MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge https://github.com/MISP/misp-galaxy

pull/44/head
Déborah Servili 2017-04-11 10:26:55 +02:00
parent 50a3576cf3 bbf6716c73
commit 0e7ca5b18e
18 changed files with 2354 additions and 1056 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
.travis.yml
View File

@ -1,17 +1,16 @@
language: bash
language: python
cache: pip
python:
- "3.6"
sudo: required
dist: trusty
install:
- git clone https://github.com/stedolan/jq.git
- pushd jq
- autoreconf -i
- ./configure --disable-maintainer-mode
- make
- sudo make install
- popd
- sudo apt-get update -qq
- sudo apt-get install -y -qq jq moreutils
- pip install jsonschema
script:
- cat */*.json | jq .
- ./validate_all.sh

472
clusters/exploit-kit.json
View File

@ -1,453 +1,447 @@
{
"values": [
{ "value": "Astrum",
"values": [
{
"value": "Astrum",
"description": "Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/09/astrum-ek.html",
"http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/"
],
"synonyms": [
"synonyms": [
"Stegano EK"
],
"status": "Unknown - Last Seen 2016-12-07"
}
}
,
{ "value": "DealersChoice",
"status": "Unknown - Last Seen 2016-12-07"
}
},
{
"value": "DealersChoice",
"description": "DealersChoice is a Flash Player Exploit platform triggered by RTF",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/"
],
"synonyms": [
"synonyms": [
"Sednit RTF EK"
],
"status": "Active"
}
}
,
{ "value": "DNSChanger",
"status": "Active"
}
},
{
"value": "DNSChanger",
"description": "DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html",
"https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"
],
"synonyms": [
"synonyms": [
"RouterEK"
],
"status": "Active"
}
}
,
{ "value": "Empire",
"status": "Active"
}
},
{
"value": "Empire",
"description": "The Empire Pack is a variation of RIG operated by a load seller. It's being fed by many traffic actors",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
],
"synonyms": [
"synonyms": [
"RIG-E"
]
,
"status": "Unknown - Last seen: 2016-12-29"
}
}
,
{ "value": "Hunter",
],
"status": "Unknown - Last seen: 2016-12-29"
}
},
{
"value": "Hunter",
"description": "Hunter EK is an evolution of 3Ros EK",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers"
],
"synonyms": [
"synonyms": [
"3ROS Exploit Kit"
]
,
"status": "Active"
}
}
,
{ "value": "Kaixin",
],
"status": "Active"
}
},
{
"value": "Kaixin",
"description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia",
"meta": {
"refs": [
"http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/",
"http://www.kahusecurity.com/2012/new-chinese-exploit-pack/"
],
"synonyms": [
"synonyms": [
"CK vip"
] ,
"status": "Active"
}
}
,
{ "value": "Magnitude",
],
"status": "Active"
}
},
{
"value": "Magnitude",
"description": "Magnitude EK",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/10/Magnitude.html",
"http://malware.dontneedcoffee.com/2013/10/Magnitude.html",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Peek-Into-the-Lion-s-Den-%E2%80%93-The-Magnitude--aka-PopAds--Exploit-Kit/",
"http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html"
],
"synonyms": [
"synonyms": [
"Popads EK",
"TopExp"
],
"status": "Active"
}
}
,
{ "value": "MWI",
"status": "Active"
}
},
{
"value": "MWI",
"description": "Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. The author wants to avoid their customer to use it in mass spam campaign, so it's most often connected to semi-targeted attacks",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html",
"https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf"
],
"status": "Active"
}
}
,
{ "value": "Neutrino",
"status": "Active"
}
},
{
"value": "Neutrino",
"description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html",
"http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html"
],
"synonyms": [
"synonyms": [
"Job314",
"Neutrino Rebooted",
"Neutrino-v"
]
,
"status": "Active"
}
}
,
{ "value": "RIG",
],
"status": "Active"
}
},
{
"value": "RIG",
"description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.",
"meta": {
"refs": [
"http://www.kahusecurity.com/2014/rig-exploit-pack/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/",
"https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/",
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
"https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/",
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
],
"synonyms": [
"synonyms": [
"RIG 3",
"RIG-v",
"RIG 4",
"Meadgive"
"RIG-v",
"RIG 4",
"Meadgive"
],
"status": "Active"
}
}
,
{ "value": "Sednit EK",
"status": "Active"
}
},
{
"value": "Sednit EK",
"description": "Sednit EK is the exploit kit used by APT28",
"meta": {
"refs": [
"http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/"
],
"status": "Active"
}
}
,
{ "value": "Bizarro Sundown",
"status": "Active"
}
},
{
"value": "Bizarro Sundown",
"description": "Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/",
"https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/"
],
"synonyms": [
"synonyms": [
"Sundown-b"
],
"status": "Active"
}
}
,
{ "value": "GreenFlash Sundown",
"status": "Active"
}
},
{
"value": "GreenFlash Sundown",
"description": "GreenFlash Sundown is a variation of Bizarro Sundown without landing",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/"
],
"synonyms": [
"synonyms": [
"Sundown-GF"
],
"status": "Active"
}
}
,
{ "value": "Sundown",
"status": "Active"
}
},
{
"value": "Sundown",
"description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html",
"https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road"
],
"synonyms": [
"synonyms": [
"Beps",
"Xer",
"Beta"
],
"status": "Active",
"colour": "#C03701"
}
}
,
{ "value": "Angler",
"status": "Active",
"colour": "#C03701"
}
},
{
"value": "Angler",
"description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC",
"meta": {
"refs": [
"https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/",
"http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html",
"http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html"
"http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html"
],
"synonyms": [
"synonyms": [
"XXX",
"AEK",
"Axpergle"
],
"status": "Retired - Last seen: 2016-06-07"
}
}
,
{ "value": "Archie",
"status": "Retired - Last seen: 2016-06-07"
}
},
{
"value": "Archie",
"description": "Archie EK",
"meta": {
"refs": [
"https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit"
],
"status": "Retired"
}
}
,
{ "value": "BlackHole",
"status": "Retired"
}
},
{
"value": "BlackHole",
"description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)",
"meta": {
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/",
"https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/"
],
"synonyms": [
"synonyms": [
"BHEK"
],
"status": "Retired - Last seen: 2013-10-07"
}
}
,
{ "value": "Bleeding Life",
"status": "Retired - Last seen: 2013-10-07"
}
},
{
"value": "Bleeding Life",
"description": "Bleeding Life is an exploit kit that became open source with its version 2",
