add MITRE Galaxies V2.0

pull/159/head
Deborah Servili 2018-02-21 16:28:11 +01:00
parent 0c135fe86a
commit 4ddb598de4
62 changed files with 33945 additions and 8 deletions


@ -29,11 +29,26 @@ to localized information (which is not shared) or additional information (that c
- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
- [clusters/mitre_attack-pattern.json](clusters/mitre_attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_course-of-action.json](clusters/mitre_course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_intrusion-set.json](clusters/mitre_intrusion-set.json) - Intrusion Test - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_malware.json](clusters/mitre_malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_tool.json](clusters/mitre_tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre-attack-pattern.json](clusters/mitre-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-course-of-action.json](clusters/mitre-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-intrusion-set.json](clusters/mitre-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-malware.json](clusters/mitre-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-tool.json](clusters/mitre-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v1.0
- [clusters/mitre-entreprise-attack-attack-pattern.json](clusters/mitre-entreprise-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack
- [clusters/mitre-entreprise-attack-course-of-action.json](clusters/mitre-entreprise-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack
- [clusters/mitre-entreprise-attack-intrusion-set.json](clusters/mitre-entreprise-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack
- [clusters/mitre-entreprise-attack-relationship.json](clusters/mitre-entreprise-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Entreprise Attack
- [clusters/mitre-entreprise-attack-tool.json](clusters/mitre-entreprise-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Entreprise Attack
- [clusters/mitre-mobile-attack-attack-pattern.json](clusters/mitre-mobile-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-course-of-action.json](clusters/mitre-mobile-attack-course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-intrusion-set.json](clusters/mitre-mobile-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-malware.json](clusters/mitre-mobile-attack-malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-mobile-attack-relationship.json](clusters/mitre-mobile-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Mobile Attack
- [clusters/mitre-mobile-attack-tool.json](clusters/mitre-mobile-attack-tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Mobile Attack
- [clusters/mitre-pre-attack-attack-pattern.json](clusters/mitre-pre-attack-attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
- [clusters/mitre-pre-attack-intrusion-set.json](clusters/mitre-pre-attack-intrusion-set.json) - Intrusion Set - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - v2.0 Pre Attack
- [clusters/mitre-pre-attack-relationship.json](clusters/mitre-pre-attack-relationship.json) - Relationship . MITRE Relationship - V2.0 Pre Attack
- [clusters/sectors.json](clusters/sectors.json) - Activity sectors
- [clusters/cert-eu-govsector.json](clusters/cert-eu-govsector.json) - Cert EU GovSector




@ -0,0 +1,971 @@
{
"name": "Entreprise Attack -intrusion Set",
"type": "mitre-entreprise-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775",
"authors": [
"MITRE"
],
"values": [
{
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. (Citation: Kaspersky Poseidon Group)",
"value": "Poseidon Group",
"meta": {
"synonyms": [
"Poseidon Group"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0033",
"https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/"
]
},
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446"
},
{
"description": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
"value": "Group5",
"meta": {
"synonyms": [
"Group5"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0043",
"https://citizenlab.org/2016/08/group5-syria/"
]
},
"uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40"
},
{
"description": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. (Citation: Bizeul 2014) (Citation: Villeneuve 2014)",
"value": "PittyTiger",
"meta": {
"synonyms": [
"PittyTiger"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0011",
"http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html"
]
},
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647"
},
{
"description": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. (Citation: FireEye admin@338)",
"value": "admin@338",
"meta": {
"synonyms": [
"admin@338"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0018",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
]
},
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756"
},
{
"description": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). (Citation: ESET RTM Feb 2017)",
"value": "RTM",
"meta": {
"synonyms": [
"RTM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0048",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
]
},
"uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f"
},
{
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
"value": "APT16",
"meta": {
"synonyms": [
"APT16"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
]
},
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70"
},
{
"description": "is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)\n\nContributors: Alan Neville, @abnev",
"value": "Sowbug",
"meta": {
"synonyms": [
"Sowbug"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0054",
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
]
},
"uuid": "d1acfbb3-647b-4723-9154-800ec119006e"
},
{
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28",
"meta": {
"synonyms": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
},
{
"description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"value": "Winnti Group",
"meta": {
"synonyms": [
"Winnti Group",
"Blackfly"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0044",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/games-are-over/70991/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf"
]
},
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff"
},
{
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine)",
"value": "Deep Panda",
"meta": {
"synonyms": [
"Deep Panda",
"Shell Crew",
"WebMasters",
"KungFu Kittens",
"PinkPanther",
"Black Vine"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0009",
"https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
"https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-black-vine-cyberespionage-group.pdf"
]
},
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064"
},
{
"description": "Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. (Citation: DustySky) (Citation: DustySky)2",
"value": "Molerats",
"meta": {
"synonyms": [
"Molerats",
"Operation Molerats",
"Gaza Cybergang"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0021"
]
},
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411"
},
{
"description": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. (Citation: Symantec Strider Blog) (Citation: Kaspersky ProjectSauron Blog)",
"value": "Strider",
"meta": {
"synonyms": [
"Strider",
"ProjectSauron"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0041",
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
"https://securelist.com/faq-the-projectsauron-apt/75533/"
]
},
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656"
},
{
"description": "Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia. (Citation: iSIGHT Sandworm 2014)",
"value": "Sandworm Team",
"meta": {
"synonyms": [
"Sandworm Team",
"Quedagh"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0034",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"
]
},
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192"
},
{
"description": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. (Citation: FireEye FIN6 April 2016)",
"value": "FIN6",
"meta": {
"synonyms": [
"FIN6"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0037",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
]
},
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb"
},
{
"description": "Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)",
"value": "Dust Storm",
"meta": {
"synonyms": [
"Dust Storm"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0031",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op%20Dust%20Storm%20Report.pdf"
]
},
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31"
},
{
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
"value": "Cleaver",
"meta": {
"synonyms": [
"Cleaver",
"TG-2889",
"Threat Group 2889"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0003",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
]
},
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063"
},
{
"description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
"value": "APT12",
"meta": {
"synonyms": [
"APT12",
"IXESHE",
"DynCalc",
"Numbered Panda",
"DNSCALC"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
]
},
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
},
{
"description": "is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"value": "NEODYMIUM",
"meta": {
"synonyms": [
"NEODYMIUM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0055",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf"
]
},
"uuid": "025bdaa9-897d-4bad-afa6-013ba5734653"
},
{
"description": "APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways. (Citation: FireEye APT34 Dec 2017)",
"value": "APT34",
"meta": {
"synonyms": [
"APT34"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0057",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
]
},
"uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6"
},
{
"description": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. (Citation: Haq 2014)",
"value": "Moafee",
"meta": {
"synonyms": [
"Moafee"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0002",
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
]
},
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f"
},
{
"description": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017)",
"value": "Threat Group-3390",
"meta": {
"synonyms": [
"Threat Group-3390",
"TG-3390",
"Emissary Panda",
"BRONZE UNION"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0027",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://www.secureworks.com/research/bronze-union"
]
},
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c"
},
{
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)",
"value": "DragonOK",
"meta": {
"synonyms": [
"DragonOK"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0017",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
]
},
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a"
},
{
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1",
"meta": {
"synonyms": [
"APT1",
"Comment Crew",
"Comment Group",
"Comment Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
},
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662"
},
{
"description": "FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)",
"value": "FIN10",
"meta": {
"synonyms": [
"FIN10"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0051",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf"
]
},
"uuid": "fbe9387f-34e6-4828-ac28-3080020c597b"
},
{
"description": "OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2015. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook OilRig Dec 2017) Reporting on OilRig may loosely overlap with APT34, but may not wholly align due to companies tracking groups in different ways. (Citation: FireEye APT34 Dec 2017)\n\nContributors: Robert Falcone, Bryan Lee",
"value": "OilRig",
"meta": {
"synonyms": [
"OilRig"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0049",
"http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
"http://www.clearskysec.com/oilrig/",
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
"https://pan-unit42.github.io/playbook%20viewer/",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
]
},
"uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d"
},
{
"description": "is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, Rocket Kitten, resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)",
"value": "Charming Kitten",
"meta": {
"synonyms": [
"Charming Kitten"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0058",
"http://www.clearskysec.com/wp-content/uploads/2017/12/Charming%20Kitten%202017.pdf"
]
},
"uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0"
},
{
"description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)\n\nContributors: Walker Johnson",
"value": "FIN5",
"meta": {
"synonyms": [
"FIN5"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0053",
"https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html",
"https://www.youtube.com/watch?v=fevGZs0EQu8",
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?"
]
},
"uuid": "85403903-15e0-4f9f-9be4-a259ecad4022"
},
{
"description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government. (Citation: TrendMicro Taidoor)",
"value": "Taidoor",
"meta": {
"synonyms": [
"Taidoor"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0015",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20the%20taidoor%20campaign.pdf"
]
},
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46"
},
{
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
"value": "Night Dragon",
"meta": {
"synonyms": [
"Night Dragon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
]
},
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
},
{
"description": "Naikon is a threat group that has focused on targets around the South China Sea. (Citation: Baumgartner Naikon 2015) The group has been attributed to the Chinese People\u2019s Liberation Army\u2019s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). (Citation: CameraShy) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
"value": "Naikon",
"meta": {
"synonyms": [
"Naikon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0019",
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
"http://cdn2.hubspot.net/hubfs/454298/Project%20CAMERASHY%20ThreatConnect%20Copyright%202015.pdf",
"https://securelist.com/the-naikon-apt/69953/"
]
},
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050"
},
{
"description": "Ke3chang is a threat group attributed to actors operating out of China. (Citation: Villeneuve et al 2014)",
"value": "Ke3chang",
"meta": {
"synonyms": [
"Ke3chang"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0004",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
]
},
"uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c"
},
{
"description": "APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists, and has extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017)",
"value": "APT32",
"meta": {
"synonyms": [
"APT32",
"OceanLotus Group"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0050",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
"https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/"
]
},
"uuid": "247cb30b-955f-42eb-97a5-a89fef69341e"
},
{
"description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)",
"value": "Patchwork",
"meta": {
"synonyms": [
"Patchwork",
"Dropping Elephant",
"Chinastrats"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0040",
"https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling%20Patchwork.pdf",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
]
},
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0"
},
{
"description": "APT30 is a threat group suspected to be associated with the Chinese government. (Citation: FireEye APT30) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
"value": "APT30",
"meta": {
"synonyms": [
"APT30"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0013",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://securelist.com/the-naikon-apt/69953/"
]
},
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd"
},
{
"description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent. (Citation: Forcepoint Monsoon) Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010. (Citation: Operation Hangover May 2013)",
"value": "MONSOON",
"meta": {
"synonyms": [
"MONSOON",
"Operation Hangover"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0042",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling%20an%20Indian%20Cyberattack%20Infrastructure.pdf"
]
},
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772"
},
{
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)",
"value": "APT17",
"meta": {
"synonyms": [
"APT17",
"Deputy Dog"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
]
},
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae"
},
{
"description": "FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware. It is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017)",
"value": "FIN7",
"meta": {
"synonyms": [
"FIN7"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0046",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
]
},
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc"
},
{
"description": "APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\n (Citation: APT3 Adversary Emulation Plan)",
"value": "APT3",
"meta": {
"synonyms": [
"APT3",
"Gothic Panda",
"Pirpi",
"UPS Team",
"Buckeye",
"Threat Group-0110",
"TG-0110"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0022",
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"https://www.recordedfuture.com/chinese-mss-behind-apt3/",
"https://www.fireeye.com/blog/threat-research/2014/11/operation%20doubletap.html",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://attack.mitre.org/w/img%20auth.php/6/6c/APT3%20Adversary%20Emulation%20Plan.pdf"
]
},
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9"
},
{
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)",
"value": "GCMAN",
"meta": {
"synonyms": [
"GCMAN"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0036",
"https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/"
]
},
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f"
},
{
"description": "Lazarus Group is a threat group that has been attributed to the North Korean government. (Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)",
"value": "Lazarus Group",
"meta": {
"synonyms": [
"Lazarus Group",
"HIDDEN COBRA",
"Guardians of Peace",
"ZINC",
"NICKEL ACADEMY"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0032",
"https://www.us-cert.gov/ncas/alerts/TA17-164A",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
]
},
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a"
},
{
"description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)",
"value": "Lotus Blossom",
"meta": {
"synonyms": [
"Lotus Blossom",
"Spring Dragon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0030",
"https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
]
},
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7"
},
{
"description": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)",
"value": "Equation",
"meta": {
"synonyms": [
"Equation"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0020",
"https://securelist.com/files/2015/02/Equation%20group%20questions%20and%20answers.pdf"
]
},
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9"
},
{
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center Wi\u2011Fi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. (Citation: Kaspersky Darkhotel)",
"value": "Darkhotel",
"meta": {
"synonyms": [
"Darkhotel"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0012",
"https://securelist.com/files/2014/11/darkhotel%20kl%2007.11.pdf"
]
},
"uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383"
},
{
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. The group appeared to decrease activity following public exposure in 2014, and re-emerged in late 2015 through 2017. (Citation: Symantec Dragonfly) (Citation: Symantec Dragonfly) Sept 2017",
"value": "Dragonfly",
"meta": {
"synonyms": [
"Dragonfly",
"Energetic Bear"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0035",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf"
]
},
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1"
},
{
"description": "Suckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)",
"value": "Suckfly",
"meta": {
"synonyms": [
"Suckfly"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0039",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
]
},
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d"
},
{
"description": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)",
"value": "Stealth Falcon",
"meta": {
"synonyms": [
"Stealth Falcon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0038",
"https://citizenlab.org/2016/05/stealth-falcon/"
]
},
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8"
},
{
"description": "BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)",
"value": "BRONZE BUTLER",
"meta": {
"synonyms": [
"BRONZE BUTLER",
"REDBALDKNIGHT",
"Tick"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0060",
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
]
},
"uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90"
},
{
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)",
"value": "Scarlet Mimic",
"meta": {
"synonyms": [
"Scarlet Mimic"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0029",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
]
},
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7"
},
{
"description": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)",
"value": "Threat Group-1314",
"meta": {
"synonyms": [
"Threat Group-1314",
"TG-1314"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0028",
"http://www.secureworks.com/resources/blog/living-off-the-land/"
]
},
"uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983"
},
{
"description": "Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. They are known for conducting watering hole and spearphishing campaigns. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017)",
"value": "Turla",
"meta": {
"synonyms": [
"Turla",
"Waterbug",
"WhiteBear"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0010",
"https://securelist.com/the-epic-turla-operation/65545/",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
]
},
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6"
},
{
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)",
"value": "APT29",
"meta": {
"synonyms": [
"APT29",
"The Dukes",
"Cozy Bear",
"CozyDuke"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0016",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
]
},
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542"
},
{
"description": "menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017)",
"value": "menuPass",
"meta": {
"synonyms": [
"menuPass",
"Stone Panda",
"APT10",
"Red Apollo",
"CVNX"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0045",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10%20menupass%20grou.html"
]
},
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f"
},
{
"description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA\u2019s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)",
"value": "Putter Panda",
"meta": {
"synonyms": [
"Putter Panda",
"APT2",
"MSUpdater"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0024",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
]
},
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45"
},
{
"description": " (Citation: Axiom) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Axiom) Though both this group and Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"value": "Axiom",
"meta": {
"synonyms": [
"Axiom",
"Group 72"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0001",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/games-are-over/70991/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf"
]
},
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973"
},
{
"description": "Magic Hound is an espionage campaign operating primarily in the Middle East that dates back to at least mid-2016. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. (Citation: Unit 42 Magic Hound Feb 2017)\n\nContributors: Bryan Lee",
"value": "Magic Hound",
"meta": {
"synonyms": [
"Magic Hound",
"Rocket Kitten",
"Operation Saffron Rose",
"Ajax Security Team",
"Operation Woolen-Goldfish",
"Newscaster",
"Cobalt Gypsy"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0059",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
]
},
"uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13"
},
{
"description": "is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"value": "PROMETHIUM",
"meta": {
"synonyms": [
"PROMETHIUM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0056",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf"
]
},
"uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c"
},
{
"description": "Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: Kaspersky Carbanak) (Citation: FireEye FIN7 April 2017)\n\nContributors: Anastasios Pingios",
"value": "Carbanak",
"meta": {
"synonyms": [
"Carbanak",
"Anunak",
"Carbon Spider"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0008",
"https://securelist.com/files/2015/02/Carbanak%20APT%20eng.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
]
},
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c"
},
{
"description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)",
"value": "APT18",
"meta": {
"synonyms": [
"APT18",
"Threat Group-0416",
"TG-0416",
"Dynamite Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0026",
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
]
},
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648"
},
{
"description": "CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)",
"value": "CopyKittens",
"meta": {
"synonyms": [
"CopyKittens"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0052",
"http://www.clearskysec.com/copykitten-jpost/",
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation%20Wilted%20Tulip.pdf",
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
]
},
"uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a"
},
{
"description": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. (Citation: Palo Alto Gamaredon Feb 2017)",
"value": "Gamaredon Group",
"meta": {
"synonyms": [
"Gamaredon Group"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0047",
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
]
},
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf"
}
]
}


@ -0,0 +1,527 @@
{
"name": "Entreprise Attack - Tool",
"type": "mitre-entreprise-attack-tool",
"description": "Name of ATT&CK software",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e",
"authors": [
"MITRE"
],
"values": [
{
"description": "at is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)\n\nAliases: at, at.exe",
"value": "at",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
],
"synonyms": [
"at",
"at.exe"
]
},
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952"
},
{
"description": "route can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)\n\nAliases: route, route.exe",
"value": "route",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
],
"synonyms": [
"route",
"route.exe"
]
},
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de"
},
{
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)\n\nAliases: Tasklist",
"value": "Tasklist",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"synonyms": [
"Tasklist"
]
},
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
{
"description": "Windows Credential Editor is a password dumping tool. (Citation: Amplia WCE)\n\nAliases: Windows Credential Editor, WCE",
"value": "Windows Credential Editor",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
"http://www.ampliasecurity.com/research/wcefaq.html"
],
"synonyms": [
"Windows Credential Editor",
"WCE"
]
},
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
{
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)\n\nAliases: Responder",
"value": "Responder",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0174",
"https://github.com/SpiderLabs/Responder"
],
"synonyms": [
"Responder"
]
},
"uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719"
},
{
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)\n\nAliases: schtasks, schtasks.exe",
"value": "schtasks",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
],
"synonyms": [
"schtasks",
"schtasks.exe"
]
},
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
},
{
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)\n\nAliases: UACMe",
"value": "UACMe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
],
"synonyms": [
"UACMe"
]
},
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
},
{
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)\n\nAliases: ifconfig",
"value": "ifconfig",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"synonyms": [
"ifconfig"
]
},
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
},
{
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)\n\nAliases: Mimikatz\n\nContributors: Vincent Le Toux",
"value": "Mimikatz",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
"https://github.com/gentilkiwi/mimikatz",
"https://adsecurity.org/?page%20id=1821"
],
"synonyms": [
"Mimikatz"
]
},
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
{
"description": " (Citation: xCmd) is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. (Citation: xCmd)\n\nAliases: (Citation: xCmd)",
"value": "xCmd",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
],
"synonyms": [
"xCmd"
]
},
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
},
{
"description": "is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)\n\nAliases: MimiPenguin\n\nContributors: Vincent Le Toux",
"value": "MimiPenguin",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0179",
"https://github.com/huntergregal/mimipenguin"
],
"synonyms": [
"MimiPenguin"
]
},
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27"
},
{
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)\n\nAliases: Systeminfo, systeminfo.exe",
"value": "Systeminfo",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"synonyms": [
"Systeminfo",
"systeminfo.exe"
]
},
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
{
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)\n\nAliases: netsh, netsh.exe",
"value": "netsh",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
],
"synonyms": [
"netsh",
"netsh.exe"
]
},
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
{
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"value": "dsquery",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
],
"synonyms": [
"dsquery",
"dsquery.exe"
]
},
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe"
},
{
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)\n\nAliases: gsecdump",
"value": "gsecdump",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
"https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump%20v2.0b5"
],
"synonyms": [
"gsecdump"
]
},
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
{
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)\n\nAliases: Ping, ping.exe",
"value": "Ping",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"synonyms": [
"Ping",
"ping.exe"
]
},
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
},
{
"description": "Fgdump is a Windows password hash dumper. (Citation: Mandiant APT1)\n\nAliases: Fgdump",
"value": "Fgdump",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Fgdump"
]
},
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe"
},
{
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)\n\nAliases: Lslsass",
"value": "Lslsass",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Lslsass"
]
},
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
},
{
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)\n\nAliases: Pass-The-Hash Toolkit",
"value": "Pass-The-Hash Toolkit",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Pass-The-Hash Toolkit"
]
},
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
},
{
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)\n\nAliases: FTP, ftp.exe",
"value": "FTP",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
"https://en.wikipedia.org/wiki/File%20Transfer%20Protocol"
],
"synonyms": [
"FTP",
"ftp.exe"
]
},
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
},
{
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)\n\nAliases: ipconfig, ipconfig.exe",
"value": "ipconfig",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"synonyms": [
"ipconfig",
"ipconfig.exe"
]
},
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
{
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)\n\nAliases: nbtstat, nbtstat.exe",
"value": "nbtstat",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
],
"synonyms": [
"nbtstat",
"nbtstat.exe"
]
},
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea"
},
{
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"value": "HTRAN",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
],
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
]
},
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
},
{
"description": "Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)\n\nAliases: Tor",
"value": "Tor",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0183",
"http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf"
],
"synonyms": [
"Tor"
]
},
"uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68"
},
{
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)\n\nAliases: netstat, netstat.exe",
"value": "netstat",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"synonyms": [
"netstat",
"netstat.exe"
]
},
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
{
"description": "pwdump is a credential dumper. (Citation: Wikipedia pwdump)\n\nAliases: pwdump",
"value": "pwdump",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"synonyms": [
"pwdump"
]
},
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
},
{
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a system\u2019s registry. (Citation: Mandiant APT1)\n\nAliases: Cachedump",
"value": "Cachedump",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"Cachedump"
]
},
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
},
{
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\nNet has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"value": "Net",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914",
"http://windowsitpro.com/windows/netexe-reference"
],
"synonyms": [
"Net",
"net.exe"
]
},
"uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
{
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)\n\nAliases: PsExec",
"value": "PsExec",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
],
"synonyms": [
"PsExec"
]
},
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
{
"description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)\n\nAliases: certutil, certutil.exe",
"value": "certutil",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0160",
"https://technet.microsoft.com/library/cc732443.aspx"
],
"synonyms": [
"certutil",
"certutil.exe"
]
},
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc"
},
{
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)\n\nAliases: Arp, arp.exe",
"value": "Arp",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
],
"synonyms": [
"Arp",
"arp.exe"
]
},
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252"
},
{
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy)).\n\nAliases: cmd, cmd.exe",
"value": "cmd",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
"https://technet.microsoft.com/en-us/library/bb490880.aspx",
"https://technet.microsoft.com/en-us/library/cc755121.aspx",
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx"
],
"synonyms": [
"cmd",
"cmd.exe"
]
},
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
{
"description": "is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.\n\nAliases: meek",
"value": "meek",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0175"
],
"synonyms": [
"meek"
]
},
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830"
},
{
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as Reg are known to be used by persistent threats. (Citation: Windows Commands JPCERT)\n\nAliases: Reg, reg.exe",
"value": "Reg",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
],
"synonyms": [
"Reg",
"reg.exe"
]
},
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
{
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike",
"value": "Cobalt Strike",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0154",
"https://cobaltstrike.com/downloads/csmanual38.pdf"
],
"synonyms": [
"Cobalt Strike"
]
},
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39"
}
]
}
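Review bot: Three entries in this file lost their subject name during conversion: the xCmd description reads ` (Citation: xCmd) is an open source tool…` with `Aliases: (Citation: xCmd)`, and the MimiPenguin and meek descriptions begin with `is a credential dumper…` and `is an open-source Tor plugin…`. This looks like the importer dropped the MITRE entity-name markup instead of rendering it, so the fix presumably belongs in the conversion script followed by a regeneration rather than hand edits; the intrusion-set file above shows the same pattern on its Axiom and PROMETHIUM entries. Separately, `"type": "mitre-entreprise-attack-tool"` and `"name": "Entreprise Attack - Tool"` misspell "Enterprise" (the mobile file below uses the expected `mitre-mobile-attack-…` form); since `type` is the key that galaxy definitions and downstream consumers bind on, renaming it after release would break existing references, so it is worth correcting before merge.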


@ -0,0 +1,97 @@
{
"name": "Mobile Attack - Course of Action",
"type": "mitre-mobile-attack-course-of-action",
"description": "ATT&CK Mitigation",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "03956f9e-1708-11e8-8395-976b24233e15",
"authors": [
"MITRE"
],
"values": [
{
"description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.",
"value": "Deploy Compromised Device Detection Method",
"meta": {},
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433"
},
{
"description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).",
"value": "Interconnection Filtering",
"meta": {},
"uuid": "e829ee51-1caf-4665-ba15-7f8979634124"
},
{
"description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.",
"value": "Use Device-Provided Credential Storage",
"meta": {},
"uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c"
},
{
"description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.",
"value": "Use Recent OS Version",
"meta": {},
"uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564"
},
{
"description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n* On Android devices, access can be controlled based on each device's security patch level.\n* On iOS devices, access can be controlled based on the iOS version.",
"value": "Security Updates",
"meta": {},
"uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d"
},
{
"description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.",
"value": "Lock Bootloader",
"meta": {},
"uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58"
},
{
"description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.",
"value": "System Partition Integrity",
"meta": {},
"uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321"
},
{
"description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
"value": "Attestation",
"meta": {},
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c"
},
{
"description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.",
"value": "Caution with Device Administrator Access",
"meta": {},
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9"
},
{
"description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
"value": "Application Developer Guidance",
"meta": {},
"uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1"
},
{
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as Detect App Analysis Environment exist that can enable adversaries to bypass vetting.",
"value": "Application Vetting",
"meta": {},
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d"
},
{
"description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.",
"value": "User Guidance",
"meta": {},
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1"
},
{
"description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.",
"value": "Enterprise Policy",
"meta": {},
"uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee"
},
{
"description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.",
"value": "Encrypt Network Traffic",
"meta": {},
"uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8"
}
]
}
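Review bot: Every entry in this course-of-action cluster carries `"meta": {}`, while the sibling malware, tool and intrusion-set clusters in the same commit populate `meta.refs` with the attack.mitre.org entry URL; the descriptions here cite sources by key (`(Citation: CSRIC5-WG10-FinalReport)` on Interconnection Filtering, `(Citation: TechCrunch-ATS)` and `(Citation: Android-NetworkSecurityConfig)` on Encrypt Network Traffic) that nothing in the file resolves. A consumer of the galaxy therefore gets mitigation text with dangling citations and no link back to the MITRE mitigation page. If the conversion script has the external_references of the STIX course-of-action objects, emitting them as `"refs": ["<attack.mitre.org mitigation URL>"]` (placeholder) per entry would make this cluster consistent with the others.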


@ -0,0 +1,37 @@
{
"name": "Mobile Attack - intrusion Set",
"type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53",
"authors": [
"MITRE"
],
"values": [
{
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28",
"meta": {
"synonyms": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
}
]
}
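Review bot: The APT28 entry's `"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"` is the same uuid the Pre Attack intrusion-set cluster gives APT28 (L2299 on this page), and the Pre Attack relationship cluster refers to it by `source-uuid` (L2401). As far as I know MISP keys galaxy cluster values by uuid, so importing both clusters is likely to collide or leave the relationship ambiguous about which galaxy's object it targets; the uuid is inherited from the upstream STIX id, so either the per-domain group clusters need to be merged into one intrusion-set cluster or the per-domain copies need derived uuids. Worth confirming how the importer behaves before this lands. Separately, `"name": "Mobile Attack - intrusion Set"` is the only cluster name on the page with a lower-case word; `"Mobile Attack - Intrusion Set"` matches the others.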


@ -0,0 +1,511 @@
{
"name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f",
"authors": [
"MITRE"
],
"values": [
{
"description": "AndroRAT \"allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.\" (Citation: Lookout-EnterpriseApps)\n\nAliases: AndroRAT",
"value": "AndroRAT",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0008",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"synonyms": [
"AndroRAT"
]
},
"uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.Agent.ao",
"value": "Trojan-SMS.AndroidOS.Agent.ao",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0023",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.Agent.ao"
]
},
"uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17"
},
{
"description": "DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB (Citation: PaloAlto-DualToy).\n\nAliases: DualToy",
"value": "DualToy",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0031"
],
"synonyms": [
"DualToy"
]
},
"uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878"
},
{
"description": "On jailbroken iOS devices, (Citation: KeyRaider) steals Apple account credentials and other data. It \"also has built-in functionality to hold iOS devices for ransom.\" (Citation: KeyRaider)\n\nAliases: (Citation: KeyRaider)",
"value": "KeyRaider",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0004",
"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
],
"synonyms": [
"KeyRaider"
]
},
"uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50"
},
{
"description": "Brain Test is a family of Android malware described by CheckPoint (Citation: CheckPoint-BrainTest) and Lookout (Citation: Lookout-BrainTest).\n\nAliases: BrainTest",
"value": "BrainTest",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0009",
"http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/",
"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
],
"synonyms": [
"BrainTest"
]
},
"uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e"
},
{
"description": "Lookout states that some variants of the Shedun, Shuanet, and ShiftyBug/Kemoge Android malware families \"have 71 percent to 82 percent code similarity\" (Citation: Lookout-Adware), even though they \"don\u2019t believe these apps were all created by the same author or group\".\n\nAliases: Shedun, Shuanet, ShiftyBug, Kemoge",
"value": "Shedun",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0010",
"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
],
"synonyms": [
"Shedun",
"Shuanet",
"ShiftyBug",
"Kemoge"
]
},
"uuid": "c80a6bef-b3ce-44d0-b113-946e93124898"
},
{
"description": "Android malware family analyzed by Trend Micro (Citation: TrendMicro-DressCode)\n\nAliases: DressCode",
"value": "DressCode",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0016",
"http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
],
"synonyms": [
"DressCode"
]
},
"uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca"
},
{
"description": "Adups, software pre-installed onto Android devices including those made by BLU Products, reportedly transmitted sensitive data to a Chinese server. The capability was reportedly designed \"to help a Chinese phone manufacturer monitor user behavior\" and \"was not intended for American phones\". (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor).\n\nAliases: Adups",
"value": "Adups",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0025",
"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html",
"http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
],
"synonyms": [
"Adups"
]
},
"uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf"
},
{
"description": "Discovered by Lookout (Citation: Lookout-Pegasus) and Citizen Lab (Citation: PegasusCitizenLab), Pegasus escalates privileges on iOS devices and uses its privileged access to collect a variety of sensitive information.\n\nAliases: Pegasus",
"value": "Pegasus",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0005",
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf",
"https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
],
"synonyms": [
"Pegasus"
]
},
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a"
},
{
"description": "RuMMS is a family of Android malware (Citation: FireEye-RuMMS).\n\nAliases: RuMMS",
"value": "RuMMS",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0029",
"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
],
"synonyms": [
"RuMMS"
]
},
"uuid": "936be60d-90eb-4c36-9247-4b31128432c4"
},
{
"description": "HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android (Citation: ArsTechnica-HummingBad).\n\nAliases: HummingBad",
"value": "HummingBad",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0038",
"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
],
"synonyms": [
"HummingBad"
]
},
"uuid": "c8770c81-c29f-40d2-a140-38544206b2b4"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.OpFake.a",
"value": "Trojan-SMS.AndroidOS.OpFake.a",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0024",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.OpFake.a"
]
},
"uuid": "d89c132d-7752-4c7f-9372-954a71522985"
},
{
"description": "Android malware family analyzed by Lookout (Citation: Lookout-Dendroid).\n\nAliases: Dendroid",
"value": "Dendroid",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0017",
"https://blog.lookout.com/blog/2014/03/06/dendroid/"
],
"synonyms": [
"Dendroid"
]
},
"uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e"
},
{
"description": "Android malware analyzed by Scandinavian security group CSIS as described in a Tripwire post (Citation: Tripwire-MazarBOT).\n\nAliases: MazarBOT",
"value": "MazarBOT",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0019",
"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
],
"synonyms": [
"MazarBOT"
]
},
"uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9"
},
{
"description": "The (Citation: Gooligan) malware family, revealed by Check Point, runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal \"authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.\" (Citation: Gooligan)\n\nGoogle (Citation: Ludwig-GhostPush) and LookoutLookout- (Citation: Gooligan) describe (Citation: Gooligan) as part of the Ghost Push Android malware family.\n\nAliases: (Citation: Gooligan)",
"value": "Gooligan",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0006",
"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/",
"https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"
],
"synonyms": [
"Gooligan"
]
},
"uuid": "20d56cd6-8dff-4871-9889-d32d254816de"
},
{
"description": "OldBoot is a family of Android malware described in a report from The Hacker News (Citation: HackerNews-OldBoot).\n\nAliases: OldBoot",
"value": "OldBoot",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0001",
"http://thehackernews.com/2014/01/first-widely-distributed-android.html"
],
"synonyms": [
"OldBoot"
]
},
"uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc"
},
{
"description": "WireLurker is a family of macOS malware that targets iOS devices connected over USB (Citation: PaloAlto-WireLurker).\n\nAliases: WireLurker",
"value": "WireLurker",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0028"
],
"synonyms": [
"WireLurker"
]
},
"uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb"
},
{
"description": "Android remote access trojan (RAT) that has been observed to pose as legitimate applications including the Super Mario Run (Citation: Zscaler-SuperMarioRun) and Pokemon GO games (Citation: Proofpoint-Droidjack).\n\nAliases: DroidJack RAT",
"value": "DroidJack RAT",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0036",
"https://www.zscaler.com/blogs/research/super-mario-run-malware-2-\u2013-droidjack-rat",
"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
],
"synonyms": [
"DroidJack RAT"
]
},
"uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1"
},
{
"description": "The HummingWhale Android malware family \"includes new virtual machine techniques that allow the malware to perform ad fraud better than ever\". (Citation: ArsTechnica-HummingWhale)\n\nAliases: HummingWhale",
"value": "HummingWhale",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0037",
"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
],
"synonyms": [
"HummingWhale"
]
},
"uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f"
},
{
"description": "ANDROIDOS_ANSERVER.A is Android malware novel for using encrypted content within a blog site for command and control (Citation: TrendMicro-Anserver).\n\nAliases: ANDROIDOS_ANSERVER.A",
"value": "ANDROIDOS_ANSERVER.A",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0026",
"http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
],
"synonyms": [
"ANDROIDOS_ANSERVER.A"
]
},
"uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.FakeInst.a",
"value": "Trojan-SMS.AndroidOS.FakeInst.a",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0022",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"synonyms": [
"Trojan-SMS.AndroidOS.FakeInst.a"
]
},
"uuid": "28e39395-91e7-4f02-b694-5e079c964da9"
},
{
"description": "Android malware family analyzed by Lookout (Citation: Lookout-NotCompatible)\n\nAliases: NotCompatible",
"value": "NotCompatible",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0015",
"https://blog.lookout.com/blog/2014/11/19/notcompatible/"
],
"synonyms": [
"NotCompatible"
]
},
"uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe"
},
{
"description": "The X-Agent Android malware was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data for where it was used and hence the potential location of Ukrainian artillery (Citation: CrowdStrike-Android).\n\nAliases: X-Agent",
"value": "X-Agent",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0030",
"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
],
"synonyms": [
"X-Agent"
]
},
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c"
},
{
"description": "Twitoor is a family of Android malware described by ESET (Citation: ESET-Twitoor).\n\nAliases: Twitoor",
"value": "Twitoor",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0018",
"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
],
"synonyms": [
"Twitoor"
]
},
"uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c"
},
{
"description": "OBAD is a family of Android malware (Citation: TrendMicro-Obad).\n\nAliases: OBAD",
"value": "OBAD",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0002",
"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
],
"synonyms": [
"OBAD"
]
},
"uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde"
},
{
"description": "As reported by Kaspersky (Citation: Kaspersky-WUC), a spear phishing message was sent to activist groups containing a malicious Android application as an attachment.\n\nAliases: Android/Chuli.A",
"value": "Android/Chuli.A",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0020",
"https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
],
"synonyms": [
"Android/Chuli.A"
]
},
"uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533"
},
{
"description": "According to Lookout (Citation: Lookout-EnterpriseApps), the PJApps Android malware family \"may collect and leak the victim\u2019s phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.\"\n\nAliases: PJApps",
"value": "PJApps",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0007",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"synonyms": [
"PJApps"
]
},
"uuid": "c709da93-20c3-4d17-ab68-48cba76b2137"
},
{
"description": "Android malware analyzed by FireEye (Citation: FireEye-AndroidOverlay).\nAccording to their analysis, \"three campaigns in Europe used view overlay techniques...to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.\"\n\nAliases: AndroidOverlayMalware",
"value": "AndroidOverlayMalware",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0012",
"https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
],
"synonyms": [
"AndroidOverlayMalware"
]
},
"uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7"
},
{
"description": "As described by Palo Alto Networks (Citation: ZergHelper), the (Citation: ZergHelper) app uses techniques to evade Apple's App Store review process for itself and uses techniques to install additional applications that are not in Apple's App Store.\n\nAliases: (Citation: ZergHelper)",
"value": "ZergHelper",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0003",
"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
],
"synonyms": [
"ZergHelper"
]
},
"uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0"
},
{
"description": "SpyNote RAT (Citation: Zscaler-SpyNote) (Remote Access Trojan) is a family of malicious Android apps. The \"SpyNote RAT builder\" tool can be used to develop malicious apps with the SpyNote RAT functionality.\n\nAliases: SpyNote RAT",
"value": "SpyNote RAT",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0021",
"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
],
"synonyms": [
"SpyNote RAT"
]
},
"uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23"
},
{
"description": " (Citation: RCSAndroid) (Citation: RCSAndroid) is Android malware allegedly distributed by Hacking Team.\n\nAliases: (Citation: RCSAndroid)",
"value": "RCSAndroid",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0011",
"https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
],
"synonyms": [
"RCSAndroid"
]
},
"uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b"
},
{
"description": "The Charger Android malware steals \"steals contacts and SMS messages from the user's device\". It also \"asks for admin permissions\" and \"[i]f granted, the ransomware locks the device and displays a message demanding payment\". (Citation: CheckPoint-Charger)\n\nAliases: Charger",
"value": "Charger",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0039",
"http://blog.checkpoint.com/2017/01/24/charger-malware/"
],
"synonyms": [
"Charger"
]
},
"uuid": "d1c600f8-0fb6-4367-921b-85b71947d950"
},
{
"description": "iOS malware that \"is different from previous seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices\" and \"abuses private APIs in the iOS system to implement malicious functionalities\" (Citation: PaloAlto-YiSpecter).\n\nAliases: YiSpecter",
"value": "YiSpecter",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0027"
],
"synonyms": [
"YiSpecter"
]
},
"uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9"
},
{
"description": "Discovered and analyzed by Lookout (Citation: Lookout-PegasusAndroid) and Google (Citation: Google-Chrysaor), Pegasus for Android (also known as Chrysaor) is spyware that was used in targeted attacks. Pegasus for Android does not use zero day vulnerabilities. It attempts to escalate privileges using well-known vulnerabilities, and even if the attempts fail, it still performs some subset of spyware functions that do not require escalated privileges.\n\nAliases: Pegasus for Android, Chrysaor",
"value": "Pegasus for Android",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0032",
"https://blog.lookout.com/blog/2017/04/03/pegasus-android/",
"https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
],
"synonyms": [
"Pegasus for Android",
"Chrysaor"
]
},
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c"
},
{
"description": "iOS malware analyzed by Palo Alto Networks (Citation: (Citation: PaloAlto-XcodeGhost)1) (Citation: PaloAlto-XcodeGhost)\n\nAliases: XcodeGhost",
"value": "XcodeGhost",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0013",
"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/",
"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
],
"synonyms": [
"XcodeGhost"
]
},
"uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9"
}
]
}
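Review bot: Several descriptions in this malware cluster have the software's own name replaced by a citation token, which looks like an artifact of the STIX-to-galaxy conversion rather than MITRE's text: KeyRaider (L1755) reads `On jailbroken iOS devices, (Citation: KeyRaider) steals ...` and ends with `Aliases: (Citation: KeyRaider)`, and the same happens for Gooligan (L1915, including the fused `LookoutLookout- (Citation: Gooligan)`), ZergHelper (L2112), RCSAndroid (L2140, ` (Citation: RCSAndroid) (Citation: RCSAndroid) is Android malware`) and XcodeGhost (L2197, `(Citation: (Citation: PaloAlto-XcodeGhost)1)`). The pattern suggests the script substitutes `(Citation: X)` for every occurrence of a citation key in the text, and these names coincide with their own citation keys. Restricting the substitution to the source's citation markup, or skipping it when the key equals the object's name, would keep the description and the `Aliases:` line consistent with the `synonyms` arrays, which are correct here.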



@ -0,0 +1,27 @@
{
"name": "Mobile Attack - Tool",
"type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "02cee87e-1708-11e8-8f15-8b33e4d6194b",
"authors": [
"MITRE"
],
"values": [
{
"description": "Xbot is a family of Android malware analyzed by Palo Alto Networks (Citation: PaloAlto-Xbot) that \"tries to steal victims' banking credentials and credit card information\", \"can also remotely lock infected Android devices, encrypt the user's files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom\" and \"will steal all SMS message and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.\"\n\nAliases: Xbot",
"value": "Xbot",
"meta": {
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0014",
"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
],
"synonyms": [
"Xbot"
]
},
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4"
}
]
}
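Review bot: The only entry here, Xbot, is described as `a family of Android malware` that steals banking credentials and ransoms the device, yet it sits in the tool cluster rather than in `mitre-mobile-attack-malware`, where entries with equivalent descriptions (DualToy, Charger) live. This presumably mirrors the upstream STIX object type (tool vs malware) and may be correct by construction, but the cluster `description` should say so, e.g. `Name of ATT&CK software (STIX 'tool' objects; 'malware' objects are in the malware cluster)`, so that consumers do not read the split as a judgement about capability.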



@ -0,0 +1,132 @@
{
"name": "Pre Attack - intrusion Set",
"type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f",
"authors": [
"MITRE"
],
"values": [
{
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
"value": "APT16",
"meta": {
"synonyms": [
"APT16"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
]
},
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70"
},
{
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28",
"meta": {
"synonyms": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
},
{
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
"value": "Cleaver",
"meta": {
"synonyms": [
"Cleaver",
"TG-2889",
"Threat Group 2889"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0003",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
]
},
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063"
},
{
"description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
"value": "APT12",
"meta": {
"synonyms": [
"APT12",
"IXESHE",
"DynCalc",
"Numbered Panda",
"DNSCALC"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
]
},
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
},
{
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1",
"meta": {
"synonyms": [
"APT1",
"Comment Crew",
"Comment Group",
"Comment Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
},
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662"
},
{
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
"value": "Night Dragon",
"meta": {
"synonyms": [
"Night Dragon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
]
},
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
},
{
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)",
"value": "APT17",
"meta": {
"synonyms": [
"APT17",
"Deputy Dog"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
]
},
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae"
}
]
}
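Review bot: The cluster-level `"description": "Name of ATT&CK Group"` reads as a field label rather than a description of what the cluster holds; the same string is reused for the mobile intrusion-set cluster (L1664), and the malware and tool clusters use `Name of ATT&CK software`. Something like `Intrusion sets (adversary groups) from MITRE PRE-ATT&CK` would tell a MISP user what they are enabling. On style, the entries here list `synonyms` before `refs` while the malware and tool clusters emit `refs` first; one order across the generated clusters makes diffs between releases easier to read.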


@ -0,0 +1,925 @@
{
"name": "Pre Attack - Relationship",
"type": "mitre-pre-attack-relationship",
"description": "MITRE Relationship",
"version": 1,
"source": "https://github.com/mitre/cti",
"uuid": "1ffd3108-1708-11e8-9f98-67b378d9094c",
"authors": [
"MITRE"
],
"values": [
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "58d0b955-ae3d-424a-a537-2804dab38793"
},
"uuid": "1eed277b-a2a7-43f9-bf12-6e30abf0841a",
"value": "APT28 uses Unconditional client-side exploitation/Injected Website/Driveby"
},
{
"meta": {
"source-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d",
"target-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33"
},
"uuid": "4a69750c-47d5-40f5-b753-c6bb2a27a359",
"value": "Friend/Follow/Connect to targets of interest related-to Friend/Follow/Connect to targets of interest"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "15ef4da5-3b93-4bb1-a39a-5396661956d3"
},
"uuid": "2b6a71e4-e5d5-41d2-a193-9a95c94dc924",
"value": "APT1 uses Build and configure delivery systems"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "57723021-1eb3-4bf2-86eb-fdbf8a1b8125",
"value": "Night Dragon uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92"
},
"uuid": "a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0",
"value": "Night Dragon uses Remote access tool development"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92"
},
"uuid": "307e24f8-4d7c-49a8-88f6-fb0a99fe8ff4",
"value": "APT16 uses Assess targeting options"
},
{
"meta": {
"source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
"target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc"
},
"uuid": "2dbdcf5e-af75-4f92-b4ad-942a06aab259",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "f4c5d1d9-8f0e-46f1-a9fa-f9a440926046"
},
"uuid": "9af7194c-1eea-4aef-bab1-49bd29be069c",
"value": "APT1 uses Confirmation of launched compromise achieved"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "89a79d91-53e0-4ef5-ba28-558cb8b01f76"
},
"uuid": "f6dd74d9-ed02-4fe4-aff6-9ef25906592f",
"value": "Night Dragon uses Identify groups/roles"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "271e6d40-e191-421a-8f87-a8102452c201"
},
"uuid": "614f64d8-c221-4789-b1e1-787e9326a37b",
"value": "APT17 uses Develop social network persona digital footprint"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "84943231-1b44-4029-ae09-0dbf05440bef",
"value": "APT1 uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "d3999268-740f-467e-a075-c82e2d04be62"
},
"uuid": "51d03816-347c-4716-9524-da99a58f5ea6",
"value": "APT1 uses Assess leadership areas of interest"
},
{
"meta": {
"source-uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1"
},
"uuid": "ad510f42-e745-42d0-8b54-4bf7a2f3cf34",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
},
"uuid": "ab356c7a-6922-4143-90eb-5be632e2f6cd",
"value": "Cleaver uses Build social network persona"
},
{
"meta": {
"source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
"target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407"
},
"uuid": "ab313887-ff00-4aa9-8edb-ab107c517c19",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "edb31962-2310-4618-bd4f-d34f8e7d58e8",
"value": "APT16 uses Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "286cc500-4291-45c2-99a1-e760db176402"
},
"uuid": "0adf353d-688b-46ce-88bb-62a008675fe0",
"value": "Night Dragon uses Acquire and/or use 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64"
},
"uuid": "e95ea206-3962-43af-aac1-042ac9928679",
"value": "Night Dragon uses Identify gap areas"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234"
},
"uuid": "b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb",
"value": "Cleaver uses Create custom payloads"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "c860af4a-376e-46d7-afbf-262c41012227"
},
"uuid": "26bf68a4-af3c-4d39-bad3-5f0ce824f4a3",
"value": "APT28 uses Determine operational element"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "45242287-2964-4a3e-9373-159fad4d8195"
},
"uuid": "3d65fc7e-87a5-4113-bd9c-09453fba4d1e",
"value": "APT28 uses Buy domain name"
},
{
"meta": {
"source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84"
},
"uuid": "22d4f32c-63c1-400f-8e2c-10e4a200d133",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a",
"target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549"
},
"uuid": "ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80",
"value": "Identify business relationships related-to Identify business relationships"
},
{
"meta": {
"source-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549",
"target-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a"
},
"uuid": "9524754d-7743-47b3-8395-3cbfb633c020",
"value": "Identify business relationships related-to Identify business relationships"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "271e6d40-e191-421a-8f87-a8102452c201"
},
"uuid": "d26a1746-b577-4a89-be5e-c49611e8c65a",
"value": "Cleaver uses Develop social network persona digital footprint"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93"
},
"uuid": "f43faad4-a016-4da0-8de6-53103d429268",
"value": "Cleaver uses Obfuscation or cryptography"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c"
},
"uuid": "0e7905fd-77c8-43cb-b499-7d6e37fefbeb",
"value": "APT1 uses Dynamic DNS"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "b79a1960-d0be-4b51-bb62-b27e91e1dea0"
},
"uuid": "3f8694fa-8e16-465b-8357-ec0a85316e9c",
"value": "Cleaver uses Conduct social engineering or HUMINT operation"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39"
},
"uuid": "9c87b627-de61-42da-a658-7bdb33358754",
"value": "APT17 uses Obfuscate infrastructure"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234"
},
"uuid": "6d809b32-a5db-4e1e-bea6-ef29a2c680e5",
"value": "APT28 uses Create custom payloads"
},
{
"meta": {
"source-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c",
"target-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe"
},
"uuid": "f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd",
"value": "Dynamic DNS related-to Dynamic DNS"
},
{
"meta": {
"source-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe",
"target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c"
},
"uuid": "94daf955-fb3e-4f13-af60-0e3ffa185be0",
"value": "Dynamic DNS related-to Dynamic DNS"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
},
"uuid": "545cd36e-572e-413d-82b9-db65788791f9",
"value": "APT17 uses Build social network persona"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
},
"uuid": "8a2c46d3-92f2-4ff7-a912-8d47189a7d79",
"value": "APT1 uses Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
"target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88"
},
"uuid": "60b6c9a6-7705-4c72-93bb-67de0caf11f4",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"target-uuid": "78e41091-d10d-4001-b202-89612892b6ff"
},
"uuid": "9c44b2ec-70b0-4f5c-800e-426477330658",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b",
"target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077"
},
"uuid": "bc165934-7ef6-4aed-a0d7-81d3372589f4",
"value": "Compromise 3rd party infrastructure to support delivery related-to Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "288b3cc3-f4da-4250-ab8c-d8b5dbed94ca"
},
"uuid": "643d984b-0c82-4e14-8ba9-1b8dec0c91e2",
"value": "APT28 uses Identify web defensive services"
},
{
"meta": {
"source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc",
"target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41"
},
"uuid": "715a66b4-7925-40b4-868a-e47aba879f8b",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
"target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88"
},
"uuid": "28bf7e8b-9948-40a8-945b-6b5f2c78ec53",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
},
"uuid": "2b0ec032-eaca-4f0c-be55-39471f0f2bf5",
"value": "APT1 uses Obtain/re-use payloads"
},
{
"meta": {
"source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b",
"target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a"
},
"uuid": "1143e6a6-deef-4dbd-8c91-7bf537d8f5ce",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "78e41091-d10d-4001-b202-89612892b6ff",
"target-uuid": "59369f72-3005-4e54-9095-3d00efcece73"
},
"uuid": "a29f2adc-c328-4cf3-9984-2c0c72ec7061",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "abd5bed1-4c12-45de-a623-ab8dc4ff862a"
},
"uuid": "eab3be4e-4130-4898-a7b6-d9e9eb34f2bd",
"value": "APT28 uses Research relevant vulnerabilities/CVEs"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
},
"uuid": "39db1df8-f786-480c-9faf-5b870de2250b",
"value": "APT1 uses Acquire and/or use 3rd party software services"
},
{
"meta": {
"source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
"target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a"
},
"uuid": "6ba71250-1dc7-4b8d-88e7-698440ea18a0",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "6238613d-8683-420d-baf7-6050aa27eb9d",
"value": "APT28 uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "286cc500-4291-45c2-99a1-e760db176402",
"target-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6"
},
"uuid": "5dc0b076-5f25-4bda-83c7-1d8bd214b81a",
"value": "Acquire and/or use 3rd party infrastructure services related-to Acquire and/or use 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c",
"target-uuid": "59369f72-3005-4e54-9095-3d00efcece73"
},
"uuid": "7aaa32b6-73f3-4b6e-98ae-da16976e6003",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077"
},
"uuid": "cc22ab71-f2fc-4885-832b-e75dadeefa2d",
"value": "APT1 uses Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "60e79ac2-3dc1-4005-a1f8-260d58117dab",
"value": "APT28 uses Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "9a8c47f6-ae69-4044-917d-4b1602af64d9"
},
"uuid": "7da16587-3861-4404-9043-0076e4766ac4",
"value": "APT12 uses Choose pre-compromised persona and affiliated accounts"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "6cfc9229-9928-414e-bfaf-f63e815b4c84",
"value": "APT28 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05",
"target-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f"
},
"uuid": "a7f177e4-7e7f-4883-af3d-c95db9ea7a53",
"value": "Determine 3rd party infrastructure services related-to Determine 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
},
"uuid": "515e7665-040c-44ac-a379-44d4399d6e2b",
"value": "Cleaver uses Obtain/re-use payloads"
},
{
"meta": {
"source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc"
},
"uuid": "b180dee5-0d48-448f-94b9-4997f0c584d5",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077",
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
},
"uuid": "28815a00-1cf4-4fbc-9039-306a9542c7fd",
"value": "Compromise 3rd party infrastructure to support delivery related-to Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84",
"target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1"
},
"uuid": "8bcaccd1-403b-40f1-82d3-ac4d873263f8",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957"
},
"uuid": "5aab758c-79d2-4219-9053-f50791d98531",
"value": "APT28 uses Discover target logon/email address format"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6"
},
"uuid": "b55534ba-37ce-47f2-a961-edeaeedcb399",
"value": "APT12 uses Obfuscate infrastructure"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768"
},
"uuid": "709bb5af-c484-48f2-bb19-bd7630e42e2d",
"value": "APT28 uses Obtain/re-use payloads"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "4e06cf53-00b1-46a6-a6b6-8e33e761b83f",
"value": "APT12 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "89754a0d-03b1-44e3-94c5-7a892d171a28",
"value": "APT17 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "af358cad-eb71-4e91-a752-236edc237dae",
"target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5"
},
"uuid": "984d13eb-ba9c-4e7c-8675-85dde9877a81",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "d3999268-740f-467e-a075-c82e2d04be62"
},
"uuid": "2daad934-bf08-4a2f-b656-4f7d197eb8fa",
"value": "APT28 uses Assess leadership areas of interest"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "1895866a-4689-4527-8460-95e9cd7dd037",
"value": "APT12 uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5",
"target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1"
},
"uuid": "51c20b46-16cc-4b58-80d7-89d48b14b064",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983",
"target-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59"
},
"uuid": "fe31fa7c-be01-47ca-90bb-0fb49b49eb03",
"value": "Acquire or compromise 3rd party signing certificates related-to Acquire or compromise 3rd party signing certificates"
},
{
"meta": {
"source-uuid": "59369f72-3005-4e54-9095-3d00efcece73",
"target-uuid": "78e41091-d10d-4001-b202-89612892b6ff"
},
"uuid": "432c700b-4bf3-4824-a530-a6e86882c4b7",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407",
"target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1"
},
"uuid": "ef32147c-d309-4867-aaba-998088290e32",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b"
},
"uuid": "f8559304-7ef6-4c48-8d76-a56ebf37c0be",
"value": "APT16 uses Compromise 3rd party infrastructure to support delivery"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a"
},
"uuid": "3d3eb711-5054-4b32-8006-15ba67d3bb25",
"value": "APT1 uses Procure required equipment and software"
},
{
"meta": {
"source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1",
"target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407"
},
"uuid": "689ebb39-52f4-4b2f-8678-72cfed67cb9f",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41",
"target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc"
},
"uuid": "36990d75-9fbd-43f0-9966-ae58f0388e1d",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6",
"target-uuid": "286cc500-4291-45c2-99a1-e760db176402"
},
"uuid": "9a1f729c-72a9-4735-9d48-ecb54ea018a9",
"value": "Acquire and/or use 3rd party infrastructure services related-to Acquire and/or use 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1"
},
"uuid": "7c68bb22-457e-4942-9e07-36f6cd5ac5ba",
"value": "APT1 uses Targeted social media phishing"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa"
},
"uuid": "75c781d7-f9ef-42c8-b610-0dc1ecb3b350",
"value": "Cleaver uses Authorized user performs requested cyber action"
},
{
"meta": {
"source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc"
},
"uuid": "d5bd7a33-a249-46e5-bb19-a498eba42bdb",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904"
},
"uuid": "8a2549fa-9e7c-4d47-9678-8ed0bb8fa3aa",
"value": "APT1 uses Derive intelligence requirements"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa"
},
"uuid": "0f97c2ae-2b89-4dd5-a270-42b1dcb5d403",
"value": "APT1 uses Authorized user performs requested cyber action"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97"
},
"uuid": "c90a4d6a-af21-4103-ba57-3ddeb6e973e7",
"value": "APT16 uses Spear phishing messages with malicious attachments"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "c860af4a-376e-46d7-afbf-262c41012227"
},
"uuid": "eca0f05c-5025-4149-9826-3715cc243180",
"value": "Cleaver uses Determine operational element"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64"
},
"uuid": "683d4e44-f763-492c-b510-fa469a923798",
"value": "APT12 uses Identify gap areas"
},
{
"meta": {
"source-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39",
"target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6"
},
"uuid": "db4dfa09-7f19-437a-9d79-15f2dc8ba0da",
"value": "Obfuscate infrastructure related-to Obfuscate infrastructure"
},
{
"meta": {
"source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1",
"target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84"
},
"uuid": "bbb1c074-a93a-4e40-b11e-2151403f7f1d",
"value": "Identify job postings and needs/gaps related-to Identify job postings and needs/gaps"
},
{
"meta": {
"source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "0e52753e-0a02-4bec-88f9-f8ee21b46bae",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "3c7c0851-1cf8-458f-862d-4e4827f8f474",
"value": "Cleaver uses Determine strategic target"
},
{
"meta": {
"source-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59",
"target-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983"
},
"uuid": "c388ed7c-3820-41a3-98af-a48dd7e4d88b",
"value": "Acquire or compromise 3rd party signing certificates related-to Acquire or compromise 3rd party signing certificates"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4"
},
"uuid": "34ba5998-4e43-4669-9701-1877aa267354",
"value": "APT1 uses Build social network persona"
},
{
"meta": {
"source-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1",
"target-uuid": "af358cad-eb71-4e91-a752-236edc237dae"
},
"uuid": "f8504a07-758c-4c51-ac94-c2e7ba652e29",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "78e41091-d10d-4001-b202-89612892b6ff",
"target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
},
"uuid": "9ad9966d-4a8d-4b15-b503-c5d27104fcdd",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f",
"target-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05"
},
"uuid": "e4501560-7850-4467-8422-2cf336429e8a",
"value": "Determine 3rd party infrastructure services related-to Determine 3rd party infrastructure services"
},
{
"meta": {
"source-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1",
"target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5"
},
"uuid": "66e4da4a-6eb6-46e0-9baf-74059f341b4a",
"value": "Conduct social engineering related-to Conduct social engineering"
},
{
"meta": {
"source-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6",
"target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39"
},
"uuid": "41be9f31-9d2b-44b8-a7dc-31f8c4519751",
"value": "Obfuscate infrastructure related-to Obfuscate infrastructure"
},
{
"meta": {
"source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a",
"target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b"
},
"uuid": "be031f72-737b-4afd-b2c1-c565f5ab7369",
"value": "Acquire OSINT data sets and information related-to Acquire OSINT data sets and information"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7"
},
"uuid": "90d7f0f0-6e41-431a-a024-9375cbc18d2b",
"value": "APT1 uses Post compromise tool development"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "e60a165e-cfad-43e5-ba83-ea2430a377c5",
"value": "APT16 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "a071fc8f-6323-420b-9812-b51f12fc7956",
"value": "Night Dragon uses Determine strategic target"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0"
},
"uuid": "970531a2-4927-41a3-b2cd-09d445322f51",
"value": "APT1 uses Create strategic plan"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4"
},
"uuid": "c2571ca8-98c4-490d-b8f8-f3678b0ce74d",
"value": "Night Dragon uses Compromise of externally facing system"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc"
},
"uuid": "e78023e7-98de-4973-9331-843bfa28c9f7",
"value": "APT1 uses Spear phishing messages with malicious links"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2"
},
"uuid": "f76d74b6-c797-487c-8388-536367d1b922",
"value": "APT1 uses Obfuscate or encrypt code"
},
{
"meta": {
"source-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33",
"target-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d"
},
"uuid": "87239038-7693-49b3-b595-b828cc2be1ba",
"value": "Friend/Follow/Connect to targets of interest related-to Friend/Follow/Connect to targets of interest"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
},
"uuid": "c6e43693-2a6d-4ba8-8fa7-ec1ab5239528",
"value": "Night Dragon uses Acquire and/or use 3rd party software services"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877"
},
"uuid": "5ed44a06-bcb4-4293-8bf4-aaebefddc09c",
"value": "APT1 uses Determine strategic target"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a"
},
"uuid": "db10491f-a854-4404-9271-600349484bc3",
"value": "APT1 uses Domain registration hijacking"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549"
},
"uuid": "4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2",
"value": "APT16 uses Identify business relationships"
},
{
"meta": {
"source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc",
"target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41"
},
"uuid": "7bd3d2ba-f114-4835-97b6-1c3e2208d3f3",
"value": "Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies"
},
{
"meta": {
"source-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6",
"target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11"
},
"uuid": "2bf984b5-1a48-4d9a-a4f2-e97801254b84",
"value": "Acquire and/or use 3rd party software services related-to Acquire and/or use 3rd party software services"
},
{
"meta": {
"source-uuid": "59369f72-3005-4e54-9095-3d00efcece73",
"target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c"
},
"uuid": "c124f0ba-f4bc-430a-b40c-eebe0577f812",
"value": "Identify supply chains related-to Identify supply chains"
},
{
"meta": {
"source-uuid": "1a295f87-af63-4d94-b130-039d6221fb11",
"target-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6"
},
"uuid": "3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267",
"value": "Acquire and/or use 3rd party software services related-to Acquire and/or use 3rd party software services"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957"
},
"uuid": "597be8e7-58a4-4aff-a803-48a7a08164a2",
"value": "APT16 uses Discover target logon/email address format"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7"
},
"uuid": "7a254f4d-c7cf-4b98-94e9-3937785b7d68",
"value": "APT12 uses Post compromise tool development"
},
{
"meta": {
"source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5",
"target-uuid": "af358cad-eb71-4e91-a752-236edc237dae"
},
"uuid": "46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb",
"value": "Conduct social engineering related-to Conduct social engineering"
}
]
}
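Review bot: The `value` field is not unique within this galaxy: `Identify job postings and needs/gaps related-to Identify job postings and needs/gaps` appears six times with different uuids and swapped `source-uuid`/`target-uuid` pairs, and the same holds for the `Conduct social engineering`, `Acquire OSINT data sets and information`, `Identify supply chains`, `Dynamic DNS` and `Analyze organizational skillsets and deficiencies` self-relations. Anything that keys clusters by `value` (galaxy tag names, value-based matching on import) would presumably collapse or mis-match these entries, since the direction of the relation is only recoverable from `meta`. Consider making the value distinguishing (for example by encoding the direction or the two object kinds in it), or stating in the galaxy `description` that `uuid` is the only key and values may repeat. The header `description` is just `MITRE Relationship`; naming which object sets the source and target uuids refer to would help consumers resolve them.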


@ -5023,7 +5023,8 @@
".0000",
".XZZX",
".TEST",
".WORK"
".WORK",
".SYSTEM"
],
"ransomnotes": [
"HELP_YOUR_FILES.html (CryptXXX)",
@ -5036,7 +5037,8 @@
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ny0000@tuta.io\n\ny0000@protonmail.com\n\ny0000z@yandex.com\n\ny0000s@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id]",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nxzzx@tuta.io\n\nxzzx1@protonmail.com\n\nxzzx10@yandex.com\n\nxzzx101@yandex.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nDECRYPT-ID-[id] number",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\ntest757@tuta.io\n\ntest757@protonmail.com\n\ntest757xz@yandex.com\n\ntest757xy@yandex.com\n\ntest757@consultant.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
"Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number"
"Attention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nworknow@keemail.me\n\nworknow@protonmail.com\n\nworknow8@yandex.com\n\nworknow9@yandex.com\n\nworknow@techie.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-[id] number",
"Hello!\n\nAttention! All Your data was encrypted!\n\nFor specific informartion, please send us an email with Your ID number:\n\nsystemwall@keemail.me\n\nsystemwall@protonmail.com\n\nsystemwall@yandex.com\n\nsystemwall1@yandex.com\n\nemily.w@dr.com\n\nPlease send email to all email addresses! We will help You as soon as possible!\n\nIMPORTANT: DO NOT USE ANY PUBLIC SOFTWARE! IT MAY DAMAGE YOUR DATA FOREVER!\n\nDECRYPT-ID-%s number"
],
"refs": [
"http://www.nyxbone.com/malware/CryptoMix.html",
@ -5046,7 +5048,8 @@
"https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/"
"https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
"https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/"
]
}
},
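Review bot: The new ransom note added to `ransomnotes` ends in `DECRYPT-ID-%s number`, whereas every sibling note in this entry uses `DECRYPT-ID-[id] number`; `%s` reads like a format-string placeholder carried over from wherever the text was copied rather than the literal text a victim sees. If the note was transcribed from a sample, consider normalizing to `DECRYPT-ID-[id] number` so the notes stay comparable and searchable across variants; if `%s` is genuinely what this variant emits, a short remark in the entry would explain the difference. The enclosing cluster entry starts and ends outside the hunks shown.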


@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Attack Pattern",
"type": "mitre-entreprise-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "fa7016a8-1707-11e8-82d0-1b73d76eb204",
"version": 1,
"icon": "map"
}
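Review bot: The galaxy `description` on L3353 says `ATT&CK Tactic`, but the objects this galaxy holds are STIX `attack-pattern` objects, which in the MITRE bundle are techniques; a tactic is the kill-chain phase a technique belongs to, so `"description": "ATT&CK Technique"` would describe the contents accurately. The same wording is used in the mobile and pre-attack attack-pattern galaxies (L3421–L3429, L3493–L3501) and in the galaxy and cluster descriptions of the three attack-pattern generator scripts. Separately, every new `type` value on this page spells the collection `entreprise` (L3352 and the galaxy files that follow, plus the output paths in the scripts) where MITRE's cti repository names it `enterprise-attack`; since `type` is presumably the identifier MISP derives tag names from, it is far cheaper to settle the spelling before these files are published than to rename afterwards.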


@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Course of Action",
"type": "mitre-entreprise-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "fb5a36c0-1707-11e8-81f5-d732b22a4982",
"version": 1,
"icon": "chain"
}


@ -0,0 +1,8 @@
{
"name": "Entreprise Attack -Intrusion Set",
"type": "mitre-entreprise-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",
"version": 1,
"icon": "user-secret"
}
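Review bot: The `name` on L3375, `Entreprise Attack -Intrusion Set`, is missing the space after the dash that every other galaxy name on this page has (`Entreprise Attack - Malware`, `Mobile Attack - Intrusion Set`); `"name": "Entreprise Attack - Intrusion Set",` follows the pattern. The generator script for this galaxy repeats the same string on L3658 and a differently capitalised variant on L3665, so all three should be aligned at once.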


@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Malware",
"type": "mitre-entreprise-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "fbb19af0-1707-11e8-9fd6-dbd88a04d33a",
"version": 1,
"icon": "optin-monster"
}


@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Relationship",
"type": "mitre-entreprise-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc404638-1707-11e8-a5cf-b78b9b562766",
"version": 1,
"icon": "link"
}


@ -0,0 +1,8 @@
{
"name": "Entreprise Attack - Tool",
"type": "mitre-entreprise-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "fbfa0470-1707-11e8-be22-eb46b373fdd3",
"version": 1,
"icon": "gavel"
}


@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Attack Pattern",
"type": "mitre-mobile-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1c6d1332-1708-11e8-847c-e3c5643c41a5",
"version": 1,
"icon": "map"
}


@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Course of Action",
"type": "mitre-mobile-attack-course-of-action",
"description": "ATT&CK Mitigation",
"uuid": "0282356a-1708-11e8-8f53-975633d5c03c",
"version": 1,
"icon": "chain"
}


@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Intrusion Set",
"type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "0314e554-1708-11e8-b049-8f8a42b5bb62",
"version": 1,
"icon": "user-secret"
}


@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"uuid": "03e3853a-1708-11e8-95c1-67cf3f801a18",
"version": 1,
"icon": "optin-monster"
}


@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Relationship",
"type": "mitre-mobile-attack-relationship",
"description": "Mitre Relationship",
"uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede",
"version": 1,
"icon": "link"
}


@ -0,0 +1,8 @@
{
"name": "Mobile Attack - Tool",
"type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software",
"uuid": "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91",
"version": 1,
"icon": "gavel"
}


@ -0,0 +1,8 @@
{
"name": "Pre Attack - Attack Pattern",
"type": "mitre-pre-attack-attack-pattern",
"description": "ATT&CK Tactic",
"uuid": "1f665850-1708-11e8-9cfe-4792b2a91402",
"version": 1,
"icon": "map"
}


@ -0,0 +1,8 @@
{
"name": "Pre Attack - Intrusion Set",
"type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"uuid": "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e",
"version": 1,
"icon": "user-secret"
}


@ -0,0 +1,8 @@
{
"name": "Pre Attack - Relationship",
"type": "mitre-pre-attack-relashipship",
"description": "Mitre Relationship",
"uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae",
"version": 1,
"icon": "link"
}
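Review bot: The `type` on L3520, `mitre-pre-attack-relashipship`, has a typo that the other relationship galaxies (L3400, L3472) do not, and `type` is the stable identifier that clusters and MISP tags key on, so it is worth fixing before it ships: `"type": "mitre-pre-attack-relationship",`. The galaxy and cluster assignments of the pre-attack relationship generator script fall outside the visible page, so confirm it writes the corrected type as well.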


@ -0,0 +1,60 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s attack-patterns\nMust be in the mitre/cti/entreprise-attack/attack-pattern folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:
value['meta']['mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {}
galaxy['name'] = "Entreprise Attack - Attack Pattern"
galaxy['type'] = "mitre-entreprise-attack-attack-pattern"
galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "fa7016a8-1707-11e8-82d0-1b73d76eb204"
galaxy['version'] = args.version
galaxy['icon'] = "map"
cluster = {}
cluster['name'] = "Entreprise Attack - Attack Pattern"
cluster['type'] = "mitre-entreprise-attack-attack-pattern"
cluster['description'] = "ATT&CK tactic"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fb2242d8-1707-11e8-ab20-6fa7448c3640"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-attack-pattern.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-attack-pattern.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
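Review bot: The uuid extraction on L3559, `re.search('--(.*)$', temp['id']).group(0)[2:]`, captures the group it wants and then discards it in favour of slicing the whole match; `.group(1)` returns the same string directly, and since an id without `--` makes `re.search` return `None` and the line fail with an `AttributeError` on `NoneType`, a plain `temp['id'].split('--', 1)[1]` is both clearer and fails with a more obvious message. On L3558–L3559 the value is appended to `values` before `uuid` is set, which only works because it is the same dict object; the other generators set `uuid` first, so swapping the two lines keeps them consistent. `json_data.close()` on L3544 is redundant inside a `with` block, and the output opens on L3576 and L3578 assume `generate/galaxies` and `generate/clusters` already exist under the current directory, so an `os.makedirs('generate/galaxies', exist_ok=True)` and the clusters equivalent before writing (or an `os.path.isdir` check if Python 2 must stay supported) would make the script runnable from a fresh checkout. The same pattern is repeated in every generator on this page (L3583–L3625, L3629–L3676, L3680–L3728, L3822–L3870, L3874–L3924, L3928–L3970, L3974–L4021, L4025–L4073, L4167–L4215, L4219–L4269, L4273–L4320).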


@ -0,0 +1,52 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s courses-of-action.\nMust be in the mitre/cti/entreprise-attack/course-of-action folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack - Course of Action"
galaxy['type'] = "mitre-entreprise-attack-course-of-action"
galaxy['description'] = "ATT&CK Mitigation"
galaxy['uuid' ] = "fb5a36c0-1707-11e8-81f5-d732b22a4982"
galaxy['version'] = args.version
galaxy['icon'] = "chain"
cluster = {}
cluster['name'] = "Entreprise Attack - Course of Action"
cluster['type'] = "mitre-entreprise-attack-course-of-action"
cluster['description'] = "ATT&CK Mitigation"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fb870a6a-1707-11e8-b548-17523e4d0670"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-course-of-action.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-course-of-action.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
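Review bot: Unlike every other generator on this page, the course-of-action script leaves `value['meta']` as an empty dict (L3603) and never reads `external_references`, so the generated cluster carries no `refs`. If the course-of-action objects in the bundle carry `external_references` like the attack-pattern and malware objects do, the same `for reference in temp['external_references']: if 'url' in reference: value['meta']['refs'].append(reference['url'])` loop used on L3551–L3553 would preserve the mitigation URLs, which are the most useful part of a mitigation entry for an analyst. The mobile course-of-action script (L3928–L3970) has the same gap.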


@ -0,0 +1,57 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/entreprise-attack/intrusion-set folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack -Intrusion Set"
galaxy['type'] = "mitre-entreprise-attack-intrusion-set"
galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "1f3b8c56-1708-11e8-b211-17a60c0f73ee"
galaxy['version'] = args.version
galaxy['icon'] = "user-secret"
cluster = {}
cluster['name'] = "Entreprise Attack -intrusion Set"
cluster['type'] = "mitre-entreprise-attack-intrusion-set"
cluster['description'] = "Name of ATT&CK Group"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "01f18402-1708-11e8-ac1c-1ffb3c4a7775"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-intrusion-set.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-intrusion-set.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
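Review bot: `temp['aliases']` on L3650 is read unconditionally, whereas the malware and tool scripts guard their synonym source with `if 'x_mitre_aliases' in temp`; `aliases` is an optional property on a STIX intrusion-set, so a single group without it would abort the whole run with a `KeyError`, and `if 'aliases' in temp: value['meta']['synonyms'] = temp['aliases']` is the safe form. The cluster `name` on L3665, `Entreprise Attack -intrusion Set`, also disagrees with the galaxy name on L3658 and in the galaxy file (L3375) in both capitalisation and spacing. The mobile (L3995, L4010) and pre-attack (L4294, L4309) intrusion-set scripts share both issues.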


@ -0,0 +1,58 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s malwares\nMust be in the mitre/cti/entreprise-attack/malware folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack - Malware"
galaxy['type'] = "mitre-entreprise-attack-malware"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "fbb19af0-1707-11e8-9fd6-dbd88a04d33a"
galaxy['version'] = args.version
galaxy['icon'] = "optin-monster"
cluster = {}
cluster['name'] = "Entreprise Attack - Malware"
cluster['type'] = "mitre-entreprise-attack-malware"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fbd79f02-1707-11e8-b1c7-87406102276a"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-malware.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-malware.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
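Review bot: `if'x_mitre_aliases' in temp:` on L3705 is missing the space after `if`; it parses, but it reads as a typo and any formatter will rewrite it, so `if 'x_mitre_aliases' in temp:` is preferable. The same token appears in the tool script on L3847 and in the mobile malware and tool scripts on L4050 and L4192.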


@ -0,0 +1,100 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/entreprise-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
path = "relationship/"
for element in os.listdir(path):
with open(path+element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
source = temp['source_ref']
target = temp['target_ref']
relationship = temp['relationship_type']
if source.startswith('attack-pattern'):
paths = "attack-pattern/"
elif source.startswith('course-of-action'):
paths = "course-of-action/"
elif source.startswith('identity'):
paths = "identity/"
elif source.startswith('intrusion-set'):
paths = "intrusion-set/"
elif source.startswith('malware'):
paths = "malware/"
elif source.startswith('marking-definition'):
paths = "marking-definition/"
elif source.startswith('tool'):
paths = "tool/"
else:
print('Invalid value')
continue
with open(paths+source+'.json') as json_data:
s = json.load(json_data)
json_data.close()
if target.startswith('attack-pattern'):
patht = "attack-pattern/"
elif target.startswith('course-of-action'):
patht = "course-of-action/"
elif target.startswith('identity'):
patht = "identity/"
elif target.startswith('intrusion-set'):
patht = "intrusion-set/"
elif target.startswith('malware'):
patht = "malware/"
elif target.startswith('marking-definition'):
patht = "marking-definition/"
elif target.startswith('tool'):
patht = "tool/"
else:
print('Invalid value')
continue
with open(patht+target+'.json') as json_data:
t = json.load(json_data)
json_data.close()
value = {}
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack - Relationship"
galaxy['type'] = "mitre-entreprise-attack-relationship"
galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "fc404638-1707-11e8-a5cf-b78b9b562766"
galaxy['version'] = args.version
galaxy['icon'] = "link"
cluster = {}
cluster['name'] = "Entreprise Attack - Relationship"
cluster['type'] = "mitre-entreprise-attack-relationship"
cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fc605f90-1707-11e8-9d6a-9f165ac2ab5c"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
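Review bot: The parser description on L3739 says the script must be run from the `relationship` folder, but L3743–L3745 list `relationship/` and L3769/L3789 open `attack-pattern/`, `tool/` and the other sibling folders, so it can only work from the directory that contains all of those subfolders (presumably the `enterprise-attack` directory); the description should say so. The two `if`/`elif` chains (L3752–L3768, L3772–L3788) only check a prefix of `source_ref`/`target_ref` before using the whole string as a path component, and the folder they select is always that prefix, so they reduce to one helper that validates the reference against the STIX id shape and then joins it with `os.path.join`; that also lets the `Invalid value` messages (L3767, L3787) say which reference was rejected. Since these refs are read from files in a third-party checkout, a full-pattern check rather than `startswith` is the safer boundary. The mobile relationship script (L4077–L4163) is identical and the pre-attack one (L4324 onward) appears to be as far as it is visible.
```python
# … unchanged: argument parsing, values = [] …
STIX_ID = re.compile(r'^([a-z-]+)--[0-9a-f-]{36}$')
KNOWN_TYPES = ('attack-pattern', 'course-of-action', 'identity',
               'intrusion-set', 'malware', 'marking-definition', 'tool')

def load_ref(ref):
    """Return the first object of the bundle a STIX ref points to, or None when the ref is malformed or of an unknown type."""
    match = STIX_ID.match(ref)
    if match is None or match.group(1) not in KNOWN_TYPES:
        print('Invalid value: %s' % ref)
        return None
    # the folder name is the STIX type prefix, so no per-type branch is needed
    with open(os.path.join(match.group(1), ref + '.json')) as json_data:
        return json.load(json_data)['objects'][0]

path = "relationship/"
for element in os.listdir(path):
    with open(os.path.join(path, element)) as json_data:
        temp = json.load(json_data)['objects'][0]
    s = load_ref(temp['source_ref'])
    t = load_ref(temp['target_ref'])
    if s is None or t is None:
        continue
    relationship = temp['relationship_type']
    value = {}
    value['meta'] = {}
    value['uuid'] = temp['id'].split('--', 1)[1]
    value['meta']['source-uuid'] = s['id'].split('--', 1)[1]
    value['meta']['target-uuid'] = t['id'].split('--', 1)[1]
    value['value'] = s['name'] + ' ' + relationship + ' ' + t['name']
    values.append(value)
# … unchanged: galaxy / cluster dicts and the two json.dump calls …
```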


@ -0,0 +1,58 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s tools\nMust be in the mitre/cti/entreprise-attack/tool folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Entreprise Attack - Tool"
galaxy['type'] = "mitre-entreprise-attack-tool"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "fbfa0470-1707-11e8-be22-eb46b373fdd3"
galaxy['version'] = args.version
galaxy['icon'] = "gavel"
cluster = {}
cluster['name'] = "Entreprise Attack - Tool"
cluster['type'] = "mitre-entreprise-attack-tool"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "fc1ea6e0-1707-11e8-ac05-2b70d00c354e"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-entreprise-attack-tool.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-entreprise-attack-tool.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,60 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s attack-patterns\nMust be in the mitre/cti/mobile-attack/attack-pattern folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:
value['meta']['mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {}
galaxy['name'] = "Mobile Attack - Attack Pattern"
galaxy['type'] = "mitre-mobile-attack-attack-pattern"
galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "1c6d1332-1708-11e8-847c-e3c5643c41a5"
galaxy['version'] = args.version
galaxy['icon'] = "map"
cluster = {}
cluster['name'] = "Mobile Attack - Attack Pattern"
cluster['type'] = "mitre-mobile-attack-attack-pattern"
cluster['description'] = "ATT&CK tactic"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "1e606d06-1708-11e8-8a43-df11c8cf9ae2"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-attack-pattern.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-attack-pattern.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,52 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s courses-of-action.\nMust be in the mitre/cti/mobile-attack/course-of-action folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Course of Action"
galaxy['type'] = "mitre-mobile-attack-course-of-action"
galaxy['description'] = "ATT&CK Mitigation"
galaxy['uuid' ] = "0282356a-1708-11e8-8f53-975633d5c03c"
galaxy['version'] = args.version
galaxy['icon'] = "chain"
cluster = {}
cluster['name'] = "Mobile Attack - Course of Action"
cluster['type'] = "mitre-mobile-attack-course-of-action"
cluster['description'] = "ATT&CK Mitigation"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "03956f9e-1708-11e8-8395-976b24233e15"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-course-of-action.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-course-of-action.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,57 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/mobile-attack/intrusion-set folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Intrusion Set"
galaxy['type'] = "mitre-mobile-attack-intrusion-set"
galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "0314e554-1708-11e8-b049-8f8a42b5bb62"
galaxy['version'] = args.version
galaxy['icon'] = "user-secret"
cluster = {}
cluster['name'] = "Mobile Attack - intrusion Set"
cluster['type'] = "mitre-mobile-attack-intrusion-set"
cluster['description'] = "Name of ATT&CK Group"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "02ab4018-1708-11e8-8f9d-e735aabdfa53"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-intrusion-set.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-intrusion-set.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,58 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s malwares\nMust be in the mitre/cti/mobile-attack/malware folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Malware"
galaxy['type'] = "mitre-mobile-attack-malware"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "03e3853a-1708-11e8-95c1-67cf3f801a18"
galaxy['version'] = args.version
galaxy['icon'] = "optin-monster"
cluster = {}
cluster['name'] = "Mobile Attack - Malware"
cluster['type'] = "mitre-mobile-attack-malware"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "04a165aa-1708-11e8-b2da-c7d7625f4a4f"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-malware.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-malware.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,100 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/mobile-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
path = "relationship/"
for element in os.listdir(path):
with open(path+element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
source = temp['source_ref']
target = temp['target_ref']
relationship = temp['relationship_type']
if source.startswith('attack-pattern'):
paths = "attack-pattern/"
elif source.startswith('course-of-action'):
paths = "course-of-action/"
elif source.startswith('identity'):
paths = "identity/"
elif source.startswith('intrusion-set'):
paths = "intrusion-set/"
elif source.startswith('malware'):
paths = "malware/"
elif source.startswith('marking-definition'):
paths = "marking-definition/"
elif source.startswith('tool'):
paths = "tool/"
else:
print('Invalid value')
continue
with open(paths+source+'.json') as json_data:
s = json.load(json_data)
json_data.close()
if target.startswith('attack-pattern'):
patht = "attack-pattern/"
elif target.startswith('course-of-action'):
patht = "course-of-action/"
elif target.startswith('identity'):
patht = "identity/"
elif target.startswith('intrusion-set'):
patht = "intrusion-set/"
elif target.startswith('malware'):
patht = "malware/"
elif target.startswith('marking-definition'):
patht = "marking-definition/"
elif target.startswith('tool'):
patht = "tool/"
else:
print('Invalid value')
continue
with open(patht+target+'.json') as json_data:
t = json.load(json_data)
json_data.close()
value = {}
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Relationship"
galaxy['type'] = "mitre-mobile-attack-relationship"
galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "fc8471aa-1707-11e8-b306-33cbe96a1ede"
galaxy['version'] = args.version
galaxy['icon'] = "link"
cluster = {}
cluster['name'] = "Mobile Attack - Relationship"
cluster['type'] = "mitre-mobile-attack-relationship"
cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "02f1fc42-1708-11e8-a4f2-eb70472c5901"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,58 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s tools\nMust be in the mitre/cti/mobile-attack/tool folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Mobile Attack - Tool"
galaxy['type'] = "mitre-mobile-attack-tool"
galaxy['description'] = "Name of ATT&CK software"
galaxy['uuid' ] = "1d0b4bce-1708-11e8-9e6e-1b130c9b0a91"
galaxy['version'] = args.version
galaxy['icon'] = "gavel"
cluster = {}
cluster['name'] = "Mobile Attack - Tool"
cluster['type'] = "mitre-mobile-attack-tool"
cluster['description'] = "Name of ATT&CK software"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "02cee87e-1708-11e8-8f15-8b33e4d6194b"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-mobile-attack-tool.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-mobile-attack-tool.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,60 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s attack-patterns\nMust be in the mitre/cti/pre-attack/attack-pattern folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
if 'x_mitre_data_sources' in temp:
value['meta']['mitre_data_sources'] = temp['x_mitre_data_sources']
if 'x_mitre_platforms' in temp:
value['meta']['mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {}
galaxy['name'] = "Pre Attack - Attack Pattern"
galaxy['type'] = "mitre-pre-attack-attack-pattern"
galaxy['description'] = "ATT&CK Tactic"
galaxy['uuid' ] = "1f665850-1708-11e8-9cfe-4792b2a91402"
galaxy['version'] = args.version
galaxy['icon'] = "map"
cluster = {}
cluster['name'] = "Pre Attack - Attack Pattern"
cluster['type'] = "mitre-pre-attack-attack-pattern"
cluster['description'] = "ATT&CK tactic"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "03c13bec-1708-11e8-92a0-a747c0787089"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-pre-attack-attack-pattern.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-pre-attack-attack-pattern.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,57 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s intrusion-sets\nMust be in the mitre/cti/pre-attack/intrusion-set folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
for element in os.listdir('.'):
if element.endswith('.json'):
with open(element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
value = {}
value['description'] = temp['description']
value['value'] = temp['name']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
value['meta']['refs']= []
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}
galaxy['name'] = "Pre Attack - Intrusion Set"
galaxy['type'] = "mitre-pre-attack-intrusion-set"
galaxy['description'] = "Name of ATT&CK Group"
galaxy['uuid' ] = "1fb6d5b4-1708-11e8-9836-8bbc8ce6866e"
galaxy['version'] = args.version
galaxy['icon'] = "user-secret"
cluster = {}
cluster['name'] = "Pre Attack - intrusion Set"
cluster['type'] = "mitre-pre-attack-intrusion-set"
cluster['description'] = "Name of ATT&CK Group"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-pre-attack-intrusion-set.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-pre-attack-intrusion-set.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)


@ -0,0 +1,100 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
import os
import argparse
parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/pre-attack/relationship folder')
parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one")
args = parser.parse_args()
values = []
path = "relationship/"
for element in os.listdir(path):
with open(path+element) as json_data:
d = json.load(json_data)
json_data.close()
temp = d['objects'][0]
source = temp['source_ref']
target = temp['target_ref']
relationship = temp['relationship_type']
if source.startswith('attack-pattern'):
paths = "attack-pattern/"
elif source.startswith('course-of-action'):
paths = "course-of-action/"
elif source.startswith('identity'):
paths = "identity/"
elif source.startswith('intrusion-set'):
paths = "intrusion-set/"
elif source.startswith('malware'):
paths = "malware/"
elif source.startswith('marking-definition'):
paths = "marking-definition/"
elif source.startswith('tool'):
paths = "tool/"
else:
print('Invalid value')
continue
with open(paths+source+'.json') as json_data:
s = json.load(json_data)
json_data.close()
if target.startswith('attack-pattern'):
patht = "attack-pattern/"
elif target.startswith('course-of-action'):
patht = "course-of-action/"
elif target.startswith('identity'):
patht = "identity/"
elif target.startswith('intrusion-set'):
patht = "intrusion-set/"
elif target.startswith('malware'):
patht = "malware/"
elif target.startswith('marking-definition'):
patht = "marking-definition/"
elif target.startswith('tool'):
patht = "tool/"
else:
print('Invalid value')
continue
with open(patht+target+'.json') as json_data:
t = json.load(json_data)
json_data.close()
value = {}
value['meta'] = {}
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:]
value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:]
value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name']
values.append(value)
galaxy = {}
galaxy['name'] = "Pre Attack - Relationship"
galaxy['type'] = "mitre-pre-attack-relashipship"
galaxy['description'] = "Mitre Relationship"
galaxy['uuid' ] = "1f8e3bae-1708-11e8-8e97-4bd2150e5aae"
galaxy['version'] = args.version
galaxy['icon'] = "link"
cluster = {}
cluster['name'] = "Pre Attack - Relationship"
cluster['type'] = "mitre-pre-attack-relationship"
cluster['description'] = "MITRE Relationship"
cluster['version'] = args.version
cluster['source'] = "https://github.com/mitre/cti"
cluster['uuid' ] = "1ffd3108-1708-11e8-9f98-67b378d9094c"
cluster['authors'] = ["MITRE"]
cluster['values'] = values
with open('generate/galaxies/mitre-pre-attack-relationship.json', 'w') as galaxy_file:
json.dump(galaxy, galaxy_file, indent=4)
with open('generate/clusters/mitre-pre-attack-relationship.json', 'w') as cluster_file:
json.dump(cluster, cluster_file, indent=4)
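Review bot: The galaxy type on the `galaxy['type'] = "mitre-pre-attack-relashipship"` line is misspelled and no longer matches the cluster's `"mitre-pre-attack-relationship"`, so the galaxy and cluster files this script writes cannot be paired by type; it should read `galaxy['type'] = "mitre-pre-attack-relationship"`. The two seven-branch `startswith` chains that map `source_ref`/`target_ref` to a folder duplicate a mapping already encoded in the STIX id itself (`<type>--<uuid>`), and the bare `print('Invalid value')` does not say which relationship file or which ref was rejected; a small helper deriving the folder from the id prefix removes both chains and names the offender, as sketched below. Note also that an unknown ref type is skipped, whereas a known type whose object file is absent from the sibling folder raises FileNotFoundError from `open(paths+source+'.json')` and aborts the entire run — presumably not intended, and worth either catching per relationship or documenting. The `json_data.close()` calls inside the `with` blocks are redundant.
```python
# … unchanged: argument parsing, values = [], path = "relationship/" …

# A STIX id is "<type>--<uuid>"; the prefix names the folder holding that object.
KNOWN_TYPES = {"attack-pattern", "course-of-action", "identity",
               "intrusion-set", "malware", "marking-definition", "tool"}


def object_folder(ref):
    """Return "<type>/" for a supported STIX ref, or None if the type is unknown."""
    obj_type = ref.split('--', 1)[0]
    return obj_type + '/' if obj_type in KNOWN_TYPES else None


for element in os.listdir(path):
    with open(path+element) as json_data:
        d = json.load(json_data)
    temp = d['objects'][0]
    source = temp['source_ref']
    target = temp['target_ref']
    relationship = temp['relationship_type']
    paths = object_folder(source)
    patht = object_folder(target)
    if paths is None or patht is None:
        print('Invalid value in ' + element + ': ' + source + ' -> ' + target)
        continue
    # … unchanged: loading of s and t, construction of value, values.append(value) …

# … unchanged: galaxy dict, except the corrected type …
galaxy['type'] = "mitre-pre-attack-relationship"
# … unchanged: cluster dict and file output …
```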