MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge https://github.com/MISP/misp-galaxy

pull/659/head
Delta-Sierra 2021-06-21 14:08:56 +02:00
parent 92bd2e3ee9 141b85c084
commit 97976ba2e8
8 changed files with 20338 additions and 3477 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

289
.gitchangelog.rc Normal file
View File

@ -0,0 +1,289 @@
# -*- coding: utf-8; mode: python -*-
##
## Format
##
## ACTION: [AUDIENCE:] COMMIT_MSG [!TAG ...]
##
## Description
##
## ACTION is one of 'chg', 'fix', 'new'
##
## Is WHAT the change is about.
##
## 'chg' is for refactor, small improvement, cosmetic changes...
## 'fix' is for bug fixes
## 'new' is for new features, big improvement
##
## AUDIENCE is optional and one of 'dev', 'usr', 'pkg', 'test', 'doc'|'docs'
##
## Is WHO is concerned by the change.
##
## 'dev' is for developpers (API changes, refactors...)
## 'usr' is for final users (UI changes)
## 'pkg' is for packagers (packaging changes)
## 'test' is for testers (test only related changes)
## 'doc' is for doc guys (doc only changes)
##
## COMMIT_MSG is ... well ... the commit message itself.
##
## TAGs are additionnal adjective as 'refactor' 'minor' 'cosmetic'
##
## They are preceded with a '!' or a '@' (prefer the former, as the
## latter is wrongly interpreted in github.) Commonly used tags are:
##
## 'refactor' is obviously for refactoring code only
## 'minor' is for a very meaningless change (a typo, adding a comment)
## 'cosmetic' is for cosmetic driven change (re-indentation, 80-col...)
## 'wip' is for partial functionality but complete subfunctionality.
##
## Example:
##
## new: usr: support of bazaar implemented
## chg: re-indentend some lines !cosmetic
## new: dev: updated code to be compatible with last version of killer lib.
## fix: pkg: updated year of licence coverage.
## new: test: added a bunch of test around user usability of feature X.
## fix: typo in spelling my name in comment. !minor
##
## Please note that multi-line commit message are supported, and only the
## first line will be considered as the "summary" of the commit message. So
## tags, and other rules only applies to the summary. The body of the commit
## message will be displayed in the changelog without reformatting.
##
## ``ignore_regexps`` is a line of regexps
##
## Any commit having its full commit message matching any regexp listed here
## will be ignored and won't be reported in the changelog.
##
ignore_regexps = [
r'@minor', r'!minor',
r'@cosmetic', r'!cosmetic',
r'@refactor', r'!refactor',
r'@wip', r'!wip',
r'^([cC]hg|[fF]ix|[nN]ew)\s*:\s*[p|P]kg:',
r'^([cC]hg|[fF]ix|[nN]ew)\s*:\s*[d|D]ev:',
r'^(.{3,3}\s*:)?\s*[fF]irst commit.?\s*$',
]
## ``section_regexps`` is a list of 2-tuples associating a string label and a
## list of regexp
##
## Commit messages will be classified in sections thanks to this. Section
## titles are the label, and a commit is classified under this section if any
## of the regexps associated is matching.
##
## Please note that ``section_regexps`` will only classify commits and won't
## make any changes to the contents. So you'll probably want to go check
## ``subject_process`` (or ``body_process``) to do some changes to the subject,
## whenever you are tweaking this variable.
##
section_regexps = [
('New', [
r'^[nN]ew\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n]*)$',
]),
('Changes', [
r'^[cC]hg\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n]*)$',
]),
('Fix', [
r'^[fF]ix\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n]*)$',
]),
('Other', None ## Match all lines
),
]
## ``body_process`` is a callable
##
## This callable will be given the original body and result will
## be used in the changelog.
##
## Available constructs are:
##
## - any python callable that take one txt argument and return txt argument.
##
## - ReSub(pattern, replacement): will apply regexp substitution.
##
## - Indent(chars=" "): will indent the text with the prefix
## Please remember that template engines gets also to modify the text and
## will usually indent themselves the text if needed.
##
## - Wrap(regexp=r"\n\n"): re-wrap text in separate paragraph to fill 80-Columns
##
## - noop: do nothing
##
## - ucfirst: ensure the first letter is uppercase.
## (usually used in the ``subject_process`` pipeline)
##
## - final_dot: ensure text finishes with a dot
## (usually used in the ``subject_process`` pipeline)
##
## - strip: remove any spaces before or after the content of the string
##
## - SetIfEmpty(msg="No commit message."): will set the text to
## whatever given ``msg`` if the current text is empty.
##
## Additionally, you can `pipe` the provided filters, for instance:
#body_process = Wrap(regexp=r'\n(?=\w+\s*:)') | Indent(chars=" ")
#body_process = Wrap(regexp=r'\n(?=\w+\s*:)')
#body_process = noop
body_process = ReSub(r'((^|\n)[A-Z]\w+(-\w+)*: .*(\n\s+.*)*)+$', r'') | strip
## ``subject_process`` is a callable
##
## This callable will be given the original subject and result will
## be used in the changelog.
##
## Available constructs are those listed in ``body_process`` doc.
subject_process = (strip |
ReSub(r'^([cC]hg|[fF]ix|[nN]ew)\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n@]*)(@[a-z]+\s+)*$', r'\4') |
