MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

put uuid as meta

pull/80/head
Deborah Servili 2017-08-16 15:13:18 +02:00
parent 447bfe93f3
commit 7cb372bdb5
10 changed files with 2453 additions and 2197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2320
clusters/mitre_attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

778
clusters/mitre_course-of-action.json
View File

File diff suppressed because it is too large Load Diff

294
clusters/mitre_intrusion-set.json
View File

@ -2,8 +2,9 @@
"uuid": "10df003c-7831-11e7-bdb9-971cdd1218df",
"values": [
{
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.[[Citation: Kaspersky Poseidon Group]]",
"meta": {
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"refs": [
"https://attack.mitre.org/wiki/Group/G0033",
"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/"
@ -12,12 +13,12 @@
"Poseidon Group"
]
},
"name": "Poseidon Group",
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.[[Citation: Kaspersky Poseidon Group]]"
"value": "Poseidon Group"
},
{
"uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"description": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.[[Citation: Citizen Lab Group5]]",
"meta": {
"uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"refs": [
"https://attack.mitre.org/wiki/Group/G0043",
"https://citizenlab.org/2016/08/group5-syria/"
@ -26,12 +27,12 @@
"Group5"
]
},
"name": "Group5",
"description": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack.[[Citation: Citizen Lab Group5]]"
"value": "Group5"
},
{
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"description": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[[Citation: Bizeul 2014]][[Citation: Villeneuve 2014]]",
"meta": {
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"refs": [
"https://attack.mitre.org/wiki/Group/G0011",
"http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
@ -41,12 +42,12 @@
"PittyTiger"
]
},
"name": "PittyTiger",
"description": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[[Citation: Bizeul 2014]][[Citation: Villeneuve 2014]]"
"value": "PittyTiger"
},
{
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"description": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.[[Citation: FireEye admin@338]]",
"meta": {
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"refs": [
"https://attack.mitre.org/wiki/Group/G0018",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
@ -55,12 +56,12 @@
"admin@338"
]
},
"name": "admin@338",
"description": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.[[Citation: FireEye admin@338]]"
"value": "admin@338"
},
{
"uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f",
"description": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).[[Citation: ESET RTM Feb 2017]]",
"meta": {
"uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f",
"refs": [
"https://attack.mitre.org/wiki/Group/G0048",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
@ -69,12 +70,12 @@
"RTM"
]
},
"name": "RTM",
"description": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM).[[Citation: ESET RTM Feb 2017]]"
"value": "RTM"
},
{
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.[[Citation: FireEye EPS Awakens Part 2]]",
"meta": {
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
@ -83,12 +84,12 @@
"APT16"
]
},
"name": "APT16",
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.[[Citation: FireEye EPS Awakens Part 2]]"
"value": "APT16"
},
{
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"description": "APT28 is a threat group that has been attributed to the Russian government.[[Citation: FireEye APT28]][[Citation: SecureWorks TG-4127]][[Citation: FireEye APT28 January 2017]][[Citation: GRIZZLY STEPPE JAR]] This group reportedly compromised the Democratic National Committee in April 2016.[[Citation: Crowdstrike DNC June 2016]]",
"meta": {
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf",
@ -108,12 +109,12 @@
"TG-4127"
]
},
"name": "APT28",
"description": "APT28 is a threat group that has been attributed to the Russian government.[[Citation: FireEye APT28]][[Citation: SecureWorks TG-4127]][[Citation: FireEye APT28 January 2017]][[Citation: GRIZZLY STEPPE JAR]] This group reportedly compromised the Democratic National Committee in April 2016.[[Citation: Crowdstrike DNC June 2016]]"
"value": "APT28"
},
{
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.[[Citation: Kaspersky Winnti April 2013]][[Citation: Kaspersky Winnti June 2015]][[Citation: Novetta Winnti April 2015]]",
"meta": {
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"refs": [
"https://attack.mitre.org/wiki/Group/G0044",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf",
@ -125,12 +126,12 @@
"Blackfly"
]
},
"name": "Winnti Group",
"description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.[[Citation: Kaspersky Winnti April 2013]][[Citation: Kaspersky Winnti June 2015]][[Citation: Novetta Winnti April 2015]]"
"value": "Winnti Group"
},
{
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]",
"meta": {
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"refs": [
"https://attack.mitre.org/wiki/Group/G0009",
"http://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/",
@ -147,12 +148,12 @@
"Black Vine"
]
},
"name": "Deep Panda",
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.Deep Panda.Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[[Citation: Symantec Black Vine]]"
"value": "Deep Panda"
},
{
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
"description": "Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[[Citation: DustySky]][[Citation: DustySky2]]",
"meta": {
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
