Delta-Sierra 2023-10-30 14:23:14 +01:00
commit 711032d2e3
9 changed files with 94148 additions and 6309 deletions


@ -27,6 +27,14 @@ Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements
[[HTML](https://www.misp-project.org/galaxy.html#_360.net_threat_actors)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)]
## Ammunitions
[Ammunitions](https://www.misp-project.org/galaxy.html#_ammunitions) - Common ammunitions galaxy
Category: *firearm* - source: *https://ammo.com/* - total: *410* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ammunitions)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ammunitions.json)]
## Android
[Android](https://www.misp-project.org/galaxy.html#_android) - Android malware galaxy based on multiple open sources.
@ -55,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
Category: *tool* - source: *Open Sources* - total: *16* elements
Category: *tool* - source: *Open Sources* - total: *23* elements
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
@ -147,6 +155,14 @@ Category: *tool* - source: *MISP Project* - total: *52* elements
[[HTML](https://www.misp-project.org/galaxy.html#_exploit-kit)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/exploit-kit.json)]
## Firearms
[Firearms](https://www.misp-project.org/galaxy.html#_firearms) - Common firearms galaxy
Category: *firearm* - source: *https://www.impactguns.com* - total: *5953* elements
[[HTML](https://www.misp-project.org/galaxy.html#_firearms)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/firearms.json)]
## FIRST DNS Abuse Techniques Matrix
[FIRST DNS Abuse Techniques Matrix](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix) - The Domain Name System (DNS) is a critical part of the Internet, including mapping domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internets stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
@ -159,7 +175,7 @@ Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
Category: *tool* - source: *Malpedia* - total: *2823* elements
Category: *tool* - source: *Malpedia* - total: *2947* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
@ -423,7 +439,7 @@ Category: *rsit* - source: *https://github.com/enisaeu/Reference-Security-Incide
[Sector](https://www.misp-project.org/galaxy.html#_sector) - Activity sectors
Category: *sector* - source: *CERT-EU* - total: *117* elements
Category: *sector* - source: *CERT-EU* - total: *118* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sector)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sector.json)]
@ -431,7 +447,7 @@ Category: *sector* - source: *CERT-EU* - total: *117* elements
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2568* elements
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2776* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
@ -495,7 +511,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *420* elements
Category: *actor* - source: *MISP Project* - total: *432* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -503,7 +519,7 @@ Category: *actor* - source: *MISP Project* - total: *420* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: *tool* - source: *MISP Project* - total: *557* elements
Category: *tool* - source: *MISP Project* - total: *585* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]

clusters/ammunitions.json (new file, 4114 additions)

File diff suppressed because it is too large

clusters/firearms.json (new file, 83356 additions)

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -209,6 +209,30 @@
"uuid": "8a8f39df-74b3-4946-ab64-f84968bababe",
"value": "DIZZY PANDA"
},
{
"description": "Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"Taiwan",
"United States",
"Vietnam",
"Solomon Islands"
],
"cfr-target-category": [
"Biomedical",
"Government",
"Information technology"
],
"country": "CN",
"refs": [
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks"
]
},
"uuid": "6714de29-4dd8-463c-99a3-77c9e80fa47d",
"value": "Grayling"
},
{
"description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
"meta": {
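Review bot: The new Grayling entry records its tooling (Cobalt Strike, Havoc) only in the description text; elsewhere in this same patch (the Void Rabisu entry) tool usage is expressed as a "related" array of entries with "type": "uses" and an estimative-language tag, which is what makes the link queryable in MISP rather than free text. Consider adding such "related" entries for the tool clusters here. Minor: "Grayling use a variety of tools" should read "Grayling uses".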
@ -6190,7 +6214,8 @@
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia",
"https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea",
"https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf"
"https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf",
"https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
],
"synonyms": [
"TEMP.Periscope",
@ -6204,7 +6229,8 @@
"TA423",
"Red Ladon",
"ITG09",
"MUDCARP"
"MUDCARP",
"ISLANDDREAMS"
]
},
"related": [
@ -6246,13 +6272,19 @@
"https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
"https://www.cfr.org/cyber-operations/apt-35",
"https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/"
"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/",
"https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
"https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/",
"https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us"
],
"synonyms": [
"Newscaster Team",
"Magic Hound",
"G0059",
"Phosphorus"
"Phosphorus",
"Mint Sandstorm",
"TunnelVision",
"COBALT MIRAGE"
]
},
"related": [
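Review bot: Adding "TunnelVision" and "COBALT MIRAGE" as plain synonyms of APT35 overlaps with the separate Nemesis Kitten cluster that this same patch also updates (hunk at -11523), whose cited Microsoft reference profiles DEV-0270 as a Phosphorus ransomware subgroup. If these names denote subgroups or partially overlapping trackings rather than aliases for the whole group, a "related" entry carrying an estimative-language tag (as used for Void Rabisu later in this patch) records that more accurately than a synonym, and analysts pivoting on synonyms will not silently merge two clusters' activity.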
@ -7224,6 +7256,34 @@
{
"description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.",
"meta": {
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Australia",
"Bahamas",
"Canada",
"Costa Rica",
"France",
"Germany",
"India",
"Ireland",
"Italy",
"Japan",
"Mexico",
"New Zealand",
"Spain",
"Switzerland",
"Taiwan",
"United Kingdom",
"Ukraine",
"United States"
],
"cfr-target-category": [
"Defense",
"Financial",
"Government",
"Healthcare",
"Telecommunications"
],
"country": "RU",
"refs": [
"https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
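Review bot: "cfr-suspected-state-sponsor": "Russian Federation" sits oddly on an entry whose own description calls WIZARD SPIDER a criminal enterprise focused on wire fraud and ransomware; "country": "RU" already captures the geography, so drop the state-sponsor field unless a cited source actually asserts state sponsorship. Also, "Ukraine" is inserted after "United Kingdom" while the rest of the new cfr-suspected-victims list is alphabetical; move it before "United Kingdom".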
@ -7237,7 +7297,9 @@
"https://www.secureworks.com/research/dyre-banking-trojan",
"https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic",
"https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users",
"http://www.secureworks.com/research/threat-profiles/gold-blackburn"
"http://www.secureworks.com/research/threat-profiles/gold-blackburn",
"https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf",
"https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf"
],
"synonyms": [
"TEMP.MixMaster",
@ -7492,8 +7554,29 @@
{
"description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.",
"meta": {
"cfr-suspected-victims": [
"Ecuador",
"Colombia",
"Spain",
"Panama",
"Chile"
],
"cfr-target-category": [
"Petroleum",
"Manufacturing",
"Financial",
"Private sector",
"Government"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/"
"https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
"https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf",
"https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia",
"https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
"https://www.trendmicro.com/en_ph/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
"https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/",
"https://attack.mitre.org/groups/G0099/"
],
"synonyms": [
"Blind Eagle"
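Review bot: With https://attack.mitre.org/groups/G0099/ now in "refs", add "G0099" to "synonyms" as well, matching how the APT35 entry in this file carries "G0059"; without it, lookups by the ATT&CK group ID will not resolve to this cluster.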
@ -9600,6 +9683,26 @@
{
"description": "The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemiums name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. Its the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three components of this malware family.",
"meta": {
"cfr-suspected-victims": [
"North Korea",
"South Korea",
"Japan",
"China",
"Mongolia",
"Egypt",
"Saudi Arabia",
"Yemen",
"Oman",
"Iran",
"Iraq",
"Kuwait",
"Israel",
"Jordan",
"Gaza",
"Syria",
"Turkey",
"Lebanon"
],
"cfr-target-category": [
"Government",
"Electronics Manufacturers",
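Review bot: This hunk adds eighteen suspected victim countries to Gelsemium without any accompanying change to "refs"; if the list is drawn from the ESET report already cited in the entry, fine, otherwise add the source that supports it so the attribution can be checked. "Gaza" is also a territory rather than a state, which is inconsistent with the country naming used in the rest of the list.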
@ -11523,7 +11626,8 @@
"https://www.microsoft.com/en-us/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
],
"synonyms": [
"Nemesis Kitten"
"Nemesis Kitten",
"Storm-0270"
]
},
"related": [
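Review bot: "Storm-0270" is added, but the Microsoft reference in the context line above names DEV-0270; if "DEV-0270" is not already among the synonyms earlier in the entry, add it alongside so searches on the older designation still resolve to this cluster.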
@ -11909,7 +12013,53 @@
],
"uuid": "32eebd31-5e0f-4fb9-b478-26ff4e48aaf4",
"value": "AtlasCross"
},
{
"description": "Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.",
"meta": {
"cfr-suspected-victims": [
"Ukraine",
"European Union"
],
"references": [
"https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html",
"https://www.trendmicro.com/en_za/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html"
],
"synonyms": [
"Tropical Scorpius"
]
},
"related": [
{
"dest-uuid": "6d9dfc5f-4ebf-404b-ab5e-e6497867fe65",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
},
{
"dest-uuid": "5f1c11d3-c6ac-4368-a801-cced88a9d93b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"uuid": "9766d52e-0e5d-4997-9c31-7f2291dcda9e",
"value": "Void Rabisu"
},
{
"description": "In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.",
"meta": {
"country": "CN",
"references": [
"https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/",
"https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/"
]
},
"uuid": "9ee446fd-b0cd-4662-9cd1-a60b429192db",
"value": "Camaro Dragon"
}
],
"version": 285
"version": 287
}
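Review bot: Both new entries (Void Rabisu and Camaro Dragon) put their links under a "references" key, whereas every other entry in this file, including the Grayling, APT40, APT35, Wizard Spider and Blind Eagle hunks in this same patch, uses "refs"; rename to "refs" so the links are picked up with the rest. Secondary points: "European Union" in Void Rabisu's cfr-suspected-victims is not a country like the other values in such lists, and the Camaro Dragon description states an overlap with Mustang Panda and LuminousMoth that could be recorded as a "related" entry with an estimative-language tag rather than only in prose.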


@ -0,0 +1,9 @@
{
"description": "Common ammunitions galaxy",
"icon": "battery-full",
"name": "Ammunitions",
"namespace": "Ammunitions",
"type": "ammunitions",
"uuid": "e7394838-65a9-4b8a-b484-b8c4c7cf49c3",
"version": 1
}

galaxies/firearms.json (new file, 9 additions)

@ -0,0 +1,9 @@
{
"description": "Common firearms galaxy",
"icon": "fire",
"name": "Firearms",
"namespace": "Firearms",
"type": "firearms",
"uuid": "94af82d1-d62b-45a7-8c99-83c421cc0f3b",
"version": 1
}


@ -30,7 +30,7 @@ clusters = []
pathClusters = os.path.join(thisDir, '../clusters')
pathGalaxies = os.path.join(thisDir, '../galaxies')
skip_list = ["cancer.json", "handicap.json"]
skip_list = ["cancer.json", "handicap.json", "ammunitions.json", "firearms.json"]
for f in os.listdir(pathGalaxies):
if '.json' in f:
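Review bot: Adding "ammunitions.json" and "firearms.json" to skip_list means the two largest files in this commit (4114 and 83356 added lines, both with their diffs suppressed above) are never exercised by whatever check this script performs over galaxies/ and clusters/. If the skip is purely a runtime or size concern, say so in a comment next to the list; otherwise run the new files through the check at least once before excluding them, since nothing else in the patch validates them.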

tools/description_value.py (new executable file, 27 additions)

@ -0,0 +1,27 @@
#!/usr/bin/env python3
# coding=utf-8
"""
Tool to remove duplicates in value
"""
import sys
import json
with open(sys.argv[1], 'r') as f:
data = json.load(f)
#for c in data['values']:
# c['value'] = f'{c["value"]} - {c["meta"]["description"]}'
value_seen = []
data_output = []
for c in data['values']:
if c['value'] in value_seen:
continue
else:
data_output.append(c)
value_seen.append(c['value'])
data['values'] = data_output
with open(sys.argv[1], 'w') as f:
json.dump(data, f)
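Review bot: The final `json.dump(data, f)` uses the default separators and `ensure_ascii=True`, so running this tool on any clusters/*.json rewrites the whole file as a single line with non-ASCII escaped (the Gelsemium description touched in this patch contains 狼毒草), producing a diff that hides the actual deduplication; pass the indent, key ordering and `ensure_ascii=False` that the repository's JSON already uses, and write a trailing newline. The deduplication itself is silent: each cluster element carries its own uuid, so a dropped element's uuid and meta vanish with no record of which one was kept; print the dropped value and uuid to stderr (or exit non-zero) so the loss is reviewable. Smaller points: `value_seen` should be a set rather than a list (the membership test is quadratic on a 2947-element file such as malpedia), the commented-out `c['value'] = ...` block and the mismatch between the docstring ("remove duplicates in value") and the file name description_value.py suggest two tools folded into one, and `sys.argv[1]` is used without any argument check.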