Clusters and elements to attach to MISP events or attributes (like threat actors)
Find a file
2024-04-24 14:56:01 +02:00
.github/workflows fix: [tests] missing sudo 2023-12-21 08:16:36 +01:00
.vscode new: [interpol] Addition of INTERPOL Darknet- and Cryptoasset Ecosystems taxonomy 2024-04-23 10:22:48 +02:00
clusters Merge https://github.com/MISP/misp-galaxy 2024-04-24 14:56:01 +02:00
doc/images new: [doc] screenshot added with galaxy 2.0 in MISP 2022-01-07 16:52:30 +01:00
galaxies Merge https://github.com/MISP/misp-galaxy 2024-04-24 14:56:01 +02:00
misp Mapping triples/machine tags with galaxy, clusters and so on 2016-08-12 09:43:26 +02:00
tools chg: [interpol] add Abuses together with Entities 2024-04-23 11:20:22 +02:00
vocabularies Update cert-eu-motive.json 2019-02-20 22:08:24 +00:00
.gitchangelog.rc chg: [ransomware] COLT (Compromise to Leak Time) added on Darkside and Pysa 2021-05-03 07:41:43 +02:00
.gitignore chg: [rels] more relations on cluster "value" 2023-04-23 17:36:02 +02:00
.travis.yml chg: Bump travis 2020-07-02 11:27:08 +02:00
CONTRIBUTE.md add: [doc] contribution doc added 2018-12-01 11:06:49 +01:00
jq_all_the_things.sh fix: automatically fix missing uuids 2018-10-12 10:55:24 +02:00
LICENSE.md chg: [licensing] 2-clause BSD added in addition to CC0 2018-12-10 12:38:21 +01:00
README.md chg: [doc] index updated 2024-04-24 08:46:50 +02:00
schema_clusters.json fix-tentative 2019-12-05 10:52:22 +01:00
schema_galaxies.json chg: [schema] optional kill_chain_order field added 2019-02-15 08:57:45 +01:00
schema_misp.json Add validators for vocabularies and misp 2017-07-25 17:39:06 +02:00
schema_vocabularies.json Add validators for vocabularies and misp 2017-07-25 17:39:06 +02:00
validate_all.sh fix: [tools] clarify validate all output 2023-05-13 09:54:38 +02:00

misp-galaxy

Python application

Screenshot - MISP galaxy integeration in MISP threat intelligence platform

MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy but those can be overwritten, replaced, updated, forked and shared as you wish.

Existing clusters and vocabularies can be used as-is or as a common knowledge base. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.

Galaxies can be also used to expressed existing matrix-like standards such as MITRE ATT&CK(tm) or custom ones.

The objective is to have a comment set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared).

Available Galaxy - clusters

360.net Threat Actors

360.net Threat Actors - Known or estimated adversary groups as identified by 360.net.

Category: actor - source: https://apt.360.net/aptlist - total: 42 elements

[HTML] - [JSON]

Ammunitions

Ammunitions - Common ammunitions galaxy

Category: firearm - source: https://ammo.com/ - total: 410 elements

[HTML] - [JSON]

Android

Android - Android malware galaxy based on multiple open sources.

Category: tool - source: Open Sources - total: 433 elements

[HTML] - [JSON]

Azure Threat Research Matrix

Azure Threat Research Matrix - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.

Category: atrm - source: https://github.com/microsoft/Azure-Threat-Research-Matrix - total: 90 elements

[HTML] - [JSON]

attck4fraud

attck4fraud - attck4fraud - Principles of MITRE ATT&CK in the fraud domain

Category: guidelines - source: Open Sources - total: 71 elements

[HTML] - [JSON]

Backdoor

Backdoor - A list of backdoor malware.

Category: tool - source: Open Sources - total: 28 elements

[HTML] - [JSON]

Banker

Banker - A list of banker malware.

Category: tool - source: Open Sources - total: 53 elements

[HTML] - [JSON]

Bhadra Framework

Bhadra Framework - Bhadra Threat Modeling Framework

Category: mobile - source: https://arxiv.org/pdf/2005.05110.pdf - total: 47 elements

[HTML] - [JSON]

Botnet

Botnet - botnet galaxy

Category: tool - source: MISP Project - total: 130 elements

[HTML] - [JSON]

Branded Vulnerability

Branded Vulnerability - List of known vulnerabilities and attacks with a branding

Category: vulnerability - source: Open Sources - total: 14 elements

[HTML] - [JSON]

Cert EU GovSector

Cert EU GovSector - Cert EU GovSector

Category: sector - source: CERT-EU - total: 6 elements

[HTML] - [JSON]

China Defence Universities Tracker

China Defence Universities Tracker - The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPIs International Cyber Policy Centre.

