MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'main' into master

pull/594/head
Deborah Servili 2020-10-30 16:17:27 +01:00 committed by GitHub
parent 88bbf8851c b56a4d9e5c
commit 28784683db
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
31 changed files with 36008 additions and 6432 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
README.md
View File

@ -31,23 +31,18 @@ to localized information (which is not shared) or additional information (that c
- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
- [clusters/mitre-attack-pattern.json](clusters/mitre-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-course-of-action.json](clusters/mitre-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-intrusion-set.json](clusters/mitre-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-malware.json](clusters/mitre-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-tool.json](clusters/mitre-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-attack-pattern.json](clusters/mitre-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0
- [clusters/mitre-course-of-action.json](clusters/mitre-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0
- [clusters/mitre-intrusion-set.json](clusters/mitre-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0
- [clusters/mitre-malware.json](clusters/mitre-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0
- [clusters/mitre-tool.json](clusters/mitre-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0
- [clusters/mitre-enterprise-attack-attack-pattern.json](clusters/mitre-enterprise-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
- [clusters/mitre-enterprise-attack-course-of-action.json](clusters/mitre-enterprise-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
- [clusters/mitre-enterprise-attack-intrusion-set.json](clusters/mitre-enterprise-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
- [clusters/mitre-enterprise-attack-tool.json](clusters/mitre-enterprise-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Enterprise Attack
- [clusters/mitre-mobile-attack-attack-pattern.json](clusters/mitre-mobile-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-course-of-action.json](clusters/mitre-mobile-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-intrusion-set.json](clusters/mitre-mobile-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-malware.json](clusters/mitre-mobile-attack-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-tool.json](clusters/mitre-mobile-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-pre-attack-attack-pattern.json](clusters/mitre-pre-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
- [clusters/mitre-pre-attack-intrusion-set.json](clusters/mitre-pre-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
- [clusters/mitre-ics-assets.json](clusters/mitre-ics-assets.json) - ICS Assets - A list of asset categories that are commonly found in industrial control systems.
- [clusters/mitre-ics-groups.json](clusters/mitre-ics-groups.json) - ICS Groups - Groups are sets of related intrusion activity that are tracked by a common name in the security community.
- [clusters/mitre-ics-levels.json](clusters/mitre-ics-levels.json) - ICS Levels - Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment.
- [clusters/mitre-ics-software.json](clusters/mitre-ics-software.json) - ICS Software - Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS.
- [clusters/mitre-ics-tactics.json](clusters/mitre-ics-tactics.json) - ICS Tectics - A list of all tactics in ATT&CK for ICS.
- [clusters/mitre-ics-techniques.json](clusters/mitre-ics-techniques.json) - ICS Techniques - A list of Techniques in ATT&CK for ICS.
- [clusters/sectors.json](clusters/sectors.json) - Activity sectors
- [clusters/cert-eu-govsector.json](clusters/cert-eu-govsector.json) - Cert EU GovSector

12
clusters/backdoor.json
View File

@ -118,7 +118,17 @@
],
"uuid": "201e8794-a93b-476f-9436-1dd859c6e5d9",
"value": "Speculoos"
},
{
"description": "Mori Backdoor has been used by Seedworm.",
"meta": {
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east"
]
},
"uuid": "e663ac1b-9474-4f9a-b0c8-184861327dd7",
"value": "Mori Backdoor"
}
],
"version": 8
"version": 9
}

14
clusters/botnet.json
View File

@ -1169,7 +1169,19 @@
},
"uuid": "e23d0f90-6dc5-46a5-b38d-06f176b7c601",
"value": "Arceus"
},
{
"description": "Mozi infects new devices through weak telnet passwords and exploitation.",
"meta": {
"refs": [
"https://blog.netlab.360.com/mozi-another-botnet-using-dht/",
"https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/",
"https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/"
]
},
"uuid": "ea2906a5-d493-4afa-b770-436c0c246c78",
"value": "Mozi"
}
],
"version": 21
"version": 22
}

48
clusters/cryptominers.json Normal file
View File

@ -0,0 +1,48 @@
{
"authors": [
"Cisco Talos",
"raw-data"
],
"category": "Cryptominers",
"description": "A list of cryptominer and cryptojacker malware.",
"name": "Cryptominers",
"source": "Open Source Intelligence",
"type": "malware",
"uuid": "d7dd3f0c-de73-4148-a786-f8ad3661d293",
"values": [
{
"description": "The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html",
"https://success.trendmicro.com/solution/000261916",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer",
"https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/"
],
"synonyms": [],
"type": [
"cryptojacker"
]
},
"uuid": "fa9cbe22-0ef7-4fbd-8a33-ce395eaa6df9",
"value": "Lemon Duck"
},
{
"description": "WannaMine is a cryptojacker that takes advantage of EternalBlue.",
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/?utm_campaign=dsa&utm_content=us&utm_medium=sem&utm_source=goog&utm_term=&gclid=EAIaIQobChMIjrayysrX7AIVFUWGCh3sQApKEAAYASAAEgIE6_D_BwE",
"https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/",
"https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry"
],
"synonyms": [],
"type": [
"cryptojacker"
]
},
"uuid": "20e563b0-f0c9-4253-aedd-a4542d6689ed",
"value": "WannaMine"
}
],
"version": 1
}

14131
clusters/mitre-attack-pattern.json
View File

File diff suppressed because one or more lines are too long

4969
clusters/mitre-course-of-action.json
View File

File diff suppressed because it is too large Load Diff

287
clusters/mitre-ics-assets.json Normal file
View File

@ -0,0 +1,287 @@
{
"authors": [
"MITRE"
],
"category": "asset",
"description": "A list of asset categories that are commonly found in industrial control systems.",
"name": "Assets",
"source": "https://collaborate.mitre.org/attackics/index.php/All_Assets",
"type": "mitre-ics-assets",
"uuid": "0594fbc2-6267-479b-85a3-c4be8e044454",
"values": [
{
"description": "A device which acts as both a server and controller, that hosts the control software used in communicating with lower-level control devices in an ICS network (e.g. Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs)).",
"meta": {
"Levels": [
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Notes": [
"A control server may also be referred to with these terms in a SCADA system: MTU, supervisory controller, or SCADA server."
],
"Techniques That Apply": [
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Location Identification https://collaborate.mitre.org/attackics/index.php/Technique/T825",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801 ",
"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "834fab50-be52-4611-95b6-6330d1db65c3",
"value": "Control Server"
},
{
"description": "A centralized database located on a computer installed in the control system DMZ supporting external corporate user data access for archival and analysis using statistical process control and other techniques.",
"meta": {
"Levels": [
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Techniques That Apply": [
"Data Historian Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T810",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Exploitation of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
]
},
"uuid": "da06d4aa-2471-4582-aadf-e1653dd6575c",
"value": "Data Historian"
},
{
"description": "The engineering workstation is usually a high-end very reliable computing platform designed for configuration, maintenance and diagnostics of the control system applications and other control system equipment. The system is usually made up of redundant hard disk drives, high speed network interface, reliable CPUs, performance graphics hardware, and applications that provide configuration and monitoring tools to perform control system application development, compilation and distribution of system modifications.",
"meta": {
"Levels": [
"Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0 ",
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1",
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Notes": [
"Many engineering workstations are laptops. Because of their mobile nature, lack of desktop standard, and frequent connection to control system devices and network, engineering workstations can serve as entry points for attacks."
],
"Techniques That Apply": [
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Engineering Workstation Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Exploitation of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"Hooking https://collaborate.mitre.org/attackics/index.php/Technique/T874 ",
"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Scripting https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refss": [
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "b34cba3b-4294-4149-b119-214fadef0d01",
"value": "Engineering Workstation"
},
{
"description": "Controller terminology depends on the type of system they are associated with. They provide typical processing capabilities. Controllers, sometimes referred to as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC), are computerized control units that are typically rack or panel mounted with modular processing and interface cards. The units are collocated with the process equipment and interface through input and output modules to the various sensors and controlled devices. Most utilize a programmable logic-based application that provides scanning and writing of data to and from the IO interface modules and communicates with the control system network via various communications methods, including serial and network communications",
"meta": {
"Levels": [
"Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0",
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1"
],
"Notes": [
"Typically programmed in an IEC 61131 programming language, a PLC is designed for real time use in rugged, industrial environments. Connected to sensors and actuators, PLCs are categorized by the number and type of I/O ports they provide and by their I/O scan rate. \nAn RTU is a special purpose field device that supports SCADA remote stations with both wired and wireless communication capabilities, in order to communicate with the supervisory controller. Wireless radio is leveraged in remote situations where wired communications are not available; typically with field equipment. This role may also be fulfilled by PLCs with radio communication capabilities. The PLC may still be referred to as an RTU in this case."
],
"Techniques That Apply": [
"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Block Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T803",
"Block Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805 ",
"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Control Device Identification https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Detect Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T868",
"Detect Program State https://collaborate.mitre.org/attackics/index.php/Technique/T870",
"Device Restart/Shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T816",
"Execution through API https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T877",
"I/O Module Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T824",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Manipulate I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838 ",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Network Service Scanning https://collaborate.mitre.org/attackics/index.php/Technique/T841",
"Network Sniffing https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Program Organisational Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Unauthorised Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refss": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
]
},
"uuid": "1de9f3b2-07fc-4614-b07f-d5468e51770a",
"value": "Field Controller/RTU/PLC/IED"
},
{
"description": "In computer science and human-computer interaction, the Human-Machine Interface (HMI) refers to the graphical, textual and auditory information the program presents to the user (operator) using computer monitors and audio subsystems, and the control sequences (such as keystrokes with the computer keyboard, movements of the computer mouse, and selections with the touchscreen) the user employs to control the program. Currently the following types of HMI are the most common: \nGraphical user interfaces(GUI) accept input via devices such as computer keyboard and mouse and provide articulated graphical output on the computer monitor. \nWeb-based user interfaces accept input and provide output by generating web pages which are transported via the network and viewed by the user using a web browser program. The operations user must be able to control the system and assess the state of the system. Each control system vendor provides a unique look-and-feel to their basic HMI applications. An older, not gender-neutral version of the term is man-machine interface (MMI). \nThe system may expose several user interfaces to serve different kinds of users. User interface screens may be optimized to provide the appropriate information and control interface to operations users, engineering users and management users.",
"meta": {
"Levels": [
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1",
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Notes": [
"In many cases, these involve video screens or computer terminals, push buttons, auditory feedback, flashing lights, etc. The human-machine interface provides means of: \nInput - allowing the users to control the machine \nOutput - allowing the machine to inform the users"
],
"Techniques That Apply": [
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Exploit of Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"Graphical User Interface https://collaborate.mitre.org/attackics/index.php/Technique/T823",
"Indicator Removal on host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Network Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T840",
"Point and Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Remote File Copy https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Screen Capture https://collaborate.mitre.org/attackics/index.php/Technique/T852",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refss": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions",
"http://isa99.isa.org/ISA99%20Wiki/WP-2-1.aspx"
]
},
"uuid": "3894cc68-79e0-4673-8548-c6e1b57a93e2",
"value": "Human-Machine Interface"
},
{
"description": "The Input/Output (I/O) server provides the interface between the control system LAN applications and the field equipment monitored and controlled by the control system applications. The I/O server, sometimes referred to as a Front-End Processor (FEP) or Data Acquisition Server (DAS), converts the control system application data into packets that are transmitted over various types of communications media to the end device locations. The I/O server also converts data received from the various end devices over different communications mediums into data formatted to communicate with the control system networked applications.",
"meta": {
"Levels": [
"Level 2 https://collaborate.mitre.org/attackics/index.php/Level_2"
],
"Techniques That Apply": [
"Blocking Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805",
"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refss": [
"https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions"
]
},
"uuid": "c98dda59-afe3-4154-b672-96f18cb5991b",
"value": "Input/Output Server"
},
{
"description": "A safety instrumented system (SIS) takes automated action to keep a plant in a safe state, or to put it into a safe state, when abnormal conditions are present. The SIS may implement a single function or multiple functions to protect against various process hazards in your plant. The function of protective relaying is to cause the prompt removal from service of an element of a power system when it suffers a short circuit or when it starts to operate in any abnormal manner that might cause damage or otherwise interfere with the effective operation of the rest of the system.",
"meta": {
"Levels": [
"Level 0 https://collaborate.mitre.org/attackics/index.php/Level_0",
"Level 1 https://collaborate.mitre.org/attackics/index.php/Level_1"
],
"Techniques That Apply": [
"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885 ",
"Default Credentials https://collaborate.mitre.org/attackics/index.php/Technique/T812",
"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"Indicator Removal on host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839 ",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Program Organisation Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858",
"Valid Accounts https://collaborate.mitre.org/attackics/index.php/Technique/T859 "
],
"refss": [
"http://sache.org/beacon/files/2009/07/en/read/2009-07-Beacon-s.pdf",
"http://www.gegridsolutions.com/multilin/notes/artsci/artsci.pdf"
]
},
"uuid": "01ce6089-11cb-422f-ab05-ffe61ee4b21c",
"value": "Safety Instrumented System/Protection Relay"
}
],
"version": 1
}

