PyMISP/tests/reportlab_testfiles/galaxy_1.json


{
"Event": {
"id": "30",
"orgc_id": "2",
"org_id": "1",
"date": "2018-04-09",
"threat_level_id": "3",
"info": "OSINT - PUBG Ransomware Decrypts Your Files If You Play PlayerUnknown's Battlegrounds",
"published": false,
"uuid": "5acc88e9-265c-4f22-9d2b-b702950d210f",
"attribute_count": "10",
"analysis": "2",
"timestamp": "1551342138",
"distribution": "3",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "1550506225",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Attribute": [
{
"id": "5291",
"type": "link",
"category": "External analysis",
"to_ids": false,
"uuid": "5acc8902-ab3c-4dfc-b0bf-32b6950d210f",
"event_id": "30",
"distribution": "5",
"timestamp": "1523391188",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "https:\/\/www.bleepingcomputer.com\/news\/security\/pubg-ransomware-decrypts-your-files-if-you-play-playerunknowns-battlegrounds\/",
"Galaxy": [],
"ShadowAttribute": [],
"Tag": [
{
"id": "9",
"name": "osint:source-type=\"blog-post\"",
"colour": "#00223b",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
}
]
},
{
"id": "5292",
"type": "comment",
"category": "External analysis",
"to_ids": false,
"uuid": "5acc9143-c550-4cac-9c62-40f9950d210f",
"event_id": "30",
"distribution": "5",
"timestamp": "1523391188",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "In what could only be a joke, a new ransomware has been discovered called \"PUBG Ransomware\" that will decrypt your files if you play the game called PlayerUnknown's Battlegrounds.\r\n\r\nDiscovered by MalwareHunterTeam, when the PUBG Ransomware is launched it will encrypt a user's files and folders on the user's desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files.",
"Galaxy": [],
"ShadowAttribute": [],
"Tag": [
{
"id": "9",
"name": "osint:source-type=\"blog-post\"",
"colour": "#00223b",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
}
]
},
{
"id": "5293",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5acc9181-5c70-4a02-b2f0-4dae950d210f",
"event_id": "30",
"distribution": "5",
"timestamp": "1523356033",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "3208efe96d14f5a6a2840daecbead6b0f4d73c5a05192a1a8eef8b50bbfb4bc1",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "5294",
"type": "attachment",
"category": "Artifacts dropped",
"to_ids": false,
"uuid": "5acc91b2-bd54-4e44-8aee-35e7950d210f",
"event_id": "30",
"distribution": "5",
"timestamp": "1523391188",
"comment": "ransomnote screen",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "pubg-ransomware.jpg",
"Galaxy": [],
"data": "\/9j\/4AAQSkZJRgABAQAAAQABAAD\/2wBDABALCwsMCxAMDBAXDw0PFxsUEBAUGx8XFxcXFx8eFxoaGhoXHh4jJSclIx4vLzMzLy9AQEBAQEBAQEBAQEBAQED\/2wBDAREPDxETERUSEhUUERQRFBoUFhYUGiYaGhwaGiYwIx4eHh4jMCsuJycnLis1NTAwNTVAQD9AQEBAQEBAQEBAQED\/wgARCAIHBJ8DASIAAhEBAxEB\/8QAGgAAAgMBAQAAAAAAAAAAAAAAAAMBAgQFBv\/EABkBAQEBAQEBAAAAAAAAAAAAAAABAgMEBf\/aAAwDAQACEAMQAAABa21t81jC1YwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBYwFjAWMBZMZ0FZllTJ1hlogsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCxULFQsVCmXWrHWc7yWrid87cjr8m4XJOskxJBIsSASSFq2gklYm0lZtK1sBaCUit4spDCqWvKUGQLLQQSFCSoqyoqraXNZArExYTEkBJBIRIAExEgAFEhAErEgBIQSEEwkElQSJAAAVBIQTAAABEEhASoEgEgBAApIEVYRSbyqxlRZaE6O\/D0OXbLpwTnW8xoOnTBU6i8TB1qoNxzWm0xIOjbk6R7cjR08vqgMBYwFjAWMBYwFjATDMw3Dvwaxfk9blVSSdZgkIJhCJKJiQtWZbWpJdqOlKmd2fOkJ6djk6cvfs4kQal2Ttzec5PYs5tW2jn17Pn9R969s55Ylyr7nFsrC7awOR6TOuFGsMSO\/mOSB0wABIAEwBKwWFrJKQSJEgAAAABQAQSEEwgEkRIQSEEhESEEhBIRIKTEwALIABMTMysTMSxW1UpFos6PQ5\/Q5dmGOudbl5Q13whuMUmwwhuMIapySbTHU3GENxhDcYpNgAAAAAAAC13oRj059YvyuryqpMTvMwAEkkRaKAkgkAJDp8zpyzzu1mzvD38pHK7\/AJ\/0FnAIjc17ufvxeb2OJ3Tz8dq9l\/PdvjHXy9Dkypid2+aaa0TWEvGsU9N5v0mN+ajsFmHqW52dYuzy9G8768jsY1xdy9W8sZl52ddHm+i4KdJzePnfR5GhO8P6DeJm9bmnUrj9PndZK05HdlSzm6Kx9BLLMGmdphzdfCaMWzLHQOPaXXzvQ+f3nsTo4WNO1ZuhYL5nTl5FelzumIJLIJACSJmZYm0kWLSxW9SlbVKklnQ34N\/HqnTzJmumc9B16cyp2F85xtSQWtlDecyh1kc9xsbgWnTXzWq7XzKHWXgg6N+PJ0l58x1rc5B1DOo3ry7hePfg1i\/J6\/J1KEm8AEskSSEqBJBMlZkK9Ln9GVmLTzZXprOsz6HzvbzrjV6OKx2+EZuHucLvHnTTfeOjzutxcb6vPOmcJ8G+exjFY6cuIjryn0fm\/Sc98CyDpnv8h+nnvm9jBrROrkdeXm6c2rUz4t2LWfQ+d9Fw8b0bJ5Z2eVvyR0vP97nVk7\/O1HN6XN6acXucXtnG2GpcqN2A6Utw51pjPuOS3F2OnOmG2fnvu+f9BwNTv+f9BwI3beX1FQYN6ZsW3HqQSakEiRJYixKzMTEzUltWIqK2qABv3Yd3LadPMma6a8aDqHMqdhfOcbUkE3yhvOZQ62fA42NwLTpq5zVdr5lDrLwQdE5UnRpnzHajlXNpk0Doz6CM
O7FrN+T12nBPSlnmo9MHmj0pZ5qfSEvmz0gecPRh509EL57R2Q42b0RHnT0RZ51neDBfYZ1zef6Is890OiHOOiHEzekLPN6u0GE3GbyI7BqecPRlnnOl0SPOHoyvP7ukS+f6O8MS+iS8NvXLniJ9CVz+d6EjmaNZLz8HfLOLu2C4sPbDiaOmRwOnsJUK2EvKy98rl5+4JxdHSNTgP7Bc409Ixvn4O+amDB3g4GvqBkXvM3gR6A1PPnoA4B3w4M90OHPbDiz2Q4p2heHHdDhR3g4B3xOfutXOk6eZMvTXjQdQ5lTsL5zjakgm+UN5zKHWz4HGxuBadNXOartfModZeCDonKk6NM+Y7Ucq5rtk0DTPoIx7MlzbDqxUwpNWKxZaKVuWiopwiEeIKfOcTQZxdM4zn22GadY0zlmXQJqPM0Z6azPOuTzPNOjPMrzPNy+M8mgy2XQZy40CIrQZyNBnk0GWy6DPNjxMWaDIzO3iDWHznJdBnkeIAywrj3vbPOWnVztNaDNFmquakuimWJdWziv3z7EZbbzScbMa6Zmt0jxC41mRo4SXDhIOEiuFA0TA8QQ4SK4TA+USNFAwUR0GobKhcno4RS9xLLTC5mlSzPNjJpMoTYpNqk1JIL1GKm0UkmoW+IrejFUXrYTCzTtz6PN3jJrwLbDuwklSrxUsIBCLTSy82UGSJHEJG1sTVtOPupMzz9C5Jz1dRi+3hpatuXrqXm4GoZ18y63rz9FZmM9a2i0pRhrFGxXfJyHK356ljh7qSXarEzclyu+Dksr08yyZ4fQrcnXNNicdaMqwTexcIU1eek53335VXvPP0wMqSrTk6ea1ks5+oi99YuvSmopdWdPW2dZXaSpep3f58SHTzhJEEiwBBFgqWhYJCIsRFossAEBMbNOfXjeLTjmzXOZEdBeStdBeZw5GiBc0B5koblZXK1iFprpkbFdeSlblog0s50mtcZjpGG8OWTTnZ9GbHP6HP1m+DelcsbSsVtYmQ1zWQ1zGQ1hltpFzToDMaRMkbSsUbRMRtizFOwXGbAxmwTGbBcZsDGbAxxtJcVtc1ijcJiNomI2lYjaGI2iY42hjNhWQ2BjNgZDWGQ1hkNZHM5fo8PPpybdaZeZXsKzvmT0ROcvqlnN3adU1lvqnpyyL3pXnZukc+traZ7cMhrLnIawyGsMhrFyGsjIawyGslyGsMhrDIawymolymsMk6gtqU3Gk6eZK9NeNB1DmVOwvnONqSCb5Q3nModbPgcbG4Fp01c5qu18yh1l4IOicqTo0z5jtRyrmuM8mhmfQRz+hz9Yu1XPXtnDk7ZxQ7RxZOyccOwceTsHIDrnJk6py5OmcyTpHNDpHMg6hy4s6pyoOscmTqnKk6hy4OqcojqnKDqnLDqHLK6hyw6hyw6hyw6hzA6ZzIOocuLOqcoOqcoOqcsOocsOocsOocsOocsOicm2b1a8LnZ166fIszv1dvLbq7teazWN0c\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
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"RelatedEvent": [
{
"Event": {
"id": "845",
"date": "2018-10-10",
"threat_level_id": "3",
"info": "OSINT - Threat Spotlight: Panda Banker Trojan Targets the US, Canada and Japan",
"published": true,
"uuid": "5bbe09c9-9040-4415-bd25-45b7950d210f",
"analysis": "2",
"timestamp": "1550653998",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "251",
