MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

no change: dump files with sort_keys=True 

This is needed to keep better track of the changes when other tools load and save the json files.
pull/250/head
Christophe Vandeplas 2018-08-13 17:06:29 +02:00
parent 021107e597
commit 5478f0aa45
36 changed files with 16174 additions and 16174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1722
clusters/android.json
View File

File diff suppressed because it is too large Load Diff

20
clusters/backdoor.json
View File

@ -1,24 +1,24 @@
{
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
"authors": [
"raw-data"
],
"description": "A list of backdoor malware.",
"name": "Backdoor",
"source": "Open Sources",
"version": 1,
"type": "backdoor",
"uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf",
"values": [
{
"description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
"meta": {
"date": "July 2018.",
"refs": [
"https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html"
]
},
"description": "Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.",
"value": "WellMess",
"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd"
"uuid": "e0e79fab-0f1d-4fc2-b424-208cb019a9cd",
"value": "WellMess"
}
],
"authors": [
"raw-data"
],
"type": "backdoor",
"name": "Backdoor"
"version": 1
}

304
clusters/banker.json
View File

@ -1,10 +1,16 @@
{
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
"authors": [
"Unknown",
"raw-data"
],
"description": "A list of banker malware.",
"name": "Banker",
"source": "Open Sources",
"version": 11,
"type": "banker",
"uuid": "59f20cce-5420-4084-afd5-0884c0a83832",
"values": [
{
"description": "Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.",
"meta": {
"date": "Initally discovered between 2006 and 2007. New bankers with Zeus roots still active today.",
"refs": [
@ -14,11 +20,11 @@
"Zbot"
]
},
"description": "Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.",
"value": "Zeus",
"uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e"
"uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e",
"value": "Zeus"
},
{
"description": "Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.",
"meta": {
"date": "Discovered early 2013",
"refs": [
@ -31,11 +37,11 @@
"Neverquest"
]
},
"description": "Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.",
"value": "Vawtrak",
"uuid": "f3813bbd-682c-400d-8165-778be6d3f91f"
"uuid": "f3813bbd-682c-400d-8165-778be6d3f91f",
"value": "Vawtrak"
},
{
"description": " Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.",
"meta": {
"date": "Discovery in 2014, still active",
"refs": [
@ -46,11 +52,11 @@
"Feodo Version D"
]
},
"description": " Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.",
"value": "Dridex",
"uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e"
"uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
"value": "Dridex"
},
{
"description": "Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010",
"meta": {
"date": "First seen ~ 2007",
"refs": [
@ -65,11 +71,11 @@
"Papras"
]
},
"description": "Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010",
"value": "Gozi",
"uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3"
"uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3",
"value": "Gozi"
},
{
"description": "Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.",
"meta": {
"date": "Fall Oct. 2012 - Spring 2013",
"refs": [
@ -81,11 +87,11 @@
"Prinimalka"
]
},
"description": "Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.",
"value": "Goziv2",
"uuid": "71ad2c86-b9da-4351-acf9-7005f64062c7"
"uuid": "71ad2c86-b9da-4351-acf9-7005f64062c7",
"value": "Goziv2"
},
{
"description": "Banking trojan based on Gozi source. Features include web injects for the victims browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.",
"meta": {
"date": "Beginning 2010",
"refs": [
@ -95,11 +101,11 @@
"https://lokalhost.pl/gozi_tree.txt"
]
},
"description": "Banking trojan based on Gozi source. Features include web injects for the victims browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.",
"value": "Gozi ISFB",
"uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369"
"uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369",
"value": "Gozi ISFB"
},
{
"description": "Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.",
"meta": {
"date": "Since 2014",
"refs": [
@ -108,11 +114,11 @@
"https://lokalhost.pl/gozi_tree.txt"
]
},
"description": "Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.",
"value": "Dreambot",
"uuid": "549d1f8c-f76d-4d66-a1a2-2cd048d739ea"
"uuid": "549d1f8c-f76d-4d66-a1a2-2cd048d739ea",
"value": "Dreambot"
},
{
"description": "Gozi ISFB variant ",
"meta": {
"date": "Seen Autumn 2014",
"refs": [
@ -120,11 +126,11 @@
"http://archive.is/I7hi8#selection-217.0-217.6"
]
},
"description": "Gozi ISFB variant ",
"value": "IAP",
"uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924"
"uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924",
"value": "IAP"
},
{
"description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the droppers stealth and persistence; the Gozi ISFB parts add the banking Trojans capabilities to facilitate fraud via infected Internet browsers.",
"meta": {
"date": "Spring 2016",
"refs": [
@ -132,11 +138,11 @@
"https://lokalhost.pl/gozi_tree.txt"
]
},
"description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the droppers stealth and persistence; the Gozi ISFB parts add the banking Trojans capabilities to facilitate fraud via infected Internet browsers.",
"value": "GozNym",
"uuid": "bcefac9a-a928-490f-9cb6-a8863f40c949"
"uuid": "bcefac9a-a928-490f-9cb6-a8863f40c949",
"value": "GozNym"
},
{
"description": "Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails. ",
"meta": {
"date": "First seen in Fall 2016 and still active today.",
"refs": [
@ -147,11 +153,11 @@
"Zeus Terdot"
]
},
"description": "Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails. ",
"value": "Zloader Zeus",
"uuid": "2eb658ed-aff4-4253-a21f-9059b133ce17"
"uuid": "2eb658ed-aff4-4253-a21f-9059b133ce17",
"value": "Zloader Zeus"
},
{
"description": "Zeus variant that utilizes steganography in image files to retrieve configuration file. ",
"meta": {
"date": "First seen ~Feb 2014",
"refs": [
@ -162,22 +168,22 @@
"VM Zeus"
]
},
"description": "Zeus variant that utilizes steganography in image files to retrieve configuration file. ",
"value": "Zeus VM",
"uuid": "09d1cad8-6b06-48d7-a968-5b17bbe9ca65"
"uuid": "09d1cad8-6b06-48d7-a968-5b17bbe9ca65",
"value": "Zeus VM"
},
{
"description": "Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.",
"meta": {
"date": "First seen ~Aug 2015",
"refs": [
"https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/"
]
},
"description": "Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.",
"value": "Zeus Sphinx",
"uuid": "8914802c-3aca-4a0d-874a-85ac7a1bc505"
"uuid": "8914802c-3aca-4a0d-874a-85ac7a1bc505",
"value": "Zeus Sphinx"
},
{
"description": "Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.",
"meta": {
"date": "First seen ~ Spring 2016",
"refs": [
@ -189,11 +195,11 @@
"Zeus Panda"
]
},
"description": "Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.",
"value": "Panda Banker",
"uuid": "f1971442-6477-4aa2-aafa-7529b8252455"
"uuid": "f1971442-6477-4aa2-aafa-7529b8252455",
"value": "Panda Banker"
},
{
"description": "Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it's config in the registry. ",
"meta": {
"date": "First seen 2014",
"refs": [
@ -205,11 +211,11 @@
"Maple"
]
},
"description": "Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it's config in the registry. ",
"value": "Zeus KINS",
"uuid": "bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d"
"uuid": "bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d",
"value": "Zeus KINS"
},
{
"description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.",
"meta": {
"date": "First seen fall of 2014",
"refs": [
@ -220,11 +226,11 @@
"Chtonic"
]
},
"description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.",
"value": "Chthonic",
"uuid": "6deb9f26-969b-45aa-9222-c23663fd6ef8"
"uuid": "6deb9f26-969b-45aa-9222-c23663fd6ef8",
"value": "Chthonic"
},
{
"description": "Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan",
"meta": {
"date": "Discovered Fall 2016",
"refs": [
@ -238,11 +244,11 @@
"Trickloader"
]
},
"description": "Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan",
"value": "Trickbot",
"uuid": "07e3260b-d80c-4c86-bd28-8adc111bbec6"
"uuid": "07e3260b-d80c-4c86-bd28-8adc111bbec6",
"value": "Trickbot"
},
{
"description": "Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.",
"meta": {
"date": "Discovered ~June 2014",
"refs": [
@ -253,11 +259,11 @@
"Dyreza"
]
},
"description": "Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.",
"value": "Dyre",
"uuid": "15e969e6-f031-4441-a49b-f401332e4b00"
"uuid": "15e969e6-f031-4441-a49b-f401332e4b00",
"value": "Dyre"
},
{
"description": "Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.",
"meta": {
"date": "Discovered ~Spring 2012",
"refs": [
@ -272,11 +278,11 @@
"illi"
]
},
"description": "Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.",
"value": "Tinba",
"uuid": "5594b171-32ec-4145-b712-e7701effffdd"
"uuid": "5594b171-32ec-4145-b712-e7701effffdd",
"value": "Tinba"
},
{
"description": "Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.",
"meta": {
"date": "Discovered ~Summer 2014",
"refs": [
@ -288,11 +294,11 @@
"Emotet"
]
},
"description": "Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.",
"value": "Geodo",
"uuid": "8e002f78-7fb8-4e70-afd7-0b4ac655be26"
"uuid": "8e002f78-7fb8-4e70-afd7-0b4ac655be26",
"value": "Geodo"
},
{
"description": "Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.",
"meta": {
"date": "Discovered ~September 2011",
"refs": [
@ -305,11 +311,11 @@
"Cridex"
]
},
"description": "Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.",
"value": "Feodo",
"uuid": "7ca93488-c357-44c3-b246-3f88391aca5a"
"uuid": "7ca93488-c357-44c3-b246-3f88391aca5a",
"value": "Feodo"
},
{
"description": "Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.",
"meta": {
"date": "Discovered ~2010.",
"refs": [
@ -319,11 +325,11 @@
"Nimnul"
]
},
"description": "Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.",
"value": "Ramnit",
"uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2"
"uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2",
"value": "Ramnit"
},
{
"description": "Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.",
"meta": {
"date": "Discovered ~2007",
"refs": [
@ -336,11 +342,11 @@
"Pinkslipbot"
]
},
"description": "Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.",
"value": "Qakbot",
"uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a"
"uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a",
"value": "Qakbot"
},
{
"description": "Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.",
"meta": {
"date": "Discovered ~Fall 2015",
"refs": [
@ -349,11 +355,11 @@
"https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/"
]
},
"description": "Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.",
"value": "Corebot",
"uuid": "8a3d46db-d3b4-4f89-99e2-d1f0de3f484c"
"uuid": "8a3d46db-d3b4-4f89-99e2-d1f0de3f484c",
"value": "Corebot"
},
{
"description": "TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It's main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.",
"meta": {
"date": "Discovered ~December 2016",
"refs": [
@ -370,11 +376,11 @@
"Xbot"
]
},
"description": "TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It's main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.",
"value": "TinyNuke",
"uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e"
"uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e",
"value": "TinyNuke"
},
{
"description": "Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails. ",
"meta": {
"date": "Discovered in 2014",
"refs": [
@ -389,11 +395,11 @@
"Werdlod"
]
},
"description": "Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails. ",
"value": "Retefe",
"uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c"
"uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c",
"value": "Retefe"
},
{
"description": "ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.",
"meta": {
"date": "Discovered ~early 2015",
"refs": [
@ -403,22 +409,22 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/"
]
},
"description": "ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.",
"value": "ReactorBot",
"uuid": "d939e802-acb2-4881-bdaf-ece1eccf5699"
"uuid": "d939e802-acb2-4881-bdaf-ece1eccf5699",
"value": "ReactorBot"
},
{
"description": "Matrix Banker is named accordingly because of the Matrix reference in it's C2 panel. Distributed primarily via malspam emails.",
"meta": {
"date": "Discovered ~Spring 2017",
"refs": [
"https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/"
]
},
"description": "Matrix Banker is named accordingly because of the Matrix reference in it's C2 panel. Distributed primarily via malspam emails.",
"value": "Matrix Banker",
"uuid": "aa3fc68c-413c-4bfb-b4cd-bca7094da985"
"uuid": "aa3fc68c-413c-4bfb-b4cd-bca7094da985",
"value": "Matrix Banker"
},
{
"description": "Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.",
"meta": {
"date": "Discovered ~Sept. 2011",
"refs": [
@ -426,11 +432,11 @@
"https://www.us-cert.gov/ncas/alerts/TA14-150A"
]
},
"description": "Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.",
"value": "Zeus Gameover",
"uuid": "8653a94e-3eb3-4d88-8683-a1ae4a524774"
"uuid": "8653a94e-3eb3-4d88-8683-a1ae4a524774",
"value": "Zeus Gameover"
},
{
"description": "SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.",
"meta": {
"date": "Discovered early 2011",
"refs": [
@ -439,11 +445,11 @@
"https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot"
]
},
"description": "SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.",
"value": "SpyEye",
"uuid": "ebce18e9-b387-4b7d-bab9-4acd4fca7a7c"
"uuid": "ebce18e9-b387-4b7d-bab9-4acd4fca7a7c",
"value": "SpyEye"
},
{
"description": "Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.",
"meta": {
"date": "Discovered ~January 2012",
"refs": [
@ -452,11 +458,11 @@
"https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/"
]
},
"description": "Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.",
"value": "Citadel",
"uuid": "9eb89081-3245-423a-995f-c1d78ce39619"
"uuid": "9eb89081-3245-423a-995f-c1d78ce39619",
"value": "Citadel"
},
{
"description": "Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.",
"meta": {
"date": "Discovered ~spring 2016",
"refs": [
@ -464,33 +470,33 @@
"http://www.xylibox.com/2016/02/citadel-0011-atmos.html"
]
},
"description": "Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.",
"value": "Atmos",
"uuid": "ee021933-929d-4d6c-abca-5827cfb77289"
"uuid": "ee021933-929d-4d6c-abca-5827cfb77289",
"value": "Atmos"
},
{
"description": "Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.",
"meta": {
"date": "Discovered ~Fall 2011",
"refs": [
"https://securelist.com/ice-ix-not-cool-at-all/29111/ "
]
},
"description": "Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.",
"value": "Ice IX",
"uuid": "1d4a5704-c6fb-4bbb-92b2-88dc67f86339"
"uuid": "1d4a5704-c6fb-4bbb-92b2-88dc67f86339",
"value": "Ice IX"
},
{
"description": "Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.",
"meta": {
"date": "Discovered ~end of 2010",
"refs": [
"https://securelist.com/zeus-in-the-mobile-for-android-10/29258/"
]
},
"description": "Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.",
"value": "Zitmo",
"uuid": "3b1aff8f-647d-4709-aab0-6db1859c5f11"
"uuid": "3b1aff8f-647d-4709-aab0-6db1859c5f11",
"value": "Zitmo"
},
{
"description": "Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011",
"meta": {
"date": "Discovered in 2010",
"refs": [
@ -502,22 +508,22 @@
"Murofet"
]
},
"description": "Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011",
"value": "Licat",
"uuid": "0b097926-2e1a-4134-8ab9-4c16d0cca0fc"
"uuid": "0b097926-2e1a-4134-8ab9-4c16d0cca0fc",
"value": "Licat"
},
{
"description": "Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.",
"meta": {
"date": "Discovered end of 2012",
"refs": [
"https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/"
]
},
"description": "Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.",
"value": "Skynet",
"uuid": "f20791e4-26a7-45e0-90e6-709553b223b2"
"uuid": "f20791e4-26a7-45e0-90e6-709553b223b2",
"value": "Skynet"
},
{
"description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.",
"meta": {
"date": "Discovered in September 2017",
"refs": [
@ -526,41 +532,41 @@
"http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html"
]
},
"description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.",
"value": "IcedID",
"uuid": "9d67069c-b778-486f-8158-53f5dcd05d08"
"uuid": "9d67069c-b778-486f-8158-53f5dcd05d08",
"value": "IcedID"
},
{
"description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
"meta": {
"refs": [
"https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
]
},
"description": "GratefulPOS has the following functions\n1. Access arbitrary processes on the target POS system\n2. Scrape track 1 and 2 payment card data from the process(es)\n3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.",
"value": "GratefulPOS",
"uuid": "7d9362e5-e3cf-4640-88a2-3faf31952963"
"uuid": "7d9362e5-e3cf-4640-88a2-3faf31952963",
"value": "GratefulPOS"
},
{
"description": "A macOS banking trojan that that redirects an infected user's web traffic in order to extract banking credentials.",
"meta": {
"refs": [
"https://objective-see.com/blog/blog_0x25.html#Dok"
]
},
"description": "A macOS banking trojan that that redirects an infected user's web traffic in order to extract banking credentials.",
"value": "Dok",
"uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0"
"uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0",
"value": "Dok"
},
{
"description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.",
"meta": {
"refs": [
"https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/"
]
},
"description": "Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.",
"value": "downAndExec",
"uuid": "bfff538a-89dd-4bed-9ac1-b4faee373724"
"uuid": "bfff538a-89dd-4bed-9ac1-b4faee373724",
"value": "downAndExec"
},
{
"description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miners use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators"
@ -570,30 +576,29 @@
"lsmo"
]
},
"description": "Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miners use of Windows Management Infrastructure is unusual among coin mining malware.\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.",
"value": "Smominru",
"uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194"
"uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194",
"value": "Smominru"
},
{
"description": "It's a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0"
]
},
"description": "It's a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)",
"value": "DanaBot",
"uuid": "844417c6-a404-4c4e-8e93-84db596d725b"
"uuid": "844417c6-a404-4c4e-8e93-84db596d725b",
"value": "DanaBot"
},
{
"description": "The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload",
"meta": {
"refs": [
"https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/",
"https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/"
]
},
"description": "The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload",
"value": "Backswap",
"uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0"
"uuid": "ea0b5f45-6b56-4c92-b22b-0d84c45160a0",
"value": "Backswap"
},
{
"meta": {
@ -606,8 +611,8 @@
"Shiotob"
]
},
"value": "Bebloh",
"uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27"
"uuid": "67a1a317-9f79-42bd-a4b2-fa1867d37d27",
"value": "Bebloh"
},
{
"meta": {
@ -620,8 +625,8 @@
"BackPatcher"
]
},
"value": "Banjori",
"uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52"
"uuid": "f68555ff-6fbd-4f5a-bc23-34996f629c52",
"value": "Banjori"
},
{
"meta": {
@ -629,8 +634,8 @@
"https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/"
]
},
"value": "Qadars",
"uuid": "a717c873-6670-447a-ba98-90db6464c07d"
"uuid": "a717c873-6670-447a-ba98-90db6464c07d",
"value": "Qadars"
},
{
"meta": {
@ -638,8 +643,8 @@
"https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
]
},
"value": "Sisron",
"uuid": "610a136c-820d-4f5f-b66c-ae298923dc55"
"uuid": "610a136c-820d-4f5f-b66c-ae298923dc55",
"value": "Sisron"
},
{
"meta": {
@ -647,8 +652,8 @@
"https://www.johannesbader.ch/2016/06/the-dga-of-sisron/"
]
},
"value": "Ranbyus",
"uuid": "6720f960-0382-479b-a0f8-f9e008995af4"
"uuid": "6720f960-0382-479b-a0f8-f9e008995af4",
"value": "Ranbyus"
},
{
"meta": {
@ -656,20 +661,21 @@
"https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks"
]
},
"value": "Fobber",
"uuid": "da124511-463c-4514-ad05-7ec8db1b38aa"
"uuid": "da124511-463c-4514-ad05-7ec8db1b38aa",
"value": "Fobber"
},
{
"description": "Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion to other banking malware and consists of three components (injector32\\64.exe, proxy32\\64.dll and mod32\\64.dll), these components essentially work together to deploy webinjects in several browsers.",
"meta": {
"refs": [
"https://research.checkpoint.com/banking-trojans-development/"
]
},
"description": "Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion to other banking malware and consists of three components (injector32\\64.exe, proxy32\\64.dll and mod32\\64.dll), these components essentially work together to deploy webinjects in several browsers.",
"value": "Karius",
"uuid": "a088c428-d0bb-49c8-9ed7-dcced0c74754"
"uuid": "a088c428-d0bb-49c8-9ed7-dcced0c74754",
"value": "Karius"
},
{
"description": "Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renew version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018, the main difference is that the 2018 edition uses Tor-hosted C&C control panels.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Kronos_(malware)",
@ -677,15 +683,9 @@
"https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/"
]
},
"description": "Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renew version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018, the main difference is that the 2018 edition uses Tor-hosted C&C control panels.",
"value": "Kronos",
"uuid": "5b42af8e-8fdc-11e8-bf48-f32ff64d5502"
"uuid": "5b42af8e-8fdc-11e8-bf48-f32ff64d5502",
"value": "Kronos"
}
],
"authors": [
"Unknown",
"raw-data"
],
"type": "banker",
"name": "Banker"
"version": 11
}