"refs": [
"https://attack.mitre.org/wiki/Group/G0021",
"http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2%20-6.2016%20TLP%20White.pdf"
@ -163,12 +164,12 @@
"Operation Molerats"
]
},
"name": "Molerats",
"description": "Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[[Citation: DustySky]][[Citation: DustySky2]]"
"value": "Molerats"
},
{
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
"description": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[[Citation: Symantec Strider Blog]][[Citation: Kaspersky ProjectSauron Blog]]",
"meta": {
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
"refs": [
"https://attack.mitre.org/wiki/Group/G0041",
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
@ -179,12 +180,12 @@
"ProjectSauron"
]
},
"name": "Strider",
"description": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.[[Citation: Symantec Strider Blog]][[Citation: Kaspersky ProjectSauron Blog]]"
"value": "Strider"
},
{
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"description": "Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia.[[Citation: iSIGHT Sandworm 2014]] This group is also known as Quedagh.[[Citation: F-Secure BlackEnergy 2014]]",
"meta": {
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"refs": [
"https://attack.mitre.org/wiki/Group/G0034",
"https://www.f-secure.com/documents/996508/1030745/blackenergy%20whitepaper.pdf",
@ -195,12 +196,12 @@
"Quedagh"
]
},
"name": "Sandworm Team",
"description": "Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia.[[Citation: iSIGHT Sandworm 2014]] This group is also known as Quedagh.[[Citation: F-Secure BlackEnergy 2014]]"
"value": "Sandworm Team"
},
{
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"description": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[[Citation: FireEye FIN6 April 2016]]",
"meta": {
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"refs": [
"https://attack.mitre.org/wiki/Group/G0037",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
@ -209,12 +210,12 @@
"FIN6"
]
},
"name": "FIN6",
"description": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[[Citation: FireEye FIN6 April 2016]]"
"value": "FIN6"
},
{
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"description": "Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries.[[Citation: Cylance Dust Storm]]",
"meta": {
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"refs": [
"https://attack.mitre.org/wiki/Group/G0031",
"https://www.cylance.com/hubfs/2015%20cylance%20website/assets/operation-dust-storm/Op%20Dust%20Storm%20Report.pdf?t=1456259131512"
@ -223,12 +224,12 @@
"Dust Storm"
]
},
"name": "Dust Storm",
"description": "Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries.[[Citation: Cylance Dust Storm]]"
"value": "Dust Storm"
},
{
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver.[[Citation: Cylance Cleaver]] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).[[Citation: Dell Threat Group 2889]]",
"meta": {
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"refs": [
"https://attack.mitre.org/wiki/Group/G0003",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
@ -240,12 +241,12 @@
"TG-2889"
]
},
"name": "Cleaver",
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver.[[Citation: Cylance Cleaver]] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).[[Citation: Dell Threat Group 2889]]"
"value": "Cleaver"
},
{
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"description": "APT12 is a threat group that has been attributed to China.[[Citation: Meyers Numbered Panda]] It is also known as DynCalc, IXESHE, and Numbered Panda.[[Citation: Moran 2014]][[Citation: Meyers Numbered Panda]]",
"meta": {
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
@ -258,12 +259,12 @@
"Numbered Panda"
]
},
"name": "APT12",
"description": "APT12 is a threat group that has been attributed to China.[[Citation: Meyers Numbered Panda]] It is also known as DynCalc, IXESHE, and Numbered Panda.[[Citation: Moran 2014]][[Citation: Meyers Numbered Panda]]"
"value": "APT12"
},
{
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
"description": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. .[[Citation: Haq 2014]]",
"meta": {
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
"refs": [
"https://attack.mitre.org/wiki/Group/G0002",
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
@ -272,12 +273,12 @@
"Moafee"
]
},
"name": "Moafee",
"description": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. .[[Citation: Haq 2014]]"
"value": "Moafee"
},
{
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"description": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[[Citation: Dell TG-3390]]",
"meta": {
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"refs": [
"https://attack.mitre.org/wiki/Group/G0027",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"
@ -288,12 +289,12 @@
"Emissary Panda"
]
},
"name": "Threat Group-3390",
"description": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[[Citation: Dell TG-3390]]"
"value": "Threat Group-3390"
},
{
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]",
"meta": {
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"refs": [
"https://attack.mitre.org/wiki/Group/G0017",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
@ -304,12 +305,12 @@
"DragonOK"
]
},
"name": "DragonOK",
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [[Citation: Operation Quantum Entanglement]][[Citation: Symbiotic APT Groups]] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [[Citation: New DragonOK]]"
"value": "DragonOK"
},
{
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.[[Citation: Mandiant APT1]]",
"meta": {
