MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [mapping] Generated automatic mapping between clusters

pull/250/head
Christophe Vandeplas 2018-08-14 09:32:24 +02:00
parent 5478f0aa45
commit 88162aa44e
20 changed files with 7484 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

169
clusters/android.json
View File

@ -84,6 +84,15 @@
"Invisble Man"
]
},
"related": [
{
"dest-uuid": "a33df440-f112-4a5e-a290-3c65dae6091d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "426ead34-b3e6-45c7-ba22-5b8f3b8214bd",
"value": "Svpeng"
},
@ -127,6 +136,15 @@
"http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf"
]
},
"related": [
{
"dest-uuid": "c8770c81-c29f-40d2-a140-38544206b2b4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f5cacc72-f02a-42d1-a020-7a59650086bb",
"value": "HummingBad"
},
@ -227,6 +245,22 @@
"Bankosy"
]
},
"related": [
{
"dest-uuid": "f8047de2-fefc-4ee0-825b-f1fae4b20c09",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "620981e8-49c8-486a-b30c-359702c8ffbc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3d3aa832-8847-47c5-9e31-ef13ab7ab6fb",
"value": "GM Bot"
},
@ -256,6 +290,29 @@
"Backdoor:Java/Adwind"
]
},
"related": [
{
"dest-uuid": "b76d9845-815c-4e77-9538-6b737269da2f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ab4694d6-7043-41f2-b328-d93bec9c1b22",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "dadccdda-a4c2-4021-90b9-61a394e602be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ce1a9641-5bb8-4a61-990a-870e9ef36ac1",
"value": "Adwind"
},
@ -301,6 +358,15 @@
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99"
]
},
"related": [
{
"dest-uuid": "c80a6bef-b3ce-44d0-b113-946e93124898",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0c769e82-df28-4f65-97f5-7f3d88488f2e",
"value": "Kemoge"
},
@ -682,6 +748,22 @@
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99"
]
},
"related": [
{
"dest-uuid": "f8047de2-fefc-4ee0-825b-f1fae4b20c09",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3d3aa832-8847-47c5-9e31-ef13ab7ab6fb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "620981e8-49c8-486a-b30c-359702c8ffbc",
"value": "Bankosy"
},
@ -2138,6 +2220,15 @@
"IcicleGum"
]
},
"related": [
{
"dest-uuid": "a5be6094-2d17-11e8-a5b1-ff153ed7d9c3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "52c5f9b3-e9ed-4c86-b4a8-d4ebc68a4d7b",
"value": "Igexin"
},
@ -3548,6 +3639,29 @@
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99"
]
},
"related": [
{
"dest-uuid": "b76d9845-815c-4e77-9538-6b737269da2f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ab4694d6-7043-41f2-b328-d93bec9c1b22",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ce1a9641-5bb8-4a61-990a-870e9ef36ac1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "dadccdda-a4c2-4021-90b9-61a394e602be",
"value": "Sockrat"
},
@ -3558,6 +3672,50 @@
"https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99"
]
},
"related": [
{
"dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
"value": "Sofacy"
},
@ -4214,6 +4372,15 @@
"https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf"
]
},
"related": [
{
"dest-uuid": "52c5f9b3-e9ed-4c86-b4a8-d4ebc68a4d7b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a5be6094-2d17-11e8-a5b1-ff153ed7d9c3",
"value": "IcicleGum"
},
@ -4320,5 +4487,5 @@
"value": "Skygofree"
}
],
"version": 10
"version": 11
}

145
clusters/banker.json
View File

@ -20,6 +20,22 @@
"Zbot"
]
},
"related": [
{
"dest-uuid": "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e",
"value": "Zeus"
},
@ -37,6 +53,15 @@
"Neverquest"
]
},
"related": [
{
"dest-uuid": "e95dd1ba-7485-4c02-bf2e-14beedbcf053",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f3813bbd-682c-400d-8165-778be6d3f91f",
"value": "Vawtrak"
},
@ -52,6 +77,22 @@
"Feodo Version D"
]
},
"related": [
{
"dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
"value": "Dridex"
},
@ -71,6 +112,15 @@
"Papras"
]
},
"related": [
{
"dest-uuid": "75b01a1e-3269-4f4c-bdba-37af4e9c3f54",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3",
"value": "Gozi"
},
@ -259,6 +309,15 @@
"Dyreza"
]
},
"related": [
{
"dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "15e969e6-f031-4441-a49b-f401332e4b00",
"value": "Dyre"
},
@ -278,6 +337,22 @@
"illi"
]
},
"related": [
{
"dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5594b171-32ec-4145-b712-e7701effffdd",
"value": "Tinba"
},
@ -294,6 +369,15 @@
"Emotet"
]
},
"related": [
{
"dest-uuid": "3f7616bd-f1de-46ee-87c2-43c0c2edaa28",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8e002f78-7fb8-4e70-afd7-0b4ac655be26",
"value": "Geodo"
},
@ -311,6 +395,22 @@
"Cridex"
]
},
"related": [
{
"dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7ca93488-c357-44c3-b246-3f88391aca5a",
"value": "Feodo"
},
@ -325,6 +425,15 @@
"Nimnul"
]
},
"related": [
{
"dest-uuid": "8ed81090-f098-4878-b87e-2d801b170759",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2",
"value": "Ramnit"
},
@ -342,6 +451,22 @@
"Pinkslipbot"
]
},
"related": [
{
"dest-uuid": "ac2ff27d-a7cb-46fe-ae32-cfe571dc614d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "6e1168e6-7768-4fa2-951f-6d6934531633",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a",
"value": "Qakbot"
},
@ -376,6 +501,15 @@
"Xbot"
]
},
"related": [
{
"dest-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e",
"value": "TinyNuke"
},
@ -542,6 +676,15 @@
"https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
]
},
"related": [
{
"dest-uuid": "4cfe3f22-96b8-4d3d-a6cc-85835d9471e2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7d9362e5-e3cf-4640-88a2-3faf31952963",
"value": "GratefulPOS"
},
@ -687,5 +830,5 @@
"value": "Kronos"
}
],
"version": 11
"version": 12
}

