mirror of https://github.com/MISP/misp-galaxy
Strict schema, update clusters accordingly
parent
9bf4da3a7a
commit
7db66e05dd
|
@ -5,10 +5,10 @@
|
|||
"refs": [
|
||||
"http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
|
||||
],
|
||||
"Complexity": "Medium",
|
||||
"Effectiveness": "High",
|
||||
"Impact": "Low",
|
||||
"Type": "Recovery"
|
||||
"complexity": "Medium",
|
||||
"effectiveness": "High",
|
||||
"impact": "Low",
|
||||
"type": "Recovery"
|
||||
},
|
||||
"value": "Backup and Restore Process",
|
||||
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore"
|
||||
|
@ -19,10 +19,10 @@
|
|||
"https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US",
|
||||
"https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
|
||||
],
|
||||
"Complexity": "Low",
|
||||
"Effectiveness": "High",
|
||||
"Impact": "Low",
|
||||
"Type": "GPO"
|
||||
"complexity": "Low",
|
||||
"effectiveness": "High",
|
||||
"impact": "Low",
|
||||
"type": "GPO"
|
||||
},
|
||||
"value": "Block Macros",
|
||||
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"
|
||||
|
@ -32,35 +32,35 @@
|
|||
"refs": [
|
||||
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
|
||||
],
|
||||
"Complexity": "Low",
|
||||
"Effectiveness": "Medium",
|
||||
"Impact": "Medium",
|
||||
"Type": "GPO"
|
||||
"complexity": "Low",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Medium",
|
||||
"type": "GPO",
|
||||
"possible_issues": "Administrative VBS scripts on Workstations"
|
||||
},
|
||||
"value": "Disable WSH",
|
||||
"description": "Disable Windows Script Host",
|
||||
"Possible Issues": "Administrative VBS scripts on Workstations"
|
||||
"description": "Disable Windows Script Host"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"Complexity": "Low",
|
||||
"Effectiveness": "Medium",
|
||||
"Impact": "Low",
|
||||
"Type": "Mail Gateway"
|
||||
"complexity": "Low",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Low",
|
||||
"type": "Mail Gateway"
|
||||
},
|
||||
"value": "Filter Attachments Level 1",
|
||||
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"Complexity": "Low",
|
||||
"Effectiveness": "High",
|
||||
"Impact": "High",
|
||||
"Type": "Mail Gateway"
|
||||
"complexity": "Low",
|
||||
"effectiveness": "High",
|
||||
"impact": "High",
|
||||
"type": "Mail Gateway",
|
||||
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
|
||||
},
|
||||
"value": "Filter Attachments Level 2",
|
||||
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm",
|
||||
"Possible Issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
|
||||
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
|
@ -68,24 +68,24 @@
|
|||
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
|
||||
"http://www.thirdtier.net/ransomware-prevention-kit/"
|
||||
],
|
||||
"Complexity": "Medium",
|
||||
"Effectiveness": "Medium",
|
||||
"Impact": "Medium",
|
||||
"Type": "GPO"
|
||||
"complexity": "Medium",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Medium",
|
||||
"type": "GPO",
|
||||
"possible_issues": "Web embedded software installers"
|
||||
},
|
||||
"value": "Restrict program execution",
|
||||
"description": "Block all program executions from the %LocalAppData% and %AppData% folder",
|
||||
"Possible Issues": "Web embedded software installers"
|
||||
"description": "Block all program executions from the %LocalAppData% and %AppData% folder"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"refs": [
|
||||
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
|
||||
],
|
||||
"Complexity": "Low",
|
||||
"Effectiveness": "Low",
|
||||
"Impact": "Low",
|
||||
"Type": "User Assistence"
|
||||
"complexity": "Low",
|
||||
"effectiveness": "Low",
|
||||
"impact": "Low",
|
||||
"type": "User Assistence"
|
||||
},
|
||||
"value": "Show File Extensions",
|
||||
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")"
|
||||
|
@ -95,50 +95,50 @@
|
|||
"refs": [
|
||||
"https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
|
||||
],
|
||||
"Complexity": "Low",
|
||||
"Effectiveness": "Medium",
|
||||
"Impact": "Low",
|
||||
"Type": "GPO"
|
||||
"complexity": "Low",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Low",
|
||||
"type": "GPO",
|
||||
"possible_issues": "administrator resentment"
|
||||
},
|
||||
"value": "Enforce UAC Prompt",
|
||||
"description": "Enforce administrative users to confirm an action that requires elevated rights",
|
||||
"Possible Issues": "administrator resentment"
|
||||
"description": "Enforce administrative users to confirm an action that requires elevated rights"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"Complexity": "Medium",
|
||||
"Effectiveness": "Medium",
|
||||
"Impact": "Medium",
|
||||
"Type": "Best Practice"
|
||||
"complexity": "Medium",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Medium",
|
||||
"type": "Best Practice",
|
||||
"possible_issues": "igher administrative costs"
|
||||
},
|
||||
"value": "Remove Admin Privileges",
|
||||
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.",
|
||||
"Possible Issues": "igher administrative costs"
|
||||
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to."
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"Complexity": "Medium",
|
||||
"Effectiveness": "Low",
|
||||
"Impact": "Low",
|
||||
"Type": "Best Practice"
|
||||
"complexity": "Medium",
|
||||
"effectiveness": "Low",
|
||||
"impact": "Low",
|
||||
"type": "Best Practice"
|
||||
},
|
||||
"value": "Restrict Workstation Communication",
|
||||
"description": "Activate the Windows Firewall to restrict workstation to workstation communication"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"Complexity": "Medium",
|
||||
"Effectiveness": "High",
|
||||
"Type": "Advanced Malware Protection"
|
||||
"complexity": "Medium",
|
||||
"effectiveness": "High",
|
||||
"type": "Advanced Malware Protection"
|
||||
},
|
||||
"value": "Sandboxing Email Input",
|
||||
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"Complexity": "Medium",
|
||||
"Effectiveness": "Medium",
|
||||
"Type": "3rd Party Tools"
|
||||
"complexity": "Medium",
|
||||
"effectiveness": "Medium",
|
||||
"type": "3rd Party Tools"
|
||||
},
|
||||
"value": "Execution Prevention",
|
||||
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
|
||||
|
@ -148,24 +148,24 @@
|
|||
"refs": [
|
||||
"https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
|
||||
],
|
||||
"Complexity": "Low",
|
||||
"Effectiveness": "Medium",
|
||||
"Impact": "Medium",
|
||||
"Type": "GPO"
|
||||
"complexity": "Low",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Medium",
|
||||
"type": "GPO",
|
||||
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
|
||||
},
|
||||
"value": "Change Default \"Open With\" to Notepad",
|
||||
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer",
|
||||
"Possible Issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
|
||||
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
"refs": [
|
||||
"http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
|
||||
],
|
||||
"Complexity": "Low",
|
||||
"Effectiveness": "Medium",
|
||||
"Impact": "Low",
|
||||
"Type": "Monitoring"
|
||||
"complexity": "Low",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Low",
|
||||
"type": "Monitoring"
|
||||
},
|
||||
"value": "File Screening",
|
||||
"description": "Server-side file screening with the help of File Server Resource Manager"
|
||||
|
@ -176,14 +176,14 @@
|
|||
"https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx",
|
||||
"http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
|
||||
],
|
||||
"Complexity": "Medium",
|
||||
"Effectiveness": "Medium",
|
||||
"Impact": "Medium",
|
||||
"Type": "GPO"
|
||||
"complexity": "Medium",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Medium",
|
||||
"type": "GPO",
|
||||
"possible_issues": "Configure & test extensively"
|
||||
},
|
||||
"value": "Restrict program execution #2",
|
||||
"description": "Block program executions (AppLocker)",
|
||||
"Possible Issues": "Configure & test extensively"
|
||||
"description": "Block program executions (AppLocker)"
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
|
@ -191,10 +191,10 @@
|
|||
"www.microsoft.com/emet",
|
||||
"http://windowsitpro.com/security/control-emet-group-policy"
|
||||
],
|
||||
"Complexity": "Medium",
|
||||
"Effectiveness": "Medium",
|
||||
"Impact": "Low",
|
||||
"Type": "GPO"
|
||||
"complexity": "Medium",
|
||||
"effectiveness": "Medium",
|
||||
"impact": "Low",
|
||||
"type": "GPO"
|
||||
},
|
||||
"value": "EMET",
|
||||
"description": "Detect and block exploitation techniques"
|
||||
|
@ -204,10 +204,10 @@
|
|||
"refs": [
|
||||
"https://twitter.com/JohnLaTwC/status/799792296883388416"
|
||||
],
|
||||
"Complexity": "Medium",
|
||||
"Effectiveness": "Low",
|
||||
"Impact": "Low",
|
||||
"Type": "3rd Party Tools"
|
||||
"complexity": "Medium",
|
||||
"effectiveness": "Low",
|
||||
"impact": "Low",
|
||||
"type": "3rd Party Tools"
|
||||
},
|
||||
"value": "Sysmon",
|
||||
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
|
||||
|
@ -221,5 +221,5 @@
|
|||
],
|
||||
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
|
||||
"uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
|
||||
"version": 1
|
||||
"version": 2
|
||||
}
|
||||
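Review bot: The new `possible_issues` line in the `@ -95,50` hunk carries a truncated value over from the old `Possible Issues` entry, `"possible_issues": "igher administrative costs"`; since the commit rewrites that line anyway, it should read `"possible_issues": "Higher administrative costs"`. The `@ -68,24` hunk likewise keeps `"type": "User Assistence"` on the new lowercase `type` line, where the other entries use plain category names such as `GPO` and `Mail Gateway`, so `User Assistance` is presumably intended. Neither slip is caught by the strict schema introduced in this commit, because `complexity`, `effectiveness`, `impact` and `type` are validated only as free-form strings, so the values are worth fixing by hand here. This assumes, as elsewhere on the page, that the lowercase-key line of each printed pair is the new side.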
|
|
|
@ -6,9 +6,9 @@
|
|||
"meta": {
|
||||
"refs": [
|
||||
"https://keitarotds.com/"
|
||||
]
|
||||
},
|
||||
"type": "Commercial"
|
||||
],
|
||||
"type": "Commercial"
|
||||
}
|
||||
},
|
||||
{
|
||||
"value": "Sutra",
|
||||
|
@ -68,7 +68,7 @@
|
|||
}
|
||||
}
|
||||
],
|
||||
"version": 1,
|
||||
"version": 2,
|
||||
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
|
||||
"description": "TDS is a list of Traffic Direction System used by adversaries",
|
||||
"authors": [
|
||||
|
|
|
@ -432,7 +432,7 @@
|
|||
"refs": [
|
||||
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
|
||||
],
|
||||
"Motive": "Espionage"
|
||||
"motive": "Espionage"
|
||||
},
|
||||
"value": "Anchor Panda",
|
||||
"description": "PLA Navy"
|
||||
|
@ -451,7 +451,7 @@
|
|||
},
|
||||
{
|
||||
"meta": {
|
||||
"synomyns": [
|
||||
"synonyms": [
|
||||
"IceFog",
|
||||
"Dagger Panda"
|
||||
],
|
||||
|
@ -958,9 +958,9 @@
|
|||
"country": "FR",
|
||||
"synonyms": [
|
||||
"Animal Farm"
|
||||
],
|
||||
"description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
|
||||
}
|
||||
]
|
||||
},
|
||||
"description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
|
||||
},
|
||||
{
|
||||
"meta": {
|
||||
|
@ -1387,5 +1387,5 @@
|
|||
],
|
||||
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
|
||||
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
|
||||
"version": 14
|
||||
"version": 15
|
||||
}
|
||||
|
|
|
@ -1151,8 +1151,8 @@
|
|||
},
|
||||
{
|
||||
"value": "Trojan.Seaduke",
|
||||
"description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.",
|
||||
"meta": {
|
||||
"description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.",
|
||||
"refs": [
|
||||
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-031915-4935-99"
|
||||
],
|
||||
|
@ -1213,7 +1213,7 @@
|
|||
},
|
||||
{
|
||||
"meta": {
|
||||
"derivated-from": [
|
||||
"derivated_from": [
|
||||
"Shiz"
|
||||
],
|
||||
"refs": [
|
||||
|
@ -1317,7 +1317,7 @@
|
|||
}
|
||||
}
|
||||
],
|
||||
"version": 21,
|
||||
"version": 22,
|
||||
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
|
||||
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
|
||||
"authors": [
|
||||
|
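Review bot: The Trojan.Seaduke entry in the `@ -1151,8` hunk ends up with `"description"` inside `"meta"` (the line printed after `"meta": {`), which is the opposite of what the threat-actor section above does, where `description` is moved out of `meta` to the top level. Assuming, as elsewhere on this page, that the second printed line of a pair is the new side, this entry will be rejected by the schema added in the same commit: `meta` now carries `"additionalProperties": false` and its property list has no `description`. Keep `"description": "Trojan.Seaduke is a Trojan horse …"` as a sibling of `"value"` rather than under `"meta"`. The `derivated-from` → `derivated_from` rename in the `@ -1213,7` hunk does match the new schema key, although `derived_from` would be the conventional spelling if keys are being renamed anyway.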
|
|
@ -36,14 +36,59 @@
|
|||
"value": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": {
|
||||
"type": "string"
|
||||
},
|
||||
"Possible Issues": {
|
||||
"type": "string"
|
||||
},
|
||||
"meta": {
|
||||
"type": "object"
|
||||
"type": "object",
|
||||
"additionalProperties": false,
|
||||
"properties": {
|
||||
"refs": {
|
||||
"type": "array",
|
||||
"uniqueItems": true,
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"synonyms": {
|
||||
"type": "array",
|
||||
"uniqueItems": true,
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"derivated_from": {
|
||||
"type": "array",
|
||||
"uniqueItems": true,
|
||||
"items": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"status": {
|
||||
"type": "string"
|
||||
},
|
||||
"country": {
|
||||
"type": "string"
|
||||
},
|
||||
"effectiveness": {
|
||||
"type": "string"
|
||||
},
|
||||
"complexity": {
|
||||
"type": "string"
|
||||
},
|
||||
"type": {
|
||||
"type": "string"
|
||||
},
|
||||
"impact": {
|
||||
"type": "string"
|
||||
},
|
||||
"motive": {
|
||||
"type": "string"
|
||||
},
|
||||
"colour": {
|
||||
"type": "string"
|
||||
},
|
||||
"possible_issues": {
|
||||
"type": "string"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"required": [
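Review bot: The strict `meta` object still validates `complexity`, `effectiveness` and `impact` as unconstrained strings, although every cluster entry on this page uses only `Low`, `Medium` and `High`; adding `"enum": ["Low", "Medium", "High"]` to each of those three property schemas would let the schema catch value typos as well as key typos without invalidating existing data. The top-level `"Possible Issues"` and `type` properties are left in place just above the rewritten `meta` block, while the cluster hunks in this commit move that data to `meta.possible_issues` and `meta.type`; if no cluster still uses the old keys they are dead schema and should be removed so the top-level object can be closed with `"additionalProperties": false` too (whether it already is cannot be seen from this hunk). `refs` items are bare strings; `"format": "uri"` would document the intent, but note that an entry such as `www.microsoft.com/emet` in the EMET hunk has no scheme and would be rejected by any validator that enforces formats, which many do only when explicitly enabled. The enclosing `properties` object starts before this hunk.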
|
||||
|
|