276
clusters/botnet.json
View File

@ -1,20 +1,25 @@
{
"authors": [
"Various"
],
"description": "botnet galaxy",
"uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
"name": "Botnet",
"source": "MISP Project",
"version": 8,
"type": "botnet",
"uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f",
"values": [
{
"description": "A new botnet appeared over the weekend, and it's targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.\n\nThe botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.\n\nOnly devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360's Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/"
]
},
"description": "A new botnet appeared over the weekend, and it's targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.\n\nThe botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.\n\nOnly devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360's Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.",
"value": "ADB.miner",
"uuid": "6d7fc046-61c8-4f4e-add9-eebe5b5f4f69"
"uuid": "6d7fc046-61c8-4f4e-add9-eebe5b5f4f69",
"value": "ADB.miner"
},
{
"description": "Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.",
"meta": {
"date": "2004",
"refs": [
@ -26,11 +31,11 @@
"Lodeight"
]
},
"description": "Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.",
"value": "Bagle",
"uuid": "d530ea76-9bbc-4276-a2e3-df04e0e5a14c"
"uuid": "d530ea76-9bbc-4276-a2e3-df04e0e5a14c",
"value": "Bagle"
},
{
"description": "Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Botnet"
@ -43,11 +48,11 @@
"Kraken"
]
},
"description": "Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.",
"value": "Marina Botnet",
"uuid": "7296f769-9bb7-474d-bbc7-5839f71d052a"
"uuid": "7296f769-9bb7-474d-bbc7-5839f71d052a",
"value": "Marina Botnet"
},
{
"description": "Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data hajimeon the computer, and can perform man-in-the-browser attacks.",
"meta": {
"date": "2005",
"refs": [
@ -58,11 +63,11 @@
"Anserin"
]
},
"description": "Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data hajimeon the computer, and can perform man-in-the-browser attacks.",
"value": "Torpig",
"uuid": "415a3667-4ac4-4718-a6ea-617540a4abb1"
"uuid": "415a3667-4ac4-4718-a6ea-617540a4abb1",
"value": "Torpig"
},
{
"description": "The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of \"zombie\" computers (or \"botnet\") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as \"230 dead as storm batters Europe,\" giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.",
"meta": {
"date": "2007",
"refs": [
@ -76,9 +81,8 @@
"Ecard"
]
},
"description": "The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of \"zombie\" computers (or \"botnet\") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as \"230 dead as storm batters Europe,\" giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.",
"value": "Storm",
"uuid": "74ebec0c-6db3-47b9-9879-0d125e413e76"
"uuid": "74ebec0c-6db3-47b9-9879-0d125e413e76",
"value": "Storm"
},
{
"meta": {
@ -108,6 +112,7 @@
"value": "Donbot"
},
{
"description": "The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo.] It affects computers running Microsoft Windows. related to: Wigon, Pushdo",
"meta": {
"date": "2007",
"refs": [
@ -118,22 +123,22 @@
"Mutant"
]
},
"description": "The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo.] It affects computers running Microsoft Windows. related to: Wigon, Pushdo",
"value": "Cutwail",
"uuid": "35e25aad-7c39-4a1d-aa17-73fa638362e8"
"uuid": "35e25aad-7c39-4a1d-aa17-73fa638362e8",
"value": "Cutwail"
},
{
"description": "Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.",
"meta": {
"date": "2007",
"refs": [
"https://en.wikipedia.org/wiki/Akbot"
]
},
"description": "Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.",
"value": "Akbot",
"uuid": "6e1168e6-7768-4fa2-951f-6d6934531633"
"uuid": "6e1168e6-7768-4fa2-951f-6d6934531633",
"value": "Akbot"
},
{
"description": "Srizbi BotNet, considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.",
"meta": {
"date": "March 2007",
"refs": [
@ -144,20 +149,19 @@
"Exchanger"
]
},
"description": "Srizbi BotNet, considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.",
"value": "Srizbi",
"uuid": "6df98396-b52a-4f84-bec2-0060bc46bdbf"
"uuid": "6df98396-b52a-4f84-bec2-0060bc46bdbf",
"value": "Srizbi"
},
{
"description": "The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.",
"meta": {
"date": "2008",
"refs": [
"https://en.wikipedia.org/wiki/Lethic_botnet"
]
},
"description": "The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.",
"value": "Lethic",
"uuid": "a73e150f-1431-4f72-994a-4000405eff07"
"uuid": "a73e150f-1431-4f72-994a-4000405eff07",
"value": "Lethic"
},
{
"meta": {
@ -173,6 +177,7 @@
"value": "Xarvester"
},
{
"description": "Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.",
"meta": {
"date": "2008",
"refs": [
@ -188,22 +193,22 @@
"Kukacka"
]
},
"description": "Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.",
"value": "Sality",
"uuid": "6fe5f49d-48b5-4dc2-92f7-8c94397b9c96"
"uuid": "6fe5f49d-48b5-4dc2-92f7-8c94397b9c96",
"value": "Sality"
},
{
"description": "The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the \"Butterfly (mariposa in Spanish) Bot\", making it one of the largest known botnets.",
"meta": {
"date": "2008",
"refs": [
"https://en.wikipedia.org/wiki/Mariposa_botnet"
]
},
"description": "The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the \"Butterfly (mariposa in Spanish) Bot\", making it one of the largest known botnets.",
"value": "Mariposa",
"uuid": "f4878385-c6c7-4f6b-8637-08146841d2a2"
"uuid": "f4878385-c6c7-4f6b-8637-08146841d2a2",
"value": "Mariposa"
},
{
"description": "Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.",
"meta": {
"date": "November 2008",
"refs": [
@ -216,11 +221,11 @@
"Kido"
]
},
"description": "Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.",
"value": "Conficker",
"uuid": "ab49815e-8ba6-41ec-9f51-8a9587334069"
"uuid": "ab49815e-8ba6-41ec-9f51-8a9587334069",
"value": "Conficker"
},
{
"description": "Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.",
"meta": {
"date": "November 2008",
"refs": [
@ -231,19 +236,18 @@
"Waledpak"
]
},
"description": "Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.",
"value": "Waledac",
"uuid": "4e324956-3177-4c8f-b0b6-e3bc4c3ede2f"
"uuid": "4e324956-3177-4c8f-b0b6-e3bc4c3ede2f",
"value": "Waledac"
},
{
"description": "A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.",
"meta": {
"refs": [
"https://www.symantec.com/connect/blogs/evaluating-botnet-capacity"
]
},
"description": "A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.",
"value": "Maazben",
"uuid": "a461f744-ab52-4a78-85e4-aedca1303a4c"
"uuid": "a461f744-ab52-4a78-85e4-aedca1303a4c",
"value": "Maazben"
},
{
"meta": {
@ -255,6 +259,7 @@
"value": "Onewordsub"
},
{
"description": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).",
"meta": {
"refs": [
"https://www.cert.pl/en/news/single/tofsee-en/"
@ -264,9 +269,8 @@
"Mondera"
]
},
"description": "Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).",
"value": "Gheg",
"uuid": "ca11e3f2-cda1-45dc-bed1-8708fa9e27a6"
"uuid": "ca11e3f2-cda1-45dc-bed1-8708fa9e27a6",
"value": "Gheg"
},
{
"meta": {
@ -287,6 +291,7 @@
"value": "Wopla"
},
{
"description": "The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.",
"meta": {
"date": "2008",
"refs": [
@ -299,11 +304,11 @@
"Hydraflux"
]
},
"description": "The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.",
"value": "Asprox",
"uuid": "0d58f329-1356-468c-88ab-e21fbb64c02b"
"uuid": "0d58f329-1356-468c-88ab-e21fbb64c02b",
"value": "Asprox"
},
{
"description": "Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machines processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.",
"meta": {
"refs": [
"http://www.root777.com/security/analysis-of-spam-thru-botnet/"
@ -314,22 +319,22 @@
"Xmiler"
]
},
"description": "Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machines processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.",
"value": "Spamthru",
"uuid": "3da8c2f9-dbbf-4825-9010-2261b2007d22"
"uuid": "3da8c2f9-dbbf-4825-9010-2261b2007d22",
"value": "Spamthru"
},
{
"description": "Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.",
"meta": {
"date": "2008",
"refs": [
"https://en.wikipedia.org/wiki/Gumblar"
]
},
"description": "Gumblar is a malicious JavaScript trojan horse file that redirects a user's Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.",
"value": "Gumblar",
"uuid": "5b83d0ac-3661-465e-b3ab-ca182d1eacad"
"uuid": "5b83d0ac-3661-465e-b3ab-ca182d1eacad",
"value": "Gumblar"
},
{
"description": "The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.",
"meta": {
"date": "May 2009",
"refs": [
@ -339,11 +344,11 @@
"Oficla"
]
},
"description": "The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.",
"value": "BredoLab",
"uuid": "65a30580-d542-4113-b00f-7fab98bd046c"
"uuid": "65a30580-d542-4113-b00f-7fab98bd046c",
"value": "BredoLab"
},
{
"description": "The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's 3rd largest botnet, responsible for 18% of worldwide spam traffic.",
"meta": {
"date": "2009",
"refs": [
@ -354,11 +359,11 @@
"Reddyb"
]
},
"description": "The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's 3rd largest botnet, responsible for 18% of worldwide spam traffic.",
"value": "Grum",
"uuid": "a2a601db-2ae7-4695-ac0c-0a3ea8822356"
"uuid": "a2a601db-2ae7-4695-ac0c-0a3ea8822356",
"value": "Grum"
},
{
"description": "The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Mega-D_botnet"
@ -367,11 +372,11 @@
"Ozdok"
]
},
"description": "The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.",
"value": "Mega-D",
"uuid": "c12537fc-1de5-4d12-ae36-649f32919059"
"uuid": "c12537fc-1de5-4d12-ae36-649f32919059",
"value": "Mega-D"
},
{
"description": "The Kraken botnet was the world's largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Kraken_botnet"
@ -380,11 +385,11 @@
"Kracken"
]
},
"description": "The Kraken botnet was the world's largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.",
"value": "Kraken",
"uuid": "e721809b-2785-4ce3-b95a-7fde2762f736"
"uuid": "e721809b-2785-4ce3-b95a-7fde2762f736",
"value": "Kraken"
},
{
"description": "The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.",
"meta": {
"date": "August 2009",
"refs": [
@ -394,20 +399,19 @@
"Spamnost"
]
},
"description": "The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.",
"value": "Festi",
"uuid": "b76128e3-cea5-4df8-8d23-d9f3305e5a14"
"uuid": "b76128e3-cea5-4df8-8d23-d9f3305e5a14",
"value": "Festi"
},
{
"description": "Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.",
"meta": {
"date": "March 2010",
"refs": [
"https://en.wikipedia.org/wiki/Vulcanbot"
]
},
"description": "Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.",
"value": "Vulcanbot",
"uuid": "dfd17a50-65df-4ddc-899e-1052e5001a1f"
"uuid": "dfd17a50-65df-4ddc-899e-1052e5001a1f",
"value": "Vulcanbot"
},
{
"meta": {
@ -422,6 +426,7 @@
"value": "LowSec"
},
{
"description": "Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,triggered these crashes by breaking assumptions made by the malware author(s).",
"meta": {
"date": "2010",
"refs": [
@ -432,11 +437,11 @@
"Alureon"
]
},
"description": "Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,triggered these crashes by breaking assumptions made by the malware author(s).",
"value": "TDL4",
"uuid": "61a17703-7837-4cc9-b022-b5ed6b30efc1"
"uuid": "61a17703-7837-4cc9-b022-b5ed6b30efc1",
"value": "TDL4"
},
{
"description": "Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Zeus_(malware)"
@ -450,11 +455,11 @@
"Kneber"
]
},
"description": "Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.",
"value": "Zeus",
"uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28"
"uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
"value": "Zeus"
},
{
"description": "The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.",
"meta": {
"date": "2010",
"refs": [
@ -464,20 +469,19 @@
"Hlux"
]
},
"description": "The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.",
"value": "Kelihos",
"uuid": "07b10419-e8b5-4b5f-a179-77fc9b127dc6"
"uuid": "07b10419-e8b5-4b5f-a179-77fc9b127dc6",
"value": "Kelihos"
},
{
"description": "Ramnit is a Computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. In 2015, this infection was estimated at 3 200 000 PCs.",
"meta": {
"date": "2011",
"refs": [
"https://en.wikipedia.org/wiki/Botnet"
]
},
"description": "Ramnit is a Computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. In 2015, this infection was estimated at 3 200 000 PCs.",
"value": "Ramnit",
"uuid": "8ed81090-f098-4878-b87e-2d801b170759"
"uuid": "8ed81090-f098-4878-b87e-2d801b170759",
"value": "Ramnit"
},
{
"meta": {
@ -492,38 +496,39 @@
"value": "Zer0n3t"
},
{
"description": "The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).",
"meta": {
"date": "2012",
"refs": [
"https://en.wikipedia.org/wiki/Chameleon_botnet"
]
},
"description": "The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).",
"value": "Chameleon",
"uuid": "3084cd06-e415-4ff0-abd0-cf8fbf67c53c"
"uuid": "3084cd06-e415-4ff0-abd0-cf8fbf67c53c",
"value": "Chameleon"
},
{
"description": "Mirai (Japanese for \"the future\", 未来) is a malware that turns networked devices running Linux into remotely controlled \"bots\" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.",
"meta": {
"date": "August 2016",
"refs": [
"https://en.wikipedia.org/wiki/Mirai_(malware)"
]
},
"description": "Mirai (Japanese for \"the future\", 未来) is a malware that turns networked devices running Linux into remotely controlled \"bots\" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.",
"value": "Mirai",
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185"
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"value": "Mirai"
},
{
"value": "XorDDoS",
"uuid": "5485d149-79b5-451e-b48c-a020eced3515",
"description": "XOR DDOS is a Linux trojan used to perform large-scale DDoS",
"meta": {
"refs": [
"https://en.wikipedia.org/wiki/Xor_DDoS"
]
}
},
"uuid": "5485d149-79b5-451e-b48c-a020eced3515",
"value": "XorDDoS"
},
{
"description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/",
@ -533,9 +538,8 @@
"Okiru"
]
},
"description": "According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.",
"value": "Satori",
"uuid": "e77cf495-632a-4459-aad1-cdf29d73683f"
"uuid": "e77cf495-632a-4459-aad1-cdf29d73683f",
"value": "Satori"
},
{
"meta": {
@ -545,6 +549,7 @@
"value": "BetaBot"
},
{
"description": "Hajime (meaning beginning in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown.\nIt is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existance was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/",
@ -552,21 +557,21 @@
"https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/"
]
},
"description": "Hajime (meaning beginning in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown.\nIt is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existance was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).",
"value": "Hajime",
"uuid": "383fd414-3805-11e8-ac12-c7b5af38ff67"
"uuid": "383fd414-3805-11e8-ac12-c7b5af38ff67",
"value": "Hajime"
},
{
"description": "The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.\nAt the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware.\nCrooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online.\nThe Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/"
]
},
"description": "The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS.\nAt the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware.\nCrooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online.\nThe Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.",
"value": "Muhstik",
"uuid": "8364b00c-46c6-11e8-a78e-9bcc5609574f"
"uuid": "8364b00c-46c6-11e8-a78e-9bcc5609574f",
"value": "Muhstik"
},
{
"description": "Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise.\nThis is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.\nThe reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT malware strains.\nBut today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices.\nBy placing itself in this menu, the device's OS will automatically start the malware's process after the next reboot.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/",
@ -577,43 +582,43 @@
"Hide 'N Seek"
]
},
"description": "Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise.\nThis is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.\nThe reset operation flushed the device's flash memory, where the device would keep all its working data, including IoT malware strains.\nBut today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices.\nBy placing itself in this menu, the device's OS will automatically start the malware's process after the next reboot.",
"value": "Hide and Seek",
"uuid": "cdf1148c-5358-11e8-87e5-ab60d455597f"
"uuid": "cdf1148c-5358-11e8-87e5-ab60d455597f",
"value": "Hide and Seek"
},
{
"description": "Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.",
"meta": {
"refs": [
"https://thehackernews.com/2018/05/botnet-malware-hacking.html"
]
},
"description": "Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.",
"value": "Mettle",
"uuid": "77a308b6-575d-11e8-89a9-3f6a2a9c08bb"
"uuid": "77a308b6-575d-11e8-89a9-3f6a2a9c08bb",
"value": "Mettle"
},
{
"description": "IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot.",
"meta": {
"date": "2018",
"refs": [
"https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html"
]
},
"description": "IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot.",
"value": "WICKED",
"uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc"
"uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc",
"value": "WICKED"
},
{
"description": "Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.",
"meta": {
"date": "2018",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/brain-food-botnet-gives-website-operators-heartburn"
]
},
"description": "Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.",
"value": "Brain Food",
"uuid": "f293c553-8b03-40b3-a125-f9ae66a72d99"
"uuid": "f293c553-8b03-40b3-a125-f9ae66a72d99",
"value": "Brain Food"
},
{
"description": "The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run command such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding",
"meta": {
"date": "2011",
"refs": [
@ -624,9 +629,8 @@
"N0ise"
]
},
"description": "The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run command such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding",
"value": "Pontoeb",
"uuid": "bc60de19-27a5-4df8-a835-70781b923125"
"uuid": "bc60de19-27a5-4df8-a835-70781b923125",
"value": "Pontoeb"
},
{
"meta": {
@ -637,8 +641,8 @@
"Trik Trojan"
]
},
"value": "Trik Spam Botnet",
"uuid": "c68d5e64-7485-11e8-8625-2b14141f0501"
"uuid": "c68d5e64-7485-11e8-8625-2b14141f0501",
"value": "Trik Spam Botnet"
},
{
"meta": {
@ -649,8 +653,8 @@
"Mad Max"
]
},
"value": "Madmax",
"uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66"
"uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66",
"value": "Madmax"
},
{
"meta": {
@ -658,8 +662,8 @@
"https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/"
]
},
"value": "Pushdo",
"uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0"
"uuid": "94d12a03-6ae8-4006-a98f-80c15e6f95c0",
"value": "Pushdo"
},
{
"meta": {
@ -667,8 +671,8 @@
"https://www.us-cert.gov/ncas/alerts/TA15-105A"
]
},
"value": "Simda",
"uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c"
"uuid": "347e7a64-8ee2-487f-bcb3-ca7564fa836c",
"value": "Simda"
},
{
"meta": {
@ -676,8 +680,8 @@
"https://en.wikipedia.org/wiki/Virut"
]
},
"value": "Virut",
"uuid": "cc1432a1-6580-4338-b119-a43236528ea1"
"uuid": "cc1432a1-6580-4338-b119-a43236528ea1",
"value": "Virut"
},
{
"meta": {
@ -685,8 +689,8 @@
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions"
]
},
"value": "Beebone",
"uuid": "49b13880-9baf-4ae0-9171-814094b03d89"
"uuid": "49b13880-9baf-4ae0-9171-814094b03d89",
"value": "Beebone"
},
{
"meta": {
@ -699,13 +703,9 @@
"Agent-OCF"
]
},
"value": "Bamital",
"uuid": "07815089-e2c6-4084-9a62-3ece7210f33f"
"uuid": "07815089-e2c6-4084-9a62-3ece7210f33f",
"value": "Bamital"
}
],
"authors": [
"Various"
],
"type": "botnet",
"name": "Botnet"
"version": 8
}

