Merge branch 'master' into master

pull/408/head
rmkml 2019-05-25 00:03:34 +02:00 committed by GitHub
commit 6f140ce358
28 changed files with 25412 additions and 12005 deletions


@ -3,14 +3,27 @@ language: python
cache: pip
python:
- "3.6"
- "3.6-dev"
- "3.7-dev"
sudo: required
install:
- sudo apt-get update -qq
- sudo apt-get install -y -qq jq moreutils
- pip install jsonschema
- pip install jsonschema pipenv
- pushd ..
# Install PyMISPGalaxies
- git clone https://github.com/MISP/PyMISPGalaxies.git
- pushd PyMISPGalaxies
- git submodule update --init
- git submodule foreach git pull origin master
- pipenv install -d
- popd
- popd
script:
- ./validate_all.sh
- pushd ../PyMISPGalaxies
- pipenv run nosetests-3.4 --with-coverage --cover-package=pymispgalaxies -d
- popd
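Review bot: The new install steps run whatever is at the head of upstream master at build time — `git clone https://github.com/MISP/PyMISPGalaxies.git` followed by `git submodule foreach git pull origin master` — so a CI run is not reproducible and a change in that repository or any of its submodules alters or breaks this project's build with no change here. Pin the checkout, e.g. `git checkout <PINNED_TAG_OR_COMMIT>` after the clone, and rely on the commits the submodules already record instead of pulling their master; if one of those submodules is this very repository, the pull also means the tests exercise upstream master rather than the PR checkout — worth confirming. `pip install jsonschema pipenv` is likewise unpinned and a version constraint would keep the schema validator stable. The script step calls `nosetests-3.4` while the matrix only builds 3.6/3.7 interpreters; if that name is nose's per-interpreter entry point it will not exist in those environments, so check that it resolves. The hunk starts at file line 3, so the two lines above it are outside this view.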


@ -4497,7 +4497,7 @@
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf"
]
},
"uuid": "2c75b006-2d18-11e8-8f57-2714f7737ec5 ",
"uuid": "2c75b006-2d18-11e8-8f57-2714f7737ec5",
"value": "BreadSMS"
},
{
@ -4569,7 +4569,7 @@
"https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/"
]
},
"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§",
"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86",
"value": "HenBox"
},
{
@ -4655,5 +4655,5 @@
"value": "Razdel"
}
],
"version": 19
"version": 20
}
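Review bot: The two corrections here (a trailing space and a stray `§` inside a uuid) show that the `uuid` field is not format-checked, and the tool.json section later in this commit replaces two 35-character uuids (`3784c74-…`, `1740ec4-…`) for the same reason. If the schema used by `./validate_all.sh` does not already constrain `uuid`, a pattern such as `"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"` would have rejected all four before merge. Note that the tool.json entries were given fresh uuids rather than repaired ones, so their identity changes; that is presumably acceptable because the old values were never valid UUIDs, but it is worth stating in the commit.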


@ -168,16 +168,6 @@
"uuid": "6bec22cb-9aed-426a-bffc-b0a78db6527a",
"value": "ATM Black Box Attack"
},
{
"description": "Account-Checking Services",
"meta": {
"kill_chain": [
"fraud-tactics:Target Compromise"
]
},
"uuid": "824bccd3-9dea-4579-8642-8dd15afcfacc",
"value": "Account-Checking Services"
},
{
"description": "Insider Trading",
"meta": {
@ -272,7 +262,8 @@
"description": "Fund Transfer",
"meta": {
"kill_chain": [
"fraud-tactics:Assets Transfer"
"fraud-tactics:Assets Transfer",
"fraud-tactics:Monetisation"
]
},
"uuid": "72ffa97e-d128-4c41-b323-0297b43d8a1b",
@ -308,16 +299,6 @@
"uuid": "f1243265-d50a-42fb-a83c-4696f95636e9",
"value": "Money Mules"
},
{
"description": "Fund Transfer",
"meta": {
"kill_chain": [
"fraud-tactics:Monetisation"
]
},
"uuid": "a8913af2-8f22-44b2-b6bc-32b7489d8f96",
"value": "Fund Transfer"
},
{
"description": "Prepaid Cards",
"meta": {
@ -349,5 +330,5 @@
"value": "ATM Explosive Attack"
}
],
"version": 1
"version": 2
}
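Review bot: Removing the `Account-Checking Services` cluster and the duplicate `Fund Transfer` cluster deletes their uuids (`824bccd3-…`, `a8913af2-…`), and any MISP instance that has already attached those clusters to events is left with references that no longer resolve after it syncs this file; the same applies to the duplicate `Retail` (`6ce2374c-…`) and the galaxy-level uuid swap in sector.json, and to the `Pacifier APT` (`32db3cc1-…`) and `APT36` (`80fad97c-…`) clusters folded into Turla and Transparent Tribe in threat-actor.json. If the project has a convention for retiring a cluster — keeping the entry with a deprecation marker, or recording the merge as a `related` entry with `"type": "similar"` on the surviving cluster — prefer it to deletion; otherwise listing the removed uuids and their replacements in the commit message lets downstream users migrate their tags. The merge of `fraud-tactics:Monetisation` into the surviving Fund Transfer kill_chain is correct as written.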


@ -1147,7 +1147,17 @@
},
"uuid": "f387e30a-dc48-11e8-b9f4-370bc63008bf",
"value": "Chalubo"
},
{
"description": "Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/"
]
},
"uuid": "809d100b-d46d-40f4-b498-5371f46bb9d6",
"value": "AESDDoS"
}
],
"version": 19
"version": 20
}
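Review bot: The AESDDoS description is pasted in the vendor's first person (`Our honeypot sensors recently detected…`), so the dataset speaks as Trend Micro; the Whitefly (`which we call Whitefly`), Sea Turtle (`we do not want to overstate…`) and Silent Librarian (`PhishLabs has been tracking…`) entries in threat-actor.json and the Karkoff entry in tool.json do the same. Rewrite in neutral voice and leave attribution to the ref, e.g. `AESDDoS is a Linux DDoS botnet (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) observed exploiting CVE-2019-3396, a server-side template injection in the Widget Connector macro of Atlassian Confluence Server.`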


@ -97,7 +97,7 @@
"http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/",
"https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
],
"status": "Retired - Last seen ",
"status": "",
"synonyms": [
"Sednit RTF EK"
]
@ -120,6 +120,20 @@
"uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1",
"value": "DNSChanger"
},
{
"description": "Novidade Exploit Kit is an exploit kit targeting Routers via the browser",
"meta": {
"refs": [
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/"
],
"status": "Active",
"synonyms": [
"DNSGhost"
]
},
"uuid": "88acc3b7-2cdd-4e7b-ad0b-2880ffa1eb6d",
"value": "Novidade"
},
{
"description": "Disdain EK has been introduced on underground forum on 2017-08-07. The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula",
"meta": {
@ -201,6 +215,17 @@
"uuid": "b8be7af8-69a8-11e8-adc0-fa7ae01bbebc",
"value": "VenomKit"
},
{
"description": "Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user \"badbullzvenom\". ",
"meta": {
"refs": [
""
],
"status": "Active"
},
"uuid": "63988ca2-46c8-4bda-be46-96a8670af357",
"value": "Taurus Builder"
},
{
"description": "RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by \"vip\" customers and when RIG 3 was still in use.",
"meta": {
@ -221,6 +246,17 @@
"uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a",
"value": "RIG"
},
{
"description": "Spelevo is an exploit kit that appeared at the end of February 2019 and could be an evolution of SPL EK",
"meta": {
"refs": [
"https://twitter.com/kafeine/status/1103649040800145409"
],
"status": "Active"
},
"uuid": "c880991f-1c17-4bf2-8955-50309364e358",
"value": "Spelevo"
},
{
"description": "Sednit EK is the exploit kit used by APT28",
"meta": {
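Review bot: The Taurus Builder entry ships `"refs": [""]`; an empty string is not a reference and will trip consumers that render or validate refs as URLs, so either cite the forum post the description alludes to or drop the `refs` key until one exists. The same entry's description ends with a trailing space (`…\"badbullzvenom\". "`), which is stored verbatim in the cluster. For Sednit RTF EK, replacing `"Retired - Last seen "` with `"status": ""` leaves a value that is neither the `Active` used by the new entries nor a recognisable retired marker; `"status": "Retired"` would keep the information the old value carried. The RIG and Sednit EK objects continue past the end of this section.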





@ -973,6 +973,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44",
@ -3665,5 +3672,5 @@
"value": "Security Software Discovery Mitigation - T1063"
}
],
"version": 6
"version": 7
}


@ -4,7 +4,7 @@
],
"category": "actor",
"description": "Name of ATT&CK Group",
"name": "Enterprise Attack -intrusion Set",
"name": "Enterprise Attack - Intrusion Set",
"source": "https://github.com/mitre/cti",
"type": "mitre-enterprise-attack-intrusion-set",
"uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775",




@ -1670,5 +1670,5 @@
"value": "Malicious Software Development Tools - MOB-T1065"
}
],
"version": 4
"version": 5
}


@ -304,5 +304,5 @@
"value": "Encrypt Network Traffic - MOB-M1009"
}
],
"version": 5
"version": 6
}


@ -4,7 +4,7 @@
],
"category": "actor",
"description": "Name of ATT&CK Group",
"name": "Mobile Attack - intrusion Set",
"name": "Mobile Attack - Intrusion Set",
"source": "https://github.com/mitre/cti",
"type": "mitre-mobile-attack-intrusion-set",
"uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53",


@ -609,6 +609,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8",
@ -740,6 +747,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c",
@ -1103,5 +1117,5 @@
"value": "XcodeGhost - MOB-S0013"
}
],
"version": 7
"version": 8
}


@ -2785,5 +2785,5 @@
"value": "Data Hiding - PRE-T1097"
}
],
"version": 5
"version": 6
}


@ -4,7 +4,7 @@
],
"category": "actor",
"description": "Name of ATT&CK Group",
"name": "Pre Attack - intrusion Set",
"name": "Pre Attack - Intrusion Set",
"source": "https://github.com/mitre/cti",
"type": "mitre-pre-attack-intrusion-set",
"uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f",
@ -263,6 +263,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
@ -296,6 +303,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
@ -355,5 +369,5 @@
"value": "APT17 - G0025"
}
],
"version": 7
"version": 8
}



@ -0,0 +1,366 @@
{
"authors": [
"John Lambert",
"Alexandre Dulaunoy"
],
"category": "guidelines",
"description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaT",
"name": "o365-exchange-techniques",
"source": "Open Sources",
"type": "cloud-security",
"uuid": "44574c7e-b732-4466-a7be-ef363374013a",
"values": [
{
"description": "AAD - Dump users and groups with Azure AD",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "fab70361-329a-410a-9dc4-831ecd8df39f",
"value": "AAD - Dump users and groups with Azure AD"
},
{
"description": "O365 - Get Global Address List: MailSniper",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "21833216-1b8a-43a9-b51e-500c67a900a8",
"value": "O365 - Get Global Address List: MailSniper"
},
{
"description": "O365 - Find Open Mailboxes: MailSniper",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "9e3af2e1-90a6-4d69-ba82-cb0c99401713",
"value": "O365 - Find Open Mailboxes: MailSniper"
},
{
"description": "O365 - User account enumeration with ActiveSync",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "53361eef-39b0-4c46-a009-0b4e3a0e286a",
"value": "O365 - User account enumeration with ActiveSync"
},
{
"description": "End Point - Search host for Azure Credentials: SharpCloud",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "5c0c2b04-77e5-4f50-a0b8-206d7cc9946a",
"value": "End Point - Search host for Azure Credentials: SharpCloud"
},
{
"description": "On-Prem Exchange - Portal Recon",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "2cd547bf-b093-4dab-b9e5-5172049cbc0d",
"value": "On-Prem Exchange - Portal Recon"
},
{
"description": "On-Prem Exchange - Enumerate domain accounts: using Skype4B",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "651fdde4-09ed-48b7-9620-545d7dcec251",
"value": "On-Prem Exchange - Enumerate domain accounts: using Skype4B"
},
{
"description": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "008c46de-4667-4e40-9bea-74e91b6587fd",
"value": "On-Prem Exchange - Enumerate domain accounts: OWA & Exchange"
},
{
"description": "On-Prem Exchange - Enumerate domain accounts: FindPeople",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "435e9319-88ed-4555-be84-a5322dc997a4",
"value": "On-Prem Exchange - Enumerate domain accounts: FindPeople"
},
{
"description": "On-Prem Exchange - OWA version discovery",
"meta": {
"kill_chain": [
"tactics:Recon"
]
},
"uuid": "f227caf6-9399-4ac3-bab4-010f66853abb",
"value": "On-Prem Exchange - OWA version discovery"
},
{
"description": "AAD - Password Spray: MailSniper",
"meta": {
"kill_chain": [
"tactics:Compromise"
]
},
"uuid": "933ec08d-a6d4-4ced-b732-4cb0331e7799",
"value": "AAD - Password Spray: MailSniper"
},
{
"description": "AAD - Password Spray: CredKing",
"meta": {
"kill_chain": [
"tactics:Compromise"
]
},
"uuid": "5670ca90-38cd-4825-bd83-1bdb31fd5ea3",
"value": "AAD - Password Spray: CredKing"
},
{
"description": "O365 - Bruteforce of Autodiscover: SensePost Ruler",
"meta": {
"kill_chain": [
"tactics:Compromise"
]
},
"uuid": "d66c1ead-4dd3-4968-b6fe-faf41b7fb88d",
"value": "O365 - Bruteforce of Autodiscover: SensePost Ruler"
},
{
"description": "O365 - Phishing for credentials",
"meta": {
"kill_chain": [
"tactics:Compromise"
]
},
"uuid": "eda57f15-029c-4465-9401-f9dafc6d366c",
"value": "O365 - Phishing for credentials"
},
{
"description": "O365 - Phishing using OAuth app",
"meta": {
"kill_chain": [
"tactics:Compromise"
]
},
"uuid": "61589df6-6848-4866-8613-8a4a7478abef",
"value": "O365 - Phishing using OAuth app"
},
{
"description": "O365 - 2FA MITM Phishing: evilginx2",
"meta": {
"kill_chain": [
"tactics:Compromise"
]
},
"uuid": "fa1087c8-012d-4ef6-9eb3-5b5a6fb94c02",
"value": "O365 - 2FA MITM Phishing: evilginx2"
},
{
"description": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS",
"meta": {
"kill_chain": [
"tactics:Compromise"
]
},
"uuid": "8ffe80b9-0213-40c6-aeca-8877bdca8741",
"value": "On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS"
},
{
"description": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler",
"meta": {
"kill_chain": [
"tactics:Compromise"
]
},
"uuid": "cf8df948-0332-4ec7-94f3-3f6d54bbcbb9",
"value": "On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler"
},
{
"description": "O365 - Add Mail forwarding rule",
"meta": {
"kill_chain": [
"tactics:Persistence"
]
},
"uuid": "80308e39-11e9-45b2-b6d2-f13f3de509ab",
"value": "O365 - Add Mail forwarding rule"
},
{
"description": "O365 - Add Global admin account",
"meta": {
"kill_chain": [
"tactics:Persistence"
]
},
"uuid": "a9c1f718-b9bf-4efc-9fa1-852b6c93f725",
"value": "O365 - Add Global admin account"
},
{
"description": "O365 - Delegate Tenant Admin",
"meta": {
"kill_chain": [
"tactics:Persistence"
]
},
"uuid": "2f10dbd7-89e4-4929-8bdc-8ca167f08ace",
"value": "O365 - Delegate Tenant Admin"
},
{
"description": "End Point - Persistence throught Outlook Home Page: SensePost Ruler",
"meta": {
"kill_chain": [
"tactics:Persistence"
]
},
"uuid": "708790c8-3e6f-4dd3-8f89-0651ef71dfe0",
"value": "End Point - Persistence throught Outlook Home Page: SensePost Ruler"
},
{
"description": "End Point - Persistence throught custom Outlook form",
"meta": {
"kill_chain": [
"tactics:Persistence"
]
},
"uuid": "aadc2552-97db-419c-a414-5c1f862d38ef",
"value": "End Point - Persistence throught custom Outlook form"
},
{
"description": "End Point - Create Hidden Mailbox Rule",
"meta": {
"kill_chain": [
"tactics:Persistence"
]
},
"uuid": "d023f254-466b-436b-acfd-beea54c323b1",
"value": "End Point - Create Hidden Mailbox Rule"
},
{
"description": "O365 - MailSniper: Search Mailbox for credentials",
"meta": {
"kill_chain": [
"tactics:Expansion"
]
},
"uuid": "fccf7c5a-7d2c-413b-ae45-d5ab226c8ba8",
"value": "O365 - MailSniper: Search Mailbox for credentials"
},
{
"description": "O365 - Search for Content with eDiscovery",
"meta": {
"kill_chain": [
"tactics:Expansion",
"tactics:Actions on Intent"
]
},
"uuid": "fe65c7ed-7129-4591-a82e-a223b0cdbf14",
"value": "O365 - Search for Content with eDiscovery"
},
{
"description": "O365 - Account Takeover: Add-MailboxPermission",
"meta": {
"kill_chain": [
"tactics:Expansion"
]
},
"uuid": "19f22ecb-8470-4f69-a763-46a19afe6c5d",
"value": "O365 - Account Takeover: Add-MailboxPermission"
},
{
"description": "O365 - Pivot to On-Prem host: SensePost Ruler",
"meta": {
"kill_chain": [
"tactics:Expansion"
]
},
"uuid": "c0010a9d-666e-4cfd-a9b3-21f5861ecdf6",
"value": "O365 - Pivot to On-Prem host: SensePost Ruler"
},
{
"description": "O365 - Exchange Tasks for C2: MWR",
"meta": {
"kill_chain": [
"tactics:Expansion"
]
},
"uuid": "9ada2a83-c632-4c9c-91cd-b1d7b947e44a",
"value": "O365 - Exchange Tasks for C2: MWR"
},
{
"description": "O365 - Send Internal Email",
"meta": {
"kill_chain": [
"tactics:Expansion"
]
},
"uuid": "685af033-af7b-4582-a539-5f1f9080fd98",
"value": "O365 - Send Internal Email"
},
{
"description": "On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)",
"meta": {
"kill_chain": [
"tactics:Expansion"
]
},
"uuid": "0f33ff1e-2305-4239-8d30-38edcfe2511a",
"value": "On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)"
},
{
"description": "On-Prem Exchange - Delegation",
"meta": {
"kill_chain": [
"tactics:Expansion"
]
},
"uuid": "a69da576-7ed2-4b29-8c4a-6c16bd2c2a54",
"value": "On-Prem Exchange - Delegation"
},
{
"description": "O365 - MailSniper: Search Mailbox for content",
"meta": {
"kill_chain": [
"tactics:Actions on Intent"
]
},
"uuid": "ae6eb93b-503f-49b5-98db-3f282551facb",
"value": "O365 - MailSniper: Search Mailbox for content"
},
{
"description": "O365 - Exfiltration email using EWS APIs with PowerShell",
"meta": {
"kill_chain": [
"tactics:Actions on Intent"
]
},
"uuid": "4d67a417-169c-47d0-a7fa-d710b9e2f611",
"value": "O365 - Exfiltration email using EWS APIs with PowerShell"
},
{
"description": "O365 - Download documents and email",
"meta": {
"kill_chain": [
"tactics:Actions on Intent"
]
},
"uuid": "1ccc00f8-d4b5-4c72-a7c0-a53127497a7c",
"value": "O365 - Download documents and email"
}
],
"version": 2
}
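Review bot: Two entries spell `throught` in both `description` and `value` (`End Point - Persistence throught Outlook Home Page: SensePost Ruler`, `End Point - Persistence throught custom Outlook form`); since `value` is the cluster name that tags are derived from, correct it to `through` before this first release rather than renaming the tag later. None of the entries carries `meta.refs`, unlike every other galaxy touched in this commit, and each `description` merely repeats its `value`, so the file documents nothing beyond the names — adding the source the top-level description attributes (`by @johnLaT`) as a ref on each entry, or at least at galaxy level, would make the clusters verifiable. The new file also starts at `"version": 2`; if no earlier revision was squashed into this commit, 1 is expected.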



@ -7,7 +7,7 @@
"name": "Sector",
"source": "CERT-EU",
"type": "sector",
"uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8",
"uuid": "1401c704-7dfb-41f6-a6d3-e751b270843b",
"values": [
{
"uuid": "3ff4e243-7e26-4535-b911-fdda2f724aa2",
@ -305,10 +305,6 @@
"uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d",
"value": "Retail"
},
{
"uuid": "6ce2374c-2c81-4298-a941-666bf4258c00",
"value": "Retail"
},
{
"uuid": "ff403f0f-67d0-494c-aff9-1d748b7e7d8d",
"value": "Technology"
@ -482,5 +478,5 @@
"value": "Immigration"
}
],
"version": 3
"version": 4
}


@ -74,6 +74,19 @@
"uuid": "aa179c37-1a8a-4761-841a-cc940e19d7be",
"value": "SimpleTDS"
},
{
"description": "zTDS is an open source TDS",
"meta": {
"refs": [
"http://ztds.info/doku.php"
],
"type": [
"OpenSource"
]
},
"uuid": "7a84de25-545a-4220-b500-85b9219dd67d",
"value": "zTDS"
},
{
"description": "BossTDS",
"meta": {
@ -121,5 +134,5 @@
"value": "Orchid TDS"
}
],
"version": 3
"version": 4
}


@ -8,7 +8,7 @@
],
"category": "actor",
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"name": "Threat actor",
"name": "Threat Actor",
"source": "MISP Project",
"type": "threat-actor",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
@ -757,7 +757,7 @@
"country": "CN",
"refs": [
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
"https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
"https://www.cfr.org/interactive/cyber-operations/apt-30"
],
"synonyms": [
@ -1709,13 +1709,12 @@
"refs": [
"https://en.wikipedia.org/wiki/Operation_Newscaster",
"https://iranthreats.github.io/resources/macdownloader-macos-malware/",
"https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf",
"https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/",
"https://cryptome.org/2012/11/parastoo-hacks-iaea.htm",
"https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf",
"https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/",
"https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf",
"https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks",
"https://www.cfr.org/interactive/cyber-operations/newscaster"
],
"synonyms": [
@ -2313,7 +2312,8 @@
"https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
"https://www.cfr.org/interactive/cyber-operations/turla",
"https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/"
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
],
"synonyms": [
"Turla",
@ -2327,7 +2327,9 @@
"Pfinet",
"TAG_0530",
"KRYPTON",
"Hippo Team"
"Hippo Team",
"Pacifier APT",
"Popeye"
]
},
"related": [
@ -2619,9 +2621,16 @@
"value": "Berserk Bear"
},
{
"description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.",
"meta": {
"attribution-confidence": "50",
"country": "RO",
"refs": [
"https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623",
"https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html",
"https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf",
"https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html"
],
"synonyms": [
"FIN4"
]
@ -2887,12 +2896,22 @@
"http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
"https://www.amnesty.org/en/documents/asa33/8366/2018/en/",
"https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/"
"https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/",
"https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe",
"https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf",
"https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
"https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf",
"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
"https://s.tencent.com/research/report/669.html"
],
"synonyms": [
"C-Major",
"Transparent Tribe",
"Mythic Leopard"
"Mythic Leopard",
"ProjectM",
"APT36",
"APT 36",
"TMP.Lapis"
]
},
"related": [
@ -2972,22 +2991,6 @@
"uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338",
"value": "ScarCruft"
},
{
"description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail.",
"meta": {
"attribution-confidence": "50",
"country": "RU",
"refs": [
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
],
"synonyms": [
"Skipper",
"Popeye"
]
},
"uuid": "32db3cc1-bb79-4b08-a7a4-747a37221afa",
"value": "Pacifier APT"
},
{
"description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder",
"meta": {
@ -5756,7 +5759,9 @@
"description": "In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organizations new attack activity, confirmed and exposed the gangs targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization",
"meta": {
"refs": [
"https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/"
"https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
"https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
"https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/"
],
"synonyms": [
"DoNot Team"
@ -6373,7 +6378,11 @@
"meta": {
"refs": [
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/"
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service"
],
"synonyms": [
"TA542"
]
},
"uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
@ -6657,19 +6666,58 @@
"value": "Operation ShadowHammer"
},
{
"description": "FireEye details APT36 as a Pakistani espionage group that supports Pakistani military and diplomatic interests, targeting Indian military and government. Operations have been also observed in the US, Europe, and Central Asia. Uses social engineering emails, multiple open-source, and custom malware tools.",
"description": "In July 2018, an attack on Singapores largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.",
"meta": {
"refs": [
"https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf"
],
"synonyms": [
"APT 36",
"TMP.Lapis"
"https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore"
]
},
"uuid": "80fad97c-df3a-44ea-a127-cf29833b4946",
"value": "APT36"
"uuid": "943f490e-ac7f-40fe-b6f3-33e2623649d2",
"value": "Whitefly"
},
{
"description": " This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2019/04/seaturtle.html"
]
},
"uuid": "ce7bba52-5ae8-44ea-9979-68502d832ab7",
"value": "Sea Turtle"
},
{
"description": "Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. According to prosecutors, the defendants stole more than 31 terabytes of data from universities, companies, and government agencies around the world. The cost to the universities alone reportedly amounted to approximately $3.4 billion. The information stolen from these universities was used by the Islamic Revolutionary Guard Corps (IRGC) or sold for profit inside Iran. PhishLabs has been tracking this same threat group since late-2017, designating them Silent Librarian. Since discovery, we have been working with the FBI, ISAC partners, and other international law enforcement agencies to help understand and mitigate these attacks.",
"meta": {
"refs": [
"https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment",
"https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment",
"https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic",
"https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities"
],
"synonyms": [
"COBALT DICKENS"
]
},
"uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
"value": "Silent Librarian"
},
{
"description": "FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government.",
"meta": {
"country": "CN",
"refs": [
"https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
"https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
"https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf"
],
"synonyms": [
"APT 31",
"ZIRCONIUM"
]
},
"uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
"value": "APT31"
}
],
"version": 106
"version": 110
}
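Review bot: The new Sea Turtle description begins with a space (`" This blog post discusses…"`), which becomes part of the stored value and of any search on it; strip it. The Silent Librarian description opens with `Last Friday`, a relative date that means nothing outside the source post — replace it with the announcement date from the justice.gov ref, e.g. `On <DATE_FROM_JUSTICE_GOV_REF>, Deputy Attorney General Rod Rosenstein announced…`. In the Turla synonyms, `Pacifier APT` and `Popeye` are carried over from the removed Pacifier cluster but `Skipper` is dropped; confirm that is intentional since the removed entry listed all three. The Whitefly description has lost the apostrophe in `Singapores`, likely a paste artefact.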


@ -6469,7 +6469,7 @@
"type": "similar"
}
],
"uuid": "3784c74-691a-4110-94f6-66e60224aa92",
"uuid": "203fd529-6382-417e-a68f-7565fbf89ece",
"value": "SHARPKNOT"
},
{
@ -6682,7 +6682,7 @@
"https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
]
},
"uuid": "1740ec4-d730-40d6-a3b8-32d5fe7f21cf",
"uuid": "5433edec-f1c3-4051-a3cc-c7f9fc8972ee",
"value": "Iron Backdoor"
},
{
@ -7630,7 +7630,139 @@
},
"uuid": "e1ca79ea-5628-4266-bb36-3892c7126ef4",
"value": "Brushaloader"
},
{
"description": "In addition to increased reports of threat activity, we have also discovered new evidence that the threat actors behind the DNSpionage campaign continue to change their tactics, likely in an attempt to improve the efficacy of their operations. In February, we discovered some changes to the actors' tactics, techniques and procedures (TTPs), including the use of a new reconnaissance phase that selectively chooses which targets to infect with malware. In April 2019, we also discovered the actors using a new malware, which we are calling Karkoff.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html"
]
},
"uuid": "a9fc6d3d-09d5-45c3-a91e-e8c61ef37908",
"value": "Karkoff"
},
{
"description": "We conclude that this RAT/stealeris efficient and was also really interesting to analyse.Furthermore, the creator made effortsto look Korean, for example the author of the .pdf file is Kim Song Chol. He is the brother of Kim Jong-un, the leader of North Korea. We identified that the author of a variant of this stealer is another brother of Kim Jong-un. Maybe the author named every variant withthe name of each brother. After some searches using Google, we identified anold variant of this malware here: http://contagiodump.blogspot.ca/2010/10/oct-08-cve-2010-2883-pdf-nuclear.html. The code of the malware available on the blog is closeto our case but with fewer features. In 2010, the password of the Gmail account was futurekimkim. Three years ago, the author was already fixatedon the Kim family...The language of the resource stored in the .dll file is Korean (LANG_KOREAN). The owner of the gmail mailbox is laoshi135.zhangand the secret question of this account is in Korean too.We dont know if the malware truly comesfrom Korea.However, thanks to these factors, we decided to name this sample KimJongRAT/Stealer.",
"meta": {
"refs": [
"https://malware.lu/assets/files/articles/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf"
]
},
"uuid": "3160f772-d458-4bff-970c-1c0431238803",
"value": "KimJongRAT"
},
{
"description": "Based on our research, it appears the malware author calls the encoded secondary payload “Cowboy” regardless of what malware family is delivered.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
]
},
"uuid": "50baa4dc-0667-4b47-b4aa-374a2743f409",
"value": "Cowboy"
},
{
"description": "JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process. ",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html?m=1"
]
},
"uuid": "d8de6b56-9950-4389-83b8-4fc3262dc4c9",
"value": "JasperLoader"
},
{
"description": "The malware Scranos infects with rootkit capabilities, burying deep into vulnerable Windows computers to gain persistent access — even after the computer restarts. Scranos only emerged in recent months, according to Bitdefender with new research out Tuesday, but the number of its infections has rocketed in the months since it was first identified in November.",
"meta": {
"refs": [
"https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/",
"https://techcrunch.com/2019/04/16/scranos-rootkit-passwords-payments/?guccounter=1&guce_referrer_us=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_cs=MrGSn18TmNoWovpLbekFYA"
]
},
"uuid": "5f0f6af2-b644-49a6-8f68-5d4ca58c989e",
"value": "Scranos"
},
{
"description": "Unit 42 has discovered a new malware family weve named “Reaver” with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010. The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/unit42-new-malware-with-ties-to-sunorcal-discovered/",
"https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html"
]
},
"related": [
{
"dest-uuid": "80365d3a-6d46-4195-a772-364749a6dc06",
"tags": [
"estimative-language:likelihood-probability=\"roughly-even-chance\""
],
"type": "similar"
},
{
"dest-uuid": "dd919e75-57e8-4e5c-9451-8be6e734f1f3",
"tags": [
"estimative-language:likelihood-probability=\"roughly-even-chance\""
],
"type": "similar"
}
],
"uuid": "22b75148-9d58-4fa7-8459-6ef25bbaf759",
"value": "Reaver"
},
{
"description": "The Citizen Lab analyzed a malicious email sent to Tibetan organizations in June 2013. The email in question purported to be from a prominent member of the Tibetan community and repurposed content from a community mailing list. Attached to the email were what appeared to be three Microsoft Word documents (.doc), but which were trojaned with a malware family we call “Surtr”.1 All three attachments drop the exact same malware. We have seen the Surtr malware family used in attacks on Tibetan groups dating back to November 2012.",
"meta": {
"refs": [
"https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/",
"https://otx.alienvault.com/pulse/588a7c8fe4166d1d84244b9a"
]
},
"related": [
{
"dest-uuid": "22b75148-9d58-4fa7-8459-6ef25bbaf759",
"tags": [
"estimative-language:likelihood-probability=\"roughly-even-chance\""
],
"type": "similar"
},
{
"dest-uuid": "80365d3a-6d46-4195-a772-364749a6dc06",
"tags": [
"estimative-language:likelihood-probability=\"roughly-even-chance\""
],
"type": "similar"
}
],
"uuid": "dd919e75-57e8-4e5c-9451-8be6e734f1f3",
"value": "SURTR"
},
{
"description": "SunOrcal is a trojan malware family whose activity dates back to at least 2013. A version discovered in November 2017 incorporates steganography techniques and can collect C2 information via GitHub, obscuring its C2 infrastructure and evading detection using the legitimate site for its first beacon. The threat actors have targeted users in the Vietnam area, spreading phishing emails containing malicious documents purportedly regarding South China Sea disputes. The new SunOrcal version has also been used with the recently discovered Reaver trojan and the original SunOrcal version. Some of the recent activity also incorporates the use of the Surtr malware.",
"meta": {
"refs": [
"https://unit42.paloaltonetworks.com/unit42-sunorcal-adds-github-steganography-repertoire-expands-vietnam-myanmar/",
"https://www.cyber.nj.gov/threat-profiles/trojan-variants/sunorcal"
]
},
"related": [
{
"dest-uuid": "22b75148-9d58-4fa7-8459-6ef25bbaf759",
"tags": [
"estimative-language:likelihood-probability=\"roughly-even-chance\""
],
"type": "similar"
},
{
"dest-uuid": "dd919e75-57e8-4e5c-9451-8be6e734f1f3",
"tags": [
"estimative-language:likelihood-probability=\"roughly-even-chance\""
],
"type": "similar"
}
],
"uuid": "80365d3a-6d46-4195-a772-364749a6dc06",
"value": "SunOrcal"
}
],
"version": 116
"version": 121
}
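Review bot: The second Scranos reference in the @ -7630 hunk carries tracking query parameters (`guccounter`, `guce_referrer_us`, `guce_referrer_cs`) that are not part of the article identity; trim it to `https://techcrunch.com/2019/04/16/scranos-rootkit-passwords-payments/` so the ref stays stable and the galaxy does not ship a referrer token. The KimJongRAT description in the same hunk has PDF-extraction artifacts (`stealeris`, `effortsto`, `withthe`, `anold`, `closeto`, `fixatedon`, `comesfrom`) and the JasperLoader description ends in a trailing space; both are searchable cluster text and worth cleaning before the version bump. The SHARPKNOT and Iron Backdoor hunks replace the malformed `uuid` values with freshly generated UUIDs rather than restoring the missing hex digit, so any consumer that already tagged data with the old strings gets no mapping; that is presumably acceptable because the old values were never well-formed UUIDs, but it deserves a line in the changelog.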


@ -12,8 +12,9 @@
"discovery",
"lateral-movement",
"collection",
"command-and-control",
"exfiltration",
"command-and-control"
"impact"
],
"mitre-mobile-attack": [
"initial-access",
@ -26,6 +27,7 @@
"effects",
"collection",
"exfiltration",
"command-and-control",
"network-effects",
"remote-service-effects"
],
@ -51,5 +53,5 @@
"namespace": "mitre-attack",
"type": "mitre-attack-pattern",
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"version": 7
"version": 8
}


@ -1,7 +1,7 @@
{
"description": "Name of ATT&CK Group",
"icon": "user-secret",
"name": "Enterprise Attack -Intrusion Set",
"name": "Enterprise Attack - Intrusion Set",
"namespace": "deprecated",
"type": "mitre-enterprise-attack-intrusion-set",
"uuid": "1f3b8c56-1708-11e8-b211-17a60c0f73ee",

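--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,18 @@
+{
+"description": "o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC",
+"icon": "map",
+"kill_chain_order": {
+"tactics": [
+"Recon",
+"Compromise",
+"Persistence",
+"Expansion",
+"Actions on Intent"
+]
+},
+"name": "o365-exchange-techniques",
+"namespace": "misp",
+"type": "cloud-security",
+"uuid": "44574c7e-b732-4466-a7be-ef363374013a",
+"version": 1
+}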
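Review bot: `"type": "cloud-security"` does not match `"name": "o365-exchange-techniques"` in this new galaxy descriptor, whereas the other descriptor in this commit keeps the two aligned (`mitre-enterprise-attack-intrusion-set`); the cluster file this descriptor pairs with must declare the same `type` string, and it is not visible here, so either this should presumably read `"type": "o365-exchange-techniques"` or the mismatch should be confirmed deliberate. The `kill_chain_order` tactics are Title Case with spaces (`Actions on Intent`), matching the `fraud-tactics:Target Compromise` form used elsewhere in the repository but not the kebab-case MITRE descriptor touched in this same commit; a short comment in the PR description stating which convention new galaxies should follow would prevent the two styles drifting further.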