"meta": {
"refs": [
"http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/",
"http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html"
],
"synonyms": [
"synonyms": [
"BL",
"BL2"
]
,
"status": "Retired"
}
}
,
{ "value": "Cool",
],
"status": "Retired"
}
},
{
"value": "Cool",
"description": "The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/10/newcoolek.html",
"http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/"
"http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/"
],
"synonyms": [
"synonyms": [
"CEK",
"Styxy Cool"
"Styxy Cool"
],
"status": "Retired - Last seen: 2013-10-07"
}
}
,
{ "value": "Fiesta",
"status": "Retired - Last seen: 2013-10-07"
}
},
{
"value": "Fiesta",
"description": "Fiesta Exploit Kit",
"meta": {
"refs": [
"http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an",
"http://www.kahusecurity.com/2011/neosploit-is-back/"
],
"synonyms": [
"synonyms": [
"NeoSploit",
"Fiexp"
]
,
"status": "Retired - Last Seen: beginning of 2015-07"
}
}
,
{ "value": "FlashPack",
],
"status": "Retired - Last Seen: beginning of 2015-07"
}
},
{
"value": "FlashPack",
"description": "FlashPack EK got multiple fork. The most common variant seen was the standalone Flash version",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html",
"http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html"
],
"synonyms": [
"synonyms": [
"FlashEK",
"SafePack",
"CritXPack",
"Vintage Pack"
]
,
"status": "Retired - Last seen: middle of 2015-04"
}
}
,
{ "value": "GrandSoft",
],
"status": "Retired - Last seen: middle of 2015-04"
}
},
{
"value": "GrandSoft",
"description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html",
"http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html",
"https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/"
"https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/"
],
"synonyms": [
"synonyms": [
"StampEK",
"SofosFO"
] ,
"status": "Retired - Last seen: 2014-03"
}
}
,
{ "value": "HanJuan",
],
"status": "Retired - Last seen: 2014-03"
}
},
{
"value": "HanJuan",
"description": "Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015",
"meta": {
"refs": [
"http://www.malwaresigs.com/2013/10/14/unknown-ek/",
"https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/",
"http://www.malwaresigs.com/2013/10/14/unknown-ek/",
"https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack",
"https://twitter.com/kafeine/status/562575744501428226"
],
"status": "Retired - Last seen: 2015-07"
}
}
,
{ "value": "Himan",
"status": "Retired - Last seen: 2015-07"
}
},
{
"value": "Himan",
"description": "Himan Exploit Kit",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/10/HiMan.html"
],
"synonyms": [
"synonyms": [
"High Load"
],
"status": "Retired - Last seen: 2014-04"
}
}
,
{ "value": "Impact",
"status": "Retired - Last seen: 2014-04"
}
},
{
"value": "Impact",
"description": "Impact EK",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html"
]
,
"status": "Retired"
}
}
,
{ "value": "Infinity",
],
"status": "Retired"
}
},
{
"value": "Infinity",
"description": "Infinity is an evolution of Redkit",
"meta": {
"refs": [
"http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html",
"http://www.kahusecurity.com/2014/the-resurrection-of-redkit/"
"http://www.kahusecurity.com/2014/the-resurrection-of-redkit/"
],
"synonyms": [
"synonyms": [
"Redkit v2.0",
"Goon"
],
"status": "Retired - Last seen: 2014-07"
}
}
,
{ "value": "Lightsout",
"status": "Retired - Last seen: 2014-07"
}
},
{
"value": "Lightsout",
"description": "Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex",
"meta": {
"refs": [
"http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html",
"http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html",
"http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
"http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html"
],
"status": "Unknown - Last seen: 2014-03"
}
}
,
{ "value": "Niteris",
"status": "Unknown - Last seen: 2014-03"
}
},
{
"value": "Niteris",
"description": "Niteris was used mainly to target Russian.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/06/cottoncastle.html",
"http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html"
],
"synonyms": [
"synonyms": [
"CottonCastle"
],
"status": "Unknown - Last seen: 2015-11"
}
}
,
{ "value": "Nuclear",
"status": "Unknown - Last seen: 2015-11"
}
},
{
"value": "Nuclear",
"description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack",
"meta": {
"refs": [
"http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/"
],
"synonyms": [
"synonyms": [
"NEK",
"Nuclear Pack",
"Spartan",
"Neclu"
] ,
"status": "Retired - Last seen: 2015-04-30"
}
}
,
{ "value": "Phoenix",
"Spartan",
"Neclu"
],
"status": "Retired - Last seen: 2015-04-30"
}
},
{
"value": "Phoenix",
"description": "Phoenix Exploit Kit",
"meta": {
"refs": [
"http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/"
],
"synonyms": [
"synonyms": [
"PEK"
],
"status": "Retired"
}
}
,
{ "value": "Private Exploit Pack",
"status": "Retired"
}
},
{
"value": "Private Exploit Pack",
"description": "Private Exploit Pack",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html",
"http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html"
],
"synonyms": [
"synonyms": [
"PEP"
],
"status": "Retired"
}
}
,
{ "value": "Redkit",
"status": "Retired"
}
},
{
"value": "Redkit",
"description": "Redkit has been a major exploit kit in 2012. One of its specific features was to allow its access against a share of a percentage of the customer's traffic",
"meta": {
"refs": [
@ -455,35 +449,35 @@
"http://malware.dontneedcoffee.com/2012/05/inside-redkit.html",
"https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/"
],
"status": "Retired"
}
}
,
{ "value": "Sakura",
"status": "Retired"
}
},
{
"value": "Sakura",
"description": "Description Here",
"meta": {
"refs": [
"http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html"
],
"status": "Retired - Last seen: 2013-09"
}
}
,
{ "value": "Sweet-Orange",
"status": "Retired - Last seen: 2013-09"
}
},
{
"value": "Sweet-Orange",
"description": "Sweet Orange",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html"
],
"synonyms": [
"synonyms": [
"SWO",
"Anogre"
],
"status": "Retired - Last seen: 2015-04-05"
}
}
,
{ "value": "Styx",
"status": "Retired - Last seen: 2015-04-05"
}
},
{
"value": "Styx",
"description": "Styx Exploit Kit",
"meta": {
"refs": [
@ -491,11 +485,11 @@
"https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/",
"http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html"
],
"status":"Retired - Last seen: 2014-06"
}
}
,
{ "value": "Unknown",
"status": "Retired - Last seen: 2014-06"
}
},
{
"value": "Unknown",
"description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.",
"meta": {
"refs": [
@ -503,9 +497,9 @@
"https://twitter.com/node5",
"https://twitter.com/kahusecurity"
]
}
}
}
],
],
"version": 3,
"uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",