62
clusters/branded_vulnerability.json
View File

@ -1,7 +1,14 @@
{
"authors": [
"Unknown"
],
"description": "List of known vulnerabilities and attacks with a branding",
"name": "Branded Vulnerability",
"source": "Open Sources",
"type": "branded-vulnerability",
"uuid": "93715a12-f45b-11e7-bcf9-3767161e9ebd",
"values": [
{
"value": "Meltdown",
"description": "Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.",
"meta": {
"aliases": [
@ -11,10 +18,10 @@
"https://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Meltdown_with_text.svg/300px-Meltdown_with_text.svg.png"
]
},
"uuid": "70bee5b7-0fa3-4a4d-98ee-d8ab787c6db1"
"uuid": "70bee5b7-0fa3-4a4d-98ee-d8ab787c6db1",
"value": "Meltdown"
},
{
"value": "Spectre",
"description": "Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.",
"meta": {
"aliases": [
@ -25,10 +32,10 @@
"https://en.wikipedia.org/wiki/File:Spectre_with_text.svg"
]
},
"uuid": "36168188-6d14-463a-9713-f88764a83329"
"uuid": "36168188-6d14-463a-9713-f88764a83329",
"value": "Spectre"
},
{
"value": "Heartbleed",
"description": "Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.",
"meta": {
"aliases": [
@ -38,10 +45,10 @@
"https://upload.wikimedia.org/wikipedia/commons/thumb/d/dc/Heartbleed.svg/440px-Heartbleed.svg.png"
]
},
"uuid": "d6d85947-e6ee-4d2e-bb48-437f31c7a270"
"uuid": "d6d85947-e6ee-4d2e-bb48-437f31c7a270",
"value": "Heartbleed"
},
{
"value": "Shellshock",
"description": "Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.",
"meta": {
"aliases": [
@ -53,10 +60,10 @@
"https://cdn-images-1.medium.com/max/1600/1*bopQcJtKouPOJ_isSzanLw.png"
]
},
"uuid": "2102db77-5a51-40c1-bfc1-38fb7dcb7f05"
"uuid": "2102db77-5a51-40c1-bfc1-38fb7dcb7f05",
"value": "Shellshock"
},
{
"value": "Ghost",
"description": "The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\nDuring a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.",
"meta": {
"aliases": [
@ -66,10 +73,10 @@
"https://cdn-images-1.medium.com/max/1600/1*HnCEOo0RUT1fliJjRT02lA.png"
]
},
"uuid": "a1640081-aa8d-4070-84b2-d23e2ae82799"
"uuid": "a1640081-aa8d-4070-84b2-d23e2ae82799",
"value": "Ghost"
},
{
"value": "Stagefright",
"description": "Stagefright is the name given to a group of software bugs that affect versions 2.2 (\"Froyo\") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesnt have to do anything to accept the bug, it happens in the background. The phone number is the only target information.",
"meta": {
"aliases": [
@ -87,10 +94,10 @@
"https://cdn-images-1.medium.com/max/1600/1*-Ivm3lZHNaOUwmklT4Rb1g.png"
]
},
"uuid": "352916e7-62bf-4b0c-bce7-da759d1a4f5f"
"uuid": "352916e7-62bf-4b0c-bce7-da759d1a4f5f",
"value": "Stagefright"
},
{
"value": "Badlock",
"description": "Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols[1] supported by Windows and Samba servers.",
"meta": {
"logo": [
@ -98,10 +105,10 @@
"https://cdn-images-1.medium.com/max/1600/1*EVbwwxEBOU83NKxgQrPG9w.png"
]
},
"uuid": "74f2bd2c-69f1-4d28-8d42-94b7ef89f31e"
"uuid": "74f2bd2c-69f1-4d28-8d42-94b7ef89f31e",
"value": "Badlock"
},
{
"value": "Dirty COW",
"description": "Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.",
"meta": {
"aliases": [
@ -111,25 +118,25 @@
"https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/DirtyCow.svg/440px-DirtyCow.svg.png"
]
},
"uuid": "54196537-cb0c-425c-83d6-437d41b4cc65"
"uuid": "54196537-cb0c-425c-83d6-437d41b4cc65",
"value": "Dirty COW"
},
{
"value": "POODLE",
"description": "The POODLE attack (which stands for \"Padding Oracle On Downgraded Legacy Encryptio\") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated \"September 2014\" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.",
"meta": {
"aliases": [
"CVE-2014-3566"
]
},
"uuid": "22b9af72-48c9-4da1-b13d-15667dbdd998"
"uuid": "22b9af72-48c9-4da1-b13d-15667dbdd998",
"value": "POODLE"
},
{
"value": "BadUSB",
"description": "The BadUSB vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.",
"uuid": "bc3a3299-1443-4390-8b25-4bb280c1abd7"
"uuid": "bc3a3299-1443-4390-8b25-4bb280c1abd7",
"value": "BadUSB"
},
{
"value": "ImageTragick",
"meta": {
"aliases": [
"CVE-20163714"
@ -138,16 +145,9 @@
"https://imagetragick.com/img/logo-medium.png"
]
},
"uuid": "e85e1270-eec5-4331-8004-a063125a54b4"
"uuid": "e85e1270-eec5-4331-8004-a063125a54b4",
"value": "ImageTragick"
}
],
"version": 1,
"uuid": "93715a12-f45b-11e7-bcf9-3767161e9ebd",
"description": "List of known vulnerabilities and attacks with a branding",
"authors": [
"Unknown"
],
"source": "Open Sources",
"type": "branded-vulnerability",
"name": "Branded Vulnerability"
"version": 1
}

60
clusters/cert-eu-govsector.json
View File

@ -1,37 +1,37 @@
{
"values": [
{
"value": "Constituency",
"uuid": "8ebd301f-067f-499d-8718-f63c8ced73ac"
},
{
"value": "EU-Centric",
"uuid": "bf3fd6a1-692e-4d77-b17d-496f71eebac9"
},
{
"value": "EU-nearby",
"uuid": "536dada1-30e5-453a-9611-33597ab5c373"
},
{
"value": "World-class",
"uuid": "8024aa5d-d0b0-4114-87c9-92e358c96850"
},
{
"value": "Unknown",
"uuid": "32f8b3dd-defc-47c8-a070-378f5e0e1be8"
},
{
"value": "Outside World",
"uuid": "adc80f46-86ef-4de8-95d1-15c45c15d002"
}
],
"version": 1,
"uuid": "69351b20-b898-11e7-a2f1-c3e696a74a48",
"description": "Cert EU GovSector",
"authors": [
"Various"
],
"description": "Cert EU GovSector",
"name": "Cert EU GovSector",
"source": "CERT-EU",
"type": "cert-eu-govsector",
"name": "Cert EU GovSector"
"uuid": "69351b20-b898-11e7-a2f1-c3e696a74a48",
"values": [
{
"uuid": "8ebd301f-067f-499d-8718-f63c8ced73ac",
"value": "Constituency"
},
{
"uuid": "bf3fd6a1-692e-4d77-b17d-496f71eebac9",
"value": "EU-Centric"
},
{
"uuid": "536dada1-30e5-453a-9611-33597ab5c373",
"value": "EU-nearby"
},
{
"uuid": "8024aa5d-d0b0-4114-87c9-92e358c96850",
"value": "World-class"
},
{
"uuid": "32f8b3dd-defc-47c8-a070-378f5e0e1be8",
"value": "Unknown"
},
{
"uuid": "adc80f46-86ef-4de8-95d1-15c45c15d002",
"value": "Outside World"
}
],
"version": 1
}

324
clusters/exploit-kit.json
View File

@ -1,45 +1,54 @@
{
"authors": [
"Kafeine",
"Will Metcalf",
"KahuSecurity"
],
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"name": "Exploit-Kit",
"source": "MISP Project",
"type": "exploit-kit",
"uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
"values": [
{
"value": "Astrum",
"description": "Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It's notable by its use of Steganography",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/09/astrum-ek.html",
"http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/"
],
"status": "Active",
"synonyms": [
"Stegano EK"
],
"status": "Active"
]
},
"uuid": "e9ca60cd-94fc-4a54-ac98-30e675a46b3e"
"uuid": "e9ca60cd-94fc-4a54-ac98-30e675a46b3e",
"value": "Astrum"
},
{
"value": "Bingo",
"description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia",
"meta": {
"status": "Active"
},
"uuid": "9e864c01-3d9e-4b8d-811e-46471ff866e9"
"uuid": "9e864c01-3d9e-4b8d-811e-46471ff866e9",
"value": "Bingo"
},
{
"value": "Terror EK",
"description": "Terror EK is built on Hunter, Sundown and RIG EK code",
"meta": {
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-like-Error-Exploit-Kit/"
],
"status": "Active",
"synonyms": [
"Blaze EK",
"Neptune EK"
],
"status": "Active"
]
},
"uuid": "f15f9264-854e-4e25-8641-cde2faeb86e9"
"uuid": "f15f9264-854e-4e25-8641-cde2faeb86e9",
"value": "Terror EK"
},
{
"value": "DealersChoice",
"description": "DealersChoice is a Flash Player Exploit platform triggered by RTF.\n\nDealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variantsvariant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.",
"meta": {
"refs": [
@ -47,30 +56,30 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/",
"https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
],
"status": "Active",
"synonyms": [
"Sednit RTF EK"
],
"status": "Active"
]
},
"uuid": "0f116533-a755-4cfc-815a-fa6bcb85efb7"
"uuid": "0f116533-a755-4cfc-815a-fa6bcb85efb7",
"value": "DealersChoice"
},
{
"value": "DNSChanger",
"description": "DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html",
"https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"
],
"status": "Active",
"synonyms": [
"RouterEK"
],
"status": "Active"
]
},
"uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1"
"uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1",
"value": "DNSChanger"
},
{
"value": "Disdain",
"description": "Disdain EK has been introduced on underground forum on 2017-08-07. The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula",
"meta": {
"refs": [
@ -78,25 +87,25 @@
],
"status": "Active"
},
"uuid": "1ded776d-6772-4cc8-a27f-f61e24a58d96"
"uuid": "1ded776d-6772-4cc8-a27f-f61e24a58d96",
"value": "Disdain"
},
{
"value": "Kaixin",
"description": "Kaixin is an exploit kit mainly seen behind compromised website in Asia",
"meta": {
"refs": [
"http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/",
"http://www.kahusecurity.com/2012/new-chinese-exploit-pack/"
],
"status": "Active",
"synonyms": [
"CK vip"
],
"status": "Active"
]
},
"uuid": "e6c1cfcf-3e37-4f5a-9494-989dd8c43d88"
"uuid": "e6c1cfcf-3e37-4f5a-9494-989dd8c43d88",
"value": "Kaixin"
},
{
"value": "Magnitude",
"description": "Magnitude EK",
"meta": {
"refs": [
@ -105,16 +114,16 @@
"http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html",
"https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood"
],
"status": "Active",
"synonyms": [
"Popads EK",
"TopExp"
],
"status": "Active"
]
},
"uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1"
"uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1",
"value": "Magnitude"
},
{
"value": "MWI",
"description": "Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. The author wants to avoid their customer to use it in mass spam campaign, so it's most often connected to semi-targeted attacks",
"meta": {
"refs": [
@ -123,10 +132,10 @@
],
"status": "Active"
},
"uuid": "489acbf2-d80b-4bb5-ac7d-c8573dcb6324"
"uuid": "489acbf2-d80b-4bb5-ac7d-c8573dcb6324",
"value": "MWI"
},
{
"value": "ThreadKit",
"description": "ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017",
"meta": {
"refs": [
@ -134,10 +143,10 @@
],
"status": "Active"
},
"uuid": "b8be783c-69a8-11e8-adc0-fa7ae01bbebc"
"uuid": "b8be783c-69a8-11e8-adc0-fa7ae01bbebc",
"value": "ThreadKit"
},
{
"value": "VenomKit",
"description": "VenomKit is the name given to a kit sold since april 2017 as \"Word 1day exploit builder\" by user badbullzvenom. Author allows only use in targeted campaign. Is used for instance by the \"Cobalt Gang\"",
"meta": {
"refs": [
@ -145,10 +154,10 @@
],
"status": "Active"
},
"uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc"
"uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc",
"value": "VenomKit"
},
{
"value": "RIG",
"description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.",
"meta": {
"refs": [
@ -157,91 +166,91 @@
"https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/",
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
],
"status": "Active",
"synonyms": [
"RIG 3",
"RIG-v",
"RIG 4",
"Meadgive"
],
"status": "Active"
]
},
"uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a"
"uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a",
"value": "RIG"
},
{
"value": "Sednit EK",
"description": "Sednit EK is the exploit kit used by APT28",
"meta": {
"refs": [
"http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/",
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/"
],
"status": "Active",
"synonyms": [
"SedKit"
],
"status": "Active"
]
},
"uuid": "c8b9578a-78be-420c-a29b-9214d09685c8"
"uuid": "c8b9578a-78be-420c-a29b-9214d09685c8",
"value": "Sednit EK"
},
{
"value": "Sundown-P",
"description": "Sundown-P/Sundown-Pirate is a rip of Sundown seen used in a private way (One group using it only) - First spotted at the end of June 2017, branded as CaptainBlack in August 2017",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/"
],
"status": "Active",
"synonyms": [
"Sundown-Pirate",
"CaptainBlack"
],
"status": "Active"
]
},
"uuid": "3235ae90-598b-45dc-b336-852817b271a8"
"uuid": "3235ae90-598b-45dc-b336-852817b271a8",
"value": "Sundown-P"
},
{
"value": "Bizarro Sundown",
"description": "Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/",
"https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/"
],
"status": "Retired",
"synonyms": [
"Sundown-b"
],
"status": "Retired"
]
},
"uuid": "ef3b170e-3fbe-420b-b202-4689da137c50"
"uuid": "ef3b170e-3fbe-420b-b202-4689da137c50",
"value": "Bizarro Sundown"
},
{
"value": "Hunter",
"description": "Hunter EK is an evolution of 3Ros EK",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers"
],
"status": "Retired - Last seen 2017-02-06",
"synonyms": [
"3ROS Exploit Kit"
],
"status": "Retired - Last seen 2017-02-06"
]
},
"uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c"
"uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
"value": "Hunter"
},
{
"value": "GreenFlash Sundown",
"description": "GreenFlash Sundown is a variation of Bizarro Sundown without landing",
"meta": {
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/"
],
"status": "Active",
"synonyms": [
"Sundown-GF"
],
"status": "Active"
]
},
"uuid": "6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2"
"uuid": "6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2",
"value": "GreenFlash Sundown"
},
{
"value": "Angler",
"description": "The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical \"indexm\" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the \"standard\" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC",
"meta": {
"refs": [
@ -249,17 +258,17 @@
"http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html",
"http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html"
],
"status": "Retired - Last seen: 2016-06-07",
"synonyms": [
"XXX",
"AEK",
"Axpergle"
],
"status": "Retired - Last seen: 2016-06-07"
]
},
"uuid": "5daf41c7-b297-4228-85d1-eb040d5b7c90"
"uuid": "5daf41c7-b297-4228-85d1-eb040d5b7c90",
"value": "Angler"
},
{
"value": "Archie",
"description": "Archie EK",
"meta": {
"refs": [
@ -267,41 +276,41 @@
],
"status": "Retired"
},
"uuid": "2756caae-d2c5-4170-9e76-2b7f1b1fccb1"
"uuid": "2756caae-d2c5-4170-9e76-2b7f1b1fccb1",
"value": "Archie"
},
{
"value": "BlackHole",
"description": "The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak)",
"meta": {
"refs": [
"https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/",
"https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/"
],
"status": "Retired - Last seen: 2013-10-07",
"synonyms": [
"BHEK"
],
"status": "Retired - Last seen: 2013-10-07"
]
},
"uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53"
"uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53",
"value": "BlackHole"
},
{
"value": "Bleeding Life",
"description": "Bleeding Life is an exploit kit that became open source with its version 2",
"meta": {
"refs": [
"http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/",
"http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html"
],
"status": "Retired",
"synonyms": [
"BL",
"BL2"
],
"status": "Retired"
]
},
"uuid": "5abe6240-dce2-4455-8125-ddae2e651243"
"uuid": "5abe6240-dce2-4455-8125-ddae2e651243",
"value": "Bleeding Life"
},
{
"value": "Cool",
"description": "The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013",
"meta": {
"refs": [
@ -309,64 +318,64 @@
"http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/"
],
"status": "Retired - Last seen: 2013-10-07",
"synonyms": [
"CEK",
"Styxy Cool"
],
"status": "Retired - Last seen: 2013-10-07"
]
},
"uuid": "9bb229b0-80f9-48e5-b8fb-00ee7af070cb"
"uuid": "9bb229b0-80f9-48e5-b8fb-00ee7af070cb",
"value": "Cool"
},
{
"value": "Fiesta",
"description": "Fiesta Exploit Kit",
"meta": {
"refs": [
"http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an",
"http://www.kahusecurity.com/2011/neosploit-is-back/"
],
"status": "Retired - Last Seen: beginning of 2015-07",
"synonyms": [
"NeoSploit",
"Fiexp"
],
"status": "Retired - Last Seen: beginning of 2015-07"
]
},
"uuid": "f50f860a-d795-4f4e-a170-8190f65499ad"
"uuid": "f50f860a-d795-4f4e-a170-8190f65499ad",
"value": "Fiesta"
},
{
"value": "Empire",
"description": "The Empire Pack is a variation of RIG operated by a load seller. It's being fed by many traffic actors",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html"
],
"status": "Retired - Last seen: 2016-12-29",
"synonyms": [
"RIG-E"
],
"status": "Retired - Last seen: 2016-12-29"
]
},
"uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86"
"uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86",
"value": "Empire"
},
{
"value": "FlashPack",
"description": "FlashPack EK got multiple fork. The most common variant seen was the standalone Flash version",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html",
"http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html"
],
"status": "Retired - Last seen: middle of 2015-04",
"synonyms": [
"FlashEK",
"SafePack",
"CritXPack",
"Vintage Pack"
],
"status": "Retired - Last seen: middle of 2015-04"
]
},
"uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1"
"uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1",
"value": "FlashPack"
},
{
"value": "Glazunov",
"description": "Glazunov is an exploit kit mainly seen behind compromised website in 2012 and 2013. Glazunov compromission is likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later shown similarities with this Exploit Kit",
"meta": {
"refs": [
@ -374,10 +383,10 @@
],
"status": "Retired - Last seen: maybe end of 2013"
},
"uuid": "897374fa-6a35-11e8-adc0-fa7ae01bbebc"
"uuid": "897374fa-6a35-11e8-adc0-fa7ae01bbebc",
"value": "Glazunov"
},
{
"value": "GrandSoft",
"description": "GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013. Disappeared between march 2014 and September 2017",
"meta": {
"refs": [
@ -385,16 +394,16 @@
"http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html",
"https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/"
],
"status": "Active",
"synonyms": [
"StampEK",
"SofosFO"
],
"status": "Active"
]
},
"uuid": "180b6969-2aca-4642-b684-b57db8f0eff8"
"uuid": "180b6969-2aca-4642-b684-b57db8f0eff8",
"value": "GrandSoft"
},
{
"value": "HanJuan",
"description": "Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015",
"meta": {
"refs": [
@ -405,24 +414,24 @@
],
"status": "Retired - Last seen: 2015-07"
},
"uuid": "886abdc6-db1a-4fc5-afe0-e17d65a83614"
"uuid": "886abdc6-db1a-4fc5-afe0-e17d65a83614",
"value": "HanJuan"
},
{
"value": "Himan",
"description": "Himan Exploit Kit",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/10/HiMan.html"
],
"status": "Retired - Last seen: 2014-04",
"synonyms": [
"High Load"
],
"status": "Retired - Last seen: 2014-04"
]
},
"uuid": "3d0cb558-7f04-4be8-963e-5f137566b07b"
"uuid": "3d0cb558-7f04-4be8-963e-5f137566b07b",
"value": "Himan"
},
{
"value": "Impact",
"description": "Impact EK",
"meta": {
"refs": [
@ -430,26 +439,26 @@
],
"status": "Retired"
},
"uuid": "319357b4-3041-4a71-89c5-51be08041d1b"
"uuid": "319357b4-3041-4a71-89c5-51be08041d1b",
"value": "Impact"
},
{
"value": "Infinity",
"description": "Infinity is an evolution of Redkit",
"meta": {
"refs": [
"http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html",
"http://www.kahusecurity.com/2014/the-resurrection-of-redkit/"
],
"status": "Retired - Last seen: 2014-07",
"synonyms": [
"Redkit v2.0",
"Goon"
],
"status": "Retired - Last seen: 2014-07"
]
},
"uuid": "4b858835-7b31-4b94-8144-b5175da1551f"
"uuid": "4b858835-7b31-4b94-8144-b5175da1551f",
"value": "Infinity"
},
{
"value": "Lightsout",
"description": "Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex",
"meta": {
"refs": [
@ -459,10 +468,10 @@
],
"status": "Unknown - Last seen: 2014-03"
},
"uuid": "244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1"
"uuid": "244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1",
"value": "Lightsout"
},
{
"value": "Nebula",
"description": "Nebula Exploit Kit has been built on Sundown source and features an internal TDS",
"meta": {
"refs": [
@ -470,89 +479,89 @@
],
"status": "Retired - Last seen 2017-03-09"
},
"uuid": "4ca96067-8fdd-4b48-bd34-d2e175e27bad"
"uuid": "4ca96067-8fdd-4b48-bd34-d2e175e27bad",
"value": "Nebula"
},
{
"value": "Neutrino",
"description": "Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html",
"http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html"
],
"status": "Retired - Last seen 2017-04-10",
"synonyms": [
"Job314",
"Neutrino Rebooted",
"Neutrino-v"
],
"status": "Retired - Last seen 2017-04-10"
]
},
"uuid": "218ae39b-2f92-4355-91c6-50cce319d26d"
"uuid": "218ae39b-2f92-4355-91c6-50cce319d26d",
"value": "Neutrino"
},
{
"value": "Niteris",
"description": "Niteris was used mainly to target Russian.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/06/cottoncastle.html",
"http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html"
],
"status": "Unknown - Last seen: 2015-11",
"synonyms": [
"CottonCastle"
],
"status": "Unknown - Last seen: 2015-11"
]
},
"uuid": "b344133f-e223-4fda-8fb2-88ad7999e549"
"uuid": "b344133f-e223-4fda-8fb2-88ad7999e549",
"value": "Niteris"
},
{
"value": "Nuclear",
"description": "The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack",
"meta": {
"refs": [
"http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/"
],
"status": "Retired - Last seen: 2015-04-30",
"synonyms": [
"NEK",
"Nuclear Pack",
"Spartan",
"Neclu"
],
"status": "Retired - Last seen: 2015-04-30"
]
},
"uuid": "e7c516f9-5222-4f0d-b80b-ae9f4c24583d"
"uuid": "e7c516f9-5222-4f0d-b80b-ae9f4c24583d",
"value": "Nuclear"
},
{
"value": "Phoenix",
"description": "Phoenix Exploit Kit",
"meta": {
"refs": [
"http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html",
"http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/"
],
"status": "Retired",
"synonyms": [
"PEK"
],
"status": "Retired"
]
},
"uuid": "0df2c7a6-046f-4489-8c77-0999c92c839d"
"uuid": "0df2c7a6-046f-4489-8c77-0999c92c839d",
"value": "Phoenix"
},
{
"value": "Private Exploit Pack",
"description": "Private Exploit Pack",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html",
"http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html"
],
"status": "Retired",
"synonyms": [
"PEP"
],
"status": "Retired"
]
},
"uuid": "cfd0a4af-f559-496f-b56b-97145ea4e4c3"
"uuid": "cfd0a4af-f559-496f-b56b-97145ea4e4c3",
"value": "Private Exploit Pack"
},
{
"value": "Redkit",
"description": "Redkit has been a major exploit kit in 2012. One of its specific features was to allow its access against a share of a percentage of the customer's traffic",
"meta": {
"refs": [
@ -562,10 +571,10 @@
],
"status": "Retired"
},
"uuid": "6958ff90-75e8-47ee-ab07-daa8d487130c"
"uuid": "6958ff90-75e8-47ee-ab07-daa8d487130c",
"value": "Redkit"
},
{
"value": "Sakura",
"description": "Sakura Exploit Kit appeared in 2012 and was adopted by several big actor",
"meta": {
"refs": [
@ -573,10 +582,10 @@
],
"status": "Retired - Last seen: 2013-09"
},
"uuid": "12af9112-3ac5-4422-858e-a22c293c6117"
"uuid": "12af9112-3ac5-4422-858e-a22c293c6117",
"value": "Sakura"
},
{
"value": "SPL",
"description": "SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV",
"meta": {
"refs": [
@ -589,43 +598,43 @@
"SPL2"
]
},
"uuid": "15936d30-c151-4051-835e-df327143ce76"
"uuid": "15936d30-c151-4051-835e-df327143ce76",
"value": "SPL"
},
{
"value": "Sundown",
"description": "Sundown Exploit Kit is mainly built out of stolen code from other exploit kits",
"meta": {
"colour": "#C03701",
"refs": [
"http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html",
"https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road"
],
"status": "Retired - Last seen 2017-03-08",
"synonyms": [
"Beps",
"Xer",
"Beta"
],
"status": "Retired - Last seen 2017-03-08",
"colour": "#C03701"
]
},
"uuid": "670e28c4-001a-4ba4-b276-441620225123"
"uuid": "670e28c4-001a-4ba4-b276-441620225123",
"value": "Sundown"
},
{
"value": "Sweet-Orange",
"description": "Sweet Orange",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html"
],
"status": "Retired - Last seen: 2015-04-05",
"synonyms": [
"SWO",
"Anogre"
],
"status": "Retired - Last seen: 2015-04-05"
]
},
"uuid": "222bc508-4d8d-4972-9cac-65192cfefd43"
"uuid": "222bc508-4d8d-4972-9cac-65192cfefd43",
"value": "Sweet-Orange"
},
{
"value": "Styx",
"description": "Styx Exploit Kit",
"meta": {
"refs": [
@ -635,10 +644,10 @@
],
"status": "Retired - Last seen: 2014-06"
},
"uuid": "006eaa87-e8a6-4808-93ff-302b52c628b0"
"uuid": "006eaa87-e8a6-4808-93ff-302b52c628b0",
"value": "Styx"
},
{
"value": "WhiteHole",
"description": "WhiteHole Exploit Kit appeared in January 2013 in the tail of the CVE-2013-0422",
"meta": {
"refs": [
@ -646,10 +655,10 @@
],
"status": "Retired - Last seen: 2013-12"
},
"uuid": "570bc715-7fe8-430b-bd2e-5512c95f2370"
"uuid": "570bc715-7fe8-430b-bd2e-5512c95f2370",
"value": "WhiteHole"
},
{
"value": "Unknown",
"description": "Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.",
"meta": {
"refs": [
@ -658,18 +667,9 @@
"https://twitter.com/kahusecurity"
]
},
"uuid": "00815961-3249-4e2e-9421-bb57feb73bb2"
"uuid": "00815961-3249-4e2e-9421-bb57feb73bb2",
"value": "Unknown"
}
],
"version": 7,
"uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"authors": [
"Kafeine",
"Will Metcalf",
"KahuSecurity"
],
"source": "MISP Project",
"type": "exploit-kit",
"name": "Exploit-Kit"
"version": 7
}