Category: academic-institution - source: ASPI International Cyber Policy Centre - total: 159 elements

[HTML] - [JSON]

CONCORDIA Mobile Modelling Framework - Attack Pattern

CONCORDIA Mobile Modelling Framework - Attack Pattern - A list of Techniques in CONCORDIA Mobile Modelling Framework.

Category: cmtmf-attack-pattern - source: https://5g4iot.vlab.cs.hioa.no/ - total: 93 elements

[HTML] - [JSON]

Country

Country - Country meta information based on the database provided by geonames.org.

Category: country - source: MISP Project - total: 252 elements

[HTML] - [JSON]

Cryptominers

Cryptominers - A list of cryptominer and cryptojacker malware.

Category: Cryptominers - source: Open Source Intelligence - total: 5 elements

[HTML] - [JSON]

Actor Types

Actor Types - DISARM is a framework designed for describing and understanding disinformation incidents.

Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 33 elements

[HTML] - [JSON]

Countermeasures

Countermeasures - DISARM is a framework designed for describing and understanding disinformation incidents.

Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 139 elements

[HTML] - [JSON]

Detections

Detections - DISARM is a framework designed for describing and understanding disinformation incidents.

Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 94 elements

[HTML] - [JSON]

Techniques

Techniques - DISARM is a framework designed for describing and understanding disinformation incidents.

Category: disarm - source: https://github.com/DISARMFoundation/DISARMframeworks - total: 298 elements

[HTML] - [JSON]

Election guidelines

Election guidelines - Universal Development and Security Guidelines as Applicable to Election Technology.

Category: guidelines - source: Open Sources - total: 23 elements

[HTML] - [JSON]

Exploit-Kit

Exploit-Kit - Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years

Category: tool - source: MISP Project - total: 52 elements

[HTML] - [JSON]

Firearms

Firearms - Common firearms galaxy

Category: firearm - source: https://www.impactguns.com - total: 5953 elements

[HTML] - [JSON]

FIRST DNS Abuse Techniques Matrix

FIRST DNS Abuse Techniques Matrix - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.

Category: first-dns - source: https://www.first.org/global/sigs/dns/ - total: 21 elements

[HTML] - [JSON]

Intelligence Agencies

Intelligence Agencies - List of intelligence agencies

Category: Intelligence Agencies - source: https://en.wikipedia.org/wiki/List_of_intelligence_agencies - total: 436 elements

[HTML] - [JSON]

INTERPOL DWVA Taxonomy

INTERPOL DWVA Taxonomy - This taxonomy defines common forms of abuses and entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.

Category: dwva - source: https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/ - total: 94 elements

[HTML] - [JSON]

Malpedia

Malpedia - Malware galaxy cluster based on Malpedia.

Category: tool - source: Malpedia - total: 3039 elements

[HTML] - [JSON]

Microsoft Activity Group actor

Microsoft Activity Group actor - Activity groups as described by Microsoft

Category: actor - source: MISP Project - total: 79 elements

[HTML] - [JSON]

Misinformation Pattern

Misinformation Pattern - AM!TT Technique

Category: misinformation-pattern - source: https://github.com/misinfosecproject/amitt_framework - total: 61 elements

[HTML] - [JSON]

MITRE ATLAS Attack Pattern

MITRE ATLAS Attack Pattern - MITRE ATLAS Attack Pattern - Adversarial Threat Landscape for Artificial-Intelligence Systems

Category: attack-pattern - source: https://github.com/mitre-atlas/atlas-navigator-data - total: 82 elements

[HTML] - [JSON]

MITRE ATLAS Course of Action

MITRE ATLAS Course of Action - MITRE ATLAS Mitigation - Adversarial Threat Landscape for Artificial-Intelligence Systems

Category: course-of-action - source: https://github.com/mitre-atlas/atlas-navigator-data - total: 19 elements

[HTML] - [JSON]

Attack Pattern

Attack Pattern - ATT&CK tactic

Category: attack-pattern - source: https://github.com/mitre/cti - total: 1141 elements

[HTML] - [JSON]

Course of Action

Course of Action - ATT&CK Mitigation

Category: course-of-action - source: https://github.com/mitre/cti - total: 281 elements

[HTML] - [JSON]

mitre-data-component

mitre-data-component - Data components are parts of data sources.

Category: data-component - source: https://github.com/mitre/cti - total: 117 elements

[HTML] - [JSON]

mitre-data-source

mitre-data-source - Data sources represent the various subjects/topics of information that can be collected by sensors/logs.

