", "Andrea Garavaglia",
"Davide Arcuri" "Davide Arcuri"
], ],
"category": "tool",
"description": "Malware galaxy cluster based on Malpedia.", "description": "Malware galaxy cluster based on Malpedia.",
"name": "Malpedia", "name": "Malpedia",
"source": "Malpedia", "source": "Malpedia",
@ -106,7 +107,7 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites", "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites",
"https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", "https://blog.avast.com/new-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",
"https://www.youtube.com/watch?v=1LOy0ZyjEOk" "https://www.youtube.com/watch?v=1LOy0ZyjEOk"
], ],
"synonyms": [], "synonyms": [],
@ -495,13 +496,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "fbda9705-677b-4c5b-9b0b-13b52eff587c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f",
@ -2812,13 +2806,6 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [ "tags": [
@ -2840,26 +2827,12 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", "dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
@ -5280,6 +5253,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "16794655-c0e2-4510-9169-f862df104045", "uuid": "16794655-c0e2-4510-9169-f862df104045",
@ -7481,20 +7461,6 @@
"type": [] "type": []
}, },
"related": [ "related": [
{
"dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "66781866-f064-467d-925d-5e5f290352f0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e", "dest-uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
"tags": [ "tags": [
@ -7503,7 +7469,7 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a", "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -8294,20 +8260,6 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a", "dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a",
"tags": [ "tags": [
@ -9558,13 +9510,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d",
@ -9609,13 +9554,6 @@
"type": [] "type": []
}, },
"related": [ "related": [
{
"dest-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc", "dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc",
"tags": [ "tags": [
@ -10716,6 +10654,13 @@
"type": [] "type": []
}, },
"related": [ "related": [
{
"dest-uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "74167065-90b3-4c29-807a-79b6f098e45b", "dest-uuid": "74167065-90b3-4c29-807a-79b6f098e45b",
"tags": [ "tags": [
@ -14000,13 +13945,6 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "4166ab63-24b0-4448-92ea-21c8deef978d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "652b5242-b790-4695-ad0e-b79bbf78f351", "dest-uuid": "652b5242-b790-4695-ad0e-b79bbf78f351",
"tags": [ "tags": [
@ -14475,13 +14413,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "6e1168e6-7768-4fa2-951f-6d6934531633",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549",
@ -16075,7 +16006,7 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -16101,27 +16032,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
@ -16936,7 +16846,7 @@
} }
], ],
"uuid": "39f609e3-e6fe-4c2c-af0e-b28bc81b2ecf", "uuid": "39f609e3-e6fe-4c2c-af0e-b28bc81b2ecf",
"value": "" "value": "Spy-Net"
}, },
{ {
"description": "", "description": "",
@ -17669,13 +17579,6 @@
"type": [] "type": []
}, },
"related": [ "related": [
{
"dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc", "dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc",
"tags": [ "tags": [
@ -18154,7 +18057,7 @@
} }
], ],
"uuid": "4db80a62-d318-48e7-b70b-759924ff515e", "uuid": "4db80a62-d318-48e7-b70b-759924ff515e",
"value": "" "value": "unidentified_005"
}, },
{ {
"description": "", "description": "",
@ -19976,5 +19879,5 @@
"value": "Zyklon" "value": "Zyklon"
} }
], ],
"version": 1650 "version": 1651
} }
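Review bot: The Avast reference for `apk.catelites` in the hunk at `-106,7 +107,7` changes from `…/new-version-of-mobile-malware-catelites-…` to `…/new-of-mobile-malware-catelites-…`, which looks like an accidental text substitution on the word "version", not a corrected link. The rewritten URL most likely no longer resolves, so analysts following the cluster's `refs` would lose the source report. Suggest restoring `"https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",` and searching the other `refs` entries touched by this commit for the same dropped token, including the file whose diff is suppressed on this page.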


@ -2,6 +2,7 @@
"authors": [ "authors": [
"Various" "Various"
], ],
"category": "actor",
"description": "Activity groups as described by Microsoft", "description": "Activity groups as described by Microsoft",
"name": "Microsoft Activity Group actor", "name": "Microsoft Activity Group actor",
"source": "MISP Project", "source": "MISP Project",


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "attack-pattern",
"description": "ATT&CK tactic", "description": "ATT&CK tactic",
"name": "Attack Pattern", "name": "Attack Pattern",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "course-of-action",
"description": "ATT&CK Mitigation", "description": "ATT&CK Mitigation",
"name": "Course of Action", "name": "Course of Action",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "attack-pattern",
"description": "ATT&CK tactic", "description": "ATT&CK tactic",
"name": "Enterprise Attack - Attack Pattern", "name": "Enterprise Attack - Attack Pattern",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",

File diff suppressed because it is too large Load diff


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "actor",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"name": "Enterprise Attack -intrusion Set", "name": "Enterprise Attack -intrusion Set",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -27,6 +28,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
@ -44,6 +52,15 @@
"Group5" "Group5"
] ]
}, },
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"value": "Group5 - G0043" "value": "Group5 - G0043"
}, },
@ -67,6 +84,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", "uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
@ -91,6 +115,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
@ -108,6 +139,15 @@
"RTM" "RTM"
] ]
}, },
"related": [
{
"dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", "uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f",
"value": "RTM - G0048" "value": "RTM - G0048"
}, },
@ -145,6 +185,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
@ -216,6 +263,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "f9c06633-dcff-48a1-8588-759e7cec5694", "uuid": "f9c06633-dcff-48a1-8588-759e7cec5694",
@ -237,6 +291,13 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [ "tags": [
@ -244,12 +305,26 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
@ -289,6 +364,20 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
@ -314,6 +403,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", "uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
@ -340,6 +436,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", "uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
@ -379,6 +482,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", "uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
@ -403,6 +513,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
@ -427,6 +544,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
@ -451,6 +575,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "62a64fd3-aaf7-4d09-a375-d6f8bb118481", "uuid": "62a64fd3-aaf7-4d09-a375-d6f8bb118481",
@ -487,6 +618,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c",
@ -543,6 +681,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [ "tags": [
@ -631,6 +776,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", "uuid": "025bdaa9-897d-4bad-afa6-013ba5734653",
@ -655,6 +807,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
@ -679,6 +838,20 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "519630c5-f03f-4882-825c-3af924935817",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", "uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
@ -721,6 +894,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
@ -740,12 +920,26 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", "uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
@ -797,6 +991,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
@ -840,6 +1041,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
@ -864,6 +1072,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0", "uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0",
@ -883,6 +1098,15 @@
"FIN5" "FIN5"
] ]
}, },
"related": [
{
"dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"value": "FIN5 - G0053" "value": "FIN5 - G0053"
}, },
@ -900,6 +1124,15 @@
"BlackOasis" "BlackOasis"
] ]
}, },
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "da49b9f1-ca99-443f-9728-0a074db66850", "uuid": "da49b9f1-ca99-443f-9728-0a074db66850",
"value": "BlackOasis - G0063" "value": "BlackOasis - G0063"
}, },
@ -915,6 +1148,15 @@
"Taidoor" "Taidoor"
] ]
}, },
"related": [
{
"dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46", "uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46",
"value": "Taidoor - G0015" "value": "Taidoor - G0015"
}, },
@ -979,6 +1221,20 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
@ -996,6 +1252,15 @@
"Ke3chang" "Ke3chang"
] ]
}, },
"related": [
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"value": "Ke3chang - G0004" "value": "Ke3chang - G0004"
}, },
@ -1027,6 +1292,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
@ -1052,6 +1324,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2",
@ -1088,6 +1367,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
@ -1107,6 +1393,13 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
"tags": [ "tags": [
@ -1127,6 +1420,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", "uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
@ -1224,6 +1524,20 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
@ -1258,6 +1572,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
@ -1282,6 +1603,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f", "uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f",
@ -1318,6 +1646,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
@ -1343,6 +1678,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", "uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
@ -1360,6 +1702,15 @@
"Equation" "Equation"
] ]
}, },
"related": [
{
"dest-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", "uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9",
"value": "Equation - G0020" "value": "Equation - G0020"
}, },
@ -1375,6 +1726,15 @@
"Darkhotel" "Darkhotel"
] ]
}, },
"related": [
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", "uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"value": "Darkhotel - G0012" "value": "Darkhotel - G0012"
}, },
@ -1398,6 +1758,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
@ -1422,6 +1789,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
@ -1446,6 +1820,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
@ -1473,6 +1854,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
@ -1497,6 +1885,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", "uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
@ -1515,6 +1910,15 @@
"TG-1314" "TG-1314"
] ]
}, },
"related": [
{
"dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", "uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"value": "Threat Group-1314 - G0028" "value": "Threat Group-1314 - G0028"
}, },
@ -1547,6 +1951,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
@ -1576,6 +1987,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484", "uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484",
@ -1604,6 +2022,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
@ -1636,6 +2061,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
@ -1662,6 +2094,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
@ -1684,6 +2123,20 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [ "tags": [
@ -1697,6 +2150,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
@ -1776,6 +2236,20 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
@ -1801,6 +2275,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826", "uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826",
@ -1833,6 +2314,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c", "uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c",
@ -1854,12 +2342,26 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
@ -1892,6 +2394,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f", "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
@ -1933,6 +2442,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
@ -1959,6 +2475,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e", "uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e",
@ -1985,6 +2508,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
@ -2009,11 +2539,18 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"value": "Gamaredon Group - G0047" "value": "Gamaredon Group - G0047"
} }
], ],
"version": 5 "version": 7
} }




@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "tool",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"name": "Enterprise Attack - Tool", "name": "Enterprise Attack - Tool",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -28,6 +29,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", "uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
@ -46,6 +54,15 @@
"at.exe" "at.exe"
] ]
}, },
"related": [
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", "uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
"value": "at - S0110" "value": "at - S0110"
}, },
@ -62,6 +79,15 @@
"route.exe" "route.exe"
] ]
}, },
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", "uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
"value": "route - S0103" "value": "route - S0103"
}, },
@ -77,6 +103,15 @@
"Tasklist" "Tasklist"
] ]
}, },
"related": [
{
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"value": "Tasklist - S0057" "value": "Tasklist - S0057"
}, },
@ -93,6 +128,15 @@
"WCE" "WCE"
] ]
}, },
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"value": "Windows Credential Editor - S0005" "value": "Windows Credential Editor - S0005"
}, },
@ -108,6 +152,15 @@
"Responder" "Responder"
] ]
}, },
"related": [
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
"value": "Responder - S0174" "value": "Responder - S0174"
}, },
@ -124,6 +177,15 @@
"schtasks.exe" "schtasks.exe"
] ]
}, },
"related": [
{
"dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04", "uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
"value": "schtasks - S0111" "value": "schtasks - S0111"
}, },
@ -146,6 +208,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", "uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
@ -163,6 +232,15 @@
"ifconfig" "ifconfig"
] ]
}, },
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", "uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
"value": "ifconfig - S0101" "value": "ifconfig - S0101"
}, },
@ -178,6 +256,15 @@
"BITSAdmin" "BITSAdmin"
] ]
}, },
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "uuid": "64764dc6-a032-495f-8250-1e4c06bdc163",
"value": "BITSAdmin - S0190" "value": "BITSAdmin - S0190"
}, },
@ -201,6 +288,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
@ -218,6 +312,15 @@
"xCmd" "xCmd"
] ]
}, },
"related": [
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", "uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
"value": "xCmd - S0123" "value": "xCmd - S0123"
}, },
@ -233,6 +336,15 @@
"MimiPenguin" "MimiPenguin"
] ]
}, },
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", "uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
"value": "MimiPenguin - S0179" "value": "MimiPenguin - S0179"
}, },
@ -248,6 +360,15 @@
"SDelete" "SDelete"
] ]
}, },
"related": [
{
"dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", "uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
"value": "SDelete - S0195" "value": "SDelete - S0195"
}, },
@ -264,6 +385,15 @@
"systeminfo.exe" "systeminfo.exe"
] ]
}, },
"related": [
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
"value": "Systeminfo - S0096" "value": "Systeminfo - S0096"
}, },
@ -280,6 +410,15 @@
"netsh.exe" "netsh.exe"
] ]
}, },
"related": [
{
"dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"value": "netsh - S0108" "value": "netsh - S0108"
}, },
@ -296,6 +435,15 @@
"dsquery.exe" "dsquery.exe"
] ]
}, },
"related": [
{
"dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
"value": "dsquery - S0105" "value": "dsquery - S0105"
}, },
@ -318,6 +466,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", "uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
@ -336,6 +491,15 @@
"ping.exe" "ping.exe"
] ]
}, },
"related": [
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"value": "Ping - S0097" "value": "Ping - S0097"
}, },
@ -351,6 +515,15 @@
"Fgdump" "Fgdump"
] ]
}, },
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", "uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
"value": "Fgdump - S0120" "value": "Fgdump - S0120"
}, },
@ -366,6 +539,15 @@
"Lslsass" "Lslsass"
] ]
}, },
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", "uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
"value": "Lslsass - S0121" "value": "Lslsass - S0121"
}, },
@ -381,6 +563,15 @@
"Pass-The-Hash Toolkit" "Pass-The-Hash Toolkit"
] ]
}, },
"related": [
{
"dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", "uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
"value": "Pass-The-Hash Toolkit - S0122" "value": "Pass-The-Hash Toolkit - S0122"
}, },
@ -397,6 +588,15 @@
"ftp.exe" "ftp.exe"
] ]
}, },
"related": [
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
"value": "FTP - S0095" "value": "FTP - S0095"
}, },
@ -413,6 +613,15 @@
"ipconfig.exe" "ipconfig.exe"
] ]
}, },
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"value": "ipconfig - S0100" "value": "ipconfig - S0100"
}, },
@ -429,6 +638,15 @@
"nbtstat.exe" "nbtstat.exe"
] ]
}, },
"related": [
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea", "uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
"value": "nbtstat - S0102" "value": "nbtstat - S0102"
}, },
@ -452,6 +670,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", "uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
@ -469,6 +694,15 @@
"Tor" "Tor"
] ]
}, },
"related": [
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
"value": "Tor - S0183" "value": "Tor - S0183"
}, },
@ -485,6 +719,15 @@
"netstat.exe" "netstat.exe"
] ]
}, },
"related": [
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
"value": "netstat - S0104" "value": "netstat - S0104"
}, },
@ -500,6 +743,15 @@
"pwdump" "pwdump"
] ]
}, },
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
"value": "pwdump - S0006" "value": "pwdump - S0006"
}, },
@ -515,6 +767,15 @@
"Cachedump" "Cachedump"
] ]
}, },
"related": [
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", "uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
"value": "Cachedump - S0119" "value": "Cachedump - S0119"
}, },
@ -530,6 +791,15 @@
"Forfiles" "Forfiles"
] ]
}, },
"related": [
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2", "uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
"value": "Forfiles - S0193" "value": "Forfiles - S0193"
}, },
@ -547,6 +817,15 @@
"net.exe" "net.exe"
] ]
}, },
"related": [
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "03342581-f790-4f03-ba41-e82e67392e23", "uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"value": "Net - S0039" "value": "Net - S0039"
}, },
@ -570,6 +849,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
@ -595,6 +881,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
@ -613,6 +906,15 @@
"arp.exe" "arp.exe"
] ]
}, },
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252", "uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
"value": "Arp - S0099" "value": "Arp - S0099"
}, },
@ -632,6 +934,15 @@
"cmd.exe" "cmd.exe"
] ]
}, },
"related": [
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"value": "cmd - S0106" "value": "cmd - S0106"
}, },
@ -647,6 +958,15 @@
"Havij" "Havij"
] ]
}, },
"related": [
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", "uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
"value": "Havij - S0224" "value": "Havij - S0224"
}, },
@ -664,6 +984,15 @@
"PowerSploit" "PowerSploit"
] ]
}, },
"related": [
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
"value": "PowerSploit - S0194" "value": "PowerSploit - S0194"
}, },
@ -678,6 +1007,15 @@
"meek" "meek"
] ]
}, },
"related": [
{
"dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", "uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
"value": "meek - S0175" "value": "meek - S0175"
}, },
@ -695,6 +1033,15 @@
"reg.exe" "reg.exe"
] ]
}, },
"related": [
{
"dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"value": "Reg - S0075" "value": "Reg - S0075"
}, },
@ -710,6 +1057,15 @@
"spwebmember" "spwebmember"
] ]
}, },
"related": [
{
"dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", "uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4",
"value": "spwebmember - S0227" "value": "spwebmember - S0227"
}, },
@ -732,6 +1088,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", "uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
@ -749,6 +1112,15 @@
"sqlmap" "sqlmap"
] ]
}, },
"related": [
{
"dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555", "uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
"value": "sqlmap - S0225" "value": "sqlmap - S0225"
}, },
@ -785,6 +1157,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
@ -802,9 +1181,18 @@
"Invoke-PSImage" "Invoke-PSImage"
] ]
}, },
"related": [
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", "uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f",
"value": "Invoke-PSImage - S0231" "value": "Invoke-PSImage - S0231"
} }
], ],
"version": 6 "version": 7
} }


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "actor",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"name": "intrusion Set", "name": "intrusion Set",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -177,6 +178,13 @@
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff" "uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff"
}, },
"related": [ "related": [
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [ "tags": [
@ -184,6 +192,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"tags": [ "tags": [
@ -228,6 +243,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "Deep Panda" "value": "Deep Panda"
@ -418,6 +440,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [ "tags": [
@ -495,6 +524,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "Moafee" "value": "Moafee"
@ -555,6 +591,13 @@
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a" "uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a"
}, },
"related": [ "related": [
{
"dest-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
"tags": [ "tags": [
@ -663,6 +706,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "Naikon" "value": "Naikon"
@ -728,6 +778,13 @@
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd" "uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd"
}, },
"related": [ "related": [
{
"dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
"tags": [ "tags": [
@ -849,6 +906,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "FIN7" "value": "FIN7"
@ -1017,6 +1081,27 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
"tags": [ "tags": [
@ -1024,12 +1109,54 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "47204403-34c9-4d25-a006-296a0939d1a2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "OilRig" "value": "OilRig"
@ -1295,6 +1422,13 @@
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973" "uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973"
}, },
"related": [ "related": [
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [ "tags": [
@ -1302,6 +1436,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"tags": [ "tags": [
@ -1326,6 +1467,13 @@
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c" "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c"
}, },
"related": [ "related": [
{
"dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
"tags": [ "tags": [
@ -1431,5 +1579,5 @@
"value": "Gamaredon Group" "value": "Gamaredon Group"
} }
], ],
"version": 7 "version": 8
} }
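Review bot: The `related` list that closes just before `"value": "OilRig"` gains ten `similar` links in this one change, each tagged `estimative-language:likelihood-probability="likely"`, the same confidence the existing links carry. Nothing in the entry records why each pair is treated as the same actor, so a consumer that follows `similar` links to enrich alerts or merge actor profiles cannot tell a curated match from one that may have been derived automatically (the page does not show how these were produced). I would confirm each of the ten destinations by hand before merging, and drop or lower the likelihood tag on any pair that rests on a shared name alone. The OilRig entry begins outside the hunks shown, so its other fields could not be checked.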


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "tool",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"name": "Malware", "name": "Malware",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -263,13 +264,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "Backdoor.Oldrea" "value": "Backdoor.Oldrea"
@ -458,6 +452,27 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "Komplex" "value": "Komplex"
@ -1025,6 +1040,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "PoisonIvy" "value": "PoisonIvy"
@ -1887,48 +1909,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "CORESHELL" "value": "CORESHELL"
@ -2172,6 +2152,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "da079741-05e6-458c-b434-011263dc691c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"value": "ComRAT" "value": "ComRAT"
@ -2781,13 +2768,6 @@
"uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2" "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2"
}, },
"related": [ "related": [
{
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [ "tags": [
@ -2809,20 +2789,6 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [ "tags": [
@ -2852,5 +2818,5 @@
"value": "ELMER" "value": "ELMER"
} }
], ],
"version": 6 "version": 7
} }


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "attack-pattern",
"description": "ATT&CK tactic", "description": "ATT&CK tactic",
"name": "Mobile Attack - Attack Pattern", "name": "Mobile Attack - Attack Pattern",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "course-of-action",
"description": "ATT&CK Mitigation", "description": "ATT&CK Mitigation",
"name": "Mobile Attack - Course of Action", "name": "Mobile Attack - Course of Action",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -13,6 +14,15 @@
"meta": { "meta": {
"external_id": "MOB-M1010" "external_id": "MOB-M1010"
}, },
"related": [
{
"dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433", "uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"value": "Deploy Compromised Device Detection Method - MOB-M1010" "value": "Deploy Compromised Device Detection Method - MOB-M1010"
}, },
@ -21,6 +31,15 @@
"meta": { "meta": {
"external_id": "MOB-M1014" "external_id": "MOB-M1014"
}, },
"related": [
{
"dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "e829ee51-1caf-4665-ba15-7f8979634124", "uuid": "e829ee51-1caf-4665-ba15-7f8979634124",
"value": "Interconnection Filtering - MOB-M1014" "value": "Interconnection Filtering - MOB-M1014"
}, },
@ -29,6 +48,15 @@
"meta": { "meta": {
"external_id": "MOB-M1008" "external_id": "MOB-M1008"
}, },
"related": [
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c", "uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"value": "Use Device-Provided Credential Storage - MOB-M1008" "value": "Use Device-Provided Credential Storage - MOB-M1008"
}, },
@ -37,6 +65,15 @@
"meta": { "meta": {
"external_id": "MOB-M1006" "external_id": "MOB-M1006"
}, },
"related": [
{
"dest-uuid": "a0464539-e1b7-4455-a355-12495987c300",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", "uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564",
"value": "Use Recent OS Version - MOB-M1006" "value": "Use Recent OS Version - MOB-M1006"
}, },
@ -45,6 +82,15 @@
"meta": { "meta": {
"external_id": "MOB-M1001" "external_id": "MOB-M1001"
}, },
"related": [
{
"dest-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"value": "Security Updates - MOB-M1001" "value": "Security Updates - MOB-M1001"
}, },
@ -53,6 +99,15 @@
"meta": { "meta": {
"external_id": "MOB-M1003" "external_id": "MOB-M1003"
}, },
"related": [
{
"dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"value": "Lock Bootloader - MOB-M1003" "value": "Lock Bootloader - MOB-M1003"
}, },
@ -61,6 +116,15 @@
"meta": { "meta": {
"external_id": "MOB-M1004" "external_id": "MOB-M1004"
}, },
"related": [
{
"dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321", "uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321",
"value": "System Partition Integrity - MOB-M1004" "value": "System Partition Integrity - MOB-M1004"
}, },
@ -69,6 +133,15 @@
"meta": { "meta": {
"external_id": "MOB-M1002" "external_id": "MOB-M1002"
}, },
"related": [
{
"dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c", "uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"value": "Attestation - MOB-M1002" "value": "Attestation - MOB-M1002"
}, },
@ -77,6 +150,15 @@
"meta": { "meta": {
"external_id": "MOB-M1007" "external_id": "MOB-M1007"
}, },
"related": [
{
"dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"value": "Caution with Device Administrator Access - MOB-M1007" "value": "Caution with Device Administrator Access - MOB-M1007"
}, },
@ -85,6 +167,15 @@
"meta": { "meta": {
"external_id": "MOB-M1013" "external_id": "MOB-M1013"
}, },
"related": [
{
"dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"value": "Application Developer Guidance - MOB-M1013" "value": "Application Developer Guidance - MOB-M1013"
}, },
@ -93,6 +184,15 @@
"meta": { "meta": {
"external_id": "MOB-M1005" "external_id": "MOB-M1005"
}, },
"related": [
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d", "uuid": "1553b156-6767-47f7-9eb4-2a692505666d",
"value": "Application Vetting - MOB-M1005" "value": "Application Vetting - MOB-M1005"
}, },
@ -101,6 +201,15 @@
"meta": { "meta": {
"external_id": "MOB-M1011" "external_id": "MOB-M1011"
}, },
"related": [
{
"dest-uuid": "a0464539-e1b7-4455-a355-12495987c300",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", "uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"value": "User Guidance - MOB-M1011" "value": "User Guidance - MOB-M1011"
}, },
@ -109,6 +218,15 @@
"meta": { "meta": {
"external_id": "MOB-M1012" "external_id": "MOB-M1012"
}, },
"related": [
{
"dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"value": "Enterprise Policy - MOB-M1012" "value": "Enterprise Policy - MOB-M1012"
}, },
@ -117,9 +235,18 @@
"meta": { "meta": {
"external_id": "MOB-M1009" "external_id": "MOB-M1009"
}, },
"related": [
{
"dest-uuid": "393e8c12-a416-4575-ba90-19cc85656796",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", "uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8",
"value": "Encrypt Network Traffic - MOB-M1009" "value": "Encrypt Network Traffic - MOB-M1009"
} }
], ],
"version": 3 "version": 4
} }
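Review bot: Every course of action in this file receives exactly one `mitigates` link, and the tool and malware files in the same commit show the same shape for `uses` (one added link per entry, for example `Net - S0039` and `PowerSploit - S0194`). That uniformity suggests the export step may keep only one relationship per source object; if the upstream data holds several, the rest are lost here, and anyone using these links to judge mitigation or detection coverage would see a smaller set than exists. Two targets are also reused (`46d818a5-67fa-4585-a7fc-ecf15376c8d5` by `MOB-M1002` and `MOB-M1003`, `a0464539-e1b7-4455-a355-12495987c300` by `MOB-M1006` and `MOB-M1011`), which is plausible but worth confirming against the source. I would check that the generator appends to `related` rather than replacing it, and add a repository check that every `dest-uuid` resolves to an existing cluster `uuid`.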


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "actor",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"name": "Mobile Attack - intrusion Set", "name": "Mobile Attack - intrusion Set",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -32,56 +33,14 @@
}, },
"related": [ "related": [
{ {
"dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -92,5 +51,5 @@
"value": "APT28 - G0007" "value": "APT28 - G0007"
} }
], ],
"version": 5 "version": 6
} }


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "tool",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"name": "Mobile Attack - Malware", "name": "Mobile Attack - Malware",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -27,6 +28,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", "uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93",
@ -44,6 +52,15 @@
"Trojan-SMS.AndroidOS.Agent.ao" "Trojan-SMS.AndroidOS.Agent.ao"
] ]
}, },
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
"value": "Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023" "value": "Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023"
}, },
@ -65,6 +82,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878", "uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878",
@ -82,6 +106,15 @@
"KeyRaider" "KeyRaider"
] ]
}, },
"related": [
{
"dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"value": "KeyRaider - MOB-S0004" "value": "KeyRaider - MOB-S0004"
}, },
@ -98,6 +131,15 @@
"BrainTest" "BrainTest"
] ]
}, },
"related": [
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", "uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e",
"value": "BrainTest - MOB-S0009" "value": "BrainTest - MOB-S0009"
}, },
@ -123,6 +165,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", "uuid": "c80a6bef-b3ce-44d0-b113-946e93124898",
@ -140,6 +189,15 @@
"DressCode" "DressCode"
] ]
}, },
"related": [
{
"dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
"value": "DressCode - MOB-S0016" "value": "DressCode - MOB-S0016"
}, },
@ -156,6 +214,15 @@
"Adups" "Adups"
] ]
}, },
"related": [
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"value": "Adups - MOB-S0025" "value": "Adups - MOB-S0025"
}, },
@ -186,6 +253,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", "uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a",
@ -203,6 +277,15 @@
"RuMMS" "RuMMS"
] ]
}, },
"related": [
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "936be60d-90eb-4c36-9247-4b31128432c4", "uuid": "936be60d-90eb-4c36-9247-4b31128432c4",
"value": "RuMMS - MOB-S0029" "value": "RuMMS - MOB-S0029"
}, },
@ -225,6 +308,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", "uuid": "c8770c81-c29f-40d2-a140-38544206b2b4",
@ -242,6 +332,15 @@
"Trojan-SMS.AndroidOS.OpFake.a" "Trojan-SMS.AndroidOS.OpFake.a"
] ]
}, },
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d89c132d-7752-4c7f-9372-954a71522985", "uuid": "d89c132d-7752-4c7f-9372-954a71522985",
"value": "Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024" "value": "Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024"
}, },
@ -264,6 +363,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e", "uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e",
@ -281,6 +387,15 @@
"MazarBOT" "MazarBOT"
] ]
}, },
"related": [
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"value": "MazarBOT - MOB-S0019" "value": "MazarBOT - MOB-S0019"
}, },
@ -297,6 +412,15 @@
"Gooligan" "Gooligan"
] ]
}, },
"related": [
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "20d56cd6-8dff-4871-9889-d32d254816de", "uuid": "20d56cd6-8dff-4871-9889-d32d254816de",
"value": "Gooligan - MOB-S0006" "value": "Gooligan - MOB-S0006"
}, },
@ -312,6 +436,15 @@
"OldBoot" "OldBoot"
] ]
}, },
"related": [
{
"dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc", "uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc",
"value": "OldBoot - MOB-S0001" "value": "OldBoot - MOB-S0001"
}, },
@ -333,6 +466,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
@ -351,6 +491,15 @@
"DroidJack RAT" "DroidJack RAT"
] ]
}, },
"related": [
{
"dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"value": "DroidJack RAT - MOB-S0036" "value": "DroidJack RAT - MOB-S0036"
}, },
@ -366,6 +515,15 @@
"HummingWhale" "HummingWhale"
] ]
}, },
"related": [
{
"dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
"value": "HummingWhale - MOB-S0037" "value": "HummingWhale - MOB-S0037"
}, },
@ -381,6 +539,15 @@
"ANDROIDOS_ANSERVER.A" "ANDROIDOS_ANSERVER.A"
] ]
}, },
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", "uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8",
"value": "ANDROIDOS_ANSERVER.A - MOB-S0026" "value": "ANDROIDOS_ANSERVER.A - MOB-S0026"
}, },
@ -396,6 +563,15 @@
"Trojan-SMS.AndroidOS.FakeInst.a" "Trojan-SMS.AndroidOS.FakeInst.a"
] ]
}, },
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "28e39395-91e7-4f02-b694-5e079c964da9", "uuid": "28e39395-91e7-4f02-b694-5e079c964da9",
"value": "Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022" "value": "Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022"
}, },
@ -411,6 +587,15 @@
"NotCompatible" "NotCompatible"
] ]
}, },
"related": [
{
"dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
"value": "NotCompatible - MOB-S0015" "value": "NotCompatible - MOB-S0015"
}, },
@ -454,6 +639,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c", "uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
@ -471,6 +663,15 @@
"Twitoor" "Twitoor"
] ]
}, },
"related": [
{
"dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", "uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c",
"value": "Twitoor - MOB-S0018" "value": "Twitoor - MOB-S0018"
}, },
@ -486,6 +687,15 @@
"OBAD" "OBAD"
] ]
}, },
"related": [
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde", "uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde",
"value": "OBAD - MOB-S0002" "value": "OBAD - MOB-S0002"
}, },
@ -501,6 +711,15 @@
"Android/Chuli.A" "Android/Chuli.A"
] ]
}, },
"related": [
{
"dest-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", "uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533",
"value": "Android/Chuli.A - MOB-S0020" "value": "Android/Chuli.A - MOB-S0020"
}, },
@ -516,6 +735,15 @@
"PJApps" "PJApps"
] ]
}, },
"related": [
{
"dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", "uuid": "c709da93-20c3-4d17-ab68-48cba76b2137",
"value": "PJApps - MOB-S0007" "value": "PJApps - MOB-S0007"
}, },
@ -531,6 +759,15 @@
"AndroidOverlayMalware" "AndroidOverlayMalware"
] ]
}, },
"related": [
{
"dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7", "uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"value": "AndroidOverlayMalware - MOB-S0012" "value": "AndroidOverlayMalware - MOB-S0012"
}, },
@ -546,6 +783,15 @@
"ZergHelper" "ZergHelper"
] ]
}, },
"related": [
{
"dest-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", "uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"value": "ZergHelper - MOB-S0003" "value": "ZergHelper - MOB-S0003"
}, },
@ -561,6 +807,15 @@
"SpyNote RAT" "SpyNote RAT"
] ]
}, },
"related": [
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", "uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"value": "SpyNote RAT - MOB-S0021" "value": "SpyNote RAT - MOB-S0021"
}, },
@ -576,6 +831,15 @@
"RCSAndroid" "RCSAndroid"
] ]
}, },
"related": [
{
"dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"value": "RCSAndroid - MOB-S0011" "value": "RCSAndroid - MOB-S0011"
}, },
@ -598,6 +862,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", "uuid": "d1c600f8-0fb6-4367-921b-85b71947d950",
@ -614,6 +885,15 @@
"YiSpecter" "YiSpecter"
] ]
}, },
"related": [
{
"dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9", "uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9",
"value": "YiSpecter - MOB-S0027" "value": "YiSpecter - MOB-S0027"
}, },
@ -645,6 +925,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", "uuid": "93799a9d-3537-43d8-b6f4-17215de1657c",
@ -663,9 +950,18 @@
"XcodeGhost" "XcodeGhost"
] ]
}, },
"related": [
{
"dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", "uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9",
"value": "XcodeGhost - MOB-S0013" "value": "XcodeGhost - MOB-S0013"
} }
], ],
"version": 5 "version": 6
} }

File diff suppressed because it is too large Load diff


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "tool",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"name": "Mobile Attack - Tool", "name": "Mobile Attack - Tool",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -41,11 +42,18 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", "uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
"value": "Xbot - MOB-S0014" "value": "Xbot - MOB-S0014"
} }
], ],
"version": 5 "version": 6
} }


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "attack-pattern",
"description": "ATT&CK tactic", "description": "ATT&CK tactic",
"name": "Pre Attack - Attack Pattern", "name": "Pre Attack - Attack Pattern",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -33,6 +34,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1108" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1108"
] ]
}, },
"related": [
{
"dest-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", "uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39",
"value": "Obfuscate infrastructure - PRE-T1108" "value": "Obfuscate infrastructure - PRE-T1108"
}, },
@ -173,6 +183,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1025" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1025"
] ]
}, },
"related": [
{
"dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", "uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
"value": "Identify job postings and needs/gaps - PRE-T1025" "value": "Identify job postings and needs/gaps - PRE-T1025"
}, },
@ -369,6 +388,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1077" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1077"
] ]
}, },
"related": [
{
"dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", "uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
"value": "Analyze organizational skillsets and deficiencies - PRE-T1077" "value": "Analyze organizational skillsets and deficiencies - PRE-T1077"
}, },
@ -439,6 +467,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1026" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1026"
] ]
}, },
"related": [
{
"dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", "uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1",
"value": "Conduct social engineering - PRE-T1026" "value": "Conduct social engineering - PRE-T1026"
}, },
@ -453,6 +490,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1106" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1106"
] ]
}, },
"related": [
{
"dest-uuid": "286cc500-4291-45c2-99a1-e760db176402",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", "uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
"value": "Acquire and/or use 3rd party infrastructure services - PRE-T1106" "value": "Acquire and/or use 3rd party infrastructure services - PRE-T1106"
}, },
@ -481,6 +527,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1074" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1074"
] ]
}, },
"related": [
{
"dest-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", "uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"value": "Analyze organizational skillsets and deficiencies - PRE-T1074" "value": "Analyze organizational skillsets and deficiencies - PRE-T1074"
}, },
@ -509,6 +564,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1109" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1109"
] ]
}, },
"related": [
{
"dest-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983", "uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"value": "Acquire or compromise 3rd party signing certificates - PRE-T1109" "value": "Acquire or compromise 3rd party signing certificates - PRE-T1109"
}, },
@ -593,6 +657,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1023" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1023"
] ]
}, },
"related": [
{
"dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "78e41091-d10d-4001-b202-89612892b6ff", "uuid": "78e41091-d10d-4001-b202-89612892b6ff",
"value": "Identify supply chains - PRE-T1023" "value": "Identify supply chains - PRE-T1023"
}, },
@ -635,6 +708,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1060" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1060"
] ]
}, },
"related": [
{
"dest-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", "uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
"value": "Identify business relationships - PRE-T1060" "value": "Identify business relationships - PRE-T1060"
}, },
@ -747,6 +829,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1049" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1049"
] ]
}, },
"related": [
{
"dest-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", "uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549",
"value": "Identify business relationships - PRE-T1049" "value": "Identify business relationships - PRE-T1049"
}, },
@ -803,6 +894,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1088" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1088"
] ]
}, },
"related": [
{
"dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", "uuid": "20a66013-8dab-4ca3-a67d-766c842c561c",
"value": "Dynamic DNS - PRE-T1088" "value": "Dynamic DNS - PRE-T1088"
}, },
@ -929,6 +1029,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1037" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1037"
] ]
}, },
"related": [
{
"dest-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "856a9371-4f0f-4ea9-946e-f3144204240f", "uuid": "856a9371-4f0f-4ea9-946e-f3144204240f",
"value": "Determine 3rd party infrastructure services - PRE-T1037" "value": "Determine 3rd party infrastructure services - PRE-T1037"
}, },
@ -957,6 +1066,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1141" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1141"
] ]
}, },
"related": [
{
"dest-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", "uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d",
"value": "Friend/Follow/Connect to targets of interest - PRE-T1141" "value": "Friend/Follow/Connect to targets of interest - PRE-T1141"
}, },
@ -1027,6 +1145,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1084" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1084"
] ]
}, },
"related": [
{
"dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "286cc500-4291-45c2-99a1-e760db176402", "uuid": "286cc500-4291-45c2-99a1-e760db176402",
"value": "Acquire and/or use 3rd party infrastructure services - PRE-T1084" "value": "Acquire and/or use 3rd party infrastructure services - PRE-T1084"
}, },
@ -1265,6 +1392,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1055" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1055"
] ]
}, },
"related": [
{
"dest-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "7718e92f-b011-4f88-b822-ae245a1de407", "uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"value": "Identify job postings and needs/gaps - PRE-T1055" "value": "Identify job postings and needs/gaps - PRE-T1055"
}, },
@ -1279,6 +1415,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1056" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1056"
] ]
}, },
"related": [
{
"dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", "uuid": "a757670d-d600-48d9-8ae9-601d42c184a5",
"value": "Conduct social engineering - PRE-T1056" "value": "Conduct social engineering - PRE-T1056"
}, },
@ -1293,6 +1438,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1053" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1053"
] ]
}, },
"related": [
{
"dest-uuid": "59369f72-3005-4e54-9095-3d00efcece73",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", "uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"value": "Identify supply chains - PRE-T1053" "value": "Identify supply chains - PRE-T1053"
}, },
@ -1321,6 +1475,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1111" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1111"
] ]
}, },
"related": [
{
"dest-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", "uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
"value": "Compromise 3rd party infrastructure to support delivery - PRE-T1111" "value": "Compromise 3rd party infrastructure to support delivery - PRE-T1111"
}, },
@ -1335,6 +1498,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1086" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1086"
] ]
}, },
"related": [
{
"dest-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", "uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6",
"value": "Obfuscate infrastructure - PRE-T1086" "value": "Obfuscate infrastructure - PRE-T1086"
}, },
@ -1517,6 +1689,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1121" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1121"
] ]
}, },
"related": [
{
"dest-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33", "uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33",
"value": "Friend/Follow/Connect to targets of interest - PRE-T1121" "value": "Friend/Follow/Connect to targets of interest - PRE-T1121"
}, },
@ -1559,6 +1740,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054"
] ]
}, },
"related": [
{
"dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "028ad431-84c5-4eb7-a364-2b797c234f88", "uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
"value": "Acquire OSINT data sets and information - PRE-T1054" "value": "Acquire OSINT data sets and information - PRE-T1054"
}, },
@ -1629,6 +1819,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1061" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1061"
] ]
}, },
"related": [
{
"dest-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05", "uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05",
"value": "Determine 3rd party infrastructure services - PRE-T1061" "value": "Determine 3rd party infrastructure services - PRE-T1061"
}, },
@ -1657,6 +1856,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1089" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1089"
] ]
}, },
"related": [
{
"dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", "uuid": "4900fabf-1142-4c1f-92f5-0b590e049077",
"value": "Compromise 3rd party infrastructure to support delivery - PRE-T1089" "value": "Compromise 3rd party infrastructure to support delivery - PRE-T1089"
}, },
@ -1769,6 +1977,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1087" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1087"
] ]
}, },
"related": [
{
"dest-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59", "uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59",
"value": "Acquire or compromise 3rd party signing certificates - PRE-T1087" "value": "Acquire or compromise 3rd party signing certificates - PRE-T1087"
}, },
@ -1881,6 +2098,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1024" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1024"
] ]
}, },
"related": [
{
"dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", "uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
"value": "Acquire OSINT data sets and information - PRE-T1024" "value": "Acquire OSINT data sets and information - PRE-T1024"
}, },
@ -1895,6 +2121,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1085" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1085"
] ]
}, },
"related": [
{
"dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "1a295f87-af63-4d94-b130-039d6221fb11", "uuid": "1a295f87-af63-4d94-b130-039d6221fb11",
"value": "Acquire and/or use 3rd party software services - PRE-T1085" "value": "Acquire and/or use 3rd party software services - PRE-T1085"
}, },
@ -1923,6 +2158,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1044" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1044"
] ]
}, },
"related": [
{
"dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "0722cd65-0c83-4c89-9502-539198467ab1", "uuid": "0722cd65-0c83-4c89-9502-539198467ab1",
"value": "Identify job postings and needs/gaps - PRE-T1044" "value": "Identify job postings and needs/gaps - PRE-T1044"
}, },
@ -1951,6 +2195,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1107" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1107"
] ]
}, },
"related": [
{
"dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", "uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6",
"value": "Acquire and/or use 3rd party software services - PRE-T1107" "value": "Acquire and/or use 3rd party software services - PRE-T1107"
}, },
@ -1979,6 +2232,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1110" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1110"
] ]
}, },
"related": [
{
"dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", "uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe",
"value": "Dynamic DNS - PRE-T1110" "value": "Dynamic DNS - PRE-T1110"
}, },
@ -2021,6 +2283,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1043" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1043"
] ]
}, },
"related": [
{
"dest-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", "uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
"value": "Acquire OSINT data sets and information - PRE-T1043" "value": "Acquire OSINT data sets and information - PRE-T1043"
}, },
@ -2077,6 +2348,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1066" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1066"
] ]
}, },
"related": [
{
"dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", "uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"value": "Analyze organizational skillsets and deficiencies - PRE-T1066" "value": "Analyze organizational skillsets and deficiencies - PRE-T1066"
}, },
@ -2147,6 +2427,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1042" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1042"
] ]
}, },
"related": [
{
"dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "59369f72-3005-4e54-9095-3d00efcece73", "uuid": "59369f72-3005-4e54-9095-3d00efcece73",
"value": "Identify supply chains - PRE-T1042" "value": "Identify supply chains - PRE-T1042"
}, },
@ -2357,6 +2646,15 @@
"https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1045" "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1045"
] ]
}, },
"related": [
{
"dest-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "related-to"
}
],
"uuid": "af358cad-eb71-4e91-a752-236edc237dae", "uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"value": "Conduct social engineering - PRE-T1045" "value": "Conduct social engineering - PRE-T1045"
}, },
@ -2445,5 +2743,5 @@
"value": "Data Hiding - PRE-T1097" "value": "Data Hiding - PRE-T1097"
} }
], ],
"version": 3 "version": 4
} }
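Review bot: Every cluster touched in this section receives exactly one `related` entry, and that drops links the removed relationship file carried: `7baccb84-356c-4e89-8c5d-58e701f033fc` (PRE-T1077) now points only at `96eb59d1-6c46-44bb-bfcd-56be02a00d41`, while the deleted file pairs it with `092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc`, and PRE-T1044 links to PRE-T1055 with no entry back. The intrusion-set section that follows shows the same pattern for groups: Night Dragon (`23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8`) keeps a single `uses` link, yet the deleted file lists it using PRE-T1144 and PRE-T1128. This looks like a converter that keeps one relationship per source cluster, though only part of the deleted file is visible here, so that should be confirmed against the full list. An analyst pivoting from a group to its techniques would get an incomplete picture, so I would fix the generator and regenerate, which for Night Dragon means its `related` array also gains entries such as `"dest-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"` and `"dest-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92"` with `"type": "uses"`.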


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "actor",
"description": "Name of ATT&CK Group", "description": "Name of ATT&CK Group",
"name": "Pre Attack - intrusion Set", "name": "Pre Attack - intrusion Set",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
@ -20,6 +21,15 @@
"APT16" "APT16"
] ]
}, },
"related": [
{
"dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", "uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"value": "APT16 - G0023" "value": "APT16 - G0023"
}, },
@ -59,6 +69,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
@ -115,6 +132,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [ "tags": [
@ -142,6 +166,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
@ -170,6 +201,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
@ -197,6 +235,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
@ -223,6 +268,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", "uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
@ -269,11 +321,18 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"value": "APT17 - G0025" "value": "APT17 - G0025"
} }
], ],
"version": 4 "version": 6
} }


@ -1,925 +0,0 @@
{
"authors": [
"MITRE"
],
"description": "MITRE Relationship",
"name": "Pre Attack - Relationship",
"source": "https://github.com/mitre/cti",
"type": "mitre-pre-attack-relationship",
"uuid": "1ffd3108-1708-11e8-9f98-67b378d9094c",
"values": [
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "58d0b955-ae3d-424a-a537-2804dab38793"
},
"uuid": "1eed277b-a2a7-43f9-bf12-6e30abf0841a",
"value": "APT28 (G0007) uses Unconditional client-side exploitation/Injected Website/Driveby (PRE-T1149)"
},
{
"meta": {
"source-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d",
"target-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33"
},
"uuid": "4a69750c-47d5-40f5-b753-c6bb2a27a359",
"value": "Friend/Follow/Connect to targets of interest (PRE-T1141) related-to Friend/Follow/Connect to targets of interest (PRE-T1121)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "15ef4da5-3b93-4bb1-a39a-5396661956d3"
},
"uuid": "2b6a71e4-e5d5-41d2-a193-9a95c94dc924",
"value": "APT1 (G0006) uses Build and configure delivery systems (PRE-T1124)"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "57723021-1eb3-4bf2-86eb-fdbf8a1b8125",
"value": "Night Dragon (G0014) uses Spear phishing messages with malicious attachments (PRE-T1144)"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92"
},
"uuid": "a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0",
"value": "Night Dragon (G0014) uses Remote access tool development (PRE-T1128)"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92"
},
"uuid": "307e24f8-4d7c-49a8-88f6-fb0a99fe8ff4",
"value": "APT16 (G0023) uses Assess targeting options (PRE-T1073)"
},
{
"meta": {
"source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
"target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc"
},
"uuid": "2dbdcf5e-af75-4f92-b4ad-942a06aab259",
"value": "Analyze organizational skillsets and deficiencies (PRE-T1077) related-to Analyze organizational skillsets and deficiencies (PRE-T1066)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "f4c5d1d9-8f0e-46f1-a9fa-f9a440926046"
},
"uuid": "9af7194c-1eea-4aef-bab1-49bd29be069c",
"value": "APT1 (G0006) uses Confirmation of launched compromise achieved (PRE-T1160)"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "89a79d91-53e0-4ef5-ba28-558cb8b01f76"
},
"uuid": "f6dd74d9-ed02-4fe4-aff6-9ef25906592f",
"value": "Night Dragon (G0014) uses Identify groups/roles (PRE-T1047)"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "271e6d40-e191-421a-8f87-a8102452c201"
},
"uuid": "614f64d8-c221-4789-b1e1-787e9326a37b",
"value": "APT17 (G0025) uses Develop social network persona digital footprint (PRE-T1119)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "84943231-1b44-4029-ae09-0dbf05440bef",
"value": "APT1 (G0006) uses Spear phishing messages with malicious attachments (PRE-T1144)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "d3999268-740f-467e-a075-c82e2d04be62"
},
"uuid": "51d03816-347c-4716-9524-da99a58f5ea6",
"value": "APT1 (G0006) uses Assess leadership areas of interest (PRE-T1001)"
},
{
"meta": {
"source-uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1"
},
"uuid": "ad510f42-e745-42d0-8b54-4bf7a2f3cf34",
"value": "Conduct social engineering (PRE-T1045) related-to Conduct social engineering (PRE-T1026)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
},
"uuid": "ab356c7a-6922-4143-90eb-5be632e2f6cd",
"value": "Cleaver (G0003) uses Build social network persona (PRE-T1118)"
},
{
"meta": {
"source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
"target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407"
},
"uuid": "ab313887-ff00-4aa9-8edb-ab107c517c19",
"value": "Identify job postings and needs/gaps (PRE-T1025) related-to Identify job postings and needs/gaps (PRE-T1055)"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "edb31962-2310-4618-bd4f-d34f8e7d58e8",
"value": "APT16 (G0023) uses Acquire OSINT data sets and information (PRE-T1024)"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "286cc500-4291-45c2-99a1-e760db176402"
},
"uuid": "0adf353d-688b-46ce-88bb-62a008675fe0",
"value": "Night Dragon (G0014) uses Acquire and/or use 3rd party infrastructure services (PRE-T1084)"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64"
},
"uuid": "e95ea206-3962-43af-aac1-042ac9928679",
"value": "Night Dragon (G0014) uses Identify gap areas (PRE-T1002)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234"
},
"uuid": "b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb",
"value": "Cleaver (G0003) uses Create custom payloads (PRE-T1122)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "c860af4a-376e-46d7-afbf-262c41012227"
},
"uuid": "26bf68a4-af3c-4d39-bad3-5f0ce824f4a3",
"value": "APT28 (G0007) uses Determine operational element (PRE-T1019)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "45242287-2964-4a3e-9373-159fad4d8195"
},
"uuid": "3d65fc7e-87a5-4113-bd9c-09453fba4d1e",
"value": "APT28 (G0007) uses Buy domain name (PRE-T1105)"
},
{
"meta": {
"source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84"
},
"uuid": "22d4f32c-63c1-400f-8e2c-10e4a200d133",
"value": "Identify job postings and needs/gaps (PRE-T1055) related-to Identify job postings and needs/gaps (PRE-T1025)"
},
{
"meta": {
"source-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
"target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549"
},
"uuid": "ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80",
"value": "Identify business relationships (PRE-T1060) related-to Identify business relationships (PRE-T1049)"
},
{
"meta": {
"source-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549",
"target-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a"
},
"uuid": "9524754d-7743-47b3-8395-3cbfb633c020",
"value": "Identify business relationships (PRE-T1049) related-to Identify business relationships (PRE-T1060)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "271e6d40-e191-421a-8f87-a8102452c201"
},
"uuid": "d26a1746-b577-4a89-be5e-c49611e8c65a",
"value": "Cleaver (G0003) uses Develop social network persona digital footprint (PRE-T1119)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93"
},
"uuid": "f43faad4-a016-4da0-8de6-53103d429268",
"value": "Cleaver (G0003) uses Obfuscation or cryptography (PRE-T1090)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c"
},
"uuid": "0e7905fd-77c8-43cb-b499-7d6e37fefbeb",
"value": "APT1 (G0006) uses Dynamic DNS (PRE-T1088)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "b79a1960-d0be-4b51-bb62-b27e91e1dea0"
},
"uuid": "3f8694fa-8e16-465b-8357-ec0a85316e9c",
"value": "Cleaver (G0003) uses Conduct social engineering or HUMINT operation (PRE-T1153)"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39"
},
"uuid": "9c87b627-de61-42da-a658-7bdb33358754",
"value": "APT17 (G0025) uses Obfuscate infrastructure (PRE-T1108)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234"
},
"uuid": "6d809b32-a5db-4e1e-bea6-ef29a2c680e5",
"value": "APT28 (G0007) uses Create custom payloads (PRE-T1122)"
},
{
"meta": {
"source-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c",
"target-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe"
},
"uuid": "f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd",
"value": "Dynamic DNS (PRE-T1088) related-to Dynamic DNS (PRE-T1110)"
},
{
"meta": {
"source-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe",
"target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c"
},
"uuid": "94daf955-fb3e-4f13-af60-0e3ffa185be0",
"value": "Dynamic DNS (PRE-T1110) related-to Dynamic DNS (PRE-T1088)"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
},
"uuid": "545cd36e-572e-413d-82b9-db65788791f9",
"value": "APT17 (G0025) uses Build social network persona (PRE-T1118)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
},
"uuid": "8a2c46d3-92f2-4ff7-a912-8d47189a7d79",
"value": "APT1 (G0006) uses Compromise 3rd party infrastructure to support delivery (PRE-T1111)"
},
{
"meta": {
"source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
"target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88"
},
"uuid": "60b6c9a6-7705-4c72-93bb-67de0caf11f4",
"value": "Acquire OSINT data sets and information (PRE-T1024) related-to Acquire OSINT data sets and information (PRE-T1054)"
},
{
"meta": {
"source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"target-uuid": "78e41091-d10d-4001-b202-89612892b6ff"
},
"uuid": "9c44b2ec-70b0-4f5c-800e-426477330658",
"value": "Identify supply chains (PRE-T1053) related-to Identify supply chains (PRE-T1023)"
},
{
"meta": {
"source-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
"target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077"
},
"uuid": "bc165934-7ef6-4aed-a0d7-81d3372589f4",
"value": "Compromise 3rd party infrastructure to support delivery (PRE-T1111) related-to Compromise 3rd party infrastructure to support delivery (PRE-T1089)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "288b3cc3-f4da-4250-ab8c-d8b5dbed94ca"
},
"uuid": "643d984b-0c82-4e14-8ba9-1b8dec0c91e2",
"value": "APT28 (G0007) uses Identify web defensive services (PRE-T1033)"
},
{
"meta": {
"source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
"target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41"
},
"uuid": "715a66b4-7925-40b4-868a-e47aba879f8b",
"value": "Analyze organizational skillsets and deficiencies (PRE-T1077) related-to Analyze organizational skillsets and deficiencies (PRE-T1074)"
},
{
"meta": {
"source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
"target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88"
},
"uuid": "28bf7e8b-9948-40a8-945b-6b5f2c78ec53",
"value": "Acquire OSINT data sets and information (PRE-T1043) related-to Acquire OSINT data sets and information (PRE-T1054)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
},
"uuid": "2b0ec032-eaca-4f0c-be55-39471f0f2bf5",
"value": "APT1 (G0006) uses Obtain/re-use payloads (PRE-T1123)"
},
{
"meta": {
"source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
"target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a"
},
"uuid": "1143e6a6-deef-4dbd-8c91-7bf537d8f5ce",
"value": "Acquire OSINT data sets and information (PRE-T1024) related-to Acquire OSINT data sets and information (PRE-T1043)"
},
{
"meta": {
"source-uuid": "78e41091-d10d-4001-b202-89612892b6ff",
"target-uuid": "59369f72-3005-4e54-9095-3d00efcece73"
},
"uuid": "a29f2adc-c328-4cf3-9984-2c0c72ec7061",
"value": "Identify supply chains (PRE-T1023) related-to Identify supply chains (PRE-T1042)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "abd5bed1-4c12-45de-a623-ab8dc4ff862a"
},
"uuid": "eab3be4e-4130-4898-a7b6-d9e9eb34f2bd",
"value": "APT28 (G0007) uses Research relevant vulnerabilities/CVEs (PRE-T1068)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
},
"uuid": "39db1df8-f786-480c-9faf-5b870de2250b",
"value": "APT1 (G0006) uses Acquire and/or use 3rd party software services (PRE-T1085)"
},
{
"meta": {
"source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
"target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a"
},
"uuid": "6ba71250-1dc7-4b8d-88e7-698440ea18a0",
"value": "Acquire OSINT data sets and information (PRE-T1054) related-to Acquire OSINT data sets and information (PRE-T1043)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "6238613d-8683-420d-baf7-6050aa27eb9d",
"value": "APT28 (G0007) uses Spear phishing messages with malicious attachments (PRE-T1144)"
},
{
"meta": {
"source-uuid": "286cc500-4291-45c2-99a1-e760db176402",
"target-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6"
},
"uuid": "5dc0b076-5f25-4bda-83c7-1d8bd214b81a",
"value": "Acquire and/or use 3rd party infrastructure services (PRE-T1084) related-to Acquire and/or use 3rd party infrastructure services (PRE-T1106)"
},
{
"meta": {
"source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"target-uuid": "59369f72-3005-4e54-9095-3d00efcece73"
},
"uuid": "7aaa32b6-73f3-4b6e-98ae-da16976e6003",
"value": "Identify supply chains (PRE-T1053) related-to Identify supply chains (PRE-T1042)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077"
},
"uuid": "cc22ab71-f2fc-4885-832b-e75dadeefa2d",
"value": "APT1 (G0006) uses Compromise 3rd party infrastructure to support delivery (PRE-T1089)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "60e79ac2-3dc1-4005-a1f8-260d58117dab",
"value": "APT28 (G0007) uses Acquire OSINT data sets and information (PRE-T1024)"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "9a8c47f6-ae69-4044-917d-4b1602af64d9"
},
"uuid": "7da16587-3861-4404-9043-0076e4766ac4",
"value": "APT12 (G0005) uses Choose pre-compromised persona and affiliated accounts (PRE-T1120)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "6cfc9229-9928-414e-bfaf-f63e815b4c84",
"value": "APT28 (G0007) uses Determine strategic target (PRE-T1018)"
},
{
"meta": {
"source-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05",
"target-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f"
},
"uuid": "a7f177e4-7e7f-4883-af3d-c95db9ea7a53",
"value": "Determine 3rd party infrastructure services (PRE-T1061) related-to Determine 3rd party infrastructure services (PRE-T1037)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
},
"uuid": "515e7665-040c-44ac-a379-44d4399d6e2b",
"value": "Cleaver (G0003) uses Obtain/re-use payloads (PRE-T1123)"
},
{
"meta": {
"source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc"
},
"uuid": "b180dee5-0d48-448f-94b9-4997f0c584d5",
"value": "Analyze organizational skillsets and deficiencies (PRE-T1074) related-to Analyze organizational skillsets and deficiencies (PRE-T1077)"
},
{
"meta": {
"source-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077",
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
},
"uuid": "28815a00-1cf4-4fbc-9039-306a9542c7fd",
"value": "Compromise 3rd party infrastructure to support delivery (PRE-T1089) related-to Compromise 3rd party infrastructure to support delivery (PRE-T1111)"
},
{
"meta": {
"source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
"target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1"
},
"uuid": "8bcaccd1-403b-40f1-82d3-ac4d873263f8",
"value": "Identify job postings and needs/gaps (PRE-T1025) related-to Identify job postings and needs/gaps (PRE-T1044)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957"
},
"uuid": "5aab758c-79d2-4219-9053-f50791d98531",
"value": "APT28 (G0007) uses Discover target logon/email address format (PRE-T1032)"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6"
},
"uuid": "b55534ba-37ce-47f2-a961-edeaeedcb399",
"value": "APT12 (G0005) uses Obfuscate infrastructure (PRE-T1086)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
},
"uuid": "709bb5af-c484-48f2-bb19-bd7630e42e2d",
"value": "APT28 (G0007) uses Obtain/re-use payloads (PRE-T1123)"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "4e06cf53-00b1-46a6-a6b6-8e33e761b83f",
"value": "APT12 (G0005) uses Determine strategic target (PRE-T1018)"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "89754a0d-03b1-44e3-94c5-7a892d171a28",
"value": "APT17 (G0025) uses Determine strategic target (PRE-T1018)"
},
{
"meta": {
"source-uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5"
},
"uuid": "984d13eb-ba9c-4e7c-8675-85dde9877a81",
"value": "Conduct social engineering (PRE-T1045) related-to Conduct social engineering (PRE-T1056)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "d3999268-740f-467e-a075-c82e2d04be62"
},
"uuid": "2daad934-bf08-4a2f-b656-4f7d197eb8fa",
"value": "APT28 (G0007) uses Assess leadership areas of interest (PRE-T1001)"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "1895866a-4689-4527-8460-95e9cd7dd037",
"value": "APT12 (G0005) uses Spear phishing messages with malicious attachments (PRE-T1144)"
},
{
"meta": {
"source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5",
"target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1"
},
"uuid": "51c20b46-16cc-4b58-80d7-89d48b14b064",
"value": "Conduct social engineering (PRE-T1056) related-to Conduct social engineering (PRE-T1026)"
},
{
"meta": {
"source-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"target-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59"
},
"uuid": "fe31fa7c-be01-47ca-90bb-0fb49b49eb03",
"value": "Acquire or compromise 3rd party signing certificates (PRE-T1109) related-to Acquire or compromise 3rd party signing certificates (PRE-T1087)"
},
{
"meta": {
"source-uuid": "59369f72-3005-4e54-9095-3d00efcece73",
"target-uuid": "78e41091-d10d-4001-b202-89612892b6ff"
},
"uuid": "432c700b-4bf3-4824-a530-a6e86882c4b7",
"value": "Identify supply chains (PRE-T1042) related-to Identify supply chains (PRE-T1023)"
},
{
"meta": {
"source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1"
},
"uuid": "ef32147c-d309-4867-aaba-998088290e32",
"value": "Identify job postings and needs/gaps (PRE-T1055) related-to Identify job postings and needs/gaps (PRE-T1044)"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
},
"uuid": "f8559304-7ef6-4c48-8d76-a56ebf37c0be",
"value": "APT16 (G0023) uses Compromise 3rd party infrastructure to support delivery (PRE-T1111)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a"
},
"uuid": "3d3eb711-5054-4b32-8006-15ba67d3bb25",
"value": "APT1 (G0006) uses Procure required equipment and software (PRE-T1112)"
},
{
"meta": {
"source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1",
"target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407"
},
"uuid": "689ebb39-52f4-4b2f-8678-72cfed67cb9f",
"value": "Identify job postings and needs/gaps (PRE-T1044) related-to Identify job postings and needs/gaps (PRE-T1055)"
},
{
"meta": {
"source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc"
},
"uuid": "36990d75-9fbd-43f0-9966-ae58f0388e1d",
"value": "Analyze organizational skillsets and deficiencies (PRE-T1074) related-to Analyze organizational skillsets and deficiencies (PRE-T1066)"
},
{
"meta": {
"source-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
"target-uuid": "286cc500-4291-45c2-99a1-e760db176402"
},
"uuid": "9a1f729c-72a9-4735-9d48-ecb54ea018a9",
"value": "Acquire and/or use 3rd party infrastructure services (PRE-T1106) related-to Acquire and/or use 3rd party infrastructure services (PRE-T1084)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1"
},
"uuid": "7c68bb22-457e-4942-9e07-36f6cd5ac5ba",
"value": "APT1 (G0006) uses Targeted social media phishing (PRE-T1143)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa"
},
"uuid": "75c781d7-f9ef-42c8-b610-0dc1ecb3b350",
"value": "Cleaver (G0003) uses Authorized user performs requested cyber action (PRE-T1163)"
},
{
"meta": {
"source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc"
},
"uuid": "d5bd7a33-a249-46e5-bb19-a498eba42bdb",
"value": "Analyze organizational skillsets and deficiencies (PRE-T1066) related-to Analyze organizational skillsets and deficiencies (PRE-T1077)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904"
},
"uuid": "8a2549fa-9e7c-4d47-9678-8ed0bb8fa3aa",
"value": "APT1 (G0006) uses Derive intelligence requirements (PRE-T1007)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa"
},
"uuid": "0f97c2ae-2b89-4dd5-a270-42b1dcb5d403",
"value": "APT1 (G0006) uses Authorized user performs requested cyber action (PRE-T1163)"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "c90a4d6a-af21-4103-ba57-3ddeb6e973e7",
"value": "APT16 (G0023) uses Spear phishing messages with malicious attachments (PRE-T1144)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "c860af4a-376e-46d7-afbf-262c41012227"
},
"uuid": "eca0f05c-5025-4149-9826-3715cc243180",
"value": "Cleaver (G0003) uses Determine operational element (PRE-T1019)"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64"
},
"uuid": "683d4e44-f763-492c-b510-fa469a923798",
"value": "APT12 (G0005) uses Identify gap areas (PRE-T1002)"
},
{
"meta": {
"source-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39",
"target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6"
},
"uuid": "db4dfa09-7f19-437a-9d79-15f2dc8ba0da",
"value": "Obfuscate infrastructure (PRE-T1108) related-to Obfuscate infrastructure (PRE-T1086)"
},
{
"meta": {
"source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1",
"target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84"
},
"uuid": "bbb1c074-a93a-4e40-b11e-2151403f7f1d",
"value": "Identify job postings and needs/gaps (PRE-T1044) related-to Identify job postings and needs/gaps (PRE-T1025)"
},
{
"meta": {
"source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "0e52753e-0a02-4bec-88f9-f8ee21b46bae",
"value": "Acquire OSINT data sets and information (PRE-T1054) related-to Acquire OSINT data sets and information (PRE-T1024)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "3c7c0851-1cf8-458f-862d-4e4827f8f474",
"value": "Cleaver (G0003) uses Determine strategic target (PRE-T1018)"
},
{
"meta": {
"source-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59",
"target-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983"
},
"uuid": "c388ed7c-3820-41a3-98af-a48dd7e4d88b",
"value": "Acquire or compromise 3rd party signing certificates (PRE-T1087) related-to Acquire or compromise 3rd party signing certificates (PRE-T1109)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
},
"uuid": "34ba5998-4e43-4669-9701-1877aa267354",
"value": "APT1 (G0006) uses Build social network persona (PRE-T1118)"
},
{
"meta": {
"source-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1",
"target-uuid": "af358cad-eb71-4e91-a752-236edc237dae"
},
"uuid": "f8504a07-758c-4c51-ac94-c2e7ba652e29",
"value": "Conduct social engineering (PRE-T1026) related-to Conduct social engineering (PRE-T1045)"
},
{
"meta": {
"source-uuid": "78e41091-d10d-4001-b202-89612892b6ff",
"target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
},
"uuid": "9ad9966d-4a8d-4b15-b503-c5d27104fcdd",
"value": "Identify supply chains (PRE-T1023) related-to Identify supply chains (PRE-T1053)"
},
{
"meta": {
"source-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f",
"target-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05"
},
"uuid": "e4501560-7850-4467-8422-2cf336429e8a",
"value": "Determine 3rd party infrastructure services (PRE-T1037) related-to Determine 3rd party infrastructure services (PRE-T1061)"
},
{
"meta": {
"source-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1",
"target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5"
},
"uuid": "66e4da4a-6eb6-46e0-9baf-74059f341b4a",
"value": "Conduct social engineering (PRE-T1026) related-to Conduct social engineering (PRE-T1056)"
},
{
"meta": {
"source-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6",
"target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39"
},
"uuid": "41be9f31-9d2b-44b8-a7dc-31f8c4519751",
"value": "Obfuscate infrastructure (PRE-T1086) related-to Obfuscate infrastructure (PRE-T1108)"
},
{
"meta": {
"source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "be031f72-737b-4afd-b2c1-c565f5ab7369",
"value": "Acquire OSINT data sets and information (PRE-T1043) related-to Acquire OSINT data sets and information (PRE-T1024)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7"
},
"uuid": "90d7f0f0-6e41-431a-a024-9375cbc18d2b",
"value": "APT1 (G0006) uses Post compromise tool development (PRE-T1130)"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "e60a165e-cfad-43e5-ba83-ea2430a377c5",
"value": "APT16 (G0023) uses Determine strategic target (PRE-T1018)"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "a071fc8f-6323-420b-9812-b51f12fc7956",
"value": "Night Dragon (G0014) uses Determine strategic target (PRE-T1018)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0"
},
"uuid": "970531a2-4927-41a3-b2cd-09d445322f51",
"value": "APT1 (G0006) uses Create strategic plan (PRE-T1008)"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4"
},
"uuid": "c2571ca8-98c4-490d-b8f8-f3678b0ce74d",
"value": "Night Dragon (G0014) uses Compromise of externally facing system (PRE-T1165)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc"
},
"uuid": "e78023e7-98de-4973-9331-843bfa28c9f7",
"value": "APT1 (G0006) uses Spear phishing messages with malicious links (PRE-T1146)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2"
},
"uuid": "f76d74b6-c797-487c-8388-536367d1b922",
"value": "APT1 (G0006) uses Obfuscate or encrypt code (PRE-T1096)"
},
{
"meta": {
"source-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33",
"target-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d"
},
"uuid": "87239038-7693-49b3-b595-b828cc2be1ba",
"value": "Friend/Follow/Connect to targets of interest (PRE-T1121) related-to Friend/Follow/Connect to targets of interest (PRE-T1141)"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
},
"uuid": "c6e43693-2a6d-4ba8-8fa7-ec1ab5239528",
"value": "Night Dragon (G0014) uses Acquire and/or use 3rd party software services (PRE-T1085)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "5ed44a06-bcb4-4293-8bf4-aaebefddc09c",
"value": "APT1 (G0006) uses Determine strategic target (PRE-T1018)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a"
},
"uuid": "db10491f-a854-4404-9271-600349484bc3",
"value": "APT1 (G0006) uses Domain registration hijacking (PRE-T1103)"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549"
},
"uuid": "4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2",
"value": "APT16 (G0023) uses Identify business relationships (PRE-T1049)"
},
{
"meta": {
"source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41"
},
"uuid": "7bd3d2ba-f114-4835-97b6-1c3e2208d3f3",
"value": "Analyze organizational skillsets and deficiencies (PRE-T1066) related-to Analyze organizational skillsets and deficiencies (PRE-T1074)"
},
{
"meta": {
"source-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6",
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
},
"uuid": "2bf984b5-1a48-4d9a-a4f2-e97801254b84",
"value": "Acquire and/or use 3rd party software services (PRE-T1107) related-to Acquire and/or use 3rd party software services (PRE-T1085)"
},
{
"meta": {
"source-uuid": "59369f72-3005-4e54-9095-3d00efcece73",
"target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
},
"uuid": "c124f0ba-f4bc-430a-b40c-eebe0577f812",
"value": "Identify supply chains (PRE-T1042) related-to Identify supply chains (PRE-T1053)"
},
{
"meta": {
"source-uuid": "1a295f87-af63-4d94-b130-039d6221fb11",
"target-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6"
},
"uuid": "3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267",
"value": "Acquire and/or use 3rd party software services (PRE-T1085) related-to Acquire and/or use 3rd party software services (PRE-T1107)"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957"
},
"uuid": "597be8e7-58a4-4aff-a803-48a7a08164a2",
"value": "APT16 (G0023) uses Discover target logon/email address format (PRE-T1032)"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7"
},
"uuid": "7a254f4d-c7cf-4b98-94e9-3937785b7d68",
"value": "APT12 (G0005) uses Post compromise tool development (PRE-T1130)"
},
{
"meta": {
"source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5",
"target-uuid": "af358cad-eb71-4e91-a752-236edc237dae"
},
"uuid": "46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb",
"value": "Conduct social engineering (PRE-T1056) related-to Conduct social engineering (PRE-T1045)"
}
],
"version": 2
}


@ -2,6 +2,7 @@
"authors": [ "authors": [
"MITRE" "MITRE"
], ],
"category": "tool",
"description": "Name of ATT&CK software", "description": "Name of ATT&CK software",
"name": "Tool", "name": "Tool",
"source": "https://github.com/mitre/cti", "source": "https://github.com/mitre/cti",
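Review bot: The top-level `"category": "tool"` is added in the `-2,6 +2,7` hunk, but this file section shows no other hunk, so the cluster's `"version"` appears to stay as it was. A consumer that decides whether to re-import a cluster file by comparing `version` would presumably keep its older copy and never pick up the new field, so instances could end up with differing metadata for the same cluster. I would bump it in the same commit, `"version": <current value + 1>`, the way an earlier file on this page goes from `"version": 4` to `"version": 6`. The same applies to the `"category": "measure"` hunk in the Preventive Measure file that follows.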


@ -2,6 +2,7 @@
"authors": [ "authors": [
"Various" "Various"
], ],
"category": "measure",
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.", "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"name": "Preventive Measure", "name": "Preventive Measure",
"source": "MISP Project", "source": "MISP Project",


@ -3,6 +3,7 @@
"https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml", "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
"http://pastebin.com/raw/GHgpWjar" "http://pastebin.com/raw/GHgpWjar"
], ],
"category": "tool",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar", "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar",
"name": "Ransomware", "name": "Ransomware",
"source": "Various", "source": "Various",
@ -3290,15 +3291,6 @@
"https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/" "https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/"
] ]
}, },
"related": [
{
"dest-uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b", "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
"value": "Dharma Ransomware" "value": "Dharma Ransomware"
}, },
@ -9483,15 +9475,6 @@
"CrySiS" "CrySiS"
] ]
}, },
"related": [
{
"dest-uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "15a30d84-4f5f-4b75-a162-e36107d30215", "uuid": "15a30d84-4f5f-4b75-a162-e36107d30215",
"value": "Virus-Encoder" "value": "Virus-Encoder"
}, },
@ -9891,6 +9874,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "00c31914-bc0e-11e8-8241-3ff3b5e4671d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "e8af6388-6575-4812-94a8-9df1567294c5", "uuid": "e8af6388-6575-4812-94a8-9df1567294c5",
@ -11119,5 +11109,5 @@
"value": "SAVEfiles" "value": "SAVEfiles"
} }
], ],
"version": 38 "version": 39
} }
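Review bot: The two `related` blocks removed from "Dharma Ransomware" and "Virus-Encoder" were the only link between those entries in either direction, and "Virus-Encoder" still lists `CrySiS` as a synonym, so the association an analyst would pivot on disappears while the underlying data has not changed. Most of this commit adds `similar` relations, so the removal looks like a side effect of regenerating relations rather than a curation decision; that is inferred, as the generator is not shown here. The same happens in the threat-actor section to the `same-as` pair "Red October" / "Cloud Atlas" and to every relation of "Winnti Umbrella". If these links were entered by hand, they should be kept or the regeneration step should preserve hand-written `related` entries.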


@ -3,6 +3,7 @@
"Various", "Various",
"raw-data" "raw-data"
], ],
"category": "tool",
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.", "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"name": "RAT", "name": "RAT",
"source": "MISP Project", "source": "MISP Project",
@ -105,6 +106,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
"tags": [ "tags": [
@ -1827,6 +1835,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "da079741-05e6-458c-b434-011263dc691c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "9223bf17-7e32-4833-9574-9ffd8c929765", "uuid": "9223bf17-7e32-4833-9574-9ffd8c929765",
@ -3035,6 +3050,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "e0bea149-2def-484f-b658-f782a4f94815", "uuid": "e0bea149-2def-484f-b658-f782a4f94815",
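Review bot: No `version` change is shown for this cluster although three entries gain `related` items, whereas the ransomware file in the same commit goes from `"version": 38` to `"version": 39`. Consumers that decide whether to re-import a cluster by comparing `version` would presumably keep the old relations for this file. The threat-actor and threat-actor-tools sections below also change `related` content with no version hunk shown. Each modified cluster file should get its `"version"` incremented in this commit.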


@ -2,6 +2,7 @@
"authors": [ "authors": [
"Various" "Various"
], ],
"category": "sector",
"description": "Activity sectors", "description": "Activity sectors",
"name": "Sector", "name": "Sector",
"source": "CERT-EU", "source": "CERT-EU",


@ -2,6 +2,7 @@
"authors": [ "authors": [
"raw-data" "raw-data"
], ],
"category": "tool",
"description": "A list of malware stealer.", "description": "A list of malware stealer.",
"name": "Stealer", "name": "Stealer",
"source": "Open Sources", "source": "Open Sources",


@ -2,6 +2,7 @@
"authors": [ "authors": [
"Kafeine" "Kafeine"
], ],
"category": "tool",
"description": "TDS is a list of Traffic Direction System used by adversaries", "description": "TDS is a list of Traffic Direction System used by adversaries",
"name": "TDS", "name": "TDS",
"source": "MISP Project", "source": "MISP Project",


@ -6,6 +6,7 @@
"Timo Steffens", "Timo Steffens",
"Various" "Various"
], ],
"category": "actor",
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"name": "Threat actor", "name": "Threat actor",
"source": "MISP Project", "source": "MISP Project",
@ -127,6 +128,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c", "uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
@ -476,7 +484,14 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10", "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -628,13 +643,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
@ -1111,15 +1119,6 @@
"Royal APT" "Royal APT"
] ]
}, },
"related": [
{
"dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
"value": "Mirage" "value": "Mirage"
}, },
@ -1542,6 +1541,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
@ -1613,6 +1619,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
@ -1718,6 +1731,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
@ -1867,6 +1887,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "f873db71-3d53-41d5-b141-530675ade27a", "uuid": "f873db71-3d53-41d5-b141-530675ade27a",
@ -1955,6 +1982,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [ "tags": [
@ -3641,6 +3675,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "47204403-34c9-4d25-a006-296a0939d1a2", "uuid": "47204403-34c9-4d25-a006-296a0939d1a2",
@ -4587,6 +4628,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [ "tags": [
@ -5616,29 +5664,6 @@
"https://www.cfr.org/interactive/cyber-operations/winnti-umbrella" "https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
] ]
}, },
"related": [
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10", "uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"value": "Winnti Umbrella" "value": "Winnti Umbrella"
}, },
@ -5658,15 +5683,6 @@
"https://www.cfr.org/interactive/cyber-operations/henbox" "https://www.cfr.org/interactive/cyber-operations/henbox"
] ]
}, },
"related": [
{
"dest-uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896", "uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
"value": "HenBox" "value": "HenBox"
}, },
@ -5825,15 +5841,6 @@
"the Rocra" "the Rocra"
] ]
}, },
"related": [
{
"dest-uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "same-as"
}
],
"uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0", "uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
"value": "Red October" "value": "Red October"
}, },
@ -5857,15 +5864,6 @@
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas" "https://www.cfr.org/interactive/cyber-operations/cloud-atlas"
] ]
}, },
"related": [
{
"dest-uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "same-as"
}
],
"uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126", "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
"value": "Cloud Atlas" "value": "Cloud Atlas"
}, },
@ -5930,15 +5928,6 @@
}, },
{ {
"description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.", "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
"related": [
{
"dest-uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85", "uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
"value": "FASTCash" "value": "FASTCash"
}, },
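Review bot: Seven separate entries in this section (among them `ba724df5-…`, `11e17436-…`, `f98bac6b-…`, `f873db71-…` and `47204403-…`) each gain a `similar` relation to the same `dest-uuid` `b96e02f1-4037-463f-b158-5a964352f8d9`, all tagged `estimative-language:likelihood-probability="likely"`. The target entry is not defined anywhere in the visible hunks, so it cannot be checked here, but marking seven distinct actor entries as likely similar to one target is an attribution statement that analysts will act on when pivoting. If the link comes from a shared name or synonym rather than from analysis, a more specific relation type or a lower likelihood value from the same taxonomy would describe it more accurately. It is also worth confirming that the target carries the reciprocal relations, as the tools section does for its new pairs.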


@ -7,6 +7,7 @@
"Dennis Rand", "Dennis Rand",
"raw-data" "raw-data"
], ],
"category": "tool",
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"name": "Tool", "name": "Tool",
"source": "MISP Project", "source": "MISP Project",
@ -160,6 +161,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54", "uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
@ -833,6 +841,20 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "9223bf17-7e32-4833-9574-9ffd8c929765",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", "dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8",
"tags": [ "tags": [
@ -1167,7 +1189,7 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -1188,14 +1210,14 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -1259,14 +1281,21 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -1358,14 +1387,21 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -2231,6 +2267,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "652b5242-b790-4695-ad0e-b79bbf78f351",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64", "uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64",
@ -2659,6 +2702,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a", "dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a",
"tags": [ "tags": [
@ -2667,7 +2717,7 @@
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "dest-uuid": "16794655-c0e2-4510-9169-f862df104045",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -2692,6 +2742,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "652b5242-b790-4695-ad0e-b79bbf78f351", "uuid": "652b5242-b790-4695-ad0e-b79bbf78f351",
@ -2890,6 +2947,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "74167065-90b3-4c29-807a-79b6f098e45b", "uuid": "74167065-90b3-4c29-807a-79b6f098e45b",
@ -2906,12 +2970,26 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "28c13455-7f95-40a5-9568-1e8732503507",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", "dest-uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "74167065-90b3-4c29-807a-79b6f098e45b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539", "uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539",
@ -2940,6 +3018,13 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"tags": [ "tags": [
@ -2953,13 +3038,6 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "variant-of" "type": "variant-of"
},
{
"dest-uuid": "17e12216-a303-4a00-8283-d3fe92d0934c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", "uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
@ -3108,14 +3186,14 @@
}, },
"related": [ "related": [
{ {
"dest-uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941", "dest-uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
}, },
{ {
"dest-uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", "dest-uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
@ -3530,12 +3608,33 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
"tags": [ "tags": [
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5", "uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
@ -5311,6 +5410,20 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "e0bea149-2def-484f-b658-f782a4f94815",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", "dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f",
"tags": [ "tags": [
@ -5841,6 +5954,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "d1482c9e-6af3-11e8-aa8e-279274bd10c7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "a71ed71f-b8f4-416d-9c57-910a42e59430", "uuid": "a71ed71f-b8f4-416d-9c57-910a42e59430",
@ -6583,6 +6703,13 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "a71ed71f-b8f4-416d-9c57-910a42e59430",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "d1482c9e-6af3-11e8-aa8e-279274bd10c7", "uuid": "d1482c9e-6af3-11e8-aa8e-279274bd10c7",
@ -7059,6 +7186,13 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "e8af6388-6575-4812-94a8-9df1567294c5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", "dest-uuid": "6f736038-4f74-435b-8904-6870ee0e23ba",
"tags": [ "tags": [
@ -7112,15 +7246,6 @@
}, },
{ {
"description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.", "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.",
"related": [
{
"dest-uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e306fe62-c708-11e8-89f2-073e396e5403", "uuid": "e306fe62-c708-11e8-89f2-073e396e5403",
"value": "FASTCash" "value": "FASTCash"
}, },
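Review bot: "FASTCash" now exists twice with a word-for-word identical `description`, as `e306fe62-c708-11e8-89f2-073e396e5403` in this file and as `e38d32a2-c708-11e8-8785-472c4cfccd85` in the threat-actor file, and this commit removes the `related` item that tied the two together on both sides. After the change an event tagged with one entry no longer leads to the other, and the two descriptions can drift apart. The text describes a campaign and its malware, so either keep one entry in the cluster that fits and drop the other, or restore the cross-reference with a relation type that says how the two differ.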


@ -1,9 +0,0 @@
{
"description": "Mitre Relationship",
"icon": "link",
"name": "Enterprise Attack - Relationship",
"namespace": "mitre-attack",
"type": "mitre-enterprise-attack-relationship",
"uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
"version": 4
}


@ -1,9 +0,0 @@
{
"description": "Mitre Relationship",
"icon": "link",
"name": "Mobile Attack - Relationship",
"namespace": "mitre-attack",
"type": "mitre-mobile-attack-relationship",
"uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
"version": 4
}


@ -1,9 +0,0 @@
{
"description": "Mitre Relationship",
"icon": "link",
"name": "Pre Attack - Relationship",
"namespace": "mitre-attack",
"type": "mitre-pre-attack-relationship",
"uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
"version": 5
}


@ -23,6 +23,9 @@
"source": { "source": {
"type": "string" "type": "string"
}, },
"category": {
"type": "string"
},
"values": { "values": {
"type": "array", "type": "array",
"uniqueItems": true, "uniqueItems": true,
@ -154,6 +157,7 @@
"uuid", "uuid",
"values", "values",
"authors", "authors",
"source" "source",
"category"
] ]
} }
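Review bot: `category` is added as an unconstrained `"type": "string"` and made required in the same change, so a misspelt or empty category passes validation while any cluster file written before this field existed now fails it. The values visible on this page are `tool`, `measure`, `sector` and `actor`; if the set is meant to be closed, an `enum` with the project's accepted values would let the schema catch mistakes, and `"minLength": 1` is the minimum that rules out `""`. A `description` on the property stating what the category is used for would also help authors of external clusters choose a value. The enclosing schema object starts and ends outside these hunks.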

105
tools/adoc_galaxy.py Normal file → Executable file

@ -1,4 +1,4 @@
#!/usr/bin/env python #!/usr/bin/env python3
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
# #
# #
@ -35,41 +35,50 @@ for f in os.listdir(pathClusters):
clusters.sort() clusters.sort()
# build a mapping between uuids and Clusters
cluster_uuids = {}
for cluster in clusters:
fullPathClusters = os.path.join(pathClusters, cluster)
with open(fullPathClusters) as fp:
c = json.load(fp)
for v in c['values']:
if 'uuid' not in v:
continue
cluster_uuids[v['uuid']] = 'misp-galaxy:{}="{}"'.format(c['type'], v['value'])
argParser = argparse.ArgumentParser(description='Generate documentation from MISP galaxy clusters', epilog='Available galaxy clusters are {0}'.format(clusters)) argParser = argparse.ArgumentParser(description='Generate documentation from MISP galaxy clusters', epilog='Available galaxy clusters are {0}'.format(clusters))
argParser.add_argument('-v', action='store_true', help='Verbose mode') argParser.add_argument('-v', action='store_true', help='Verbose mode')
args = argParser.parse_args() args = argParser.parse_args()
def header(adoc=False): def header():
if adoc is False: doc = []
return False
dedication = "\n[dedication]\n== Funding and Support\nThe MISP project is financially and resource supported by https://www.circl.lu/[CIRCL Computer Incident Response Center Luxembourg ].\n\nimage:{images-misp}logo.png[CIRCL logo]\n\nA CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as ***Improving MISP as building blocks for next-generation information sharing***.\n\nimage:{images-misp}en_cef.png[CEF funding]\n\nIf you are interested to co-fund projects around MISP, feel free to get in touch with us.\n\n" dedication = "\n[dedication]\n== Funding and Support\nThe MISP project is financially and resource supported by https://www.circl.lu/[CIRCL Computer Incident Response Center Luxembourg ].\n\nimage:{images-misp}logo.png[CIRCL logo]\n\nA CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as ***Improving MISP as building blocks for next-generation information sharing***.\n\nimage:{images-misp}en_cef.png[CEF funding]\n\nIf you are interested to co-fund projects around MISP, feel free to get in touch with us.\n\n"
doc = adoc doc += ":toc: right\n"
doc = doc + ":toc: right\n" doc += ":toclevels: 1\n"
doc = doc + ":toclevels: 1\n" doc += ":toc-title: MISP Galaxy Cluster\n"
doc = doc + ":toc-title: MISP Galaxy Cluster\n" doc += ":icons: font\n"
doc = doc + ":icons: font\n" doc += ":sectanchors:\n"
doc = doc + ":sectanchors:\n" doc += ":sectlinks:\n"
doc = doc + ":sectlinks:\n" doc += ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n"
doc = doc + ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n" doc += ":images-misp: https://www.misp-project.org/assets/images/\n"
doc = doc + ":images-misp: https://www.misp-project.org/assets/images/\n" doc += "\n= MISP Galaxy Clusters\n\n"
doc = doc + "\n= MISP Galaxy Clusters\n\n" doc += "= Introduction\n"
doc = doc + "= Introduction\n" doc += "\nimage::{images-cdn}misp-logo.png[MISP logo]\n\n"
doc = doc + "\nimage::{images-cdn}misp-logo.png[MISP logo]\n\n" doc += "The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.\n\n"
doc = doc + "The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.\n\n" doc += ""
doc = doc + "" doc += "\nMISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.\n"
doc = "{}{}".format(doc, "\nMISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.\n") doc += "The following document is generated from the machine-readable JSON describing the https://github.com/MISP/misp-galaxy[MISP galaxy]."
doc = doc + "The following document is generated from the machine-readable JSON describing the https://github.com/MISP/misp-galaxy[MISP galaxy]." doc += "\n\n"
doc = doc + "\n\n" doc += "<<<\n"
doc = doc + "<<<\n" doc += dedication
doc = doc + dedication doc += "<<<\n"
doc = doc + "<<<\n" doc += "= MISP galaxy\n"
doc = doc + "= MISP galaxy\n"
return doc return doc
def asciidoc(content=False, adoc=None, t='title',title='', typename=''): def asciidoc(content=False, t='title',title='', typename=''):
adoc = []
adoc = adoc + "\n" adoc += "\n"
output = "" output = ""
if t == 'title': if t == 'title':
output = '== ' + content output = '== ' + content
@ -81,21 +90,31 @@ def asciidoc(content=False, adoc=None, t='title',title='', typename=''):
output = '=== ' + content output = '=== ' + content
elif t == 'description': elif t == 'description':
output = '\n{}\n'.format(content) output = '\n{}\n'.format(content)
elif t == 'meta': elif t == 'meta-synonyms':
if 'synonyms' in content: if 'synonyms' in content:
for s in content['synonyms']: for s in content['synonyms']:
output = "{}\n* {}\n".format(output,s) output = "{}\n* {}\n".format(output,s)
output = '{} is also known as:\n{}\n'.format(title,output) output = '{} is also known as:\n{}\n'.format(title,output)
elif t == 'meta-refs':
if 'refs' in content: if 'refs' in content:
output = '{}{}'.format(output,'\n.Table References\n|===\n|Links\n') output = '{}{}'.format(output,'\n.Table References\n|===\n|Links\n')
for r in content['refs']: for r in content['refs']:
output = '{}|{}[{}]\n'.format(output, r, r) output = '{}|{}[{}]\n'.format(output, r, r)
output = '{}{}'.format(output,'|===\n') output = '{}{}'.format(output,'|===\n')
adoc = adoc + output elif t == 'related':
for r in content:
try:
output = "{}\n* {}: {} with {}\n".format(output, r['type'], cluster_uuids[r['dest-uuid']], ', '.join(r['tags']))
except Exception:
pass # ignore lookup errors
if output:
output = '{} has relationships with:\n{}\n'.format(title,output)
adoc += output
return adoc return adoc
adoc = ""
print (header(adoc=adoc)) adoc = []
adoc += header()
for cluster in clusters: for cluster in clusters:
fullPathClusters = os.path.join(pathClusters, cluster) fullPathClusters = os.path.join(pathClusters, cluster)
@ -103,16 +122,18 @@ for cluster in clusters:
c = json.load(fp) c = json.load(fp)
title = c['name'] title = c['name']
typename = c['type'] typename = c['type']
adoc = asciidoc(content=title, adoc=adoc, t='title') adoc += asciidoc(content=title, t='title')
adoc = asciidoc(content=c['description'], adoc=adoc, t='info', title=title, typename = typename) adoc += asciidoc(content=c['description'], t='info', title=title, typename = typename)
if 'authors' in c: if 'authors' in c:
adoc = asciidoc(content=c['authors'], adoc=adoc, t='author', title=title) adoc += asciidoc(content=c['authors'], t='author', title=title)
for v in c['values']: for v in c['values']:
adoc = asciidoc(content=v['value'], adoc=adoc, t='value', title=title) adoc += asciidoc(content=v['value'], t='value', title=title)
if 'description' in v: if 'description' in v:
adoc = asciidoc(content=v['description'], adoc=adoc, t='description') adoc += asciidoc(content=v['description'], t='description')
if 'meta' in v: if 'meta' in v:
adoc = asciidoc(content=v['meta'], adoc=adoc, t='meta', title=v['value']) adoc += asciidoc(content=v['meta'], t='meta-synonyms', title=v['value'])
if 'related' in v:
adoc += asciidoc(content=v['related'], t='related', title=v['value'])
print (adoc) if 'meta' in v:
adoc += asciidoc(content=v['meta'], t='meta-refs', title=v['value'])
print (''.join(adoc))

0
tools/gen.sh → tools/gen_adoc_galaxy.sh Normal file → Executable file

@ -36,7 +36,7 @@ type_mapping = {
'mitre-mobile-attack-tool': 'tool', 'mitre-mobile-attack-tool': 'tool',
'backdoor': 'tool', 'backdoor': 'tool',
# 'mitre-pre-attack-attack-pattern': '', # 'mitre-pre-attack-attack-pattern': '',
'mitre-mobile-attack-intrusion-set': 'tool', 'mitre-mobile-attack-intrusion-set': 'actor',
'mitre-tool': 'tool', 'mitre-tool': 'tool',
# 'mitre-mobile-attack-attack-pattern': '', # 'mitre-mobile-attack-attack-pattern': '',
'mitre-mobile-attack-malware': 'tool', 'mitre-mobile-attack-malware': 'tool',

195
tools/graph.py Executable file

@ -0,0 +1,195 @@
#!/usr/bin/env python3
# TODO
# - define strength between relations based on 'type' - similar should be closer than the others
# - use different colors / shapes
import json
import os
import argparse
from graphviz import Digraph
parser = argparse.ArgumentParser(description='Generate a DOT file to graph a Galaxy cluster and its relations.')
parser.add_argument("-u", "--uuid", help="Start UUID of a cluster.")
parser.add_argument("-a", "--all", action='store_true', help='generate all graphs as PNGs')
args = parser.parse_args()
def gen_galaxy_tag(galaxy_name, cluster_name):
# return 'misp-galaxy:{}="{}"'.format(galaxy_name, cluster_name)
return '{}={}'.format(galaxy_name, cluster_name)
files_to_ignore = ['mitre-attack-pattern.json', 'mitre-course-of-action.json', 'mitre-intrusion-set.json',
'mitre-malware.json', 'mitre-tool.json']
galaxies_fnames = []
pathClusters = '../clusters'
for f in os.listdir(pathClusters):
if '.json' in f and f not in files_to_ignore:
galaxies_fnames.append(f)
galaxies_fnames.sort()
cluster_uuids = {}
galaxies = []
for galaxy_fname in galaxies_fnames:
fullPathClusters = os.path.join(pathClusters, galaxy_fname)
with open(fullPathClusters) as fp:
json_data = json.load(fp)
galaxies.append(json_data)
for cluster in json_data['values']:
if 'uuid' not in cluster:
continue
cluster_uuids[cluster['uuid']] = {
'tag': gen_galaxy_tag(json_data['type'], cluster['value']),
'galaxy': json_data['type'],
'value': cluster['value'],
'synonyms': cluster.get('synonyms')
}
# for k, v in cluster_uuids.items():
# print("{}\t{}".format(k, v))
type_mapping = {
'ransomware': 'tool',
# 'mitre-pre-attack-relationship': '',
# 'mitre-enterprise-attack-course-of-action': '',
'mitre-enterprise-attack-intrusion-set': 'actor',
'mitre-intrusion-set': 'actor',
'rat': 'tool',
'stealer': 'tool',
'mitre-enterprise-attack-malware': 'tool',
# 'mitre-attack-pattern': '',
# 'mitre-mobile-attack-relationship': '',
# 'mitre-enterprise-attack-attack-pattern': '',
'microsoft-activity-group': 'actor',
# 'mitre-course-of-action': '',
'exploit-kit': 'tool',
'mitre-mobile-attack-tool': 'tool',
'backdoor': 'tool',
# 'mitre-pre-attack-attack-pattern': '',
'mitre-mobile-attack-intrusion-set': 'actor',
'mitre-tool': 'tool',
# 'mitre-mobile-attack-attack-pattern': '',
'mitre-mobile-attack-malware': 'tool',
'tool': 'tool',
# 'preventive-measure': '',
# 'sector': '',
'mitre-malware': 'tool',
'banker': 'tool',
# 'branded-vulnerability': '',
'botnet': 'tool',
# 'cert-eu-govsector': '',
'threat-actor': 'actor',
'mitre-enterprise-attack-tool': 'tool',
'android': 'tool',
# 'mitre-mobile-attack-course-of-action': '',
'mitre-pre-attack-intrusion-set': 'actor',
# 'mitre-enterprise-attack-relationship': '',
'tds': 'tool',
'malpedia': 'tool'
}
def gen_dot(uuid):
things_to_keep = [uuid] # '5b4ee3ea-eee3-4c8e-8323-85ae32658754' = threat-actor=Sofacy
# ' 5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8' = APT30
things_seen = things_to_keep.copy()
dot = []
while len(things_to_keep) > 0:
new_things_to_keep = []
for galaxy in galaxies:
for cluster in galaxy['values']:
if 'related' not in cluster:
continue
src_tag = gen_galaxy_tag(galaxy['type'], cluster['value'])
if cluster['uuid'] not in things_to_keep:
continue
node_params = []
node_params.append('label="{}&#92;n{}"'.format(galaxy['type'], cluster['value']))
if type_mapping.get(galaxy['type']) == 'actor':
node_params.append('shape=octagon')
node_params.append('style=filled,color=indianred1')
elif type_mapping.get(galaxy['type']) == 'tool':
node_params.append('shape=box')
node_params.append('style=filled,color=deepskyblue')
else:
node_params.append('shape=ellipse')
dot.append('"{src}" [{params}];'.format(
src=src_tag,
params=','.join(node_params)
))
for relation in cluster['related']:
try:
dest_tag = cluster_uuids[relation['dest-uuid']]['tag']
extra = []
if relation['type'] == 'similar':
# make arrow bidirectional
extra.append('dir="both"')
# prevent double links for 'similar' types
if relation['dest-uuid'] in things_seen:
continue
dot.append('"{src}" -> "{dst}" [label="{lbl}",{extra}];'.format(
# dot.append('"{src}" -> "{dst}" [{extra}];'.format(
src=src_tag,
dst=dest_tag,
lbl=relation['type'],
extra=','.join(extra)
))
# FIXME - add a separate node with the color, type, format of the source-node
# prevent something to be processed twice
if relation['dest-uuid'] not in things_seen:
new_things_to_keep.append(relation['dest-uuid'])
things_seen.append(relation['dest-uuid'])
except KeyError:
# skip uuids not found
pass
# print(new_things_to_keep)
things_to_keep = new_things_to_keep.copy()
return dot
if args.uuid:
uuid = args.uuid
dot = []
# dot.append('digraph G {')
dot.append('concentrate=true;')
dot.append('overlap=scale;')
generated_dot = gen_dot(uuid)
if len(generated_dot) == 0:
print("Empty graph for uuid: {}".format(uuid))
exit()
print("Generating graph for uuid: {}".format(uuid))
dot += generated_dot
# dot.append('}')
# dg.source = '\n'.join(dot)
dg = Digraph(engine='neato', format='png', body=dot)
# print(dg.source)
dg.render(filename='graphs/{}'.format(uuid), cleanup=False)
elif args.all:
for uuid in cluster_uuids.keys():
dot = []
# dot.append('digraph G {')
dot.append('concentrate=true;')
dot.append('overlap=scale;')
generated_dot = gen_dot(uuid)
if len(generated_dot) == 0:
print("Empty graph for uuid: {}".format(uuid))
continue
print("Generating graph for uuid: {}".format(uuid))
dot += generated_dot
# dot.append('}')
# dg.source = '\n'.join(dot)
dg = Digraph(format='png', body=dot)
#print(dg.source)
dg.render(filename='graphs/{}'.format(uuid))
else:
exit("No parameters given, use --help for more info.")
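Review bot: `gen_dot` formats `cluster['value']` and `galaxy['type']` straight into quoted DOT IDs and labels (the `dot.append('"{src}" [{params}];'...)` line and the edge line after it), so a cluster value containing a double quote ends the quoted string early and the rest is parsed as DOT syntax rather than as a name. The cluster files are contributed data, so it is safer to let the library do the quoting: build the graph with `dg.node(src_tag, label=..., shape='box')` and `dg.edge(src_tag, dest_tag, label=relation['type'], dir='both')` instead of passing hand-built strings through `body=`. The same data supplies the output path in `dg.render(filename='graphs/{}'.format(uuid))` in the `--all` branch; checking each key against a UUID pattern before rendering would keep a malformed `uuid` field from naming a file outside `graphs/`. Separately, `cluster['uuid']` in `gen_dot` is read without the `'uuid' not in cluster` guard that the loading loop uses, so an entry with `related` but no `uuid` raises an uncaught `KeyError`.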


@ -1,102 +0,0 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/enterprise-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
path = "relationship/"
for element in os.listdir(path):
with open(path+element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
source = temp['source_ref']
target = temp['target_ref']
relationship = temp['relationship_type']
if source.startswith('attack-pattern'):
paths = "attack-pattern/"
elif source.startswith('course-of-action'):
paths = "course-of-action/"
elif source.startswith('identity'):
paths = "identity/"
elif source.startswith('intrusion-set'):
paths = "intrusion-set/"
elif source.startswith('malware'):
paths = "malware/"
elif source.startswith('marking-definition'):
paths = "marking-definition/"
elif source.startswith('tool'):
paths = "tool/"
else:
print('Invalid value')
continue
with open(paths+source+'.json') as json_data:
s = json.load(json_data)
json_data.close()
if target.startswith('attack-pattern'):
patht = "attack-pattern/"
elif target.startswith('course-of-action'):
patht = "course-of-action/"
elif target.startswith('identity'):
patht = "identity/"
elif target.startswith('intrusion-set'):
patht = "intrusion-set/"
elif target.startswith('malware'):
patht = "malware/"
elif target.startswith('marking-definition'):
patht = "marking-definition/"
elif target.startswith('tool'):
patht = "tool/"
else:
print('Invalid value')
continue
with open(patht+target+'.json') as json_data:
t = json.load(json_data)
json_data.close()
value = {}
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' (' + s['objects'][0]['external_references'][0]['external_id'] + ') ' + relationship + ' ' + t['objects'][0]['name'] + ' (' + t['objects'][0]['external_references'][0]['external_id'] + ')'
# value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value)
galaxy = {}
galaxy['name'] = "Enterprise Attack - Relationship"
galaxy['type'] = "mitre-enterprise-attack-relationship"
galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "fc404638-1707-11e8-a5cf-b78b9b562766"
galaxy['version'] = args.version
galaxy['icon'] = "link"
galaxy['namespace'] = "mitre-attack"
cluster = {}
cluster['name'] = "Enterprise Attack - Relationship"
cluster['type'] = "mitre-enterprise-attack-relationship"
cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fc605f90-1707-11e8-9d6a-9f165ac2ab5c"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-enterprise-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-enterprise-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -1,101 +0,0 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/mobile-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
path = "relationship/"
for element in os.listdir(path):
with open(path+element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
source = temp['source_ref']
target = temp['target_ref']
relationship = temp['relationship_type']
if source.startswith('attack-pattern'):
paths = "attack-pattern/"
elif source.startswith('course-of-action'):
paths = "course-of-action/"
elif source.startswith('identity'):
paths = "identity/"
elif source.startswith('intrusion-set'):
paths = "intrusion-set/"
elif source.startswith('malware'):
paths = "malware/"
elif source.startswith('marking-definition'):
paths = "marking-definition/"
elif source.startswith('tool'):
paths = "tool/"
else:
print('Invalid value')
continue
with open(paths+source+'.json') as json_data:
s = json.load(json_data)
json_data.close()
if target.startswith('attack-pattern'):
patht = "attack-pattern/"
elif target.startswith('course-of-action'):
patht = "course-of-action/"
elif target.startswith('identity'):
patht = "identity/"
elif target.startswith('intrusion-set'):
patht = "intrusion-set/"
elif target.startswith('malware'):
patht = "malware/"
elif target.startswith('marking-definition'):
patht = "marking-definition/"
elif target.startswith('tool'):
patht = "tool/"
else:
print('Invalid value')
continue
with open(patht+target+'.json') as json_data:
t = json.load(json_data)
json_data.close()
value = {}
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' (' + s['objects'][0]['external_references'][0]['external_id'] + ') ' + relationship + ' ' + t['objects'][0]['name'] + ' (' + t['objects'][0]['external_references'][0]['external_id'] + ')'
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Relationship"
galaxy['type'] = "mitre-mobile-attack-relationship"
galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "fc8471aa-1707-11e8-b306-33cbe96a1ede"
galaxy['version'] = args.version
galaxy['icon'] = "link"
galaxy['namespace'] = "mitre-attack"
cluster = {}
cluster['name'] = "Mobile Attack - Relationship"
cluster['type'] = "mitre-mobile-attack-relationship"
cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "02f1fc42-1708-11e8-a4f2-eb70472c5901"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -1,102 +0,0 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/pre-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
path = "relationship/"
for element in os.listdir(path):
with open(path+element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
source = temp['source_ref']
target = temp['target_ref']
relationship = temp['relationship_type']
if source.startswith('attack-pattern'):
paths = "attack-pattern/"
elif source.startswith('course-of-action'):
paths = "course-of-action/"
elif source.startswith('identity'):
paths = "identity/"
elif source.startswith('intrusion-set'):
paths = "intrusion-set/"
elif source.startswith('malware'):
paths = "malware/"
elif source.startswith('marking-definition'):
paths = "marking-definition/"
elif source.startswith('tool'):
paths = "tool/"
else:
print('Invalid value')
continue
with open(paths+source+'.json') as json_data:
s = json.load(json_data)
json_data.close()
if target.startswith('attack-pattern'):
patht = "attack-pattern/"
elif target.startswith('course-of-action'):
patht = "course-of-action/"
elif target.startswith('identity'):
patht = "identity/"
elif target.startswith('intrusion-set'):
patht = "intrusion-set/"
elif target.startswith('malware'):
patht = "malware/"
elif target.startswith('marking-definition'):
patht = "marking-definition/"
elif target.startswith('tool'):
patht = "tool/"
else:
print('Invalid value')
continue
with open(patht+target+'.json') as json_data:
t = json.load(json_data)
json_data.close()
value = {}
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' (' + s['objects'][0]['external_references'][0]['external_id'] + ') ' + relationship + ' ' + t['objects'][0]['name'] + ' (' + t['objects'][0]['external_references'][0]['external_id'] + ')'
# value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value)
galaxy = {}
galaxy['name'] = "Pre Attack - Relationship"
galaxy['type'] = "mitre-pre-attack-relationship"
galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "1f8e3bae-1708-11e8-8e97-4bd2150e5aae"
galaxy['version'] = args.version
galaxy['icon'] = "link"
galaxy['namespace'] = "mitre-attack"
cluster = {}
cluster['name'] = "Pre Attack - Relationship"
cluster['type'] = "mitre-pre-attack-relationship"
cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "1ffd3108-1708-11e8-9f98-67b378d9094c"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-pre-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-pre-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,97 @@
#!/usr/bin/env python3
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/enterprise-attack/relationship folder')
parser.add_argument("-p", "--path", required=True, help="Path of the mitre/cti folder")
args = parser.parse_args()
# read out all clusters and map them based on uuid
# build a mapping between uuids and Clusters
clusters = []
pathClusters = '../../../clusters'
for f in os.listdir(pathClusters):
if '.json' in f:
clusters.append(f)
clusters.sort()
cluster_uuids = {}
for cluster in clusters:
fullPathClusters = os.path.join(pathClusters, cluster)
with open(fullPathClusters) as fp:
c = json.load(fp)
for v in c['values']:
if 'uuid' not in v:
continue
cluster_uuids[v['uuid']] = cluster
# read out all STIX mappings and store them in a list
stix_relations = {}
for subfolder in ['mobile-attack', 'pre-attack', 'enterprise-attack']:
curr_dir = os.path.join(args.path, subfolder, 'relationship')
for stix_fname in os.listdir(curr_dir):
with open(os.path.join(curr_dir, stix_fname)) as f:
json_data = json.load(f)
for o in json_data['objects']:
rel_type = o['relationship_type']
dest_uuid = re.findall(r'--([0-9a-f-]+)', o['target_ref']).pop()
uuid = re.findall(r'--([0-9a-f-]+)', o['source_ref']).pop()
tags = []
galaxy_fname = cluster_uuids[uuid]
# print("{} \t {} \t {} \t {}".format(rel_type, uuid, dest_uuid, galaxy_fname))
if not stix_relations.get(galaxy_fname):
stix_relations[galaxy_fname] = {}
stix_relations[galaxy_fname][uuid] = {
"dest-uuid": dest_uuid,
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": rel_type
}
# for each correlation per galaxy-file ,
# open the file,
# add the relationship,
# and save the galaxy file
for galaxy_fname, relations in stix_relations.items():
print("############# {}".format(galaxy_fname))
with open(os.path.join(pathClusters, galaxy_fname)) as f_in:
file_json = json.load(f_in)
for k, v in relations.items():
# print("{} \t {}".format(k, v))
for cluster in file_json['values']:
if cluster['uuid'] == k:
# skip if mapping already exists
skip = False
if 'related' in cluster:
for r in cluster['related']:
if r['dest-uuid'] == v['dest-uuid']:
print(" Mapping already exists! skipping... {}".format(v))
skip = True
break
if skip:
break
if 'related' not in cluster:
cluster['related'] = []
cluster['related'].append(v)
print(" Adding mapping: {}".format(v))
break
# increment version
file_json['version'] += 1
with open(os.path.join(pathClusters, galaxy_fname), 'w') as f_out:
json.dump(file_json, f_out, indent=2, sort_keys=True, ensure_ascii=False)
file_json = None