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
@ -321,12 +322,12 @@
"Comment Panda"
]
},
"name": "APT1",
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.[[Citation: Mandiant APT1]]"
"value": "APT1"
},
{
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46",
"description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government.[[Citation: TrendMicro Taidoor]]",
"meta": {
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46",
"refs": [
"https://attack.mitre.org/wiki/Group/G0015",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20the%20taidoor%20campaign.pdf"
@ -335,12 +336,12 @@
"Taidoor"
]
},
"name": "Taidoor",
"description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government.[[Citation: TrendMicro Taidoor]]"
"value": "Taidoor"
},
{
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China.[[Citation: McAfee Night Dragon]]",
"meta": {
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
@ -349,12 +350,12 @@
"Night Dragon"
]
},
"name": "Night Dragon",
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China.[[Citation: McAfee Night Dragon]]"
"value": "Night Dragon"
},
{
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"description": "Naikon is a threat group that has focused on targets around the South China Sea.Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[[Citation: Baumgartner Golovkin Naikon 2015]]",
"meta": {
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"refs": [
"https://attack.mitre.org/wiki/Group/G0019",
"http://cdn2.hubspot.net/hubfs/454298/Project%20CAMERASHY%20ThreatConnect%20Copyright%202015.pdf",
@ -365,12 +366,12 @@
"Naikon"
]
},
"name": "Naikon",
"description": "Naikon is a threat group that has focused on targets around the South China Sea.Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[[Citation: Baumgartner Golovkin Naikon 2015]]"
"value": "Naikon"
},
{
"uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"description": "Ke3chang is a threat group attributed to actors operating out of China.[[Citation: Villeneuve et al 2014]]",
"meta": {
"uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"refs": [
"https://attack.mitre.org/wiki/Group/G0004",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
@ -379,12 +380,12 @@
"Ke3chang"
]
},
"name": "Ke3chang",
"description": "Ke3chang is a threat group attributed to actors operating out of China.[[Citation: Villeneuve et al 2014]]"
"value": "Ke3chang"
},
{
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums.[[Citation: Cymmetria Patchwork]][[Citation: Symantec Patchwork]]",
"meta": {
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"refs": [
"https://attack.mitre.org/wiki/Group/G0040",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
@ -396,12 +397,12 @@
"Chinastrats"
]
},
"name": "Patchwork",
"description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums.[[Citation: Cymmetria Patchwork]][[Citation: Symantec Patchwork]]"
"value": "Patchwork"
},
{
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"description": "APT30 is a threat group suspected to be associated with the Chinese government.Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[[Citation: Baumgartner Golovkin Naikon 2015]]",
"meta": {
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"refs": [
"https://attack.mitre.org/wiki/Group/G0013",
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
@ -411,12 +412,12 @@
"APT30"
]
},
"name": "APT30",
"description": "APT30 is a threat group suspected to be associated with the Chinese government.Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[[Citation: Baumgartner Golovkin Naikon 2015]]"
"value": "APT30"
},
{
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent.[[Citation: Forcepoint Monsoon]] Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010.[[Citation: Operation Hangover May 2013]]",
"meta": {
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"refs": [
"https://attack.mitre.org/wiki/Group/G0042",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
@ -427,12 +428,12 @@
"Operation Hangover"
]
},
"name": "MONSOON",
"description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent.[[Citation: Forcepoint Monsoon]] Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010.[[Citation: Operation Hangover May 2013]]"
"value": "MONSOON"
},
{
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.[[Citation: FireEye APT17]]",
"meta": {
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
@ -442,12 +443,12 @@
"Deputy Dog"
]
},
"name": "APT17",
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.[[Citation: FireEye APT17]]"
"value": "APT17"
},
{
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"description": "FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware.[[Citation: FireEye FIN7 March 2017]]",
"meta": {
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"refs": [
"https://attack.mitre.org/wiki/Group/G0046",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html"
@ -456,12 +457,12 @@
"FIN7"
]
},
"name": "FIN7",
"description": "FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware.[[Citation: FireEye FIN7 March 2017]]"
"value": "FIN7"
},
{
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"description": "APT3 is a China-based threat group.[[Citation: FireEye Clandestine Wolf]] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[[Citation: FireEye Clandestine Wolf]][[Citation: FireEye Operation Double Tap]] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[[Citation: Symantec Buckeye]]",
"meta": {
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"refs": [
"https://attack.mitre.org/wiki/Group/G0022",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
@ -478,12 +479,12 @@
"TG-0110"
]
