Commit graph

2177 commits

Author SHA1 Message Date
34b86e4abc
Merge pull request #859 from jloehel/darkgate
chg [tool] Add DarkGate
2023-08-23 13:52:53 +02:00
12b935a31b
chg: [sigma] updated 2023-08-23 13:51:45 +02:00
Jürgen Löhel
37954a84f1
chg [tool] Add DarkGate
Source: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate

Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-08-23 11:53:25 +02:00
Daniel Plohmann (Saturn)
e207218534 version bump 2023-08-15 12:34:06 +02:00
Daniel Plohmann (Saturn)
4127ce9694 replaced various broken links with reachable equivalents 2023-08-15 12:32:51 +02:00
Daniel Plohmann
b083ae12bc
jq fix 2023-08-10 15:57:58 +02:00
Daniel Plohmann
c1d3164ef6
adding MoustachedBouncer 2023-08-10 15:49:11 +02:00
Daniel Plohmann
e228ffc432
alias Callisto -> BlueCharlie
not sure, if you also want to have the Microsoft names in here (I think they are tracked separately?), otherwise, that would be Star Blizzard according to the article.
2023-08-03 09:53:10 +02:00
dc29d5875e
chg: [sigma] updated 2023-08-02 23:58:22 +02:00
f5729ac23a
chg: [sigma] updated to the latest version 2023-07-31 10:22:23 +02:00
Rony
bce41d8cdb
Merge branch 'MISP:main' into Sea-Turtle 2023-07-28 16:38:03 +05:30
Rony
9b9ce4777a chg: [threat-actor] added references, origin country, aliases to Sea Turtle 2023-07-28 11:04:11 +00:00
1568583acf
chg: [sigma] updated to the latest version 2023-07-28 11:30:15 +02:00
Thomas Dupuy
2dcd1d3544 upd: Add Worok TA and update APT-Q-12 to APT-C-60 as it was the first
name mention in an article.
2023-07-18 19:53:54 +00:00
caceb504fe
chg: [sigma] updated to the latest rules 2023-07-15 11:29:17 +02:00
Delta-Sierra
c51d177abd add SmugX & RedDelta 2023-07-10 15:46:01 +02:00
7028860c0a
chg: [sigma] updated 2023-06-19 15:00:23 +02:00
Delta-Sierra
baf5bfe5cc add Parties/Observers to the Budapest Convention 2023-06-19 14:14:47 +02:00
Delta-Sierra
20d3b3780a merge 2023-06-19 08:35:48 +02:00
734d57edf5
chg: [sigma] updated 2023-05-31 09:43:33 +02:00
iglocska
14301a9c4c
chg: [threat actors] added Volt Typhoon 2023-05-25 07:29:48 +02:00
Delta-Sierra
e87b7bbf73 complete VENOM SPIDER threat actor 2023-05-23 11:43:20 +02:00
Delta-Sierra
18ee466ae4 add Hagga threat actor 2023-05-22 15:44:18 +02:00
Delta-Sierra
9c9561bce8 fix metasploit desc in value (ty cvandeplas) 2023-05-15 10:23:05 +02:00
Delta-Sierra
d202ed9f3f Merge https://github.com/MISP/misp-galaxy 2023-05-15 09:54:25 +02:00
Delta-Sierra
a3fffacab3 add APT43 + tools 2023-05-15 08:41:17 +02:00
Christophe Vandeplas
02c50184bf
chg: [attck4fraud] Full merge of E.A.S.T. data + updated script 2023-05-13 09:50:14 +02:00
Christophe Vandeplas
1d9f59eb2d
chg: [attck4fraud] more manual updates with E.A.S.T. data 2023-05-13 08:43:21 +02:00
marjatech
21266365da update malpedia 2023-05-11 14:34:41 +02:00
810cbe5b49
chg: [sigma] updated to the latest version 2023-05-11 10:27:48 +02:00
a27fda701b
Merge pull request #849 from danielplohmann/patch-34
adding APT43 (Mandiant) for Kimsuky.