"date": "2018-04-26",
"threat_level_id": "2",
"info": "OSINT - Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide",
"published": true,
"uuid": "5ae2129e-15b4-41e9-9428-4f1e02de0b81",
"analysis": "2",
"timestamp": "1550506954",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "885",
"date": "2018-03-13",
"threat_level_id": "3",
"info": "OSINT - Gozi ISFB Remains Active in 2018, Leverages \"Dark Cloud\" Botnet For Distribution",
"published": false,
"uuid": "5aa7b639-62d8-46e6-be6c-4db8950d210f",
"analysis": "0",
"timestamp": "1550654228",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "1082",
"date": "2018-01-29",
"threat_level_id": "3",
"info": "OSINT - VERMIN: Quasar RAT and Custom Malware Used In Ukraine",
"published": true,
"uuid": "5a6f379d-3854-4457-949e-41bb950d210f",
"analysis": "2",
"timestamp": "1550655231",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "483",
"date": "2018-01-25",
"threat_level_id": "3",
"info": "OSINT - Dark Caracal Cyber-espionage at a Global Scale",
"published": true,
"uuid": "5a69ed26-44c8-423c-a8dc-4f7b950d210f",
"analysis": "2",
"timestamp": "1550652819",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "161",
"date": "2017-12-14",
"threat_level_id": "3",
"info": "OSINT - Zeus Panda Banking Trojan Targets Online Holiday Shoppers",
"published": true,
"uuid": "5a390de6-4a58-4a19-89fb-4620950d210f",
"analysis": "2",
"timestamp": "1550506663",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "953",
"date": "2017-12-14",
"threat_level_id": "3",
"info": "OSINT - Zeus Panda Banking Trojan Targets Online Holiday Shoppers",
"published": true,
"uuid": "5a8ab58a-213c-409a-97af-4eb5950d210f",
"analysis": "2",
"timestamp": "1550654740",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
},
{
"Event": {
"id": "453",
"date": "2014-10-28",
"threat_level_id": "2",
"info": "OSINT - Operation SMN (Novetta)",
"published": true,
"uuid": "544f8aa7-9224-46ad-a73f-30f9950d210b",
"analysis": "2",
"timestamp": "1550652720",
"distribution": "3",
"org_id": "1",
"orgc_id": "2",
"Org": {
"id": "1",
"name": "ORGNAME",
"uuid": "5c6983c8-3af8-4304-869c-4800d6c1883c"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
}
}
}
],
"Galaxy": [
{
"id": "32",
"uuid": "c1dc03b2-89b3-42a5-9d41-782ef726435a",
"name": "Election guidelines",
"type": "guidelines",
"description": "Universal Development and Security Guidelines as Applicable to Election Technology.",
"version": "1",
"icon": "map",
"namespace": "misp",
"GalaxyCluster": [
{
"id": "4135",
"collection_uuid": "5079fa10-1df3-43f8-b0bf-cea7d342f5e1",
"type": "guidelines",
"value": "Defacement, DoS or overload of websites or other systems used for publication of the results",
"tag_name": "misp-galaxy:guidelines=\"Defacement, DoS or overload of websites or other systems used for publication of the results\"",
"description": "Defacement, DoS or overload of websites or other systems used for publication of the results",
"galaxy_id": "32",
"source": "Open Sources",
"authors": [
"NIS Cooperation Group"
],
"version": "1",
"uuid": "",
"tag_id": "723",
"meta": {
"date": [
"March 2018."