121
clusters/microsoft-activity-group.json
View File

@ -1,30 +1,49 @@
{
"version": 3,
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"description": "Activity groups as described by Microsoft",
"authors": [
"Various"
],
"source": "MISP Project",
"type": "microsoft-activity-group",
"name": "Microsoft Activity Group actor",
"values": [
{
"value": "PROMETHIUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
}
"value": "PROMETHIUM"
},
{
"value": "NEODYMIUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
}
"value": "NEODYMIUM"
},
{
"value": "TERBIUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
},
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"meta" : {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"]
}
"value": "TERBIUM"
},
{
"value": "STRONTIUM",
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims computer. ",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/"
],
"country": "RU",
"synonyms": [
"APT 28",
"APT28",
@ -36,62 +55,62 @@
"Group-4127",
"Sofacy",
"Grey-Cloud"
],
"country": "RU",
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/"
]
}
},
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims computer. ",
"value": "STRONTIUM"
},
{
"description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.",
"value": "DUBNIUM",
"meta": {
"synonyms": [
"darkhotel"
],
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
"https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/",
"https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/"
],
"synonyms": [
"darkhotel"
]
},
"value": "DUBNIUM",
"description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features."
}
},
{
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"value": "PLATINUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
]
},
"value": "PLATINUM",
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat."
},
{
"value": "BARIUM",
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"]
}
},
{
"value": "LEAD",
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"] }
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"value": "BARIUM"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"value": "LEAD"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/"
]
},
"description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ",
"value": "ZIRCONIUM"
}
],
"name": "Microsoft Activity Group actor",
"type": "microsoft-activity-group",
"source": "MISP Project",
"authors": [
"Various"
],
"description": "Activity groups as described by Microsoft",
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"version": 2
]
}