Category: data-source - source: https://github.com/mitre/cti - total: 40 elements

[HTML] - [JSON]

Enterprise Attack - Attack Pattern

Enterprise Attack - Attack Pattern - ATT&CK tactic

Category: attack-pattern - source: https://github.com/mitre/cti - total: 219 elements

[HTML] - [JSON]

Enterprise Attack - Course of Action

Enterprise Attack - Course of Action - ATT&CK Mitigation

Category: course-of-action - source: https://github.com/mitre/cti - total: 215 elements

[HTML] - [JSON]

Enterprise Attack - Intrusion Set

Enterprise Attack - Intrusion Set - Name of ATT&CK Group

Category: actor - source: https://github.com/mitre/cti - total: 69 elements

[HTML] - [JSON]

Enterprise Attack - Malware

Enterprise Attack - Malware - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 188 elements

[HTML] - [JSON]

Enterprise Attack - Tool

Enterprise Attack - Tool - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 45 elements

[HTML] - [JSON]

Assets

Assets - A list of asset categories that are commonly found in industrial control systems.

Category: asset - source: https://collaborate.mitre.org/attackics/index.php/All_Assets - total: 7 elements

[HTML] - [JSON]

Groups

Groups - Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions.

Category: actor - source: https://collaborate.mitre.org/attackics/index.php/Groups - total: 10 elements

[HTML] - [JSON]

Levels

Levels - Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment.

Category: level - source: https://collaborate.mitre.org/attackics/index.php/All_Levels - total: 3 elements

[HTML] - [JSON]

Software

Software - Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS.

Category: tool - source: https://collaborate.mitre.org/attackics/index.php/Software - total: 17 elements

[HTML] - [JSON]

Tactics

Tactics - A list of all 11 tactics in ATT&CK for ICS

Category: tactic - source: https://collaborate.mitre.org/attackics/index.php/All_Tactics - total: 9 elements

[HTML] - [JSON]

Techniques

Techniques - A list of Techniques in ATT&CK for ICS.

Category: attack-pattern - source: https://collaborate.mitre.org/attackics/index.php/All_Techniques - total: 78 elements

[HTML] - [JSON]

Intrusion Set

Intrusion Set - Name of ATT&CK Group

Category: actor - source: https://github.com/mitre/cti - total: 165 elements

[HTML] - [JSON]

Malware

Malware - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 705 elements

[HTML] - [JSON]

Mobile Attack - Attack Pattern

Mobile Attack - Attack Pattern - ATT&CK tactic

Category: attack-pattern - source: https://github.com/mitre/cti - total: 76 elements

[HTML] - [JSON]

Mobile Attack - Course of Action

Mobile Attack - Course of Action - ATT&CK Mitigation

Category: course-of-action - source: https://github.com/mitre/cti - total: 14 elements

[HTML] - [JSON]

Mobile Attack - Intrusion Set

Mobile Attack - Intrusion Set - Name of ATT&CK Group

Category: actor - source: https://github.com/mitre/cti - total: 1 elements

[HTML] - [JSON]

Mobile Attack - Malware

Mobile Attack - Malware - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 35 elements

[HTML] - [JSON]

Mobile Attack - Tool

Mobile Attack - Tool - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 1 elements

[HTML] - [JSON]

Pre Attack - Attack Pattern

Pre Attack - Attack Pattern - ATT&CK tactic

Category: attack-pattern - source: https://github.com/mitre/cti - total: 174 elements

[HTML] - [JSON]

Pre Attack - Intrusion Set

Pre Attack - Intrusion Set - Name of ATT&CK Group

Category: actor - source: https://github.com/mitre/cti - total: 7 elements

[HTML] - [JSON]

mitre-tool

mitre-tool - Name of ATT&CK software

Category: tool - source: https://github.com/mitre/cti - total: 87 elements

[HTML] - [JSON]

NAICS

NAICS - The North American Industry Classification System or NAICS is a classification of business establishments by type of economic activity (the process of production).

Category: sector - source: North American Industry Classification System - NAICS - total: 2125 elements

[HTML] - [JSON]

o365-exchange-techniques

o365-exchange-techniques - o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC and @inversecos

Category: guidelines - source: Open Sources, https://www.inversecos.com/2021/09/office365-attacks-bypassing-mfa.html - total: 62 elements

[HTML] - [JSON]

online-service

online-service - Known public online services.

Category: tool - source: Open Sources - total: 1 elements

[HTML] - [JSON]

Preventive Measure

Preventive Measure - Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.

Category: measure - source: MISP Project - total: 20 elements

[HTML] - [JSON]

Producer

Producer - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.

Category: actor - source: MISP Project - total: 15 elements

[HTML] - [JSON]

Ransomware

Ransomware - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar

Category: tool - source: Various - total: 1706 elements

[HTML] - [JSON]

RAT

RAT - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.

Category: tool - source: MISP Project - total: 266 elements

[HTML] - [JSON]

Regions UN M49

Regions UN M49 - Regions based on UN M49.