],
"kill_chain": [
"example-of-threats:campaign\/public-communication | media\/press"
],
"refs": [
"https:\/\/www.ria.ee\/sites\/default\/files\/content-editors\/kuberturve\/cyber_security_of_election_technology.pdf"
]
}
},
{
"id": "4122",
"collection_uuid": "650642c7-ab31-4844-a69f-22294925edeb",
"type": "guidelines",
"value": "Leak of confidential information",
"tag_name": "misp-galaxy:guidelines=\"Leak of confidential information\"",
"description": "Leak of confidential information",
"galaxy_id": "32",
"source": "Open Sources",
"authors": [
"NIS Cooperation Group"
],
"version": "1",
"uuid": "",
"tag_id": "724",
"meta": {
"date": [
"March 2018."
],
"kill_chain": [
"example-of-threats:campaign | campaign-IT"
],
"refs": [
"https:\/\/www.ria.ee\/sites\/default\/files\/content-editors\/kuberturve\/cyber_security_of_election_technology.pdf"
]
}
},
{
"id": "4131",
"collection_uuid": "3c817f6f-08f3-4e8c-8d94-e23b823beb8f",
"type": "guidelines",
"value": "Tampering or DoS of communication links uesd to transfer (interim) results",
"tag_name": "misp-galaxy:guidelines=\"Tampering or DoS of communication links uesd to transfer (interim) results\"",
"description": "Tampering or DoS of communication links uesd to transfer (interim) results",
"galaxy_id": "32",
"source": "Open Sources",
"authors": [
"NIS Cooperation Group"
],
"version": "1",
"uuid": "",
"tag_id": "725",
"meta": {
"date": [
"March 2018."
],
"kill_chain": [
"example-of-threats:voting | election-technology"
],
"refs": [
"https:\/\/www.ria.ee\/sites\/default\/files\/content-editors\/kuberturve\/cyber_security_of_election_technology.pdf"
]
}
}
]
},
{
"id": "30",
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
"name": "Intrusion Set",
"type": "mitre-intrusion-set",
"description": "Name of ATT&CK Group",
"version": "8",
"icon": "user-secret",
"namespace": "mitre-attack",
"GalaxyCluster": [
{
"id": "4012",
"collection_uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"type": "mitre-intrusion-set",
"value": "APT1 - G0006",
"tag_name": "misp-galaxy:mitre-intrusion-set=\"APT1 - G0006\"",
"description": "[APT1](https:\/\/attack.mitre.org\/groups\/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"galaxy_id": "30",
"source": "https:\/\/github.com\/mitre\/cti",
"authors": [
"MITRE"
],
"version": "12",
"uuid": "",
"tag_id": "726",
"meta": {
"external_id": [
"G0006"
],
"refs": [
"https:\/\/attack.mitre.org\/groups\/G0006",
"https:\/\/www.fireeye.com\/content\/dam\/fireeye-www\/services\/pdfs\/mandiant-apt1-report.pdf",
"http:\/\/cdn0.vox-cdn.com\/assets\/4589853\/crowdstrike-intelligence-report-putter-panda.original.pdf"
],
"synonyms": [
"APT1",
"Comment Crew",
"Comment Group",
"Comment Panda"
]
}
},
{
"id": "4010",
"collection_uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"type": "mitre-intrusion-set",
"value": "APT12 - G0005",
"tag_name": "misp-galaxy:mitre-intrusion-set=\"APT12 - G0005\"",
"description": "[APT12](https:\/\/attack.mitre.org\/groups\/G0005) is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
"galaxy_id": "30",
"source": "https:\/\/github.com\/mitre\/cti",
"authors": [
"MITRE"
],
"version": "12",
"uuid": "",
"tag_id": "727",
"meta": {
"external_id": [
"G0005"
],
"refs": [
"https:\/\/attack.mitre.org\/groups\/G0005",
"http:\/\/www.crowdstrike.com\/blog\/whois-numbered-panda\/",
"https:\/\/www.fireeye.com\/blog\/threat-research\/2014\/09\/darwins-favorite-apt-group-2.html"
],
"synonyms": [
"APT12",
"IXESHE",
"DynCalc",
"Numbered Panda",
"DNSCALC"
]
}
}
]
},
{
"id": "12",
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"name": "Malware",
"type": "mitre-malware",
"description": "Name of ATT&CK software",
"version": "6",
"icon": "optin-monster",
"namespace": "mitre-attack",
"GalaxyCluster": [
{
"id": "2221",
"collection_uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8",
"type": "mitre-malware",
"value": "ANDROIDOS_ANSERVER.A - S0310",
"tag_name": "misp-galaxy:mitre-malware=\"ANDROIDOS_ANSERVER.A - S0310\"",
"description": "[ANDROIDOS_ANSERVER.A](https:\/\/attack.mitre.org\/software\/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)",