198
clusters/preventive-measure.json
View File

@ -5,10 +5,12 @@
"refs": [
"http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
],
"Complexity": "Medium",
"Effectiveness": "High",
"Impact": "Low",
"Type": "Recovery"
"complexity": "Medium",
"effectiveness": "High",
"impact": "Low",
"type": [
"Recovery"
]
},
"value": "Backup and Restore Process",
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore"
@ -19,10 +21,12 @@
"https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US",
"https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
],
"Complexity": "Low",
"Effectiveness": "High",
"Impact": "Low",
"Type": "GPO"
"complexity": "Low",
"effectiveness": "High",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "Block Macros",
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"
@ -32,60 +36,70 @@
"refs": [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "GPO"
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Administrative VBS scripts on Workstations"
},
"value": "Disable WSH",
"description": "Disable Windows Script Host",
"Possible Issues": "Administrative VBS scripts on Workstations"
"description": "Disable Windows Script Host"
},
{
"meta": {
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Type": "Mail Gateway"
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"Mail Gateway"
]
},
"value": "Filter Attachments Level 1",
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub"
},
{
"meta": {
"Complexity": "Low",
"Effectiveness": "High",
"Impact": "High",
"Type": "Mail Gateway"
"complexity": "Low",
"effectiveness": "High",
"impact": "High",
"type": [
"Mail Gateway"
],
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
},
"value": "Filter Attachments Level 2",
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm",
"Possible Issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm"
},
{
"meta": {
"refs": [
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
"http://www.thirdtier.net/ransomware-prevention-kit/"
],
"Complexity": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "GPO"
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Web embedded software installers"
},
"value": "Restrict program execution",
"description": "Block all program executions from the %LocalAppData% and %AppData% folder",
"Possible Issues": "Web embedded software installers"
"description": "Block all program executions from the %LocalAppData% and %AppData% folder"
},
{
"meta": {
"refs": [
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
],
"Complexity": "Low",
"Effectiveness": "Low",
"Impact": "Low",
"Type": "User Assistence"
"complexity": "Low",
"effectiveness": "Low",
"impact": "Low",
"type": [
"User Assistence"
]
},
"value": "Show File Extensions",
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")"
@ -95,50 +109,60 @@
"refs": [
"https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
],
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Type": "GPO"
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"GPO"
],
"possible_issues": "administrator resentment"
},
"value": "Enforce UAC Prompt",
"description": "Enforce administrative users to confirm an action that requires elevated rights",
"Possible Issues": "administrator resentment"
"description": "Enforce administrative users to confirm an action that requires elevated rights"
},
{
"meta": {
"Complexity": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "Best Practice"
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"Best Practice"
],
"possible_issues": "igher administrative costs"
},
"value": "Remove Admin Privileges",
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.",
"Possible Issues": "igher administrative costs"
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to."
},
{
"meta": {
"Complexity": "Medium",
"Effectiveness": "Low",
"Impact": "Low",
"Type": "Best Practice"
"complexity": "Medium",
"effectiveness": "Low",
"impact": "Low",
"type": [
"Best Practice"
]
},
"value": "Restrict Workstation Communication",
"description": "Activate the Windows Firewall to restrict workstation to workstation communication"
},
{
"meta": {
"Complexity": "Medium",
"Effectiveness": "High",
"Type": "Advanced Malware Protection"
"complexity": "Medium",
"effectiveness": "High",
"type": [
"Advanced Malware Protection"
]
},
"value": "Sandboxing Email Input",
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis"
},
{
"meta": {
"Complexity": "Medium",
"Effectiveness": "Medium",
"Type": "3rd Party Tools"
"complexity": "Medium",
"effectiveness": "Medium",
"type": [
"3rd Party Tools"
]
},
"value": "Execution Prevention",
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
@ -148,24 +172,28 @@
"refs": [
"https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
],
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "GPO"
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
},
"value": "Change Default \"Open With\" to Notepad",
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer",
"Possible Issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer"
},
{
"meta": {
"refs": [
"http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
],
"Complexity": "Low",
"Effectiveness": "Medium",
"Impact": "Low",
"Type": "Monitoring"
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"Monitoring"
]
},
"value": "File Screening",
"description": "Server-side file screening with the help of File Server Resource Manager"
@ -176,14 +204,16 @@
"https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx",
"http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
],
"Complexity": "Medium",
"Effectiveness": "Medium",
"Impact": "Medium",
"Type": "GPO"
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Configure & test extensively"
},
"value": "Restrict program execution #2",
"description": "Block program executions (AppLocker)",
"Possible Issues": "Configure & test extensively"
"description": "Block program executions (AppLocker)"
},
{
"meta": {
@ -191,10 +221,12 @@
"www.microsoft.com/emet",
"http://windowsitpro.com/security/control-emet-group-policy"
],
"Complexity": "Medium",
"Effectiveness": "Medium",
"Impact": "Low",
"Type": "GPO"
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "EMET",
"description": "Detect and block exploitation techniques"
@ -204,10 +236,12 @@
"refs": [
"https://twitter.com/JohnLaTwC/status/799792296883388416"
],
"Complexity": "Medium",
"Effectiveness": "Low",
"Impact": "Low",
"Type": "3rd Party Tools"
"complexity": "Medium",
"effectiveness": "Low",
"impact": "Low",
"type": [
"3rd Party Tools"
]
},
"value": "Sysmon",
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
@ -221,5 +255,5 @@
],
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
"version": 1
"version": 2
}