270
clusters/mitre-ics-groups.json Normal file
View File

@ -0,0 +1,270 @@
{
"authors": [
"MITRE"
],
"category": "actor",
"description": "Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions.",
"name": "Groups",
"source": "https://collaborate.mitre.org/attackics/index.php/Groups",
"type": "mitre-ics-groups",
"uuid": "8fb1c036-8904-4d4b-82d5-0286da77eb7e",
"values": [
{
"description": "ALLANITE is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to Dragonfly / Dragonfly 2.0, although ALLANITEs technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence.",
"meta": {
"Associated Group Descriptions": [
"ALLANITE",
"Palmetto Fusion"
],
"Techniques Used": [
"Screen Capture - ALLANITE has been identified to collect and distribute screenshots of ICS systems such as HMIs https://collaborate.mitre.org/attackics/index.php/Technique/T852",
"Drive-by Compromise - ALLANITE leverages watering hole attacks to gain access into electric utilities https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - ALLANITE utilized credentials collected through phishing and watering hole attacks https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Spearphishing Attachment - ALLANITE utilized spear phishing to gain access into energy sector environments"
],
"refs": [
"https://dragos.com/resource/allanite/",
"https://www.us-cert.gov/ncas/alerts/TA17-293A",
"https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk",
"https://www.eisac.com/public-news-detail?id=115909"
]
},
"uuid": "fd28d200-2f1f-464a-af1f-fcadac7640a1",
"value": "ALLANITE"
},
{
"description": "APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.",
"meta": {
"Associated Group Descriptions": [
"APT33 - Fireeye noted a potential link between APT33 and Shamoon based on similar dropper malware DROPSHOT",
"Elfin - Symantec mentioned a potential link between Elfin and Shamoon based on such close occurances of the attacks within a particular organization",
"MAGNALLIUM"
],
"Techniques Used": [
"Spearphishing Attachment - APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code.2 APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Scripting - APT33 utilized PowerShell scripts to establish command and control and install files for execution https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Screen Capture - APT33 utilize backdoors capable of capturing screenshots once installed on a system https://collaborate.mitre.org/attackics/index.php/Technique/T852"
],
"refs": [
"https://attack.mitre.org/groups/G0064/",
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage",
"https://dragos.com/resource/magnallium/",
"https://www.wired.com/story/iran-hackers-us-phishing-tensions/",
"https://www.symantec.com/security-center/writeup/2017-030708-4403-99"
]
},
"uuid": "8f6f8a49-8a22-4494-a4c0-5a341444339a",
"value": "APT33"
},
{
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups.",
"meta": {
"Associated Group Descriptions": [
"Dragonfly",
"Energetic Bear"
],
"Software": [
"Backdoor.Oldrea"
],
"Techniques Used": [
"Screen Capture - Dragonfly has been reported to take screenshots of the GUI for ICS equipment, such as HMIs https://collaborate.mitre.org/attackics/index.php/Technique/T852",
"Spearphishing Attachment - Dragonfly sent pdf documents over email which contained links to malicious sites and downloads https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Drive-by Compromise - Dragonfly used intermediate targets for watering hole attacks on an intended target. A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - Dragonfly leveraged compromised user credentials to access the targets networks and download tools from a remote server https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Commonly Used Port - Dragonfly communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138 https://collaborate.mitre.org/attackics/index.php/Technique/T885"
],
"refs": [
"https://attack.mitre.org/groups/G0035/",
"https://dragos.com/resource/dymalloy/",
"https://www.us-cert.gov/ncas/alerts/TA17-293A",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group"
]
},
"uuid": "9b4143ce-253c-45c4-a160-0d0a7450aace",
"value": "Dragonfly"
},
{
"description": "Dragonfly 2.0 is a suspected Russian threat group which has been active since at least late 2015. Dragonfly 2.0's initial reported targets were a part of the energy sector, located within the United States, Switzerland, and Turkey. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.",
"meta": {
"Associated Group Descriptions": [
"Dragonfly 2.0",
"Beserk Bear",
"DYMALLOY"
],
"Techniques Used": [
"Spearphishing Attachment - Dragonfly 2.0 used the Phishery tool kit to conduct spear phishing attacks and gather credentials.14 Dragonfly 2.0 conducted a targeted spear phishing campaign against multiple electric utilities in the North America https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Supply Chain Compromise - Dragonfly 2.0 trojanized legitimate software to deliver malware disguised as standard windows applications https://collaborate.mitre.org/attackics/index.php/Technique/T862",
"https://collaborate.mitre.org/attackics/index.php/Technique/T817 https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - Dragonfly 2.0 used credentials collected through spear phishing and watering hole attacks https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group",
"https://fortune.com/2017/09/06/hack-energy-grid-symantec/",
"https://dragos.com/resource/dymalloy/",
"https://blog.talosintelligence.com/2017/07/template-injection.html",
"https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf",
"https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf"
]
},
"uuid": "790c3072-49d1-4c4f-8fd0-dc3db50887c1",
"value": "Dragonfly 2.0"
},
{
"description": "HEXANE is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. HEXANE's targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.",
"meta": {
"Associated Group Descriptions": [
"HEXANE",
"Lyceum"
],
"Techniques Used": [
"Spearphishing Attachment - HEXANE has used malicious documents to drop malware and gain access into an environment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Standard Application Layer Protocol - HEXANE communicated with command and control over HTTP and DNS https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Valid Accounts - HEXANE has used valid IT accounts to extend their spearphishing campaign within an organization https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Man in the Middle - HEXANE targeted telecommunication providers in the greater Middle East, Central Asia, and Africa, potentially as a stepping stone to network-focused man-in-the-middle and related attacks https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Scripting - HEXANE utilizes VBA macros and Powershell scripts such as DanDrop and kl.ps1 tools https://collaborate.mitre.org/attackics/index.php/Technique/T853"
],
"refs": [
"https://dragos.com/resource/hexane/",
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
"https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms",
"https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003"
]
},
"uuid": "a529ddda-9a44-4a0f-912e-4681f442b488",
"value": "HEXANE"
},
{
"description": "Lazarus group is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America. Links have been established associating this group with the WannaCry ransomware from 2017.3 While WannaCry was not an ICS focused attack, Lazarus group is considered to be a threat to ICS. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.",
"meta": {
"Associated Group Descriptions": [
"Lazarus group",
"COVELLITE",
"HIDDEN COBRA",
"ZINC",
"Guardians of Peace"
],
"Software": [
"WannaCry"
],
"Techniques Used": [
"Spearphishing Attachment - Lazarus group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company https://collaborate.mitre.org/attackics/index.php/Technique/T865"
],
"refs": [
"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
"https://dragos.com/resource/covellite/",
"https://www.us-cert.gov/ncas/alerts/TA17-132A",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-164A",
"https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/",
"https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos",
"https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group"
]
},
"uuid": "3bbf3f0f-346d-49ad-9300-3bb0f23c83ef",
"value": "Lazarus group"
},
{
"description": "Leafminer is a threat group that has targeted Saudi Arabia, Japan, Europe and the United States. Within the US, Leafminer has targeted electric utilities and initial access into those organizations. Reporting indicates that Leafminer has not demonstrated ICS specific or destructive capabilities.",
"meta": {
"Associated Group Descriptions": [
"Leafminer",
"RASPITE"
],
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east",
"https://dragos.com/resource/raspite/"
]
},
"uuid": "956a44f1-0d5c-4f3c-a9a7-16f96f9656e4",
"value": "Leafminer"
},
{
"description": "OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunication sectors as well as petrochemical, oil & gas. OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the Shamoon attacks in 2012 on Saudi Aramco. ",
"meta": {
"Associated Group Descriptions": [
"OilRig",
"CHRYSENE",
"Greenbug",
"APT 34"
],
"Techniques Used": [
"Spearphishing Attachment - OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Scripting - OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Standard Application Layer Protocol - OilRig communicated with its command and control using HTTP requests https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Drive-by Compromise - OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Valid Accounts - OilRig utilized stolen credentials to gain access to victim machines https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://www.fireeye.com/current-threats/apt-groups.html#apt34",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
"https://dragos.com/resource/chrysene/",
"https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
"https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
"https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/"
]
},
"uuid": "4945c0e7-9f4b-404d-83b2-e5cd3f26c32f",
"value": "OilRig"
},
{
"description": "Sandworm is a threat group associated with the Kiev, Ukraine electrical transmission substation attacks which resulted in the impact of electric grid operations on December 17th, 2016. Sandworm has been cited as the authors of the Industroyer malware which was used in the 2016 Ukraine attacks.",
"meta": {
"Associated Group Descriptions": [
"Sandworm",
"ELECTRUM"
],
"Software": [
"Industroyer",
"Notpetya"
],
"Techniques Used": [
"Internet Accessible Device - Sandworm actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet https://collaborate.mitre.org/attackics/index.php/Technique/T883",
"Valid Accounts - Sandworm used valid accounts to laterally move through VPN connections and dual-homed systems https://collaborate.mitre.org/attackics/index.php/Technique/T859"
],
"refs": [
"https://dragos.com/resource/electrum/",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
"https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/",
"https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/"
]
},
"uuid": "b4fbf3b0-1a5e-4bdc-8977-74fff1db19ff",
"value": "Sandworm"
},
{
"description": "XENOTIME is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. Xenotime has previously targeted oil & gas, as well as electric sectors within the Middle east, Europe, and North America. Xenotime has also been reported to target ICS vendors, manufacturers, and organizations in the middle east. This group is one of the few with reported destructive capabilities.",
"meta": {
"Associated Group Descriptions": [
"XENOTIME",
"TEMP.Veles - Fireeye attributes with high confidence that intrusion activity and Triton development was supported by a Russian government-owned technical research institution."
],
"Software": [
"Triton"
],
"Techniques Used": [
"Drive-by Compromise - XENOTIME utilizes watering hole websites to target industrial employees https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"External Remote Services - XENOTIME utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Valid Accounts - XENOTIME used valid credentials when laterally moving through RDP jump boxes into the ICS environment https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Supply Chain Compromise - XENOTIME targeted several ICS vendors and manufacturers https://collaborate.mitre.org/attackics/index.php/Technique/T862"
],
"refs": [
"https://dragos.com/resource/xenotime/",
"https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html",
"https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/",
"https://dragos.com/blog/trisis/TRISIS-01.pdf",
"https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf"
]
},
"uuid": "acb04037-e160-4a4e-a8cf-8a53a2f8221b",
"value": "XENOTIME"
}
],
"version": 1
}