86
clusters/microsoft-activity-group.json
View File

@ -1,52 +1,52 @@
{
"version": 3,
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"description": "Activity groups as described by Microsoft",
"authors": [
"Various"
],
"description": "Activity groups as described by Microsoft",
"name": "Microsoft Activity Group actor",
"source": "MISP Project",
"type": "microsoft-activity-group",
"name": "Microsoft Activity Group actor",
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"values": [
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"value": "PROMETHIUM",
"uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"value": "NEODYMIUM",
"uuid": "47b5007a-3fb1-466a-9578-629e6e735493"
"uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f",
"value": "PROMETHIUM"
},
{
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"uuid": "47b5007a-3fb1-466a-9578-629e6e735493",
"value": "NEODYMIUM"
},
{
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
},
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"value": "TERBIUM",
"uuid": "99784b80-6298-45ba-885c-0ed37bfd8324"
"uuid": "99784b80-6298-45ba-885c-0ed37bfd8324",
"value": "TERBIUM"
},
{
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims computer. ",
"meta": {
"country": "RU",
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/"
],
"country": "RU",
"synonyms": [
"APT 28",
"APT28",
@ -60,13 +60,11 @@
"Grey-Cloud"
]
},
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims computer. ",
"value": "STRONTIUM",
"uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec"
"uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec",
"value": "STRONTIUM"
},
{
"description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.",
"value": "DUBNIUM",
"meta": {
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
@ -78,48 +76,50 @@
"darkhotel"
]
},
"uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a"
"uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a",
"value": "DUBNIUM"
},
{
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"value": "PLATINUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
]
},
"uuid": "154e97b5-47ef-415a-99a6-2157f1b50339"
"uuid": "154e97b5-47ef-415a-99a6-2157f1b50339",
"value": "PLATINUM"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"value": "BARIUM",
"uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"value": "LEAD",
"uuid": "f542442e-ba0f-425d-b386-6c10351a468e"
"uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af",
"value": "BARIUM"
},
{
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"uuid": "f542442e-ba0f-425d-b386-6c10351a468e",
"value": "LEAD"
},
{
"description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/"
]
},
"description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ",
"value": "ZIRCONIUM",
"uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d"
"uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d",
"value": "ZIRCONIUM"
}
]
],
"version": 3
}

3040
clusters/mitre-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

16
clusters/mitre-course-of-action.json
View File

@ -1,6 +1,12 @@
{
"version": 5,
"authors": [
"MITRE"
],
"description": "ATT&CK Mitigation",
"name": "Course of Action",
"source": "https://github.com/mitre/cti",
"type": "mitre-course-of-action",
"uuid": "a8825ae8-6dea-11e7-8d57-7728f3cfe086",
"values": [
{
"description": "Restrict users from being able to create their own login items. Additionally, holding the shift key during login prevents apps from opening automatically[[CiteRef::Re-Open windows on Mac]].",
@ -1151,11 +1157,5 @@
"value": "Security Software Discovery Mitigation"
}
],
"authors": [
"MITRE"
],
"name": "Course of Action",
"description": "ATT&CK Mitigation",
"type": "mitre-course-of-action",
"uuid": "a8825ae8-6dea-11e7-8d57-7728f3cfe086"
"version": 5
}

3294
clusters/mitre-enterprise-attack-attack-pattern.json
View File

File diff suppressed because one or more lines are too long

1304
clusters/mitre-enterprise-attack-course-of-action.json
View File

File diff suppressed because it is too large Load Diff

974
clusters/mitre-enterprise-attack-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

1142
clusters/mitre-enterprise-attack-malware.json
View File

File diff suppressed because it is too large Load Diff

14
clusters/mitre-enterprise-attack-relationship.json
View File

@ -1,13 +1,12 @@
{
"name": "Enterprise Attack - Relationship",
"type": "mitre-enterprise-attack-relationship",
"description": "MITRE Relationship",
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "fc605f90-1707-11e8-9d6a-9f165ac2ab5c",
"authors": [
"MITRE"
],
"description": "MITRE Relationship",
"name": "Enterprise Attack - Relationship",
"source": "https://github.com/mitre/cti",
"type": "mitre-enterprise-attack-relationship",
"uuid": "fc605f90-1707-11e8-9d6a-9f165ac2ab5c",
"values": [
{
"meta": {
@ -17273,5 +17272,6 @@
"uuid": "7f695d14-17e1-46c6-92eb-7c2f57fc6553",
"value": "Lazarus Group (G0032) uses Input Capture (T1056)"
}
]
],
"version": 3
}

284
clusters/mitre-enterprise-attack-tool.json
View File

@ -1,563 +1,562 @@
{
"name": "Enterprise Attack - Tool",
"type": "mitre-enterprise-attack-tool",
"description": "Name of ATT&CK software",
"version": 4,
"source": "https://github.com/mitre/cti",
"uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e",
"authors": [
"MITRE"
],
"description": "Name of ATT&CK software",
"name": "Enterprise Attack - Tool",
"source": "https://github.com/mitre/cti",
"type": "mitre-enterprise-attack-tool",
"uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e",
"values": [
{
"description": "is a lightweight, open source tool similar to PsExec designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)\n\nAliases: Winexe",
"value": "Winexe - S0191",
"meta": {
"external_id": "S0191",
"refs": [
"https://attack.mitre.org/wiki/Software/S0191",
"https://github.com/skalkoto/winexe/",
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
],
"external_id": "S0191",
"synonyms": [
"Winexe"
]
},
"uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d"
"uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
"value": "Winexe - S0191"
},
{
"description": "at is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)\n\nAliases: at, at.exe",
"value": "at - S0110",
"meta": {
"external_id": "S0110",
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
"https://technet.microsoft.com/en-us/library/bb490866.aspx"
],
"external_id": "S0110",
"synonyms": [
"at",
"at.exe"
]
},
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952"
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
"value": "at - S0110"
},
{
"description": "route can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)\n\nAliases: route, route.exe",
"value": "route - S0103",
"meta": {
"external_id": "S0103",
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
"https://technet.microsoft.com/en-us/library/bb490991.aspx"
],
"external_id": "S0103",
"synonyms": [
"route",
"route.exe"
]
},
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de"
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
"value": "route - S0103"
},
{
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)\n\nAliases: Tasklist",
"value": "Tasklist - S0057",
"meta": {
"external_id": "S0057",
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
],
"external_id": "S0057",
"synonyms": [
"Tasklist"
]
},
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"value": "Tasklist - S0057"
},
{
"description": "Windows Credential Editor is a password dumping tool. (Citation: Amplia WCE)\n\nAliases: Windows Credential Editor, WCE",
"value": "Windows Credential Editor - S0005",
"meta": {
"external_id": "S0005",
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
"http://www.ampliasecurity.com/research/wcefaq.html"
],
"external_id": "S0005",
"synonyms": [
"Windows Credential Editor",
"WCE"
]
},
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"value": "Windows Credential Editor - S0005"
},
{
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)\n\nAliases: Responder",
"value": "Responder - S0174",
"meta": {
"external_id": "S0174",
"refs": [
"https://attack.mitre.org/wiki/Software/S0174",
"https://github.com/SpiderLabs/Responder"
],
"external_id": "S0174",
"synonyms": [
"Responder"
]
},
"uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719"
"uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
"value": "Responder - S0174"
},
{
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)\n\nAliases: schtasks, schtasks.exe",
"value": "schtasks - S0111",
"meta": {
"external_id": "S0111",
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
"https://technet.microsoft.com/en-us/library/bb490996.aspx"
],
"external_id": "S0111",
"synonyms": [
"schtasks",
"schtasks.exe"
]
},
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
"value": "schtasks - S0111"
},
{
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)\n\nAliases: UACMe",
"value": "UACMe - S0116",
"meta": {
"external_id": "S0116",
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
],
"external_id": "S0116",
"synonyms": [
"UACMe"
]
},
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
"value": "UACMe - S0116"
},
{
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)\n\nAliases: ifconfig",
"value": "ifconfig - S0101",
"meta": {
"external_id": "S0101",
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
],
"external_id": "S0101",
"synonyms": [
"ifconfig"
]
},
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
"value": "ifconfig - S0101"
},
{
"description": "is a command line tool used to create and manage BITS Jobs. (Citation: Microsoft BITSAdmin)\n\nAliases: BITSAdmin",
"value": "BITSAdmin - S0190",
"meta": {
"external_id": "S0190",
"refs": [
"https://attack.mitre.org/wiki/Software/S0190",
"https://msdn.microsoft.com/library/aa362813.aspx"
],
"external_id": "S0190",
"synonyms": [
"BITSAdmin"
]
},
"uuid": "64764dc6-a032-495f-8250-1e4c06bdc163"
"uuid": "64764dc6-a032-495f-8250-1e4c06bdc163",
"value": "BITSAdmin - S0190"
},
{
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)\n\nAliases: Mimikatz\n\nContributors: Vincent Le Toux",
"value": "Mimikatz - S0002",
"meta": {
"external_id": "S0002",
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
"https://github.com/gentilkiwi/mimikatz",
"https://adsecurity.org/?page%20id=1821"
],
"external_id": "S0002",
"synonyms": [
"Mimikatz"
]
},
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"value": "Mimikatz - S0002"
},
{
"description": " (Citation: xCmd) is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems. (Citation: xCmd)\n\nAliases: (Citation: xCmd)",
"value": "xCmd - S0123",
"meta": {
"external_id": "S0123",
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
],
"external_id": "S0123",
"synonyms": [
"xCmd"
]
},
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
"value": "xCmd - S0123"
},
{
"description": "MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)\n\nAliases: MimiPenguin\n\nContributors: Vincent Le Toux",
"value": "MimiPenguin - S0179",
"meta": {
"external_id": "S0179",
"refs": [
"https://attack.mitre.org/wiki/Software/S0179",
"https://github.com/huntergregal/mimipenguin"
],
"external_id": "S0179",
"synonyms": [
"MimiPenguin"
]
},
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27"
"uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
"value": "MimiPenguin - S0179"
},
{
"description": "is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)\n\nAliases: SDelete",
"value": "SDelete - S0195",
"meta": {
"external_id": "S0195",
"refs": [
"https://attack.mitre.org/wiki/Software/S0195",
"https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
],
"external_id": "S0195",
"synonyms": [
"SDelete"
]
},
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153"
"uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153",
"value": "SDelete - S0195"
},
{
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)\n\nAliases: Systeminfo, systeminfo.exe",
"value": "Systeminfo - S0096",
"meta": {
"external_id": "S0096",
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
"https://technet.microsoft.com/en-us/library/bb491007.aspx"
],
"external_id": "S0096",
"synonyms": [
"Systeminfo",
"systeminfo.exe"
]
},
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
"value": "Systeminfo - S0096"
},
{
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)\n\nAliases: netsh, netsh.exe",
"value": "netsh - S0108",
"meta": {
"external_id": "S0108",
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
"https://technet.microsoft.com/library/bb490939.aspx"
],
"external_id": "S0108",
"synonyms": [
"netsh",
"netsh.exe"
]
},
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"value": "netsh - S0108"
},
{
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"value": "dsquery - S0105",
"meta": {
"external_id": "S0105",
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
"https://technet.microsoft.com/en-us/library/cc732952.aspx"
],
"external_id": "S0105",
"synonyms": [
"dsquery",
"dsquery.exe"
]
},
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe"
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
"value": "dsquery - S0105"
},
{
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)\n\nAliases: gsecdump",
"value": "gsecdump - S0008",
"meta": {
"external_id": "S0008",
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
"https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump%20v2.0b5"
],
"external_id": "S0008",
"synonyms": [
"gsecdump"
]
},
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
"value": "gsecdump - S0008"
},
{
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)\n\nAliases: Ping, ping.exe",
"value": "Ping - S0097",
"meta": {
"external_id": "S0097",
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
"https://technet.microsoft.com/en-us/library/bb490968.aspx"
],
"external_id": "S0097",
"synonyms": [
"Ping",
"ping.exe"
]
},
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"value": "Ping - S0097"
},
{
"description": "Fgdump is a Windows password hash dumper. (Citation: Mandiant APT1)\n\nAliases: Fgdump",
"value": "Fgdump - S0120",
"meta": {
"external_id": "S0120",
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0120",
"synonyms": [
"Fgdump"
]
},
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe"
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
"value": "Fgdump - S0120"
},
{
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)\n\nAliases: Lslsass",
"value": "Lslsass - S0121",
"meta": {
"external_id": "S0121",
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0121",
"synonyms": [
"Lslsass"
]
},
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
"value": "Lslsass - S0121"
},
{
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)\n\nAliases: Pass-The-Hash Toolkit",
"value": "Pass-The-Hash Toolkit - S0122",
"meta": {
"external_id": "S0122",
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0122",
"synonyms": [
"Pass-The-Hash Toolkit"
]
},
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
"value": "Pass-The-Hash Toolkit - S0122"
},
{
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)\n\nAliases: FTP, ftp.exe",
"value": "FTP - S0095",
"meta": {
"external_id": "S0095",
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
"https://en.wikipedia.org/wiki/File%20Transfer%20Protocol"
],
"external_id": "S0095",
"synonyms": [
"FTP",
"ftp.exe"
]
},
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
"value": "FTP - S0095"
},
{
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)\n\nAliases: ipconfig, ipconfig.exe",
"value": "ipconfig - S0100",
"meta": {
"external_id": "S0100",
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
"https://technet.microsoft.com/en-us/library/bb490921.aspx"
],
"external_id": "S0100",
"synonyms": [
"ipconfig",
"ipconfig.exe"
]
},
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"value": "ipconfig - S0100"
},
{
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)\n\nAliases: nbtstat, nbtstat.exe",
"value": "nbtstat - S0102",
"meta": {
"external_id": "S0102",
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
"https://technet.microsoft.com/en-us/library/cc940106.aspx"
],
"external_id": "S0102",
"synonyms": [
"nbtstat",
"nbtstat.exe"
]
},
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea"
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
"value": "nbtstat - S0102"
},
{
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"value": "HTRAN - S0040",
"meta": {
"external_id": "S0040",
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf"
],
"external_id": "S0040",
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
]
},
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
"value": "HTRAN - S0040"
},
{
"description": "Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)\n\nAliases: Tor",
"value": "Tor - S0183",
"meta": {
"external_id": "S0183",
"refs": [
"https://attack.mitre.org/wiki/Software/S0183",
"http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf"
],
"external_id": "S0183",
"synonyms": [
"Tor"
]
},
"uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68"
"uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
"value": "Tor - S0183"
},
{
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)\n\nAliases: netstat, netstat.exe",
"value": "netstat - S0104",
"meta": {
"external_id": "S0104",
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
"https://technet.microsoft.com/en-us/library/bb490947.aspx"
],
"external_id": "S0104",
"synonyms": [
"netstat",
"netstat.exe"
]
},
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
"value": "netstat - S0104"
},
{
"description": "pwdump is a credential dumper. (Citation: Wikipedia pwdump)\n\nAliases: pwdump",
"value": "pwdump - S0006",
"meta": {
"external_id": "S0006",
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
],
"external_id": "S0006",
"synonyms": [
"pwdump"
]
},
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
"value": "pwdump - S0006"
},
{
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry. (Citation: Mandiant APT1)\n\nAliases: Cachedump",
"value": "Cachedump - S0119",
"meta": {
"external_id": "S0119",
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "S0119",
"synonyms": [
"Cachedump"
]
},
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
"value": "Cachedump - S0119"
},
{
"description": "Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)\n\nAliases: Forfiles\n\nContributors: Matthew Demaske, Adaptforward",
"value": "Forfiles - S0193",
"meta": {
"external_id": "S0193",
"refs": [
"https://attack.mitre.org/wiki/Software/S0193",
"https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)"
],
"external_id": "S0193",
"synonyms": [
"Forfiles"
]
},
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2"
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
"value": "Forfiles - S0193"
},
{
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\nNet has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through Windows admin shares using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"value": "Net - S0039",
"meta": {
"external_id": "S0039",
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
"https://msdn.microsoft.com/en-us/library/aa939914",
"http://windowsitpro.com/windows/netexe-reference"
],
"external_id": "S0039",
"synonyms": [
"Net",
"net.exe"
]
},
"uuid": "03342581-f790-4f03-ba41-e82e67392e23"
"uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"value": "Net - S0039"
},
{
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)\n\nAliases: PsExec",
"value": "PsExec - S0029",
"meta": {
"external_id": "S0029",
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
],
"external_id": "S0029",
"synonyms": [
"PsExec"
]
},
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
"value": "PsExec - S0029"
},
{
"description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)\n\nAliases: certutil, certutil.exe",
"value": "certutil - S0160",
"meta": {
"external_id": "S0160",
"refs": [
"https://attack.mitre.org/wiki/Software/S0160",
"https://technet.microsoft.com/library/cc732443.aspx"
],
"external_id": "S0160",
"synonyms": [
"certutil",
"certutil.exe"
]
},
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc"
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
"value": "certutil - S0160"
},
{
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)\n\nAliases: Arp, arp.exe",
"value": "Arp - S0099",
"meta": {
"external_id": "S0099",
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
"https://technet.microsoft.com/en-us/library/bb490864.aspx"
],
"external_id": "S0099",
"synonyms": [
"Arp",
"arp.exe"
]
},
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252"
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
"value": "Arp - S0099"
},
{
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy)).\n\nAliases: cmd, cmd.exe",
"value": "cmd - S0106",
"meta": {
"external_id": "S0106",
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
"https://technet.microsoft.com/en-us/library/bb490880.aspx",
@ -565,151 +564,152 @@
"https://technet.microsoft.com/en-us/library/cc771049.aspx",
"https://technet.microsoft.com/en-us/library/bb490886.aspx"
],
"external_id": "S0106",
"synonyms": [
"cmd",
"cmd.exe"
]
},
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"value": "cmd - S0106"
},
{
"description": "Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)\n\nAliases: Havij",
"value": "Havij - S0224",
"meta": {
"external_id": "S0224",
"refs": [
"https://attack.mitre.org/wiki/Software/S0224",
"https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/"
],
"external_id": "S0224",
"synonyms": [
"Havij"
]
},
"uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5"
"uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5",
"value": "Havij - S0224"
},
{
"description": "PowerSploit is an open source, offensive security framework compromised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)\n\nAliases: PowerSploit",
"value": "PowerSploit - S0194",
"meta": {
"external_id": "S0194",
"refs": [
"https://attack.mitre.org/wiki/Software/S0194",
"https://github.com/PowerShellMafia/PowerSploit",
"http://www.powershellmagazine.com/2014/07/08/powersploit/",
"http://powersploit.readthedocs.io"
],
"external_id": "S0194",
"synonyms": [
"PowerSploit"
]
},
"uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d"
"uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d",
"value": "PowerSploit - S0194"
},
{
"description": "meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.\n\nAliases: meek",
"value": "meek - S0175",
"meta": {
"external_id": "S0175",
"refs": [
"https://attack.mitre.org/wiki/Software/S0175"
],
"external_id": "S0175",
"synonyms": [
"meek"
]
},
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830"
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
"value": "meek - S0175"
},
{
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as Reg are known to be used by persistent threats. (Citation: Windows Commands JPCERT)\n\nAliases: Reg, reg.exe",
"value": "Reg - S0075",
"meta": {
"external_id": "S0075",
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
"https://technet.microsoft.com/en-us/library/cc732643.aspx",
"http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"
],
"external_id": "S0075",
"synonyms": [
"Reg",
"reg.exe"
]
},
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"value": "Reg - S0075"
},
{
"description": "spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)\n\nAliases: spwebmember",
"value": "spwebmember - S0227",
"meta": {
"external_id": "S0227",
"refs": [
"https://attack.mitre.org/wiki/Software/S0227",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"external_id": "S0227",
"synonyms": [
"spwebmember"
]
},
"uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4"
"uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4",
"value": "spwebmember - S0227"
},
{
"description": "Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) Pupy is publicly available on GitHub. (Citation: GitHub Pupy)\n\nAliases: Pupy",
"value": "Pupy - S0192",
"meta": {
"external_id": "S0192",
"refs": [
"https://attack.mitre.org/wiki/Software/S0192",
"https://github.com/n1nj4sec/pupy"
],
"external_id": "S0192",
"synonyms": [
"Pupy"
]
},
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4"
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
"value": "Pupy - S0192"
},
{
"description": "sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)\n\nAliases: sqlmap",
"value": "sqlmap - S0225",
"meta": {
"external_id": "S0225",
"refs": [
"https://attack.mitre.org/wiki/Software/S0225",
"http://sqlmap.org/"
],
"external_id": "S0225",
"synonyms": [
"sqlmap"
]
},
"uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555"
"uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555",
"value": "sqlmap - S0225"
},
{
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz. (Citation: cobaltstrike manual)\n\nAliases: Cobalt Strike\n\nContributors: Josh Abraham",
"value": "Cobalt Strike - S0154",
"meta": {
"external_id": "S0154",
"refs": [
"https://attack.mitre.org/wiki/Software/S0154",
"https://cobaltstrike.com/downloads/csmanual38.pdf"
],
"external_id": "S0154",
"synonyms": [
"Cobalt Strike"
]
},
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39"
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"value": "Cobalt Strike - S0154"
},
{
"description": "Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)\n\nAliases: Invoke-PSImage\n\nContributors: Christiaan Beek, @ChristiaanBeek",
"value": "Invoke-PSImage - S0231",
"meta": {
"external_id": "S0231",
"refs": [
"https://attack.mitre.org/wiki/Software/S0231",
"https://github.com/peewpw/Invoke-PSImage"
],
"external_id": "S0231",
"synonyms": [
"Invoke-PSImage"
]
},
"uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f"
"uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f",
"value": "Invoke-PSImage - S0231"
}
]
],
"version": 4
}