"galaxy_id": "12",
"source": "https:\/\/github.com\/mitre\/cti",
"authors": [
"MITRE"
],
"version": "11",
"uuid": "",
"tag_id": "728",
"meta": {
"external_id": [
"S0310"
],
"mitre_platforms": [
"Android"
],
"refs": [
"https:\/\/attack.mitre.org\/software\/S0310",
"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/android-malware-uses-blog-posts-as-cc\/"
],
"synonyms": [
"ANDROIDOS_ANSERVER.A"
]
}
},
{
"id": "2246",
"collection_uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"type": "mitre-malware",
"value": "BACKSPACE - S0031",
"tag_name": "misp-galaxy:mitre-malware=\"BACKSPACE - S0031\"",
"description": "[BACKSPACE](https:\/\/attack.mitre.org\/software\/S0031) is a backdoor used by [APT30](https:\/\/attack.mitre.org\/groups\/G0013) that dates back to at least 2005. (Citation: FireEye APT30)",
"galaxy_id": "12",
"source": "https:\/\/github.com\/mitre\/cti",
"authors": [
"MITRE"
],
"version": "11",
"uuid": "",
"tag_id": "729",
"meta": {
"external_id": [
"S0031"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https:\/\/attack.mitre.org\/software\/S0031",
"https:\/\/www2.fireeye.com\/rs\/fireye\/images\/rpt-apt30.pdf"
],
"synonyms": [
"BACKSPACE",
"Lecna"
]
}
}
]
}
],
"Object": [
{
"id": "165",
"name": "file",
"meta-category": "file",
"description": "File object describing a file with meta-information",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"event_id": "30",
"uuid": "2ba7f152-381c-470f-a732-792397b424d4",
"timestamp": "1523391192",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [
{
"id": "43",
"uuid": "5acd1ad7-df04-4155-bc1c-464602de0b81",
"timestamp": "1550506225",
"object_id": "165",
"event_id": "30",
"source_uuid": "2ba7f152-381c-470f-a732-792397b424d4",
"referenced_uuid": "eefb6d88-9cc1-4d65-b266-b2e82a2464b9",
"referenced_id": "166",
"referenced_type": "1",
"relationship_type": "analysed-with",
"comment": "",
"deleted": false,
"Object": {
"distribution": "5",
"sharing_group_id": "0",
"uuid": "eefb6d88-9cc1-4d65-b266-b2e82a2464b9",
"name": "virustotal-report",
"meta-category": "misc"
}
}
],
"Attribute": [
{
"id": "5295",
"type": "sha1",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5acd1ad5-d454-4166-aa3a-498d02de0b81",
"event_id": "30",
"distribution": "5",
"timestamp": "1523391189",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "165",
"object_relation": "sha1",
"value": "d63ff86f05b6f2fb86abf0dcd16cd2008fa3c158",
"Galaxy": [
{
"id": "33",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"name": "Enterprise Attack - Attack Pattern",
"type": "mitre-enterprise-attack-attack-pattern",
"description": "ATT&CK Tactic",
"version": "5",
"icon": "map",
"namespace": "deprecated",
"GalaxyCluster": [
{
"id": "4292",
"collection_uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
"type": "mitre-enterprise-attack-attack-pattern",
"value": "Account Manipulation - T1098",
"tag_name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Account Manipulation - T1098\"",
"description": "Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.\n\nDetection: Collect events that correlate with changes to account objects on systems and the domain, such as event ID 4738. (Citation: Microsoft User Modified Event) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ (Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password. (Citation: GitHub Mimikatz Issue 92 June 2017)\n\nUse of credentials may also occur at unusual times or to unusual systems or services and may correlate with other suspicious activity.\n\nPlatforms: Windows\n\nData Sources: Authentication logs, API monitoring, Windows event logs, Packet capture\n\nPermissions Required: Administrator",
"galaxy_id": "33",
"source": "https:\/\/github.com\/mitre\/cti",
"authors": [
"MITRE"
],
"version": "4",
"uuid": "",
"tag_id": "716",
"meta": {
"external_id": [
"T1098"
],
"kill_chain": [
"mitre-attack:enterprise-attack:credential-access"
],
"mitre_data_sources": [
"Authentication logs",
"API monitoring",
"Windows event logs",