},
"name": "APT3",
"description": "APT3 is a China-based threat group.[[Citation: FireEye Clandestine Wolf]] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[[Citation: FireEye Clandestine Wolf]][[Citation: FireEye Operation Double Tap]] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[[Citation: Symantec Buckeye]]"
"value": "APT3"
},
{
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f",
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.[[Citation: Securelist GCMAN]]",
"meta": {
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f",
"refs": [
"https://attack.mitre.org/wiki/Group/G0036",
"https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
@ -492,12 +493,12 @@
"GCMAN"
]
},
"name": "GCMAN",
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.[[Citation: Securelist GCMAN]]"
"value": "GCMAN"
},
{
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"description": "Lazarus Group is a threat group that has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment. It was responsible for a campaign known as Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[[Citation: Novetta Blockbuster]]",
"meta": {
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"refs": [
"https://attack.mitre.org/wiki/Group/G0032",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
@ -506,12 +507,12 @@
"Lazarus Group"
]
},
"name": "Lazarus Group",
"description": "Lazarus Group is a threat group that has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment. It was responsible for a campaign known as Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[[Citation: Novetta Blockbuster]]"
"value": "Lazarus Group"
},
{
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
"description": "Lotus Blossom is threat group that has targeted government and military organizations in Southeast Asia.[[Citation: Lotus Blossom Jun 2015]] It is also known as Spring Dragon.[[Citation: Spring Dragon Jun 2015]]",
"meta": {
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
"refs": [
"https://attack.mitre.org/wiki/Group/G0030",
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
@ -522,12 +523,12 @@
"Spring Dragon"
]
},
"name": "Lotus Blossom",
"description": "Lotus Blossom is threat group that has targeted government and military organizations in Southeast Asia.[[Citation: Lotus Blossom Jun 2015]] It is also known as Spring Dragon.[[Citation: Spring Dragon Jun 2015]]"
"value": "Lotus Blossom"
},
{
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9",
"description": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.[[Citation: Kaspersky Equation QA]]",
"meta": {
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9",
"refs": [
"https://attack.mitre.org/wiki/Group/G0020",
"https://securelist.com/files/2015/02/Equation%20group%20questions%20and%20answers.pdf"
@ -536,12 +537,12 @@
"Equation"
]
},
"name": "Equation",
"description": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives.[[Citation: Kaspersky Equation QA]]"
"value": "Equation"
},
{
"uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center WiFi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing.[[Citation: Kaspersky Darkhotel]]",
"meta": {
"uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"refs": [
"https://attack.mitre.org/wiki/Group/G0012",
"https://securelist.com/files/2014/11/darkhotel%20kl%2007.11.pdf"
@ -550,12 +551,12 @@
"Darkhotel"
]
},
"name": "Darkhotel",
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center WiFi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing.[[Citation: Kaspersky Darkhotel]]"
"value": "Darkhotel"
},
{
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems.[[Citation: Symantec Dragonfly]]",
"meta": {
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"refs": [
"https://attack.mitre.org/wiki/Group/G0035",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf"
@ -565,12 +566,12 @@
"Energetic Bear"
]
},
"name": "Dragonfly",
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems.[[Citation: Symantec Dragonfly]]"
"value": "Dragonfly"
},
{
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"description": "Suckfly is a China-based threat group that has been active since at least 2014.[[Citation: Symantec Suckfly March 2016]]",
"meta": {
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"refs": [
"https://attack.mitre.org/wiki/Group/G0039",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
@ -579,12 +580,12 @@
"Suckfly"
]
},
"name": "Suckfly",
"description": "Suckfly is a China-based threat group that has been active since at least 2014.[[Citation: Symantec Suckfly March 2016]]"
"value": "Suckfly"
},
{
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"description": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.[[Citation: Citizen Lab Stealth Falcon May 2016]]",
"meta": {
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"refs": [
"https://attack.mitre.org/wiki/Group/G0038",
"https://citizenlab.org/2016/05/stealth-falcon/"
@ -593,12 +594,12 @@
"Stealth Falcon"
]
},
"name": "Stealth Falcon",
"description": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed.[[Citation: Citizen Lab Stealth Falcon May 2016]]"
"value": "Stealth Falcon"
},
{
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.[[Citation: Scarlet Mimic Jan 2016]]",
"meta": {
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
"refs": [
"https://attack.mitre.org/wiki/Group/G0029",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
@ -607,12 +608,12 @@
"Scarlet Mimic"
]
},
"name": "Scarlet Mimic",
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.[[Citation: Scarlet Mimic Jan 2016]]"
"value": "Scarlet Mimic"
},
{
"uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"description": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.[[Citation: Dell TG-1314]]",
"meta": {
"uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"refs": [
"https://attack.mitre.org/wiki/Group/G0028",
"http://www.secureworks.com/resources/blog/living-off-the-land/"
@ -622,12 +623,12 @@
"TG-1314"
]
},
"name": "Threat Group-1314",
"description": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.[[Citation: Dell TG-1314]]"
"value": "Threat Group-1314"
},
{
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"description": "Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies.[[Citation: Kaspersky Turla]]",
"meta": {
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"refs": [
"https://attack.mitre.org/wiki/Group/G0010",
"https://securelist.com/analysis/publications/65545/the-epic-turla-operation/"
@ -637,12 +638,12 @@
"Waterbug"
]
},
"name": "Turla",
"description": "Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies.[[Citation: Kaspersky Turla]]"
"value": "Turla"
},
{
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.[[Citation: F-Secure The Dukes]][[Citation: GRIZZLY STEPPE JAR]] This group reportedly compromised the Democratic National Committee starting in the summer of 2015.[[Citation: Crowdstrike DNC June 2016]]",
"meta": {
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"refs": [
"https://attack.mitre.org/wiki/Group/G0016",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf",
@ -654,12 +655,12 @@
"Cozy Bear"
]
},
"name": "APT29",
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.[[Citation: F-Secure The Dukes]][[Citation: GRIZZLY STEPPE JAR]] This group reportedly compromised the Democratic National Committee starting in the summer of 2015.[[Citation: Crowdstrike DNC June 2016]]"
"value": "APT29"
},
{
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"description": "menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014.[[Citation: Palo Alto menuPass Feb 2017]][[Citation: Crowdstrike CrowdCast Oct 2013]][[Citation: FireEye Poison Ivy]]",
"meta": {
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"refs": [
"https://attack.mitre.org/wiki/Group/G0045",
"https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem",
@ -672,12 +673,12 @@
"APT10"
]
},
"name": "menuPass",
"description": "menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014.[[Citation: Palo Alto menuPass Feb 2017]][[Citation: Crowdstrike CrowdCast Oct 2013]][[Citation: FireEye Poison Ivy]]"
"value": "menuPass"
},
{
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLAs 3rd General Staff Department (GSD).[[Citation: CrowdStrike Putter Panda]]",
"meta": {
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"refs": [
"https://attack.mitre.org/wiki/Group/G0024",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
@ -688,12 +689,12 @@
"MSUpdater"
]
},
"name": "Putter Panda",
"description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLAs 3rd General Staff Department (GSD).[[Citation: CrowdStrike Putter Panda]]"
"value": "Putter Panda"
},
{
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"description": "Axiom is a cyber espionage group suspected to be associated with the Chinese government.Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.[[Citation: Kaspersky Winnti April 2013]][[Citation: Kaspersky Winnti June 2015]][[Citation: Novetta Winnti April 2015]]",
"meta": {
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"refs": [
"https://attack.mitre.org/wiki/Group/G0001",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf",
@ -706,12 +707,12 @@
"Group 72"
]
},
"name": "Axiom",
"description": "Axiom is a cyber espionage group suspected to be associated with the Chinese government.Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting.[[Citation: Kaspersky Winnti April 2013]][[Citation: Kaspersky Winnti June 2015]][[Citation: Novetta Winnti April 2015]]"
"value": "Axiom"
},
{
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"description": "Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak).[[Citation: Kaspersky Carbanak]]",
"meta": {
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"refs": [
"https://attack.mitre.org/wiki/Group/G0008",
"https://securelist.com/files/2015/02/Carbanak%20APT%20eng.pdf"
@ -721,12 +722,12 @@
"Anunak"
]
},
"name": "Carbanak",
"description": "Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak).[[Citation: Kaspersky Carbanak]]"
"value": "Carbanak"
},
{
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.[[Citation: Dell Lateral Movement]]",
"meta": {
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"refs": [
"https://attack.mitre.org/wiki/Group/G0026",
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
@ -738,12 +739,12 @@
"Dynamite Panda"
]
},
"name": "APT18",
"description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.[[Citation: Dell Lateral Movement]]"
"value": "APT18"
},
{
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"description": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government.[[Citation: Palo Alto Gamaredon Feb 2017]]",
"meta": {
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"refs": [
"https://attack.mitre.org/wiki/Group/G0047",
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
@ -752,16 +753,15 @@
"Gamaredon Group"
]
},
"name": "Gamaredon Group",
"description": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government.[[Citation: Palo Alto Gamaredon Feb 2017]]"
"value": "Gamaredon Group"
}
],
"authors": [
"MITRE"
],
"version": "1",
"type": "intrusion-set",
"name": "intrusion Set",
"source": "https://github.com/mitre/cti",
"description": "Name of ATT&CK Group"
"type": "intrusion-set",
"description": "Name of ATT&CK Group",
"version": "1"
}

