Merge branch 'master' into master

pull/483/head
rmkml 2019-11-22 22:32:24 +01:00 committed by GitHub
commit 64f100e578
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 11704 additions and 3135 deletions

@ -178,6 +178,56 @@
"uuid": "102e0d9e-8807-4c52-8a79-455d5e688081",
"value": "Insider Trading"
},
{
"description": "Investment Fraud",
"meta": {
"kill_chain": [
"fraud-tactics:Perform Fraud"
]
},
"uuid": "92f5f46f-c506-45de-9a7f-f1128e40d47c",
"value": "Investment Fraud"
},
{
"description": "Romance Scam",
"meta": {
"kill_chain": [
"fraud-tactics:Perform Fraud"
]
},
"uuid": "8ac64815-52c0-4d14-a4e4-4a19b2a6057d",
"value": "Romance Scam"
},
{
"description": "Buying/Renting Fraud",
"meta": {
"kill_chain": [
"fraud-tactics:Perform Fraud"
]
},
"uuid": "464005e5-f608-41c9-a4fa-cfe9b8d26431",
"value": "Buying/Renting Fraud"
},
{
"description": "Cash Recovery Scam",
"meta": {
"kill_chain": [
"fraud-tactics:Perform Fraud"
]
},
"uuid": "97a79d67-02f4-4e1c-ac37-f835c88fe2c2",
"value": "Cash Recovery Scam"
},
{
"description": "Fake Invoice Fraud",
"meta": {
"kill_chain": [
"fraud-tactics:Perform Fraud"
]
},
"uuid": "a0f764d1-b541-4ee7-bb30-21b9a735f644",
"value": "Fake Invoice Fraud"
},
{
"description": "Business Email Compromise",
"meta": {
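Review bot: In the five added entries from "Investment Fraud" through "Fake Invoice Fraud", each "description" is a copy of "value", so the cluster gives an analyst nothing to decide whether an event belongs under, say, "Cash Recovery Scam" rather than "Investment Fraud". Suggest replacing each with a one-sentence definition that states what distinguishes the scheme, and keeping "value" as the short label.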
@ -330,5 +380,5 @@
"value": "ATM Explosive Attack"
}
],
"version": 2
"version": 3
}

@ -0,0 +1,868 @@
{
"authors": [
"misinfosecproject"
],
"category": "misinformation-pattern",
"description": "AM!TT Technique",
"name": "Misinformation Pattern",
"source": "https://github.com/misinfosecproject/amitt_framework",
"type": "amitt-misinformation-pattern",
"uuid": "b3f65346-49e4-48c3-88f8-354902a5fe47",
"values": [
{
"description": "Nimmo's \"4Ds of propaganda\": dismiss, distort, distract, dismay (MisinfosecWG added divide in 2019). Misinformation promotes an agenda by advancing narratives supportive of that agenda. This is most effective when the advanced narrative pre-dates the revelation of the specific misinformation content. But this is often not possible.",
"meta": {
"external_id": "T0001",
"kill_chain": [
"misinformation-tactics:Strategic Planning"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0001.md"
]
},
"uuid": "16556f68-fe4f-43c8-a8a4-6fc205d80251",
"value": "5Ds (dismiss, distort, distract, dismay, divide)"
},
{
"description": "Organize citizens around pro-state messaging. Paid or volunteer groups coordinated to push state propaganda (examples include 2016 Diba Facebook Expedition, coordinated to overcome Chinas Great Firewall to flood the Facebook pages of Taiwanese politicians and news agencies with a pro-PRC message).",
"meta": {
"external_id": "T0002",
"kill_chain": [
"misinformation-tactics:Strategic Planning"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0002.md"
]
},
"uuid": "35f79572-d306-4df1-92e7-84e4d2242baf",
"value": "Facilitate State Propaganda"
},
{
"description": "Use or adapt existing narrative themes, where narratives are the baseline stories of a target audience. Narratives form the bedrock of our worldviews. New information is understood through a process firmly grounded in this bedrock. If new information is not consitent with the prevailing narratives of an audience, it will be ignored. Effective campaigns will frame their misinformation in the context of these narratives. Highly effective campaigns will make extensive use of audience-appropriate archetypes and meta-narratives throughout their content creation and amplifiction practices. Examples include midwesterners are generous, Russia is under attack from outside.",
"meta": {
"external_id": "T0003",
"kill_chain": [
"misinformation-tactics:Strategic Planning"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0003.md"
]
},
"uuid": "05f58511-8d22-45d5-b889-47a07b9be00d",
"value": "Leverage Existing Narratives"
},
{
"description": "Advance competing narratives connected to same issue ie: on one hand deny incident while at same time expresses dismiss. MH17 (example) \"Russian Foreign Ministry again claimed that “absolutely groundless accusations are put forward against the Russian side, which are aimed at discrediting Russia in the eyes of the international community\" (deny); \"The Dutch MH17 investigation is biased, anti-Russian and factually inaccurate\" (dismiss). \n\nSuppressing or discouraging narratives already spreading requires an alternative. The most simple set of narrative techniques in response would be the construction and promotion of contradictory alternatives centered on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on.\n\nThese competing narratives allow loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the \"firehose of misinformation\" approach.",
"meta": {
"external_id": "T0004",
"kill_chain": [
"misinformation-tactics:Strategic Planning"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0004.md"
]
},
"uuid": "8960c6c3-ab73-41b3-b661-901f4e4ed5e6",
"value": "Competing Narratives"
},
{
"description": "Recon/research to identify \"the source of power that provides moral or physical strength, freedom of action, or will to act.\" Thus, the center of gravity is usually seen as the \"source of strength\". Includes demographic and network analysis of communities",
"meta": {
"external_id": "T0005",
"kill_chain": [
"misinformation-tactics:Objective Planning"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0005.md"
]
},
"uuid": "a6de0798-4de8-4aa8-90c4-fd6d88f850f3",
"value": "Center of Gravity Analysis"
},
{
"description": "The promotion of beneficial master narratives is perhaps the most effective method for achieving long-term strategic narrative dominance. From a \"whole of society\" perpective the promotion of the society's core master narratives should occupy a central strategic role. From a misinformation campaign / cognitive security perpectve the tactics around master narratives center more precisely on the day-to-day promotion and reinforcement of this messaging. In other words, beneficial, high-coverage master narratives are a central strategic goal and their promotion consitutes an ongoing tactical struggle carried out at a whole-of-society level. \n\nBy way of example, major powers are promoting master narratives such as:\n* \"Huawei is detetmined to build trustworthy networks\"\n* \"Russia is the victim of bullying by NATO powers\"\n* \"USA is guided by its founding principles of liberty and egalitarianism\"\n\nTactically, their promotion covers a broad spectrum of activities both on- and offline.",
"meta": {
"external_id": "T0006",
"kill_chain": [
"misinformation-tactics:Objective Planning"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0006.md"
]
},
"uuid": "73c4fe48-8d25-47ce-8295-33db463b0e85",
"value": "Create Master Narratives"
},
{
"description": "Create key social engineering assets needed to amplify content, manipulate algorithms, fool public and/or specific incident/campaign targets. \n\nComputational propaganda depends substantially on false perceptions of credibility and acceptance. By creating fake users and groups with a variety of interests and commitments, attackers can ensure that their messages both come from trusted sources and appear more widely adopted than they actually are. \n\nExamples: Ukraine elections (2019) circumvent Facebooks new safeguards by paying Ukrainian citizens to give a Russian agent access to their personal pages. EU Elections (2019) Avaaz reported more than 500 suspicious pages and groups to Facebook related to the three-month investigation of Facebook disinformation networks in Europe. Mueller report (2016) The IRA was able to reach up to 126 million Americans on Facebook via a mixture of fraudulent accounts, groups, and advertisements, the report says. Twitter accounts it created were portrayed as real American voices by major news outlets. It was even able to hold real-life rallies, mobilizing hundreds of people at a time in major cities like Philadelphia and Miami. ",
"meta": {
"external_id": "T0007",
"kill_chain": [
"misinformation-tactics:Develop People"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0007.md"
]
},
"uuid": "14394d02-9f8f-4999-8e3d-c51b6f25076b",
"value": "Create fake Social Media Profiles / Pages / Groups"
},
{
"description": "Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda--for instance, click-based revenue--often have some superficial markers of authenticity, such as naming and site-design. But many can be quickly exposed with reference to their owenership, reporting history and adverstising details. A prominent case from the 2016 era was the _Denver Guardian_, which purported to be a local newspaper in Colorado and specialized in negative stories about Hillary Clinton.",
"meta": {
"external_id": "T0008",
"kill_chain": [
"misinformation-tactics:Develop People"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0008.md"
]
},
"uuid": "dd3f7b62-a99c-40d6-baeb-cd36601cc524",
"value": "Create fake or imposter news sites"
},
{
"description": "Stories planted or promoted in computational propaganda operations often make use of experts fabricated from whole cloth, sometimes specifically for the story itself. For example, in the Jade Helm conspiracy theory promoted by SVR in 2015, a pair of experts--one of them naming himself a “Military Intelligence Analyst / Russian Regional CME” and the other a “Geopolitical Strategist, Journalist & Author”--pushed the story heavily on LinkedIn.",
"meta": {
"external_id": "T0009",
"kill_chain": [
"misinformation-tactics:Develop People"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0009.md"
]
},
"uuid": "0253d5f6-cc08-4f46-b00a-628926020d2c",
"value": "Create fake experts"
},
{
"description": "Cultivate propagandists for a cause, the goals of which are not fully comprehended, and who are used cynically by the leaders of the cause. Independent actors use social media and specialised web sites to strategically reinforce and spread messages compatible with their own. Their networks are infiltrated and used by state media disinformation organisations to amplify the states own disinformation strategies against target populations. Many are traffickers in conspiracy theories or hoaxes, unified by a suspicion of Western governments and mainstream media. Their narratives, which appeal to leftists hostile to globalism and military intervention and nationalists against immigration, are frequently infiltrated and shaped by state-controlled trolls and altered news items from agencies such as RT and Sputnik. Also know as \"useful idiots\" or \"unwitting agents\".",
"meta": {
"external_id": "T0010",
"kill_chain": [
"misinformation-tactics:Develop Networks"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0010.md"
]
},
"uuid": "784cfb1f-c6f5-44a3-8b60-272c64aac4ea",
"value": "Cultivate useful idiots"
},
{
"description": "Hack or take over legimate accounts to distribute misinformation or damaging content. Examples include Syrian Electronic Army (2013) series of false tweets from a hijacked Associated Press Twitter account claiming that President Barack Obama had been injured in a series of explosions near the White House. The false report caused a temporary plunge of 143 points on the Dow Jones Industrial Average.",
"meta": {
"external_id": "T0011",
"kill_chain": [
"misinformation-tactics:Develop Networks"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0011.md"
]
},
"uuid": "79e9410b-c325-44fd-9b1b-8c9c53c8ecdd",
"value": "Hijack legitimate account"
},
{
"description": "Use anonymous social media profiles. Examples include page or group administrators, masked \"whois\" website directory data, no bylines connected to news article, no masthead connect to news websites. \n\nExample is 2016 @TEN_GOP profile where the actual Tennessee Republican Party tried unsuccessfully for months to get Twitter to shut it down, and 2019 Endless Mayfly is an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States, and Israel.",
"meta": {
"external_id": "T0012",
"kill_chain": [
"misinformation-tactics:Develop Networks"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0012.md"
]
},
"uuid": "40c0ba05-ecb4-42c1-af78-4c7cf586f547",
"value": "Use concealment"
},
{
"description": "",
"meta": {
"external_id": "T0013",
"kill_chain": [
"misinformation-tactics:Develop Networks"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0013.md"
]
},
"uuid": "81d35c37-da96-423b-9ec1-e2831a6f413d",
"value": "Create fake websites"
},
{
"description": "Generate revenue through online funding campaigns. e.g. Gather data, advance credible persona via Gofundme; Patreon; or via fake website connecting via PayPal or Stripe. (Example 2016) #VaccinateUS Gofundme campaigns to pay for Targetted facebook ads (Larry Cook, targetting Washington State mothers, $1,776 to boost posts over 9 months).",
"meta": {
"external_id": "T0014",
"kill_chain": [
"misinformation-tactics:Develop Networks"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0014.md"
]
},
"uuid": "06ff0cd0-08a4-486b-ab81-57c50bc2253e",
"value": "Create funding campaigns"
},
{
"description": "Many incident-based campaigns will create a hashtag to promote their fabricated event (e.g. #ColumbianChemicals to promote a fake story about a chemical spill in Louisiana). \n\nCreating a hashtag for an incident can have two important effects:\n1. Create a perception of reality around an event. Certainly only \"real\" events would be discussed in a hashtag. After all, the event has a name!\n2. Publicize the story more widely through trending lists and search behavior \n\nAsset needed to direct/control/manage \"conversation\" connected to launching new incident/campaign with new hashtag for applicable social media sites ie: Twitter, LinkedIn)",
"meta": {
"external_id": "T0015",
"kill_chain": [
"misinformation-tactics:Develop Networks"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0015.md"
]
},
"uuid": "80c68f29-1c22-4277-93c0-e19f97bd56ee",
"value": "Create hashtag"
},
{
"description": "Create attention grabbing headlines (outrage, doubt, humor) required to drive traffic & engagement. (example 2016) “Pope Francis shocks world, endorses Donald Trump for president.” (example 2016) \"FBI director received millions from Clinton Foundation, his brothers law firm does Clintons taxes”. This is a key asset",
"meta": {
"external_id": "T0016",
"kill_chain": [
"misinformation-tactics:Microtargeting"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0016.md"
]
},
"uuid": "7193e229-e122-4f50-818b-e2b047b18a9a",
"value": "Clickbait"
},
{
"description": "Drive traffic/engagement to funding campaign sites; helps provide measurable metrics to assess conversion rates",
"meta": {
"external_id": "T0017",
"kill_chain": [
"misinformation-tactics:Microtargeting"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0017.md"
]
},
"uuid": "3a540119-0ede-4ac5-968c-de11ac477cb3",
"value": "Promote online funding"
},
{
"description": "Create or fund advertisements targeted at specific populations",
"meta": {
"external_id": "T0018",
"kill_chain": [
"misinformation-tactics:Microtargeting"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0018.md"
]
},
"uuid": "97ce4b61-b888-4a76-98f6-a32dc1df1a1a",
"value": "Paid targeted ads"
},
{
"description": "Flood social channels; drive traffic/engagement to all assets; create aura/sense/perception of pervasiveness/consensus (for or against or both simultaneously) of an issue or topic. \"Nothing is true, but everything is possible.\" Akin to astroturfing campaign.",
"meta": {
"external_id": "T0019",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0019.md"
]
},
"uuid": "7bdc0b07-63db-406b-8602-1b8a1faa387f",
"value": "Generate information pollution"
},
{
"description": "Iteratively test incident performance (messages, content etc), e.g. A/B test headline/content enagagement metrics; website and/or funding campaign conversion rates",
"meta": {
"external_id": "T0020",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0020.md"
]
},
"uuid": "5bd83398-8273-49b8-8bc2-9435bda603ed",
"value": "Trial content"
},
{
"description": "Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.",
"meta": {
"external_id": "T0021",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0021.md"
]
},
"uuid": "fa6e62ca-16c3-4fdd-93ff-b1e1da4cfad8",
"value": "Memes"
},
{
"description": "\"Conspiracy narratives appeal to the human desire for explanatory order, by invoking the participation of poweful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalized or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the \"\"firehose of falsehoods\"\" model. \n\nExample: QAnon: conspiracy theory is an explanation of an event or situation that invokes a conspiracy by sinister and powerful actors, often political in motivation, when other explanations are more probable \"",
"meta": {
"external_id": "T0022",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0022.md"
]
},
"uuid": "5a832f09-0b39-4734-b7a1-9a4592bdb57e",
"value": "Conspiracy narratives"
},
{
"description": "Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Examples: images and ideas can be distorted by being placed in an improper content",
"meta": {
"external_id": "T0023",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0023.md"
]
},
"uuid": "01c4d71e-47ef-4cad-abda-ad1abd42cae7",
"value": "Distort facts"
},
{
"description": "Create fake videos and/or images by manipulating existing content or generating new content (e.g. deepfakes). Examples include Pelosi video (making her appear drunk) and photoshoped shark on flooded streets of Houston TX.",
"meta": {
"external_id": "T0024",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0024.md"
]
},
"uuid": "79a57ba1-9d29-4cd6-8669-ce9728bc33d7",
"value": "Create fake videos and images"
},
{
"description": "Obtain documents (eg by theft or leak), then alter and release, possibly among factual documents/sources. \n\nExample (2019) DFRLab report \"Secondary Infektion” highlights incident with key asset being a forged “letter” created by the operation to provide ammunition for far-right forces in Europe ahead of the election.",
"meta": {
"external_id": "T0025",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0025.md"
]
},
"uuid": "01f8720b-d254-4744-a4eb-a28efc8c3528",
"value": "Leak altered documents"
},
{
"description": "Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx",
"meta": {
"external_id": "T0026",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0026.md"
]
},
"uuid": "032ea639-87e3-413b-925d-e556b472216b",
"value": "Create fake research"
},
{
"description": "Adapting existing narratives to current operational goals is the tactical sweet-spot for an effective misinformation campaign. Leveraging existing narratives is not only more effective, it requires substantially less resourcing, as the promotion of new master narratives operates on a much larger scale, both time and scope. Fluid, dynamic & often interchangable key master narratives can be (\"The morally corrupt West\") adapted to divisive (LGBT proganda) or to distort (individuals working as CIA operatives). For Western audiences, different but equally powerful framings are available, such as \"USA has a fraught history in race relations, espically in crimincal justice areas.\"",
"meta": {
"external_id": "T0027",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0027.md"
]
},
"uuid": "c30bfa00-2da6-4443-aa05-5342ad9ea2cc",
"value": "Adapt existing narratives"
},
{
"description": "\"Misinformation promotes an agenda by advancing narratives supportive of that agenda. This is most effective when the advanced narrative pre-dates the revelation of the specific misinformation content. But this is often not possible. \n\nSuppressing or discouraging narratives already spreading requires an alternative. The most simple set of narrative techniques in response would be the construction and promotion of contradictory alternatives centered on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on. \n\nThese competing narratives allow loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the \"\"firehose of misinformation\"\" approach.\"",
"meta": {
"external_id": "T0028",
"kill_chain": [
"misinformation-tactics:Develop Content"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0028.md"
]
},
"uuid": "c84a5389-92a0-41f1-bed1-b85a4720ffa5",
"value": "Create competing narratives"
},
{
"description": "Create fake online polls, or manipulate existing online polls. Examples: flooding FCC with comments; creating fake engagement metrics of Twitter/Facebook polls to manipulate perception of given issue. Data gathering tactic to target those who engage, and potentially their networks of friends/followers as well",
"meta": {
"external_id": "T0029",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0029.md"
]
},
"uuid": "d7175e98-579d-4675-aff1-3fc24a18e003",
"value": "Manipulate online polls"
},
{
"description": "Create other assets/dossier/cover/fake relationships and/or connections or documents, sites, bylines, attributions, to establish/augment/inflate crediblity/believability",
"meta": {
"external_id": "T0030",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0030.md"
]
},
"uuid": "88fad613-42bb-46b0-8ef7-dafde53d2b72",
"value": "Backstop personas"
},
{
"description": "Use YouTube as a narrative dissemination channel",
"meta": {
"external_id": "T0031",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0031.md"
]
},
"uuid": "18a024a0-b0c8-4091-bd22-9d167c0ada16",
"value": "YouTube"
},
{
"description": "Use Reddit as a narrative dissemination channel",
"meta": {
"external_id": "T0032",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0032.md"
]
},
"uuid": "0cf0ecdb-fc07-41b0-9fa1-8c7eb40a8116",
"value": "Reddit"
},
{
"description": "Use Instagram as a narrative dissemination channel",
"meta": {
"external_id": "T0033",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0033.md"
]
},
"uuid": "3ad77fc0-970b-4a6a-bfd9-db122e375812",
"value": "Instagram"
},
{
"description": "Use LinkedIn as a narrative dissemination channel",
"meta": {
"external_id": "T0034",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0034.md"
]
},
"uuid": "9a440d3e-eba9-4d8f-ba93-d691a9121a68",
"value": "LinkedIn"
},
{
"description": "Use Pinterest as a narrative dissemination channel",
"meta": {
"external_id": "T0035",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0035.md"
]
},
"uuid": "ba998ea4-b39d-4d66-b3ba-d90e2e0abc8c",
"value": "Pinterest"
},
{
"description": "Use WhatsApp as a narrative dissemination channel",
"meta": {
"external_id": "T0036",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0036.md"
]
},
"uuid": "231e17e7-3268-4316-ae25-ba4e978a043a",
"value": "WhatsApp"
},
{
"description": "Use Facebook as a narrative dissemination channel",
"meta": {
"external_id": "T0037",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0037.md"
]
},
"uuid": "70086088-dfd6-4fd7-9f28-bf61c7f77dbb",
"value": "Facebook"
},
{
"description": "Use Twitter as a narrative dissemination channel",
"meta": {
"external_id": "T0038",
"kill_chain": [
"misinformation-tactics:Channel Selection"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0038.md"
]
},
"uuid": "c2463ebc-2156-4597-b8e8-cad15954cab4",
"value": "Twitter"
},
{
"description": "",
"meta": {
"external_id": "T0039",
"kill_chain": [
"misinformation-tactics:Pump Priming"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0039.md"
]
},
"uuid": "f1145ebe-da32-471b-9ce5-4ba5c1393bb3",
"value": "Bait legitimate influencers"
},
{
"description": "",
"meta": {
"external_id": "T0040",
"kill_chain": [
"misinformation-tactics:Pump Priming"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0040.md"
]
},
"uuid": "6134c516-1521-40ee-9cdd-48d5f034289a",
"value": "Demand unsurmountable proof"
},
{
"description": "",
"meta": {
"external_id": "T0041",
"kill_chain": [
"misinformation-tactics:Pump Priming"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0041.md"
]
},
"uuid": "90e5c8f1-55b4-48f3-99df-07a1b15621b7",
"value": "Deny involvement"
},
{
"description": "",
"meta": {
"external_id": "T0042",
"kill_chain": [
"misinformation-tactics:Pump Priming"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0042.md"
]
},
"uuid": "c4820314-22b3-4143-b197-0ef49faa6132",
"value": "Kernel of Truth"
},
{
"description": "",
"meta": {
"external_id": "T0043",
"kill_chain": [
"misinformation-tactics:Pump Priming"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0043.md"
]
},
"uuid": "f89d4b1d-34a3-41fc-9fcb-5c17faf4d928",
"value": "Use SMS/ WhatsApp/ Chat apps"
},
{
"description": "",
"meta": {
"external_id": "T0044",
"kill_chain": [
"misinformation-tactics:Pump Priming"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0044.md"
]
},
"uuid": "04946fbc-9bfc-4078-8dec-d3554233494b",
"value": "Seed distortions"
},
{
"description": "Use the fake experts that were set up in T0009. Pseudo-experts are disposable assets that often appear once and then disappear. Give \"credility\" to misinformation. Take advantage of credential bias",
"meta": {
"external_id": "T0045",
"kill_chain": [
"misinformation-tactics:Pump Priming"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0045.md"
]
},
"uuid": "6284e088-837a-4dbe-8f81-249559069625",
"value": "Use fake experts"
},
{
"description": "Manipulate content engagement metrics (ie: Reddit & Twitter) to influence/impact news search results (e.g. Google), also elevates RT & Sputnik headline into Google news alert emails. aka \"Black-hat SEO\" ",
"meta": {
"external_id": "T0046",
"kill_chain": [
"misinformation-tactics:Pump Priming"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0046.md"
]
},
"uuid": "1a51094b-5965-4ddb-9833-11e14ac1fd98",
"value": "Search Engine Optimization"
},
{
"description": "Use political influence or the power of state to stop critical social media comments. Government requested/driven content take downs (see Google Transperancy reports. (Example 20190 Singapore Protection from Online Falsehoods and Manipulation Bill would make it illegal to spread \"false statements of fact\" in Singapore, where that information is \"prejudicial\" to Singapore's security or \"public tranquility.\" Or India/New Delhi has cut off services to Facebook and Twitter in Kashmir 28 times in the past five years, and in 2016, access was blocked for five months -- on the grounds that these platforms were being used for anti-social and \"anti-national\" purposes.",
"meta": {
"external_id": "T0047",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0047.md"
]
},
"uuid": "6e13aaa2-8452-4f4f-b5ca-56291dcbb351",
"value": "Muzzle social media as a political force"
},
{
"description": "Intimidate, coerce, threaten critics/dissidents/journalists via trolling, doxing. Phillipines (example) Maria Ressa and Rappler journalists targeted Duterte regime, lawsuits, trollings, banned from the presidential palace where press briefings take place. 2017 Bot attack on five ProPublica Journalists.",
"meta": {
"external_id": "T0048",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0048.md"
]
},
"uuid": "cf50c811-8d01-4c0b-bb0c-c7d84ac620b4",
"value": "Cow online opinion leaders"
},
{
"description": "Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect. \n\nExample (2018): bots flood social media promoting messages which support Saudi Arabia with intent to cast doubt on allegations that the kingdom was involved in Khashoggis death.",
"meta": {
"external_id": "T0049",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0049.md"
]
},
"uuid": "01b27791-6daf-4819-a218-256377282135",
"value": "Flooding"
},
{
"description": "Deploy state-coordinated social media commenters and astroturfers. Both internal/domestic and external social media influence operations, popularized by China (50cent Army manage message inside the \"Great Firewall\") but also technique used by Chinese English-language social media influence operations are seeded by state-run media, which overwhelmingly present a positive, benign, and cooperative image of China. ",
"meta": {
"external_id": "T0050",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0050.md"
]
},
"uuid": "b1744176-7e69-4d2a-bd26-3994dd1ade79",
"value": "Cheerleading domestic social media ops"
},
{
"description": "Use government-paid social media commenters, astroturfers, chat bots (programmed to reply to specific key words/hashtags) influence online conversations, product reviews, web-site comment forums. (2017 example) the FCC was inundated with nearly 22 million public comments on net neutrality (many from fake accounts)",
"meta": {
"external_id": "T0051",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0051.md"
]
},
"uuid": "a9d7894e-abc8-407f-8f90-62d3b2cff277",
"value": "Fabricate social media comment"
},
{
"description": "Create content/news/opinion web-sites to cross-post stories. Tertiary sites circulate and amplify narratives. Often these sites have no masthead, bylines or attribution. \n\nExamples of tertiary sites inculde Russia Insider, The Duran, geopolitica.ru, Mint Press News, Oriental Review, globalresearch.ca. \n\nExample (2019, Domestic news): Snopes reveals Star News Digital Media, Inc. may look like a media company that produces local news, but operates via undisclosed connections to political activism. \n\nExample (2018) FireEye reports on Iranian campaign that created between April 2018 and March 2019 sites used to spread inauthentic content from websites such as Liberty Front Press (LFP), US Journal, and Real Progressive Front during the US mid-terms.",
"meta": {
"external_id": "T0052",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0052.md"
]
},
"uuid": "bb0c643e-c83b-474e-9eb6-21ba51d20efe",
"value": "Tertiary sites amplify news"
},
{
"description": "Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operating to support individuals/narratives from the entire political spectrum (left/right binary). Operating with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it's easier to amplify existing content than create new/original content. Trolls operate where ever there's a socially divisive issue (issues that can/are be politicized) e.g. BlackLivesMatter or MeToo",
"meta": {
"external_id": "T0053",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0053.md"
]
},
"uuid": "9feff36b-887c-4cb8-9224-a0694b003d57",
"value": "Twitter trolls amplify and manipulate"
},
{
"description": "Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (ie: automatically retweet or like) and give appearance it's more \"popular\" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are an inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive.(example 2019) #TrudeauMustGo ",
"meta": {
"external_id": "T0054",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0054.md"
]
},
"uuid": "10f072e1-02cd-4b6e-8a4e-c1c35cf9e166",
"value": "Twitter bots amplify"
},
{
"description": "Use the dedicated hashtag for the incident (e.g. #PhosphorusDisaster)",
"meta": {
"external_id": "T0055",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0055.md"
]
},
"uuid": "0f490149-34b2-4316-b19b-7b43423522b3",
"value": "Use hashtag"
},
{
"description": "Output information pollution (e.g. articles on an unreported false story/event) through channels controlled by or related to the incident creator. Examples include RT/Sputnik or antivax websites seeding stories.",
"meta": {
"external_id": "T0056",
"kill_chain": [
"misinformation-tactics:Exposure"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0056.md"
]
},
"uuid": "4a3a83d1-fb95-47ac-91fe-cd2682eb4637",
"value": "Dedicated channels disseminate information pollution"
},
{
"description": "Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives. Example: Facebook groups/pages coordinate/more divisive/polarizing groups and actvities into the public space. (Example) Mueller's report, highlights, the IRA organized political rallies in the U.S. using social media starting in 2015 and continued to coordinate rallies after the 2016 election",
"meta": {
"external_id": "T0057",
"kill_chain": [
"misinformation-tactics:Go Physical"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0057.md"
]
},
"uuid": "37a150a4-abb9-475d-820b-132336b25491",
"value": "Organise remote rallies and events"
},
{
"description": "Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it's hard to remove or unlikely to be removed.",
"meta": {
"external_id": "T0058",
"kill_chain": [
"misinformation-tactics:Persistence"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0058.md"
]
},
"uuid": "c7366126-f01d-435d-91d5-e77d26082c1a",
"value": "Legacy web content"
},
{
"description": "",
"meta": {
"external_id": "T0059",
"kill_chain": [
"misinformation-tactics:Persistence"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0059.md"
]
},
"uuid": "12a75c2e-495d-43da-bf13-d89f448cefc0",
"value": "Play the long game"
},
{
"description": "",
"meta": {
"external_id": "T0060",
"kill_chain": [
"misinformation-tactics:Persistence"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0060.md"
]
},
"uuid": "cface37a-cbb9-4554-96f0-d3088f7131ed",
"value": "Continue to amplify"
},
{
"description": "Sell hats, t-shirts, flags and other branded content that's designed to be seen in the real world",
"meta": {
"external_id": "T0061",
"kill_chain": [
"misinformation-tactics:Go Physical"
],
"refs": [
"https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0061.md"
]
},
"uuid": "3b312e50-6420-48b7-9a94-c4d84f29ad1c",
"value": "Sell merchandising"
}
],
"version": 4
}
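Review bot: T0059 "Play the long game" and T0060 "Continue to amplify" are added with an empty `"description": ""`, so anyone consuming this galaxy gets a technique name with no definition; fill them from the linked techniques/T0059.md and techniques/T0060.md, or hold those two entries back until there is text. Several other descriptions in this hunk need a proofread before merge: T0047 has "Transperancy", "20190" and an opening parenthesis before "see Google" that is never closed; T0048 has "Phillipines"; T0049 has "acheive" and "Khashoggis"; T0052 has "inculde"; T0057 has "actvities". If the strings are generated from the AM!TT repository, fix them there so the next regeneration does not bring them back.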

File diff suppressed because one or more lines are too long

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -89,13 +89,6 @@
],
"type": "similar"
},
{
"dest-uuid": "3da22160-12d9-4d27-a99f-338e8de3844a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
"tags": [
@ -103,13 +96,6 @@
],
"type": "similar"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
@ -320,6 +306,13 @@
],
"type": "uses"
},
{
"dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
@ -361,6 +354,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9ddc2534-e91c-4dab-a8f6-43dab81e8142",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
@ -445,13 +445,6 @@
],
"type": "similar"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446",
"tags": [
@ -507,6 +500,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
@ -866,14 +866,14 @@
},
"related": [
{
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
"dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
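Review bot: the two `related` entries in this hunk are only swapped (`56fca983-1cf1-4fd1-bda0-5e170a37ab59` and `7385dfaf-6886-4229-9ecd-6fd678040830` trade places with identical tags and type), so no data changes. The same order-only churn appears in the hunks at -1357, -2054 and -2088. Suggest having the generator emit `related` in a stable order, for example sorted by `dest-uuid`, so that real relationship changes are not buried in reordering noise.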
@ -921,20 +921,6 @@
]
},
"related": [
{
"dest-uuid": "3e205e84-9f90-4b4b-8896-c82189936a15",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1",
"tags": [
@ -948,6 +934,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
@ -1018,6 +1011,13 @@
]
},
"related": [
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
@ -1026,7 +1026,7 @@
"type": "uses"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -1250,13 +1250,6 @@
]
},
"related": [
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392",
"tags": [
@ -1320,6 +1313,13 @@
],
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077",
"tags": [
@ -1338,6 +1338,196 @@
"uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"value": "Net - S0039"
},
{
"description": "[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)",
"meta": {
"external_id": "S0404",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0404",
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh875546(v=ws.11)"
],
"synonyms": [
"esentutl",
"esentutl.exe"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27",
"value": "esentutl - S0404"
},
{
"description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)",
"meta": {
"external_id": "S0408",
"mitre_platforms": [
"Android"
],
"refs": [
"https://attack.mitre.org/software/S0408",
"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf",
"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html",
"https://www.flexispy.com/"
],
"synonyms": [
"FlexiSpy"
]
},
"related": [
{
"dest-uuid": "948a447c-d783-4ba0-8516-a64140fcacd5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "fd658820-cbba-4c95-8ac9-0fac6b1099e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e4c347e9-fb91-4bc5-83b8-391e389131e2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "1622fd3d-fcfc-4d02-ac49-f2d786f79b81",
"value": "FlexiSpy - S0408"
},
{
"description": "[Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)\n\nUtilities such as [Reg](https://attack.mitre.org/software/S0075) are known to be used by persistent threats. (Citation: Windows Commands JPCERT)",
"meta": {
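Review bot: in the new "FlexiSpy - S0408" entry, `mitre_platforms` lists only "Android" while the description opens with "surveillanceware for iOS and Android". If that mirrors upstream because only the Android version has public analysis, that is fine, but anyone filtering this cluster by platform will miss the iOS case, so it is worth confirming. The CyberMerchants reference is also plain `http://`; use the https form if the site serves it.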
@ -1357,14 +1547,14 @@
},
"related": [
{
"dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
"dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -1751,13 +1941,6 @@
],
"type": "similar"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
@ -1940,6 +2123,13 @@
],
"type": "uses"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
"tags": [
@ -1993,6 +2183,49 @@
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
"value": "Pupy - S0192"
},
{
"description": "MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.(Citation: GitHub MailSniper)",
"meta": {
"external_id": "S0413",
"mitre_platforms": [
"Office 365",
"Windows",
"Azure AD"
],
"refs": [
"https://attack.mitre.org/software/S0413",
"https://github.com/dafthack/MailSniper"
],
"synonyms": [
"MailSniper"
]
},
"related": [
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e",
"value": "MailSniper - S0413"
},
{
"description": "[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)",
"meta": {
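Review bot: the "MailSniper - S0413" description is the only one in view that does not open with the markdown link to its attack.mitre.org software page; esentutl, FlexiSpy, Reg and Expand all start with `[Name](https://attack.mitre.org/software/...)`. If the descriptions are copied verbatim from ATT&CK, leave it; otherwise add the link so tooling that extracts the software URL from the description treats this entry like the others.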
@ -2054,14 +2287,14 @@
},
"related": [
{
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e",
"dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -2088,14 +2321,14 @@
},
"related": [
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -2599,6 +2832,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4579d9c9-d5b9-45e0-9848-0104637b579f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "da04ac30-27da-4959-a67d-450ce47d9470",
@ -2776,7 +3016,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0378",
"https://github.com/nettitude/PoshC2"
"https://github.com/nettitude/PoshC2_Python"
],
"synonyms": [
"PoshC2"
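Review bot: the PoshC2 reference is replaced rather than extended, so `https://github.com/nettitude/PoshC2` disappears from `refs` in favour of `https://github.com/nettitude/PoshC2_Python`. If S0378 still covers the original project, keep both URLs; a dropped reference is hard to notice later.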
@ -3500,6 +3740,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4579d9c9-d5b9-45e0-9848-0104637b579f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
@ -3578,6 +3825,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4579d9c9-d5b9-45e0-9848-0104637b579f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
@ -3724,5 +3978,5 @@
"value": "Nltest - S0359"
}
],
"version": 15
"version": 17
}
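Review bot: `version` goes from 15 to 17 here, skipping 16, while the other clusters in this commit are bumped by one. If the jump comes from merging two regenerations, say so in the commit message; otherwise bump to 16.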

View File

@ -13444,6 +13444,9 @@
"meta": {
"refs": [
"https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html"
],
"synonyms": [
"REvil"
]
},
"uuid": "24bd9a4b-2b66-428b-8e1c-6b280b056c00",
@ -13570,6 +13573,25 @@
"uuid": "7cea8846-1f3d-331a-3ebf-055d452351b6",
"value": "Maze"
},
{
"description": "Ransomware delivered using fake Windows Update spam",
"meta": {
"extensions": [
".777"
],
"ransomnotes-filenames": [
"Cyborg_DECRYPT.txt"
],
"ransomnotes-refs": [
"https://npercoco.typepad.com/.a/6a0133f264aa62970b0240a4ebff1b200b-pi"
],
"refs": [
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/fake-windows-update-spam-leads-to-cyborg-ransomware-and-its-builder/"
]
},
"uuid": "0a0b9311-8cbc-4d97-b337-42c9a018ebe0",
"value": "Cyborg Ransomware"
},
{
"description": "A targeted email campaign has been spotted distributing the JasperLoader to victims. While the JasperLoader was originally used to then install Gootkit, Certego has observed it now being used to infect victims with a new ransomware dubbed FTCODE. Using an invoice-themed email appearing to target Italian users, the attackers attempt to convince users to allow macros in a Word document. The macro is used to run PowerShell to retrieve additional PowerShell code.",
"meta": {
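Review bot: the new entry's `value` is "Cyborg Ransomware" while its neighbours in this cluster are just "Maze" and "FTCode"; drop the suffix, or add "Cyborg" under `synonyms`, so lookups by family name match. The `ransomnotes-refs` URL points at an image on a personal typepad host; the Trustwave post already in `refs` is the more durable source, so consider whether the image link is needed.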
@ -13585,5 +13607,5 @@
"value": "FTCode"
}
],
"version": 73
"version": 74
}

View File

@ -1934,7 +1934,9 @@
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX"
],
"synonyms": [
"Korplug"
"Korplug",
"SOGU",
"Scontroller"
]
},
"related": [
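Review bot: "SOGU" and "Scontroller" are added to `synonyms` with no reference in this hunk that uses either name; the only ref in view is the Trend Micro PLUGX page. Add the report each alias comes from to `refs` so the mapping can be checked.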
@ -3416,5 +3418,5 @@
"value": "InnfiRAT"
}
],
"version": 31
"version": 32
}

541
clusters/region.json Normal file
View File

@ -0,0 +1,541 @@
{
"authors": [
"Unknown"
],
"category": "location",
"description": "Regions based on UN M49.",
"name": "Regions UN M49",
"source": "https://unstats.un.org/unsd/methodology/m49/overview/",
"type": "region",
"uuid": "eea087b6-e02f-11e9-89c1-cf406e0267ec",
"values": [
{
"meta": {
"subregion": [
"002 - Africa",
"019 - Americas",
"142 - Asia",
"150 - Europe",
"009 - Oceania",
"010 - Antarctica"
]
},
"uuid": "8d87018b-e8bb-472e-841b-4429fb6b9bc0",
"value": "001 - World"
},
{
"meta": {
"subregion": [
"015 - Northern Africa",
"202 - Sub-Saharan Africa"
]
},
"uuid": "48fc57a4-3a9f-42dd-8e2b-83488d08a1be",
"value": "002 - Africa"
},
{
"meta": {
"subregion": [
"419 - Latin America and the Caribbean",
"021 - Northern America"
]
},
"uuid": "a6427c40-6fba-46dc-9995-72e16a4c57a7",
"value": "019 - Americas"
},
{
"meta": {
"subregion": [
"143 - Central Asia",
"030 - Eastern Asia",
"035 - South-eastern Asia",
"034 - Southern Asia",
"145 - Western Asia"
]
},
"uuid": "4b09b683-5650-4a6c-a383-d8f3b686ebc2",
"value": "142 - Asia"
},
{
"meta": {
"subregion": [
"151 - Eastern Europe",
"154 - Northern Europe",
"039 - Southern Europe",
"155 - Western Europe"
]
},
"uuid": "739c285c-fe59-4540-b323-bf713af30347",
"value": "150 - Europe"
},
{
"meta": {
"subregion": [
"053 - Australia and New Zealand",
"054 - Melanesia",
"057 - Micronesia",
"061 - Polynesia"
]
},
"uuid": "d9e8c021-b387-4d67-8b8e-5e5ae57e6647",
"value": "009 - Oceania"
},
{
"meta": {
"subregion": [
"012 - Algeria",
"818 - Egypt",
"434 - Libya",
"504 - Morocco",
"729 - Sudan",
"788 - Tunisia",
"732 - Western Sahara"
]
},
"uuid": "4a65b439-849b-4fdd-b34d-e80f738a4309",
"value": "015 - Northern Africa"
},
{
"meta": {
"subregion": [
"014 - Eastern Africa",
"017 - Middle Africa",
"018 - Southern Africa",
"011 - Western Africa"
]
},
"uuid": "130997e8-c900-4457-829a-447eec3fbb89",
"value": "202 - Sub-Saharan Africa"
},
{
"meta": {
"subregion": [
"029 - Caribbean",
"013 - Central America",
"005 - South America"
]
},
"uuid": "aef21eb1-eccd-46e1-a4c8-9e9b8452d912",
"value": "419 - Latin America and the Caribbean"
},
{
"meta": {
"subregion": [
"060 - Bermuda",
"124 - Canada",
"304 - Greenland",
"666 - Saint Pierre and Miquelon",
"840 - United States of America"
]
},
"uuid": "64974dea-c6c9-462d-9fcf-4456a397d591",
"value": "021 - Northern America"
},
{
"meta": {
"subregion": [
"398 - Kazakhstan",
"417 - Kyrgyzstan",
"762 - Tajikistan",
"795 - Turkmenistan",
"860 - Uzbekistan"
]
},
"uuid": "a5515b7c-594b-4e37-a60f-3bab8808c54c",
"value": "143 - Central Asia"
},
{
"meta": {
"subregion": [
"156 - China",
"344 - China, Hong Kong Special Administrative Region",
"446 - China, Macao Special Administrative Region",
"408 - Democratic People's Republic of Korea",
"392 - Japan",
"496 - Mongolia",
"410 - Republic of Korea"
]
},
"uuid": "aa46fbd1-54df-4e1e-a5d6-7bced5c59803",
"value": "030 - Eastern Asia"
},
{
"meta": {
"subregion": [
"096 - Brunei Darussalam",
"116 - Cambodia",
"360 - Indonesia",
"418 - Lao People's Democratic Republic",
"458 - Malaysia",
"104 - Myanmar",
"608 - Philippines",
"702 - Singapore",
"764 - Thailand",
"626 - Timor-Leste",
"704 - Viet Nam"
]
},
"uuid": "990d0e8e-dfd0-45d1-ab8b-758b9139c0fe",
"value": "035 - South-eastern Asia"
},
{
"meta": {
"subregion": [
"004 - Afghanistan",
"050 - Bangladesh",
"064 - Bhutan",
"356 - India",
"364 - Iran (Islamic Republic of)",
"462 - Maldives",
"524 - Nepal",
"586 - Pakistan",
"144 - Sri Lanka"
]
},
"uuid": "f86776cd-274f-438a-8beb-9349aebda0bb",
"value": "034 - Southern Asia"
},
{
"meta": {
"subregion": [
"051 - Armenia",
"031 - Azerbaijan",
"048 - Bahrain",
"196 - Cyprus",
"268 - Georgia",
"368 - Iraq",
"376 - Israel",
"400 - Jordan",
"414 - Kuwait",
"422 - Lebanon",
"512 - Oman",
"634 - Qatar",
"682 - Saudi Arabia",
"275 - State of Palestine",
"760 - Syrian Arab Republic",
"792 - Turkey",
"784 - United Arab Emirates",
"887 - Yemen"
]
},
"uuid": "d66b2e98-39fb-4710-b075-5bee2fa00cd4",
"value": "145 - Western Asia"
},
{
"meta": {
"subregion": [
"112 - Belarus",
"100 - Bulgaria",
"203 - Czechia",
"348 - Hungary",
"616 - Poland",
"498 - Republic of Moldova",
"642 - Romania",
"643 - Russian Federation",
"703 - Slovakia",
"804 - Ukraine"
]
},
"uuid": "c7cb0859-5680-4bdb-9c78-46cab3504a62",
"value": "151 - Eastern Europe"
},
{
"meta": {
"subregion": [
"830 - Channel Islands",
"248 - Åland Islands",
"208 - Denmark",
"233 - Estonia",
"234 - Faroe Islands",
"246 - Finland",
"352 - Iceland",
"372 - Ireland",
"833 - Isle of Man",
"428 - Latvia",
"440 - Lithuania",
"578 - Norway",
"744 - Svalbard and Jan Mayen Islands",
"752 - Sweden",
"826 - United Kingdom of Great Britain and Northern Ireland"
]
},
"uuid": "f93cb275-0366-4ecc-abf0-a17928d1e177",
"value": "154 - Northern Europe"
},
{
"meta": {
"subregion": [
"008 - Albania",
"020 - Andorra",
"070 - Bosnia and Herzegovina",
"191 - Croatia",
"292 - Gibraltar",
"300 - Greece",
"336 - Holy See",
"380 - Italy",
"470 - Malta",
"499 - Montenegro",
"807 - North Macedonia",
"620 - Portugal",
"674 - San Marino",
"688 - Serbia",
"705 - Slovenia",
"724 - Spain"
]
},
"uuid": "63880bb3-f959-4200-b8ae-e25d9fa84c22",
"value": "039 - Southern Europe"
},
{
"meta": {
"subregion": [
"040 - Austria",
"056 - Belgium",
"250 - France",
"276 - Germany",
"438 - Liechtenstein",
"442 - Luxembourg",
"492 - Monaco",
"528 - Netherlands",
"756 - Switzerland"
]
},
"uuid": "7048c324-c9c2-4c53-a42a-912e78f3aeec",
"value": "155 - Western Europe"
},
{
"meta": {
"subregion": [
"036 - Australia",
"162 - Christmas Island",
"166 - Cocos (Keeling) Islands",
"334 - Heard Island and McDonald Islands",
"554 - New Zealand",
"574 - Norfolk Island"
]
},
"uuid": "93dd8987-1466-493f-b5dc-c2b7fe762d75",
"value": "053 - Australia and New Zealand"
},
{
"meta": {
"subregion": [
"242 - Fiji",
"540 - New Caledonia",
"598 - Papua New Guinea",
"090 - Solomon Islands",
"548 - Vanuatu"
]
},
"uuid": "4cb4b767-2db4-4858-bb28-656816350fef",
"value": "054 - Melanesia"
},
{
"meta": {
"subregion": [
"316 - Guam",
"296 - Kiribati",
"584 - Marshall Islands",
"583 - Micronesia (Federated States of)",
"520 - Nauru",
"580 - Northern Mariana Islands",
"585 - Palau",
"581 - United States Minor Outlying Islands"
]
},
"uuid": "fbe052e0-a4ab-4d74-8765-5a9786e7bdbc",
"value": "057 - Micronesia"
},
{
"meta": {
"subregion": [
"016 - American Samoa",
"184 - Cook Islands",
"258 - French Polynesia",
"570 - Niue",
"612 - Pitcairn",
"882 - Samoa",
"772 - Tokelau",
"776 - Tonga",
"798 - Tuvalu",
"876 - Wallis and Futuna Islands"
]
},
"uuid": "a387db42-cdb4-4f75-98c4-5b51a03d0c68",
"value": "061 - Polynesia"
},
{
"meta": {
"subregion": [
"086 - British Indian Ocean Territory",
"108 - Burundi",
"174 - Comoros",
"262 - Djibouti",
"232 - Eritrea",
"231 - Ethiopia",
"260 - French Southern Territories",
"404 - Kenya",
"450 - Madagascar",
"454 - Malawi",
"480 - Mauritius",
"175 - Mayotte",
"508 - Mozambique",
"638 - Réunion",
"646 - Rwanda",
"690 - Seychelles",
"706 - Somalia",
"728 - South Sudan",
"800 - Uganda",
"834 - United Republic of Tanzania",
"894 - Zambia",
"716 - Zimbabwe"
]
},
"uuid": "9b15e8e9-2adb-4aa8-baea-d63ccc434428",
"value": "014 - Eastern Africa"
},
{
"meta": {
"subregion": [
"024 - Angola",
"120 - Cameroon",
"140 - Central African Republic",
"148 - Chad",
"178 - Congo",
"180 - Democratic Republic of the Congo",
"226 - Equatorial Guinea",
"266 - Gabon",
"678 - Sao Tome and Principe"
]
},
"uuid": "1a79ac27-1580-4482-826e-d4db9a26b080",
"value": "017 - Middle Africa"
},
{
"meta": {
"subregion": [
"072 - Botswana",
"748 - Eswatini",
"426 - Lesotho",
"516 - Namibia",
"710 - South Africa"
]
},
"uuid": "b95340de-8f29-4dbf-ad0f-a4c0be367e59",
"value": "018 - Southern Africa"
},
{
"meta": {
"subregion": [
"204 - Benin",
"854 - Burkina Faso",
"132 - Cabo Verde",
"384 - Côte dIvoire",
"270 - Gambia",
"288 - Ghana",
"324 - Guinea",
"624 - Guinea-Bissau",
"430 - Liberia",
"466 - Mali",
"478 - Mauritania",
"562 - Niger",
"566 - Nigeria",
"654 - Saint Helena",
"686 - Senegal",
"694 - Sierra Leone",
"768 - Togo"
]
},
"uuid": "d44cf4b4-8025-4827-960c-b666dfdc5243",
"value": "011 - Western Africa"
},
{
"meta": {
"subregion": [
"660 - Anguilla",
"028 - Antigua and Barbuda",
"533 - Aruba",
"044 - Bahamas",
"052 - Barbados",
"535 - Bonaire, Sint Eustatius and Saba",
"092 - British Virgin Islands",
"136 - Cayman Islands",
"192 - Cuba",
"531 - Curaçao",
"212 - Dominica",
"214 - Dominican Republic",
"308 - Grenada",
"312 - Guadeloupe",
"332 - Haiti",
"388 - Jamaica",
"474 - Martinique",
"500 - Montserrat",
"630 - Puerto Rico",
"652 - Saint Barthélemy",
"659 - Saint Kitts and Nevis",
"662 - Saint Lucia",
"663 - Saint Martin (French Part)",
"670 - Saint Vincent and the Grenadines",
"534 - Sint Maarten (Dutch part)",
"780 - Trinidad and Tobago",
"796 - Turks and Caicos Islands",
"850 - United States Virgin Islands"
]
},
"uuid": "e16efc93-ae3b-471a-a888-eda66d1da22b",
"value": "029 - Caribbean"
},
{
"meta": {
"subregion": [
"084 - Belize",
"188 - Costa Rica",
"222 - El Salvador",
"320 - Guatemala",
"340 - Honduras",
"484 - Mexico",
"558 - Nicaragua",
"591 - Panama"
]
},
"uuid": "105247d9-e619-4231-b88e-17dd9aed1580",
"value": "013 - Central America"
},
{
"meta": {
"subregion": [
"032 - Argentina",
"068 - Bolivia (Plurinational State of)",
"074 - Bouvet Island",
"076 - Brazil",
"152 - Chile",
"170 - Colombia",
"218 - Ecuador",
"238 - Falkland Islands (Malvinas)",
"254 - French Guiana",
"328 - Guyana",
"600 - Paraguay",
"604 - Peru",
"239 - South Georgia and the South Sandwich Islands",
"740 - Suriname",
"858 - Uruguay",
"862 - Venezuela (Bolivarian Republic of)"
]
},
"uuid": "e9ee6728-d325-4726-be7d-08b5ccf3f3d6",
"value": "005 - South America"
},
{
"meta": {
"subregion": [
"831 - Guernsey",
"832 - Jersey",
"680 - Sark"
]
},
"uuid": "76adc9e0-215a-4496-8642-b98ac7715d0f",
"value": "830 - Channel Islands"
}
],
"version": 1
}
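Review bot: the `"subregion"` meta key in these entries holds countries and areas rather than sub-regions, for example `"710 - South Africa"` under `"018 - Southern Africa"`, so the key name does not say what the list contains. Consider a key that names the members for what they are, or document in the galaxy description that the list is the next level down in M49, whatever that level is. The M49 code and the name are also fused into one string in both `"value"` and the list items, so a consumer has to split on `" - "` to look up by code. A separate code field would avoid that.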

File diff suppressed because it is too large


@ -7,7 +7,7 @@
"Various"
],
"category": "actor",
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.",
"name": "Threat Actor",
"source": "MISP Project",
"type": "threat-actor",
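Review bot: the sentence added to the top-level `"description"` introduces the `threat-actor-classification` meta without stating which values are accepted or how they are spelled; the only value used elsewhere in this change is `"operation"`. Since the sentence implies operation, campaign and activity group, list those as the allowed values here or in the galaxy documentation so contributors do not invent variants that then fail to match in queries.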
@ -671,8 +671,12 @@
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
],
"synonyms": [
"Winnti Umbrella",
"Winnti Group",
"Tailgater Team",
"Suckfly",
"APT41",
"APT 41",
"Group 72",
"Group72",
"Tailgater",
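Review bot: four synonyms are added to this entry with no new reference, and the refs array as shown still ends with the CrowdStrike Wicked Spider post. Names such as `"Suckfly"` and `"APT41"` come from other vendors' tracking, so please add the source that supports treating each as a synonym of this cluster. Without it, a consumer correlating on synonyms cannot tell a confirmed overlap from an editorial merge. The list also carries `"APT41"` and `"APT 41"` side by side (as with `"Group 72"` and `"Group72"`); if spacing variants are intentional, a short note in the contribution guide would help.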
@ -1056,7 +1060,8 @@
"APT27",
"Operation Iron Tiger",
"Iron Tiger APT",
"BRONZE UNION"
"BRONZE UNION",
"Lucky Mouse"
]
},
"related": [
@ -1978,7 +1983,10 @@
"attribution-confidence": "50",
"country": "IR",
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
"https://www.brighttalk.com/webcast/10703/275683",
"https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
],
"synonyms": [
"APT 33",
@ -2563,6 +2571,7 @@
"Turla",
"Snake",
"Venomous Bear",
"VENOMOUS Bear",
"Group 88",
"Waterbug",
"WRAITH",
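Review bot: `"VENOMOUS Bear"` is added directly after `"Venomous Bear"` and differs only in letter case. Any consumer that matches synonyms case-insensitively will treat these as one value, and one that matches exactly gains a second spelling to maintain. Unless a cited source uses this exact capitalisation, drop the new line.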
@ -6995,8 +7004,12 @@
"https://www.group-ib.com/blog/silence",
"https://securelist.com/the-silence/83009/"
],
"spoken-language": [
"rus"
],
"synonyms": [
"Silence"
"Silence",
"Silence APT group"
]
},
"uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
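Review bot: the new `"spoken-language"` list uses the three-letter code `"rus"`, while `"country"` elsewhere in this file uses a two-letter code (`"IR"`). Nothing in the hunk says which code set `spoken-language` expects, so please confirm the intended standard and document it next to the other meta keys; otherwise later entries are likely to mix `"ru"` and `"rus"`.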
@ -7287,11 +7300,15 @@
"https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment",
"https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic",
"https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary",
"https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities"
"https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again",
"https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities",
"https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian"
],
"synonyms": [
"COBALT DICKENS",
"Mabna Institute"
"Mabna Institute",
"TA407"
]
},
"uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
@ -7708,7 +7725,82 @@
"description": "SectorJ04 is a Russian-based cybercrime group that began operating about five years ago and conducted hacking activities for financial profit using malware such as banking trojans and ransomware against national and industrial sectors located across Europe, North America and West Africa.\nIn 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia, and is changing the pattern of their attacks from targeted attacks to searching for random victims. This report includes details related to the major hacking targets of the SectorJ04 group in 2019, how those targets were hacked, characteristics of their hacking activities this year and recent cases of the SectorJ04 groups hacking.",
"uuid": "50e25cfb-8b4d-408d-a7c6-bd0672662d39",
"value": "SectorJ04"
},
{
"description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
]
},
"uuid": "5f108484-db7f-11e9-aaa4-fb0176425734",
"value": "Tortoiseshell"
},
{
"description": "Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.",
"meta": {
"refs": [
"https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/",
"https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/"
],
"synonyms": [
"Evil Eye"
]
},
"uuid": "7aa99279-4255-4d26-bb95-12e7156555a0",
"value": "POISON CARP"
},
{
"description": "Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. (Note confusion between Malware, Campaign and ThreatActor)",
"meta": {
"refs": [
"https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
"https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks"
]
},
"uuid": "5cd95926-0098-435e-892d-9c9f61763ad7",
"value": "LookBack"
},
{
"description": "In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attacks focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.",
"meta": {
"refs": [
"https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
],
"threat-actor-classification": [
"operation"
]
},
"uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d",
"value": "Operation Soft Cell"
},
{
"description": "We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.",
"meta": {
"refs": [
"https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/"
],
"threat-actor-classification": [
"operation"
]
},
"uuid": "75db4269-924b-4771-8f62-0de600a43634",
"value": "Operation WizardOpium"
},
{
"description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
"meta": {
"refs": [
"https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
],
"synonyms": [
"Calypso",
"Calypso APT"
]
},
"uuid": "200d04c8-a11f-45c4-86fd-35bb5de3f7a3",
"value": "Calypso group"
}
],
"version": 131
"version": 143
}
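Review bot: the new `"LookBack"` entry says in its own description "(Note confusion between Malware, Campaign and ThreatActor)" yet carries no `threat-actor-classification`, while `"Operation Soft Cell"` and `"Operation WizardOpium"` in the same hunk are tagged `"operation"`. That is exactly the case the meta was introduced for, so classify LookBack too, or move it to the cluster where it belongs. Separately, several descriptions are vendor text pasted in the first person ("which we are calling Tortoiseshell", "that we dubbed", "Our data suggest") without saying who "we" is; rewording to name the reporting vendor keeps attribution claims traceable. `"Calypso"` is also listed as a synonym of `"Calypso group"` with only a single Russian-language PDF as reference.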


@ -663,7 +663,10 @@
"synonyms": [
"Etso",
"SUQ",
"Agent.ALQHI"
"Agent.ALQHI",
"RbDoor",
"RibDoor",
"HIGHNOON"
],
"type": [
"Backdoor"
@ -5352,6 +5355,10 @@
"meta": {
"refs": [
"https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
],
"synonyms": [
"POISONPLUG",
"Barlaiy"
]
},
"related": [
@ -7808,7 +7815,79 @@
},
"uuid": "c72f8f57-fc2f-4ca2-afbe-ca5bfa5a1747",
"value": "Amavaldo"
},
{
"description": "hacker going by the handle Mr. Burns. He also created something similar called RMS, which behaves very much like the TVSPY builder.\n“RMS/TVSPY continues to be developed, with a new version being posted by the developer/reseller on a regular basis,” Damballa researchers noted. “In fact, the legitimate RMS version developed by TektonIT and the version posted in criminal forums appear to be identical. TVSPY seems to be merely a modification of RMS to utilize TeamViewer infrastructure and a command-and-control interface manageable through the Web.",
"meta": {
"refs": [
"https://mobile.twitter.com/SaudiDFIR/status/1177740045186457600"
],
"synonyms": [
"TVRAT",
"SpY-Agent",
"teamspy"
]
},
"uuid": "ae82a19e-2334-4e72-b55c-79b4ba4f137f",
"value": "TVSPY"
},
{
"description": "The COMpfun malware was initially documented by G-DATA in 2014. Although G-DATA didnt identify which actor was using this malware, Kaspersky tentatively linked it to the Turla APT, based on the victimology. Our telemetry indicates that the current campaign using Reductor started at the end of April 2019 and remained active at the time of writing (August 2019). We identified targets in Russia and Belarus.",
"meta": {
"refs": [
"https://securelist.com/compfun-successor-reductor/93633/",
"https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence"
]
},
"uuid": "b2c2d42b-a6a3-4ab0-a013-eb1c7461aca9",
"value": "COMpfun"
},
{
"description": "We called these new modules Reductor after a .pdb path left in some samples. Besides typical RAT functions such as uploading, downloading and executing files, Reductors authors put a lot of effort into manipulating digital certificates and marking outbound TLS traffic with unique host-related identifiers. The Kaspersky Attribution Engine shows strong code similarities between this family and the COMPfun Trojan. Moreover, further research showed that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, were quite sure the new malware was developed by the COMPfun authors.",
"meta": {
"refs": [
"https://securelist.com/compfun-successor-reductor/93633/"
]
},
"uuid": "a577bb0d-9732-449a-80f7-5e6c93e6046c",
"value": "Reductor"
},
{
"description": "Legitimate tool - command-line tool used to monitor a running process and dump memory depending on customcriteria. The attackers use this tool to dump the LSASS process to gatherWINDOWScredentials hashes",
"uuid": "1ae22855-c343-4ae9-8cab-522c9da938aa",
"value": "ProcDump"
},
{
"description": "Legitimate tool - command-line tool used to import and export certificates on a machine. The attackers use this toolto gather credentials used for VPN authentication to the clients networks",
"uuid": "fadd0d1f-b098-43ea-b7a6-50fb58aef9f6",
"value": "CertMig"
},
{
"description": "Legitimate tool - tool used to scan IPv4/IPv6 networks and remotely execute PowerShell commands.",
"uuid": "bbba3a35-5064-4e60-ad4b-0ba16cc81a23",
"value": "Netscan"
},
{
"description": "Malware embedded in Asus Live Update in 2018. ShadowHammer triggers its malicious behavior only if the computer it is running on has a network adapter with the MAC address whitelisted by the attacker.",
"meta": {
"refs": [
"https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf"
]
},
"uuid": "c1815516-aa2a-43d2-9136-78a8feb054b6",
"value": "ShadowHammer"
},
{
"description": "DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name; thats why we have named it DePriMon. Due to its complexity and modular architecture, we consider it to be a framework.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/deprimon-malware-registers-itself-as-a-windows-print-monitor/",
"https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/"
]
},
"uuid": "c76874cd-0d73-4cbf-8d39-a066900dd4ce",
"value": "DePriMon"
}
],
"version": 123
"version": 128
}
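Review bot: several of the new descriptions need cleanup before merge. The `"TVSPY"` description starts mid-sentence ("hacker going by the handle Mr. Burns. He also created ...") and its only reference is a tweet. The `"ProcDump"` and `"CertMig"` descriptions contain fused words ("customcriteria", "gatherWINDOWScredentials", "toolto") that look like a PDF copy. `"ProcDump"`, `"CertMig"` and `"Netscan"` have no `"meta"` block at all, so there is no reference for the claim that attackers use them. Since these three are described as legitimate tools, please add the source report and make clear in the entry that presence of the binary alone is not an indicator, so detections built from this cluster do not alert on normal administration.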


@ -0,0 +1,25 @@
{
"description": "AM!TT Tactic",
"icon": "map",
"kill_chain_order": {
"misinformation-tactics": [
"Strategic Planning",
"Objective Planning",
"Develop People",
"Develop Networks",
"Microtargeting",
"Develop Content",
"Channel Selection",
"Pump Priming",
"Exposure",
"Go Physical",
"Persistence",
"Measure Effectiveness"
]
},
"name": "Misinformation Pattern",
"namespace": "misinfosec",
"type": "amitt-misinformation-pattern",
"uuid": "4d381145-9a5e-4778-918c-fbf23d78544e",
"version": 4
}
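Review bot: `"description": "AM!TT Tactic"` does not match the rest of this new galaxy definition, where `"name"` is `"Misinformation Pattern"` and `"type"` is `"amitt-misinformation-pattern"`. The tactics appear only as the `kill_chain_order` under `"misinformation-tactics"`, so the description should describe the patterns or techniques the galaxy holds rather than the tactic axis. The file is also new (`@ -0,0 +1,25 @@`) but starts at `"version": 4`; if that mirrors an upstream AM!TT revision, say so in the commit message, otherwise start at 1.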

9
galaxies/region.json Normal file

@ -0,0 +1,9 @@
{
"description": "Regions based on UN M49.",
"icon": "globe-europe",
"name": "Regions UN M49",
"namespace": "misp",
"type": "region",
"uuid": "d151a79a-e029-11e9-9409-f3e0cf3d93aa",
"version": 2
}

250
tools/UN M49/UNSD.csv Normal file

@ -0,0 +1,250 @@
Global Code,Global Name,Region Code,Region Name,Sub-region Code,Sub-region Name,Intermediate Region Code,Intermediate Region Name,M49 Code,Country or Area,ISO-alpha3 Code,Least Developed Countries (LDC),Land Locked Developing Countries (LLDC),Small Island Developing States (SIDS),Developed / Developing Countries
001,World,002,Africa,015,Northern Africa,,,012,Algeria,DZA,,,,Developing
001,World,002,Africa,015,Northern Africa,,,818,Egypt,EGY,,,,Developing
001,World,002,Africa,015,Northern Africa,,,434,Libya,LBY,,,,Developing
001,World,002,Africa,015,Northern Africa,,,504,Morocco,MAR,,,,Developing
001,World,002,Africa,015,Northern Africa,,,729,Sudan,SDN,x,,,Developing
001,World,002,Africa,015,Northern Africa,,,788,Tunisia,TUN,,,,Developing
001,World,002,Africa,015,Northern Africa,,,732,Western Sahara,ESH,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,086,British Indian Ocean Territory,IOT,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,108,Burundi,BDI,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,174,Comoros,COM,x,,x,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,262,Djibouti,DJI,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,232,Eritrea,ERI,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,231,Ethiopia,ETH,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,260,French Southern Territories,ATF,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,404,Kenya,KEN,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,450,Madagascar,MDG,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,454,Malawi,MWI,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,480,Mauritius,MUS,,,x,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,175,Mayotte,MYT,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,508,Mozambique,MOZ,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,638,Réunion,REU,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,646,Rwanda,RWA,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,690,Seychelles,SYC,,,x,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,706,Somalia,SOM,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,728,South Sudan,SSD,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,800,Uganda,UGA,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,834,United Republic of Tanzania,TZA,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,894,Zambia,ZMB,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,014,Eastern Africa,716,Zimbabwe,ZWE,,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,017,Middle Africa,024,Angola,AGO,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,017,Middle Africa,120,Cameroon,CMR,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,017,Middle Africa,140,Central African Republic,CAF,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,017,Middle Africa,148,Chad,TCD,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,017,Middle Africa,178,Congo,COG,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,017,Middle Africa,180,Democratic Republic of the Congo,COD,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,017,Middle Africa,226,Equatorial Guinea,GNQ,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,017,Middle Africa,266,Gabon,GAB,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,017,Middle Africa,678,Sao Tome and Principe,STP,x,,x,Developing
001,World,002,Africa,202,Sub-Saharan Africa,018,Southern Africa,072,Botswana,BWA,,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,018,Southern Africa,748,Eswatini,SWZ,,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,018,Southern Africa,426,Lesotho,LSO,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,018,Southern Africa,516,Namibia,NAM,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,018,Southern Africa,710,South Africa,ZAF,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,204,Benin,BEN,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,854,Burkina Faso,BFA,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,132,Cabo Verde,CPV,,,x,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,384,Côte dIvoire,CIV,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,270,Gambia,GMB,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,288,Ghana,GHA,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,324,Guinea,GIN,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,624,Guinea-Bissau,GNB,x,,x,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,430,Liberia,LBR,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,466,Mali,MLI,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,478,Mauritania,MRT,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,562,Niger,NER,x,x,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,566,Nigeria,NGA,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,654,Saint Helena,SHN,,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,686,Senegal,SEN,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,694,Sierra Leone,SLE,x,,,Developing
001,World,002,Africa,202,Sub-Saharan Africa,011,Western Africa,768,Togo,TGO,x,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,660,Anguilla,AIA,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,028,Antigua and Barbuda,ATG,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,533,Aruba,ABW,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,044,Bahamas,BHS,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,052,Barbados,BRB,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,535,"Bonaire, Sint Eustatius and Saba",BES,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,092,British Virgin Islands,VGB,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,136,Cayman Islands,CYM,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,192,Cuba,CUB,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,531,Curaçao,CUW,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,212,Dominica,DMA,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,214,Dominican Republic,DOM,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,308,Grenada,GRD,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,312,Guadeloupe,GLP,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,332,Haiti,HTI,x,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,388,Jamaica,JAM,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,474,Martinique,MTQ,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,500,Montserrat,MSR,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,630,Puerto Rico,PRI,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,652,Saint Barthélemy,BLM,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,659,Saint Kitts and Nevis,KNA,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,662,Saint Lucia,LCA,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,663,Saint Martin (French Part),MAF,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,670,Saint Vincent and the Grenadines,VCT,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,534,Sint Maarten (Dutch part),SXM,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,780,Trinidad and Tobago,TTO,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,796,Turks and Caicos Islands,TCA,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,029,Caribbean,850,United States Virgin Islands,VIR,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,013,Central America,084,Belize,BLZ,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,013,Central America,188,Costa Rica,CRI,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,013,Central America,222,El Salvador,SLV,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,013,Central America,320,Guatemala,GTM,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,013,Central America,340,Honduras,HND,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,013,Central America,484,Mexico,MEX,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,013,Central America,558,Nicaragua,NIC,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,013,Central America,591,Panama,PAN,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,032,Argentina,ARG,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,068,Bolivia (Plurinational State of),BOL,,x,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,074,Bouvet Island,BVT,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,076,Brazil,BRA,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,152,Chile,CHL,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,170,Colombia,COL,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,218,Ecuador,ECU,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,238,Falkland Islands (Malvinas),FLK,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,254,French Guiana,GUF,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,328,Guyana,GUY,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,600,Paraguay,PRY,,x,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,604,Peru,PER,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,239,South Georgia and the South Sandwich Islands,SGS,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,740,Suriname,SUR,,,x,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,858,Uruguay,URY,,,,Developing
001,World,019,Americas,419,Latin America and the Caribbean,005,South America,862,Venezuela (Bolivarian Republic of),VEN,,,,Developing
001,World,019,Americas,021,Northern America,,,060,Bermuda,BMU,,,,Developed
001,World,019,Americas,021,Northern America,,,124,Canada,CAN,,,,Developed
001,World,019,Americas,021,Northern America,,,304,Greenland,GRL,,,,Developed
001,World,019,Americas,021,Northern America,,,666,Saint Pierre and Miquelon,SPM,,,,Developed
001,World,019,Americas,021,Northern America,,,840,United States of America,USA,,,,Developed
001,World,,,,,,,010,Antarctica,ATA,,,,
001,World,142,Asia,143,Central Asia,,,398,Kazakhstan,KAZ,,x,,Developing
001,World,142,Asia,143,Central Asia,,,417,Kyrgyzstan,KGZ,,x,,Developing
001,World,142,Asia,143,Central Asia,,,762,Tajikistan,TJK,,x,,Developing
001,World,142,Asia,143,Central Asia,,,795,Turkmenistan,TKM,,x,,Developing
001,World,142,Asia,143,Central Asia,,,860,Uzbekistan,UZB,,x,,Developing
001,World,142,Asia,030,Eastern Asia,,,156,China,CHN,,,,Developing
001,World,142,Asia,030,Eastern Asia,,,344,"China, Hong Kong Special Administrative Region",HKG,,,,Developing
001,World,142,Asia,030,Eastern Asia,,,446,"China, Macao Special Administrative Region",MAC,,,,Developing
001,World,142,Asia,030,Eastern Asia,,,408,Democratic People's Republic of Korea,PRK,,,,Developing
001,World,142,Asia,030,Eastern Asia,,,392,Japan,JPN,,,,Developed
001,World,142,Asia,030,Eastern Asia,,,496,Mongolia,MNG,,x,,Developing
001,World,142,Asia,030,Eastern Asia,,,410,Republic of Korea,KOR,,,,Developing
001,World,142,Asia,035,South-eastern Asia,,,096,Brunei Darussalam,BRN,,,,Developing
001,World,142,Asia,035,South-eastern Asia,,,116,Cambodia,KHM,x,,,Developing
001,World,142,Asia,035,South-eastern Asia,,,360,Indonesia,IDN,,,,Developing
001,World,142,Asia,035,South-eastern Asia,,,418,Lao People's Democratic Republic,LAO,x,x,,Developing
001,World,142,Asia,035,South-eastern Asia,,,458,Malaysia,MYS,,,,Developing
001,World,142,Asia,035,South-eastern Asia,,,104,Myanmar,MMR,x,,,Developing
001,World,142,Asia,035,South-eastern Asia,,,608,Philippines,PHL,,,,Developing
001,World,142,Asia,035,South-eastern Asia,,,702,Singapore,SGP,,,x,Developing
001,World,142,Asia,035,South-eastern Asia,,,764,Thailand,THA,,,,Developing
001,World,142,Asia,035,South-eastern Asia,,,626,Timor-Leste,TLS,x,,x,Developing
001,World,142,Asia,035,South-eastern Asia,,,704,Viet Nam,VNM,,,,Developing
001,World,142,Asia,034,Southern Asia,,,004,Afghanistan,AFG,x,x,,Developing
001,World,142,Asia,034,Southern Asia,,,050,Bangladesh,BGD,x,,,Developing
001,World,142,Asia,034,Southern Asia,,,064,Bhutan,BTN,x,x,,Developing
001,World,142,Asia,034,Southern Asia,,,356,India,IND,,,,Developing
001,World,142,Asia,034,Southern Asia,,,364,Iran (Islamic Republic of),IRN,,,,Developing
001,World,142,Asia,034,Southern Asia,,,462,Maldives,MDV,,,x,Developing
001,World,142,Asia,034,Southern Asia,,,524,Nepal,NPL,x,x,,Developing
001,World,142,Asia,034,Southern Asia,,,586,Pakistan,PAK,,,,Developing
001,World,142,Asia,034,Southern Asia,,,144,Sri Lanka,LKA,,,,Developing
001,World,142,Asia,145,Western Asia,,,051,Armenia,ARM,,x,,Developing
001,World,142,Asia,145,Western Asia,,,031,Azerbaijan,AZE,,x,,Developing
001,World,142,Asia,145,Western Asia,,,048,Bahrain,BHR,,,,Developing
001,World,142,Asia,145,Western Asia,,,196,Cyprus,CYP,,,,Developed
001,World,142,Asia,145,Western Asia,,,268,Georgia,GEO,,,,Developing
001,World,142,Asia,145,Western Asia,,,368,Iraq,IRQ,,,,Developing
001,World,142,Asia,145,Western Asia,,,376,Israel,ISR,,,,Developed
001,World,142,Asia,145,Western Asia,,,400,Jordan,JOR,,,,Developing
001,World,142,Asia,145,Western Asia,,,414,Kuwait,KWT,,,,Developing
001,World,142,Asia,145,Western Asia,,,422,Lebanon,LBN,,,,Developing
001,World,142,Asia,145,Western Asia,,,512,Oman,OMN,,,,Developing
001,World,142,Asia,145,Western Asia,,,634,Qatar,QAT,,,,Developing
001,World,142,Asia,145,Western Asia,,,682,Saudi Arabia,SAU,,,,Developing
001,World,142,Asia,145,Western Asia,,,275,State of Palestine,PSE,,,,Developing
001,World,142,Asia,145,Western Asia,,,760,Syrian Arab Republic,SYR,,,,Developing
001,World,142,Asia,145,Western Asia,,,792,Turkey,TUR,,,,Developing
001,World,142,Asia,145,Western Asia,,,784,United Arab Emirates,ARE,,,,Developing
001,World,142,Asia,145,Western Asia,,,887,Yemen,YEM,x,,,Developing
001,World,150,Europe,151,Eastern Europe,,,112,Belarus,BLR,,,,Developed
001,World,150,Europe,151,Eastern Europe,,,100,Bulgaria,BGR,,,,Developed
001,World,150,Europe,151,Eastern Europe,,,203,Czechia,CZE,,,,Developed
001,World,150,Europe,151,Eastern Europe,,,348,Hungary,HUN,,,,Developed
001,World,150,Europe,151,Eastern Europe,,,616,Poland,POL,,,,Developed
001,World,150,Europe,151,Eastern Europe,,,498,Republic of Moldova,MDA,,x,,Developed
001,World,150,Europe,151,Eastern Europe,,,642,Romania,ROU,,,,Developed
001,World,150,Europe,151,Eastern Europe,,,643,Russian Federation,RUS,,,,Developed
001,World,150,Europe,151,Eastern Europe,,,703,Slovakia,SVK,,,,Developed
001,World,150,Europe,151,Eastern Europe,,,804,Ukraine,UKR,,,,Developed
001,World,150,Europe,154,Northern Europe,,,248,Åland Islands,ALA,,,,Developed
001,World,150,Europe,154,Northern Europe,830,Channel Islands,831,Guernsey,GGY,,,,Developed
001,World,150,Europe,154,Northern Europe,830,Channel Islands,832,Jersey,JEY,,,,Developed
001,World,150,Europe,154,Northern Europe,830,Channel Islands,680,Sark,,,,,Developed
001,World,150,Europe,154,Northern Europe,,,208,Denmark,DNK,,,,Developed
001,World,150,Europe,154,Northern Europe,,,233,Estonia,EST,,,,Developed
001,World,150,Europe,154,Northern Europe,,,234,Faroe Islands,FRO,,,,Developed
001,World,150,Europe,154,Northern Europe,,,246,Finland,FIN,,,,Developed
001,World,150,Europe,154,Northern Europe,,,352,Iceland,ISL,,,,Developed
001,World,150,Europe,154,Northern Europe,,,372,Ireland,IRL,,,,Developed
001,World,150,Europe,154,Northern Europe,,,833,Isle of Man,IMN,,,,Developed
001,World,150,Europe,154,Northern Europe,,,428,Latvia,LVA,,,,Developed
001,World,150,Europe,154,Northern Europe,,,440,Lithuania,LTU,,,,Developed
001,World,150,Europe,154,Northern Europe,,,578,Norway,NOR,,,,Developed
001,World,150,Europe,154,Northern Europe,,,744,Svalbard and Jan Mayen Islands,SJM,,,,Developed
001,World,150,Europe,154,Northern Europe,,,752,Sweden,SWE,,,,Developed
001,World,150,Europe,154,Northern Europe,,,826,United Kingdom of Great Britain and Northern Ireland,GBR,,,,Developed
001,World,150,Europe,039,Southern Europe,,,008,Albania,ALB,,,,Developed
001,World,150,Europe,039,Southern Europe,,,020,Andorra,AND,,,,Developed
001,World,150,Europe,039,Southern Europe,,,070,Bosnia and Herzegovina,BIH,,,,Developed
001,World,150,Europe,039,Southern Europe,,,191,Croatia,HRV,,,,Developed
001,World,150,Europe,039,Southern Europe,,,292,Gibraltar,GIB,,,,Developed
001,World,150,Europe,039,Southern Europe,,,300,Greece,GRC,,,,Developed
001,World,150,Europe,039,Southern Europe,,,336,Holy See,VAT,,,,Developed
001,World,150,Europe,039,Southern Europe,,,380,Italy,ITA,,,,Developed
001,World,150,Europe,039,Southern Europe,,,470,Malta,MLT,,,,Developed
001,World,150,Europe,039,Southern Europe,,,499,Montenegro,MNE,,,,Developed
001,World,150,Europe,039,Southern Europe,,,807,North Macedonia,MKD,,x,,Developed
001,World,150,Europe,039,Southern Europe,,,620,Portugal,PRT,,,,Developed
001,World,150,Europe,039,Southern Europe,,,674,San Marino,SMR,,,,Developed
001,World,150,Europe,039,Southern Europe,,,688,Serbia,SRB,,,,Developed
001,World,150,Europe,039,Southern Europe,,,705,Slovenia,SVN,,,,Developed
001,World,150,Europe,039,Southern Europe,,,724,Spain,ESP,,,,Developed
001,World,150,Europe,155,Western Europe,,,040,Austria,AUT,,,,Developed
001,World,150,Europe,155,Western Europe,,,056,Belgium,BEL,,,,Developed
001,World,150,Europe,155,Western Europe,,,250,France,FRA,,,,Developed
001,World,150,Europe,155,Western Europe,,,276,Germany,DEU,,,,Developed
001,World,150,Europe,155,Western Europe,,,438,Liechtenstein,LIE,,,,Developed
001,World,150,Europe,155,Western Europe,,,442,Luxembourg,LUX,,,,Developed
001,World,150,Europe,155,Western Europe,,,492,Monaco,MCO,,,,Developed
001,World,150,Europe,155,Western Europe,,,528,Netherlands,NLD,,,,Developed
001,World,150,Europe,155,Western Europe,,,756,Switzerland,CHE,,,,Developed
001,World,009,Oceania,053,Australia and New Zealand,,,036,Australia,AUS,,,,Developed
001,World,009,Oceania,053,Australia and New Zealand,,,162,Christmas Island,CXR,,,,Developed
001,World,009,Oceania,053,Australia and New Zealand,,,166,Cocos (Keeling) Islands,CCK,,,,Developed
001,World,009,Oceania,053,Australia and New Zealand,,,334,Heard Island and McDonald Islands,HMD,,,,Developed
001,World,009,Oceania,053,Australia and New Zealand,,,554,New Zealand,NZL,,,,Developed
001,World,009,Oceania,053,Australia and New Zealand,,,574,Norfolk Island,NFK,,,,Developed
001,World,009,Oceania,054,Melanesia,,,242,Fiji,FJI,,,x,Developing
001,World,009,Oceania,054,Melanesia,,,540,New Caledonia,NCL,,,x,Developing
001,World,009,Oceania,054,Melanesia,,,598,Papua New Guinea,PNG,,,x,Developing
001,World,009,Oceania,054,Melanesia,,,090,Solomon Islands,SLB,x,,x,Developing
001,World,009,Oceania,054,Melanesia,,,548,Vanuatu,VUT,x,,x,Developing
001,World,009,Oceania,057,Micronesia,,,316,Guam,GUM,,,x,Developing
001,World,009,Oceania,057,Micronesia,,,296,Kiribati,KIR,x,,x,Developing
001,World,009,Oceania,057,Micronesia,,,584,Marshall Islands,MHL,,,x,Developing
001,World,009,Oceania,057,Micronesia,,,583,Micronesia (Federated States of),FSM,,,x,Developing
001,World,009,Oceania,057,Micronesia,,,520,Nauru,NRU,,,x,Developing
001,World,009,Oceania,057,Micronesia,,,580,Northern Mariana Islands,MNP,,,x,Developing
001,World,009,Oceania,057,Micronesia,,,585,Palau,PLW,,,x,Developing
001,World,009,Oceania,057,Micronesia,,,581,United States Minor Outlying Islands,UMI,,,,Developing
001,World,009,Oceania,061,Polynesia,,,016,American Samoa,ASM,,,x,Developing
001,World,009,Oceania,061,Polynesia,,,184,Cook Islands,COK,,,x,Developing
001,World,009,Oceania,061,Polynesia,,,258,French Polynesia,PYF,,,x,Developing
001,World,009,Oceania,061,Polynesia,,,570,Niue,NIU,,,x,Developing
001,World,009,Oceania,061,Polynesia,,,612,Pitcairn,PCN,,,,Developing
001,World,009,Oceania,061,Polynesia,,,882,Samoa,WSM,,,x,Developing
001,World,009,Oceania,061,Polynesia,,,772,Tokelau,TKL,,,,Developing
001,World,009,Oceania,061,Polynesia,,,776,Tonga,TON,,,x,Developing
001,World,009,Oceania,061,Polynesia,,,798,Tuvalu,TUV,x,,x,Developing
001,World,009,Oceania,061,Polynesia,,,876,Wallis and Futuna Islands,WLF,,,,Developing
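Review bot: The last five columns of each row (ISO-alpha3 Code, the LDC/LLDC/SIDS flags and the Developed/Developing label) are never read by the generator added in this commit, which only indexes data[0] through data[9], assuming this CSV is the file passed to its --csv option. Either carry the ISO-alpha3 code into each value's meta so entries can be matched against other country data, or drop the unused columns from the checked-in file. The Sark row also has an empty ISO-alpha3 field, so any consumer of that column has to tolerate a blank.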

View File

@ -0,0 +1,186 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import csv
import argparse
import uuid
import json
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Region Galaxy - only create the list of values')
parser.add_argument("-c", "--csv", required=True, help="input csv")
args = parser.parse_args()
values = []
with open(args.csv, newline='') as csvfile:
csvreader = csv.reader(csvfile, delimiter=',', quotechar='"')
pass_first_line = True
for data in csvreader:
if pass_first_line:
pass_first_line = False
continue
temp = {}
value_name = data[0] + " - " + data[1]
test = 0
for value in values:
if value['value']==value_name:
test = 1
break
if test==0:
temp['value'] = value_name
temp['meta'] = {}
temp['meta']['subregion'] = []
values.append(temp)
"""---------------- column 2 ------------------"""
with open(args.csv, newline='') as csvfile:
csvreader = csv.reader(csvfile, delimiter=',', quotechar='"')
pass_first_line = True
for data in csvreader:
if pass_first_line:
pass_first_line = False
continue
temp = {}
value_name = data[2] + " - " + data[3]
parent_name = data[0] + " - " + data[1]
if value_name == " - ":
continue
test = 0
for value in values:
if value['value']==value_name:
test = 1
break
if test==0:
temp['value'] = value_name
temp['meta'] = {}
temp['meta']['subregion'] = []
values.append(temp)
for value in values:
if value['value']==parent_name:
test = 0
for sub in value['meta']['subregion']:
if sub == value_name:
test = 1
break
if test == 0:
value['meta']['subregion'].append(value_name)
"""---------------- column 3 ------------------"""
with open(args.csv, newline='') as csvfile:
csvreader = csv.reader(csvfile, delimiter=',', quotechar='"')
pass_first_line = True
for data in csvreader:
if pass_first_line:
pass_first_line = False
continue
temp = {}
value_name = data[4] + " - " + data[5]
parent_name = data[2] + " - " + data[3]
if value_name == " - ":
continue
test = 0
for value in values:
if value['value']==value_name:
test = 1
break
if test==0:
temp['value'] = value_name
temp['meta'] = {}
temp['meta']['subregion'] = []
values.append(temp)
for value in values:
if value['value']==parent_name:
test = 0
for sub in value['meta']['subregion']:
if sub == value_name:
test = 1
break
if test == 0:
value['meta']['subregion'].append(value_name)
"""---------------- column 4 ------------------"""
with open(args.csv, newline='') as csvfile:
csvreader = csv.reader(csvfile, delimiter=',', quotechar='"')
pass_first_line = True
for data in csvreader:
if pass_first_line:
pass_first_line = False
continue
temp = {}
value_name = data[6] + " - " + data[7]
parent_name = data[4] + " - " + data[5]
if value_name == " - ":
continue
test = 0
for value in values:
if value['value']==value_name:
test = 1
break
if test==0:
temp['value'] = value_name
temp['meta'] = {}
temp['meta']['subregion'] = []
values.append(temp)
for value in values:
if value['value']==parent_name:
test = 0
for sub in value['meta']['subregion']:
if sub == value_name:
test = 1
break
if test == 0:
value['meta']['subregion'].append(value_name)
"""---------------- column 5 ------------------"""
with open(args.csv, newline='') as csvfile:
csvreader = csv.reader(csvfile, delimiter=',', quotechar='"')
pass_first_line = True
for data in csvreader:
if pass_first_line:
pass_first_line = False
continue
temp = {}
value_name = data[8] + " - " + data[9]
x=6
y=7
test = 0
while test == 0:
parent_name = data[x] + " - " + data[y]
if parent_name == " - ":
x=x-2
y=y-2
else:
test=1
for value in values:
if value['value']==parent_name:
test = 0
for sub in value['meta']['subregion']:
if sub == value_name:
test = 1
break
if test == 0:
value['meta']['subregion'].append(value_name)
print (values)
with open('region_valuea.json', 'w') as outfile:
json.dump(values, outfile)
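Review bot: `import uuid` at the top is never used, so every entry written by the final json.dump carries only value and meta.subregion and no uuid, unlike the cluster values elsewhere in this commit, which all have one; assign a uuid per value before dumping and keep it stable across regenerations. The output name 'region_valuea.json' looks like a typo for 'region_values.json' and is always written to the current directory, so take it from an argparse option. The "column 2" to "column 4" passes are near-identical and each reopens the CSV; one helper taking the child and parent column indices would remove the duplication. In the "column 5" pass the while loop steps x and y back by 2 with no lower bound, so a row whose parent columns are all empty would wrap to negative indices and attach the value to the wrong parent instead of failing.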

View File

@ -28,10 +28,14 @@ thisDir = os.path.dirname(__file__)
clusters = []
pathClusters = os.path.join(thisDir, '../clusters')
pathGalaxies = os.path.join(thisDir, '../galaxies')
for f in os.listdir(pathClusters):
for f in os.listdir(pathGalaxies):
if '.json' in f:
clusters.append(f)
with open(os.path.join(pathGalaxies, f), 'r') as f_in:
galaxy_data = json.load(f_in)
if galaxy_data.get('namespace') != 'deprecated':
clusters.append(f)
clusters.sort()
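Review bot: The file names now come from os.listdir(pathGalaxies) but are still appended to clusters, so this relies on every non-deprecated galaxy having a cluster file of exactly the same name; check os.path.isfile(os.path.join(pathClusters, f)) before the append, or stop with a clear message naming the missing file. The filter `'.json' in f` is a substring test that also matches names such as x.json.bak, which json.load is then asked to parse; use f.endswith('.json') instead.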

171
tools/gen_amitt.py Executable file
View File

@ -0,0 +1,171 @@
import pandas as pd
import os
import json
import uuid
import xlrd
class Amitt:
"""
Create MISP galaxy and cluster JSON files.
This script relies on the AMITT metadata xlsx available here:
https://github.com/misinfosecproject/amitt_framework/blob/master/generating_code/amitt_metadata_v3.xlsx
This script has been adapted from:
https://github.com/misinfosecproject/amitt_framework/blob/master/generating_code/amitt.py
"""
def __init__(self, infile='amitt_metadata_v3.xlsx'):
metadata = {}
xlsx = pd.ExcelFile(infile)
for sheetname in xlsx.sheet_names:
metadata[sheetname] = xlsx.parse(sheetname)
# Create individual tables and dictionaries
self.phases = metadata['phases']
self.techniques = metadata['techniques']
self.tasks = metadata['tasks']
self.incidents = metadata['incidents']
tactechs = self.techniques.groupby('tactic')['id'].apply(list).reset_index().rename({'id': 'techniques'},
axis=1)
self.tactics = metadata['tactics'].merge(tactechs, left_on='id', right_on='tactic', how='left').fillna('').drop(
'tactic', axis=1)
self.tacdict = self.make_object_dict(self.tactics)
def make_object_dict(self, df):
return pd.Series(df.name.values, index=df.id).to_dict()
def make_amitt_galaxy(self):
galaxy = {}
galaxy['name'] = 'Misinformation Pattern'
galaxy['type'] = 'amitt-misinformation-pattern'
galaxy['description'] = 'AM!TT Tactic'
galaxy['uuid'] = str(uuid.uuid4())
galaxy['version'] = 3
galaxy['icon'] = 'map'
galaxy['namespace'] = 'misinfosec'
galaxy['kill_chain_order'] = {
'misinformation-tactics': []
}
for k, v in self.tacdict.items():
galaxy['kill_chain_order']['misinformation-tactics'].append(v)
return galaxy
def write_amitt_file(self, fname, file_data):
with open(fname, 'w') as f:
json.dump(file_data, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n')
def make_amitt_cluster(self):
cluster = {}
cluster['authors'] = ['misinfosecproject']
cluster['category'] = 'misinformation-pattern'
cluster['description'] = 'AM!TT Technique'
cluster['name'] = 'Misinformation Pattern'
cluster['source'] = 'https://github.com/misinfosecproject/amitt_framework'
cluster['type'] = 'amitt-misinformation-pattern'
cluster['uuid'] = str(uuid.uuid4())
cluster['values'] = []
cluster['version'] = 3
techniques = self.techniques.values.tolist()
for technique in techniques:
t = {}
if technique[1] != technique[1]:
technique[1] = ''
if technique[2] != technique[2]:
technique[2] = ''
if technique[3] != technique[3]:
technique[3] = ''
if technique[1] == technique[2] == technique[3] == '':
continue
t['uuid'] = str(uuid.uuid4())
t['value'] = technique[1]
t['description'] = technique[3]
t['meta'] = {
'external_id': technique[0],
'kill_chain': [
'misinfosec:misinformation-tactics:' + self.tacdict[technique[2]].replace(' ', '-').lower()
],
'refs': [
'https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/' + technique[
0] + '.md'
]
}
cluster['values'].append(t)
return cluster
def make_amitt_task_cluster(self):
cluster = {}
cluster['authors'] = ['misinfosecproject']
cluster['category'] = 'misinformation-pattern'
cluster['description'] = 'AM!TT Task'
cluster['name'] = 'Misinformation Task'
cluster['source'] = 'https://github.com/misinfosecproject/amitt_framework'
cluster['type'] = 'amitt-misinformation-pattern'
cluster['uuid'] = str(uuid.uuid4())
cluster['values'] = []
cluster['version'] = '3'
techniques = self.techniques.values.tolist()
for technique in techniques:
t = {}
if technique[1] != technique[1]:
technique[1] = ''
if technique[2] != technique[2]:
technique[2] = ''
if technique[3] != technique[3]:
technique[3] = ''
if technique[1] == technique[2] == technique[3] == '':
continue
t['uuid'] = str(uuid.uuid4())
t['value'] = technique[1]
t['description'] = technique[3]
t['meta'] = {
'external_id': technique[0],
'kill_chain': [
'misinfosec:misinformation-tactics:' + self.tacdict[technique[2]].replace(' ', '-').lower()
],
'refs': [
'https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/' + technique[
0] + '.md'
]
}
cluster['values'].append(t)
return cluster
def main():
amitt = Amitt()
galaxy = amitt.make_amitt_galaxy()
amitt.write_amitt_file('../galaxies/misinfosec-amitt-misinformation-pattern.json', galaxy)
cluster = amitt.make_amitt_cluster()
amitt.write_amitt_file('../clusters/misinfosec-amitt-misinformation-pattern.json', cluster)
if __name__ == '__main__':
main()
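Review bot: Every `str(uuid.uuid4())` call (galaxy, cluster and each technique in `make_amitt_cluster`) produces a new random value on each run, so regenerating the files changes every UUID, and anything that references these entries by UUID stops matching. Read the existing output file and reuse UUIDs keyed on `external_id`, or derive them deterministically, for example with `uuid.uuid5` over a fixed namespace and the technique id. Separately, `make_amitt_task_cluster` is a copy of `make_amitt_cluster`: it iterates `self.techniques` rather than `self.tasks`, sets `cluster['version'] = '3'` as a string where the other method uses the integer `3`, reuses the type `amitt-misinformation-pattern`, and is never called from `main()`. Either finish it against the tasks sheet or drop it from this change. The NaN tests written as `technique[1] != technique[1]` deserve a comment or `pd.isna`, and `import os` is unused.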

0
tools/gen_malpedia.py Normal file → Executable file
View File

View File

@ -17,36 +17,55 @@ domains = ['enterprise-attack', 'mobile-attack', 'pre-attack']
types = ['attack-pattern', 'course-of-action', 'intrusion-set', 'malware', 'tool']
all_data = {} # variable that will contain everything
# read in existing data
# THIS IS FOR MIGRATION - reading the data from the enterprise-attack, mobile-attack, pre-attack
# read in the non-MITRE data
# we need this to be able to build a list of non-MITRE-UUIDs which we will use later on
# to remove relations that are from MITRE.
# the reasoning is that the new MITRE export might contain less relationships than it did before
# so we cannot migrate all existing relationships as such
non_mitre_uuids = set()
for fname in os.listdir(os.path.join(misp_dir, 'clusters')):
if 'mitre' in fname:
continue
if '.json' in fname:
# print(fname)
with open(os.path.join(misp_dir, 'clusters', fname)) as f_in:
cluster_data = json.load(f_in)
for cluster in cluster_data['values']:
non_mitre_uuids.add(cluster['uuid'])
# read in existing MITRE data
# first build a data set of the MISP Galaxy ATT&CK elements by using the UUID as reference, this speeds up lookups later on.
# at the end we will convert everything again to separate datasets
all_data_uuid = {}
for domain in domains:
for t in types:
fname = os.path.join(misp_dir, 'clusters', 'mitre-{}-{}.json'.format(domain, t))
if os.path.exists(fname):
# print("##### {}".format(fname))
with open(fname) as f:
file_data = json.load(f)
# print(file_data)
for value in file_data['values']:
if value['uuid'] in all_data_uuid:
# exit("ERROR: Something is really wrong, we seem to have duplicates.")
# if it already exists we need to copy over all the data manually to merge it
# on the other hand, from a manual analysis it looks like it's mostly the relations that are different
# so now we will just copy over the relationships
# actually, at time of writing the code below results in no change as the new items always contained more than the previously seen items
value_orig = all_data_uuid[value['uuid']]
if 'related' in value_orig:
for related_item in value_orig['related']:
if related_item not in value['related']:
value['related'].append(related_item)
all_data_uuid[value['uuid']] = value
# THIS IS FOR NORMAL OPERATIONS - reading from the very old and new models - one model per type
# FIXME implement this (copy paste above or put above in function and call function)
for t in types:
fname = os.path.join(misp_dir, 'clusters', 'mitre-{}.json'.format(t))
if os.path.exists(fname):
# print("##### {}".format(fname))
with open(fname) as f:
file_data = json.load(f)
# print(file_data)
for value in file_data['values']:
# remove (old)MITRE relations, and keep non-MITRE relations
if 'related' in value:
related_original = value['related']
related_new = []
for rel in related_original:
if rel['dest-uuid'] in non_mitre_uuids:
related_new.append(rel)
value['related'] = related_new
# find and handle duplicate uuids
if value['uuid'] in all_data_uuid:
# exit("ERROR: Something is really wrong, we seem to have duplicates.")
# if it already exists we need to copy over all the data manually to merge it
# on the other hand, from a manual analysis it looks like it's mostly the relations that are different
# so now we will just copy over the relationships
# actually, at time of writing the code below results in no change as the new items always contained more than the previously seen items
value_orig = all_data_uuid[value['uuid']]
if 'related' in value_orig:
for related_item in value_orig['related']:
if related_item not in value['related']:
value['related'].append(related_item)
all_data_uuid[value['uuid']] = value
# now load the MITRE ATT&CK
for domain in domains:
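Review bot: In the duplicate-UUID branch, `value['related'].append(related_item)` assumes the current `value` has a `related` key, but the filtering step just above only assigns `value['related']` inside `if 'related' in value:`. If the earlier entry has relations and the later one has none, this raises `KeyError`; use `value.setdefault('related', [])` before the inner loop. The skip rule `if 'mitre' in fname: continue` is a substring match on the file name, so a non-MITRE cluster whose name happens to contain "mitre" would be left out of `non_mitre_uuids` and its relations dropped; matching on the `mitre-` prefix is more precise. The commented-out `print` calls and the `exit("ERROR: ...")` line can go before merge.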
@ -136,6 +155,7 @@ for domain in domains:
# LATER find the opposite word of "rel_type" and build the relation in the opposite direction
# dump all_data to their respective file
for t in types:
fname = os.path.join(misp_dir, 'clusters', 'mitre-{}.json'.format(t))
@ -147,7 +167,7 @@ for t in types:
file_data['values'] = []
for item in all_data_uuid.values():
# print(json.dumps(item, sort_keys=True, indent=2))
if item['type'] != t:
if 'type' not in item or item['type'] != t: # drop old data or not from the right type
continue
item_2 = item.copy()
item_2.pop('type', None)
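Review bot: With `if 'type' not in item or item['type'] != t:` entries that have no `type` are now discarded silently, so clusters that existed in the old files but are absent from the new export disappear from the output with no trace. Collect the UUIDs or values of items dropped for the missing `type` and print or log them once after the loop, so a regeneration that removes entries is visible in review. Note also that `item.copy()` is a shallow copy, so nested `meta` and `related` lists in `item_2` are still shared with `all_data_uuid`.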