97
clusters/botnet.json
View File

@ -48,6 +48,15 @@
"Kraken"
]
},
"related": [
{
"dest-uuid": "e721809b-2785-4ce3-b95a-7fde2762f736",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7296f769-9bb7-474d-bbc7-5839f71d052a",
"value": "Marina Botnet"
},
@ -134,6 +143,22 @@
"https://en.wikipedia.org/wiki/Akbot"
]
},
"related": [
{
"dest-uuid": "ac2ff27d-a7cb-46fe-ae32-cfe571dc614d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6e1168e6-7768-4fa2-951f-6d6934531633",
"value": "Akbot"
},
@ -344,6 +369,15 @@
"Oficla"
]
},
"related": [
{
"dest-uuid": "b3ea33fd-eaa0-4bab-9bd0-12534c9aa987",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "65a30580-d542-4113-b00f-7fab98bd046c",
"value": "BredoLab"
},
@ -385,6 +419,15 @@
"Kracken"
]
},
"related": [
{
"dest-uuid": "7296f769-9bb7-474d-bbc7-5839f71d052a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e721809b-2785-4ce3-b95a-7fde2762f736",
"value": "Kraken"
},
@ -455,6 +498,22 @@
"Kneber"
]
},
"related": [
{
"dest-uuid": "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
"value": "Zeus"
},
@ -480,6 +539,15 @@
"https://en.wikipedia.org/wiki/Botnet"
]
},
"related": [
{
"dest-uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8ed81090-f098-4878-b87e-2d801b170759",
"value": "Ramnit"
},
@ -514,6 +582,15 @@
"https://en.wikipedia.org/wiki/Mirai_(malware)"
]
},
"related": [
{
"dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"value": "Mirai"
},
@ -538,6 +615,15 @@
"Okiru"
]
},
"related": [
{
"dest-uuid": "1ad4697b-3388-48ed-8621-85abebf5dbbf",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e77cf495-632a-4459-aad1-cdf29d73683f",
"value": "Satori"
},
@ -653,6 +739,15 @@
"Mad Max"
]
},
"related": [
{
"dest-uuid": "d3d56dd0-3409-470a-958b-a865fdd158f9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7a6fcec7-3408-4371-907b-cbf8fc931b66",
"value": "Madmax"
},
@ -707,5 +802,5 @@
"value": "Bamital"
}
],
"version": 8
"version": 9
}

36
clusters/exploit-kit.json
View File

@ -233,6 +233,22 @@
"3ROS Exploit Kit"
]
},
"related": [
{
"dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5594b171-32ec-4145-b712-e7701effffdd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
"value": "Hunter"
},
@ -291,6 +307,15 @@
"BHEK"
]
},
"related": [
{
"dest-uuid": "2ea1f494-cf18-49fb-a043-36555131dd7c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53",
"value": "BlackHole"
},
@ -354,6 +379,15 @@
"RIG-E"
]
},
"related": [
{
"dest-uuid": "525ce93a-76a1-441a-9c45-0eac64d0ed12",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86",
"value": "Empire"
},
@ -671,5 +705,5 @@
"value": "Unknown"
}
],
"version": 7
"version": 8
}

84
clusters/microsoft-activity-group.json
View File

@ -15,6 +15,22 @@
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"related": [
{
"dest-uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f",
"value": "PROMETHIUM"
},
@ -25,6 +41,22 @@
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"related": [
{
"dest-uuid": "025bdaa9-897d-4bad-afa6-013ba5734653",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "47b5007a-3fb1-466a-9578-629e6e735493",
"value": "NEODYMIUM"
},
@ -35,6 +67,15 @@
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
},
"related": [
{
"dest-uuid": "46670c51-fea4-45d6-bdd4-62e85a5c7404",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "99784b80-6298-45ba-885c-0ed37bfd8324",
"value": "TERBIUM"
},
@ -60,6 +101,22 @@
"Grey-Cloud"
]
},
"related": [
{
"dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec",
"value": "STRONTIUM"
},
@ -76,6 +133,15 @@
"darkhotel"
]
},
"related": [
{
"dest-uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a",
"value": "DUBNIUM"
},
@ -87,6 +153,22 @@
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
]
},
"related": [
{
"dest-uuid": "f9c06633-dcff-48a1-8588-759e7cec5694",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "154e97b5-47ef-415a-99a6-2157f1b50339",
"value": "PLATINUM"
},
@ -121,5 +203,5 @@
"value": "ZIRCONIUM"
}
],
"version": 3
"version": 4
}

841
clusters/mitre-enterprise-attack-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

906
clusters/mitre-enterprise-attack-malware.json
View File

File diff suppressed because it is too large Load Diff

63
clusters/mitre-enterprise-attack-tool.json
View File

@ -21,6 +21,15 @@
"Winexe"
]
},
"related": [
{
"dest-uuid": "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d",
"value": "Winexe - S0191"
},
@ -176,6 +185,15 @@
"Mimikatz"
]
},
"related": [
{
"dest-uuid": "7f3a035d-d83a-45b8-8111-412aa8ade802",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"value": "Mimikatz - S0002"
},
@ -518,6 +536,15 @@
"PsExec"
]
},
"related": [
{
"dest-uuid": "6dd05630-9bd8-11e8-a8b9-47ce338a4367",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
"value": "PsExec - S0029"
},
@ -534,6 +561,15 @@
"certutil.exe"
]
},
"related": [
{
"dest-uuid": "3e205e84-9f90-4b4b-8896-c82189936a15",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
"value": "certutil - S0160"
},
@ -662,6 +698,15 @@
"Pupy"
]
},
"related": [
{
"dest-uuid": "bdb420be-5882-41c8-b439-02bbef69d83f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
"value": "Pupy - S0192"
},
@ -692,6 +737,22 @@
"Cobalt Strike"
]
},
"related": [
{
"dest-uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3da22160-12d9-4d27-a99f-338e8de3844a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"value": "Cobalt Strike - S0154"
},
@ -711,5 +772,5 @@
"value": "Invoke-PSImage - S0231"
}
],
"version": 4
"version": 5
}