2023-05-09 18:29:34 +02:00
Daniel Plohmann
094d56057c
adding APT43 (Mandiant) for Kimsuky. 2023-05-09 14:35:41 +02:00
Thomas Dupuy
bbbd006215 chg: [mitre] bump to v13. 2023-05-08 14:04:50 +00:00
Christophe Vandeplas
3c808921c3
chg: [attck4fraud] initial updates with E.A.S.T. data
https://www.association-secure-transactions.eu/industry-information/fraud-definitions/
2023-05-07 21:13:52 +02:00
c86c2a83ab
chg: [sigma] rules updated 2023-04-30 10:30:54 +02:00
3dff8e65cb
Merge pull request #847 from Delta-Sierra/main
add VEILEDSIGNAL and more
2023-04-27 17:21:35 +02:00
Delta-Sierra
1649c3dfca Merge https://github.com/MISP/misp-galaxy 2023-04-27 10:04:30 +02:00
Delta-Sierra
bd050668ef add VEILEDSIGNALand more 2023-04-27 09:53:49 +02:00
Sebastien Larinier
ddc285581d Update threat-actor.json 2023-04-26 21:52:57 +02:00
Sebastien Larinier
d60cca9302 Update threat-actor.json
fix mistake
2023-04-26 21:46:33 +02:00
Sebastien Larinier
142d4aeaef Update threat-actor.json 2023-04-26 14:26:48 +02:00
095c44e2ac
chg: [attck4fraud] add ATM cash trapping in the matrix 2023-04-26 07:48:29 +02:00
Jürgen Löhel
15297c7b5f
chg [threat-actors] Add RedGolf
Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-04-24 16:59:18 -06:00
Christophe Vandeplas
79b80b0869
chg: [rels] more threat actor relations 2023-04-23 17:54:58 +02:00
Christophe Vandeplas
3c6c204f01
chg: [rels] more threat actor relations 2023-04-23 17:45:58 +02:00
Christophe Vandeplas
138c7c7ba8
chg: [rels] more relations on cluster "value" 2023-04-23 17:36:02 +02:00
Christophe Vandeplas
bf7c5f1dd9
chg: [rels] threat-actor & MS activity group - on synonym 2023-04-23 11:56:41 +02:00
Christophe Vandeplas
a5e7e0c95f
chg: [rels] threat-actor & MS activity group - on value 2023-04-23 11:55:57 +02:00
Christophe Vandeplas
f070943ee9
chg: [atrm] updated to latest version 2023-04-23 07:45:16 +02:00
adc7a70cf9
chg: [microsoft-activity-group] country code added 2023-04-21 07:39:37 +02:00
8688c41796
chg: [microsoft activity group] remove duplicate 2023-04-20 17:25:32 +02:00
592361826a
fix: [microsoft activity group] duplicate in Microsoft source 2023-04-20 17:20:57 +02:00
309f4f2ea5
chg: [microsoft-activity-group] updated following contribution from @botlabsDev script 2023-04-20 17:04:05 +02:00
2cc6bdfbc1
chg: [sigma] rules updated 2023-04-20 12:17:46 +02:00
Sebastien Larinier
862badf2c9 Update threat-actor.json 2023-04-19 17:41:44 +02:00
Sebastien Larinier
1c751b1ea8 Update threat-actor.json 2023-04-19 17:34:50 +02:00
Sebastien Larinier
165ce70a28
Merge branch 'MISP:main' into main 2023-04-19 16:48:02 +02:00
Sebastien Larinier
87ef0a400e Update threat-actor.json 2023-04-19 15:42:14 +02:00
Sebastien Larinier
a77dc82c0a Update threat-actor.json
new apt30 group
2023-04-19 15:35:36 +02:00
Delta-Sierra
063ac9fc71 jq? 2023-04-19 15:10:25 +02:00
Delta-Sierra
ecb7e79a6e Merge https://github.com/MISP/misp-galaxy 2023-04-19 15:06:51 +02:00
Tobias Mainka
8d2b9537f1
replace "sector" tag with "country" for matching data. this allows to be confirm with existing clusters. 2023-04-19 12:38:37 +02:00
Sebastien Larinier
926035633f
Merge branch 'MISP:main' into main 2023-04-19 11:55:57 +02:00
ccc8f0f801
chg: [microsoft-activity-group] updated to map the new funky Microsoft "taxonomy"
Script to generate the cluster is the following, UUIDv5 based on
standard misp-stix source UUIDv4.