173
clusters/tds.json
View File

@ -1,79 +1,94 @@
{
"values": [
{ "value": "Keitaro",
"description": "Keitaro TDS is among the mostly used TDS in drive by infection chains",
"meta": {
"refs": [
"https://keitarotds.com/"
]
},
"type":"Commercial"
}
,
{ "value": "Sutra",
"description": "Sutra TDS was dominant from 2012 till 2015",
"meta": {
"refs": [
"http://kytoon.com/sutra-tds.html"
],
"type":"Commercial"
}
}
,
{ "value": "SimpleTDS",
"description": "SimpleTDS is a basic open source TDS",
"meta": {
"refs": [
"https://sourceforge.net/projects/simpletds/"
],
"synonyms": [
"Stds"
],
"type":"OpenSource"
}
}
,
{ "value": "BossTDS",
"description": "BossTDS",
"meta": {
"refs": [
"http://bosstds.com/"
],
"type":"Commercial"
}
}
,
{ "value": "BlackHat TDS",
"description": "BlackHat TDS is sold underground.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
],
"type":"Underground"
}
}
,
{ "value": "Futuristic TDS",
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
"meta": {
"type":"Underground"
}
}
,
{ "value": "Orchid TDS",
"description": "Orchid TDS was sold underground. Rare usage",
"meta": {
"type":"Underground"
}
}
],
"version": 1,
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"authors": [
"Kafeine"
],
"source": "MISP Project",
"type": "tds",
"name": "TDS"
}
{
"values": [
{
"value": "Keitaro",
"description": "Keitaro TDS is among the mostly used TDS in drive by infection chains",
"meta": {
"refs": [
"https://keitarotds.com/"
],
"type": [
"Commercial"
]
}
},
{
"value": "Sutra",
"description": "Sutra TDS was dominant from 2012 till 2015",
"meta": {
"refs": [
"http://kytoon.com/sutra-tds.html"
],
"type": [
"Commercial"
]
}
},
{
"value": "SimpleTDS",
"description": "SimpleTDS is a basic open source TDS",
"meta": {
"refs": [
"https://sourceforge.net/projects/simpletds/"
],
"synonyms": [
"Stds"
],
"type": [
"OpenSource"
]
}
},
{
"value": "BossTDS",
"description": "BossTDS",
"meta": {
"refs": [
"http://bosstds.com/"
],
"type": [
"Commercial"
]
}
},
{
"value": "BlackHat TDS",
"description": "BlackHat TDS is sold underground.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
],
"type": [
"Underground"
]
}
},
{
"value": "Futuristic TDS",
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
"meta": {
"type": [
"Underground"
]
}
},
{
"value": "Orchid TDS",
"description": "Orchid TDS was sold underground. Rare usage",
"meta": {
"type": [
"Underground"
]
}
}
],
"version": 2,
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"authors": [
"Kafeine"
],
"source": "MISP Project",
"type": "tds",
"name": "TDS"
}