53
clusters/mitre-ics-levels.json Normal file
View File

@ -0,0 +1,53 @@
{
"authors": [
"MITRE"
],
"category": "level",
"description": "Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment.",
"name": "Levels",
"source": "https://collaborate.mitre.org/attackics/index.php/All_Levels",
"type": "mitre-ics-levels",
"uuid": "952bcf79-eccd-45ac-9769-f61886bd0264",
"values": [
{
"description": "The I/O network level includes the actual physical processes and sensors and actuators that are directly connected to process equipment.",
"meta": {
"Related Assets": [
"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
"Field Controller/RTU/PLC/IED https://collaborate.mitre.org/attackics/index.php/Field_Controller/RTU/PLC/IED",
"Safety Instrumented System/Protection Relay https://collaborate.mitre.org/attackics/index.php/Safety_Instrumented_System/Protection_Relay"
]
},
"uuid": "614c4df5-b65f-4f3c-bb9f-b67549dfce2f",
"value": "Level 0"
},
{
"description": "The control network level includes the functions involved in sensing and manipulating physical processes. Typical devices at this level are programmable logic controllers (PLCs), distributed control systems, safety instrumented systems and remote terminal units (RTUs).",
"meta": {
"Related Assets": [
"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
"Field Controller/RTU/PLC/IED https://collaborate.mitre.org/attackics/index.php/Field_Controller/RTU/PLC/IED",
"Human-Machine Interface https://collaborate.mitre.org/attackics/index.php/Human-Machine_Interface",
"Safety Instrumented System/Protection Relay https://collaborate.mitre.org/attackics/index.php/Safety_Instrumented_System/Protection_Relay"
]
},
"uuid": "b9b1c942-b419-4919-ba14-40b24b0fbbd5",
"value": "Level 1"
},
{
"description": "The supervisory control LAN level includes the functions involved in monitoring and controlling physical processes and the general deployment of systems such as human-machine interfaces (HMIs), engineering workstations and historians.",
"meta": {
"Related Assets": [
"Control Server https://collaborate.mitre.org/attackics/index.php/Control_Server",
"Data Historian https://collaborate.mitre.org/attackics/index.php/Data_Historian",
"Engineering Workstation https://collaborate.mitre.org/attackics/index.php/Engineering_Workstation",
"Human-Machine Interface https://collaborate.mitre.org/attackics/index.php/Human-Machine_Interface",
"Input/Output Server https://collaborate.mitre.org/attackics/index.php/Input/Output_Server"
]
},
"uuid": "358d768d-5a97-4b1b-b185-044c1dd14357",
"value": "Level 2"
}
],
"version": 1
}

