This commit is contained in:
Delta-Sierra 2023-04-11 13:57:30 +02:00
commit d30e7357fe
6 changed files with 9540 additions and 9141 deletions

View file

@ -18,6 +18,7 @@ The objective is to have a comment set of clusters for organizations starting an
to localized information (which is not shared) or additional information (that can be shared). to localized information (which is not shared) or additional information (that can be shared).
# Available Galaxy - clusters # Available Galaxy - clusters
## 360.net Threat Actors ## 360.net Threat Actors
[360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360.net_threat_actors) - Known or estimated adversary groups as identified by 360.net. [360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360.net_threat_actors) - Known or estimated adversary groups as identified by 360.net.
@ -148,7 +149,7 @@ Category: *tool* - source: *MISP Project* - total: *52* elements
## FIRST DNS Abuse Techniques Matrix ## FIRST DNS Abuse Techniques Matrix
[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for Tmore information. [FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total: *21* elements
@ -382,7 +383,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
[Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar [Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
Category: *tool* - source: *Various* - total: *1624* elements Category: *tool* - source: *Various* - total: *1649* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)] [[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
@ -422,7 +423,7 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules. [Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2665* elements Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2696* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)] [[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
@ -446,7 +447,7 @@ Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total:
[Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer. [Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer.
Category: *tool* - source: *Open Sources* - total: *11* elements Category: *tool* - source: *Open Sources* - total: *12* elements
[[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)] [[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)]
@ -470,7 +471,7 @@ Category: *target* - source: *Various* - total: *240* elements
[TDS](https://www.misp-project.org/galaxy.html#_tds) - TDS is a list of Traffic Direction System used by adversaries [TDS](https://www.misp-project.org/galaxy.html#_tds) - TDS is a list of Traffic Direction System used by adversaries
Category: *tool* - source: *MISP Project* - total: *10* elements Category: *tool* - source: *MISP Project* - total: *11* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tds)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tds.json)] [[HTML](https://www.misp-project.org/galaxy.html#_tds)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tds.json)]
@ -486,7 +487,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. [Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *408* elements Category: *actor* - source: *MISP Project* - total: *418* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] [[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -494,7 +495,7 @@ Category: *actor* - source: *MISP Project* - total: *408* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. [Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: *tool* - source: *MISP Project* - total: *545* elements Category: *tool* - source: *MISP Project* - total: *549* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)] [[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]

View file

@ -1402,7 +1402,27 @@
}, },
"uuid": "b6919400-9b16-48ae-8379-fab26a506e32", "uuid": "b6919400-9b16-48ae-8379-fab26a506e32",
"value": "KmsdBot" "value": "KmsdBot"
},
{
"description": "Akamai researchers on the Security Intelligence Response Team (SIRT) have discovered a new Go-based, DDoS-focused botnet. The malware appears to have been named “Hinata” by the malware author after a character from the popular anime series, Naruto. We are calling it “HinataBot.” Looks like an attempt to rewrite Mirai in Go. The threat actors behind HinataBot originally distributed Mirai binaries.",
"meta": {
"refs": [
"https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet",
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.hinata_bot"
]
},
"related": [
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "040f2e89-b8be-4150-9426-c30f75e858a2",
"value": "HinataBot"
} }
], ],
"version": 30 "version": 31
} }

View file

@ -20413,11 +20413,6 @@
"uuid": "ce5eb940-5fd6-4d2f-bfa8-2191ae3e4239", "uuid": "ce5eb940-5fd6-4d2f-bfa8-2191ae3e4239",
"value": "CTF" "value": "CTF"
}, },
{
"description": "Ransomware",
"uuid": "2a95f6b9-3ce7-40b9-bda8-0832e0d9d07f",
"value": "Cuba"
},
{ {
"description": "Ransomware", "description": "Ransomware",
"uuid": "ed087a5a-41f7-4997-9701-ef46c984d89d", "uuid": "ed087a5a-41f7-4997-9701-ef46c984d89d",

File diff suppressed because it is too large Load diff

View file

@ -209,7 +209,21 @@
}, },
"uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6", "uuid": "9eb2a417-2bb6-496c-816b-bccb3f3074f6",
"value": "Rhadamanthys" "value": "Rhadamanthys"
},
{
"description": "Python-based Stealer including Discord, Steam...",
"meta": {
"refs": [
"https://github.com/SOrdeal/Sordeal-Stealer"
],
"synonyms": [
"Sordeal",
"Sordeal Stealer"
]
},
"uuid": "0266302b-52d3-44da-ab63-a8a6f16de737",
"value": "Sordeal-Stealer"
} }
], ],
"version": 12 "version": 13
} }

View file

@ -2185,7 +2185,8 @@
"T-APT-12", "T-APT-12",
"APT-C-20", "APT-C-20",
"UAC-0028", "UAC-0028",
"FROZENLAKE" "FROZENLAKE",
"Sofacy"
] ]
}, },
"related": [ "related": [
@ -9780,7 +9781,8 @@
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/",
"https://khonggianmang.vn/uploads/CB_941_Canhbao_APT_36c5a857fa.pdf"
], ],
"synonyms": [ "synonyms": [
"UNC94" "UNC94"
@ -10612,7 +10614,25 @@
], ],
"uuid": "a3c22f46-5135-4b39-a33f-92906ac12c31", "uuid": "a3c22f46-5135-4b39-a33f-92906ac12c31",
"value": "TA866" "value": "TA866"
},
{
"description": "Since January 23, 2023, a threat actor identifying as \"Anonymous Sudan\" has been conducting denial of service (DDoS) attacks against multiple organizations in Sweden. This group claims to be \"hacktivists,\" politically motivated hackers from Sudan. According to Truesecs report, the threat actor has nothing to do with the online activists collectively known as Anonymous.",
"meta": {
"cfr-suspected-victims": [
"Denmark",
"Sweden"
],
"cfr-type-of-incident": [
"Denial of service"
],
"references": [
"https://files.truesec.com/hubfs/Reports/Anonymous%20Sudan%20-%20Publish%201.2%20-%20a%20Truesec%20Report.pdf",
"https://www.truesec.com/hub/blog/what-is-anonymous-sudan"
]
},
"uuid": "8ca38564-5515-45f5-9f3b-a4091546e10b",
"value": "Anonymous Sudan"
} }
], ],
"version": 262 "version": 263
} }