"Packet capture"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https:\/\/attack.mitre.org\/wiki\/Technique\/T1098",
"https:\/\/docs.microsoft.com\/windows\/device-security\/auditing\/event-4738",
"https:\/\/blog.stealthbits.com\/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM",
"https:\/\/github.com\/gentilkiwi\/mimikatz\/issues\/92"
]
}
}
]
}
],
"ShadowAttribute": [],
"Tag": [
{
"id": "716",
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Account Manipulation - T1098\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
}
]
},
{
"id": "5296",
"type": "sha256",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5acd1ad5-0c3c-4e72-8ca1-40d102de0b81",
"event_id": "30",
"distribution": "5",
"timestamp": "1523391189",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "165",
"object_relation": "sha256",
"value": "3208efe96d14f5a6a2840daecbead6b0f4d73c5a05192a1a8eef8b50bbfb4bc1",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "5297",
"type": "md5",
"category": "Payload delivery",
"to_ids": true,
"uuid": "5acd1ad6-9458-43ed-8bda-48b202de0b81",
"event_id": "30",
"distribution": "5",
"timestamp": "1523391190",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "165",
"object_relation": "md5",
"value": "0997ba7292ddbac1c7e7ade6766ed53c",
"Galaxy": [
{
"id": "32",
"uuid": "c1dc03b2-89b3-42a5-9d41-782ef726435a",
"name": "Election guidelines",
"type": "guidelines",
"description": "Universal Development and Security Guidelines as Applicable to Election Technology.",
"version": "1",
"icon": "map",
"namespace": "misp",
"GalaxyCluster": [
{
"id": "4125",
"collection_uuid": "b7eef207-ae5d-472d-bf7c-9f539c2c4bbc",
"type": "guidelines",
"value": "DoS or overload of government websites",
"tag_name": "misp-galaxy:guidelines=\"DoS or overload of government websites\"",
"description": "DoS or overload of government websites",
"galaxy_id": "32",
"source": "Open Sources",
"authors": [
"NIS Cooperation Group"
],
"version": "1",
"uuid": "",
"tag_id": "717",
"meta": {
"date": [
"March 2018."
],
"kill_chain": [
"example-of-threats:all-phases | governement-IT"
],
"refs": [
"https:\/\/www.ria.ee\/sites\/default\/files\/content-editors\/kuberturve\/cyber_security_of_election_technology.pdf"
]
}
}
]
},
{
"id": "2",
"uuid": "6fcb4472-6de4-11e7-b5f7-37771619e14e",
"name": "Course of Action",
"type": "mitre-course-of-action",
"description": "ATT&CK Mitigation",
"version": "7",
"icon": "chain",
"namespace": "mitre-attack",
"GalaxyCluster": [
{
"id": "166",
"collection_uuid": "5c49bc54-9929-48ca-b581-7018219b5a97",
"type": "mitre-course-of-action",
"value": "Account Discovery Mitigation - T1087",
"tag_name": "misp-galaxy:mitre-course-of-action=\"Account Discovery Mitigation - T1087\"",
"description": "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located <code>HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators<\/code>. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and\/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)",
"galaxy_id": "2",
"source": "https:\/\/github.com\/mitre\/cti",
"authors": [
"MITRE"
],
"version": "9",
"uuid": "",
"tag_id": "718",
"meta": {
"external_id": [
"T1087"
],
"refs": [
"https:\/\/attack.mitre.org\/techniques\/T1087",
"http:\/\/technet.microsoft.com\/en-us\/magazine\/2008.06.srp.aspx",
"http:\/\/www.sans.org\/reading-room\/whitepapers\/application\/application-whitelisting-panacea-propaganda-33599",
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html",
"https:\/\/www.iad.gov\/iad\/library\/ia-guidance\/tech-briefs\/application-whitelisting-using-microsoft-applocker.cfm",
"https:\/\/technet.microsoft.com\/en-us\/library\/ee791851.aspx",
"https:\/\/www.stigviewer.com\/stig\/microsoft_windows_server_2012_member_server\/2013-07-25\/finding\/WN12-CC-000077"
]
}
}
]
}
],
"ShadowAttribute": [],
"Tag": [
{
"id": "717",
"name": "misp-galaxy:guidelines=\"DoS or overload of government websites\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "718",
"name": "misp-galaxy:mitre-course-of-action=\"Account Discovery Mitigation - T1087\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