1006
clusters/mitre_malware.json
View File

File diff suppressed because it is too large Load Diff

240
clusters/mitre_tool.json
View File

@ -1,10 +1,7 @@
{
"name": "Tool",
"values": [
{
"name": "at",
"description": "at is used to schedule tasks on a system to run at a specified date or time.[[Citation: TechNet At]]\n\nAliases: at, at.exe",
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0110",
@ -13,13 +10,13 @@
"synonyms": [
"at",
"at.exe"
]
}
],
"uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952"
},
"value": "at"
},
{
"name": "route",
"description": "route can be used to find or change information within the local system IP routing table.[[Citation: TechNet Route]]\n\nAliases: route, route.exe",
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0103",
@ -28,24 +25,24 @@
"synonyms": [
"route",
"route.exe"
]
}
],
"uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de"
},
"value": "route"
},
{
"name": "Tasklist",
"description": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface.[[Citation: Microsoft Tasklist]]",
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0057",
"https://technet.microsoft.com/en-us/library/bb491010.aspx"
]
}
],
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"value": "Tasklist"
},
{
"name": "Windows Credential Editor",
"description": "Windows Credential Editor is a password dumping tool.[[Citation: Amplia WCE]]\n\nAliases: Windows Credential Editor, WCE",
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0005",
@ -54,13 +51,13 @@
"synonyms": [
"Windows Credential Editor",
"WCE"
]
}
],
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
"value": "Windows Credential Editor"
},
{
"name": "schtasks",
"description": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time.[[Citation: TechNet Schtasks]]\n\nAliases: schtasks, schtasks.exe",
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0111",
@ -69,58 +66,58 @@
"synonyms": [
"schtasks",
"schtasks.exe"
]
}
],
"uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
},
"value": "schtasks"
},
{
"name": "UACMe",
"description": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.[[Citation: Github UACMe]]",
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0116",
"https://github.com/hfiref0x/UACME"
]
}
],
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507"
},
"value": "UACMe"
},
{
"name": "ifconfig",
"description": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system.[[Citation: Wikipedia Ifconfig]]",
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0101",
"https://en.wikipedia.org/wiki/Ifconfig"
]
}
],
"uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5"
},
"value": "ifconfig"
},
{
"name": "Mimikatz",
"description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks.[[Citation: Deply Mimikatz]][[Citation: Adsecurity Mimikatz Guide]]",
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0002",
"https://adsecurity.org/?page%20id=1821",
"https://github.com/gentilkiwi/mimikatz"
]
}
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"value": "Mimikatz"
},
{
"name": "xCmd",
"description": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on remote systems.[[Citation: xCmd]]",
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0123",
"https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/"
]
}
],
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
},
"value": "xCmd"
},
{
"name": "Systeminfo",
"description": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[[Citation: TechNet Systeminfo]]\n\nAliases: Systeminfo, systeminfo.exe",
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0096",
@ -129,13 +126,13 @@
"synonyms": [
"Systeminfo",
"systeminfo.exe"
]
}
],
"uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"value": "Systeminfo"
},
{
"name": "netsh",
"description": "netsh is a scripting utility used to interact with networking components on local or remote systems.[[Citation: TechNet Netsh]]\n\nAliases: netsh, netsh.exe",
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0108",
@ -144,13 +141,13 @@
"synonyms": [
"netsh",
"netsh.exe"
]
}
],
"uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
"value": "netsh"
},
{
"name": "dsquery",
"description": "dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain.[[Citation: TechNet Dsquery]] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.\n\nAliases: dsquery, dsquery.exe",
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0105",
@ -159,24 +156,24 @@
"synonyms": [
"dsquery",
"dsquery.exe"
]
}
],
"uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe"
},
"value": "dsquery"
},
{
"name": "gsecdump",
"description": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems.[[Citation: TrueSec Gsecdump]]",
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0008",
"http://www.truesec.com/Tools/Tool/gsecdump%20v2.0b5"
]
}
],
"uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
"value": "gsecdump"
},
{
"name": "Ping",
"description": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.[[Citation: TechNet Ping]]\n\nAliases: Ping, ping.exe",
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0097",
@ -185,46 +182,46 @@
"synonyms": [
"Ping",
"ping.exe"
]
}
],
"uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
},
"value": "Ping"
},
{
"name": "Fgdump",
"description": "Fgdump is a Windows password hash dumper.[[Citation: Mandiant APT1]]",
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0120",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
}
],
"uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe"
},
"value": "Fgdump"
},
{
"name": "Lslsass",
"description": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsass process.[[Citation: Mandiant APT1]]",
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0121",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