~~~python
lcluster = []
for v in data:
    cluster = {}
    cluster['value'] = v['threat_actor']
    cluster['meta'] = {}
    cluster['meta']['sector'] = v['sector']
    cluster['meta']['synonyms'] = v['synonyms']
    cluster['meta']['refs'] = []
    cluster['meta']['refs'].append('https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide')
    _uuid = uuid.uuid5(uuid.UUID("76beed5f-7251-457e-8c2a-b45f7b589d3d"), "{}".format(cluster['value']))
    cluster['uuid'] = str(_uuid)
    lcluster.append(cluster)
~~~

Relationships might be added in a later stage to map with the MISP threat actor galaxy.
2023-04-19 10:47:11 +02:00
Daniel Plohmann
41afab1c06
adding Trend Micro alias Earth Smilodon for APT27 2023-04-18 20:11:57 +02:00
Delta-Sierra
6b8994271e add relationships for HALFRIG & QUATTERRIG 2023-04-18 12:20:20 +02:00
Daniel Plohmann
02e23a9a47
adding Google alias HOODOO for APT41 2023-04-17 22:32:50 +02:00
Delta-Sierra
4a4fa6d16f fix versions 2023-04-17 11:32:51 +02:00
Delta-Sierra
6d5df91efa add relationship SNOWYAMBER & Notion 2023-04-17 11:31:48 +02:00
Delta-Sierra
233a066a03 Merge https://github.com/MISP/misp-galaxy 2023-04-17 11:16:23 +02:00
Delta-Sierra
d4225c5469 add some SNOWYAMBER relationships 2023-04-17 11:16:21 +02:00
91af071bae
new: [online-service] online service added 2023-04-17 10:59:18 +02:00
5f9760923f
Merge pull request #838 from Delta-Sierra/main
Adding SNOWYAMBER, HALFRIG, QUARTERRIG tools & PowerMagic backdoor
2023-04-14 16:03:57 +02:00
Delta-Sierra
8e9880d932 Add SNOWYAMBER, HALFRIG, QUARTERRIG tools 2023-04-14 15:59:42 +02:00
Delta-Sierra
c5590ff79a add PowerMagic backdoor 2023-04-13 14:11:36 +02:00
Daniel Plohmann
a966b3ff88
adding Trend Micro alias Earth Preta for Mustang Panda 2023-04-12 16:59:36 +02:00
2763cdd72b
chg:[sigma] Sigma rules updated 2023-04-12 11:44:43 +02:00
Delta-Sierra
8c831d70c8 jq 2023-04-11 15:06:59 +02:00
Delta-Sierra
d30e7357fe merge 2023-04-11 13:57:30 +02:00
Delta-Sierra
eb9254713a Add more ransomwares from ransomlook 2023-04-11 13:56:29 +02:00
3cc7e03af6
new: [stealer] add Sordeal Stealer 2023-04-11 09:54:02 +02:00
cbf12d9289
Merge pull request #833 from jloehel/HinataBot
chg[botnet]: Add HinataBot
2023-04-04 10:17:07 +02:00
Jürgen Löhel
647fc025d7
chg[botnet]: Add HinataBot
Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-04-03 11:19:08 -06:00
15a03e877e
chg: [sigma] updated 2023-03-29 10:33:57 +02:00
Sebdraven
8713618777 Update threat-actor.json
add new ref for sidecopy
2023-03-23 09:13:23 +01:00
Sebdraven
f5d68aa08d Update threat-actor.json
delete ref to APT30 for Naikon
2023-03-23 08:49:17 +01:00
Sebdraven
d5843d46e2 Update threat-actor.json
add ref to Aoqin Dragon
2023-03-21 18:40:10 +01:00
122a0bd39b
fix: [ransomware] fix duplicate Value "Cuba" 2023-03-19 11:03:12 +01:00
f2305dc165
Merge pull request #829 from Delta-Sierra/main
update based on ransomlook+1
2023-03-16 19:18:54 +01:00
Delta-Sierra
12f69a6082 update based on ransomlook 2023-03-16 15:24:44 +01:00
Mathieu Beligon
d82ff1ecfb [threat-actors] Add Anonymous Sudan 2023-03-15 17:38:03 -05:00
Daniel Plohmann
c39b46e9d5
Update threat-actor.json
when value "Sofacy" was changed to "APT28", it seems Sofacy was not added to aliases, so it's missing right now.