453
clusters/mitre-ics-software.json Normal file
View File

@ -0,0 +1,453 @@
{
"authors": [
"MITRE"
],
"category": "tool",
"description": "Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS.",
"name": "Software",
"source": "https://collaborate.mitre.org/attackics/index.php/Software",
"type": "mitre-ics-software",
"uuid": "7d259f36-6e80-472e-9a42-9d4a83519825",
"values": [
{
"description": "ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage.",
"meta": {
"Techniques Used": [
"Theft of Operational Information - ACAD/Medre.A can collect AutoCad files with drawings. These drawings may contain operational information https://collaborate.mitre.org/attackics/index.php/Technique/T882",
"Data from Information Repositories - ACAD/Medre.A collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811"
],
"refs": []
},
"uuid": "73f55487-1e11-4cec-b57f-4cabe4633928",
"value": "ACAD/Medre.A"
},
{
"description": "Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.",
"meta": {
"Associated Software Descriptions": [
"Backdoor.Oldrea",
"Havex"
],
"Groups": [
"Dragonfly https://collaborate.mitre.org/attackics/index.php/Group/G0002"
],
"Techniques Used": [
"Role Identification - The Backdoor.Oldrea payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Control Device Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Remote System Discovery - The Backdoor.Oldrea ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Location Identification - The Backdoor.Oldrea payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The tag names, depending on the naming convention, can provide information about facilities and locations https://collaborate.mitre.org/attackics/index.php/Technique/T825",
"Denial of Service - The Backdoor.Oldrea payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Supply Chain Compromise - The Backdoor.Oldrea RAT is distributed through trojanized installers planted on compromised vendor sites https://collaborate.mitre.org/attackics/index.php/Technique/T862",
"Spearphishing Attachment - The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Automated Collection - Using OPC, a component of Backdoor.Oldrea gathers any details about connected devices and sends them back to the C2 for the attackers to analyze https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"User Execution - Execution of Backdoor.Oldrea relies on a user opening a trojanized installer attached to an email https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Point & Tag Identification - Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id Point & Tag Identification - Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id https://collaborate.mitre.org/attackics/index.php/Technique/T861"
],
"refs": [
"https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01",
"https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A",
"https://www.f-secure.com/weblog/archives/00002718.html",
"https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf",
"https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html",
"https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat",
"https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939",
"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672"
]
},
"uuid": "1a2b786f-6ed2-47f6-969c-8d9c62fb8f22",
"value": "Backdoor.Oldrea, Havex"
},
{
"description": "Bad Rabbit is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine.",
"meta": {
"Associated Software Descriptions": [
"Bad Rabbit",
"Diskcoder.D"
],
"Techniques Used": [
"Drive-by Compromise - Bad Rabbit ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"User Execution - Bad Rabbit is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer https://collaborate.mitre.org/attackics/index.php/Technique/T863",
"Loss of Productivity and Revenue - Several transportation organizations in Ukraine have suffered from being infected by Bad Rabbit, resulting in some computers becoming encrypted, according to media reports https://collaborate.mitre.org/attackics/index.php/Technique/T828",
"Exploitation of Remote Services - Bad Rabbit initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"External Remote Services - Bad Rabbit can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Remote File Copy - Bad Rabbit can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867"
],
"refs": [
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
"https://securelist.com/bad-rabbit-ransomware/82851/",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
]
},
"uuid": "625cba2e-43ba-4abd-81e9-6fa78c442e6f",
"value": "Bad Rabbit, Diskcoder.D"
},
{
"description": "BlackEnergy 3 is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid.",
"meta": {
"Associated Software Descriptions": [
"BlackEnergy 3"
],
"Techniques Used": [
"Valid Accounts - BlackEnergy utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence https://collaborate.mitre.org/attackics/index.php/Technique/T859",
"Standard Application Layer Protocol - BlackEnergy uses HTTP POST request to contact external command and control servers https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Spearphishing Attachment - BlackEnergy targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments https://collaborate.mitre.org/attackics/index.php/Technique/T865"
],
"refs": [
"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
]
},
"uuid": "5ce0966c-0e03-4df7-8678-7d10781c0006",
"value": "BlackEnergy 3"
},
{
"description": "Conficker is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant.",
"meta": {
"Associated Software Descriptions": [
"Conficker",
"Downadup",
"Kido"
],
"Techniques Used": [
"Loss of Availability - A Conficker infection at a nuclear power plant forced the facility to temporarily shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T826",
"Replication Through Removable Media - Conficker exploits Windows drive shares. Once it has infected a computer, Conficker automatically copies itself to all visible open drive shares on other computers inside the network.2 Nuclear power plant officials suspect someone brought in Conficker by accident on a USB thumb drive, either from home or computers found in the power plant's facility https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Loss of Productivity and Revenue - A Conficker infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production https://collaborate.mitre.org/attackics/index.php/Technique/T828"
],
"refs": [
"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml"
]
},
"uuid": "88b08418-dbcc-457b-b28a-9deeeac26745",
"value": "Conficker"
},
{
"description": "Duqu is a collection of computer malware discovered in 2011. It is reportedly related to the Stuxnet worm, although Duqu is not self-replicating.",
"meta": {
"Associated Software Descriptions": [
"Duqu"
],
"Techniques Used": [
"Theft of Operational Information - Duqus purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party https://collaborate.mitre.org/attackics/index.php/Technique/T882",
"Data from Information Repositories - Duqu downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance https://collaborate.mitre.org/attackics/index.php/Technique/T811"
],
"refs": [
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf"
]
},
"uuid": "7bc3d4cd-786f-4913-983f-0d1fa9eb132f",
"value": "Duqu"
},
{
"description": "Flame is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. Flame has the capability to be used for industrial espionage.",
"meta": {
"Associated Software Descriptions": [
"Flame",
"Flamer",
"sKyWIper"
],
"Techniques Used": [
"Theft of Operational Information - Flame can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information https://collaborate.mitre.org/attackics/index.php/Technique/T882",
"Data from Information Repositories - Flame has built-in modules to gather information from compromised computers https://collaborate.mitre.org/attackics/index.php/Technique/T811"
],
"refs": [
"https://www.symantec.com/security-center/writeup/2012-052811-0308-99",
"https://www.welivesecurity.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx/",
"https://www.fireeye.com/blog/threat-research/2012/05/flamerskywiper-analysis.html"
]
},
"uuid": "ed2618d4-0450-4466-92c4-61b89a46960e",
"value": "Flame"
},
{
"description": "Industroyer is a sophisticated piece of malware designed to cause an Impact to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.1 Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.",
"meta": {
"Associated Software Descriptions": [
"Industroyer",
"CRASHOVERRIDE"
],
"Groups": [
"Sandworm"
],
"Techniques Used": [
"Data Historian Compromise - In Industroyer, after pivoting into the ICS environment, the adversary gained Initial Access to devices involved with critical process operations through a Microsoft Windows Server 2003 running a SQL Server https://collaborate.mitre.org/attackics/index.php/Technique/T810",
"Block Command Message - In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device https://collaborate.mitre.org/attackics/index.php/Technique/T803",
"Block Serial COM - In Industroyer the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device https://collaborate.mitre.org/attackics/index.php/Technique/T805",
"Data Destruction - Industroyer has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Masquerading - Industroyer modules operate by inhibiting the normal SCADA master communication functions and then activate a replacement master communication module managed by the malware, which executes a script of commands to issue normal protocol messages https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Network Connection Enumeration - Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks https://collaborate.mitre.org/attackics/index.php/Technique/T840",
"Remote System Discovery - The Industroyer IEC 61850 payload enumerates all possible IP addresses for each of the subnet masks for the interfaces on the infected machine, and tries to connect to port 102 on each of those addresses. Therefore, this component has the ability to discover relevant devices in the network automatically https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Control Device Identification - Industroyer contains an OPC DA module that enumerates all OPC servers using the ICatInformation::EnumClassesOfCategories method with CATID_OPCDAServer20 category identifier and IOPCServer::GetStatus to identify the ones running. The OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Serial Connection Enumeration - Industroyer contains modules for IEC 101 and IEC 104 communications.1 IEC 101 uses serial for the physical connection and IEC 104 uses Ethernet. Analysis of the malware by Dragos states that both of the modules have equivalent functionality.2 The IEC 104 module uses Network Connection Enumeration to determine the Ethernet adapters on the device. Since functionality between the two modules are equivalent, this implies that the IEC 101 module is able to detect serial interfaces on the device https://collaborate.mitre.org/attackics/index.php/Technique/T854",
"Control Device Identification - If the target device responds appropriately, the Industroyer IEC 61850 payload then sends an InitiateRequest packet using the Manufacturing Message Specification (MMS). If the expected answer is received, it continues, sending an MMS getNameList request. Thereby, the component compiles a list of object names in a Virtual Manufacturing Device https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Role Identification - The Industroyer IEC 61850 component enumerates the objects discovered in the previous step and sends the domain-specific getNameList requests with each object name. This enumerates named variables in a specific domain https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Activate Firmware Update Mode - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Unauthorized Command Message - The Industroyer IEC 101 module has the capability to communicate with devices (likely RTUs) via the IEC 101 protocol. The module will attempt to find all Information Object Addresses (IOAs) for the device and attempt to change their state in the following sequence: OFF, ON, OFF https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Brute Force I/O - The Industroyer IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Device Restart/Shutdown - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T816",
"Denial of Service - The Industroyer SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. Once this vulnerability is successfully exploited, the target device stops responding to any commands until it is rebooted manually.1 Once the tool is executed it sends specifically crafted packets to port 50,000 of the target IP addresses using UDP. The UDP packet contains the following 18 byte payload: 0x11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Activate Firmware Update Mode - The Industroyer SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Automated Collection - Industroyer automatically collects protocol object data to learn about control devices in the environment https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Loss of Control - Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T827",
"Loss of View - Industroyer's data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Manipulation of Control - Industroyer toggles breakers to the open state utilizing unauthorized command messages https://collaborate.mitre.org/attackics/index.php/Technique/T831",
"Service Stop - Industroyer has the capability to stop a service itself, or to login as a user and stop a service as that user https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Block Reporting Message - Industroyer uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Denial of Control - Industroyer is able to block serial COM channels temporarily causing a denial of control https://collaborate.mitre.org/attackics/index.php/Technique/T813",
"Denial of View - Industroyer is able to block serial COM channels temporarily causing a denial of view https://collaborate.mitre.org/attackics/index.php/Technique/T815",
"Command-Line Interface - The name of the Industroyer payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors “execute a shell command” commands https://collaborate.mitre.org/attackics/index.php/Technique/T807",
"Manipulation of View - Industroyer's OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a “Primary Variable Out of Limits” misdirecting operators from understanding protective relay status https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Loss of Safety - Industroyer contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays https://collaborate.mitre.org/attackics/index.php/Technique/T880"
],
"refs": [
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-163A",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf"
]
},
"uuid": "d13b0ff8-9125-4990-8ec1-94782b4e22df",
"value": "Industroyer"
},
{
"description": "In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk's main functionality is to overwrite files with random data, rendering the OS unbootable.",
"meta": {
"Associated Software Descriptions": [
"KillDisk"
],
"Techniques Used": [
"Loss of View - KillDisk erases the master boot record (MBR) and system logs, leaving the system unusable https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Data Destruction - KillDisk is able to delete system files to make the system unbootable and targets 35 different types of files for deletion https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Indicator Removal on Host - KillDisk deletes application, security, setup, and system event logs from Windows systems https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Service Stop - KillDisk looks for and terminates two non-standard processes, one of which is an ICS application https://collaborate.mitre.org/attackics/index.php/Technique/T881"
],
"refs": [
"https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/",
"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
]
},
"uuid": "df960d5e-481a-47fe-8577-427057553a1b",
"value": "KillDisk"
},
{
"description": "LockerGoga is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences.",
"meta": {
"Associated Software Descriptions": [
"LockerGoga"
],
"Techniques Used": [
"Loss of Productivity and Revenue - While Norsk Hydro attempted to recover from a LockerGoga infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity https://collaborate.mitre.org/attackics/index.php/Technique/T828",
"Loss of View - Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of view which forced the company to switch to manual operations https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Loss of Control - Some of Norsk Hydro's production systems were impacted by a LockerGoga infection. This resulted in a loss of control which forced the company to switch to manual operations https://collaborate.mitre.org/attackics/index.php/Technique/T827"
],
"refs": [
"https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/",
