From 7db66e05dd22faee44d2c2e3d0b72903c4336e44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 14 Feb 2017 11:34:59 +0100
Subject: [PATCH] Strict schema, update clusters accordingly

---
 clusters/preventive-measure.json | 162 +++++++++++++++----------------
 clusters/tds.json | 8 +-
 clusters/threat-actor.json | 12 +--
 clusters/tool.json | 6 +-
 schema_clusters.json | 59 +++++++++--
 5 files changed, 146 insertions(+), 101 deletions(-)

diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json
index 82706e41..a9f9089d 100644
--- a/clusters/preventive-measure.json
+++ b/clusters/preventive-measure.json
@@ -5,10 +5,10 @@
 "refs": [
 "http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
 ],
- "Complexity": "Medium",
- "Effectiveness": "High",
- "Impact": "Low",
- "Type": "Recovery"
+ "complexity": "Medium",
+ "effectiveness": "High",
+ "impact": "Low",
+ "type": "Recovery"
 },
 "value": "Backup and Restore Process",
 "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore"
@@ -19,10 +19,10 @@
 "https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US",
 "https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
 ],
- "Complexity": "Low",
- "Effectiveness": "High",
- "Impact": "Low",
- "Type": "GPO"
+ "complexity": "Low",
+ "effectiveness": "High",
+ "impact": "Low",
+ "type": "GPO"
 },
 "value": "Block Macros",
 "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"
@@ -32,35 +32,35 @@
 "refs": [
 "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
 ],
- "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Medium",
- "Type": "GPO"
+ "complexity": "Low",
+ "effectiveness": "Medium",
+ "impact": "Medium",
+ "type": "GPO",
+ "possible_issues": "Administrative VBS scripts on Workstations"
 },
 "value": "Disable WSH",
- "description": "Disable Windows Script Host",
- "Possible Issues": "Administrative VBS scripts on Workstations"
+ "description": "Disable Windows Script Host"
 },
 {
 "meta": {
- "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Low",
- "Type": "Mail Gateway"
+ "complexity": "Low",
+ "effectiveness": "Medium",
+ "impact": "Low",
+ "type": "Mail Gateway"
 },
 "value": "Filter Attachments Level 1",
 "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub"
 },
 {
 "meta": {
- "Complexity": "Low",
- "Effectiveness": "High",
- "Impact": "High",
- "Type": "Mail Gateway"
+ "complexity": "Low",
+ "effectiveness": "High",
+ "impact": "High",
+ "type": "Mail Gateway",
+ "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
 },
 "value": "Filter Attachments Level 2",
- "description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm",
- "Possible Issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
+ "description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm"
 },
 {
 "meta": {
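Review bot: The value moved into `meta.possible_issues` on the "Filter Attachments Level 2" entry is copied with its trailing space intact (`"... (.doc, .xls) "`); since the line is being rewritten anyway, trim it to `"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls)"`. Stray whitespace in a galaxy value presumably ends up verbatim in whatever imports this cluster, and it makes exact-match comparison of the field unreliable for no benefit.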
@@ -68,24 +68,24 @@
 "http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
 "http://www.thirdtier.net/ransomware-prevention-kit/"
 ],
- "Complexity": "Medium",
- "Effectiveness": "Medium",
- "Impact": "Medium",
- "Type": "GPO"
+ "complexity": "Medium",
+ "effectiveness": "Medium",
+ "impact": "Medium",
+ "type": "GPO",
+ "possible_issues": "Web embedded software installers"
 },
 "value": "Restrict program execution",
- "description": "Block all program executions from the %LocalAppData% and %AppData% folder",
- "Possible Issues": "Web embedded software installers"
+ "description": "Block all program executions from the %LocalAppData% and %AppData% folder"
 },
 {
 "meta": {
 "refs": [
 "http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
 ],
- "Complexity": "Low",
- "Effectiveness": "Low",
- "Impact": "Low",
- "Type": "User Assistence"
+ "complexity": "Low",
+ "effectiveness": "Low",
+ "impact": "Low",
+ "type": "User Assistence"
 },
 "value": "Show File Extensions",
 "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")"
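Review bot: The renamed `"type": "User Assistence"` line on the "Show File Extensions" entry carries the misspelling over from the old key; since the line is touched anyway, make it `"type": "User Assistance"`. Nothing in the schema added by this commit would catch this, because `type` is declared as a free string, while the hunks in this patch show only a small fixed vocabulary (GPO, Mail Gateway, Best Practice, Monitoring, 3rd Party Tools, Recovery, Advanced Malware Protection) that would fit an `enum`.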
@@ -95,50 +95,50 @@
 "refs": [
 "https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
 ],
- "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Low",
- "Type": "GPO"
+ "complexity": "Low",
+ "effectiveness": "Medium",
+ "impact": "Low",
+ "type": "GPO",
+ "possible_issues": "administrator resentment"
 },
 "value": "Enforce UAC Prompt",
- "description": "Enforce administrative users to confirm an action that requires elevated rights",
- "Possible Issues": "administrator resentment"
+ "description": "Enforce administrative users to confirm an action that requires elevated rights"
 },
 {
 "meta": {
- "Complexity": "Medium",
- "Effectiveness": "Medium",
- "Impact": "Medium",
- "Type": "Best Practice"
+ "complexity": "Medium",
+ "effectiveness": "Medium",
+ "impact": "Medium",
+ "type": "Best Practice",
+ "possible_issues": "igher administrative costs"
 },
 "value": "Remove Admin Privileges",
- "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.",
- "Possible Issues": "igher administrative costs"
+ "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to."
 },
 {
 "meta": {
- "Complexity": "Medium",
- "Effectiveness": "Low",
- "Impact": "Low",
- "Type": "Best Practice"
+ "complexity": "Medium",
+ "effectiveness": "Low",
+ "impact": "Low",
+ "type": "Best Practice"
 },
 "value": "Restrict Workstation Communication",
 "description": "Activate the Windows Firewall to restrict workstation to workstation communication"
 },
 {
 "meta": {
- "Complexity": "Medium",
- "Effectiveness": "High",
- "Type": "Advanced Malware Protection"
+ "complexity": "Medium",
+ "effectiveness": "High",
+ "type": "Advanced Malware Protection"
 },
 "value": "Sandboxing Email Input",
 "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis"
 },
 {
 "meta": {
- "Complexity": "Medium",
- "Effectiveness": "Medium",
- "Type": "3rd Party Tools"
+ "complexity": "Medium",
+ "effectiveness": "Medium",
+ "type": "3rd Party Tools"
 },
 "value": "Execution Prevention",
 "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
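Review bot: `"possible_issues": "igher administrative costs"` on the "Remove Admin Privileges" entry is moved into `meta` verbatim with its missing first letter; it should read `"possible_issues": "Higher administrative costs"`. In the same hunk `"possible_issues": "administrator resentment"` is the only value in the file that starts lowercase, so capitalising it while the line is rewritten keeps the field consistent. This hunk starts on the previous physical line.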
@@ -148,24 +148,24 @@
 "refs": [
 "https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
 ],
- "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Medium",
- "Type": "GPO"
+ "complexity": "Low",
+ "effectiveness": "Medium",
+ "impact": "Medium",
+ "type": "GPO",
+ "possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
 },
 "value": "Change Default \"Open With\" to Notepad",
- "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer",
- "Possible Issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
+ "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer"
 },
 {
 "meta": {
 "refs": [
 "http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
 ],
- "Complexity": "Low",
- "Effectiveness": "Medium",
- "Impact": "Low",
- "Type": "Monitoring"
+ "complexity": "Low",
+ "effectiveness": "Medium",
+ "impact": "Low",
+ "type": "Monitoring"
 },
 "value": "File Screening",
 "description": "Server-side file screening with the help of File Server Resource Manager"
@@ -176,14 +176,14 @@
 "https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx",
 "http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
 ],
- "Complexity": "Medium",
- "Effectiveness": "Medium",
- "Impact": "Medium",
- "Type": "GPO"
+ "complexity": "Medium",
+ "effectiveness": "Medium",
+ "impact": "Medium",
+ "type": "GPO",
+ "possible_issues": "Configure & test extensively"
 },
 "value": "Restrict program execution #2",
- "description": "Block program executions (AppLocker)",
- "Possible Issues": "Configure & test extensively"
+ "description": "Block program executions (AppLocker)"
 },
 {
 "meta": {
@@ -191,10 +191,10 @@
 "www.microsoft.com/emet",
 "http://windowsitpro.com/security/control-emet-group-policy"
 ],
- "Complexity": "Medium",
- "Effectiveness": "Medium",
- "Impact": "Low",
- "Type": "GPO"
+ "complexity": "Medium",
+ "effectiveness": "Medium",
+ "impact": "Low",
+ "type": "GPO"
 },
 "value": "EMET",
 "description": "Detect and block exploitation techniques"
@@ -204,10 +204,10 @@
 "refs": [
 "https://twitter.com/JohnLaTwC/status/799792296883388416"
 ],
- "Complexity": "Medium",
- "Effectiveness": "Low",
- "Impact": "Low",
- "Type": "3rd Party Tools"
+ "complexity": "Medium",
+ "effectiveness": "Low",
+ "impact": "Low",
+ "type": "3rd Party Tools"
 },
 "value": "Sysmon",
 "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
@@ -221,5 +221,5 @@
 ],
 "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
 "uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
- "version": 1
+ "version": 2
 }
diff --git a/clusters/tds.json b/clusters/tds.json
index 75759a75..5cbf9963 100755
--- a/clusters/tds.json
+++ b/clusters/tds.json
@@ -6,9 +6,9 @@
 "meta": {
 "refs": [
 "https://keitarotds.com/"
- ]
- },
- "type": "Commercial"
+ ],
+ "type": "Commercial"
+ }
 },
 {
 "value": "Sutra",
@@ -68,7 +68,7 @@
 }
 }
 ],
- "version": 1,
+ "version": 2,
 "uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
 "description": "TDS is a list of Traffic Direction System used by adversaries",
 "authors": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 15096164..3197fee2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -432,7 +432,7 @@
 "refs": [
 "http://www.crowdstrike.com/blog/whois-anchor-panda/"
 ],
- "Motive": "Espionage"
+ "motive": "Espionage"
 },
 "value": "Anchor Panda",
 "description": "PLA Navy"
@@ -451,7 +451,7 @@
 },
 {
 "meta": {
- "synomyns": [
+ "synonyms": [
 "IceFog",
 "Dagger Panda"
 ],
@@ -958,9 +958,9 @@
 "country": "FR",
 "synonyms": [
 "Animal Farm"
- ],
- "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
- }
+ ]
+ },
+ "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
 },
 {
 "meta": {
@@ -1387,5 +1387,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 14
+ "version": 15
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index ed0187ed..3de63622 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -1151,8 +1151,8 @@
 },
 {
 "value": "Trojan.Seaduke",
+ "description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.",
 "meta": {
- "description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.",
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-031915-4935-99"
 ],
@@ -1213,7 +1213,7 @@
 },
 {
 "meta": {
- "derivated-from": [
+ "derivated_from": [
 "Shiz"
 ],
 "refs": [
@@ -1317,7 +1317,7 @@
 }
 }
 ],
- "version": 21,
+ "version": 22,
 "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
 "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
 "authors": [
diff --git a/schema_clusters.json b/schema_clusters.json
index 73acaba6..780bfe14 100644
--- a/schema_clusters.json
+++ b/schema_clusters.json
@@ -36,14 +36,59 @@
 "value": {
 "type": "string"
 },
- "type": {
- "type": "string"
- },
- "Possible Issues": {
- "type": "string"
- },
 "meta": {
- "type": "object"
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "refs": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ },
+ "synonyms": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ },
+ "derivated_from": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ },
+ "status": {
+ "type": "string"
+ },
+ "country": {
+ "type": "string"
+ },
+ "effectiveness": {
+ "type": "string"
+ },
+ "complexity": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "impact": {
+ "type": "string"
+ },
+ "motive": {
+ "type": "string"
+ },
+ "colour": {
+ "type": "string"
+ },
+ "possible_issues": {
+ "type": "string"
+ }
+ }
 }
 },
 "required": [
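Review bot: `effectiveness`, `complexity` and `impact` are declared as unconstrained strings even though every cluster hunk in this patch uses exactly Low/Medium/High, so `"effectiveness": { "type": "string", "enum": ["Low", "Medium", "High"] }` (and the same for the other two) would turn a typo into a validation failure instead of silent data drift, and `type` would benefit from the same treatment given the small fixed vocabulary visible in preventive-measure.json. `refs` items are also unconstrained, and the EMET entry in preventive-measure.json carries `"www.microsoft.com/emet"` with no scheme, which `"items": { "type": "string", "pattern": "^https?://" }` would have flagged — `"format": "uri"` alone is annotation-only in most validators unless format checking is switched on. `country` appears to hold ISO 3166 two-letter codes (the visible value is `"FR"`), so `"pattern": "^[A-Z]{2}$"` is cheap to add. The three identical array definitions could be factored into a `definitions` entry and referenced with `$ref`, and since `derivated_from` is being renamed anyway the standard spelling `derived_from` would be the cheapest moment to fix the key. Whether the enclosing cluster-value object also sets `additionalProperties: false` is outside this hunk; without it, a stray top-level `Possible Issues` key like the ones this commit removes would still pass validation.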