510
clusters/mitre-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

712
clusters/mitre-malware.json
View File

File diff suppressed because it is too large Load Diff

1086
clusters/mitre-mobile-attack-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

98
clusters/mitre-mobile-attack-course-of-action.json
View File

@ -1,125 +1,125 @@
{
"name": "Mobile Attack - Course of Action",
"type": "mitre-mobile-attack-course-of-action",
"description": "ATT&CK Mitigation",
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "03956f9e-1708-11e8-8395-976b24233e15",
"authors": [
"MITRE"
],
"description": "ATT&CK Mitigation",
"name": "Mobile Attack - Course of Action",
"source": "https://github.com/mitre/cti",
"type": "mitre-mobile-attack-course-of-action",
"uuid": "03956f9e-1708-11e8-8395-976b24233e15",
"values": [
{
"description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.",
"value": "Deploy Compromised Device Detection Method - MOB-M1010",
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"meta": {
"external_id": "MOB-M1010"
}
},
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433",
"value": "Deploy Compromised Device Detection Method - MOB-M1010"
},
{
"description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).",
"value": "Interconnection Filtering - MOB-M1014",
"uuid": "e829ee51-1caf-4665-ba15-7f8979634124",
"meta": {
"external_id": "MOB-M1014"
}
},
"uuid": "e829ee51-1caf-4665-ba15-7f8979634124",
"value": "Interconnection Filtering - MOB-M1014"
},
{
"description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.",
"value": "Use Device-Provided Credential Storage - MOB-M1008",
"uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"meta": {
"external_id": "MOB-M1008"
}
},
"uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c",
"value": "Use Device-Provided Credential Storage - MOB-M1008"
},
{
"description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.",
"value": "Use Recent OS Version - MOB-M1006",
"uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564",
"meta": {
"external_id": "MOB-M1006"
}
},
"uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564",
"value": "Use Recent OS Version - MOB-M1006"
},
{
"description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n* On Android devices, access can be controlled based on each device's security patch level.\n* On iOS devices, access can be controlled based on the iOS version.",
"value": "Security Updates - MOB-M1001",
"uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"meta": {
"external_id": "MOB-M1001"
}
},
"uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
"value": "Security Updates - MOB-M1001"
},
{
"description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.",
"value": "Lock Bootloader - MOB-M1003",
"uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"meta": {
"external_id": "MOB-M1003"
}
},
"uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
"value": "Lock Bootloader - MOB-M1003"
},
{
"description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.",
"value": "System Partition Integrity - MOB-M1004",
"uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321",
"meta": {
"external_id": "MOB-M1004"
}
},
"uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321",
"value": "System Partition Integrity - MOB-M1004"
},
{
"description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.",
"value": "Attestation - MOB-M1002",
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"meta": {
"external_id": "MOB-M1002"
}
},
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c",
"value": "Attestation - MOB-M1002"
},
{
"description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.",
"value": "Caution with Device Administrator Access - MOB-M1007",
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"meta": {
"external_id": "MOB-M1007"
}
},
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
"value": "Caution with Device Administrator Access - MOB-M1007"
},
{
"description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.",
"value": "Application Developer Guidance - MOB-M1013",
"uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"meta": {
"external_id": "MOB-M1013"
}
},
"uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1",
"value": "Application Developer Guidance - MOB-M1013"
},
{
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as Detect App Analysis Environment exist that can enable adversaries to bypass vetting.",
"value": "Application Vetting - MOB-M1005",
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d",
"meta": {
"external_id": "MOB-M1005"
}
},
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d",
"value": "Application Vetting - MOB-M1005"
},
{
"description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.",
"value": "User Guidance - MOB-M1011",
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"meta": {
"external_id": "MOB-M1011"
}
},
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1",
"value": "User Guidance - MOB-M1011"
},
{
"description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.",
"value": "Enterprise Policy - MOB-M1012",
"uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"meta": {
"external_id": "MOB-M1012"
}
},
"uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee",
"value": "Enterprise Policy - MOB-M1012"
},
{
"description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.",
"value": "Encrypt Network Traffic - MOB-M1009",
"uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8",
"meta": {
"external_id": "MOB-M1009"
}
},
"uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8",
"value": "Encrypt Network Traffic - MOB-M1009"
}
]
],
"version": 3
}

34
clusters/mitre-mobile-attack-intrusion-set.json
View File

@ -1,18 +1,23 @@
{
"name": "Mobile Attack - intrusion Set",
"type": "mitre-mobile-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53",
"authors": [
"MITRE"
],
"description": "Name of ATT&CK Group",
"name": "Mobile Attack - intrusion Set",
"source": "https://github.com/mitre/cti",
"type": "mitre-mobile-attack-intrusion-set",
"uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53",
"values": [
{
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28 - G0007",
"meta": {
"external_id": "G0007",
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
],
"synonyms": [
"APT28",
"Sednit",
@ -23,16 +28,11 @@
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
],
"external_id": "G0007"
]
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"value": "APT28 - G0007"
}
]
],
"version": 3
}

224
clusters/mitre-mobile-attack-malware.json
View File

@ -1,98 +1,96 @@
{
"name": "Mobile Attack - Malware",
"type": "mitre-mobile-attack-malware",
"description": "Name of ATT&CK software",
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f",
"authors": [
"MITRE"
],
"description": "Name of ATT&CK software",
"name": "Mobile Attack - Malware",
"source": "https://github.com/mitre/cti",
"type": "mitre-mobile-attack-malware",
"uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f",
"values": [
{
"description": "AndroRAT \"allows a third party to control the device and collect information such as contacts, call logs, text messages, device location, and audio from the microphone. It is now used maliciously by other actors.\" (Citation: Lookout-EnterpriseApps)\n\nAliases: AndroRAT",
"value": "AndroRAT - MOB-S0008",
"meta": {
"external_id": "MOB-S0008",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0008",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"external_id": "MOB-S0008",
"synonyms": [
"AndroRAT"
]
},
"uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93"
"uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93",
"value": "AndroRAT - MOB-S0008"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.Agent.ao",
"value": "Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023",
"meta": {
"external_id": "MOB-S0023",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0023",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"external_id": "MOB-S0023",
"synonyms": [
"Trojan-SMS.AndroidOS.Agent.ao"
]
},
"uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17"
"uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17",
"value": "Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023"
},
{
"description": "DualToy is Windows malware that installs malicious applications onto Android and iOS devices connected over USB (Citation: PaloAlto-DualToy).\n\nAliases: DualToy",
"value": "DualToy - MOB-S0031",
"meta": {
"external_id": "MOB-S0031",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0031"
],
"external_id": "MOB-S0031",
"synonyms": [
"DualToy"
]
},
"uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878"
"uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878",
"value": "DualToy - MOB-S0031"
},
{
"description": "On jailbroken iOS devices, (Citation: KeyRaider) steals Apple account credentials and other data. It \"also has built-in functionality to hold iOS devices for ransom.\" (Citation: KeyRaider)\n\nAliases: (Citation: KeyRaider)",
"value": "KeyRaider - MOB-S0004",
"meta": {
"external_id": "MOB-S0004",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0004",
"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"
],
"external_id": "MOB-S0004",
"synonyms": [
"KeyRaider"
]
},
"uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50"
"uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50",
"value": "KeyRaider - MOB-S0004"
},
{
"description": "Brain Test is a family of Android malware described by CheckPoint (Citation: CheckPoint-BrainTest) and Lookout (Citation: Lookout-BrainTest).\n\nAliases: BrainTest",
"value": "BrainTest - MOB-S0009",
"meta": {
"external_id": "MOB-S0009",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0009",
"http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/",
"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
],
"external_id": "MOB-S0009",
"synonyms": [
"BrainTest"
]
},
"uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e"
"uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e",
"value": "BrainTest - MOB-S0009"
},
{
"description": "Lookout states that some variants of the Shedun, Shuanet, and ShiftyBug/Kemoge Android malware families \"have 71 percent to 82 percent code similarity\" (Citation: Lookout-Adware), even though they \"dont believe these apps were all created by the same author or group\".\n\nAliases: Shedun, Shuanet, ShiftyBug, Kemoge",
"value": "Shedun - MOB-S0010",
"meta": {
"external_id": "MOB-S0010",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0010",
"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"
],
"external_id": "MOB-S0010",
"synonyms": [
"Shedun",
"Shuanet",
@ -100,447 +98,449 @@
"Kemoge"
]
},
"uuid": "c80a6bef-b3ce-44d0-b113-946e93124898"
"uuid": "c80a6bef-b3ce-44d0-b113-946e93124898",
"value": "Shedun - MOB-S0010"
},
{
"description": "Android malware family analyzed by Trend Micro (Citation: TrendMicro-DressCode)\n\nAliases: DressCode",
"value": "DressCode - MOB-S0016",
"meta": {
"external_id": "MOB-S0016",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0016",
"http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"
],
"external_id": "MOB-S0016",
"synonyms": [
"DressCode"
]
},
"uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca"
"uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
"value": "DressCode - MOB-S0016"
},
{
"description": "Adups, software pre-installed onto Android devices including those made by BLU Products, reportedly transmitted sensitive data to a Chinese server. The capability was reportedly designed \"to help a Chinese phone manufacturer monitor user behavior\" and \"was not intended for American phones\". (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor).\n\nAliases: Adups",
"value": "Adups - MOB-S0025",
"meta": {
"external_id": "MOB-S0025",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0025",
"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html",
"http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"
],
"external_id": "MOB-S0025",
"synonyms": [
"Adups"
]
},
"uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf"
"uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
"value": "Adups - MOB-S0025"
},
{
"description": "Discovered by Lookout (Citation: Lookout-Pegasus) and Citizen Lab (Citation: PegasusCitizenLab), Pegasus escalates privileges on iOS devices and uses its privileged access to collect a variety of sensitive information.\n\nAliases: Pegasus",
"value": "Pegasus - MOB-S0005",
"meta": {
"external_id": "MOB-S0005",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0005",
"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf",
"https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"
],
"external_id": "MOB-S0005",
"synonyms": [
"Pegasus"
]
},
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a"
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a",
"value": "Pegasus - MOB-S0005"
},
{
"description": "RuMMS is a family of Android malware (Citation: FireEye-RuMMS).\n\nAliases: RuMMS",
"value": "RuMMS - MOB-S0029",
"meta": {
"external_id": "MOB-S0029",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0029",
"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
],
"external_id": "MOB-S0029",
"synonyms": [
"RuMMS"
]
},
"uuid": "936be60d-90eb-4c36-9247-4b31128432c4"
"uuid": "936be60d-90eb-4c36-9247-4b31128432c4",
"value": "RuMMS - MOB-S0029"
},
{
"description": "HummingBad is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android (Citation: ArsTechnica-HummingBad).\n\nAliases: HummingBad",
"value": "HummingBad - MOB-S0038",
"meta": {
"external_id": "MOB-S0038",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0038",
"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"
],
"external_id": "MOB-S0038",
"synonyms": [
"HummingBad"
]
},
"uuid": "c8770c81-c29f-40d2-a140-38544206b2b4"
"uuid": "c8770c81-c29f-40d2-a140-38544206b2b4",
"value": "HummingBad - MOB-S0038"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.OpFake.a",
"value": "Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024",
"meta": {
"external_id": "MOB-S0024",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0024",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"external_id": "MOB-S0024",
"synonyms": [
"Trojan-SMS.AndroidOS.OpFake.a"
]
},
"uuid": "d89c132d-7752-4c7f-9372-954a71522985"
"uuid": "d89c132d-7752-4c7f-9372-954a71522985",
"value": "Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024"
},
{
"description": "Android malware family analyzed by Lookout (Citation: Lookout-Dendroid).\n\nAliases: Dendroid",
"value": "Dendroid - MOB-S0017",
"meta": {
"external_id": "MOB-S0017",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0017",
"https://blog.lookout.com/blog/2014/03/06/dendroid/"
],
"external_id": "MOB-S0017",
"synonyms": [
"Dendroid"
]
},
"uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e"
"uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e",
"value": "Dendroid - MOB-S0017"
},
{
"description": "Android malware analyzed by Scandinavian security group CSIS as described in a Tripwire post (Citation: Tripwire-MazarBOT).\n\nAliases: MazarBOT",
"value": "MazarBOT - MOB-S0019",
"meta": {
"external_id": "MOB-S0019",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0019",
"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"
],
"external_id": "MOB-S0019",
"synonyms": [
"MazarBOT"
]
},
"uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9"
"uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
"value": "MazarBOT - MOB-S0019"
},
{
"description": "The (Citation: Gooligan) malware family, revealed by Check Point, runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal \"authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.\" (Citation: Gooligan)\n\nGoogle (Citation: Ludwig-GhostPush) and LookoutLookout- (Citation: Gooligan) describe (Citation: Gooligan) as part of the Ghost Push Android malware family.\n\nAliases: (Citation: Gooligan)",
"value": "Gooligan - MOB-S0006",
"meta": {
"external_id": "MOB-S0006",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0006",
"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/",
"https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"
],
"external_id": "MOB-S0006",
"synonyms": [
"Gooligan"
]
},
"uuid": "20d56cd6-8dff-4871-9889-d32d254816de"
"uuid": "20d56cd6-8dff-4871-9889-d32d254816de",
"value": "Gooligan - MOB-S0006"
},
{
"description": "OldBoot is a family of Android malware described in a report from The Hacker News (Citation: HackerNews-OldBoot).\n\nAliases: OldBoot",
"value": "OldBoot - MOB-S0001",
"meta": {
"external_id": "MOB-S0001",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0001",
"http://thehackernews.com/2014/01/first-widely-distributed-android.html"
],
"external_id": "MOB-S0001",
"synonyms": [
"OldBoot"
]
},
"uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc"
"uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc",
"value": "OldBoot - MOB-S0001"
},
{
"description": "WireLurker is a family of macOS malware that targets iOS devices connected over USB (Citation: PaloAlto-WireLurker).\n\nAliases: WireLurker",
"value": "WireLurker - MOB-S0028",
"meta": {
"external_id": "MOB-S0028",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0028"
],
"external_id": "MOB-S0028",
"synonyms": [
"WireLurker"
]
},
"uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb"
"uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb",
"value": "WireLurker - MOB-S0028"
},
{
"description": "Android remote access trojan (RAT) that has been observed to pose as legitimate applications including the Super Mario Run (Citation: Zscaler-SuperMarioRun) and Pokemon GO games (Citation: Proofpoint-Droidjack).\n\nAliases: DroidJack RAT",
"value": "DroidJack RAT - MOB-S0036",
"meta": {
"external_id": "MOB-S0036",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0036",
"https://www.zscaler.com/blogs/research/super-mario-run-malware-2--droidjack-rat",
"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"
],
"external_id": "MOB-S0036",
"synonyms": [
"DroidJack RAT"
]
},
"uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1"
"uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1",
"value": "DroidJack RAT - MOB-S0036"
},
{
"description": "The HummingWhale Android malware family \"includes new virtual machine techniques that allow the malware to perform ad fraud better than ever\". (Citation: ArsTechnica-HummingWhale)\n\nAliases: HummingWhale",
"value": "HummingWhale - MOB-S0037",
"meta": {
"external_id": "MOB-S0037",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0037",
"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"
],
"external_id": "MOB-S0037",
"synonyms": [
"HummingWhale"
]
},
"uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f"
"uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
"value": "HummingWhale - MOB-S0037"
},
{
"description": "ANDROIDOS_ANSERVER.A is Android malware novel for using encrypted content within a blog site for command and control (Citation: TrendMicro-Anserver).\n\nAliases: ANDROIDOS_ANSERVER.A",
"value": "ANDROIDOS_ANSERVER.A - MOB-S0026",
"meta": {
"external_id": "MOB-S0026",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0026",
"http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"
],
"external_id": "MOB-S0026",
"synonyms": [
"ANDROIDOS_ANSERVER.A"
]
},
"uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8"
"uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8",
"value": "ANDROIDOS_ANSERVER.A - MOB-S0026"
},
{
"description": "Android malware described by Kaspersky (Citation: Kaspersky-MobileMalware).\n\nAliases: Trojan-SMS.AndroidOS.FakeInst.a",
"value": "Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022",
"meta": {
"external_id": "MOB-S0022",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0022",
"https://securelist.com/analysis/kaspersky-security-bulletin/58335/mobile-malware-evolution-2013/"
],
"external_id": "MOB-S0022",
"synonyms": [
"Trojan-SMS.AndroidOS.FakeInst.a"
]
},
"uuid": "28e39395-91e7-4f02-b694-5e079c964da9"
"uuid": "28e39395-91e7-4f02-b694-5e079c964da9",
"value": "Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022"
},
{
"description": "Android malware family analyzed by Lookout (Citation: Lookout-NotCompatible)\n\nAliases: NotCompatible",
"value": "NotCompatible - MOB-S0015",
"meta": {
"external_id": "MOB-S0015",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0015",
"https://blog.lookout.com/blog/2014/11/19/notcompatible/"
],
"external_id": "MOB-S0015",
"synonyms": [
"NotCompatible"
]
},
"uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe"
"uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe",
"value": "NotCompatible - MOB-S0015"
},
{
"description": "The X-Agent Android malware was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data for where it was used and hence the potential location of Ukrainian artillery (Citation: CrowdStrike-Android).\n\nAliases: X-Agent",
"value": "X-Agent - MOB-S0030",
"meta": {
"external_id": "MOB-S0030",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0030",
"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
],
"external_id": "MOB-S0030",
"synonyms": [
"X-Agent"
]
},
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c"
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
"value": "X-Agent - MOB-S0030"
},
{
"description": "Twitoor is a family of Android malware described by ESET (Citation: ESET-Twitoor).\n\nAliases: Twitoor",
"value": "Twitoor - MOB-S0018",
"meta": {
"external_id": "MOB-S0018",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0018",
"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"
],
"external_id": "MOB-S0018",
"synonyms": [
"Twitoor"
]
},
"uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c"
"uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c",
"value": "Twitoor - MOB-S0018"
},
{
"description": "OBAD is a family of Android malware (Citation: TrendMicro-Obad).\n\nAliases: OBAD",
"value": "OBAD - MOB-S0002",
"meta": {
"external_id": "MOB-S0002",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0002",
"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"
],
"external_id": "MOB-S0002",
"synonyms": [
"OBAD"
]
},
"uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde"
"uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde",
"value": "OBAD - MOB-S0002"
},
{
"description": "As reported by Kaspersky (Citation: Kaspersky-WUC), a spear phishing message was sent to activist groups containing a malicious Android application as an attachment.\n\nAliases: Android/Chuli.A",
"value": "Android/Chuli.A - MOB-S0020",
"meta": {
"external_id": "MOB-S0020",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0020",
"https://securelist.com/blog/incidents/35552/android-trojan-found-in-targeted-attack-58/"
],
"external_id": "MOB-S0020",
"synonyms": [
"Android/Chuli.A"
]
},
"uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533"
"uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533",
"value": "Android/Chuli.A - MOB-S0020"
},
{
"description": "According to Lookout (Citation: Lookout-EnterpriseApps), the PJApps Android malware family \"may collect and leak the victims phone number, mobile device unique identifier (IMEI), and location. In order to make money, it may send messages to premium SMS numbers. PJApps also has the ability to download further applications to the device.\"\n\nAliases: PJApps",
"value": "PJApps - MOB-S0007",
"meta": {
"external_id": "MOB-S0007",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0007",
"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"
],
"external_id": "MOB-S0007",
"synonyms": [
"PJApps"
]
},
"uuid": "c709da93-20c3-4d17-ab68-48cba76b2137"
"uuid": "c709da93-20c3-4d17-ab68-48cba76b2137",
"value": "PJApps - MOB-S0007"
},
{
"description": "Android malware analyzed by FireEye (Citation: FireEye-AndroidOverlay).\nAccording to their analysis, \"three campaigns in Europe used view overlay techniques...to present nearly identical credential input UIs as seen in benign apps, subsequently tricking unwary users into providing their banking credentials.\"\n\nAliases: AndroidOverlayMalware",
"value": "AndroidOverlayMalware - MOB-S0012",
"meta": {
"external_id": "MOB-S0012",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0012",
"https://www.fireeye.com/blog/threat-research/2016/06/latest-android-overlay-malware-spreading-in-europe.html"
],
"external_id": "MOB-S0012",
"synonyms": [
"AndroidOverlayMalware"
]
},
"uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7"
"uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7",
"value": "AndroidOverlayMalware - MOB-S0012"
},
{
"description": "As described by Palo Alto Networks (Citation: ZergHelper), the (Citation: ZergHelper) app uses techniques to evade Apple's App Store review process for itself and uses techniques to install additional applications that are not in Apple's App Store.\n\nAliases: (Citation: ZergHelper)",
"value": "ZergHelper - MOB-S0003",
"meta": {
"external_id": "MOB-S0003",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0003",
"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"
],
"external_id": "MOB-S0003",
"synonyms": [
"ZergHelper"
]
},
"uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0"
"uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0",
"value": "ZergHelper - MOB-S0003"
},
{
"description": "SpyNote RAT (Citation: Zscaler-SpyNote) (Remote Access Trojan) is a family of malicious Android apps. The \"SpyNote RAT builder\" tool can be used to develop malicious apps with the SpyNote RAT functionality.\n\nAliases: SpyNote RAT",
"value": "SpyNote RAT - MOB-S0021",
"meta": {
"external_id": "MOB-S0021",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0021",
"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
],
"external_id": "MOB-S0021",
"synonyms": [
"SpyNote RAT"
]
},
"uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23"
"uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23",
"value": "SpyNote RAT - MOB-S0021"
},
{
"description": " (Citation: RCSAndroid) (Citation: RCSAndroid) is Android malware allegedly distributed by Hacking Team.\n\nAliases: (Citation: RCSAndroid)",
"value": "RCSAndroid - MOB-S0011",
"meta": {
"external_id": "MOB-S0011",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0011",
"https://github.com/hackedteam/core-android/tree/master/RCSAndroid"
],
"external_id": "MOB-S0011",
"synonyms": [
"RCSAndroid"
]
},
"uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b"
"uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b",
"value": "RCSAndroid - MOB-S0011"
},
{
"description": "The Charger Android malware steals \"steals contacts and SMS messages from the user's device\". It also \"asks for admin permissions\" and \"[i]f granted, the ransomware locks the device and displays a message demanding payment\". (Citation: CheckPoint-Charger)\n\nAliases: Charger",
"value": "Charger - MOB-S0039",
"meta": {
"external_id": "MOB-S0039",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0039",
"http://blog.checkpoint.com/2017/01/24/charger-malware/"
],
"external_id": "MOB-S0039",
"synonyms": [
"Charger"
]
},
"uuid": "d1c600f8-0fb6-4367-921b-85b71947d950"
"uuid": "d1c600f8-0fb6-4367-921b-85b71947d950",
"value": "Charger - MOB-S0039"
},
{
"description": "iOS malware that \"is different from previous seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices\" and \"abuses private APIs in the iOS system to implement malicious functionalities\" (Citation: PaloAlto-YiSpecter).\n\nAliases: YiSpecter",
"value": "YiSpecter - MOB-S0027",
"meta": {
"external_id": "MOB-S0027",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0027"
],
"external_id": "MOB-S0027",
"synonyms": [
"YiSpecter"
]
},
"uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9"
"uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9",
"value": "YiSpecter - MOB-S0027"
},
{
"description": "Discovered and analyzed by Lookout (Citation: Lookout-PegasusAndroid) and Google (Citation: Google-Chrysaor), Pegasus for Android (also known as Chrysaor) is spyware that was used in targeted attacks. Pegasus for Android does not use zero day vulnerabilities. It attempts to escalate privileges using well-known vulnerabilities, and even if the attempts fail, it still performs some subset of spyware functions that do not require escalated privileges.\n\nAliases: Pegasus for Android, Chrysaor",
"value": "Pegasus for Android - MOB-S0032",
"meta": {
"external_id": "MOB-S0032",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0032",
"https://blog.lookout.com/blog/2017/04/03/pegasus-android/",
"https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
],
"external_id": "MOB-S0032",
"synonyms": [
"Pegasus for Android",
"Chrysaor"
]
},
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c"
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c",
"value": "Pegasus for Android - MOB-S0032"
},
{
"description": "iOS malware analyzed by Palo Alto Networks (Citation: (Citation: PaloAlto-XcodeGhost)1) (Citation: PaloAlto-XcodeGhost)\n\nAliases: XcodeGhost",
"value": "XcodeGhost - MOB-S0013",
"meta": {
"external_id": "MOB-S0013",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0013",
"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/",
"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"
],
"external_id": "MOB-S0013",
"synonyms": [
"XcodeGhost"
]
},
"uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9"
"uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9",
"value": "XcodeGhost - MOB-S0013"
}
]
],
"version": 3
}