"https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880",
"https://www.hydro.com/en/media/on-the-agenda/cyber-attack/"
]
},
"uuid": "6187b975-7d80-4eb3-9c5a-89d07f2e3512",
"value": "LockerGoga"
},
{
"description": "NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.",
"meta": {
"Associated Software Descriptions": [
"NotPetya"
],
"Groups": [
"Sandworm"
],
"Techniques Used": [
"Exploitation of Remote Services - NotPetya initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"External Remote Services - NotPetya can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Remote File Copy - NotPetya can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867",
"Loss of Productivity and Revenue - NotPetya disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines https://collaborate.mitre.org/attackics/index.php/Technique/T828"
],
"refs": [
"https://attack.mitre.org/software/S0368/",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/",
"https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war"
]
},
"uuid": "564c7c31-234f-4427-aab7-80d40183a1e9",
"value": "NotPetya"
},
{
"description": "PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.",
"meta": {
"Associated Software Descriptions": [
"PLC-Blaster"
],
"Techniques Used": [
"Remote System Discovery - PLC-Blaster scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102 https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Control Device Identification - The PLC-Blaster worm starts by scanning for probable targets. Siemens SIMATIC PLCs may be identified by the port 102/tcp https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Program Organization Units - PLC-Blaster copies itself to various Program Organization Units (POU) on the target device. The POUs include the Organization Block, Data Block, Function, and Function Block https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Manipulate I/O Image - PLC-Blaster may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Execution through API - PLC-Blaster utilizes the PLC communication and management API to load executable Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Change Program State - After PLC-Blaster is transferred to a PLC, the PLC begins execution of PLC-Blaster https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Denial of Service - The execution on the PLC can be stopped by violating the cycle time limit. The PLC-Blaster implements an endless loop triggering an error condition within the PLC with the impact of a DoS https://collaborate.mitre.org/attackics/index.php/Technique/T814"
],
"refs": [
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
]
},
"uuid": "f0db07ce-a13b-4c6e-9ba5-fe2be3080ace",
"value": "PLC-Blaster"
},
{
"description": "Ryuk is ransomware that was first seen targeting large organizations for high-value ransoms in August of 2018. Ryuk temporarily disrupted operations at a manufacturing firm in 2018.",
"meta": {
"Associated Software Descriptions": [
"Ryuk"
],
"Techniques Used": [
"Loss of Productivity and Revenue - An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open https://collaborate.mitre.org/attackics/index.php/Technique/T828"
],
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"
]
},
"uuid": "707075af-cabd-404d-8eb9-7c1ba063ac88",
"value": "Ryuk"
},
{
"description": "Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.",
"meta": {
"Associated Software Descriptions": [
"Stuxnet"
],
"Techniques Used": [
"Remote System Discovery - Stuxnet scanned the network to identify the Siemens PLCs that it was targeting https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Rootkit - One of Stuxnet's rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Manipulate I/O Image - When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Control Device Identification - The Siemens s7otbxdx.dll is responsible for handling PLC block exchange between the programming device (i.e., a computer running a Simatic manager on Windows) and the PLC. s7db_open function is an export hook that is used to obtain information used to create handles to manage a PLC (such a handle is used by APIs that manipulate the PLC). Stuxnet utilized this export hook to gain information about targeted PLCs such as model information. Stuxnet was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"I/O Module Discovery - Stuxnet enumerates and parses the System Data Blocks (SDB). Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland https://collaborate.mitre.org/attackics/index.php/Technique/T824",
"Network Sniffing - DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious Stuxnet block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. This secondary thread is used to monitor a data block DB890 of sequence A or B. Though constantly running and probing this block (every 5 minutes), this thread has no purpose if the PLC is not infected. The purpose of the thread is to monitor each S7-315 on the bus. The replaced DP_RECV block (later on referred to as the “DP_RECV monitor”) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Monitor Process State - Stuxnet examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Modify Parameter - In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Manipulation of Control - Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property https://collaborate.mitre.org/attackics/index.php/Technique/T831",
"Program Download - Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Program Organization Units - Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Project File Infection - Stuxnet copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Hooking - Stuxnet modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files https://collaborate.mitre.org/attackics/index.php/Technique/T874",
"Unauthorized Command Message - In states 3 and 4 Stuxnet sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Change Program State - Stuxnet halts the original PLC code and the malicious PLC code begins sending frames of data based on the recorded values during the DP_RECV monitor phase https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"I/O Image - Stuxnet copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device https://collaborate.mitre.org/attackics/index.php/Technique/T877",
"Rootkit - When the peripheral output is written to, sequence C of Stuxnet intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, Stuxnet prevents an operator from noticing unauthorized commands sent to the peripheral https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Masquerading - Stuxnet renames a dll responsible for handling communications with a PLC. It replaces the original .dll file with its own version that allows it to intercept any calls that are made to access the PLC https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Execution through API - Stuxnet utilizes the PLC communication and management API to load executable Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Standard Application Layer Protocol - Stuxnet attempts to contact command and control servers over HTTP to send basic information about the computer it has compromised https://collaborate.mitre.org/attackics/index.php/Technique/T869",
"Commonly Used Port - Stuxnet attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Replication Through Removable Media - Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.1 The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Man in the Middle - Stuxnet de-couples all inputs and signals from the legitimate code on a PLC and chooses what is passed to the original code. STUXNET effectively creates a man in the middle attack with the input and output signals and control logic https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Program Upload - Stuxnet replaces the DLL responsible for reading projects from a PLC to the step7 software. This allows Stuxnet the ability to upload a program from the PLC https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Manipulation of View - Stuxnet manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Engineering Workstation Compromise - Stuxnet utilized an engineering workstation as the initial access point for PLC devices https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Damage to Property - Stuxnet attacks were designed to over-pressure and damage centrifuge rotors by manipulating process pressure and rotor speeds over time. One focused on a routine to change centrifuge rotor speeds, while the other manipulated critical resonance speeds to over-pressure them https://collaborate.mitre.org/attackics/index.php/Technique/T879"
],
"refs": [
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://www.symantec.com/security-center/writeup/2010-071400-3123-99",
"https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B",
"https://scadahacker.com/resources/stuxnet-mitigation.html",
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf"
]
},
"uuid": "119f4adc-b15c-48e0-8208-dae63673bb46",
"value": "Stuxnet"
},
{
"description": "Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers",
"meta": {
"Associated Software Descriptions": [
"Triton",
"TRISIS",
"Hatman"
],
"Groups": [
"XENOTIME"
],
"Techniques Used": [
"Utilize/Change Operating Mode - Triton is able to modify code if the Triconex SIS Controller is configured with the physical keyswitch in program mode during operation. If the controller is placed in Run mode (program changes not permitted), arbitrary changes in logic are not possible substantially reducing the likelihood of manipulation. Once the Triton implant is installed on the SIS it is able to conduct any operation regardless of any future position of the keyswitch https://collaborate.mitre.org/attackics/index.php/Technique/T858",
"Unauthorized Command Message - Using Triton, an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately https://collaborate.mitre.org/attackics/index.php/Technique/T855",
"Masquerading - The Triton malware was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Control Logic - Triton can reprogram the SIS logic to cause it to trip and shutdown a process that is, in actuality, in a safe state. In other words, trigger a false positive. Triton also can reprogram the SIS logic to allow unsafe conditions to persist.1 The Triton malware is able to add a malicious program to the execution table of the controller. This action leaves the legitimate programs in place. If the controller failed, Triton would attempt to return it to a running state. If the controller did not recover within a certain time window, the sample would overwrite the malicious program to cover its tracks https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Scripting - In the version of Triton available at the time of publication, the component that programs the Triconex controllers is written entirely in Python. The modules that implement the communciation protocol and other supporting components are found in a separate file -- library.zip -- which the main script that employs this functionality is compiled into a standalone Windows executable -- trilog.exe -- that includes a Python environment https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Remote System Discovery - Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502 https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"System Firmware - The malicious shellcode Triton uses is split into two separate pieces -- inject.bin and imain.bin. The former program is more generic code that handles injecting the payload into the running firmware, while the latter is the payload that actually performs the additional malicious functionality. The payload --imain.bin-- is designed to take a TriStation protocol get main processor diagnostic data command, look for a specially crafted packet body, and perform custom actions on demand. It is able to read and write memory on the safety controller and execute code at an arbitrary address within the firmware. In addition, if the memory address it writes to is within the firmware region, it disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This allows the malware to make changes to the running firmware in memory. This allows Triton to change how the device operates and would allow for the modification of other actions that the Triton controller might make https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Scripting - A Python script seen in Triton communicates using four Python modules—TsBase, TsLow, TsHi, and TS_cnames—that collectively implement the TriStation network protocol (“TS”, via UDP 1502); this is the protocol that the TriStation TS1131 software uses to communicate with Triconex safety PLCs https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"Exploitation for Evasion - Triton disables a firmware RAM/ROM consistency check, injects a payload (imain.bin) into the firmware memory region, and changes a jumptable entry to point to the added code 384. In Schneider Electric Triconex Tricon MP model 3008 firmware versions 10.0-10.4, system calls read directly from memory addresses within the control program area without any verification. Manipulating this data could allow adversary data to be copied anywhere within memory.910 Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"Control Device Identification - The Triton Python script is also capable of autodetecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502 https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"Engineering Workstation Compromise - The Triton malware gained remote access to an SIS engineering workstation https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Loss of Safety - Triton has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard https://collaborate.mitre.org/attackics/index.php/Technique/T880",
"Program Download - Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"ndicator Removal on Host - Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Commonly Used Port - Triton framework can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Execution through API - Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Detect Program State - Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py https://collaborate.mitre.org/attackics/index.php/Technique/T870",
"Detect Operating Mode - Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py https://collaborate.mitre.org/attackics/index.php/Technique/T868",
"Change Program State - Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed https://collaborate.mitre.org/attackics/index.php/Technique/T875"
],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
"https://dragos.com/blog/trisis/TRISIS-01.pdf",
"https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf",
"https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s",
"https://www.youtube.com/watch?v=XwSJ8hloGvY",
"https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01",
"https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware",
"https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02",
"https://nvd.nist.gov/vuln/detail/CVE-2018-8872",
"https://cwe.mitre.org/data/definitions/119.html",
"https://www.nrc.gov/docs/ML1209/ML120900890.pdf",
"https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library"
]
},
"uuid": "e98dca35-5141-4b6c-87e1-9ee36a92d54e",
"value": "Triton"
},
{
"description": "VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols",
"meta": {
"Associated Software Descriptions": [
"VPNFilter"
],
"Techniques Used": [
"Network Sniffing - The VPNFilter packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Control Device Identification - The VPNFilter packet sniffer monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. 'ps' identifies and logs on IPs and ports, but not the packet contents on port 502 (Modbus traffic). It does not validate the traffic as Modbus https://collaborate.mitre.org/attackics/index.php/Technique/T808"
],
"refs": [
"https://blog.talosintelligence.com/2018/06/vpnfilter-update.html",
"https://www.youtube.com/watch?v=yuZazP22rpI"
]
},
"uuid": "cea7e5ff-cfde-4856-9829-acd7166cd1f9",
"value": "VPNFilter"
},
{
"description": "WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploit EternalBlue.",
"meta": {
"Associated Software Descriptions": [
"WannaCry"
],
"Groups": [
"Lazarus group"
],
"Techniques Used": [
"Exploitation of Remote Services - WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T866",
"External Remote Services - WannaCry can utilize exposed SMB services to access industrial networks https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Remote File Copy - WannaCry can move laterally through industrial networks by means of the SMB service https://collaborate.mitre.org/attackics/index.php/Technique/T867"
],
"refs": [
"https://attack.mitre.org/software/S0366/",
"https://www.us-cert.gov/ncas/alerts/TA17-132A",
"https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
]
},
"uuid": "2901adef-0da6-4c1e-854b-b4e4e0d8e15a",
"value": "WannaCry"
}
],
"version": 1
}