613
clusters/mitre-intrusion-set.json
View File

@ -20,6 +20,15 @@
],
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446"
},
"related": [
{
"dest-uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Poseidon Group"
},
{
@ -49,6 +58,15 @@
],
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647"
},
"related": [
{
"dest-uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "PittyTiger"
},
{
@ -63,6 +81,15 @@
],
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756"
},
"related": [
{
"dest-uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "admin@338"
},
{
@ -116,6 +143,22 @@
],
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
},
"related": [
{
"dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "APT28"
},
{
@ -133,6 +176,22 @@
],
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff"
},
"related": [
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Winnti Group"
},
{
@ -155,6 +214,22 @@
],
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064"
},
"related": [
{
"dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Deep Panda"
},
{
@ -171,6 +246,15 @@
],
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411"
},
"related": [
{
"dest-uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Molerats"
},
{
@ -187,6 +271,15 @@
],
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656"
},
"related": [
{
"dest-uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Strider"
},
{
@ -203,6 +296,29 @@
],
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192"
},
"related": [
{
"dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Sandworm Team"
},
{
@ -217,6 +333,15 @@
],
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb"
},
"related": [
{
"dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "FIN6"
},
{
@ -231,6 +356,15 @@
],
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31"
},
"related": [
{
"dest-uuid": "9e71024e-817f-45b0-92a0-d886c30bc929",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Dust Storm"
},
{
@ -248,6 +382,71 @@
],
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063"
},
"related": [
{
"dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Cleaver"
},
{
@ -266,6 +465,15 @@
],
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
},
"related": [
{
"dest-uuid": "48146604-6693-4db1-bd94-159744726514",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "APT12"
},
{
@ -280,6 +488,15 @@
],
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f"
},
"related": [
{
"dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Moafee"
},
{
@ -298,6 +515,29 @@
],
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c"
},
"related": [
{
"dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Threat Group-3390"
},
{
@ -314,6 +554,15 @@
],
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a"
},
"related": [
{
"dest-uuid": "a9b44750-992c-4743-8922-129880d277ea",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "DragonOK"
},
{
@ -331,6 +580,15 @@
],
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662"
},
"related": [
{
"dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "APT1"
},
{
@ -359,6 +617,15 @@
],
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
},
"related": [
{
"dest-uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Night Dragon"
},
{
@ -375,6 +642,29 @@
],
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050"
},
"related": [
{
"dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Naikon"
},
{
@ -406,6 +696,22 @@
],
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0"
},
"related": [
{
"dest-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Patchwork"
},
{
@ -421,6 +727,29 @@
],
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd"
},
"related": [
{
"dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "APT30"
},
{
@ -437,6 +766,22 @@
],
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772"
},
"related": [
{
"dest-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "MONSOON"
},
{
@ -452,6 +797,36 @@
],
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae"
},
"related": [
{
"dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "APT17"
},
{
@ -467,6 +842,15 @@
],
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc"
},
"related": [
{
"dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "FIN7"
},
{
@ -490,6 +874,15 @@
],
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9"
},
"related": [
{
"dest-uuid": "d144c83e-2302-4947-9e24-856fbf7949ae",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "APT3"
},
{
@ -504,6 +897,15 @@
],
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f"
},
"related": [
{
"dest-uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "GCMAN"
},
{
@ -521,6 +923,22 @@
],
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a"
},
"related": [
{
"dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Lazarus Group"
},
{
@ -537,6 +955,15 @@
],
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7"
},
"related": [
{
"dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Lotus Blossom"
},
{
@ -582,6 +1009,29 @@
],
"uuid": "b96e02f1-4037-463f-b158-5a964352f8d9"
},
"related": [
{
"dest-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "OilRig"
},
{
@ -597,6 +1047,15 @@
],
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1"
},
"related": [
{
"dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Dragonfly"
},
{
@ -611,6 +1070,15 @@
],
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d"
},
"related": [
{
"dest-uuid": "5abb12e7-5066-4f84-a109-49a037205c76",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Suckfly"
},
{
@ -625,6 +1093,15 @@
],
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8"
},
"related": [
{
"dest-uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Stealth Falcon"
},
{
@ -639,6 +1116,15 @@
],
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7"
},
"related": [
{
"dest-uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Scarlet Mimic"
},
{
@ -669,6 +1155,22 @@
],
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6"
},
"related": [
{
"dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Turla"
},
{
@ -686,6 +1188,15 @@
],
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542"
},
"related": [
{
"dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "APT29"
},
{
@ -700,6 +1211,15 @@
],
"uuid": "6c74fda2-bb04-40bd-a166-8c2d4b952d33"
},
"related": [
{
"dest-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "FIN10"
},
{
@ -722,6 +1242,15 @@
],
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f"
},
"related": [
{
"dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "menuPass"
},
{
@ -738,6 +1267,15 @@
],
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45"
},
"related": [
{
"dest-uuid": "0ca45163-e223-4167-b1af-f088ed14a93d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Putter Panda"
},
{
@ -756,6 +1294,22 @@
],
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973"
},
"related": [
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Axiom"
},
{
@ -771,6 +1325,15 @@
],
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c"
},
"related": [
{
"dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Carbanak"
},
{
@ -788,6 +1351,29 @@
],
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648"
},
"related": [
{
"dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "APT18"
},
{
@ -803,6 +1389,22 @@
],
"uuid": "7e5a571f-dee2-4cae-a960-f8ab8a8fb1cf"
},
"related": [
{
"dest-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "APT32"
},
{
@ -817,8 +1419,17 @@
],
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf"
},
"related": [
{
"dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Gamaredon Group"
}
],
"version": 6
"version": 7
}