}
]
}
]
},
{
"id": "166",
"name": "virustotal-report",
"meta-category": "misc",
"description": "VirusTotal report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"event_id": "30",
"uuid": "eefb6d88-9cc1-4d65-b266-b2e82a2464b9",
"timestamp": "1523391190",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"ObjectReference": [],
"Attribute": [
{
"id": "5298",
"type": "link",
"category": "External analysis",
"to_ids": false,
"uuid": "5acd1ad6-61c4-45e4-98f6-4bb802de0b81",
"event_id": "30",
"distribution": "5",
"timestamp": "1523391190",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "166",
"object_relation": "permalink",
"value": "https:\/\/www.virustotal.com\/file\/3208efe96d14f5a6a2840daecbead6b0f4d73c5a05192a1a8eef8b50bbfb4bc1\/analysis\/1523371298\/",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "5299",
"type": "text",
"category": "Other",
"to_ids": false,
"uuid": "5acd1ad7-b308-4547-96b5-41f902de0b81",
"event_id": "30",
"distribution": "5",
"timestamp": "1523391191",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "166",
"object_relation": "detection-ratio",
"value": "44\/66",
"Galaxy": [
{
"id": "12",
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"name": "Malware",
"type": "mitre-malware",
"description": "Name of ATT&CK software",
"version": "6",
"icon": "optin-monster",
"namespace": "mitre-attack",
"GalaxyCluster": [
{
"id": "2306",
"collection_uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"type": "mitre-malware",
"value": "ADVSTORESHELL - S0045",
"tag_name": "misp-galaxy:mitre-malware=\"ADVSTORESHELL - S0045\"",
"description": "[ADVSTORESHELL](https:\/\/attack.mitre.org\/software\/S0045) is a spying backdoor that has been used by [APT28](https:\/\/attack.mitre.org\/groups\/G0007) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)",
"galaxy_id": "12",
"source": "https:\/\/github.com\/mitre\/cti",
"authors": [
"MITRE"
],
"version": "11",
"uuid": "",
"tag_id": "719",
"meta": {
"external_id": [
"S0045"
],
"mitre_platforms": [
"Windows"
],
"refs": [
"https:\/\/attack.mitre.org\/software\/S0045",
"https:\/\/securelist.com\/sofacy-apt-hits-high-profile-targets-with-updated-toolset\/72924\/",
"http:\/\/www.welivesecurity.com\/wp-content\/uploads\/2016\/10\/eset-sednit-part-2.pdf"
],
"synonyms": [
"ADVSTORESHELL",
"AZZY",
"EVILTOSS",
"NETUI",
"Sedreco"
]
}
}
]
}
],
"ShadowAttribute": [],
"Tag": [
{
"id": "719",
"name": "misp-galaxy:mitre-malware=\"ADVSTORESHELL - S0045\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
}
]
},
{
"id": "5300",
"type": "datetime",
"category": "Other",
"to_ids": false,
"uuid": "5acd1ad7-c180-4b13-bb89-45ba02de0b81",
"event_id": "30",
"distribution": "5",
"timestamp": "1523391191",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "166",
"object_relation": "last-submission",
"value": "2018-04-10 14:41:38",
"Galaxy": [
{
"id": "22",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"name": "Attack Pattern",
"type": "mitre-attack-pattern",
"description": "ATT&CK Tactic",
"version": "7",
"icon": "map",
"namespace": "mitre-attack",
"GalaxyCluster": [
{
"id": "2925",
"collection_uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce",
"type": "mitre-attack-pattern",
"value": "Permission Groups Discovery - T1069",
"tag_name": "misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"",
"description": "Adversaries may attempt to find local system or domain-level groups and permissions settings. \n\n### Windows\n\nExamples of commands that can list groups are <code>net group \/domain<\/code> and <code>net localgroup<\/code> using the [Net](https:\/\/attack.mitre.org\/software\/S0039) utility.\n\n### Mac\n\nOn Mac, this same thing can be accomplished with the <code>dscacheutil -q group<\/code> for the domain, or <code>dscl . -list \/Groups<\/code> for local groups.\n\n### Linux\n\nOn Linux, local groups can be enumerated with the <code>groups<\/code> command and domain groups via the <code>ldapsearch<\/code> command.",
"galaxy_id": "22",
"source": "https:\/\/github.com\/mitre\/cti",