278
clusters/mitre-ics-tactics.json Normal file
View File

@ -0,0 +1,278 @@
{
"authors": [
"MITRE"
],
"category": "tactic",
"description": "A list of all 11 tactics in ATT&CK for ICS",
"name": "Tactics",
"source": "https://collaborate.mitre.org/attackics/index.php/All_Tactics",
"type": "mitre-ics-tactics",
"uuid": "ae92140f-7816-45b6-aa7c-9ff3e8536f10",
"values": [
{
"description": "The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal. Collection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of Discovery, to compile data on control systems and targets of interest that may be used to follow through on the adversarys objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other refs may also be at risk and exposed on the internet or otherwise publicly accessible.",
"meta": {
"Techniques in this Tactics Category": [
"Automated Collection https://collaborate.mitre.org/attackics/index.php/Technique/T802",
"Data from Information Repositories https://collaborate.mitre.org/attackics/index.php/Technique/T811",
"Detect Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T868",
"Detect Program State https://collaborate.mitre.org/attackics/index.php/Technique/T870",
"I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T877",
"Location Identification https://collaborate.mitre.org/attackics/index.php/Technique/T825",
"Monitor Process State https://collaborate.mitre.org/attackics/index.php/Technique/T801",
"Point & Tag Identification https://collaborate.mitre.org/attackics/index.php/Technique/T861",
"Program Upload https://collaborate.mitre.org/attackics/index.php/Technique/T845",
"Role Identification https://collaborate.mitre.org/attackics/index.php/Technique/T850",
"Screen Capture https://collaborate.mitre.org/attackics/index.php/Technique/T852"
],
"refs": [
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf",
"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf",
"http://www.research.lancs.ac.uk/portal/files/196578358/sample_sigconf.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-293A"
]
},
"uuid": "834fab50-be52-4611-95b6-6330d1db65c2",
"value": "Collection"
},
{
"description": "The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment. Command and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victims network structure and defenses.",
"meta": {
"Techniques in this Tactics Category": [
"Commonly Used Port https://collaborate.mitre.org/attackics/index.php/Technique/T885",
"Connection Proxy https://collaborate.mitre.org/attackics/index.php/Technique/T884",
"Standard Application Layer Protocol https://collaborate.mitre.org/attackics/index.php/Technique/T869"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1090"
]
},
"uuid": "4fd3b7b1-6d05-4cab-8182-6ea52ecbde63",
"value": "Command and Control"
},
{
"description": "The adversary is trying to figure out your ICS environment. Discovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.",
"meta": {
"Techniques in this Tactics Category": [
"Control Device Identification https://collaborate.mitre.org/attackics/index.php/Technique/T808",
"I/O Module Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T824",
"Network Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T840",
"Network Service Scanning https://collaborate.mitre.org/attackics/index.php/Technique/T841",
"Network Sniffing https://collaborate.mitre.org/attackics/index.php/Technique/T842",
"Remote System Discovery https://collaborate.mitre.org/attackics/index.php/Technique/T846",
"Serial Connection Enumeration https://collaborate.mitre.org/attackics/index.php/Technique/T854"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1049",
"https://attack.mitre.org/wiki/Technique/T1040",
"https://attack.mitre.org/wiki/Technique/T1018"
]
},
"uuid": "021d9d90-a792-4b84-a9f8-892b11c7db55",
"value": "Discovery"
},
{
"description": "The adversary is trying to avoid being detected.Evasion consists of techniques that adversaries use to avoid detection by both human operators and technical defenses throughout their compromise. Techniques used for evasion include removal of indicators of compromise, spoofing communications and reporting, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense and operator evasion for this purpose are often more passive in nature, as opposed to Inhibit Response Function techniques. They may also vary depending on whether the target of evasion is human or technological in nature, such as security controls. Techniques under other tactics are cross-listed to evasion when those techniques include the added benefit of subverting operators and defenses. ",
"meta": {
"Techniques in this Tactics Category": [
"Exploitation for Evasion https://collaborate.mitre.org/attackics/index.php/Technique/T820",
"Indicator Removal on Host https://collaborate.mitre.org/attackics/index.php/Technique/T872",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858"
],
"refs": [
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://attack.mitre.org/wiki/Technique/T1014",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
]
},
"uuid": "099fdd9a-8894-4599-8e7f-59e82e285df6",
"value": "Evasion"
},
{
"description": "The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network Discovery and Collection, impact operations, and inhibit response functions.",
"meta": {
"Techniques in this Tactics Category": [
"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Command-Line Interface https://collaborate.mitre.org/attackics/index.php/Technique/T807",
"Execution through API https://collaborate.mitre.org/attackics/index.php/Technique/T871",
"Graphical User Interface https://collaborate.mitre.org/attackics/index.php/Technique/T823",
"Man in the Middle https://collaborate.mitre.org/attackics/index.php/Technique/T830",
"Program Organization Units https://collaborate.mitre.org/attackics/index.php/Technique/T844",
"Project File Infection https://collaborate.mitre.org/attackics/index.php/Technique/T873",
"Scripting https://collaborate.mitre.org/attackics/index.php/Technique/T853",
"User Execution https://collaborate.mitre.org/attackics/index.php/Technique/T863"
],
"refs": [
"https://attack.mitre.org/wiki/Technique/T1059",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"http://www.dee.ufrj.br/controle_automatico/cursos/IEC61131-3_Programming_Industrial_Automation_Systems.pdf",
"https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051",
"https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf",
"https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf",
"https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=",
"http://www.plcdev.com/book/export/html/373",
"https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf",
"https://www.f-secure.com/weblog/archives/00002718.html"
]
},
"uuid": "7779ec85-b841-44b8-9c5e-9c9d670a3938",
"value": "Execution"
},
{
"description": "The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment. Impact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage Impair Process Control techniques, which often manifest in more self-revealing impacts on operations, or Inhibit Response Function techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversarys goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Loss of Productivity and Revenue, Theft of Operational Information, and Damage to Property are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.",
"meta": {
"Techniques in this Tactics Category": [
"Damage to Property https://collaborate.mitre.org/attackics/index.php/Technique/T879",
"Denial of Control https://collaborate.mitre.org/attackics/index.php/Technique/T813",
"Denial of View https://collaborate.mitre.org/attackics/index.php/Technique/T815",
"Loss of Availability https://collaborate.mitre.org/attackics/index.php/Technique/T826",
"Loss of Control https://collaborate.mitre.org/attackics/index.php/Technique/T827",
"Loss of Productivity and Revenue https://collaborate.mitre.org/attackics/index.php/Technique/T828",
"Loss of Safety https://collaborate.mitre.org/attackics/index.php/Technique/T880",
"Loss of View https://collaborate.mitre.org/attackics/index.php/Technique/T829",
"Manipulation of Control https://collaborate.mitre.org/attackics/index.php/Technique/T831",
"Manipulation of View https://collaborate.mitre.org/attackics/index.php/Technique/T832",
"Theft of Operational Information https://collaborate.mitre.org/attackics/index.php/Technique/T882"
],
"refs": [
"https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html",
"https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf",
"https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297",
"https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false",
"https://time.com/4270728/iran-cyber-attack-dam-fbi/",
"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"
]
},
"uuid": "40c9594e-ae8b-48f1-8e11-0e08ead4d44b",
"value": "Impact"
},
{
"description": "The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.",
"meta": {
"Techniques in this Tactics Category": [
"Brute Force I/O https://collaborate.mitre.org/attackics/index.php/Technique/T806",
"Change Program State https://collaborate.mitre.org/attackics/index.php/Technique/T875",
"Masquerading https://collaborate.mitre.org/attackics/index.php/Technique/T849",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Modify Parameter https://collaborate.mitre.org/attackics/index.php/Technique/T836",
"Module Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T839",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Rogue Master Device https://collaborate.mitre.org/attackics/index.php/Technique/T848",
"Service Stop https://collaborate.mitre.org/attackics/index.php/Technique/T881",
"Spoof Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T856",
"Unauthorized Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T855"
],
"refs": [
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices",
"https://attack.mitre.org/techniques/T1489/",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf"
]
},
"uuid": "aa3913db-52ce-4856-b0db-fce6af13e4d6",
"value": "Impair Process Control"
},
{
"description": "The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.",
"meta": {
"Techniques in this Tactics Category": [
"Activate Firmware Update Mode https://collaborate.mitre.org/attackics/index.php/Technique/T800",
"Alarm Suppression https://collaborate.mitre.org/attackics/index.php/Technique/T878",
"Block Command Message https://collaborate.mitre.org/attackics/index.php/Technique/T803",
"Block Reporting Message https://collaborate.mitre.org/attackics/index.php/Technique/T804",
"Block Serial COM https://collaborate.mitre.org/attackics/index.php/Technique/T805",
"Data Destruction https://collaborate.mitre.org/attackics/index.php/Technique/T809",
"Denial of Service https://collaborate.mitre.org/attackics/index.php/Technique/T814",
"Device Restart/Shutdown https://collaborate.mitre.org/attackics/index.php/Technique/T816",
"Manipulate I/O Image https://collaborate.mitre.org/attackics/index.php/Technique/T835",
"Modify Alarm Settings https://collaborate.mitre.org/attackics/index.php/Technique/T838",
"Modify Control Logic https://collaborate.mitre.org/attackics/index.php/Technique/T833",
"Program Download https://collaborate.mitre.org/attackics/index.php/Technique/T843",
"Rootkit https://collaborate.mitre.org/attackics/index.php/Technique/T851",
"System Firmware https://collaborate.mitre.org/attackics/index.php/Technique/T857",
"Utilize/Change Operating Mode https://collaborate.mitre.org/attackics/index.php/Technique/T858"
],
"refs": [
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf",
"http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://attack.mitre.org/wiki/Technique/T1107",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A",
"https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01",
"http://cwe.mitre.org/data/definitions/400.html",
"https://nvd.nist.gov/vuln/detail/CVE-2015-5374",
"https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/",
"https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf",
"https://attack.mitre.org/wiki/Technique/T1014",
"http://www.sciencedirect.com/science/article/pii/S1874548213000231"
]
},
"uuid": "35bf4454-d73b-43ff-8a38-85342f595009",
"value": "Inhibit Response Function"
},
{
"description": "The adversary is trying to get into your ICS environment. Initial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations. ",
"meta": {
"Techniques in this Tactics Category": [
"Data Historian Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T810",
"Drive-by Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T817",
"Engineering Workstation Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T818",
"Exploit Public-Facing Application https://collaborate.mitre.org/attackics/index.php/Technique/T819",
"External Remote Services https://collaborate.mitre.org/attackics/index.php/Technique/T822",
"Internet Accessible Device https://collaborate.mitre.org/attackics/index.php/Technique/T883",
"Replication Through Removable Media https://collaborate.mitre.org/attackics/index.php/Technique/T847",
"Spearphishing Attachment https://collaborate.mitre.org/attackics/index.php/Technique/T865",
"Supply Chain Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T862",
"Wireless Compromise https://collaborate.mitre.org/attackics/index.php/Technique/T860"
],
"refs": [
"https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf",
"https://www.us-cert.gov/ncas/alerts/TA18-074A",
"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
"https://attack.mitre.org/wiki/Technique/T1133",
"https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf",
"https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/",
"https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html",
"https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf",
"https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559",
"https://time.com/4270728/iran-cyber-attack-dam-fbi/",
"https://www.kkw-gundremmingen.de/presse.php?id=571",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant",
"https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS",
"https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml",
"https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant",
"https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/",
"https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/",
"https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298",
"https://www.bbc.com/news/technology-36158606",
"https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/",
"https://attack.mitre.org/techniques/T1193/",
"https://www.f-secure.com/weblog/archives/00002718.html",
"https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf",
"https://www.slideshare.net/dgpeters/17-bolshev-1-13",
"https://www.mitre.org/sites/default/files/pdf/08_1145.pdf",
"https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
"https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
"https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html"
]
},
"uuid": "2366ffb0-91ba-4b8e-bfad-d460c98d43a8",
"value": "Innitial Access"
}
],
"version": 1
}