762
clusters/mitre-malware.json
View File

File diff suppressed because it is too large Load Diff

46
clusters/mitre-mobile-attack-intrusion-set.json
View File

@ -30,9 +30,53 @@
"TG-4127"
]
},
"related": [
{
"dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"value": "APT28 - G0007"
}
],
"version": 3
"version": 4
}

70
clusters/mitre-mobile-attack-malware.json
View File

@ -98,6 +98,15 @@
"Kemoge"
]
},
"related": [
{
"dest-uuid": "0c769e82-df28-4f65-97f5-7f3d88488f2e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c80a6bef-b3ce-44d0-b113-946e93124898",
"value": "Shedun - MOB-S0010"
},
@ -145,6 +154,15 @@
"Pegasus"
]
},
"related": [
{
"dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a",
"value": "Pegasus - MOB-S0005"
},
@ -175,6 +193,15 @@
"HummingBad"
]
},
"related": [
{
"dest-uuid": "f5cacc72-f02a-42d1-a020-7a59650086bb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c8770c81-c29f-40d2-a140-38544206b2b4",
"value": "HummingBad - MOB-S0038"
},
@ -205,6 +232,15 @@
"Dendroid"
]
},
"related": [
{
"dest-uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e",
"value": "Dendroid - MOB-S0017"
},
@ -356,6 +392,29 @@
"X-Agent"
]
},
"related": [
{
"dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "56660521-6db4-4e5a-a927-464f22954b7c",
"value": "X-Agent - MOB-S0030"
},
@ -522,6 +581,15 @@
"Chrysaor"
]
},
"related": [
{
"dest-uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "93799a9d-3537-43d8-b6f4-17215de1657c",
"value": "Pegasus for Android - MOB-S0032"
},
@ -542,5 +610,5 @@
"value": "XcodeGhost - MOB-S0013"
}
],
"version": 3
"version": 4
}

11
clusters/mitre-mobile-attack-tool.json
View File

@ -20,9 +20,18 @@
"Xbot"
]
},
"related": [
{
"dest-uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4",
"value": "Xbot - MOB-S0014"
}
],
"version": 3
"version": 4
}

140
clusters/mitre-pre-attack-intrusion-set.json
View File

@ -45,6 +45,22 @@
"TG-4127"
]
},
"related": [
{
"dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"value": "APT28 - G0007"
},
@ -63,6 +79,71 @@
"Threat Group 2889"
]
},
"related": [
{
"dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"value": "Cleaver - G0003"
},
@ -82,6 +163,15 @@
"DNSCALC"
]
},
"related": [
{
"dest-uuid": "48146604-6693-4db1-bd94-159744726514",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"value": "APT12 - G0005"
},
@ -100,6 +190,15 @@
"Comment Panda"
]
},
"related": [
{
"dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"value": "APT1 - G0006"
},
@ -117,6 +216,15 @@
"Musical Chairs"
]
},
"related": [
{
"dest-uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"value": "Night Dragon - G0014"
},
@ -133,9 +241,39 @@
"Deputy Dog"
]
},
"related": [
{
"dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"value": "APT17 - G0025"
}
],
"version": 3
"version": 4
}

45
clusters/mitre-tool.json
View File

@ -111,6 +111,15 @@
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"related": [
{
"dest-uuid": "7f3a035d-d83a-45b8-8111-412aa8ade802",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Mimikatz"
},
{
@ -271,6 +280,15 @@
],
"uuid": "3e205e84-9f90-4b4b-8896-c82189936a15"
},
"related": [
{
"dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "certutil"
},
{
@ -366,6 +384,15 @@
],
"uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"related": [
{
"dest-uuid": "6dd05630-9bd8-11e8-a8b9-47ce338a4367",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "PsExec"
},
{
@ -410,6 +437,22 @@
],
"uuid": "3da22160-12d9-4d27-a99f-338e8de3844a"
},
"related": [
{
"dest-uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"value": "Cobalt Strike"
},
{
@ -429,5 +472,5 @@
"value": "Reg"
}
],
"version": 4
"version": 5
}