285
clusters/threat-actor.json
View File

@ -9,7 +9,8 @@
"Advanced Persistent Threat 1",
"Byzantine Candor",
"Group 3",
"TG-8223"
"TG-8223",
"Comment Group"
],
"country": "CN",
"refs": [
@ -28,6 +29,7 @@
},
{
"value": "Nitro",
"description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ",
"meta": {
"country": "CN",
"refs": [
@ -40,10 +42,12 @@
},
{
"value": "Codoso",
"description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors computers with malware.'",
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
"https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html"
],
"synonyms": [
"C0d0so",
@ -137,7 +141,7 @@
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
]
},
"description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. ",
"description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
"value": "Putter Panda"
},
{
@ -157,19 +161,22 @@
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
]
},
"value": "UPS"
"value": "UPS",
"description": "Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'"
},
{
"meta": {
"synonyms": [
"DUBNIUM"
"DUBNIUM",
"Fallout Team"
],
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2"
]
},
"value": "darkhotel"
"value": "DarkHotel",
"description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'"
},
{
"meta": {
@ -215,7 +222,8 @@
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
]
},
"value": "Aurora Panda"
"value": "Aurora Panda",
"description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'"
},
{
"meta": {
@ -231,7 +239,8 @@
"https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828"
]
},
"value": "Wekby"
"value": "Wekby",
"description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'"
},
{
"meta": {
@ -243,7 +252,8 @@
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
]
},
"value": "Tropic Trooper"
"value": "Tropic Trooper",
"description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'"
},
{
"meta": {
@ -254,15 +264,19 @@
"Group72",
"Tailgater",
"Ragebeast",
"Blackfly"
"Blackfly",
"Lead",
"Wicked Spider"
],
"country": "CN",
"refs": [
"http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
"http://williamshowalter.com/a-universal-windows-bootkit/"
"http://williamshowalter.com/a-universal-windows-bootkit/",
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
]
},
"value": "Axiom"
"value": "Axiom",
"description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'"
},
{
"meta": {
@ -299,7 +313,8 @@
"http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html"
]
},
"value": "Naikon"
"value": "Naikon",
"description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'"
},
{
"meta": {
@ -359,9 +374,13 @@
"APT 10",
"menuPass",
"happyyongzi",
"POTASSIUM"
"POTASSIUM",
"DustStorm"
],
"country": "CN"
"country": "CN",
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/"
]
},
"value": "Stone Panda"
},
@ -432,10 +451,10 @@
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
],
"Motive": "Espionage"
"motive": "Espionage"
},
"value": "Anchor Panda",
"Description": "PLA Navy"
"description": "PLA Navy"
},
{
"meta": {
@ -451,7 +470,7 @@
},
{
"meta": {
"synomyns": [
"synonyms": [
"IceFog",
"Dagger Panda"
],
@ -469,7 +488,10 @@
"PittyTiger",
"MANGANESE"
],
"country": "CN"
"country": "CN",
"refs": [
"http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2"
]
},
"value": "Pitty Panda",
"description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials"
@ -544,6 +566,9 @@
{
"meta": {
"country": "CN",
"refs": [
"http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/"
],
"synonyms": [
"APT20",
"APT 20",
@ -582,6 +607,9 @@
{
"meta": {
"country": "CN",
"refs": [
"https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
],
"synonyms": [
"APT23",
"KeyBoy"
@ -598,6 +626,9 @@
"AjaxSecurityTeam",
"Ajax Security Team",
"Group 26"
],
"refs": [
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf"
]
},
"value": "Flying Kitten",
@ -627,6 +658,9 @@
"Parastoo",
"Group 83",
"Newsbeef"
],
"refs": [
"https://en.wikipedia.org/wiki/Operation_Newscaster"
]
},
"value": "Charming Kitten",
@ -670,7 +704,9 @@
"synonyms": [
"Operation Cleaver",
"Tarh Andishan",
"Alibaba"
"Alibaba",
"2889",
"TG-2889"
],
"refs": [
"http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
@ -717,8 +753,8 @@
"TG-4127",
"Group-4127",
"STRONTIUM",
"Grey-Cloud",
"TAG_0700"
"TAG_0700",
"IRON TWILIGHT"
],
"country": "RU",
"refs": [
@ -752,7 +788,8 @@
"https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"
]
},
"value": "APT 29"
"value": "APT 29",
"description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering '"
},
{
"meta": {
@ -772,11 +809,13 @@
],
"refs": [
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
"https://www.circl.lu/pub/tr-25/"
"https://www.circl.lu/pub/tr-25/",
"https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec"
],
"country": "RU"
},
"value": "Turla Group"
"value": "Turla Group",
"description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'"
},
{
"meta": {
@ -829,6 +868,9 @@
"Carbon Spider"
],
"country": "RU",
"refs": [
"https://en.wikipedia.org/wiki/Carbanak"
],
"motive": "Cybercrime"
},
"description": "Groups targeting financial organizations or people with significant financial assets.",
@ -929,7 +971,10 @@
"Appin",
"OperationHangover"
],
"country": "IN"
"country": "IN",
"refs": [
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
]
},
"value": "Viceroy Tiger"
},
@ -956,11 +1001,14 @@
"value": "SNOWGLOBE",
"meta": {
"country": "FR",
"refs": [
"https://securelist.com/blog/research/69114/animals-in-the-apt-farm/"
],
"synonyms": [
"Animal Farm"
],
"description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
}
]
},
"description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
},
{
"meta": {
@ -990,24 +1038,28 @@
"description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro."
},
{
"refs": [
"https://citizenlab.org/2016/05/stealth-falcon/"
],
"country": "UAE",
"meta": {
"refs": [
"https://citizenlab.org/2016/05/stealth-falcon/"
],
"synonyms": [
"FruityArmor"
],
"country": "UAE"
},
"value": "Stealth Falcon",
"description": "Group targeting Emirati journalists, activists, and dissidents.",
"synonyms": [
"FruityArmor"
]
"description": "Group targeting Emirati journalists, activists, and dissidents."
},
{
"synonyms": [
"Operation Daybreak",
"Operation Erebus"
],
"refs": [
"https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
],
"meta": {
"synonyms": [
"Operation Daybreak",
"Operation Erebus"
],
"refs": [
"https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
]
},
"value": "ScarCruft",
"description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer."
},
@ -1015,7 +1067,12 @@
"meta": {
"refs": [
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
]
],
"synonyms": [
"Skipper",
"Popeye"
],
"country": "RU"
},
"value": "Pacifier APT",
"description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail."
@ -1096,6 +1153,10 @@
},
{
"meta": {
"synonyms": [
"TG-3390",
"Emissary Panda"
],
"refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://attack.mitre.org"
@ -1125,12 +1186,12 @@
"https://attack.mitre.org/wiki/Group/G0013"
],
"synonyms": [
"APT 30"
"APT30"
],
"country": "CN"
},
"value": "APT30",
"description": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches."
"value": "APT 30",
"description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches."
},
{
"meta": {
@ -1175,15 +1236,6 @@
"description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
"value": "Libyan Scorpions"
},
{
"meta": {
"refs": [
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
],
"country": "TU"
},
"value": "StrongPity"
},
{
"meta": {
"synonyms": [
@ -1218,16 +1270,12 @@
{
"meta": {
"synonyms": [
"Grey-Pro",
"Coldriver",
"Reuse team",
"Malware reusers",
"Callisto Group",
"Dancing Salome"
]
},
"description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.",
"value": "Callisto"
"value": "Malware reusers"
},
{
"value": "TERBIUM",
@ -1243,12 +1291,14 @@
"description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
"http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks"
],
"synonyms": [
"Gaza Hackers Team",
"Operation Molerats",
"Extreme Jackal"
"Extreme Jackal",
"Moonlight"
]
}
},
@ -1257,8 +1307,13 @@
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
],
"synonyms": [
"StrongPity"
],
"country": "TU"
}
},
{
@ -1356,15 +1411,107 @@
"description": "The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame",
"meta": {
"country": "US",
"refs": ["https://en.wikipedia.org/wiki/Equation_Group"]
"refs": [
"https://en.wikipedia.org/wiki/Equation_Group"
]
}
},
{
"value": "Greenbug",
"description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
"meta": {
"refs": ["https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"]
"refs": [
"https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
]
}
},
{
"value": "Gamaredon Group",
"description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
]
}
},
{
"meta": {
"country": "CHN",
"synonyms": [
"Zhenbao"
],
"refs": [
"http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242"
]
},
"value": "Hammer Panda",
"description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia."
},
{
"meta": {
"country": "CHN",
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp"
]
},
"value": "Barium",
"description": "Barium is one of the groups using Winnti."
},
{
"meta": {
"country": "IRN",
"synonyms": [
"Operation Mermaid"
],
"refs": [
"https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
]
},
"value": "Infy",
"description": "Infy is a group of suspected Iranian origin."
},
{
"meta": {
"country": "IRN",
"refs": [
"https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
]
},
"value": "Sima",
"description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora."
},
{
"meta": {
"country": "CHN",
"synonyms": [
"Cloudy Omega"
],
"refs": [
"https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
]
},
"value": "Blue Termite",
"description": "Blue Termite is a group of suspected Chinese origin active in Japan."
},
{
"meta": {
"country": "UKR",
"refs": [
"http://www.welivesecurity.com/2016/05/18/groundbait"
]
},
"value": "Groundbait",
"description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk Peoples Republics."
},
{
"meta": {
"refs": [
"https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7"
],
"country": "US"
},
"value": "Longhorn",
"description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally."
}
],
"name": "Threat actor",
@ -1379,5 +1526,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 13
"version": 19
}