2038
clusters/mitre-ics-techniques.json Normal file
View File

File diff suppressed because it is too large Load Diff

6057
clusters/mitre-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

12268
clusters/mitre-malware.json
View File

File diff suppressed because it is too large Load Diff

1153
clusters/mitre-tool.json
View File

File diff suppressed because it is too large Load Diff

73
clusters/ransomware.json
View File

@ -13877,7 +13877,78 @@
},
"uuid": "f3ded787-783e-4c6b-909a-8da01254380c",
"value": "eCh0raix"
},
{
"description": "The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, they will distribute via mass media where the company's partners and clients will know that the company was attacked.",
"meta": {
"ransomnotes-filenames": [
"RECOVER-FILES.txt"
],
"ransomnotes-refs": [
"https://www.bleepstatic.com/images/news/columns/week-in-ransomware/2020/september/25/egregor.jpg"
],
"refs": [
"https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor",
"https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/",
"https://cybersecuritynews.com/egregor-ransomware/"
]
},
"uuid": "8bd094a7-103f-465f-8640-18dcc53042e5",
"value": "Egregor"
},
{
"description": "SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomwares cartel. It also follows some of Mazes tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.",
"meta": {
"ransomnotes-filenames": [
"YOUR_FILES_ARE_ENCRYPTED.HTML"
],
"ransomnotes-refs": [
"https://www.bleepstatic.com/images/news/ransomware/s/suncrypt/maze-cartel/ransom-note.jpg"
],
"refs": [
"https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware",
"https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/",
"https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/"
]
},
"uuid": "4fa25527-99f6-42ee-aaf2-7ca395e5fabc",
"value": "SunCrypt"
},
{
"description": "LockBit operators tend to be very indiscriminate and opportunistic in their targeting. Actors behind this attack will use a variety of methods to gain initial access, up to and including basic methods such as brute force.\nAfter gaining initial access the actor follows a fairly typical escalation, lateral movement and ransomware execution playbook. LockBit operators tend to have a very brief dwell time, executing the final ransomware payload as quickly as they are able to. LockBit ransomware has the built-in lateral movement features; given adequate permissions throughout the targeted environment.",
"meta": {
"ransomnotes-filenames": [
"Restore-My-Files.txt"
],
"ransomnotes-refs": [
"https://www.mcafee.com/wp-content/uploads/2020/04/content-in-restore-my-files.png"
],
"refs": [
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/",
"https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware"
]
},
"uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
"value": "LockBit"
},
{
"description": "WastedLocker primarily targets corporate networks. Upon initial compromise, often using a fake browser update containing SocGholish, the actor then takes advantage of dual-use and LoLBin tools in an attempt to evade detection.\n Key observations include lateral movement and privilege escalation. The WastedLocker ransomware has been tied back to EvilCorp.",
"meta": {
"ransomnotes-filenames": [
"<encrypted_filename>_info"
],
"ransomnotes-refs": [
"https://blog.malwarebytes.com/wp-content/uploads/2020/06/ransomnote.png"
],
"refs": [
"https://blogs.cisco.com/security/talos/wastedlocker-goes-big-game-hunting-in-2020",
"https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/",
"https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/"
]
},
"uuid": "6955c28e-e698-4bb2-8c70-ccc6d11ba1ee",
"value": "WastedLocker"
}
],
"version": 87
"version": 88
}

13
clusters/rat.json
View File

@ -3465,7 +3465,18 @@
},
"uuid": "d0ed7527-cd1b-4b05-bbac-2e409ca46104",
"value": "Sepulcher"
},
{
"description": "The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildmas modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.",
"meta": {
"refs": [
"https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil"
],
"synonyms": []
},
"uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
"value": "Guildma"
}
],
"version": 34
"version": 36
}

99
clusters/tea-matrix.json Normal file
View File

@ -0,0 +1,99 @@
{
"authors": [
"Alexandre Dulaunoy"
],
"category": "tea-matrix",
"description": "Tea Matrix",
"name": "Tea Matrix",
"source": "",
"type": "tea-matrix",
"uuid": "7eacd736-b093-4cc0-a56c-5f84de725dfb",
"values": [
{
"description": "Multi infusion is allow and recommended",
"meta": {
"kill_chain": [
"tea:post-fermented",
"tea:green",
"tea:white",
"tea:oolong"
]
},
"uuid": "fc255880-0ea7-44b3-81e9-ef6c183bef4b",
"value": "Multi infusion"
},
{
"description": "Single infusion is recommended",
"meta": {
"kill_chain": [
"tea:black",
"tea:blend",
"tea:white",
"tea:yellow"
]
},
"uuid": "21a43f8f-6ea3-4337-8fe4-0ce5b7cf386d",
"value": "Single infusion"
},
{
"description": "Water temperature 90-95 degC",
"meta": {
"kill_chain": [
"tea:black",
"tea:blend",
"tea:post-fermented"
]
},
"uuid": "4cf3cb45-b68e-4a23-8ef9-99655e136c50",
"value": "Water temp 90-95 degC"
},
{
"description": "Water temperature 80 degC",
"meta": {
"kill_chain": [
"tea:green",
"tea:white",
"tea:oolong",
"tea:yellow"
]
},
"uuid": "02cf7340-9648-4c3f-837c-df1b6598c87d",
"value": "Water temp 80 degC"
},
{
"description": "Brewing time 2-3 minutes",
"meta": {
"kill_chain": [
"tea:green",
"tea:white",
"tea:yellow"
]
},
"uuid": "d2080900-d8a3-426f-b4e1-4c8e4f978c0e",
"value": "Brewing time 2-3 min"
},
{
"description": "Brewing time 3-4 minutes",
"meta": {
"kill_chain": [
"tea:black",
"tea:blend",
"tea:post-fermented"
]
},
"uuid": "b7d97aa8-4924-4215-ba33-0e8765d6197b",
"value": "Brewing time 3-4 min"
},
{
"description": "Milk in tea",
"meta": {
"kill_chain": [
"tea:black"
]
},
"uuid": "24430dc6-9c27-4b3c-a5e7-6dda478fffa0",
"value": "Milk in tea"
}
],
"version": 2
}