}
],
"uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
},
"value": "Lslsass"
},
{
"name": "Pass-The-Hash Toolkit",
"description": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems.[[Citation: Mandiant APT1]]",
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0122",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
}
],
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
},
"value": "Pass-The-Hash Toolkit"
},
{
"name": "FTP",
"description": "FTP is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.[[Citation: Wikipedia FTP]]\n\nAliases: FTP, ftp.exe",
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0095",
@ -233,13 +230,13 @@
"synonyms": [
"FTP",
"ftp.exe"
]
}
],
"uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
},
"value": "FTP"
},
{
"name": "ipconfig",
"description": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration.[[Citation: TechNet Ipconfig]]\n\nAliases: ipconfig, ipconfig.exe",
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0100",
@ -248,13 +245,13 @@
"synonyms": [
"ipconfig",
"ipconfig.exe"
]
}
],
"uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"value": "ipconfig"
},
{
"name": "nbtstat",
"description": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.[[Citation: TechNet Nbtstat]]\n\nAliases: nbtstat, nbtstat.exe",
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0102",
@ -263,13 +260,13 @@
"synonyms": [
"nbtstat",
"nbtstat.exe"
]
}
],
"uuid": "b35068ec-107a-4266-bda8-eb7036267aea"
},
"value": "nbtstat"
},
{
"name": "HTRAN",
"description": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. [[Citation: Operation Quantum Entanglement]]\n\nAliases: HTRAN, HUC Packet Transmit Tool",
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0040",
@ -278,13 +275,13 @@
"synonyms": [
"HTRAN",
"HUC Packet Transmit Tool"
]
}
],
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e"
},
"value": "HTRAN"
},
{
"name": "netstat",
"description": "netstat is an operating system utility that displays active TCP connections, listening ports, and network statistics.[[Citation: TechNet Netstat]]\n\nAliases: netstat, netstat.exe",
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0104",
@ -293,35 +290,35 @@
"synonyms": [
"netstat",
"netstat.exe"
]
}
],
"uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"value": "netstat"
},
{
"name": "pwdump",
"description": "pwdump is a credential dumper.[[Citation: Wikipedia pwdump]]",
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0006",
"https://en.wikipedia.org/wiki/Pwdump"
]
}
],
"uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
},
"value": "pwdump"
},
{
"name": "Cachedump",
"description": "Cachedump is a publicly-available tool that program extracts cached password hashes from a systems registry.[[Citation: Mandiant APT1]]",
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0119",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
}
],
"uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
},
"value": "Cachedump"
},
{
"name": "Net",
"description": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections.Net has a great deal of functionality,[[Citation: Savill 1999]] much of which is useful for an adversary, such as gathering system and network information for [[Discovery]], moving laterally through [[Windows admin shares]] using <code>net use</code> commands, and interacting with services.\n\nAliases: Net, net.exe",
"uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0039",
@ -331,25 +328,25 @@
"synonyms": [
"Net",
"net.exe"
]
}
],
"uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"value": "Net"
},
{
"name": "PsExec",
"description": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[[Citation: Russinovich Sysinternals]][[Citation: SANS PsExec]]",
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0029",
"https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx",
"https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive"
]
}
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"value": "PsExec"
},
{
"name": "Arp",
"description": "Arp displays information about a system's Address Resolution Protocol (ARP) cache.[[Citation: TechNet Arp]]\n\nAliases: Arp, arp.exe",
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0099",
@ -358,13 +355,13 @@
"synonyms": [
"Arp",
"arp.exe"
]
}
],
"uuid": "30489451-5886-4c46-90c9-0dff9adc5252"
},
"value": "Arp"
},
{
"name": "cmd",
"description": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities.[[Citation: TechNet Cmd]]\n\nCmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code>[[Citation: TechNet Dir]]), deleting files (e.g., <code>del</code>[[Citation: TechNet Del]]), and copying files (e.g., <code>copy</code>[[Citation: TechNet Copy]]).\n\nAliases: cmd, cmd.exe",
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0106",
@ -376,13 +373,13 @@
"synonyms": [
"cmd",
"cmd.exe"
]
}
],
"uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
"value": "cmd"
},
{
"name": "Reg",
"description": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.Reg are known to be used by persistent threats.[[Citation: Windows Commands JPCERT]]\n\nAliases: Reg, reg.exe",
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"meta": {
"refs": [
"https://attack.mitre.org/wiki/Software/S0075",
@ -392,16 +389,19 @@
"synonyms": [
"Reg",
"reg.exe"
]
}
],
"uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
"value": "Reg"
}
],
"description": "Name of ATT&CK software",
"version": "1",
"type": "tool",
"source": "https://github.com/mitre/cti",
"authors": [
"MITRE"
],
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0",
"version": "1"
"description": "Name of ATT&CK software",
"name": "Tool",
"uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0"
}

