new: [interpol] Addition of INTERPOL Darknet- and Cryptoasset Ecosystems taxonomy

pull/964/head
Christophe Vandeplas 2024-04-23 10:15:08 +02:00
parent fbc6cfcac0
commit 83ffa6fa6f
No known key found for this signature in database
GPG Key ID: BDC48619FFDC5A5B
5 changed files with 1129 additions and 12 deletions

.vscode/launch.json vendored

@ -1,6 +1,16 @@
{
"version": "0.2.0",
"configurations": [
{
"name": "gen_interpol_dwvat",
"type": "debugpy",
"request": "launch",
"program": "${file}",
"console": "integratedTerminal",
"args": "-p ../../DW-VA-Taxonomy",
"cwd": "${fileDirname}"
},
{
"name": "Python Debugger: Current File",
"type": "debugpy",
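Review bot: the new `gen_interpol_dwvat` configuration hard-codes `"args": "-p ../../DW-VA-Taxonomy"`, a relative path to a sibling checkout that exists only on the author's machine, so this entry cannot work for anyone else as committed; either document the expected checkout location in the generator's help text or keep this in a local, git-ignored launch configuration. Note also that `"program": "${file}"` runs whatever file is currently open rather than the generator script, so the name of the configuration promises more than it does; point `program` at the generator's path if the entry is meant to stay.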


@ -6,7 +6,7 @@
MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or
attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There
are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy
are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy
but those can be overwritten, replaced, updated, forked and shared as you wish.
Existing clusters and vocabularies can be used as-is or as a common knowledge base. MISP distribution can be applied
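Review bot: in the `@ -6,7 +6,7` hunk the old and new copies of the line `are default knowledge base (such as Threat Actors, Tools, Ransomware, ATT&CK matrixes) available in MISP galaxy` are visually identical, so this is a whitespace-only change; the same pattern appears in the `mitre-data-component` and `mitre-data-source` hunks further down. Since the line is being touched anyway, `There are default knowledge base` should read `There are default knowledge bases`, and `matrixes` is normally `matrices`.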
@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
Category: *tool* - source: *Open Sources* - total: *24* elements
Category: *tool* - source: *Open Sources* - total: *28* elements
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
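Review bot: the Backdoor count moving from 24 to 28 elements has nothing to do with the INTERPOL taxonomy, and the same holds for the later bumps in this file (Ransomware 1705 to 1706, Sigma-Rules 2840 to 2873, Target Information 240 to 241, Threat Actor 644 to 668, Tool 596 to 603); they read as the README being regenerated to catch up with earlier cluster commits. That is fine, but say so in the commit message so nobody reading the history attributes those changes to this taxonomy.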
@ -211,6 +211,14 @@ Category: *Intelligence Agencies* - source: *https://en.wikipedia.org/wiki/List_
[[HTML](https://www.misp-project.org/galaxy.html#_intelligence_agencies)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/intelligence-agencies.json)]
## INTERPOL DWVA Entity Taxonomy
[INTERPOL DWVA Entity Taxonomy](https://www.misp-project.org/galaxy.html#_interpol_dwva_entity_taxonomy) - This taxonomy defines entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.
Category: *interpol-dwva-entities* - source: *https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/* - total: *88* elements
[[HTML](https://www.misp-project.org/galaxy.html#_interpol_dwva_entity_taxonomy)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/interpol-dwva-entities.json)]
## Malpedia
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
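Review bot: the README entry says `Category: *interpol-dwva-entities*`, but the cluster JSON added in this same commit declares `"category": "dwva-entities"` and `"type": "dwva-entities"`, so one of the two is stale; regenerate the README from the final JSON (or rename the JSON fields) before merging, and make sure the galaxy definition that accompanies this cluster (not visible in this hunk) uses the same `type`, since that is the key MISP matches clusters to galaxies on. The description also needs a grammar pass: `real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems` should be `real-world actors and services that are part of the larger darknet and cryptoasset ecosystem`; fix it in the JSON `description` so the regenerated README picks it up.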
@ -269,7 +277,7 @@ Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *
## mitre-data-component
[mitre-data-component](https://www.misp-project.org/galaxy.html#_mitre-data-component) - Data components are parts of data sources.
[mitre-data-component](https://www.misp-project.org/galaxy.html#_mitre-data-component) - Data components are parts of data sources.
Category: *data-component* - source: *https://github.com/mitre/cti* - total: *116* elements
@ -277,7 +285,7 @@ Category: *data-component* - source: *https://github.com/mitre/cti* - total: *11
## mitre-data-source
[mitre-data-source](https://www.misp-project.org/galaxy.html#_mitre-data-source) - Data sources represent the various subjects/topics of information that can be collected by sensors/logs.
[mitre-data-source](https://www.misp-project.org/galaxy.html#_mitre-data-source) - Data sources represent the various subjects/topics of information that can be collected by sensors/logs.
Category: *data-source* - source: *https://github.com/mitre/cti* - total: *40* elements
@ -495,7 +503,7 @@ Category: *actor* - source: *MISP Project* - total: *15* elements
[Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
Category: *tool* - source: *Various* - total: *1705* elements
Category: *tool* - source: *Various* - total: *1706* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
@ -535,7 +543,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2840* elements
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2873* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
@ -575,7 +583,7 @@ Category: *actor* - source: *MISP Project* - total: *50* elements
[Target Information](https://www.misp-project.org/galaxy.html#_target_information) - Description of targets of threat actors.
Category: *target* - source: *Various* - total: *240* elements
Category: *target* - source: *Various* - total: *241* elements
[[HTML](https://www.misp-project.org/galaxy.html#_target_information)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/target-information.json)]
@ -599,7 +607,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *644* elements
Category: *actor* - source: *MISP Project* - total: *668* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -663,7 +671,7 @@ Category: *tmss* - source: *https://github.com/microsoft/Threat-matrix-for-stora
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: *tool* - source: *MISP Project* - total: *596* elements
Category: *tool* - source: *MISP Project* - total: *603* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]
@ -675,11 +683,18 @@ Category: *military equipment* - source: *Popular Mechanics* - total: *36* eleme
[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)]
[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)]
## UKHSA Culture Collections
# Online documentation
[UKHSA Culture Collections](https://www.misp-project.org/galaxy.html#_ukhsa_culture_collections) - UK Health Security Agency Culture Collections represent deposits of cultures that consist of expertly preserved, authenticated cell lines and microbial strains of known provenance.
The [misp-galaxy.org](https://misp-galaxy.org) website provides an easily navigable resource for all MISP galaxy clusters.
Category: *virus* - source: *https://www.culturecollections.org.uk* - total: *6667* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ukhsa_culture_collections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ukhsa-culture-collections.json)]
# Online documentation
The [misp-galaxy.org](https://misp-galaxy.org) website provides an easily navigable resource for all MISP galaxy clusters.
A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) or [HTML](https://www.misp.software/galaxy.html) and generated from the JSON.
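Review bot: the new UKHSA Culture Collections entry is categorised as `virus`, while its own description says the collections consist of `cell lines and microbial strains`; a broader category covering cell lines and bacteria as well as viruses would fit better, unless the category is deliberately coarse, in which case the description should say so. Like the count bumps above, this block is README regeneration unrelated to the INTERPOL change and belongs in the commit message.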


@ -0,0 +1,930 @@
{
"authors": [
"INTERPOL Darkweb and Virtual Assets Working Group"
],
"category": "dwva-entities",
"description": "This taxonomy defines entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
"name": "INTERPOL DWVA Entity Taxonomy",
"source": "https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/",
"type": "dwva-entities",
"uuid": "b15898ba-a923-4916-856c-0dfe8b174196",
"values": [
{
"description": "An application that does not rely on a central server but on several decentralized nodes. Each user can choose to be an active node serving the app. ",
"meta": {
"kill_chain": [
"concepts:Infrastructure"
]
},
"uuid": "469a982f-c2fc-557e-9539-39641d9cb842",
"value": "Decentralized Apps"
},
{
"description": "A [hardware] cryptocurrency wallet is a device, physical medium, (...) which stores the private keys for cryptocurrency transactions. It will normally also contain the associated public keys.",
"meta": {
"kill_chain": [
"concepts:Wallet"
]
},
"uuid": "6d62ceb4-d172-54da-9ae5-e766f58bf4d6",
"value": "Hardware Wallet"
},
{
"description": "A decentralized distributed system that provides sharing contact information, so people downloading the same file can discover each other. Both Tor and I2P use DHT. Due to the distributed nature of the hidden services domain resolution, it is possible to deploy nodes in the DHT to monitor requests coming from a given domain.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "9d537e25-39d8-5cc3-b769-48ff900dfa70",
"value": "Distributed Hash Technology"
},
{
"description": "Bitcoin is a network protocol based on blockchain, introduced by Nakamoto [11] which allows payments and coin transfers to be made among participating entities. No trusted",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "4a6cfe47-bfc3-574d-9d07-950bd045e305",
"value": "Bitcoin"
},
{
"description": "Counterfeit consumer goods are goods, often of inferior quality, made or sold under another's brand name without the brand owner's authorization.",
"meta": {
"kill_chain": [
"concepts:Asset"
]
},
"uuid": "f95b3fad-a0d1-5141-8729-689189ca70a9",
"value": "Counterfeit product"
},
{
"description": "A shop owner is an actor within the group of Criminal Actors; operating a DW shop.",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "80fc8f9c-26e8-5759-afde-26ac748193ea",
"value": "Shop owner"
},
{
"description": "An HD (Hierarchical Deterministic) Wallet is a tree of private/public keypairs starting from a master seed. This technology provides both account management and identity masking. A user only needs to keep the master seeds because she can generate following keypairs from the root key deterministically, and each public key that can be exposed is changed for each transaction. ",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "73b6cf78-ae88-5fd5-8514-99e59063f1aa",
"value": "Hierarchically Deterministic wallets"
},
{
"description": "A non-fungible token (NFT) is a unit of data stored on a digital ledger, called a blockchain, that certifies a digital asset to be unique and therefore not interchangeable. NFTs can be used to represent items such as photos, videos, audio, and other types of digital files.",
"meta": {
"kill_chain": [
"concepts:Technology"
],
"refs": [
"https://en.wikipedia.org/wiki/Non-fungible_token"
]
},
"uuid": "75a2011e-c289-5a69-ab7d-4259a333563b",
"value": "Non Fungible Token"
},
{
"description": "A (hosting) service that guarantees the availability of hosted resources even when they are found to be malicious or illegal. ",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "f5c58c28-64ac-5cb4-aa01-6ff9e7eb0e7f",
"value": "Bulletproof Hosting"
},
{
"description": "Wiki services, including directory services for other hidden services, hosted in the Dark Web.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "63b2dd59-bc5d-5673-95bd-efca71d87c98",
"value": "Darknet Wiki"
},
{
"description": "In a Proof of Stake (PoS) network, users need to prove ownership of enough stakes to become validators. Ethereum (ETH) is moving from PoW to PoS. PoS offers several advantages over PoW: it is energy efficient, reduces hardware requirements and is less prone to centralisation ",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "ecf1ad91-1cf2-53dc-857e-f5f6b2b9223f",
"value": "Proof of Stake"
},
{
"description": "Multisig refers to all the transactions that require two or more signatures. Multisignature transactions and addresses are validated only when at least x of the possible y signatories have signed. x and y are defined at creation.",
"meta": {
"kill_chain": [
"concepts:Process"
]
},
"uuid": "2487485a-cd53-5e1e-82a5-b69a9422e469",
"value": "Multisig"
},
{
"description": "A cryptocurrency with a decentralized Blockchain that provides anonymity for its users and their transactions. It is similar to Bitcoin as an open-source, but their major differences are the increased level of privacy it provides. ",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "d34972ac-80c3-58ed-8c13-76a3f7ff2f3a",
"value": "Zcash"
},
{
"description": "Buyers may \"finalize early\" (FE), releasing funds from escrow to the vendor prior to receiving their goods in order to expedite a transaction. This can be done when there is a trust relationship between vendor and buyer, however it does leave the buyer vulnerable to fraud if they choose to do so.",
"meta": {
"kill_chain": [
"concepts:Process"
]
},
"uuid": "e699a6f3-2dc3-5df1-a3e5-bec7974fc985",
"value": "Finalize Early"
},
{
"description": "CoinSwap is a protocol to make a transaction via a third party to obfuscate the money flow. For instance, when Alice would like to pay Bob, Carol offers to receive Alice's coin and pay Bob with an unconnected coin. While none of these parties trusts each other, this protocol does not allow Carol to rob Alice's coin.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "2605341c-b0d1-51db-89fa-8bf0a3d03941",
"value": "Coin swapping"
},
{
"description": "Ripple is a real-time gross settlement system, currency exchange and remittance network created by Ripple Labs Inc., a US-based technology company. (...) The ledger employs the native cryptocurrency known as XRP.",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "00c741af-99c2-5c44-84bd-c4b83975e747",
"value": "Ripple"
},
{
"description": "Someone who is selling something.",
"meta": {
"kill_chain": [
"concepts:Actor"
],
"refs": [
"https://dictionary.cambridge.org/dictionary/english/vendor"
]
},
"uuid": "6e524ade-26e4-5fcf-9da1-e975ea8aaaa1",
"value": "Vendor"
},
{
"description": "Initial Coin Offerings (ICO) are public offers of new cryptocurrencies in exchange of existing ones, aimed to finance projects in the blockchain development arena. The typical pattern is for a startup to produce a white paper that describes their business model and technical approach. The white paper includes details about the functions that the tokens issued during the ICO will perform and the process of token creation.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "51c1324f-a92e-5803-861a-473ed2c26b4a",
"value": "Initial Coin Offering / Initial Crypto-Tokens Offering"
},
{
"description": "Layer 2 is a collective term for solutions designed to help scale decentralised applications by handling transactions off the Ethereum mainnet (layer 1), while taking advantage of the robust decentralized security model of mainnet.",
"meta": {
"kill_chain": [
"concepts:Technology"
],
"refs": [
"https://ethereum.org/en/developers/docs/scaling/layer-2-rollups"
]
},
"uuid": "e35d6c4e-27c8-5f5b-91e5-8738298388f7",
"value": "Layer 2"
},
{
"description": "Virtual asset service provider means any natural or legal person who (...) as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: i) exchange between virtual assets and fiat currencies; ii) exchange between one or more forms of virtual assets; iii) transfer of virtual assets; iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and v) participation in and provision of financial services related to an issuers offer and/or sale of a virtual asset.",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "2e2f67bf-d5a0-544a-a5e4-7bb9da23fd0c",
"value": "Virtual Asset Service Provider"
},
{
"description": "Same as exchange but in a completely distributed environment. There is no central hosting server and all nodes are servers.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "754d163f-01fc-551f-b501-c65591307d02",
"value": "Decentralized Exchange"
},
{
"description": "Refers to data that provides information about a certain item's content. For example, an image may include information that describes how large the picture is or when the image was created, while a text document may contain information about the author of the document, or the IP address of the document's author, and so on. ",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "bf02d987-1f4e-500f-af39-8d85cda7ffd1",
"value": "Metadata"
},
{
"description": "An exit scam can be performed by a dark net martket or single vendor shop and is the process in which the one or more of the market admins prevents users withdrawing funds through the escrow system and then closes the market, exiting with all the bitcoins and other digital currencies they were holding in escrow.",
"meta": {
"kill_chain": [
"concepts:Process"
]
},
"uuid": "d457fb70-6f79-5e0b-aad0-c947a6b61faf",
"value": "Exit scam"
},
{
"description": "A smart contract is a self-executing contract with the terms of the agreement between buyer and seller being directly written into lines of code. The code and the agreements contained therein exist across a distributed, decentralized blockchain network. The code controls the execution, and transactions are trackable and irreversible.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "ebf4b07b-e879-53c5-9b9e-862178742112",
"value": "Smart contract"
},
{
"description": "An actor that provides a service by making available and managing infrastructure or by executing a process",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "6e27d6e7-bb5f-5f8b-acff-2cb2a8e7ad02",
"value": "Service Provider"
},
{
"description": "An actor whose job it is to supervise the technical operation of a service",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "4040b338-591d-5863-8d5e-474294e603e4",
"value": "Administrator"
},
{
"description": "A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.",
"meta": {
"kill_chain": [
"concepts:Asset"
]
},
"uuid": "1666d707-c38a-5153-88fc-9ed6fdfeef75",
"value": "Virtual Asset "
},
{
"description": "Forum services hosted in the Dark Web.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "c50cbe2d-8c5d-556c-a3a0-1ee2edf8091c",
"value": "Darknet Forum"
},
{
"description": "A shop is a service where products from one actor (the shop owner) are traded.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "d6a68be7-82e7-5fd4-b653-27e8d15fb6dd",
"value": "Shop"
},
{
"description": "A digital account hosted by third party financial institution, known as Virtual Asset Service Provider(VASP), which allows the account-holder (the user) to store, send, and receive cryptocurrency.",
"meta": {
"kill_chain": [
"concepts:Wallet"
],
"refs": [
"https://home.treasury.gov/system/files/136/2020-12-18-FAQs.pdf"
]
},
"uuid": "951ea43f-6acc-56c4-b51d-0618a7f23c3f",
"value": "Hosted wallet"
},
{
"description": "A special-use top level domain name designating an anonymous onion service, which was formerly known as a \"hidden service\". It is referred to as that because of the “layered” approach to relays on the Tor Browser.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "229e9ab2-4c75-52af-aab8-e73d0fe8b493",
"value": ".Onion"
},
{
"description": "Blockchain bridges enable interoperability between vastly different networks, such as Bitcoin and Ethereum, and between one parent blockchain and its sidechains.",
"meta": {
"kill_chain": [
"concepts:Technology"
],
"refs": [
"https://blog.makerdao.com/what-are-blockchain-bridges-and-why-are-they-important-for-defi/"
]
},
"uuid": "309242e2-7882-558e-9563-0bb477bff5b8",
"value": "Bridge"
},
{
"description": "A wallet that is not hosted by a third-party financial system. It can be very difficult or impossible to determine who is accessing or in control of the use of cryptocurrencies in an unhosted wallet. Unhosted wallets allow for anonymity and concealment of illicit financial activity.",
"meta": {
"kill_chain": [
"concepts:Wallet"
],
"refs": [
"https://home.treasury.gov/system/files/136/2020-12-18-FAQs.pdf"
]
},
"uuid": "206859e5-f52b-5bad-8f49-08bc28d4e378",
"value": "Unhosted wallet"
},
{
"description": "A vending tactic involving the vendor passing the buyers address on to another vendor to ship to, eliminating any need for the middleman (dropshipper) to handle anything illegal in person.",
"meta": {
"kill_chain": [
"concepts:Generic"
],
"refs": [
"DNM Bible Glossary"
]
},
"uuid": "3ba88867-6567-5102-97e5-ecc23145593c",
"value": "Drop Ship"
},
{
"description": "A sidechain is a side blockchain that is linked to another blockchain, referred to as the main chain, via a two-way peg.",
"meta": {
"kill_chain": [
"concepts:Technology"
],
"refs": [
"https://coinmarketcap.com/alexandria/glossary/side-chain"
]
},
"uuid": "087b61b1-86b8-5859-95ec-ab26d76bd050",
"value": "Sidechain"
},
{
"description": "A cryptocurrency loan executed trough a smart contract, with no collateral, that must be paid back in the same block. The purpose of a flash loan is to gain money through arbitrage (on different exchanges or different assets) without providing any collateral.",
"meta": {
"kill_chain": [
"concepts:Technology"
],
"refs": [
"https://www.coindesk.com/what-is-a-flash-loan"
]
},
"uuid": "d04b5d8c-a7ea-52f0-a5cc-96133466fe07",
"value": "Flash Loan"
},
{
"description": "An escrow is a contractual arrangement in which a third party (the stakeholder or escrow agent) receives and disburses money or property for the primary transacting parties, with the disbursement dependent on conditions agreed to by the transacting parties.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "fc936928-f8be-5652-b13c-a0491158959a",
"value": "Escrow"
},
{
"description": "Bitcoin blockchain is constructed and validated by computation. Miners work to validate the blockchain with their computation power, proving their work for a reward. The Bitcoin Blockchain is based on Proof-of-Work. ",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "f4377e3b-ed10-5291-b984-4225013cde1b",
"value": "Proof of Work"
},
{
"description": "A method of scrambling or anonymizing the source of ones cryptocurrencies. ",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "7739c2a5-45f5-58b1-97af-59e65f69284c",
"value": "Tumbler"
},
{
"description": "An unspent transaction output of cryptocurrencies. This output is considered as an input to new transaction.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "ea28ccaa-9786-5871-bda1-add90914da3d",
"value": "Unspent Transaction Output"
},
{
"description": "A crypto-asset (...) is a digital asset designed to work as a medium of exchange wherein individual coin ownership records are stored in a ledger existing in a form of a computerized database using strong cryptography to secure transaction records, to control the creation of additional coins, and to verify the transfer of coin ownership.",
"meta": {
"kill_chain": [
"concepts:Asset"
]
},
"uuid": "e9bf2ffe-9695-5c79-a88d-792fefbed39b",
"value": "Crypto-assets"
},
{
"description": "Bitcoin Cash is a cryptocurrency that is a fork of Bitcoin. Bitcoin Cash is a spin-off or altcoin that was created in 2017.",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "ff848751-0764-5053-89af-e0feb4aeb482",
"value": "Bitcoin cash"
},
{
"description": "Fiat money is a currency (a medium of exchange) established as money, often by government regulation. Fiat money does not have intrinsic value and does not have use value. It has value only because a government maintains its value, or because parties engaging in exchange agree on its value. ",
"meta": {
"kill_chain": [
"concepts:Asset"
]
},
"uuid": "5b639ba0-e080-548b-9950-6e6c6f4a1fbd",
"value": "FIAT currencies"
},
{
"description": "A Bitcoin ATM (Automated Teller Machine) is a kiosk that allows a person to purchase Bitcoin and other cryptocurrencies by using cash or debit card. Some types of ATM also allow users to sell their cryptocurrency, dispensing cash in payment. Depending on the provider, the ATM can require KYC verification.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "2bb19164-c3ff-503f-9971-400de7af7fee",
"value": "Crypto ATM"
},
{
"description": "Ethereum is a decentralized, open-source blockchain with smart contract functionality. Ether (ETH) is the native cryptocurrency of the platform. It is the second-largest cryptocurrency by market capitalization, after Bitcoin. Ethereum is the most actively used blockchain. ",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "2c0ef492-3bc0-510b-bd43-0802d9adf3f5",
"value": "Ethereum"
},
{
"description": "A process that lets you earn either fixed or variable interest by investing crypto in a DeFi market.",
"meta": {
"kill_chain": [
"concepts:Process"
],
"refs": [
"https://decrypt.co/resources/what-is-yield-farming-beginners-guide"
]
},
"uuid": "cd806af8-2674-5d40-a0ed-af194df5737a",
"value": "Yield farming"
},
{
"description": "An “anonymous overlay network” using the garlic routing protocol that encrypts multiple messages together to make data traffic analysis difficult, while simultaneously increasing network traffic speed. Each encrypted message has its own specific delivery instruction, and each endpoint works as a cryptographic identifier or what we refer to as “keys.” Since I2P is entirely peer-to-peer in structure, there's no hard-coded trusted set of directory stores. Instead, the network directory of I2P is netDb, a distributed database that is replicated across the network.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "30b69477-70ff-51dc-b8f6-f29f03f5f0ac",
"value": "Invisible Internet Protocol"
},
{
"description": "Authority that defines (national) regulations",
"meta": {
"kill_chain": [
"concepts:Authorities"
]
},
"uuid": "30e65bc1-97e7-588f-a717-cb47a52b6ec6",
"value": "Regulator"
},
{
"description": "A collective name used to describe websites which require a special browser in order to access.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "46800c1a-cceb-555d-9a22-5ebaebf62625",
"value": "Hidden Service"
},
{
"description": "A relay is a node in the Tor network. When a request to access a particular hidden service is made, the browser calculates the optimal route through a series of relays, exchanging cryptographic keys between nodes, to display the content without disclosing the IP address of the request originator. Each relay decrypts a layer of encryption to reveal the next relay in the circuit to pass the remaining encrypted data on to it. The final relay decrypts the innermost layer of encryption and sends the original data to its destination without revealing or knowing the source IP address. ",
"meta": {
"kill_chain": [
"concepts:Infrastructure"
]
},
"uuid": "c751ccc2-a365-51f1-97a1-1fec29b9726d",
"value": "Relay (node)"
},
{
"description": "Bitcoin improvement proposals, these are the equivalent of RFCs. They define the protocols and structures of Bitcoin. They are developed and maintained at the Bitcoin Github.",
"meta": {
"kill_chain": [
"concepts:Process"
]
},
"uuid": "acbb92c2-be9c-55db-a264-2eb3ec09e6ce",
"value": "Bitcoin Improvement Proposals"
},
{
"description": "Smart Contracts on blockchains, DApps, mainly via the Ethereum technology and network. They are used to provide traditional financial services. The technology provides strong immunity against attackers and some level of anonymity and privacy. Transactions are confirmed relatively fast, but mostly lack KYC and AML compliance controls and offer limited to no user support and customer care. Current DeFi innovations include: Lending platforms; Prediction markets; Decentralised Exchange (DEXs); Staking and pooling platforms. ",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "a65902c5-b9d4-59ae-9b83-144923cea2bc",
"value": "Decentralized Finances"
},
{
"description": "The end user of a service. Customer would be paying for the services (buying good, using a service, owning an asset...).",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "7a226797-891c-55f6-8f2e-0753c8c43fec",
"value": "Customer"
},
{
"description": "Litecoin (LTC or Ł) is a peer-to-peer cryptocurrency and open-source software project released under the MIT/X11 license. Litecoin was an early bitcoin spinoff or altcoin, starting in October 2011. In technical details, Litecoin is nearly identical to Bitcoin.",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "6317fb5c-072e-5a80-845f-2577b18e4d89",
"value": "Litecoin"
},
{
"description": "Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation.",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "61bbe7e3-3ad2-5e44-bd76-91c5058e301a",
"value": "Cyberterrorist"
},
{
"description": "Tether is a controversial cryptocurrency with tokens issued by Tether Limited. It formerly falsely claimed that each token was backed by one United States dollar, but on 14 March 2019 changed the backing to include loans to affiliate companies.",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "058eb937-cce7-5469-a5fa-9def1e7b3744",
"value": "Tether"
},
{
"description": "A bank is a financial institution that accepts deposits from the public and creates a demand deposit while simultaneously making loans.",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "4ccf207f-40df-59ad-99d0-17fc7f9fd055",
"value": "Bank"
},
{
"description": "An open-source cryptocurrency created in April 2014 that focuses on fungibility, privacy and decentralization. Monero (XMR) uses an obfuscated public ledger, meaning anybody can broadcast or send transactions, but no outside observer can tell the source, amount or destination. ",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "d41ae632-4373-5915-b339-39ffe6ddff7d",
"value": "Monero"
},
{
"description": "BNB powers the Binance Ecosystem. As the native coin of Binance Chain, BNB has multiple use cases: fueling transactions on the Chain, paying for transaction fees on Binance Exchange, making in-store payments, and many more.",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "45800897-766c-51fe-ad0a-c33bb56277ba",
"value": "Binance Coin"
},
{
"description": "A type of anonymity network similar to Tor, based on the Invisible Internet Project protocol.",
"meta": {
"kill_chain": [
"concepts:Dark_Web"
]
},
"uuid": "27636f7b-1ac6-5db7-b322-045ed04b2de5",
"value": "Invisible Internet protocol network"
},
{
"description": "A darknet market is a commercial website on the web that operates via darknets such as Tor or I2P. They function primarily as black markets, selling or brokering transactions involving drugs, cyber-arms, weapons, counterfeit currency, stolen credit card details, forged documents, unlicensed pharmaceuticals, steroids, and other illicit goods as well as the sale of legal products.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "dae3b4a9-7838-5761-9356-faa9c55f0d47",
"value": "Darknet market"
},
{
"description": "An abbreviation for Pretty Good Privacy, an encryption program popular for encrypting emails and files. Through the use of public and private keys, it allows users who have never met to send encrypted messages etc. to each other without exchanging private encryption keys.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "0db385a9-9cbd-5420-acef-472029b9cd0a",
"value": "Pretty Good Privacy"
},
{
"description": "Notice and take down is a process operated by online hosts in response to court orders or allegations that content is illegal. Content is removed by the host following notice. ",
"meta": {
"kill_chain": [
"concepts:Process"
]
},
"uuid": "a22efe40-4a32-59af-b219-216e8ced8dd5",
"value": "Takedown notice"
},
{
"description": "Someone or something that has been hurt, damaged, or killed or has suffered, either because of the actions of someone or something else, or because of illness or chance.",
"meta": {
"kill_chain": [
"concepts:Actor"
],
"refs": [
"https://dictionary.cambridge.org/dictionary/english/victim"
]
},
"uuid": "73f67ffc-a672-55dc-a0e0-6a21f22b5033",
"value": "Victim"
},
{
"description": "Polkadot is a heterogeneous multi-chain interchange and translation architecture which enables customised side-chains to connect with public blockchains.",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "6d36792e-836a-5c87-9f8c-a826169eb2c8",
"value": "Polkadot"
},
{
"description": "Login credentials for e-services that are provided by financial institutions with a bank license.",
"meta": {
"kill_chain": [
"concepts:Asset"
]
},
"uuid": "d9620d2b-7f4a-5a04-aa8a-63935f1d3011",
"value": "Bank credentials"
},
{
"description": "A money mule, sometimes called a \"smurfer,\" is a person who transfers money acquired illegally in person, through a courier service, or electronically, on behalf of others. Typically, the mule is paid for services with a small part of the money transferred. ",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "91c16626-6b05-50e2-a344-62e07abac344",
"value": "Money mule"
},
{
"description": "A text-based chat service enabling users connected to a server to communicate with each other in real-time. ",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "14461a3c-b0f9-57b7-9aae-633988f910d4",
"value": "Internet Relay Chat"
},
{
"description": "A [software] cryptocurrency wallet is a (...) program or a service which stores the private keys for cryptocurrency transactions. It will normally also contain the associated public keys.",
"meta": {
"kill_chain": [
"concepts:Wallet"
]
},
"uuid": "b2d781a1-97d1-503e-b7e1-d099fc348071",
"value": "Software wallet"
},
{
"description": "Cardano is a public blockchain platform. It is open source and decentralized, with consensus achieved using proof of stake. It can facilitate peer-to-peer transactions with its internal cryptocurrency Ada.",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "f8b5c74e-6cdd-5bf0-9f11-c2419db6bab4",
"value": "Cardano"
},
{
"description": "Dogecoin (code: DOGE, symbol: Ð) is a cryptocurrency created by software engineers Billy Markus and Jackson Palmer, who decided to create a payment system that is instant, fun, and free from traditional banking fees.",
"meta": {
"kill_chain": [
"concepts:Cryptocurrency"
]
},
"uuid": "c93f371a-4d61-57fc-a3ef-e296eb5ddc4e",
"value": "Dogecoin"
},
{
"description": "Trading platform (commonly referred to as an “Exchange”) is the term within this paper used to describe any venue which facilitates the exchange of tokens for any form of money or asset. Trading platforms provide services to buy and sell tokens and/or for exchange of national (fiat) currencies backed by central banks.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "470b9309-79e3-545e-bc6a-df45df7e43af",
"value": "Exchange"
},
{
"description": "Blockchain is a distributed technology built under peer-to-peer network principles and cryptographic primitives, such as asymmetric encryption and digital signature. It allows trust-less users to exchange information and record transactions without external interference and coordination.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "3fc478f2-b949-5b25-aecd-c7263e0f453d",
"value": "Blockchain"
},
{
"description": "Messaging services hosted or accessible via privacy enhanced networks.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "58868c19-cee0-5f5c-b8fa-2db0e7be4277",
"value": "Darknet Email Service"
},
{
"description": "A credential is a piece of any document that details a qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so.",
"meta": {
"kill_chain": [
"concepts:Asset"
]
},
"uuid": "211d1030-727f-50e6-ae6e-05dd76bc72bd",
"value": "Credentials"
},
{
"description": "A rug pull is a malicious maneuver in the cryptocurrency industry where crypto developers abandon a project and run away with investors funds",
"meta": {
"kill_chain": [
"concepts:Process"
],
"refs": [
"https://coinmarketcap.com/alexandria/glossary/rug-pull"
]
},
"uuid": "87a990fe-f558-5dc6-93c4-385c76160c83",
"value": "Rug pull"
},
{
"description": "A person who manages the discussion contributions in an online forum.",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "e9b5e147-ae3f-52fa-a927-e0fd45af269c",
"value": "Moderator"
},
{
"description": "A network of routers that adds encryption to conceal a web users location and usage so that these are resistant to surveillance and hence are truly anonymous. The domain names of these hidden sites all end in .onion and they are only accessible by using a Tor browser. Tor stands for The Onion Router. ",
"meta": {
"kill_chain": [
"concepts:Dark_Web"
]
},
"uuid": "01d8b306-9f3c-58f3-a262-3666ef5422a6",
"value": "TOR Network"
},
{
"description": "One of the newest Darknets, becoming increasingly popular. It is a combination of trackerless Bittorrent and a Blockchain for persistent site and user identity. ZeroNet optionally uses the Tor network as a virtual private network. As a full mesh network, all clients are also servers. By browsing to a “zite” as they are known in ZeroNet lingo, the machine used automatically becomes one of the servers for this zite also. ",
"meta": {
"kill_chain": [
"concepts:Dark_Web"
]
},
"uuid": "2aef7bc3-7dec-55e7-8efb-09f2c2d4b998",
"value": "ZeroNet"
},
{
"description": "The dead drop is a delivery model used by some vendors to distribute their products. A vendor uses a dropman to hide consignments of pre-packaged drug deals in a number of suitably discreet offline locations. When a buyer makes a purchase from the vendor the geo-coordinates are provided to them for them to collect their order.",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "06d58504-8603-57cf-9684-fd170aec3e19",
"value": "Dead drop"
},
{
"description": "Coinjoin is a method of mixing cryptocurrency tokens or coins, where two or more user transactions are combined into a single transaction on the blockchain, with multiple inputs and outputs. The concept behind that methodology is to obfuscate the link between an input and an output that would otherwise be apparent in a standard, single-user transaction. The coinjoin methodology is open-source and integrated into some software wallets, and is also available for use via a hosted online service.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "3b0afb33-efce-56e5-9d17-9c4e29c24194",
"value": "Coinjoin"
},
{
"description": "A pastebin or text storage site is a type of online content hosting service where users can store plain text, e.g. to source code snippets for code review via Internet Relay Chat (IRC).",
"meta": {
"kill_chain": [
"concepts:Service"
]
},
"uuid": "1d370886-ae76-561b-bfda-00d7276a2672",
"value": "Paste site/service"
},
{
"description": "The deep web, invisible web, or hidden web are parts of the World Wide Web whose contents are not indexed by standard web search-engines.",
"meta": {
"kill_chain": [
"concepts:Infrastructure"
]
},
"uuid": "1671f327-3e58-5f64-94fe-acf0860effbe",
"value": "Deep Web"
},
{
"description": "(User of) Decentralized virtual currency that employs cryptography to accomplish tamper-resistance.",
"meta": {
"kill_chain": [
"concepts:Actor"
]
},
"uuid": "980a0996-5c70-5de2-9698-e5057015702d",
"value": "Cryptocurrencies User"
},
{
"description": "An attack to a DeFi protocol that exploits vulnerabilities in the flash loan system",
"meta": {
"kill_chain": [
"concepts:Process"
]
},
"uuid": "9f510016-a418-563f-9ffc-0a8fb1393d07",
"value": "Flash loan attack"
},
{
"description": "Privacy coins are a class of cryptocurrencies that power private and anonymous blockchain transactions by obscuring their origin and destination. Some of the techniques used include hiding a users real wallet balance and address, and mixing multiple transactions with each other to elude chain analysis.",
"meta": {
"kill_chain": [
"concepts:Asset"
]
},
"uuid": "96ccc6d4-fce6-5d4e-bfdc-4888a5af9aaa",
"value": "Privacy coin"
},
{
"description": "The exchange or sharing of information, data, or assets between parties without the involvement of a central authority. Peer-to-peer, or P2P, takes a decentralized approach to interactions between individuals and groups. This approach has been used in computers and networking (peer-to-peer file sharing), as well as with virtual assets trading.",
"meta": {
"kill_chain": [
"concepts:Technology"
]
},
"uuid": "acf94ffc-7cfe-5f59-84a4-63c07b283e3c",
"value": "Peer-to-peer exchange"
},
{
"description": "A virtual service that changes users IP addresses when using the Internet. ",
"meta": {
"kill_chain": [
"concepts:Infrastructure"
]
},
"uuid": "70d38f80-be9b-54aa-8918-3450db195147",
"value": "Proxy"
}
],
"version": 1
}
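Review bot: several generated descriptions carry trailing whitespace (the Monero, Takedown notice, Money mule, Internet Relay Chat, TOR Network, ZeroNet and Proxy entries all end in `... "`), which will reappear as diff noise on every regeneration; strip it in the generator (`'description': item['description'].strip()`) rather than hand-editing this file. A few upstream strings also drop possessive apostrophes ("run away with investors funds", "hiding a users real wallet balance", "changes users IP addresses"); if those are corrected, the fix belongs in the INTERPOL source YAML, otherwise the next run of the generator reverts it.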

View File

@ -0,0 +1,24 @@
{
"description": "This taxonomy defines entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
"icon": "user-secret",
"kill_chain_order": {
"concepts": [
"Actor",
"Asset",
"Authorities",
"Cryptocurrency",
"Dark_Web",
"Generic",
"Infrastructure",
"Process",
"Service",
"Technology",
"Wallet"
]
},
"name": "INTERPOL DWVA Entity Taxonomy",
"namespace": "interpol",
"type": "dwva-entities",
"uuid": "a375d7fd-0a3e-41cf-a531-ef56033df967",
"version": 1
}
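Review bot: the `description` string has a grammar slip, "real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems"; suggest "real-world actors and services that are part of the larger Darknet and Cryptoasset ecosystem". The same sentence is hard-coded twice as a default in tools/gen_interpol_dwvat.py, so correct it there as well or the next generator run reintroduces it. Also worth a short comment next to `kill_chain_order.concepts` that `Generic` is not an upstream broader concept but the bucket the generator assigns to entities that have no `broader` key.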

tools/gen_interpol_dwvat.py Executable file

@ -0,0 +1,138 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# A simple convertor of the Interpol Dark Web and Virtual Assets Taxonomies to a MISP Galaxy datastructure.
# https://github.com/INTERPOL-Innovation-Centre/DW-VA-Taxonomy
# Copyright (C) 2024 Christophe Vandeplas
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import yaml
import os
import uuid
import re
import json
import argparse
parser = argparse.ArgumentParser(description='Create/update the Interpol Dark Web and Virtual Assets Taxonomies based on Markdown files.')
parser.add_argument("-p", "--path", required=True, help="Path of the 'DW-VA-Taxonomy' git clone folder")
args = parser.parse_args()
if not os.path.exists(args.path):
exit("ERROR: DW-VA-Taxonomy folder incorrect")
'''
contains _data folder with
- abuses.yaml - simple taxonomy
- entities.yaml - matrix like taxonomy
'''
with open(os.path.join(args.path, '_data', 'entities.yaml'), 'r') as f:
entities_data = yaml.load(f, Loader=yaml.BaseLoader)
try:
with open(os.path.join('..', 'galaxies', 'interpol-entities.json'), 'r') as f:
json_galaxy = json.load(f)
except FileNotFoundError:
json_galaxy = {
'icon': "user-secret",
'kill_chain_order': {
'concepts': []
},
'name': "INTERPOL DWVA Entity Taxonomy",
'description': "This taxonomy defines entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
'namespace': "interpol",
'type': "dwva-entities",
'uuid': "a375d7fd-0a3e-41cf-a531-ef56033df967",
'version': 1
}
try:
with open(os.path.join('..', 'clusters', 'interpol-entities.json'), 'r') as f:
json_cluster = json.load(f)
except FileNotFoundError:
json_cluster = {
'authors': ["INTERPOL Darkweb and Virtual Assets Working Group"],
'category': 'dwva-entities',
'name': "INTERPOL DWVA Entity Taxonomy",
'description': "This taxonomy defines entities that represent real-world actors and service that are part of a larger Darknet- and Cryptoasset Ecosystems.",
'source': 'https://interpol-innovation-centre.github.io/DW-VA-Taxonomy/',
'type': "dwva-entities",
'uuid': "b15898ba-a923-4916-856c-0dfe8b174196",
'values': [],
'version': 1
}
tactics = set()
clusters_dict = {}
# FIXME create dict for the existing clusters, so we can update the clusters without losing the relations
# build a broader concept list so we can ignore them later on
broaders = set()
for section in entities_data:
try:
broaders.add(entities_data[section]['broader'])
except KeyError:
pass
print(broaders)
for section in entities_data:
item = entities_data[section]
if item['type'] == 'concept':
if item['id'] in broaders: # skip the broader concepts
print(f"Skipping {item['id']}")
continue
print(f"Processing {item['id']}")
if 'broader' not in item:
item['broader'] = 'generic'
tactics.add(item['broader'].title())
value = item['prefLabel']
clusters_dict[value] = {
'value': value,
'description': item['description'],
'uuid': str(uuid.uuid5(uuid.UUID("d0ceebc2-877b-4873-9785-d00f279ccb45"), value)),
'meta': {
'kill_chain': [f"concepts:{item['broader'].title()}"],
}
}
try:
clusters_dict[value]['meta']['refs'] = [item['seeAlso']]
except KeyError:
pass
# transform dict to list
clusters = []
for item in clusters_dict.values():
clusters.append(item)
json_cluster['values'] = clusters
json_galaxy['kill_chain_order']['concepts'] = sorted(list(tactics))
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', 'interpol-dwva-entities.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
with open(os.path.join('..', 'clusters', 'interpol-dwva-entities.json'), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")
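Review bot: the read and write paths do not match, so the update path is dead code: the script tries to load `galaxies/interpol-entities.json` and `clusters/interpol-entities.json` but writes `galaxies/interpol-dwva-entities.json` and `clusters/interpol-dwva-entities.json`, meaning both `try` blocks always fall through to the hard-coded defaults and every run rewrites `version: 1`. Use a single filename constant for both sides, and increment `json_galaxy['version']` and `json_cluster['version']` when an existing file was found, since `json_cluster['values']` is replaced wholesale (which is also what the FIXME about losing relations refers to). Smaller points: `exit("ERROR: ...")` should be `sys.exit(...)` with `import sys`; `print(broaders)` looks like leftover debugging; `item['description']` should be `.strip()`ped, as the generated cluster file shows trailing spaces; the final loop is just `clusters = list(clusters_dict.values())`; the docstring lists `abuses.yaml` as well, but only `entities.yaml` is processed, so either document that or drop it; and the duplicated `description` default reads "actors and service that are part of a larger ... Ecosystems" (should be "actors and services ... the larger ... ecosystem").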