14
clusters/mitre-mobile-attack-relationship.json
View File

@ -1,13 +1,12 @@
{
"name": "Mobile Attack - Relationship",
"type": "mitre-mobile-attack-relationship",
"description": "MITRE Relationship",
"version": 2,
"source": "https://github.com/mitre/cti",
"uuid": "02f1fc42-1708-11e8-a4f2-eb70472c5901",
"authors": [
"MITRE"
],
"description": "MITRE Relationship",
"name": "Mobile Attack - Relationship",
"source": "https://github.com/mitre/cti",
"type": "mitre-mobile-attack-relationship",
"uuid": "02f1fc42-1708-11e8-a4f2-eb70472c5901",
"values": [
{
"meta": {
@ -1969,5 +1968,6 @@
"uuid": "94a737af-9a72-48f6-a85e-d9d7fa93bfdd",
"value": "Application Vetting (MOB-M1005) mitigates Download New Code at Runtime (MOB-T1010)"
}
]
],
"version": 2
}

20
clusters/mitre-mobile-attack-tool.json
View File

@ -1,28 +1,28 @@
{
"name": "Mobile Attack - Tool",
"type": "mitre-mobile-attack-tool",
"description": "Name of ATT&CK software",
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "02cee87e-1708-11e8-8f15-8b33e4d6194b",
"authors": [
"MITRE"
],
"description": "Name of ATT&CK software",
"name": "Mobile Attack - Tool",
"source": "https://github.com/mitre/cti",
"type": "mitre-mobile-attack-tool",
"uuid": "02cee87e-1708-11e8-8f15-8b33e4d6194b",
"values": [
{
"description": "Xbot is a family of Android malware analyzed by Palo Alto Networks (Citation: PaloAlto-Xbot) that \"tries to steal victims' banking credentials and credit card information\", \"can also remotely lock infected Android devices, encrypt the user's files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom\" and \"will steal all SMS message and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.\"\n\nAliases: Xbot",
"value": "Xbot - MOB-S0014",
"meta": {
"external_id": "MOB-S0014",
"refs": [
"https://attack.mitre.org/mobile/index.php/Software/MOB-S0014",
"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
],
"external_id": "MOB-S0014",
"synonyms": [
"Xbot"
]
},
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4"
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
"value": "Xbot - MOB-S0014"
}
]
],
"version": 3
}

1754
clusters/mitre-pre-attack-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

122
clusters/mitre-pre-attack-intrusion-set.json
View File

@ -1,33 +1,38 @@
{
"name": "Pre Attack - intrusion Set",
"type": "mitre-pre-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f",
"authors": [
"MITRE"
],
"description": "Name of ATT&CK Group",
"name": "Pre Attack - intrusion Set",
"source": "https://github.com/mitre/cti",
"type": "mitre-pre-attack-intrusion-set",
"uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f",
"values": [
{
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
"value": "APT16 - G0023",
"meta": {
"synonyms": [
"APT16"
],
"external_id": "G0023",
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
],
"external_id": "G0023"
"synonyms": [
"APT16"
]
},
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70"
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"value": "APT16 - G0023"
},
{
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28 - G0007",
"meta": {
"external_id": "G0007",
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
],
"synonyms": [
"APT28",
"Sednit",
@ -38,104 +43,99 @@
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
],
"external_id": "G0007"
]
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"value": "APT28 - G0007"
},
{
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
"value": "Cleaver - G0003",
"meta": {
"synonyms": [
"Cleaver",
"TG-2889",
"Threat Group 2889"
],
"external_id": "G0003",
"refs": [
"https://attack.mitre.org/wiki/Group/G0003",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
],
"external_id": "G0003"
"synonyms": [
"Cleaver",
"TG-2889",
"Threat Group 2889"
]
},
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063"
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"value": "Cleaver - G0003"
},
{
"description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
"value": "APT12 - G0005",
"meta": {
"external_id": "G0005",
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
],
"synonyms": [
"APT12",
"IXESHE",
"DynCalc",
"Numbered Panda",
"DNSCALC"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
],
"external_id": "G0005"
]
},
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"value": "APT12 - G0005"
},
{
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1 - G0006",
"meta": {
"external_id": "G0006",
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"synonyms": [
"APT1",
"Comment Crew",
"Comment Group",
"Comment Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
],
"external_id": "G0006"
]
},
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662"
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"value": "APT1 - G0006"
},
{
"description": "Night Dragon is a campaign name for activity involving threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon) The activity from this group is also known as Musical Chairs. (Citation: Arbor Musical Chairs Feb 2018)",
"value": "Night Dragon - G0014",
"meta": {
"synonyms": [
"Night Dragon",
"Musical Chairs"
],
"external_id": "G0014",
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee%20NightDragon%20wp%20draft%20to%20customersv1-1.pdf",
"https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/"
],
"external_id": "G0014"
"synonyms": [
"Night Dragon",
"Musical Chairs"
]
},
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"value": "Night Dragon - G0014"
},
{
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)",
"value": "APT17 - G0025",
"meta": {
"synonyms": [
"APT17",
"Deputy Dog"
],
"external_id": "G0025",
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
],
"external_id": "G0025"
"synonyms": [
"APT17",
"Deputy Dog"
]
},
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae"
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"value": "APT17 - G0025"
}
]
],
"version": 3
}

14
clusters/mitre-pre-attack-relationship.json
View File

@ -1,8 +1,12 @@
{
"uuid": "1ffd3108-1708-11e8-9f98-67b378d9094c",
"authors": [
"MITRE"
],
"description": "MITRE Relationship",
"name": "Pre Attack - Relationship",
"source": "https://github.com/mitre/cti",
"version": 2,
"type": "mitre-pre-attack-relationship",
"uuid": "1ffd3108-1708-11e8-9f98-67b378d9094c",
"values": [
{
"meta": {
@ -917,9 +921,5 @@
"value": "Conduct social engineering (PRE-T1056) related-to Conduct social engineering (PRE-T1045)"
}
],
"authors": [
"MITRE"
],
"type": "mitre-pre-attack-relationship",
"name": "Pre Attack - Relationship"
"version": 2
}

132
clusters/mitre-tool.json
View File

@ -1,14 +1,15 @@
{
"name": "Tool",
"authors": [
"MITRE"
],
"type": "mitre-tool",
"description": "Name of ATT&CK software",
"name": "Tool",
"source": "https://github.com/mitre/cti",
"version": 4,
"type": "mitre-tool",
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0",
"values": [
{
"description": "at is used to schedule tasks on a system to run at a specified date or time.[[Citation: TechNet At]]\n\nAliases: at, at.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
@ -20,10 +21,10 @@
],
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952"
},
"value": "at",
"description": "at is used to schedule tasks on a system to run at a specified date or time.[[Citation: TechNet At]]\n\nAliases: at, at.exe"
"value": "at"
},
{
"description": "route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
@ -35,10 +36,10 @@
],
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de"
},
"value": "route",
"description": "route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe"
"value": "route"
},
{
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
@ -46,10 +47,10 @@
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"value": "Tasklist",
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]"
"value": "Tasklist"
},
{
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
@ -61,10 +62,10 @@
],
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
"value": "Windows Credential Editor",
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE"
"value": "Windows Credential Editor"
},
{
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
@ -76,10 +77,10 @@
],
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
},
"value": "schtasks",
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe"
"value": "schtasks"
},
{
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
@ -87,10 +88,10 @@
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
},
"value": "UACMe",
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]"
"value": "UACMe"
},
{
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
@ -98,10 +99,10 @@
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
},
"value": "ifconfig",
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]"
"value": "ifconfig"
},
{
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
@ -110,10 +111,10 @@
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"value": "Mimikatz",
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]"
"value": "Mimikatz"
},
{
"description": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
@ -121,10 +122,10 @@
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
},
"value": "xCmd",
"description": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]"
"value": "xCmd"
},
{
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: systeminfo.exe, Systeminfo",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
@ -136,10 +137,10 @@
],
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"value": "Systeminfo",
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: systeminfo.exe, Systeminfo"
"value": "Systeminfo"
},
{
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
@ -151,10 +152,10 @@
],
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
"value": "netsh",
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe"
"value": "netsh"
},
{
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
@ -166,10 +167,10 @@
],
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe"
},
"value": "dsquery",
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe"
"value": "dsquery"
},
{
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
@ -177,10 +178,10 @@
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
"value": "gsecdump",
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]"
"value": "gsecdump"
},
{
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: ping.exe, Ping",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
@ -192,10 +193,10 @@
],
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
},
"value": "Ping",
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: ping.exe, Ping"
"value": "Ping"
},
{
"description": "Fgdump is a Windows password hash dumper.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
@ -203,10 +204,10 @@
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe"
},
"value": "Fgdump",
"description": "Fgdump is a Windows password hash dumper.[[Citation: Mandiant APT1]]"
"value": "Fgdump"
},
{
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
@ -214,10 +215,10 @@
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
},
"value": "Lslsass",
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]"
"value": "Lslsass"
},
{
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
@ -225,10 +226,10 @@
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
},
"value": "Pass-The-Hash Toolkit",
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]"
"value": "Pass-The-Hash Toolkit"
},
{
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
@ -240,10 +241,10 @@
],
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
},
"value": "FTP",
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe"
"value": "FTP"
},
{
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
@ -255,10 +256,10 @@
],
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"value": "ipconfig",
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe"
"value": "ipconfig"
},
{
"description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.[[Citation: TechNet Certutil]]\n\nAliases: certutil, certutil.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0160",
@ -270,10 +271,10 @@
],
"uuid": "3e205e84-9f90-4b4b-8896-c82189936a15"
},
"value": "certutil",
"description": "Certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services.[[Citation: TechNet Certutil]]\n\nAliases: certutil, certutil.exe"
"value": "certutil"
},
{
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
@ -285,10 +286,10 @@
],
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea"
},
"value": "nbtstat",
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe"
"value": "nbtstat"
},
{
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
@ -300,10 +301,10 @@
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
},
"value": "HTRAN",
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool"
"value": "HTRAN"
},
{
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
@ -315,10 +316,10 @@
],
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"value": "netstat",
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe"
"value": "netstat"
},
{
"description": "pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
@ -326,10 +327,10 @@
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
},
"value": "pwdump",
"description": "pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]"
"value": "pwdump"
},
{
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry.[[Citation: Mandiant APT1]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
@ -337,10 +338,10 @@
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
},
"value": "Cachedump",
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry.[[Citation: Mandiant APT1]]"
"value": "Cachedump"
},
{
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
@ -353,10 +354,10 @@
],
"uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"value": "Net",
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe"
"value": "Net"
},
{
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
@ -365,10 +366,10 @@
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"value": "PsExec",
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]"
"value": "PsExec"
},
{
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache.[[Citation: TechNet Arp]]\n\nAliases: Arp, arp.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
@ -380,10 +381,10 @@
],
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252"
},
"value": "Arp",
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache.[[Citation: TechNet Arp]]\n\nAliases: Arp, arp.exe"
"value": "Arp"
},
{
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
@ -398,10 +399,10 @@
],
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
"value": "cmd",
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe"
"value": "cmd"
},
{
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[[Citation: cobaltstrike manual]]\n\nThe list of techniques below focuses on Cobalt Strikes ATT&CK-relevant tactics.",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0154",
@ -409,10 +410,10 @@
],
"uuid": "3da22160-12d9-4d27-a99f-338e8de3844a"
},
"value": "Cobalt Strike",
"description": "Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[[Citation: cobaltstrike manual]]\n\nThe list of techniques below focuses on Cobalt Strikes ATT&CK-relevant tactics."
"value": "Cobalt Strike"
},
{
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
@ -425,9 +426,8 @@
],
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
"value": "Reg",
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe"
"value": "Reg"
}
],
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0"
"version": 4
}