272
clusters/ransomware.json
View File

@ -1771,6 +1771,15 @@
"Purge Ransomware"
]
},
"related": [
{
"dest-uuid": "5541471c-8d15-4aec-9996-e24b59c3e3d6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "fe16edbe-3050-4276-bac3-c7ff5fd4174a",
"value": "Globe3 Ransomware"
},
@ -2251,6 +2260,15 @@
"https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html"
]
},
"related": [
{
"dest-uuid": "175ebcc0-d74f-49b2-9226-c660ca1fe2e8",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "cd1eb48e-070b-418e-8d83-4644a388f8ae",
"value": "Roga"
},
@ -4152,6 +4170,15 @@
"Trojan.Encoder.6491"
]
},
"related": [
{
"dest-uuid": "f855609e-b7ab-41e8-aafa-62016f8f4e1a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a57a8bc3-8c33-43e8-b237-25edcd5f532a",
"value": "Windows_Security Ransonware"
},
@ -4282,6 +4309,15 @@
"Purge Ransomware"
]
},
"related": [
{
"dest-uuid": "fe16edbe-3050-4276-bac3-c7ff5fd4174a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5541471c-8d15-4aec-9996-e24b59c3e3d6",
"value": "Globe2 Ransomware"
},
@ -4602,6 +4638,15 @@
"Fabiansomeware"
]
},
"related": [
{
"dest-uuid": "d5d3f9de-21b5-482e-b716-5f2f13182990",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e38b8876-5780-4574-9adf-304e9d659bdb",
"value": "Apocalypse"
},
@ -4700,6 +4745,15 @@
"Rakhni"
]
},
"related": [
{
"dest-uuid": "c85a41a8-a0a1-4963-894f-84bb980e6e86",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "af50d07e-3fc5-4014-9ac5-f5466cf042bc",
"value": "Bandarchor"
},
@ -4796,6 +4850,15 @@
"Salami"
]
},
"related": [
{
"dest-uuid": "b95aa3fb-9f32-450e-8058-67d94f196913",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "eee75995-321f-477f-8b57-eee4eedf4ba3",
"value": "Booyah"
},
@ -4903,6 +4966,15 @@
"http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/"
]
},
"related": [
{
"dest-uuid": "629f6986-2c1f-4d0a-b805-e4ef3e2ce634",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8ff729d9-aee5-4b85-a59d-3f57e105be40",
"value": "Central Security Treatment Organization"
},
@ -5071,6 +5143,15 @@
"Central Security Treatment Organization"
]
},
"related": [
{
"dest-uuid": "8ff729d9-aee5-4b85-a59d-3f57e105be40",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "629f6986-2c1f-4d0a-b805-e4ef3e2ce634",
"value": "CryLocker"
},
@ -5173,6 +5254,15 @@
"http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml"
]
},
"related": [
{
"dest-uuid": "681f212a-af1b-4e40-a718-81b0dc46dc52",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "1903ed75-05f7-4019-b0b7-7a8f23f22194",
"value": "CryptoBit"
},
@ -5216,6 +5306,15 @@
"READ IF YOU WANT YOUR FILES BACK.html"
]
},
"related": [
{
"dest-uuid": "b817ce63-f1c3-49de-bd8b-fd56c3f956c9",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "26c8b446-305c-4057-83bc-85b09630281e",
"value": "CryptoFortress"
},
@ -5522,6 +5621,15 @@
"CryptProjectXXX"
]
},
"related": [
{
"dest-uuid": "e272d0b5-cdfc-422a-bb78-9214475daec5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "255aac37-e4d2-4eeb-b8de-143f9c2321bd",
"value": "CryptXXX"
},
@ -5543,6 +5651,15 @@
"CryptProjectXXX"
]
},
"related": [
{
"dest-uuid": "255aac37-e4d2-4eeb-b8de-143f9c2321bd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e272d0b5-cdfc-422a-bb78-9214475daec5",
"value": "CryptXXX 2.0"
},
@ -5959,6 +6076,15 @@
"Trojan.Encoder.6491"
]
},
"related": [
{
"dest-uuid": "a57a8bc3-8c33-43e8-b237-25edcd5f532a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f855609e-b7ab-41e8-aafa-62016f8f4e1a",
"value": "Encoder.xxxx"
},
@ -6170,6 +6296,15 @@
"Roga"
]
},
"related": [
{
"dest-uuid": "cd1eb48e-070b-418e-8d83-4644a388f8ae",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "175ebcc0-d74f-49b2-9226-c660ca1fe2e8",
"value": "Free-Freedom"
},