1797
clusters/tool.json
View File

File diff suppressed because it is too large Load Diff

10
galaxies/exploit-kit.json
View File

@ -1,7 +1,7 @@
{
"type" : "exploit-kit",
"name" : "Exploit-Kit",
"description":"Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"version": 2,
"uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01"
"type": "exploit-kit",
"name": "Exploit-Kit",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"version": 2,
"uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01"
}

10
galaxies/microsoft-activity-group.json
View File

@ -1,7 +1,7 @@
{
"name": "Microsoft Activity Group actor",
"type": "microsoft-activity-group",
"description": "Activity groups as described by Microsoft",
"version": 1,
"uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505"
"name": "Microsoft Activity Group actor",
"type": "microsoft-activity-group",
"description": "Activity groups as described by Microsoft",
"version": 1,
"uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505"
}

10
galaxies/preventive-measure.json
View File

@ -1,7 +1,7 @@
{
"name": "Preventive Measure",
"type": "preventive-measure",
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"version": 1,
"uuid": "8168995b-adcd-4684-9e37-206c5771505a"
"name": "Preventive Measure",
"type": "preventive-measure",
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"version": 1,
"uuid": "8168995b-adcd-4684-9e37-206c5771505a"
}

10
galaxies/tds.json
View File

@ -1,7 +1,7 @@
{
"type" : "tds",
"name" : "TDS",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"version": 2,
"uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01"
"type": "tds",
"name": "TDS",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"version": 2,
"uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01"
}