Category: location - source: https://unstats.un.org/unsd/methodology/m49/overview/ - total: 32 elements

[HTML] - [JSON]

rsit

rsit - rsit

Category: rsit - source: https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force - total: 39 elements

[HTML] - [JSON]

Sector

Sector - Activity sectors

Category: sector - source: CERT-EU - total: 118 elements

[HTML] - [JSON]

Sigma-Rules

Sigma-Rules - MISP galaxy cluster based on Sigma Rules.

Category: rules - source: https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma - total: 2876 elements

[HTML] - [JSON]

Dark Patterns

Dark Patterns - Dark Patterns are user interface that tricks users into making decisions that benefit the interface's holder to the expense of the user.

Category: dark-patterns - source: CIRCL - total: 19 elements

[HTML] - [JSON]

SoD Matrix

SoD Matrix - SOD Matrix

Category: sod-matrix - source: https://github.com/cudeso/SoD-Matrix - total: 276 elements

[HTML] - [JSON]

Stealer

Stealer - A list of malware stealer.

Category: tool - source: Open Sources - total: 16 elements

[HTML] - [JSON]

Surveillance Vendor

Surveillance Vendor - List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services.

Category: actor - source: MISP Project - total: 50 elements

[HTML] - [JSON]

Target Information

Target Information - Description of targets of threat actors.

Category: target - source: Various - total: 241 elements

[HTML] - [JSON]

TDS

TDS - TDS is a list of Traffic Direction System used by adversaries

Category: tool - source: MISP Project - total: 11 elements

[HTML] - [JSON]

Tea Matrix

Tea Matrix - Tea Matrix

Category: tea-matrix - source: ** - total: 7 elements

[HTML] - [JSON]

Threat Actor

Threat Actor - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.

Category: actor - source: MISP Project - total: 671 elements

[HTML] - [JSON]

Tidal Campaigns

Tidal Campaigns - Tidal Campaigns Cluster

Category: Campaigns - source: https://app-api.tidalcyber.com/api/v1/campaigns/ - total: 41 elements

[HTML] - [JSON]

Tidal Groups

Tidal Groups - Tidal Groups Galaxy

Category: Threat Groups - source: https://app-api.tidalcyber.com/api/v1/groups/ - total: 163 elements

[HTML] - [JSON]

Tidal References

Tidal References - Tidal References Cluster

Category: References - source: https://app-api.tidalcyber.com/api/v1/references/ - total: 3872 elements

[HTML] - [JSON]

Tidal Software

Tidal Software - Tidal Software Cluster

Category: Software - source: https://app-api.tidalcyber.com/api/v1/software/ - total: 931 elements

[HTML] - [JSON]

Tidal Tactic

Tidal Tactic - Tidal Tactic Cluster

Category: Tactic - source: https://app-api.tidalcyber.com/api/v1/tactic/ - total: 14 elements

[HTML] - [JSON]

Tidal Technique

Tidal Technique - Tidal Technique Cluster

Category: Technique - source: https://app-api.tidalcyber.com/api/v1/technique/ - total: 201 elements

[HTML] - [JSON]

Threat Matrix for storage services

Threat Matrix for storage services - Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.

Category: tmss - source: https://github.com/microsoft/Threat-matrix-for-storage-services - total: 40 elements

[HTML] - [JSON]

Tool

Tool - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.

Category: tool - source: MISP Project - total: 603 elements

[HTML] - [JSON]

UAVs/UCAVs

UAVs/UCAVs - Unmanned Aerial Vehicles / Unmanned Combat Aerial Vehicles

Category: military equipment - source: Popular Mechanics - total: 36 elements

[HTML] - [JSON]

UKHSA Culture Collections

UKHSA Culture Collections - UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.

Category: virus - source: https://www.culturecollections.org.uk - total: 6667 elements

[HTML] - [JSON]

Online documentation

The misp-galaxy.org website provides an easily navigable resource for all MISP galaxy clusters.

A readable PDF overview of the MISP galaxy is available or HTML and generated from the JSON.

How to contribute?

License

The MISP galaxy (JSON files) are dual-licensed under:

or

 Copyright (c) 2015-2024 Alexandre Dulaunoy - a@foo.be
 Copyright (c) 2015-2024 CIRCL - Computer Incident Response Center Luxembourg
 Copyright (c) 2015-2024 Andras Iklody
 Copyright (c) 2015-2024 Raphael Vinot
 Copyright (c) 2015-2024 Deborah Servili
 Copyright (c) 2016-2024 Various contributors to MISP Project

 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright notice,
       this list of conditions and the following disclaimer in the documentation
       and/or other materials provided with the distribution.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 OF THE POSSIBILITY OF SUCH DAMAGE.