@ -6264,6 +6399,15 @@
"http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/"
]
},
"related": [
{
"dest-uuid": "78ef77ac-a570-4fb9-af80-d04c09dff9ab",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "390abe30-8b9e-439e-a6d3-2ee978f05fba",
"value": "GNL Locker"
},
@ -7128,6 +7272,15 @@
"Booyah"
]
},
"related": [
{
"dest-uuid": "eee75995-321f-477f-8b57-eee4eedf4ba3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b95aa3fb-9f32-450e-8058-67d94f196913",
"value": "MM Locker"
},
@ -7152,6 +7305,15 @@
"CryptoBit"
]
},
"related": [
{
"dest-uuid": "1903ed75-05f7-4019-b0b7-7a8f23f22194",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "681f212a-af1b-4e40-a718-81b0dc46dc52",
"value": "Mobef"
},
@ -7361,6 +7523,15 @@
"Cryakl"
]
},
"related": [
{
"dest-uuid": "4f3e494e-0e37-4894-94b2-741a8100f07a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3c51fc0e-42d8-4ff0-b1bd-5c8c20271a39",
"value": "Offline ransomware"
},
@ -7456,6 +7627,15 @@
"https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/"
]
},
"related": [
{
"dest-uuid": "091c9923-5939-4bde-9db5-56abfb51f1a2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e211ea8d-5042-48ae-86c6-15186d1f8dba",
"value": "Patcher"
},
@ -7741,6 +7921,15 @@
"Bandarchor"
]
},
"related": [
{
"dest-uuid": "af50d07e-3fc5-4014-9ac5-f5466cf042bc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c85a41a8-a0a1-4963-894f-84bb980e6e86",
"value": "Rakhni"
},
@ -8140,6 +8329,15 @@
"Atom"
]
},
"related": [
{
"dest-uuid": "ff471870-7c9a-4122-ba89-489fc819660b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "503c9910-902f-4bae-8c33-ea29db8bdd7f",
"value": "Shark"
},
@ -8515,6 +8713,15 @@
"Teerac"
]
},
"related": [
{
"dest-uuid": "26c8b446-305c-4057-83bc-85b09630281e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b817ce63-f1c3-49de-bd8b-fd56c3f956c9",
"value": "TorrentLocker"
},
@ -8734,6 +8941,15 @@
"Zlader"
]
},
"related": [
{
"dest-uuid": "2195387d-ad9c-47e6-8f14-a49388b26eab",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "63a82b7f-9a71-47a8-9a79-14acc6595da5",
"value": "VaultCrypt"
},
@ -8930,6 +9146,15 @@
"CrypVault"
]
},
"related": [
{
"dest-uuid": "63a82b7f-9a71-47a8-9a79-14acc6595da5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2195387d-ad9c-47e6-8f14-a49388b26eab",
"value": "Zlader"
},
@ -8959,6 +9184,15 @@
"GNL Locker"
]
},
"related": [
{
"dest-uuid": "390abe30-8b9e-439e-a6d3-2ee978f05fba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "78ef77ac-a570-4fb9-af80-d04c09dff9ab",
"value": "Zyklon"
},
@ -9283,6 +9517,15 @@
"Patcher"
]
},
"related": [
{
"dest-uuid": "e211ea8d-5042-48ae-86c6-15186d1f8dba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "091c9923-5939-4bde-9db5-56abfb51f1a2",
"value": "FileCoder"
},
@ -9348,6 +9591,15 @@
"http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/"
]
},
"related": [
{
"dest-uuid": "3c51fc0e-42d8-4ff0-b1bd-5c8c20271a39",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "4f3e494e-0e37-4894-94b2-741a8100f07a",
"value": "Cryakl"
},
@ -9445,6 +9697,15 @@
"https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/"
]
},
"related": [
{
"dest-uuid": "b4433e66-9bc4-11e8-8f4e-7363f5526636",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "abf3001c-396c-11e8-8da6-ef501eef12e1",
"value": "Black Ruby"
},
@ -10063,6 +10324,15 @@
"https://www.accenture.com/t20180803T064557Z__w__/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf"
]
},
"related": [
{
"dest-uuid": "abf3001c-396c-11e8-8da6-ef501eef12e1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b4433e66-9bc4-11e8-8f4e-7363f5526636",
"value": "Black Ruby"
},
@ -10077,5 +10347,5 @@
"value": "Unnamed Android Ransomware"
}
],
"version": 27
"version": 28
}