2023-03-15 14:55:25 +01:00
Delta-Sierra
74390b27c5 Merge https://github.com/MISP/misp-galaxy 2023-03-13 09:59:04 +01:00
Delta-Sierra
c4eca7dfe1 more from ransomlook 2023-03-13 09:59:00 +01:00
Jürgen Löhel
9f9a263394
chg [tool]: Add tools used by TA866 during the Screentime campaign
Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-03-08 21:46:11 -06:00
Jürgen Löhel
031a4c8030
chg [stealer]: Add Rhadamanthys
Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-03-08 21:45:39 -06:00
Jürgen Löhel
437d4a30e5
chg [tds]: Add 404 TDS
Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-03-08 21:45:13 -06:00
Jürgen Löhel
2d30785af5
chg [threat-actors] Add TA866
Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-03-08 21:44:16 -06:00
57f3e46273
chg: [sigma] updated 2023-03-07 12:14:48 +01:00
e7b97edaa4
chg: [ransomware] fixing duplicate cluster element Avaddon 2023-03-07 12:06:56 +01:00
6db5b0b0cb
Merge pull request #824 from Delta-Sierra/main
update based on ransomlook
2023-03-06 16:23:48 +01:00
Delta-Sierra
bed6bf8dd6 fix stupid duplicate-bis 2023-03-06 16:10:23 +01:00
Delta-Sierra
d561350f7b fix stupid duplicate 2023-03-06 16:04:28 +01:00
Delta-Sierra
96cb1e22ba update based on ransomlook 2023-03-06 15:55:46 +01:00
Mathieu Beligon
395ffda94f [threat-actors] bump version 2023-03-02 10:29:52 -08:00
Mathieu Beligon
e1407c3c3f [threat-actors] Add SLIPPY SPIDER alias to LAPSUS 2023-03-02 10:29:29 -08:00
Mathieu Beligon
4bbee8c1e7 [threat-actors] Add PROPHET SPIDER 2023-03-02 10:19:24 -08:00
Mathieu Beligon
61cb24a3fc [threat-actors] Add Nemesis Kitten 2023-03-01 16:37:42 -08:00
Mathieu Beligon
84faa3c92b [threat-actors] Add Karakurt 2023-03-01 16:34:03 -08:00
Mathieu Beligon
7d371b4c80 [threat-actors] Add CYBORG SPIDER alias to GOCLD BURLAP 2023-03-01 15:45:41 -08:00
Mathieu Beligon
fa57354471 [threat-actors] Add Chamelgang 2023-03-01 15:40:23 -08:00
Mathieu Beligon
bff978e4d1 [threat-actors] Add TA453 2023-03-01 15:24:55 -08:00
Mathieu Beligon
3406ad3aa9 [threat-actors] Add APT42 2023-03-01 15:18:53 -08:00
Mathieu Beligon
2567d6f1f8 [threat-actors] Add TA406 2023-03-01 15:01:22 -08:00
Rony
50624af741 add DEV-0147 https://twitter.com/MsftSecIntel/status/1625181255754039318 2023-02-25 20:18:09 +00:00
Rony
cf727f034c
add other actor synonyms from Google's report https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf 2023-02-26 01:05:50 +05:30
Delta-Sierra
27f4c9fcdc synonyms must be an array 2023-02-23 14:26:20 +01:00
Delta-Sierra
0ca7675a5f Merge https://github.com/MISP/misp-galaxy 2023-02-23 14:16:00 +01:00
Delta-Sierra
55725c771e add/update ransomware based on ransomlook 2023-02-23 14:15:09 +01:00
Tom King
e52eefa0e7 chg: [mitre] updated with correct ID parsing 2023-02-21 10:36:37 +00:00
Christophe Vandeplas
9f73ff73ac fix: [first-dns] corrected typo 2023-02-21 10:54:30 +08:00
Christophe Vandeplas
e2f2026fea chg: [first-dns] Adds FIRST DNS Abuse Techniques Matrix 2023-02-21 10:26:46 +08:00
Christophe Vandeplas