224
clusters/preventive-measure.json
View File

@ -1,56 +1,65 @@
{
"authors": [
"Various"
],
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"name": "Preventive Measure",
"source": "MISP Project",
"type": "preventive-measure",
"uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
"values": [
{
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore",
"meta": {
"refs": [
"http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
],
"complexity": "Medium",
"effectiveness": "High",
"impact": "Low",
"refs": [
"http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
],
"type": [
"Recovery"
]
},
"value": "Backup and Restore Process",
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore",
"uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4"
"uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4",
"value": "Backup and Restore Process"
},
{
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros",
"meta": {
"complexity": "Low",
"effectiveness": "High",
"impact": "Low",
"refs": [
"https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US",
"https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
],
"complexity": "Low",
"effectiveness": "High",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "Block Macros",
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros",
"uuid": "79563662-8d92-4fd1-929a-9b8926a62685"
"uuid": "79563662-8d92-4fd1-929a-9b8926a62685",
"value": "Block Macros"
},
{
"description": "Disable Windows Script Host",
"meta": {
"refs": [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"possible_issues": "Administrative VBS scripts on Workstations",
"refs": [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"type": [
"GPO"
],
"possible_issues": "Administrative VBS scripts on Workstations"
]
},
"value": "Disable WSH",
"description": "Disable Windows Script Host",
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f",
"value": "Disable WSH"
},
{
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub",
"meta": {
"complexity": "Low",
"effectiveness": "Medium",
@ -59,90 +68,90 @@
"Mail Gateway"
]
},
"value": "Filter Attachments Level 1",
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub",
"uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92"
"uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92",
"value": "Filter Attachments Level 1"
},
{
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm",
"meta": {
"complexity": "Low",
"effectiveness": "High",
"impact": "High",
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) ",
"type": [
"Mail Gateway"
],
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
]
},
"value": "Filter Attachments Level 2",
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm",
"uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687"
"uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687",
"value": "Filter Attachments Level 2"
},
{
"description": "Block all program executions from the %LocalAppData% and %AppData% folder",
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"possible_issues": "Web embedded software installers",
"refs": [
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
"http://www.thirdtier.net/ransomware-prevention-kit/"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Web embedded software installers"
]
},
"value": "Restrict program execution",
"description": "Block all program executions from the %LocalAppData% and %AppData% folder",
"uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74"
"uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74",
"value": "Restrict program execution"
},
{
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")",
"meta": {
"refs": [
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
],
"complexity": "Low",
"effectiveness": "Low",
"impact": "Low",
"refs": [
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
],
"type": [
"User Assistence"
]
},
"value": "Show File Extensions",
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")",
"uuid": "5b911d46-66c8-4180-ab97-663a0868264e"
"uuid": "5b911d46-66c8-4180-ab97-663a0868264e",
"value": "Show File Extensions"
},
{
"description": "Enforce administrative users to confirm an action that requires elevated rights",
"meta": {
"refs": [
"https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"possible_issues": "administrator resentment",
"refs": [
"https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
],
"type": [
"GPO"
],
"possible_issues": "administrator resentment"
]
},
"value": "Enforce UAC Prompt",
"description": "Enforce administrative users to confirm an action that requires elevated rights",
"uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11"
"uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11",
"value": "Enforce UAC Prompt"
},
{
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.",
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"possible_issues": "Higher administrative costs",
"type": [
"Best Practice"
],
"possible_issues": "Higher administrative costs"
]
},
"value": "Remove Admin Privileges",
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.",
"uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6"
"uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6",
"value": "Remove Admin Privileges"
},
{
"description": "Activate the Windows Firewall to restrict workstation to workstation communication",
"meta": {
"complexity": "Medium",
"effectiveness": "Low",
@ -151,11 +160,11 @@
"Best Practice"
]
},
"value": "Restrict Workstation Communication",
"description": "Activate the Windows Firewall to restrict workstation to workstation communication",
"uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2"
"uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2",
"value": "Restrict Workstation Communication"
},
{
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis",
"meta": {
"complexity": "Medium",
"effectiveness": "High",
@ -163,11 +172,11 @@
"Advanced Malware Protection"
]
},
"value": "Sandboxing Email Input",
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis",
"uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349"
"uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349",
"value": "Sandboxing Email Input"
},
{
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor",
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
@ -175,115 +184,106 @@
"3rd Party Tools"
]
},
"value": "Execution Prevention",
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor",
"uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c"
"uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c",
"value": "Execution Prevention"
},
{
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer",
"meta": {
"refs": [
"https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts.",
"refs": [
"https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
],
"type": [
"GPO"
],
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
]
},
"value": "Change Default \"Open With\" to Notepad",
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer",
"uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b"
"uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b",
"value": "Change Default \"Open With\" to Notepad"
},
{
"description": "Server-side file screening with the help of File Server Resource Manager",
"meta": {
"refs": [
"http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"refs": [
"http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
],
"type": [
"Monitoring"
]
},
"value": "File Screening",
"description": "Server-side file screening with the help of File Server Resource Manager",
"uuid": "79769940-7cd2-4aaa-80da-b90c0372b898"
"uuid": "79769940-7cd2-4aaa-80da-b90c0372b898",
"value": "File Screening"
},
{
"description": "Block program executions (AppLocker)",
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"possible_issues": "Configure & test extensively",
"refs": [
"https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx",
"http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Configure & test extensively"
]
},
"value": "Restrict program execution #2",
"description": "Block program executions (AppLocker)",
"uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098"
"uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098",
"value": "Restrict program execution #2"
},
{
"description": "Detect and block exploitation techniques",
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Low",
"refs": [
"www.microsoft.com/emet",
"http://windowsitpro.com/security/control-emet-group-policy"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "EMET",
"description": "Detect and block exploitation techniques",
"uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6"
"uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6",
"value": "EMET"
},
{
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring",
"meta": {
"refs": [
"https://twitter.com/JohnLaTwC/status/799792296883388416"
],
"complexity": "Medium",
"effectiveness": "Low",
"impact": "Low",
"refs": [
"https://twitter.com/JohnLaTwC/status/799792296883388416"
],
"type": [
"3rd Party Tools"
]
},
"value": "Sysmon",
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring",
"uuid": "1b1e5664-4250-459b-adbb-f0b33f64bf7e"
"uuid": "1b1e5664-4250-459b-adbb-f0b33f64bf7e",
"value": "Sysmon"
},
{
"value": "Blacklist-phone-numbers",
"description": "Filter the numbers at phone routing level including PABX",
"meta": {
"refs": [
"https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"complexity": "Low"
"refs": [
"https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat"
]
},
"uuid": "123e20c5-8f44-4de5-a183-6890788e5a81"
"uuid": "123e20c5-8f44-4de5-a183-6890788e5a81",
"value": "Blacklist-phone-numbers"
}
],
"name": "Preventive Measure",
"type": "preventive-measure",
"source": "MISP Project",
"authors": [
"Various"
],
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
"version": 3
}

7158
clusters/ransomware.json
View File

File diff suppressed because one or more lines are too long

620
clusters/rat.json
View File

File diff suppressed because it is too large Load Diff

964
clusters/sector.json
View File

@ -1,489 +1,489 @@
{
"values": [
{
"value": "Unknown",
"uuid": "3ff4e243-7e26-4535-b911-fdda2f724aa2"
},
{
"value": "Other",
"uuid": "03655488-3d11-4fbf-8fe6-6148aaa01b83"
},
{
"value": "Academia - University",
"uuid": "98821a86-3c11-474b-afab-3c84af061407"
},
{
"value": "Activists",
"uuid": "0a62f502-0a51-44ac-82a3-0a965b98c7a9"
},
{
"value": "Aerospace",
"uuid": "12f90076-f03d-4a2d-9f33-7a274dc462bb"
},
{
"value": "Agriculture",
"uuid": "e2214f48-0cdd-4110-ba59-e703282adf2c"
},
{
"value": "Arts",
"uuid": "b5283132-9245-4a5f-b4bc-1937fd80d80a"
},
{
"value": "Bank",
"uuid": "19cc9f22-e682-4808-a96c-82e573703dff"
},
{
"value": "Chemical",
"uuid": "306f828d-8eb8-4adb-bee9-3211bf2a4ff7"
},
{
"value": "Citizens",
"uuid": "f50c1d4d-9d7c-4076-b5d4-e86dd5de4628"
},
{
"value": "Civil Aviation",
"uuid": "ed13b6c9-c32c-4a58-82a7-ce64dc7fa086"
},
{
"value": "Country",
"uuid": "89e7e93a-394f-48e3-ba70-501df2f010c0"
},
{
"value": "Culture",
"uuid": "8c645d4e-8fcc-48a8-9656-5135cfbc10a6"
},
{
"value": "Data Broker",
"uuid": "0a2c80eb-ae5d-4d5e-b6fd-2703bc6a750d"
},
{
"value": "Defense",
"uuid": "9df5fb28-2298-4030-9db3-8cdef35bee14"
},
{
"value": "Development",
"uuid": "96b329b2-2f04-4ce7-8ef2-bf3d898028c9"
},
{
"value": "Diplomacy",
"uuid": "33cbaf17-7600-47f7-87c7-39640874a1b4"
},
{
"value": "Education",
"uuid": "19eca562-123d-449b-af33-5a36e5279b12"
},
{
"value": "Electric",
"uuid": "ac2dad84-5194-41bb-9edd-aad8d42f828f"
},
{
"value": "Electronic",
"uuid": "04e0eef9-d7e8-4280-86bb-cc9897be8e08"
},
{
"value": "Employment",
"uuid": "474e6647-ff06-4a9b-8061-a1a43baf8b15"
},
{
"value": "Energy",
"uuid": "3a94474b-7e23-4e06-9129-faea7ef55af8"
},
{
"value": "Entertainment",
"uuid": "beb9d5d6-53df-4e99-8fa8-e52880fbe740"
},
{
"value": "Environment",
"uuid": "8291a998-e888-4351-87ec-c6da6b06bff6"
},
{
"value": "Finance",
"uuid": "75597b7f-54e8-4f14-88c9-e81485ece483"
},
{
"value": "Food",
"uuid": "9ade7eff-e2ce-4f05-85de-bb6b70444db4"
},
{
"value": "Game",
"uuid": "64493b1b-04eb-4f4d-94c7-65c3713131de"
},
{
"value": "Gas",
"uuid": "851c28c6-2e80-4d63-959b-44037931175b"
},
{
"value": "Government, Administration",
"uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f"
},
{
"value": "Health",
"uuid": "4649fe79-cb8f-4aa3-b3e0-e67d4161fcb0"
},
{
"value": "Higher education",
"uuid": "b822d660-fad3-40da-b4db-9bbf8fe23b27"
},
{
"value": "Hotels",
"uuid": "909f4de6-91ea-44b6-9c8f-5983fd4877c2"
},
{
"value": "Infrastructure",
"uuid": "641af156-12d0-4fb4-b89d-971cd454914f"
},
{
"value": "Intelligence",
"uuid": "7aeb79bf-cc1a-49b5-b2ec-5b1fe4a7e295"
},
{
"value": "IT",
"uuid": "3f18e5e7-c77d-4890-9d09-412a39a822e5"
},
{
"value": "IT - Hacker",
"uuid": "342d0a71-584c-4e3f-9b2d-1dc5b5e53e97"
},
{
"value": "IT - ISP",
"uuid": "872de996-e069-4cd9-b227-d5ca01dc020c"
},
{
"value": "IT - Security",
"uuid": "6d9dbde3-25de-48b9-ab98-361c4211e6be"
},
{
"value": "Justice",
"uuid": "784e59ae-89bb-4bc8-82c8-7fab6ca5fb8a"
},
{
"value": "Manufacturing",
"uuid": "5cacd8fb-a3d4-4ed7-84b5-d69378038591"
},
{
"value": "Maritime",
"uuid": "82ac6245-8691-4216-a6dd-8c99ebb8ce51"
},
{
"value": "Military",
"uuid": "5aec0d78-53b2-4fcf-b165-537494b866e4"
},
{
"value": "Multi-sector",
"uuid": "e10093ef-ccbf-4c24-9093-61e856c05ccd"
},
{
"value": "News - Media",
"uuid": "a0499041-2b4e-43aa-8fe3-04c2de23abdd"
},
{
"value": "NGO",
"uuid": "d2f31b1f-a9b1-4f5b-b2b3-1aa2732a0608"
},
{
"value": "Oil",
"uuid": "5875cc3f-d0a5-445e-abb2-08411fc82522"
},
{
"value": "Payment",
"uuid": "0d688425-afb5-4f71-8b5a-f9be7d2d1551"
},
{
"value": "Pharmacy",
"uuid": "8d7aa230-d07f-46e8-a099-6f1753793b84"
},
{
"value": "Police - Law enforcement",
"uuid": "36432a96-225a-4c90-b0f5-44eaee45e306"
},
{
"value": "Research - Innovation",
"uuid": "738939b4-c93f-4972-938a-7eb1f60188b9"
},
{
"value": "Satellite navigation",
"uuid": "40082760-ed9e-4fcb-8bfa-2341d81d5e22"
},
{
"value": "Security systems",
"uuid": "23429f36-298a-4ac6-8db9-87223bef9cbf"
},
{
"value": "Social networks",
"uuid": "61809257-9f13-4910-b824-f483c4334bb5"
},
{
"value": "Space",
"uuid": "595be3ad-bfb3-4bea-b81a-2fef618a1075"
},
{
"value": "Steel",
"uuid": "cdc8b76f-a8df-4d30-81c1-bdb4935c718d"
},
{
"value": "Telecoms",
"uuid": "0de938bd-4efa-4c7a-9244-71a79317d142"
},
{
"value": "Think Tanks",
"uuid": "3c70895b-573b-450c-ad0a-98b0e1a9741e"
},
{
"value": "Trade",
"uuid": "4fef12b1-0bee-4855-81fb-9b7d2c5a1dec"
},
{
"value": "Transport",
"uuid": "e93eb8db-72b1-4407-be3e-8cfea8f9efee"
},
{
"value": "Travel",
"uuid": "33a4f4fe-9bc3-4d43-b5ab-64fcc35882cf"
},
{
"value": "Turbine",
"uuid": "69b8bfcd-600e-45d8-962a-ce09ed0914ab"
},
{
"value": "Tourism",
"uuid": "bf0753fd-cb62-440d-a2c5-1adfb037676e"
},
{
"value": "Life science",
"uuid": "87eae00d-b973-46db-83a2-1f520aebcd44"
},
{
"value": "Biomedical",
"uuid": "58282b0e-10d4-4294-8845-6f41a1e79730"
},
{
"value": "High tech",
"uuid": "cd4dfa11-5f4a-4d02-a2cc-35603261e631"
},
{
"value": "Opposition",
"uuid": "18daafae-a923-4cf5-bf87-d8b35dd297e2"
},
{
"value": "Political party",
"uuid": "a93f281c-1fb4-471d-88ba-dfe5f3af13ff"
},
{
"value": "Hospitality",
"uuid": "d1aa1165-981a-4d9f-aece-c130c5034e1b"
},
{
"value": "Automotive",
"uuid": "79e7755d-d7fa-4bbc-b956-e296c614745e"
},
{
"value": "Metal",
"uuid": "3a7dae7d-2590-4e80-9c13-c22048a09f8a"
},
{
"value": "Railway",
"uuid": "02847338-fe03-4073-9f5b-c6fedc244b04"
},
{
"value": "Water",
"uuid": "26282f7e-8db4-4369-8af1-3981f6a93350"
},
{
"value": "Smart meter",
"uuid": "62487559-c0e5-4250-af48-d43fa2e61b82"
},
{
"value": "Retai",
"uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d"
},
{
"value": "Retail",
"uuid": "6ce2374c-2c81-4298-a941-666bf4258c00"
},
{
"value": "Technology",
"uuid": "ff403f0f-67d0-494c-aff9-1d748b7e7d8d"
},
{
"value": "engineering",
"uuid": "e07cd84c-1d66-4de3-8b93-15fa93f119cc"
},
{
"value": "Mining",
"uuid": "7508db07-ffd1-4137-9941-718f18370c4c"
},
{
"value": "Sport",
"uuid": "e8355f07-48c7-497b-9a14-3c2a6325ef3d"
},
{
"value": "Restaurant",
"uuid": "5eee85f4-f8dc-4dea-9ba2-af1e9f957097"
},
{
"value": "Semi-conductors",
"uuid": "5b9bb2f4-3e03-46b9-ab65-a7f99b726a32"
},
{
"value": "Insurance",
"uuid": "c4f35266-0f80-4948-9c0a-f4681ed0d507"
},
{
"value": "Legal",
"uuid": "94a7ffd4-d2e4-4324-be71-f274e84de089"
},
{
"value": "Shipping",
"uuid": "64483d7b-71a4-4130-803e-2c614a098d8b"
},
{
"value": "Logistic",
"uuid": "934bc859-ebc4-48d7-adb7-5accd4f0f965"
},
{
"value": "Construction",
"uuid": "4b5c230d-70b8-4748-a27c-bec121c436d8"
},
{
"value": "Industrial",
"uuid": "3153215a-784d-478e-a147-3410a5b43b39"
},
{
"value": "Communication equipment",
"uuid": "f4e11fd2-f2a2-4d09-8ed4-7ef978ccc03b"
},
{
"value": "Security Service",
"uuid": "886e517c-0331-445e-9c4b-ebe08aeb01cd"
},
{
"value": "Tax firm",
"uuid": "138159c5-0b29-46a5-91e2-fe01f7e7111d"
},
{
"value": "Television broadcast",
"uuid": "13fe4a5d-8d86-4875-b763-02bc5705810f"
},
{
"value": "Separatists",
"uuid": "d6335a0a-dfa2-4150-804b-86d06139e38a"
},
{
"value": "Dissidents",
"uuid": "c2f32e7c-6162-4999-ac3b-356007446d18"
},
{
"value": "Digital services",
"uuid": "5a9da7ef-57b8-4a22-88be-b8b6556fd447"
},
{
"value": "Digital infrastructure",
"uuid": "a10c2362-3ee9-4741-b5a5-c2fd1c7c730f"
},
{
"value": "Security actors",
"uuid": "0904672b-c18a-450e-88d6-6a94dd0eb25a"
},
{
"value": "eCommerce",
"uuid": "7e1ec8ba-24c4-4ad4-a596-7532ecbd0fbd"
},
{
"value": "Islamic forums",
"uuid": "c529331a-e2a9-4ba9-bb92-d4f88ae3704b"
},
{
"value": "Journalist",
"uuid": "ea95dce2-c2fc-48cb-95c7-d9200811f030"
},
{
"value": "Streaming service",
"uuid": "2287c024-9643-43ef-8776-858d3994b9ac"
},
{
"value": "Puplishing industry",
"uuid": "97e018e8-e03b-48ff-8add-1059f035069a"
},
{
"value": "Publishing industry",
"uuid": "867cbcb3-8baa-476f-bec5-ceb36e9b1e09"
},
{
"value": "Islamic organisation",
"uuid": "3929f589-ac94-4a6a-8360-122e06484db8"
},
{
"value": "Casino",
"uuid": "2e7ad54f-7637-4268-a9b9-cb2975d6bab9"
},
{
"value": "Consulting",
"uuid": "87ad7866-bdfa-4a22-a4f3-c411fecb1d0d"
},
{
"value": "Online marketplace",
"uuid": "737a196b-7bab-460b-b199-d6626fca1af1"
},
{
"value": "DNS service provider",
"uuid": "e48c0afc-afab-4ced-9a8b-a28d4a2efa08"
},
{
"value": "Veterinary",
"uuid": "4bc73e7c-d174-4faf-9176-d0ccc8ccfbbf"
},
{
"value": "Marketing",
"uuid": "ee5720bb-c638-46f8-bdf2-55579bf37eb2"
},
{
"value": "Video Sharing",
"uuid": "55d12d41-c558-4cdf-b2c5-f246403ca68f"
},
{
"value": "Advertising",
"uuid": "b018010e-272e-4ca9-8551-073618d7f2ad"
},
{
"value": "Investment",
"uuid": "40d66f31-36c2-42ff-97c6-97b34b5ce04e"
},
{
"value": "Accounting",
"uuid": "6edffd60-443c-4238-b368-362b47340d8b"
},
{
"value": "Programming",
"uuid": "855f40e1-074e-4818-8082-696a54adf13f"
},
{
"value": "Managed Services Provider",
"uuid": "f9260307-f792-4e60-8aa5-e2b4f84adadb"
},
{
"value": "Lawyers",
"uuid": "56eee132-fc01-410c-ada0-44d713443bf2"
},
{
"value": "Civil society",
"uuid": "9c1f6a5b-d9de-4cce-a024-7437cb20e24e"
},
{
"value": "Petrochemical",
"uuid": "1f1c762b-1e39-4989-8679-cc1f9cb08349"
},
{
"value": "Immigration",
"uuid": "bfd171a5-33f5-4c79-81c5-3dda99dae559"
}
],
"version": 1,
"uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8",
"description": "Activity sectors",
"authors": [
"Various"
],
"description": "Activity sectors",
"name": "Sector",
"source": "CERT-EU",
"type": "sector",
"name": "Sector"
"uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8",
"values": [
{
"uuid": "3ff4e243-7e26-4535-b911-fdda2f724aa2",
"value": "Unknown"
},
{
"uuid": "03655488-3d11-4fbf-8fe6-6148aaa01b83",
"value": "Other"
},
{
"uuid": "98821a86-3c11-474b-afab-3c84af061407",
"value": "Academia - University"
},
{
"uuid": "0a62f502-0a51-44ac-82a3-0a965b98c7a9",
"value": "Activists"
},
{
"uuid": "12f90076-f03d-4a2d-9f33-7a274dc462bb",
"value": "Aerospace"
},
{
"uuid": "e2214f48-0cdd-4110-ba59-e703282adf2c",
"value": "Agriculture"
},
{
"uuid": "b5283132-9245-4a5f-b4bc-1937fd80d80a",
"value": "Arts"
},
{
"uuid": "19cc9f22-e682-4808-a96c-82e573703dff",
"value": "Bank"
},
{
"uuid": "306f828d-8eb8-4adb-bee9-3211bf2a4ff7",
"value": "Chemical"
},
{
"uuid": "f50c1d4d-9d7c-4076-b5d4-e86dd5de4628",
"value": "Citizens"
},
{
"uuid": "ed13b6c9-c32c-4a58-82a7-ce64dc7fa086",
"value": "Civil Aviation"
},
{
"uuid": "89e7e93a-394f-48e3-ba70-501df2f010c0",
"value": "Country"
},
{
"uuid": "8c645d4e-8fcc-48a8-9656-5135cfbc10a6",
"value": "Culture"
},
{
"uuid": "0a2c80eb-ae5d-4d5e-b6fd-2703bc6a750d",
"value": "Data Broker"
},
{
"uuid": "9df5fb28-2298-4030-9db3-8cdef35bee14",
"value": "Defense"
},
{
"uuid": "96b329b2-2f04-4ce7-8ef2-bf3d898028c9",
"value": "Development"
},
{
"uuid": "33cbaf17-7600-47f7-87c7-39640874a1b4",
"value": "Diplomacy"
},
{
"uuid": "19eca562-123d-449b-af33-5a36e5279b12",
"value": "Education"
},
{
"uuid": "ac2dad84-5194-41bb-9edd-aad8d42f828f",
"value": "Electric"
},
{
"uuid": "04e0eef9-d7e8-4280-86bb-cc9897be8e08",
"value": "Electronic"
},
{
"uuid": "474e6647-ff06-4a9b-8061-a1a43baf8b15",
"value": "Employment"
},
{
"uuid": "3a94474b-7e23-4e06-9129-faea7ef55af8",
"value": "Energy"
},
{
"uuid": "beb9d5d6-53df-4e99-8fa8-e52880fbe740",
"value": "Entertainment"
},
{
"uuid": "8291a998-e888-4351-87ec-c6da6b06bff6",
"value": "Environment"
},
{
"uuid": "75597b7f-54e8-4f14-88c9-e81485ece483",
"value": "Finance"
},
{
"uuid": "9ade7eff-e2ce-4f05-85de-bb6b70444db4",
"value": "Food"
},
{
"uuid": "64493b1b-04eb-4f4d-94c7-65c3713131de",
"value": "Game"
},
{
"uuid": "851c28c6-2e80-4d63-959b-44037931175b",
"value": "Gas"
},
{
"uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f",
"value": "Government, Administration"
},
{
"uuid": "4649fe79-cb8f-4aa3-b3e0-e67d4161fcb0",
"value": "Health"
},
{
"uuid": "b822d660-fad3-40da-b4db-9bbf8fe23b27",
"value": "Higher education"
},
{
"uuid": "909f4de6-91ea-44b6-9c8f-5983fd4877c2",
"value": "Hotels"
},
{
"uuid": "641af156-12d0-4fb4-b89d-971cd454914f",
"value": "Infrastructure"
},
{
"uuid": "7aeb79bf-cc1a-49b5-b2ec-5b1fe4a7e295",
"value": "Intelligence"
},
{
"uuid": "3f18e5e7-c77d-4890-9d09-412a39a822e5",
"value": "IT"
},
{
"uuid": "342d0a71-584c-4e3f-9b2d-1dc5b5e53e97",
"value": "IT - Hacker"
},
{
"uuid": "872de996-e069-4cd9-b227-d5ca01dc020c",
"value": "IT - ISP"
},
{
"uuid": "6d9dbde3-25de-48b9-ab98-361c4211e6be",
"value": "IT - Security"
},
{
"uuid": "784e59ae-89bb-4bc8-82c8-7fab6ca5fb8a",
"value": "Justice"
},
{
"uuid": "5cacd8fb-a3d4-4ed7-84b5-d69378038591",
"value": "Manufacturing"
},
{
"uuid": "82ac6245-8691-4216-a6dd-8c99ebb8ce51",
"value": "Maritime"
},
{
"uuid": "5aec0d78-53b2-4fcf-b165-537494b866e4",
"value": "Military"
},
{
"uuid": "e10093ef-ccbf-4c24-9093-61e856c05ccd",
"value": "Multi-sector"
},
{
"uuid": "a0499041-2b4e-43aa-8fe3-04c2de23abdd",
"value": "News - Media"
},
{
"uuid": "d2f31b1f-a9b1-4f5b-b2b3-1aa2732a0608",
"value": "NGO"
},
{
"uuid": "5875cc3f-d0a5-445e-abb2-08411fc82522",
"value": "Oil"
},
{
"uuid": "0d688425-afb5-4f71-8b5a-f9be7d2d1551",
"value": "Payment"
},
{
"uuid": "8d7aa230-d07f-46e8-a099-6f1753793b84",
"value": "Pharmacy"
},
{
"uuid": "36432a96-225a-4c90-b0f5-44eaee45e306",
"value": "Police - Law enforcement"
},
{
"uuid": "738939b4-c93f-4972-938a-7eb1f60188b9",
"value": "Research - Innovation"
},
{
"uuid": "40082760-ed9e-4fcb-8bfa-2341d81d5e22",
"value": "Satellite navigation"
},
{
"uuid": "23429f36-298a-4ac6-8db9-87223bef9cbf",
"value": "Security systems"
},
{
"uuid": "61809257-9f13-4910-b824-f483c4334bb5",
"value": "Social networks"
},
{
"uuid": "595be3ad-bfb3-4bea-b81a-2fef618a1075",
"value": "Space"
},
{
"uuid": "cdc8b76f-a8df-4d30-81c1-bdb4935c718d",
"value": "Steel"
},
{
"uuid": "0de938bd-4efa-4c7a-9244-71a79317d142",
"value": "Telecoms"
},
{
"uuid": "3c70895b-573b-450c-ad0a-98b0e1a9741e",
"value": "Think Tanks"
},
{
"uuid": "4fef12b1-0bee-4855-81fb-9b7d2c5a1dec",
"value": "Trade"
},
{
"uuid": "e93eb8db-72b1-4407-be3e-8cfea8f9efee",
"value": "Transport"
},
{
"uuid": "33a4f4fe-9bc3-4d43-b5ab-64fcc35882cf",
"value": "Travel"
},
{
"uuid": "69b8bfcd-600e-45d8-962a-ce09ed0914ab",
"value": "Turbine"
},
{
"uuid": "bf0753fd-cb62-440d-a2c5-1adfb037676e",
"value": "Tourism"
},
{
"uuid": "87eae00d-b973-46db-83a2-1f520aebcd44",
"value": "Life science"
},
{
"uuid": "58282b0e-10d4-4294-8845-6f41a1e79730",
"value": "Biomedical"
},
{
"uuid": "cd4dfa11-5f4a-4d02-a2cc-35603261e631",
"value": "High tech"
},
{
"uuid": "18daafae-a923-4cf5-bf87-d8b35dd297e2",
"value": "Opposition"
},
{
"uuid": "a93f281c-1fb4-471d-88ba-dfe5f3af13ff",
"value": "Political party"
},
{
"uuid": "d1aa1165-981a-4d9f-aece-c130c5034e1b",
"value": "Hospitality"
},
{
"uuid": "79e7755d-d7fa-4bbc-b956-e296c614745e",
"value": "Automotive"
},
{
"uuid": "3a7dae7d-2590-4e80-9c13-c22048a09f8a",
"value": "Metal"
},
{
"uuid": "02847338-fe03-4073-9f5b-c6fedc244b04",
"value": "Railway"
},
{
"uuid": "26282f7e-8db4-4369-8af1-3981f6a93350",
"value": "Water"
},
{
"uuid": "62487559-c0e5-4250-af48-d43fa2e61b82",
"value": "Smart meter"
},
{
"uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d",
"value": "Retai"
},
{
"uuid": "6ce2374c-2c81-4298-a941-666bf4258c00",
"value": "Retail"
},
{
"uuid": "ff403f0f-67d0-494c-aff9-1d748b7e7d8d",
"value": "Technology"
},
{
"uuid": "e07cd84c-1d66-4de3-8b93-15fa93f119cc",
"value": "engineering"
},
{
"uuid": "7508db07-ffd1-4137-9941-718f18370c4c",
"value": "Mining"
},
{
"uuid": "e8355f07-48c7-497b-9a14-3c2a6325ef3d",
"value": "Sport"
},
{
"uuid": "5eee85f4-f8dc-4dea-9ba2-af1e9f957097",
"value": "Restaurant"
},
{
"uuid": "5b9bb2f4-3e03-46b9-ab65-a7f99b726a32",
"value": "Semi-conductors"
},
{
"uuid": "c4f35266-0f80-4948-9c0a-f4681ed0d507",
"value": "Insurance"
},
{
"uuid": "94a7ffd4-d2e4-4324-be71-f274e84de089",
"value": "Legal"
},
{
"uuid": "64483d7b-71a4-4130-803e-2c614a098d8b",
"value": "Shipping"
},
{
"uuid": "934bc859-ebc4-48d7-adb7-5accd4f0f965",
"value": "Logistic"
},
{
"uuid": "4b5c230d-70b8-4748-a27c-bec121c436d8",
"value": "Construction"
},
{
"uuid": "3153215a-784d-478e-a147-3410a5b43b39",
"value": "Industrial"
},
{
"uuid": "f4e11fd2-f2a2-4d09-8ed4-7ef978ccc03b",
"value": "Communication equipment"
},
{
"uuid": "886e517c-0331-445e-9c4b-ebe08aeb01cd",
"value": "Security Service"
},
{
"uuid": "138159c5-0b29-46a5-91e2-fe01f7e7111d",
"value": "Tax firm"
},
{
"uuid": "13fe4a5d-8d86-4875-b763-02bc5705810f",
"value": "Television broadcast"
},
{
"uuid": "d6335a0a-dfa2-4150-804b-86d06139e38a",
"value": "Separatists"
},
{
"uuid": "c2f32e7c-6162-4999-ac3b-356007446d18",
"value": "Dissidents"
},
{
"uuid": "5a9da7ef-57b8-4a22-88be-b8b6556fd447",
"value": "Digital services"
},
{
"uuid": "a10c2362-3ee9-4741-b5a5-c2fd1c7c730f",
"value": "Digital infrastructure"
},
{
"uuid": "0904672b-c18a-450e-88d6-6a94dd0eb25a",
"value": "Security actors"
},
{
"uuid": "7e1ec8ba-24c4-4ad4-a596-7532ecbd0fbd",
"value": "eCommerce"
},
{
"uuid": "c529331a-e2a9-4ba9-bb92-d4f88ae3704b",
"value": "Islamic forums"
},
{
"uuid": "ea95dce2-c2fc-48cb-95c7-d9200811f030",
"value": "Journalist"
},
{
"uuid": "2287c024-9643-43ef-8776-858d3994b9ac",
"value": "Streaming service"
},
{
"uuid": "97e018e8-e03b-48ff-8add-1059f035069a",
"value": "Puplishing industry"
},
{
"uuid": "867cbcb3-8baa-476f-bec5-ceb36e9b1e09",
"value": "Publishing industry"
},
{
"uuid": "3929f589-ac94-4a6a-8360-122e06484db8",
"value": "Islamic organisation"
},
{
"uuid": "2e7ad54f-7637-4268-a9b9-cb2975d6bab9",
"value": "Casino"
},
{
"uuid": "87ad7866-bdfa-4a22-a4f3-c411fecb1d0d",
"value": "Consulting"
},
{
"uuid": "737a196b-7bab-460b-b199-d6626fca1af1",
"value": "Online marketplace"
},
{
"uuid": "e48c0afc-afab-4ced-9a8b-a28d4a2efa08",
"value": "DNS service provider"
},
{
"uuid": "4bc73e7c-d174-4faf-9176-d0ccc8ccfbbf",
"value": "Veterinary"
},
{
"uuid": "ee5720bb-c638-46f8-bdf2-55579bf37eb2",
"value": "Marketing"
},
{
"uuid": "55d12d41-c558-4cdf-b2c5-f246403ca68f",
"value": "Video Sharing"
},
{
"uuid": "b018010e-272e-4ca9-8551-073618d7f2ad",
"value": "Advertising"
},
{
"uuid": "40d66f31-36c2-42ff-97c6-97b34b5ce04e",
"value": "Investment"
},
{
"uuid": "6edffd60-443c-4238-b368-362b47340d8b",
"value": "Accounting"
},
{
"uuid": "855f40e1-074e-4818-8082-696a54adf13f",
"value": "Programming"
},
{
"uuid": "f9260307-f792-4e60-8aa5-e2b4f84adadb",
"value": "Managed Services Provider"
},
{
"uuid": "56eee132-fc01-410c-ada0-44d713443bf2",
"value": "Lawyers"
},
{
"uuid": "9c1f6a5b-d9de-4cce-a024-7437cb20e24e",
"value": "Civil society"
},
{
"uuid": "1f1c762b-1e39-4989-8679-cc1f9cb08349",
"value": "Petrochemical"
},
{
"uuid": "bfd171a5-33f5-4c79-81c5-3dda99dae559",
"value": "Immigration"
}
],
"version": 1
}