2
tools/mitre-cti/create_attack-pattern_galaxy.py
View File

@ -22,7 +22,6 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
@ -34,6 +33,7 @@ for element in os.listdir('.'):
if 'x_mitre_platforms' in temp:
value['meta']['x_mitre_platforms'] = temp['x_mitre_platforms']
values.append(value)
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
galaxy = {}
galaxy['name'] = "Attack Pattern"

3
tools/mitre-cti/create_course-of-action_galaxy.py
View File

@ -22,8 +22,9 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['value'] = temp['name']
value['meta'] = {}
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}

3
tools/mitre-cti/create_intrusion-set_galaxy.py
View File

@ -22,7 +22,6 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['value'] = temp['name']
value['meta'] = {}
value['meta']['synonyms'] = temp['aliases']
@ -30,7 +29,7 @@ for element in os.listdir('.'):
for reference in temp['external_references']:
if 'url' in reference:
value['meta']['refs'].append(reference['url'])
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}

2
tools/mitre-cti/create_malware_galaxy.py
View File

@ -22,7 +22,6 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
@ -31,6 +30,7 @@ for element in os.listdir('.'):
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}

2
tools/mitre-cti/create_tool_galaxy.py
View File

@ -22,7 +22,6 @@ for element in os.listdir('.'):
value = {}
value['description'] = temp['description']
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
value['value'] = temp['name']
value['meta'] = {}
value['meta']['refs'] = []
@ -31,6 +30,7 @@ for element in os.listdir('.'):
value['meta']['refs'].append(reference['url'])
if'x_mitre_aliases' in temp:
value['meta']['synonyms'] = temp['x_mitre_aliases']
value['meta']['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:]
values.append(value)
galaxy = {}