a6a9a73ae5 chg: [360net] updated to latest online version 2023-02-20 20:03:36 +08:00
6460fde2e4
chg: [threat-actor] version updated 2023-02-16 14:43:45 +01:00
Daniel Plohmann
91255413d8
adding Google names for RU threat actors
https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/
2023-02-16 14:30:05 +01:00
73bd7d0983
Merge pull request #818 from Mathieu4141/threat-actors/proofpoint-aliases
[threat actors] Adding some actors from ProofPoint
2023-02-14 06:40:22 +01:00
Mathieu Beligon
9f09699047 [threat-actors] Fix: country was in the wrong place 2023-02-13 16:47:38 -08:00
Mathieu Beligon
ac067a236e [threat-actors] fix: Add missing uuids 2023-02-13 16:36:41 -08:00
Mathieu Beligon
a792115dd8 fix 2023-02-13 16:26:10 -08:00
Mathieu Beligon
8193b05e14 [threat-actors] bump version 2023-02-13 14:18:58 -08:00
Mathieu Beligon
d34e894d2d [threat-actors] Add TA2536 2023-02-13 13:45:41 -08:00
Mathieu Beligon
20c31a5d10 [threat-actors] Add TA577 2023-02-13 13:32:24 -08:00
Mathieu Beligon
e836a4a63c [threat-actors] Add TA575 2023-02-13 12:02:32 -08:00
Mathieu Beligon
c52ac53765 [threat-actors] Add TA570 2023-02-13 11:54:47 -08:00
Mathieu Beligon
5f274f58c9 [threat-actors] Add Moskalvzapoe 2023-02-13 11:44:59 -08:00
Daniel Plohmann
62256854bc
adding Broadcom name for SaintBear. 2023-02-13 14:05:35 +01:00
Mathieu Beligon
33ff650327 [threat-actors] Add more information about NoName057(16) 2023-02-10 14:14:52 -08:00
9645b9348b
chg: [tools] TgToxic added 2023-02-09 16:24:45 +01:00
o1mate
239883e2a9 Merging the handguns and shotguns clusters into a single firearm cluster. 2023-02-06 03:28:49 -05:00
385826063b
chg: [sigma] updated to the latest version 2023-02-05 11:26:16 +01:00
Daniel Plohmann
9710e09e17
new APT29 name used by Recorded Future
cf. https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf
2023-02-02 11:46:50 +01:00
3d6ec1b187
chg: [sigma] updated to the latest version 2023-02-02 11:25:19 +01:00
Jürgen Löhel
cf492d9931
chg: [stealer] Adds Album Stealer
Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-02-01 17:30:56 -06:00
033895b052
Merge pull request #812 from jloehel/boldmove
chg: [backdoor] Adds BOLDMOVE
2023-01-31 06:24:59 +01:00
Jürgen Löhel
c7c2b8441a
chg: [stealer] Removes BluStealer
The BluStealer is already in the malpedia cluster.

Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-01-30 18:35:28 -06:00
Jürgen Löhel
ca635cc3fc
chg: [stealer] Adds DarkCloud and BluStealer
Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-01-30 18:29:25 -06:00
Jürgen Löhel
33513241bd
chg: [backdoor] Adds BOLDMOVE
Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
2023-01-30 16:39:11 -06:00
150e3152cc
Merge pull request #809 from MISP/dev
Updated the `region` cluster
2023-01-27 15:08:16 +01:00
b7543c5012
Merge pull request #789 from Mathieu4141/threat-actors/fix-sectorj04
[threat-actors] Remove SectorJ04 duplicate
2023-01-27 15:05:37 +01:00
Mathieu Beligon
a452263ace [threat-actors] pr.review: Add SectorJ04 as alias of TA505 2023-01-27 13:32:58 +01:00