mirror of
https://github.com/MISP/misp-galaxy.git
synced 2024-11-30 02:37:17 +00:00
Merge branch 'master' of github.com:MISP/misp-galaxy
commit c6f9c5261c
28 changed files with 2167 additions and 73 deletions
|
@ -25,13 +25,14 @@ to localized information (which is not shared) or additional information (that c
- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
|
||||
- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
- [clusters/mitre_attack-pattern.json](clusters/mitre_attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
|
||||
- [clusters/mitre_course-of-action.json](clusters/mitre_course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
|
||||
- [clusters/mitre_intrusion-set.json](clusters/mitre_intrusion-set.json) - Intrusion Test - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
|
||||
- [clusters/mitre_malware.json](clusters/mitre_malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
|
||||
- [clusters/mitre_tool.json](clusters/mitre_tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
|
||||
|
||||
- [clusters/sectors.json](clusters/sectors.json) - Activity sectors
|
||||
- [clusters/cert-eu-govsector,json](clusters/cert-eu-govsector,json) - Cert EU GovSector
|
||||
|
||||
# Available Vocabularies
|
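Review bot: the new README entry `- [clusters/cert-eu-govsector,json](clusters/cert-eu-govsector,json)` has a comma in place of the dot in both the link text and the link target, so the link is dead; it should read `clusters/cert-eu-govsector.json`, the file this commit adds. In the same hunk the sectors entry links `clusters/sectors.json` while the file added in this commit is `clusters/sector.json`, and the pre-existing intrusion-set line reads `Intrusion Test` where ATT&CK's term (and the galaxy's own `name`) is `Intrusion Set`; all three are worth fixing while this list is being edited.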
@ -41,9 +42,13 @@ A [readable PDF overview of the MISP galaxy is available](https://www.misp.softw
## Common
|
||||
|
||||
- [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.
|
||||
- [vocabularies/common/threat-actor-type.json](vocabularies/common/threat-actor-type.json) - threat actor type vocab as defined by Cert EU.
|
||||
- [vocabularies/common/ttp-category.json](vocabularies/common/ttp-category.json) - ttp category vocab as defined by Cert EU.
|
||||
- [vocabularies/common/ttp-type.json](vocabularies/common/ttp-type.json) - ttp type vocab as defined by Cert EU.
|
||||
|
||||
## Threat Actor
|
||||
|
||||
- [vocabularies/threat-actor/cert-eu-motive.json](vocabularies/threat-actor/cert-eu-motive.json) - Motive vocab as defined by Cert EU.
|
||||
- [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1
|
||||
- [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1
|
||||
- [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.
|
||||
|
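Review bot: the three pre-existing STIX vocabulary lines in this hunk name one file in the link text and another in the target (`vocabularies/threat-actor/intended-effect-vocabulary.json` versus `vocabularies/threat-actor/intended-effect.json`, and likewise for motivation and planning-and-operational-support); since the hunk already renumbers this list, align text and target so only one filename has to exist. The new Cert EU entries describe each file only as `vocab as defined by Cert EU.`; one clause each on what a ttp category is versus a ttp type would let readers pick the right vocabulary without opening both files.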
31
clusters/cert-eu-govsector.json
Normal file
@ -0,0 +1,31 @@
{
|
||||
"values": [
|
||||
{
|
||||
"value": "Constituency"
|
||||
},
|
||||
{
|
||||
"value": "EU-Centric"
|
||||
},
|
||||
{
|
||||
"value": "EU-nearby"
|
||||
},
|
||||
{
|
||||
"value": "World-class"
|
||||
},
|
||||
{
|
||||
"value": "Unknown"
|
||||
},
|
||||
{
|
||||
"value": "Outside World"
|
||||
}
|
||||
],
|
||||
"version": 1,
|
||||
"uuid": "69351b20-b898-11e7-a2f1-c3e696a74a48",
|
||||
"description": "Cert EU GovSector",
|
||||
"authors": [
|
||||
"Various"
|
||||
],
|
||||
"source": "CERT-EU",
|
||||
"type": "cert-seu-gocsector",
|
||||
"name": "Cert EU GovSector"
|
||||
}
|
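Review bot: `"type": "cert-seu-gocsector"` looks like a typo for `cert-eu-govsector`; the filename, the README entry and `"name": "Cert EU GovSector"` all use the latter. The same string appears in the matching galaxies/cert-eu-govsector.json, so the pair resolves today, but the type becomes part of every tag built from this galaxy (`misp-galaxy:<type>="<value>"`) and is painful to rename once events carry it, so fix both files before merging. Also `"authors": ["Various"]` next to `"source": "CERT-EU"` is odd for a vocabulary the README attributes to Cert EU, and the values (`Constituency`, `EU-Centric`, `EU-nearby`, `World-class`, `Outside World`) would benefit from a one-line `description` each, since the boundary between `EU-nearby` and `Outside World` is not self-explanatory.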
@ -128,7 +128,7 @@
"type": [
|
||||
"Best Practice"
|
||||
],
|
||||
"possible_issues": "igher administrative costs"
|
||||
"possible_issues": "Higher administrative costs"
|
||||
},
|
||||
"value": "Remove Admin Privileges",
|
||||
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to."
|
||||
@ -6482,7 +6482,8 @@
"([A-F0-9]{32}).thor",
|
||||
"([A-F0-9]{32}).aesir",
|
||||
"([A-F0-9]{32}).zzzzz",
|
||||
"([A-F0-9]{32}).osiris"
|
||||
"([A-F0-9]{32}).osiris",
|
||||
".lukitus"
|
||||
],
|
||||
"encryption": "AES-128",
|
||||
"ransomnotes": [
|
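Review bot: the added `".lukitus"` entry does not follow the form of its siblings, which are all `([A-F0-9]{32}).<ext>` patterns; either add it as `([A-F0-9]{32}).lukitus` if encrypted files carry the same 32-hex-character prefix, or document that this list mixes bare extensions with regular expressions. While here, the unescaped `.` in the existing patterns matches any character, which matters if consumers treat these strings as regexes.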
@ -6494,7 +6495,9 @@
"_WHAT_is.html",
|
||||
"_INSTRUCTION.html",
|
||||
"DesktopOSIRIS.(bmp|htm)",
|
||||
"OSIRIS-[0-9]{4}.htm"
|
||||
"OSIRIS-[0-9]{4}.htm",
|
||||
"lukitus.htm",
|
||||
"lukitus.bmp."
|
||||
],
|
||||
"refs": [
|
||||
"http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/",
|
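Review bot: `"lukitus.bmp."` ends with a stray period; it should be `"lukitus.bmp"` to match the `"lukitus.htm"` entry above it. The comma added to `"OSIRIS-[0-9]{4}.htm",` is correct.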
@ -8534,12 +8537,56 @@
"https://twitter.com/struppigel/status/900238572409823232"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"value": "SynAck",
|
||||
"description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/"
|
||||
],
|
||||
"synonyms": [
|
||||
"Syn Ack"
|
||||
],
|
||||
"ransomnotes": [
|
||||
"RESTORE_INFO-[id].txt"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"value": "SyncCrypt",
|
||||
"description": "A new ransomware called SyncCrypt was discovered by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed these attachments will encrypt a computer and append the .kk extension to encrypted files.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/"
|
||||
],
|
||||
"extension": [
|
||||
".kk"
|
||||
],
|
||||
"ransomnotes": [
|
||||
"readme.html",
|
||||
"readme.png"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"value": "Bad Rabbit",
|
||||
"description": "On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"http://blog.talosintelligence.com/2017/10/bad-rabbit.html"
|
||||
],
|
||||
"synonyms": [
|
||||
"BadRabbit",
|
||||
"Bad-Rabbit"
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"source": "Various",
|
||||
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
|
||||
"name": "Ransomware",
|
||||
"version": 2,
|
||||
"version": 3,
|
||||
"type": "ransomware",
|
||||
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
|
||||
}
|
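Review bot: the SynAck `ransomnotes` value `RESTORE_INFO-[id].txt` is a placeholder rather than a matchable pattern; the description gives the id as eight hex characters (`RESTORE_INFO-4ABFA0EF.txt`), so `RESTORE_INFO-[A-F0-9]{8}.txt` would follow the regex style the Locky entry uses (`OSIRIS-[0-9]{4}.htm`). The description also says SynAck appends ten random alphabetic characters as an extension, yet no `extension` field is recorded, unlike SyncCrypt's `.kk`. Bad Rabbit's description is pasted verbatim from the Talos post in Talos's first person (`we quickly mobilized to assess the situation`); either mark it as a quotation or rewrite it in the galaxy's neutral voice, and add the ransom note or extension if the ref provides them. The cluster `version` bump from 2 to 3 is correct for the added entries.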
1072
clusters/rat.json
Normal file → Executable file
File diff suppressed because it is too large
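Review bot: clusters/rat.json changes mode from a regular to an executable file (`Normal file → Executable file`) alongside a 1072-line diff that is suppressed in this view; a JSON data file has no reason to be executable, so the mode flip looks like an accidental `chmod` and should be reverted to 644, and a change of that size deserves its own commit so the content can be reviewed.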
370
clusters/sector.json
Normal file
@ -0,0 +1,370 @@
{
|
||||
"values": [
|
||||
{
|
||||
"value": "Unknown"
|
||||
},
|
||||
{
|
||||
"value": "Other"
|
||||
},
|
||||
{
|
||||
"value": "Academia - University"
|
||||
},
|
||||
{
|
||||
"value": "Activists"
|
||||
},
|
||||
{
|
||||
"value": "Aerospace"
|
||||
},
|
||||
{
|
||||
"value": "Agriculture"
|
||||
},
|
||||
{
|
||||
"value": "Arts"
|
||||
},
|
||||
{
|
||||
"value": "Bank"
|
||||
},
|
||||
{
|
||||
"value": "Chemical"
|
||||
},
|
||||
{
|
||||
"value": "Citizens"
|
||||
},
|
||||
{
|
||||
"value": "Civil Aviation"
|
||||
},
|
||||
{
|
||||
"value": "Country"
|
||||
},
|
||||
{
|
||||
"value": "Culture"
|
||||
},
|
||||
{
|
||||
"value": "Data Broker"
|
||||
},
|
||||
{
|
||||
"value": "Defense"
|
||||
},
|
||||
{
|
||||
"value": "Development"
|
||||
},
|
||||
{
|
||||
"value": "Diplomacy"
|
||||
},
|
||||
{
|
||||
"value": "Education"
|
||||
},
|
||||
{
|
||||
"value": "Electric"
|
||||
},
|
||||
{
|
||||
"value": "Electronic"
|
||||
},
|
||||
{
|
||||
"value": "Employment"
|
||||
},
|
||||
{
|
||||
"value": "Energy"
|
||||
},
|
||||
{
|
||||
"value": "Entertainment"
|
||||
},
|
||||
{
|
||||
"value": "Environment"
|
||||
},
|
||||
{
|
||||
"value": "Finance"
|
||||
},
|
||||
{
|
||||
"value": "Food"
|
||||
},
|
||||
{
|
||||
"value": "Game"
|
||||
},
|
||||
{
|
||||
"value": "Gas"
|
||||
},
|
||||
{
|
||||
"value": "Government, Administration"
|
||||
},
|
||||
{
|
||||
"value": "Health"
|
||||
},
|
||||
{
|
||||
"value": "Higher education"
|
||||
},
|
||||
{
|
||||
"value": "Hotels"
|
||||
},
|
||||
{
|
||||
"value": "Infrastructure"
|
||||
},
|
||||
{
|
||||
"value": "Intelligence"
|
||||
},
|
||||
{
|
||||
"value": "IT"
|
||||
},
|
||||
{
|
||||
"value": "IT - Hacker"
|
||||
},
|
||||
{
|
||||
"value": "IT - ISP"
|
||||
},
|
||||
{
|
||||
"value": "IT - Security"
|
||||
},
|
||||
{
|
||||
"value": "Justice"
|
||||
},
|
||||
{
|
||||
"value": "Manufacturing"
|
||||
},
|
||||
{
|
||||
"value": "Maritime"
|
||||
},
|
||||
{
|
||||
"value": "Military"
|
||||
},
|
||||
{
|
||||
"value": "Multi-sector"
|
||||
},
|
||||
{
|
||||
"value": "News - Media"
|
||||
},
|
||||
{
|
||||
"value": "NGO"
|
||||
},
|
||||
{
|
||||
"value": "Oil"
|
||||
},
|
||||
{
|
||||
"value": "Payment"
|
||||
},
|
||||
{
|
||||
"value": "Pharmacy"
|
||||
},
|
||||
{
|
||||
"value": "Police - Law enforcement"
|
||||
},
|
||||
{
|
||||
"value": "Research - Innovation"
|
||||
},
|
||||
{
|
||||
"value": "Satellite navigation"
|
||||
},
|
||||
{
|
||||
"value": "Security systems"
|
||||
},
|
||||
{
|
||||
"value": "Social networks"
|
||||
},
|
||||
{
|
||||
"value": "Space"
|
||||
},
|
||||
{
|
||||
"value": "Steel"
|
||||
},
|
||||
{
|
||||
"value": "Telecoms"
|
||||
},
|
||||
{
|
||||
"value": "Think Tanks"
|
||||
},
|
||||
{
|
||||
"value": "Trade"
|
||||
},
|
||||
{
|
||||
"value": "Transport"
|
||||
},
|
||||
{
|
||||
"value": "Travel"
|
||||
},
|
||||
{
|
||||
"value": "Turbine"
|
||||
},
|
||||
{
|
||||
"value": "Tourism"
|
||||
},
|
||||
{
|
||||
"value": "Life science"
|
||||
},
|
||||
{
|
||||
"value": "Biomedical"
|
||||
},
|
||||
{
|
||||
"value": "High tech"
|
||||
},
|
||||
{
|
||||
"value": "Opposition"
|
||||
},
|
||||
{
|
||||
"value": "Political party"
|
||||
},
|
||||
{
|
||||
"value": "Hospitality"
|
||||
},
|
||||
{
|
||||
"value": "Automotive"
|
||||
},
|
||||
{
|
||||
"value": "Metal"
|
||||
},
|
||||
{
|
||||
"value": "Railway"
|
||||
},
|
||||
{
|
||||
"value": "Water"
|
||||
},
|
||||
{
|
||||
"value": "Smart meter"
|
||||
},
|
||||
{
|
||||
"value": "Retai"
|
||||
},
|
||||
{
|
||||
"value": "Retail"
|
||||
},
|
||||
{
|
||||
"value": "Technology"
|
||||
},
|
||||
{
|
||||
"value": "engineering"
|
||||
},
|
||||
{
|
||||
"value": "Mining"
|
||||
},
|
||||
{
|
||||
"value": "Sport"
|
||||
},
|
||||
{
|
||||
"value": "Restaurant"
|
||||
},
|
||||
{
|
||||
"value": "Semi-conductors"
|
||||
},
|
||||
{
|
||||
"value": "Insurance"
|
||||
},
|
||||
{
|
||||
"value": "Legal"
|
||||
},
|
||||
{
|
||||
"value": "Shipping"
|
||||
},
|
||||
{
|
||||
"value": "Logistic"
|
||||
},
|
||||
{
|
||||
"value": "Construction"
|
||||
},
|
||||
{
|
||||
"value": "Industrial"
|
||||
},
|
||||
{
|
||||
"value": "Communication equipment"
|
||||
},
|
||||
{
|
||||
"value": "Security Service"
|
||||
},
|
||||
{
|
||||
"value": "Tax firm"
|
||||
},
|
||||
{
|
||||
"value": "Television broadcast"
|
||||
},
|
||||
{
|
||||
"value": "Separatists"
|
||||
},
|
||||
{
|
||||
"value": "Dissidents"
|
||||
},
|
||||
{
|
||||
"value": "Digital services"
|
||||
},
|
||||
{
|
||||
"value": "Digital infrastructure"
|
||||
},
|
||||
{
|
||||
"value": "Security actors"
|
||||
},
|
||||
{
|
||||
"value": "eCommerce"
|
||||
},
|
||||
{
|
||||
"value": "Islamic forums"
|
||||
},
|
||||
{
|
||||
"value": "Journalist"
|
||||
},
|
||||
{
|
||||
"value": "Streaming service"
|
||||
},
|
||||
{
|
||||
"value": "Puplishing industry"
|
||||
},
|
||||
{
|
||||
"value": "Publishing industry"
|
||||
},
|
||||
{
|
||||
"value": "Islamic organisation"
|
||||
},
|
||||
{
|
||||
"value": "Casino"
|
||||
},
|
||||
{
|
||||
"value": "Consulting"
|
||||
},
|
||||
{
|
||||
"value": "Online marketplace"
|
||||
},
|
||||
{
|
||||
"value": "DNS service provider"
|
||||
},
|
||||
{
|
||||
"value": "Veterinary"
|
||||
},
|
||||
{
|
||||
"value": "Marketing"
|
||||
},
|
||||
{
|
||||
"value": "Video Sharing"
|
||||
},
|
||||
{
|
||||
"value": "Advertising"
|
||||
},
|
||||
{
|
||||
"value": "Investment"
|
||||
},
|
||||
{
|
||||
"value": "Accounting"
|
||||
},
|
||||
{
|
||||
"value": "Programming"
|
||||
},
|
||||
{
|
||||
"value": "Managed Services Provider"
|
||||
},
|
||||
{
|
||||
"value": "Lawyers"
|
||||
},
|
||||
{
|
||||
"value": "Civil society"
|
||||
},
|
||||
{
|
||||
"value": "Petrochemical"
|
||||
},
|
||||
{
|
||||
"value": "Immigration"
|
||||
}
|
||||
],
|
||||
"version": 1,
|
||||
"uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8",
|
||||
"description": "Activity sectors",
|
||||
"authors": [
|
||||
"Various"
|
||||
],
|
||||
"source": "CERT-EU",
|
||||
"type": "sector",
|
||||
"name": "Sector"
|
||||
}
|
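Review bot: `"uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8"` is not a valid UUID; the last group has 11 hex digits instead of 12, which will break anything that validates or parses the field, so generate a fresh UUID rather than patching the string. The value list also carries two misspelled duplicates, `Retai` next to `Retail` and `Puplishing industry` next to `Publishing industry`, which should be dropped, and `engineering` is the only lowercase entry. As in the govsector file, `"authors": ["Various"]` sits next to `"source": "CERT-EU"`, and the README in this same commit links the file as `clusters/sectors.json` while it is added here as `clusters/sector.json`.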
@ -663,6 +663,17 @@
"value": "Charming Kitten",
|
||||
"description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors."
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"country": "IR",
|
||||
"synonyms": [],
|
||||
"refs": [
|
||||
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
|
||||
]
|
||||
},
|
||||
"description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
|
||||
"value": "APT33"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"country": "IR",
|
|
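Review bot: the APT33 entry has `"synonyms": []`; if no aliases are known, drop the key as neighbouring entries do rather than shipping an empty list. The description is a verbatim first-person quote from the FireEye post (`Our analysis reveals`, `We assess`), which reads as the galaxy's own assessment; attribute it (`FireEye assesses ...`) or paraphrase it. The pre-existing Charming Kitten context line just above reads `is an group` and could be fixed in passing.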
@ -2616,6 +2616,9 @@
"meta": {
|
||||
"refs": [
|
||||
"https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
|
||||
],
|
||||
"synonyms": [
|
||||
"BlackOasis"
|
||||
]
|
||||
},
|
||||
"description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.",
|
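Review bot: `BlackOasis` is added as a synonym of the FINSPY tool entry, but the entry's description is about a tool sold by Gamma Group to nation-state clients; if BlackOasis is the name of the operator that used FINSPY with the zero-day rather than an alias of the tool, it belongs in clusters/threat-actor.json with a relation to this entry, not in the tool's `synonyms`. Either way, add the ref that introduces the name so the synonym can be checked against its source.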
@ -2971,6 +2974,24 @@
"https://www.cylance.com/en_us/blog/threat-spotlight-is-fireball-adware-or-malware.html"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"value": "ShadowPad",
|
||||
"description": "ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to “validation” command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"value": "IoT_reaper",
|
||||
"description": "IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
|
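Review bot: the IoT_reaper description is date-relative copy from the netlab post (`the most recently data (October 19)`) that will mislead a reader a year from now; keep the static facts (multiple C2s, an automatic loader that injects code into queued vulnerable devices) and either drop the bot counts or tie them to the date of the ref. Neither new entry lists synonyms, and `IoT_reaper` with an underscore as the canonical `value` differs from the naming style of `ShadowPad` in the same hunk; if the name is also written `IoT Reaper` or `Reaper`, add those as synonyms so tag matching works.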
8
galaxies/cert-eu-govsector.json
Normal file
@ -0,0 +1,8 @@
{
|
||||
"type": "cert-seu-gocsector",
|
||||
"name": "Cert EU GovSector",
|
||||
"description": "Cert EU GovSector",
|
||||
"version": 1,
|
||||
"icon": "globe",
|
||||
"uuid": "68858a48-b898-11e7-91ce-bf424ef9b662"
|
||||
}
|
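Review bot: `"type": "cert-seu-gocsector"` repeats the typo from the cluster file, so the pair links today, but both should read `cert-eu-govsector` before this ships; the type is the identifier every tag derived from this galaxy carries and cannot be renamed later without rewriting events that already use it.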
@ -2,6 +2,7 @@
"type": "exploit-kit",
|
||||
"name": "Exploit-Kit",
|
||||
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
|
||||
"version": 2,
|
||||
"version": 3,
|
||||
"icon": "internet-explorer",
|
||||
"uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01"
|
||||
}
|
@ -2,6 +2,7 @@
"name": "Microsoft Activity Group actor",
|
||||
"type": "microsoft-activity-group",
|
||||
"description": "Activity groups as described by Microsoft",
|
||||
"version": 1,
|
||||
"version": 2,
|
||||
"icon": "user-secret",
|
||||
"uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505"
|
||||
}
|
@ -1,7 +1,8 @@
{
|
||||
"version": 2,
|
||||
"version": 3,
|
||||
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
|
||||
"type": "mitre-attack-pattern",
|
||||
"name": "Attack Pattern",
|
||||
"icon": "map",
|
||||
"description": "ATT&CK Tactic"
|
||||
}
@ -3,5 +3,6 @@
"name": "Course of Action",
|
||||
"description": "ATT&CK Mitigation",
|
||||
"type": "mitre-course-of-action",
|
||||
"version": 3
|
||||
"icon": "chain",
|
||||
"version": 4
|
||||
}
|
@ -2,6 +2,7 @@
"type": "mitre-intrusion-set",
|
||||
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
|
||||
"description": "Name of ATT&CK Group",
|
||||
"version": 3,
|
||||
"version": 5,
|
||||
"icon": "user-secret",
|
||||
"name": "Intrusion Set"
|
||||
}
|
|
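Review bot: `version` jumps from 3 to 5 here while every other galaxy in this commit increments by one for the added `icon`; if 4 was consumed by a change that is not in history, say so in the commit, otherwise use 4 so the sequence stays meaningful to MISP instances that compare versions on update.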
@ -1,7 +1,8 @@
{
|
||||
"version": 2,
|
||||
"version": 3,
|
||||
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
|
||||
"description": "Name of ATT&CK software",
|
||||
"name": "Malware",
|
||||
"icon": "optin-monster",
|
||||
"type": "mitre-malware"
|
||||
}
|
@ -3,5 +3,6 @@
"type": "mitre-tool",
|
||||
"description": "Name of ATT&CK software",
|
||||
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
|
||||
"version": 2
|
||||
"icon": "gavel",
|
||||
"version": 3
|
||||
}
|
@ -2,6 +2,7 @@
"name": "Preventive Measure",
|
||||
"type": "preventive-measure",
|
||||
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
|
||||
"version": 1,
|
||||
"version": 2,
|
||||
"icon": "shield",
|
||||
"uuid": "8168995b-adcd-4684-9e37-206c5771505a"
|
||||
}
|
@ -1,7 +1,8 @@
{
|
||||
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
|
||||
"type": "ransomware",
|
||||
"version": 1,
|
||||
"version": 3,
|
||||
"name": "Ransomware",
|
||||
"icon": "btc",
|
||||
"uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078"
|
||||
}
|
|
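Review bot: the galaxy `version` goes from 1 to 3 here; the ransomware cluster file in this same commit moves from 2 to 3, so the jump may be meant to align the two numbers, but if so it should be stated, otherwise bump to 2 like the other galaxies that only gained an `icon`. The galaxy `description` also omits the pastebin source that the cluster file's description lists alongside the spreadsheet.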
@ -2,6 +2,7 @@
"type": "rat",
|
||||
"name": "RAT",
|
||||
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
|
||||
"version": 1,
|
||||
"version": 2,
|
||||
"icon": "eye",
|
||||
"uuid": "06825db6-4797-11e7-ac4d-af25fdcdd299"
|
||||
}
|
8
galaxies/sector.json
Normal file
@ -0,0 +1,8 @@
{
|
||||
"type": "sector",
|
||||
"name": "Sector",
|
||||
"description": "Activity sectors",
|
||||
"version": 1,
|
||||
"icon": "industry",
|
||||
"uuid": "e1bb134c-ae4d-11e7-8aa9-f78a37325439"
|
||||
}
@ -2,6 +2,7 @@
"type": "tds",
|
||||
"name": "TDS",
|
||||
"description": "TDS is a list of Traffic Direction System used by adversaries",
|
||||
"version": 2,
|
||||
"version": 3,
|
||||
"icon": "cart-arrow-down",
|
||||
"uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01"
|
||||
}
|
@ -2,6 +2,7 @@
"name": "Threat Actor",
|
||||
"type": "threat-actor",
|
||||
"description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
|
||||
"version": 1,
|
||||
"version": 2,
|
||||
"icon": "user-secret",
|
||||
"uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3"
|
||||
}
|
@ -2,6 +2,7 @@
"type": "tool",
|
||||
"name": "Tool",
|
||||
"description": "Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
||||
"version": 1,
|
||||
"version": 2,
|
||||
"icon": "optin-monster",
|
||||
"uuid": "9b8037f7-bc8f-4de1-a797-37266619bc0b"
|
||||
}
|
@ -17,6 +17,9 @@
"name": {
|
||||
"type": "string"
|
||||
},
|
||||
"icon": {
|
||||
"type": "string"
|
||||
},
|
||||
"uuid": {
|
||||
"type": "string"
|
||||
}
|
|
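Review bot: `icon` is added to the galaxy schema as a free-form string; every galaxy in this commit now sets one using icon names such as `user-secret`, `shield` and `btc`, so consider documenting the expected icon set in the property's description or constraining it with an enum, and if a galaxy without an icon should fail validation, add `icon` to the schema's `required` list, which this hunk does not touch.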
25
vocabularies/common/threat-actor-type.json
Normal file
@ -0,0 +1,25 @@
{
|
||||
"values": [
|
||||
{
|
||||
"value": "Independent Group"
|
||||
},
|
||||
{
|
||||
"value": "State or state-sponsored Group"
|
||||
},
|
||||
{
|
||||
"value": "Individual"
|
||||
},
|
||||
{
|
||||
"value": "Other"
|
||||
},
|
||||
{
|
||||
"value": "Unknown"
|
||||
}
|
||||
],
|
||||
"version" : 1,
|
||||
"description": "threat actor type vocab as defined by Cert EU.",
|
||||
"source": "Cert EU",
|
||||
"author": ["Cert EU"],
|
||||
"uuid": "549d040e-b017-11e7-b30c-2fa231749902",
|
||||
"type": "threat-actor-type"
|
||||
}
|
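Review bot: the vocabulary files use `"author": ["Cert EU"]` while the cluster files in this same commit use `"authors"` (clusters/sector.json, clusters/cert-eu-govsector.json); pick one key across the repo or every consumer will have to check both. `"version" : 1` has a space before the colon that no other file uses, and `"source": "Cert EU"` here versus `"source": "CERT-EU"` in the cluster files is a second spelling of the same organisation that will split any grouping by source.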
40
vocabularies/common/ttp-category.json
Normal file
@ -0,0 +1,40 @@
{
|
||||
"values": [
|
||||
{
|
||||
"value": "Exploits"
|
||||
},
|
||||
{
|
||||
"value": "Infrastructure"
|
||||
},
|
||||
{
|
||||
"value": "Malware"
|
||||
},
|
||||
{
|
||||
"value": "Tools"
|
||||
},
|
||||
{
|
||||
"value": "Other"
|
||||
},
|
||||
{
|
||||
"value": "Unknown"
|
||||
},
|
||||
{
|
||||
"value": "Attack Patterns (S)"
|
||||
},
|
||||
{
|
||||
"value": "Attack Patterns (G)"
|
||||
},
|
||||
{
|
||||
"value": "Tactic"
|
||||
},
|
||||
{
|
||||
"value": "Targeting"
|
||||
}
|
||||
],
|
||||
"version" : 1,
|
||||
"description": "ttp category vocab as defined by Cert EU.",
|
||||
"source": "Cert EU",
|
||||
"author": ["Cert EU"],
|
||||
"uuid": "54e405b6-b017-11e7-b2f7-df581d1a8587",
|
||||
"type": "ttp-category-vocabulary"
|
||||
}
|
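Review bot: `Attack Patterns (S)` and `Attack Patterns (G)` are opaque; spell out what S and G stand for in a `description` field or in the value itself. The `type` is `ttp-category-vocabulary` with a `-vocabulary` suffix, while threat-actor-type.json in this same commit uses plain `threat-actor-type`; the two conventions should be reconciled now, since the type string becomes the tag namespace.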
511
vocabularies/common/ttp-type.json
Normal file
@ -0,0 +1,511 @@
{
|
||||
"values": [
|
||||
{
|
||||
"value": "Android Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Backdoor"
|
||||
},
|
||||
{
|
||||
"value": "Banking Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Bot"
|
||||
},
|
||||
{
|
||||
"value": "DDoS malware"
|
||||
},
|
||||
{
|
||||
"value": "Espionage malware"
|
||||
},
|
||||
{
|
||||
"value": "Exploit kit"
|
||||
},
|
||||
{
|
||||
"value": "Keylogger"
|
||||
},
|
||||
{
|
||||
"value": "Mac Backdoor"
|
||||
},
|
||||
{
|
||||
"value": "Mac Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Malware site"
|
||||
},
|
||||
{
|
||||
"value": "RAT"
|
||||
},
|
||||
{
|
||||
"value": "Rootkit"
|
||||
},
|
||||
{
|
||||
"value": "SQLI malware"
|
||||
},
|
||||
{
|
||||
"value": "Toolkit"
|
||||
},
|
||||
{
|
||||
"value": "Trojan"
|
||||
},
|
||||
{
|
||||
"value": "Other"
|
||||
},
|
||||
{
|
||||
"value": "Unknown"
|
||||
},
|
||||
{
|
||||
"value": "Ransomware"
|
||||
},
|
||||
{
|
||||
"value": "Dark Net Market"
|
||||
},
|
||||
{
|
||||
"value": "Destructive"
|
||||
},
|
||||
{
|
||||
"value": "Forums"
|
||||
},
|
||||
{
|
||||
"value": "Domain Registration"
|
||||
},
|
||||
{
|
||||
"value": "POS malware"
|
||||
},
|
||||
{
|
||||
"value": "Hosting"
|
||||
},
|
||||
{
|
||||
"value": "ICS"
|
||||
},
|
||||
{
|
||||
"value": "Android app"
|
||||
},
|
||||
{
|
||||
"value": "Privacy"
|
||||
},
|
||||
{
|
||||
"value": "Safe browsing"
|
||||
},
|
||||
{
|
||||
"value": "Safe internet search"
|
||||
},
|
||||
{
|
||||
"value": "Peer-to-peer"
|
||||
},
|
||||
{
|
||||
"value": "Crypto"
|
||||
},
|
||||
{
|
||||
"value": "Social media"
|
||||
},
|
||||
{
|
||||
"value": "Identity Theft"
|
||||
},
|
||||
{
|
||||
"value": "VPN"
|
||||
},
|
||||
{
|
||||
"value": "Speech recognition software"
|
||||
},
|
||||
{
|
||||
"value": "Encrypted email"
|
||||
},
|
||||
{
|
||||
"value": "Messaging"
|
||||
},
|
||||
{
|
||||
"value": "ATM malware"
|
||||
},
|
||||
{
|
||||
"value": "Network mapper"
|
||||
},
|
||||
{
|
||||
"value": "Pentest tool"
|
||||
},
|
||||
{
|
||||
"value": "Authentication bypass"
|
||||
},
|
||||
{
|
||||
"value": "Phishing infra"
|
||||
},
|
||||
{
|
||||
"value": "Dox and ransom"
|
||||
},
|
||||
{
|
||||
"value": "Hot patching"
|
||||
},
|
||||
{
|
||||
"value": "Arsenal"
|
||||
},
|
||||
{
|
||||
"value": "CVE"
|
||||
},
|
||||
{
|
||||
"value": "Fake website"
|
||||
},
|
||||
{
|
||||
"value": "Information stealer"
|
||||
},
|
||||
{
|
||||
"value": "DoS"
|
||||
},
|
||||
{
|
||||
"value": "Worm"
|
||||
},
|
||||
{
|
||||
"value": "Downloader"
|
||||
},
|
||||
{
|
||||
"value": "Loader"
|
||||
},
|
||||
{
|
||||
"value": "Infostealer"
|
||||
},
|
||||
{
|
||||
"value": "RF Signals Intercepter"
|
||||
},
|
||||
{
|
||||
"value": "Wireless Keystroke Logger"
|
||||
},
|
||||
{
|
||||
"value": "Recon tool"
|
||||
},
|
||||
{
|
||||
"value": "Website"
|
||||
},
|
||||
{
|
||||
"value": "Website recon"
|
||||
},
|
||||
{
|
||||
"value": "Malware features"
|
||||
},
|
||||
{
|
||||
"value": "URL shortener service"
|
||||
},
|
||||
{
|
||||
"value": "Information Warfare"
|
||||
},
|
||||
{
|
||||
"value": "Programming language"
|
||||
},
|
||||
{
|
||||
"value": "Port scanner"
|
||||
},
|
||||
{
|
||||
"value": "Installer"
|
||||
},
|
||||
{
|
||||
"value": "CMS exploitation"
|
||||
},
|
||||
{
|
||||
"value": "Remote execution tool"
|
||||
},
|
||||
{
|
||||
"value": "Service"
|
||||
},
|
||||
{
|
||||
"value": "Money miner"
|
||||
},
|
||||
{
|
||||
"value": "Remote administration tool"
|
||||
},
|
||||
{
|
||||
"value": "First-stage"
|
||||
},
|
||||
{
|
||||
"value": "Dropper"
|
||||
},
|
||||
{
|
||||
"value": "Virtual server penetration"
|
||||
},
|
||||
{
|
||||
"value": "Scripting language"
|
||||
},
|
||||
{
|
||||
"value": "Adware"
|
||||
},
|
||||
{
|
||||
"value": "Obfuscation technique"
|
||||
},
|
||||
{
|
||||
"value": "Drive-by attack"
|
||||
},
|
||||
{
|
||||
"value": "PLC worm"
|
||||
},
|
||||
{
|
||||
"value": "Blog"
|
||||
},
|
||||
{
|
||||
"value": "Account checker"
|
||||
},
|
||||
{
|
||||
"value": "Internet Control"
|
||||
},
|
||||
{
|
||||
"value": "C2"
|
||||
},
|
||||
{
|
||||
"value": "Scanning routers"
|
||||
},
|
||||
{
|
||||
"value": "Take over"
|
||||
},
|
||||
{
|
||||
"value": "Credit Card Fraud"
|
||||
},
|
||||
{
|
||||
"value": "DDoS Tool"
|
||||
},
|
||||
{
|
||||
"value": "IoT bot"
|
||||
},
|
||||
{
|
||||
"value": "Targeting"
|
||||
},
|
||||
{
|
||||
"value": "cryptocurrency"
|
||||
},
|
||||
{
|
||||
"value": "Anti-analysis"
|
||||
},
|
||||
{
|
||||
"value": "persistence"
|
||||
},
|
||||
{
|
||||
"value": "Anti-detection"
|
||||
},
|
||||
{
|
||||
"value": "Phishing-theme"
|
||||
},
|
||||
{
|
||||
"value": "OpSec"
|
||||
},
|
||||
{
|
||||
"value": "Automatic phone calls"
|
||||
},
|
||||
{
|
||||
"value": "Selling"
|
||||
},
|
||||
{
|
||||
"value": "Extortion"
|
||||
},
|
||||
{
|
||||
"value": "Watering hole"
|
||||
},
|
||||
{
|
||||
"value": "Sharing platform"
|
||||
},
|
||||
{
|
||||
"value": "Sideloading"
|
||||
},
|
||||
{"value": "Operating System"
|
||||
},
|
||||
{"value": "Sample"
|
||||
},
|
||||
{"value": "Buffer overflow"
|
||||
},
|
||||
{
|
||||
"value": "Online magazine"
|
||||
},
|
||||
{
|
||||
"value": "Spoofing"
|
||||
},
|
||||
{
|
||||
"value": "Ransomware-as-a-Service"
|
||||
},
|
||||
{
|
||||
"value": "Spambot"
|
||||
},
|
||||
{
|
||||
"value": "HTTP bot"
|
||||
},
|
||||
{
|
||||
"value": "Shop"
|
||||
},
|
||||
{
|
||||
"value": "Password recovery"
|
||||
},
|
||||
{
|
||||
"value": "Password manager"
|
||||
},
|
||||
{
|
||||
"value": "Certificate exploit"
|
||||
},
|
||||
{
|
||||
"value": "Mailer"
|
||||
},
|
||||
{
|
||||
"value": "Card"
|
||||
},
|
||||
{
|
||||
"value": "Powershell agent"
|
||||
},
|
||||
{
|
||||
"value": "Skimmer"
|
||||
},
|
||||
{
|
||||
"value": "Exploit"
|
||||
},
|
||||
{
|
||||
"value": "Medical device tampering"
|
||||
},
|
||||
{
|
||||
"value": "App store"
|
||||
},
|
||||
{
|
||||
"value": "Scareware"
|
||||
},
|
||||
{
|
||||
"value": "Payment platform"
|
||||
},
|
||||
{
|
||||
"value": "Man-in-the-middle"
|
||||
},
|
||||
{
|
||||
"value": "Switch ttack"
|
||||
},
|
||||
{
|
||||
"value": "Switch attack"
|
||||
},
|
||||
{
|
||||
"value": "Browser hijacker"
|
||||
},
|
||||
{
|
||||
"value": "Supply chain attack"
|
||||
},
|
||||
{
|
||||
"value": "Powershell scripts"
|
||||
},
|
||||
{
|
||||
"value": "Malicious iFrame injects"
|
||||
},
|
||||
{
|
||||
"value": "Dumps grabber"
|
||||
},
|
||||
{
|
||||
"value": "Exfiltration tool"
|
||||
},
|
||||
{
|
||||
"value": "Code injection"
|
||||
},
|
||||
{
|
||||
"value": "Mobile malware"
|
||||
},
|
||||
{
|
||||
"value": "Zero-Day"
|
||||
},
|
||||
{
|
||||
"value": "Multi-stage implant framework"
|
||||
},
|
||||
{
|
||||
"value": "Second-stage"
|
||||
},
|
||||
{
|
||||
"value": "IRC"
|
||||
},
|
||||
{
|
||||
"value": "Administration"
|
||||
},
|
||||
{
|
||||
"value": "XSS tool"
|
||||
},
|
||||
{
|
||||
"value": "Tracking program"
|
||||
},
|
||||
{
|
||||
"value": "HTTP loader"
|
||||
},
|
||||
{
|
||||
"value": "Spyware"
|
||||
},
|
||||
{
|
||||
"value": "Bitcoin stealer"
|
||||
},
|
||||
{
|
||||
"value": "Phone bot"
|
||||
},
|
||||
{
|
||||
"value": "Video editor"
|
||||
},
|
||||
{
|
||||
"value": "URL shortening service"
|
||||
},
|
||||
{
|
||||
"value": "Fraud"
|
||||
},
|
||||
{
|
||||
"value": "Spreading mechanisms"
|
||||
},
|
||||
{
|
||||
"value": "Android bot"
|
||||
},
|
||||
{
|
||||
"value": "Disinformation"
|
||||
},
|
||||
{
|
||||
"value": "Mineware"
|
||||
},
|
||||
{
|
||||
"value": "CWE"
|
||||
},
|
||||
{
|
||||
"value": "SCADA malware"
|
||||
},
|
||||
{
|
||||
"value": "Crypter"
|
||||
},
|
||||
{
|
||||
"value": "Phishing"
|
||||
},
|
||||
{
|
||||
"value": "Template injection"
|
||||
},
|
||||
{
|
||||
"value": "Credential stealer"
|
||||
},
|
||||
{
|
||||
"value": "Crypto currency exchange and trading platform"
|
||||
},
|
||||
{
|
||||
"value": "cryptocurrency mining malware"
|
||||
},
|
||||
{
|
||||
"value": "Card shop"
|
||||
},
|
||||
{
|
||||
"value": "Evasion"
|
||||
},
|
||||
{
|
||||
"value": "Browser"
|
||||
},
|
||||
{
|
||||
"value": "Wiper"
|
||||
},
|
||||
{
|
||||
"value": "cryptocurrency cloud mining"
|
||||
},
|
||||
{
|
||||
"value": "Distribution vector"
|
||||
},
|
||||
{
|
||||
"value": "Postscript Abuse"
|
||||
},
|
||||
{
|
||||
"value": "Bolware"
|
||||
},
|
||||
{
|
||||
"value": "Software"
|
||||
},
|
||||
{
|
||||
"value": "Proxy malware"
|
||||
}
|
||||
],
|
||||
"version" : 1,
|
||||
"description": "ttp type vocab as defined by Cert EU.",
|
||||
"source": "Cert EU",
|
||||
"author": ["Cert EU"],
|
||||
"uuid": "55224678-b017-11e7-874d-971b517d8cba",
|
||||
"type": "ttp-type-vocabulary"
|
||||
}
|
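Review bot: the list contains a misspelled duplicate, `Switch ttack` next to `Switch attack`, and `RF Signals Intercepter` should be `Interceptor`. It also carries several near-duplicates that will split tagging of one concept across values (`URL shortener service` / `URL shortening service`, `Information stealer` / `Infostealer`, `RAT` / `Remote administration tool`, `Money miner` / `Mineware` / `cryptocurrency mining malware`, `Crypto` / `cryptocurrency`); a vocabulary is only useful if each concept has one value, so merge these or add the extras as synonyms. Casing is inconsistent (`persistence` and `cryptocurrency` lowercase among capitalised entries), and the three objects written as `{"value": "Operating System"` with the brace on the same line break the one-key-per-line layout used by the rest of the file.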
37
vocabularies/threat-actor/cert-eu-motive.json
Normal file
@ -0,0 +1,37 @@
{
|
||||
"values": [
|
||||
{
|
||||
"value": "Cybercrime"
|
||||
},
|
||||
{
|
||||
"value": "Cyberwar"
|
||||
},
|
||||
{
|
||||
"value": "Espionage"
|
||||
},
|
||||
{
|
||||
"value": "Hacktivists"
|
||||
},
|
||||
{
|
||||
"value": "Hacktivists-Nationalists"
|
||||
},
|
||||
{
|
||||
"value": "Other"
|
||||
},
|
||||
{
|
||||
"value": "Unknown"
|
||||
},
|
||||
{
|
||||
"value": "Jihadism"
|
||||
},
|
||||
{
|
||||
"value": "Censorhip"
|
||||
}
|
||||
],
|
||||
"version" : 1,
|
||||
"description": "Motive vocab as defined by Cert EU.",
|
||||
"source": "Cert EU",
|
||||
"author": ["Cert EU"],
|
||||
"uuid": "fe16ec3e-aff4-11e7-80d0-13582aacbd16",
|
||||
"type": "threat-actor-cert-eu-motives-vocabulary"
|
||||
}
|
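Review bot: `Censorhip` is a typo for `Censorship`. The list also mixes motives with actor categories: `Hacktivists` and `Hacktivists-Nationalists` name who the actor is rather than why it acts, whereas `Cybercrime` and `Espionage` describe a motive; since threat-actor-type.json in this commit already covers the who, `Hacktivism` would fit better here. The `type` `threat-actor-cert-eu-motives-vocabulary` is a third naming pattern alongside `threat-actor-type` and `ttp-type-vocabulary` and should be aligned with whichever convention the other new vocabularies settle on.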