376
clusters/rat.json
View File

@ -71,6 +71,22 @@
"Gen:Trojan.Heur.PT"
]
},
"related": [
{
"dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
"value": "PoisonIvy"
},
@ -120,6 +136,15 @@
"https://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/"
]
},
"related": [
{
"dest-uuid": "8c3202d5-1671-46ec-9d42-cb50dbe2f667",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3a1fc564-3705-4cc0-8f80-13c58d470d34",
"value": "Blackshades"
},
@ -135,6 +160,15 @@
"Dark Comet"
]
},
"related": [
{
"dest-uuid": "9ad11139-e928-45cf-a0b4-937290642e92",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8a21ae06-d257-48a0-989b-1c9aebedabc2",
"value": "DarkComet"
},
@ -223,6 +257,29 @@
"JBifrost"
]
},
"related": [
{
"dest-uuid": "ab4694d6-7043-41f2-b328-d93bec9c1b22",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ce1a9641-5bb8-4a61-990a-870e9ef36ac1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "dadccdda-a4c2-4021-90b9-61a394e602be",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b76d9845-815c-4e77-9538-6b737269da2f",
"value": "Adwind RAT"
},
@ -392,6 +449,15 @@
"Njw0rm"
]
},
"related": [
{
"dest-uuid": "c01ef312-dfd6-403f-a8b5-67fc11a550a7",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7fb493bb-756b-42a2-8f6d-59e254f4f2cc",
"value": "NJRat"
},
@ -570,6 +636,15 @@
"https://github.com/nyx0/Dendroid"
]
},
"related": [
{
"dest-uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f",
"value": "Dendroid"
},
@ -871,6 +946,15 @@
"https://leakforums.net/thread-36962"
]
},
"related": [
{
"dest-uuid": "e38b8876-5780-4574-9adf-304e9d659bdb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d5d3f9de-21b5-482e-b716-5f2f13182990",
"value": "Apocalypse"
},
@ -944,6 +1028,15 @@
"Njw0rm"
]
},
"related": [
{
"dest-uuid": "7fb493bb-756b-42a2-8f6d-59e254f4f2cc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "c01ef312-dfd6-403f-a8b5-67fc11a550a7",
"value": "Kiler RAT"
},
@ -1009,6 +1102,15 @@
"https://github.com/n1nj4sec/pupy"
]
},
"related": [
{
"dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "bdb420be-5882-41c8-b439-02bbef69d83f",
"value": "Pupy"
},
@ -1074,6 +1176,15 @@
"Shark"
]
},
"related": [
{
"dest-uuid": "503c9910-902f-4bae-8c33-ea29db8bdd7f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ff471870-7c9a-4122-ba89-489fc819660b",
"value": "SharK"
},
@ -1369,6 +1480,15 @@
"https://www.symantec.com/security_response/writeup.jsp?docid=2002-021310-3452-99"
]
},
"related": [
{
"dest-uuid": "2be434d3-03df-4236-9e7e-130c2efa8b33",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "281563d8-14f8-43a8-a0cb-2f0198f7146c",
"value": "NetDevil"
},
@ -1379,6 +1499,15 @@
"https://www.digitrustgroup.com/nanocore-not-your-average-rat/"
]
},
"related": [
{
"dest-uuid": "a8111fb7-d4c4-4671-a6f9-f62fea8bad60",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6c3c111a-93af-428a-bee0-feacbee0237d",
"value": "NanoCore"
},
@ -1428,6 +1557,15 @@
"NetDevil"
]
},
"related": [
{
"dest-uuid": "281563d8-14f8-43a8-a0cb-2f0198f7146c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2be434d3-03df-4236-9e7e-130c2efa8b33",
"value": "Net Devil"
},
@ -1537,6 +1675,15 @@
"https://attack.mitre.org/wiki/Software/S0126"
]
},
"related": [
{
"dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "9223bf17-7e32-4833-9574-9ffd8c929765",
"value": "ComRAT"
},
@ -1548,6 +1695,15 @@
"https://attack.mitre.org/wiki/Software/S0065"
]
},
"related": [
{
"dest-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d8aad68d-a68f-42e1-b755-d5f383b73401",
"value": "4H RAT"
},
@ -1605,6 +1761,22 @@
"Korplug"
]
},
"related": [
{
"dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "663f8ef9-4c50-499a-b765-f377d23c1070",
"value": "PlugX"
},
@ -1728,6 +1900,15 @@
"https://github.com/hussein-aitlahcen/BlackHole"
]
},
"related": [
{
"dest-uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2ea1f494-cf18-49fb-a043-36555131dd7c",
"value": "BlackHole"
},
@ -1759,6 +1940,15 @@
"https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
]
},
"related": [
{
"dest-uuid": "dd4358a4-7a43-42f7-8322-0f941ee61e57",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "6ac125c8-6f00-490f-a43b-30b36d715431",
"value": "FINSPY"
},
@ -1829,6 +2019,22 @@
"https://www.cobaltstrike.com/"
]
},
"related": [
{
"dest-uuid": "3da22160-12d9-4d27-a99f-338e8de3844a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f",
"value": "Cobalt Strike"
},
@ -1844,6 +2050,22 @@
"VIPER"
]
},
"related": [
{
"dest-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44",
"value": "Sakula"
},
@ -1855,6 +2077,15 @@
"https://attack.mitre.org/wiki/Software/S0071"
]
},
"related": [
{
"dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "12bb8f4f-af29-49a0-8c2c-d28468f28fd8",
"value": "hcdLoader"
},
@ -1865,6 +2096,22 @@
"http://www.connect-trojan.net/2015/01/crimson-rat-3.0.0.html"
]
},
"related": [
{
"dest-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "858edfb8-793a-430b-8acc-4310e7d2f0d3",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0",
"value": "Crimson"
},
@ -1875,6 +2122,15 @@
"http://hack-defender.blogspot.fr/2015/12/kjw0rm-v05x.html"
]
},
"related": [
{
"dest-uuid": "b3f7a454-3b23-4149-99aa-0132323814d0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "a7bffc6a-5b47-410b-b039-def16050adcb",
"value": "KjW0rm"
},
@ -1925,6 +2181,15 @@
"https://books.google.fr/books?isbn=2212290136"
]
},
"related": [
{
"dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "59fb0222-0e7d-4f5f-92ac-e68012fb927d",
"value": "3PARA RAT"
},
@ -1948,6 +2213,15 @@
"KONNI"
]
},
"related": [
{
"dest-uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "5b930a23-7d88-481f-8791-abc7b3dd93d2",
"value": "Konni"
},
@ -2013,6 +2287,15 @@
"https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat"
]
},
"related": [
{
"dest-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "d22a3e65-75e5-4970-b424-bdc06ec33dba",
"value": "Hi-Zor"
},
@ -2080,6 +2363,15 @@
"http://securityaffairs.co/wordpress/43889/cyber-crime/new-rat-trochilus.html"
]
},
"related": [
{
"dest-uuid": "5e15e4ca-0e04-4af1-ab2a-779dbcad545d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "8204723f-aefc-4c90-9178-8fe53e8d6f33",
"value": "Trochilus"
},
@ -2091,6 +2383,15 @@
"https://www.alienvault.com/blogs/security-essentials/matryoshka-malware-from-copykittens-group"
]
},
"related": [
{
"dest-uuid": "cb6c49ab-b9ac-459f-b765-05cbe2e63b0d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "33b86249-5455-4698-a5e5-0c9591e673b9",
"value": "Matryoshka"
},
@ -2165,6 +2466,15 @@
"qrat"
]
},
"related": [
{
"dest-uuid": "c3a784ee-cef7-4604-a5ba-ec7b193a5152",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "179288c9-4ff1-4a7e-b728-35dd2e6aac43",
"value": "Qarallax"
},
@ -2177,6 +2487,22 @@
"https://attack.mitre.org/wiki/Software/S0149"
]
},
"related": [
{
"dest-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "76ec1827-68a1-488f-9899-2b788ea8db64",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3",
"value": "MoonWind"
},
@ -2221,6 +2547,29 @@
"http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html"
]
},
"related": [
{
"dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "90124cc8-1205-4e63-83ad-5c45a110b1e6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "3df08e23-1d0b-41ed-b735-c4eca46ce48e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e",
"value": "RedLeaves"
},
@ -2317,6 +2666,22 @@
"http://blog.talosintelligence.com/2017/03/dnsmessenger.html"
]
},
"related": [
{
"dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab",
"value": "DNSMessenger"
},
@ -2380,6 +2745,15 @@
"https://www.us-cert.gov/ncas/alerts/TA17-318A"
]
},
"related": [
{
"dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "e0bea149-2def-484f-b658-f782a4f94815",
"value": "FALLCHILL"
},
@ -2539,5 +2913,5 @@
"value": "Hallaj PRO RAT"
}
],
"version": 12
"version": 13
}