32
clusters/stealer.json
View File

@ -1,32 +1,37 @@
{
"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
"authors": [
"raw-data"
],
"description": "A list of malware stealer.",
"name": "Stealer",
"source": "Open Sources",
"version": 2,
"type": "stealer",
"uuid": "f2ef4033-9001-4427-a418-df8c48e6d054",
"values": [
{
"description": "It is designed to steal data found within multiple Chromium and Firefox based browsers, it can also steal many popular cryptocurrency wallets as well as any saved FTP passwords within FileZilla. Nocturnal Stealer uses several anti-VM and anti-analysis techniques, which include but are not limited to: environment fingerprinting, checking for debuggers and analyzers, searching for known virtual machine registry keys, and checking for emulation software.",
"meta": {
"date": "March 2018.",
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap"
]
},
"description": "It is designed to steal data found within multiple Chromium and Firefox based browsers, it can also steal many popular cryptocurrency wallets as well as any saved FTP passwords within FileZilla. Nocturnal Stealer uses several anti-VM and anti-analysis techniques, which include but are not limited to: environment fingerprinting, checking for debuggers and analyzers, searching for known virtual machine registry keys, and checking for emulation software.",
"value": "Nocturnal Stealer",
"uuid": "e7080bce-99b5-4615-a798-a192ed89bd5a"
"uuid": "e7080bce-99b5-4615-a798-a192ed89bd5a",
"value": "Nocturnal Stealer"
},
{
"description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
"meta": {
"date": "March 2018.",
"refs": [
"https://blog.talosintelligence.com/2018/05/telegrab.html"
]
},
"description": "The first version stole browser credentials and cookies, along with all text files it can find on the system. The second variant added the ability to collect Telegram's desktop cache and key files, as well as login information for the video game storefront Steam.",
"value": "TeleGrab",
"uuid": "a6780288-24eb-4006-9ddd-062870c6feec"
"uuid": "a6780288-24eb-4006-9ddd-062870c6feec",
"value": "TeleGrab"
},
{
"description": "It is able to steal accounts from different software, such as, Firefox password Internet Explorer/Edge Thunderbird Chrome/Chromium and many more. It is also able to (1) list all installed software, (2) list processes, (3) Get information about the machine name (CPU type, Graphic card, size of memory), (4) take screen captures, (5) Steal cryptomoney wallet from Electrum, MultiBit, monero-project, bitcoin-qt.",
"meta": {
"date": "July 2018.",
"refs": [
@ -35,14 +40,9 @@
"https://malware.lu/articles/2018/05/04/azorult-stealer.html"
]
},
"description": "It is able to steal accounts from different software, such as, Firefox password Internet Explorer/Edge Thunderbird Chrome/Chromium and many more. It is also able to (1) list all installed software, (2) list processes, (3) Get information about the machine name (CPU type, Graphic card, size of memory), (4) take screen captures, (5) Steal cryptomoney wallet from Electrum, MultiBit, monero-project, bitcoin-qt.",
"value": "AZORult",
"uuid": "a646edab-5c6f-4a79-8a6c-153535259e16"
"uuid": "a646edab-5c6f-4a79-8a6c-153535259e16",
"value": "AZORult"
}
],
"authors": [
"raw-data"
],
"type": "stealer",
"description": "A list of malware stealer."
"version": 2
}

54
clusters/tds.json
View File

@ -1,7 +1,14 @@
{
"authors": [
"Kafeine"
],
"description": "TDS is a list of Traffic Direction System used by adversaries",
"name": "TDS",
"source": "MISP Project",
"type": "tds",
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
"values": [
{
"value": "Keitaro",
"description": "Keitaro TDS is among the mostly used TDS in drive by infection chains",
"meta": {
"refs": [
@ -11,10 +18,10 @@
"Commercial"
]
},
"uuid": "94c57fc0-4477-4643-b539-55ba8c455df6"
"uuid": "94c57fc0-4477-4643-b539-55ba8c455df6",
"value": "Keitaro"
},
{
"value": "BlackTDS",
"description": "BlackTDS is mutualised TDS advertised underground since end of December 2017",
"meta": {
"refs": [
@ -24,20 +31,20 @@
"Underground"
]
},
"uuid": "d5c0cf8d-8ed0-4fa2-a2e6-7274516ea1c8"
"uuid": "d5c0cf8d-8ed0-4fa2-a2e6-7274516ea1c8",
"value": "BlackTDS"
},
{
"value": "ShadowTDS",
"description": "ShadowTDS is advertised underground since 2016-02. It's in fact more like a Social Engineering kit focused on Android and embedding a TDS",
"meta": {
"type": [
"Underground"
]
},
"uuid": "2680a4b1-84d1-4af0-8126-4429a90f8ef8"
"uuid": "2680a4b1-84d1-4af0-8126-4429a90f8ef8",
"value": "ShadowTDS"
},
{
"value": "Sutra",
"description": "Sutra TDS was dominant from 2012 till 2015",
"meta": {
"refs": [
@ -47,10 +54,10 @@
"Commercial"
]
},
"uuid": "67f21003-bbc8-4993-b615-f990e539929f"
"uuid": "67f21003-bbc8-4993-b615-f990e539929f",
"value": "Sutra"
},
{
"value": "SimpleTDS",
"description": "SimpleTDS is a basic open source TDS",
"meta": {
"refs": [
@ -63,10 +70,10 @@
"OpenSource"
]
},
"uuid": "aa179c37-1a8a-4761-841a-cc940e19d7be"
"uuid": "aa179c37-1a8a-4761-841a-cc940e19d7be",
"value": "SimpleTDS"
},
{
"value": "BossTDS",
"description": "BossTDS",
"meta": {
"refs": [
@ -76,10 +83,10 @@
"Commercial"
]
},
"uuid": "5a483b4b-671a-4113-9b99-a115d2d2d644"
"uuid": "5a483b4b-671a-4113-9b99-a115d2d2d644",
"value": "BossTDS"
},
{
"value": "BlackHat TDS",
"description": "BlackHat TDS is sold underground.",
"meta": {
"refs": [
@ -89,36 +96,29 @@
"Underground"
]
},
"uuid": "36aa3b2d-4927-45e5-be08-f30144fd1909"
"uuid": "36aa3b2d-4927-45e5-be08-f30144fd1909",
"value": "BlackHat TDS"
},
{
"value": "Futuristic TDS",
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
"meta": {
"type": [
"Underground"
]
},
"uuid": "19d8eab9-72d5-4f22-affb-c0d6aed66346"
"uuid": "19d8eab9-72d5-4f22-affb-c0d6aed66346",
"value": "Futuristic TDS"
},
{
"value": "Orchid TDS",
"description": "Orchid TDS was sold underground. Rare usage",
"meta": {
"type": [
"Underground"
]
},
"uuid": "ec0048f2-a7b2-4a71-83de-6e8fe4fef252"
"uuid": "ec0048f2-a7b2-4a71-83de-6e8fe4fef252",
"value": "Orchid TDS"
}
],
"version": 3,
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"authors": [
"Kafeine"
],
"source": "MISP Project",
"type": "tds",
"name": "TDS"
"version": 3
}

3156
clusters/threat-actor.json
View File

File diff suppressed because it is too large Load Diff

2498
clusters/tool.json
View File

File diff suppressed because it is too large Load Diff