10
galaxies/threat-actor.json
View File

@ -1,7 +1,7 @@
{
"name" : "Threat Actor",
"type" : "threat-actor",
"description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
"version": 1,
"uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3"
"name": "Threat Actor",
"type": "threat-actor",
"description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
"version": 1,
"uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3"
}

10
galaxies/tool.json
View File

@ -1,7 +1,7 @@
{
"type" : "tool",
"name" : "Tool",
"description": "Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"version": 1,
"uuid": "9b8037f7-bc8f-4de1-a797-37266619bc0b"
"type": "tool",
"name": "Tool",
"description": "Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"version": 1,
"uuid": "9b8037f7-bc8f-4de1-a797-37266619bc0b"
}

30
jq_all_the_things.sh Executable file
View File

@ -0,0 +1,30 @@
#!/bin/bash
# Seeds sponge, from moreutils
#Validate all Jsons first
for dir in `find . -name "*.json"`
do
echo validating ${dir}
cat ${dir} | jq . >/dev/null
rc=$?
if [[ $rc != 0 ]]; then exit $rc; fi
done
set -e
set -x
for dir in clusters/*.json
do
# Beautify it
cat ${dir} | jq . | sponge ${dir}
done
for dir in galaxies/*.json
do
# Beautify it
cat ${dir} | jq . | sponge ${dir}
done
cat schema_clusters.json | jq . | sponge schema_clusters.json
cat schema_galaxies.json | jq . | sponge schema_galaxies.json

121
schema_clusters.json Normal file
View File

@ -0,0 +1,121 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies",
"id": "https://www.github.com/MISP/misp-galaxies/schema.json",
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"type": {
"type": "string"
},
"version": {
"type": "integer"
},
"name": {
"type": "string"
},
"uuid": {
"type": "string"
},
"source": {
"type": "string"
},
"values": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"value": {
"type": "string"
},
"meta": {
"type": "object",
"additionalProperties": false,
"properties": {
"type": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"complexity": {
"type": "string"
},
"effectiveness": {
"type": "string"
},
"country": {
"type": "string"
},
"possible_issues": {
"type": "string"
},
"colour": {
"type": "string"
},
"motive": {
"type": "string"
},
"impact": {
"type": "string"
},
"refs": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"synonyms": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"derivated_from": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"status": {
"type": "string"
}
}
}
},
"required": [
"value"
]
}
},
"authors": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
}
},
"required": [
"description",
"type",
"version",
"name",
"uuid",
"values",
"authors",
"source"
]
}

31
schema_galaxies.json Normal file
View File

@ -0,0 +1,31 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies",
"id": "https://www.github.com/MISP/misp-galaxies/schema.json",
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"type": {
"type": "string"
},
"version": {
"type": "integer"
},
"name": {
"type": "string"
},
"uuid": {
"type": "string"
}
},
"required": [
"description",
"type",
"version",
"name",
"uuid"
]
}

51
tools/chk_dup.py Executable file
View File

@ -0,0 +1,51 @@
#!/usr/bin/env python3
# coding=utf-8
"""
Tools to find duplicate in galaxies
"""
import json
import os
import collections
def loadjsons(path):
"""
Find all Jsons and load them in a dict
"""
files = []
data = []
for name in os.listdir(path):
if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'):
files.append(name)
for jfile in files:
data.append(json.load(open("%s/%s" % (path, jfile))))
return data
if __name__ == '__main__':
"""
Iterate all name + synonyms
tell what is duplicated.
"""
jsons = loadjsons("../clusters")
counter = collections.Counter()
namespace = []
for djson in jsons:
items = djson.get('values')
for entry in items:
name = entry.get('value').strip().lower()
counter[name]+=1
namespace.append([name, djson.get('name')])
try:
for synonym in entry.get('meta').get('synonyms'):
name = synonym.strip().lower()
counter[name]+=1
namespace.append([name, djson.get('name')])
except (AttributeError, TypeError):
pass
counter = dict(counter)
for key, val in counter.items():
if val>1:
print ("Warning duplicate %s" % key)
for item in namespace:
if item[0]==key:
print (item)

50
validate_all.sh Executable file
View File

@ -0,0 +1,50 @@
#!/bin/bash
# This file launch all validation of the jsons and schemas
# By default, It stop on file not commited.
# you could test with command ./validate_all.sh something
# Check Jsons format, and beautify
./jq_all_the_things.sh
rc=$?
if [[ $rc != 0 ]]; then
exit $rc
fi
set -e
set -x
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 0 ]; then
echo "Please make sure you run ./jq_all_the_things.sh before commiting."
if [ $# -eq 0 ]; then
exit 1
fi
fi
# Validate schemas
for dir in clusters/*.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema_clusters.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
exit $rc
fi
echo ''
done
for dir in galaxies/*.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema_galaxies.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
exit $rc
fi
echo ''
done