"authors": [
"MITRE"
],
"version": "8",
"uuid": "",
"tag_id": "720",
"meta": {
"external_id": [
"CAPEC-576"
],
"kill_chain": [
"mitre-attack:discovery"
],
"mitre_data_sources": [
"API monitoring",
"Process monitoring",
"Process command-line parameters"
],
"mitre_platforms": [
"Linux",
"macOS",
"Windows"
],
"refs": [
"https:\/\/attack.mitre.org\/techniques\/T1069",
"https:\/\/capec.mitre.org\/data\/definitions\/576.html"
]
}
}
]
},
{
"id": "24",
"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
"name": "Stealer",
"type": "stealer",
"description": "Malware stealer galaxy.",
"version": "1",
"icon": "key",
"namespace": "misp",
"GalaxyCluster": [
{
"id": "3230",
"collection_uuid": "a6780288-24eb-4006-9ddd-062870c6feec",
"type": "stealer",
"value": "TeleGrab",
"tag_name": "misp-galaxy:stealer=\"TeleGrab\"",
"description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
"galaxy_id": "24",
"source": "Open Sources",
"authors": [
"raw-data"
],
"version": "4",
"uuid": "",
"tag_id": "721",
"meta": {
"date": [
"March 2018."
],
"refs": [
"https:\/\/blog.talosintelligence.com\/2018\/05\/telegrab.html"
]
}
}
]
},
{
"id": "27",
"uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
"name": "Android",
"type": "android",
"description": "Android malware galaxy based on multiple open sources.",
"version": "3",
"icon": "android",
"namespace": "misp",
"GalaxyCluster": [
{
"id": "3539",
"collection_uuid": "ce1a9641-5bb8-4a61-990a-870e9ef36ac1",
"type": "android",
"value": "Adwind",
"tag_name": "misp-galaxy:android=\"Adwind\"",
"description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download\/execute files, and download\/load plugins. According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.",
"galaxy_id": "27",
"source": "Open Sources",
"authors": [
"Unknown"
],
"version": "18",
"uuid": "",
"tag_id": "722",
"meta": {
"refs": [
"https:\/\/securelist.com\/adwind-faq\/73660\/"
],
"synonyms": [
"AlienSpy",
"Frutas",
"Unrecom",
"Sockrat",
"Jsocket",
"jRat",
"Backdoor:Java\/Adwind"
]
}
}
]
}
],
"ShadowAttribute": [],
"Tag": [
{
"id": "720",
"name": "misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "721",
"name": "misp-galaxy:stealer=\"TeleGrab\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "722",
"name": "misp-galaxy:android=\"Adwind\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
}
]
}
]
}
],
"Tag": [
{
"id": "4",
"name": "tlp:white",
"colour": "#ffffff",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "12",
"name": "malware_classification:malware-category=\"Ransomware\"",
"colour": "#2c4f00",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "57",
"name": "circl:incident-classification=\"malware\"",
"colour": "#3c7700",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "68",
"name": "ms-caro-malware-full:malware-type=\"Joke\"",
"colour": "#001637",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "19",
"name": "workflow:todo=\"create-missing-misp-galaxy-cluster-values\"",
"colour": "#850048",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "723",
"name": "misp-galaxy:guidelines=\"Defacement, DoS or overload of websites or other systems used for publication of the results\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "724",
"name": "misp-galaxy:guidelines=\"Leak of confidential information\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "725",
"name": "misp-galaxy:guidelines=\"Tampering or DoS of communication links uesd to transfer (interim) results\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "726",
"name": "misp-galaxy:mitre-intrusion-set=\"APT1 - G0006\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "727",
"name": "misp-galaxy:mitre-intrusion-set=\"APT12 - G0005\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "728",
"name": "misp-galaxy:mitre-malware=\"ANDROIDOS_ANSERVER.A - S0310\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
},
{
"id": "729",
"name": "misp-galaxy:mitre-malware=\"BACKSPACE - S0031\"",
"colour": "#0088cc",
"exportable": true,
"user_id": "0",
"hide_tag": false,
"numerical_value": null
}
]
}
}