1491
clusters/threat-actor.json
View File

File diff suppressed because it is too large Load Diff

1132
clusters/tool.json
View File

File diff suppressed because it is too large Load Diff

204
tools/gen_mapping.py Executable file
View File

@ -0,0 +1,204 @@
#!/usr/bin/env python3
'''
Author: Christophe Vandeplas
License: AGPL v3
This builds an automatic mapping between the galaxy clusters of the same type.
The mapping is made by using the synonyms documented in each cluster.
The output is saved in the cluster files themselves, if a change is done the version number is increased.
(commented out) The output is saved in a file called "mapping_XXX.json".
'''
import json
import os
# Some galaxy clusters have overlapping synonyms, while not being of the same type.
# This type_mapping is there to distinguish galaxies based on their type.
# Example: A galaxy of type 'actor' should not map to a galaxy of type 'tool', even if the name/synonym is the same.
type_mapping = {
'ransomware': 'tool',
# 'mitre-pre-attack-relationship': '',
# 'mitre-enterprise-attack-course-of-action': '',
'mitre-enterprise-attack-intrusion-set': 'actor',
'mitre-intrusion-set': 'actor',
'rat': 'tool',
'stealer': 'tool',
'mitre-enterprise-attack-malware': 'tool',
# 'mitre-attack-pattern': '',
# 'mitre-mobile-attack-relationship': '',
# 'mitre-enterprise-attack-attack-pattern': '',
'microsoft-activity-group': 'actor',
# 'mitre-course-of-action': '',
'exploit-kit': 'tool',
'mitre-mobile-attack-tool': 'tool',
'backdoor': 'tool',
# 'mitre-pre-attack-attack-pattern': '',
'mitre-mobile-attack-intrusion-set': 'tool',
'mitre-tool': 'tool',
# 'mitre-mobile-attack-attack-pattern': '',
'mitre-mobile-attack-malware': 'tool',
'tool': 'tool',
# 'preventive-measure': '',
# 'sector': '',
'mitre-malware': 'tool',
'banker': 'tool',
# 'branded-vulnerability': '',
'botnet': 'tool',
# 'cert-eu-govsector': '',
'threat-actor': 'actor',
'mitre-enterprise-attack-tool': 'tool',
'android': 'tool',
# 'mitre-mobile-attack-course-of-action': '',
'mitre-pre-attack-intrusion-set': 'actor',
# 'mitre-enterprise-attack-relationship': '',
'tds': 'tool'
}
def loadjsons(path):
"""
Find all Jsons and load them in a dict
"""
files = []
data = []
for name in os.listdir(path):
if os.path.isfile(os.path.join(path, name)) and name.endswith('.json'):
files.append(name)
for jfile in files:
data.append(json.load(open("%s/%s" % (path, jfile))))
return data
def printjson(s):
print(json.dumps(s, sort_keys=True, indent=4, separators=(',', ': ')))
def to_tag(t, v):
return 'misp-galaxy:{}="{}"'.format(t, v)
def get_cluster_uuid(cluster):
uuid = cluster.get('uuid')
if not uuid: # FIXME are these bugs in the format? - mitre-tool.json
uuid = cluster['meta'].get('uuid')
if not uuid:
print(cluster)
exit("ERROR: missing UUID in cluster")
return uuid
if __name__ == '__main__':
path = '../clusters'
jsons = loadjsons(path)
mappings = {}
for k, v in type_mapping.items():
if v not in mappings:
mappings[v] = []
for djson in jsons:
galaxy = djson['type']
# ignore the galaxies that are not relevant for us
if galaxy not in type_mapping:
continue
# process the entries in each cluster
clusters = djson.get('values')
for cluster in clusters:
names = [cluster['value']]
if 'meta' in cluster and 'synonyms' in cluster['meta']:
names += [s for s in cluster['meta']['synonyms']]
# check if the entry is already in our mappings dict
seen_once = False
for mapping in mappings[type_mapping[galaxy]]:
seen = False
# name is known, add the synonyms and tags
for name in names:
if name in mapping['names']:
seen = True
seen_once = True
# we have a match in this mapping, add name and synonyms
if seen:
for name in names:
if name not in mapping['names']:
mapping['names'].append(name)
tag = to_tag(galaxy, cluster['value'])
if tag not in mapping['values']:
mapping['values'].append(tag)
uuid = get_cluster_uuid(cluster)
if uuid not in mapping['uuids']:
mapping['uuids'].append(uuid)
# it's not in any mapping, add it
if not seen_once:
mapping = {}
mapping['names'] = names
mapping['values'] = [to_tag(galaxy, cluster['value'])]
uuid = get_cluster_uuid(cluster)
mapping['uuids'] = [uuid]
mappings[type_mapping[galaxy]].append(mapping)
# We have our nice mapping.
# Now we only need to add it again in the original files.
for name in os.listdir(path):
# skip files that are not relevant
if not (os.path.isfile(os.path.join(path, name)) and name.endswith('.json')):
continue
# load json
with open(os.path.join(path, name), 'r') as f_in:
file_json = json.load(f_in)
galaxy = file_json['type']
# ignore the galaxies that are not relevant for us
if galaxy not in type_mapping:
continue
changed = False
for cluster in file_json['values']:
for mapping in mappings[type_mapping[galaxy]]:
cluster_uuid = get_cluster_uuid(cluster)
if cluster_uuid not in mapping['uuids']:
continue
# uuid is in the mappings
for uuid in mapping['uuids']:
# skip self
if uuid == cluster_uuid:
continue
# skip existing entries
if 'related' in cluster:
if any(v['dest-uuid'] == uuid for v in cluster['related']):
continue
# initialize array
if 'related' not in cluster:
cluster['related'] = []
# automated things are set to likely
# manual validation can upgrade to very-likely or almost-certain
cluster['related'].append({"dest-uuid": uuid,
"type": "similar",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
]
})
changed = True
if changed:
file_json['version'] += 1
# save result to the original file
with open(os.path.join(path, name), 'w') as f_out:
json.dump(file_json, f_out, indent=2, sort_keys=True, ensure_ascii=False)
print("Updated file {}".format(name))
print("All done, please don't forget to ./validate_all.sh and ./jq_all_the_things.sh")
# # simply dump the mapping_json to files. This is not really needed anymore
# for galaxy_type, vals in mappings.items():
# for mapping in vals:
# mapping['names'].sort()
# mapping['values'].sort()
# with open('mapping_{}.json'.format(galaxy_type), 'w') as f:
# json.dump(vals, f, sort_keys=True, indent=4, separators=(',', ': '))
# print("File saved as mapping_{}.json".format(galaxy_type))