56
clusters/threat-actor.json
View File

@ -2389,7 +2389,9 @@
"https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
"https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
"https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/",
"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"
"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/",
"https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
"https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/"
],
"synonyms": [
"APT 28",
@ -3036,7 +3038,7 @@
"https://securelist.com/operation-applejeus/87553/",
"https://securelist.com/lazarus-under-the-hood/77908/",
"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
"http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf",
"https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf",
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/",
"https://www.cfr.org/interactive/cyber-operations/lazarus-group",
"https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret",
@ -3078,7 +3080,8 @@
"https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
"https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html",
"https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
"https://www.secureworks.com/research/threat-profiles/nickel-gladstone",
"https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html"
],
"synonyms": [
"Operation DarkSeoul",
@ -4692,11 +4695,13 @@
"https://securelist.com/el-machete/66108/",
"https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
"https://www.cfr.org/interactive/cyber-operations/machete",
"https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html"
"https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html",
"https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/"
],
"synonyms": [
"Machete",
"machete-apt"
"machete-apt",
"APT-C-43"
]
},
"uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3",
@ -5175,7 +5180,8 @@
"https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1",
"https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia",
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
"https://attack.mitre.org/groups/G0086/"
"https://attack.mitre.org/groups/G0086/",
"https://us-cert.cisa.gov/ncas/alerts/aa20-301a"
],
"synonyms": [
"Velvet Chollima",
@ -5812,7 +5818,8 @@
"https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40",
"https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
"https://www.mycert.org.my/portal/advisory?id=MA-774.022020",
"https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign"
"https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign",
"https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/"
],
"synonyms": [
"TEMP.Periscope",
@ -6605,7 +6612,11 @@
"description": "Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.\n\nA security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.\n\nMore specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check user's permissions, allowing write privileges on files in C:\\Windows\\Task.\n\nThe vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to all-access SYSTEM account level.\n\nA couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.\n\nThe group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.\n\nThe researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/"
"https://www.bleepingcomputer.com/news/security/windows-task-scheduler-zero-day-exploited-by-malware/",
"https://twitter.com/craiu/status/1311920398259367942"
],
"synonyms": [
"IAmTheKing"
]
},
"uuid": "abd89986-b1b0-11e8-b857-efe290264006",
@ -7005,7 +7016,8 @@
"https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/",
"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
"https://www.secureworks.com/research/threat-profiles/gold-tahoe"
"https://www.secureworks.com/research/threat-profiles/gold-tahoe",
"https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546"
],
"synonyms": [
"SectorJ04 Group",
@ -8397,7 +8409,31 @@
},
"uuid": "bfb0bc20-5bdf-47ff-b07f-dbd9a3cb9772",
"value": "Fox Kitten"
},
{
"description": "Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/",
"https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf",
"https://github.com/eset/malware-ioc/tree/master/xdspy/"
]
},
"uuid": "b205584e-db93-433a-b97a-7f2e19d8c188",
"value": "XDSpy"
},
{
"description": "Evil Corp is an internaltional cybercrime network. In December of 2019 the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. Responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.",
"meta": {
"refs": [
"https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/",
"https://en.wikipedia.org/wiki/Maksim_Yakubets",
"https://www.bbc.com/news/world-us-canada-53195749"
]
},
"uuid": "c30fbdc8-b66d-4242-a02a-e01946bc86d8",
"value": "Evil Corp"
}
],
"version": 179
"version": 185
}

35
clusters/tool.json
View File

@ -8142,7 +8142,40 @@
"related": [],
"uuid": "a0a46c1b-e774-410e-a84b-020b2558d851",
"value": "Drovorub"
},
{
"description": "The adware DealPly (sometimes also referred to as IsErIk) and malicious Chrome extension ManageX, for instance, can come bundled under the guise of a legitimate installer and other potentially unwanted applications (PUAs). Because various write-ups cover Dealply or IsErik separately, the technical discussion and representation of both are discussed separately. ",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/exposing-modular-adware-how-dealply-iserik-and-managex-persist-in-systems/"
],
"synonyms": [
"DealPly",
"ManageX"
],
"type": [
"PUA"
]
},
"related": [],
"uuid": "9f9daf7b-3530-4e2d-9d2c-d1036bafc825",
"value": "IsErIk"
},
{
"description": "Attackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.",
"meta": {
"refs": [
"https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/",
"https://www.tripwire.com/state-of-security/featured/ransomware-characteristics-attack-chains-recent-campaigns/"
],
"type": [
"Loader"
]
},
"related": [],
"uuid": "2a838144-b42d-4c12-bf41-4e99de1935e9",
"value": "Vatet"
}
],
"version": 138
"version": 139
}

9
galaxies/cryptominers.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "Cryptominers is a collection of cryptomining and cryptojacking malwares.",
"icon": "optin-monster",
"name": "Cryptominers",
"namespace": "misp",
"type": "Cryptominers",
"uuid": "917734cb-6bbf-4568-83b6-ad2b912fc5e4",
"version": 3
}

9
galaxies/mitre-ics-assets.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Assets",
"icon": "certificate",
"name": "Assets",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-assets",
"uuid": "86b19468-784e-4ec9-9af9-f069aa4cf70d",
"version": 1
}

9
galaxies/mitre-ics-groups.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Groups",
"icon": "skull-crossbones",
"name": "Groups",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-groups",
"uuid": "abb28bd9-fa79-4815-b5b3-fb138f433e55",
"version": 1
}

9
galaxies/mitre-ics-levels.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Levels",
"icon": "layer-group",
"name": "Levels",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-levels",
"uuid": "34d60262-0e7d-4c91-859b-de1fa9c54ae7",
"version": 1
}

9
galaxies/mitre-ics-software.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Software",
"icon": "file-code",
"name": "Software",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-software",
"uuid": "9443a27f-f8b0-4bc7-ba88-7c023d727932",
"version": 1
}

9
galaxies/mitre-ics-tactics.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Tactics",
"icon": "chess-pawn",
"name": "Tactics",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-tactics",
"uuid": "e521606c-3c66-4621-9040-6f0f792fc999",
"version": 1
}

9
galaxies/mitre-ics-techniques.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "ATT&CK for ICS Techniques",
"icon": "user-ninja",
"name": "Techniques",
"namespace": "mitre-attack-ics",
"type": "mitre-ics-techniques",
"uuid": "99261a7e-2270-40eb-823f-834cc1ad3159",
"version": 1
}

20
galaxies/tea-matrix.json Normal file
View File

@ -0,0 +1,20 @@
{
"description": "Tea Matrix",
"icon": "map",
"kill_chain_order": {
"tea": [
"black",
"blend",
"green",
"white",
"yellow",
"oolong",
"post-fermented"
]
},
"name": "Tea Matrix",
"namespace": "tea-matrix",
"type": "tea-matrix",
"uuid": "c5f2dfb4-21a1-42d8-a452-1d3c36a204ff",
"version": 1
}

4
tools/gen_adoc_galaxy.sh
View File

@ -3,5 +3,5 @@ asciidoctor -a allow-uri-read a.txt
asciidoctor-pdf -a allow-uri-read a.txt
cp a.html ../../misp-website/galaxy.html
cp a.pdf ../../misp-website/galaxy.pdf
scp a.html circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/index.html
scp a.pdf circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/galaxy.pdf
scp -l 81920 a.html circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/index.html
scp -l 81920 a.pdf circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-galaxy/galaxy.pdf

7
tools/mitre-cti/v2.0/create_mitre-galaxy.py
View File

@ -143,11 +143,12 @@ for domain in domains:
# add the relation in the defined way
rel_source = {
"dest-uuid": dest_uuid,
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": rel_type
}
if rel_type != 'subtechnique-of':
rel_source['tags'] = [
"estimative-language:likelihood-probability=\"almost-certain\""
]
if 'related' not in all_data_uuid[source_uuid]:
all_data_uuid[source_uuid]['related'] = []
if rel_source not in all_data_uuid[source_uuid]['related']:

12
validate_all.sh
View File

@ -18,7 +18,7 @@ set -x
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 0 ]; then
echo "Please make sure you run ./jq_all_the_things.sh before commiting."
echo "ERROR: Please commit your changes, and make sure you run ./jq_all_the_things.sh before committing."
if [ $# -eq 0 ]; then
exit 1
fi
@ -31,7 +31,7 @@ find -name "*.json" -exec chmod -x "{}" \;
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 0 ]; then
echo "Please make sure you run remove the executable flag on the json files before commiting: find -name "*.json" -exec chmod -x \"{}\" \\;"
echo "ERROR: Please make sure you run remove the executable flag on the json files before committing: find -name "*.json" -exec chmod -x \"{}\" \\;"
exit 1
fi
@ -43,7 +43,7 @@ do
jsonschema -i ${dir} schema_clusters.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
echo "ERROR on ${dir}"
exit $rc
fi
echo ''
@ -55,7 +55,7 @@ do
jsonschema -i ${dir} schema_galaxies.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
echo "ERROR on ${dir}"
exit $rc
fi
echo ''
@ -67,7 +67,7 @@ do
jsonschema -i ${dir} schema_misp.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
echo "ERROR on ${dir}"
exit $rc
fi
echo ''
@ -79,7 +79,7 @@ do
jsonschema -i ${dir} schema_vocabularies.json
rc=$?
if [[ $rc != 0 ]]; then
echo "Error on ${dir}"
echo "ERROR on ${dir}"
exit $rc
fi
echo ''