SetIfEmpty("No commit message.") | ucfirst | final_dot)
## ``tag_filter_regexp`` is a regexp
##
## Tags that will be used for the changelog must match this regexp.
##
tag_filter_regexp = r'^v[0-9]+\.[0-9]+\.[0-9]+$'
## ``unreleased_version_label`` is a string or a callable that outputs a string
##
## This label will be used as the changelog Title of the last set of changes
## between last valid tag and HEAD if any.
unreleased_version_label = "%%version%% (unreleased)"
## ``output_engine`` is a callable
##
## This will change the output format of the generated changelog file
##
## Available choices are:
##
## - rest_py
##
## Legacy pure python engine, outputs ReSTructured text.
## This is the default.
##
## - mustache(<template_name>)
##
## Template name could be any of the available templates in
## ``templates/mustache/*.tpl``.
## Requires python package ``pystache``.
## Examples:
## - mustache("markdown")
## - mustache("restructuredtext")
##
## - makotemplate(<template_name>)
##
## Template name could be any of the available templates in
## ``templates/mako/*.tpl``.
## Requires python package ``mako``.
## Examples:
## - makotemplate("restructuredtext")
##
#output_engine = rest_py
#output_engine = mustache("restructuredtext")
output_engine = mustache("markdown")
#output_engine = makotemplate("restructuredtext")
## ``include_merge`` is a boolean
##
## This option tells git-log whether to include merge commits in the log.
## The default is to include them.
include_merge = True
## ``log_encoding`` is a string identifier
##
## This option tells gitchangelog what encoding is outputed by ``git log``.
## The default is to be clever about it: it checks ``git config`` for
## ``i18n.logOutputEncoding``, and if not found will default to git's own
## default: ``utf-8``.
#log_encoding = 'utf-8'
## ``publish`` is a callable
##
## Sets what ``gitchangelog`` should do with the output generated by
## the output engine. ``publish`` is a callable taking one argument
## that is an interator on lines from the output engine.
##
## Some helper callable are provided:
##
## Available choices are:
##
## - stdout
##
## Outputs directly to standard output
## (This is the default)
##
## - FileInsertAtFirstRegexMatch(file, pattern, idx=lamda m: m.start())
##
## Creates a callable that will parse given file for the given
## regex pattern and will insert the output in the file.
## ``idx`` is a callable that receive the matching object and
## must return a integer index point where to insert the
## the output in the file. Default is to return the position of
## the start of the matched string.
##
## - FileRegexSubst(file, pattern, replace, flags)
##
## Apply a replace inplace in the given file. Your regex pattern must
## take care of everything and might be more complex. Check the README
## for a complete copy-pastable example.
##
# publish = FileInsertIntoFirstRegexMatch(
# "CHANGELOG.rst",
# r'/(?P<rev>[0-9]+\.[0-9]+(\.[0-9]+)?)\s+\([0-9]+-[0-9]{2}-[0-9]{2}\)\n--+\n/',
# idx=lambda m: m.start(1)
# )
#publish = stdout
## ``revs`` is a list of callable or a list of string
##
## callable will be called to resolve as strings and allow dynamical
## computation of these. The result will be used as revisions for
## gitchangelog (as if directly stated on the command line). This allows
## to filter exaclty which commits will be read by gitchangelog.
##
## To get a full documentation on the format of these strings, please
## refer to the ``git rev-list`` arguments. There are many examples.
##
## Using callables is especially useful, for instance, if you
## are using gitchangelog to generate incrementally your changelog.
##
## Some helpers are provided, you can use them::
##
## - FileFirstRegexMatch(file, pattern): will return a callable that will
## return the first string match for the given pattern in the given file.
## If you use named sub-patterns in your regex pattern, it'll output only
## the string matching the regex pattern named "rev".
##
## - Caret(rev): will return the rev prefixed by a "^", which is a
## way to remove the given revision and all its ancestor.
##
## Please note that if you provide a rev-list on the command line, it'll
## replace this value (which will then be ignored).
##
## If empty, then ``gitchangelog`` will act as it had to generate a full
## changelog.
##
## The default is to use all commits to make the changelog.
#revs = ["^1.0.3", ]
#revs = [
# Caret(
# FileFirstRegexMatch(
# "CHANGELOG.rst",
# r"(?P<rev>[0-9]+\.[0-9]+(\.[0-9]+)?)\s+\([0-9]+-[0-9]{2}-[0-9]{2}\)\n--+\n")),
# "HEAD"
#]
revs = []

5470
clusters/mitre-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

567
clusters/mitre-course-of-action.json
View File

@ -498,6 +498,27 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "eb88d97c-32f1-40be-80f0-d61a4b0b4b31",
@ -595,6 +616,41 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "800f9819-7007-4540-a520-40e655876800",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "1dcaeb21-9348-42ea-950a-f842aaf1ae1f",
@ -780,6 +836,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433",
@ -878,13 +941,6 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9",
@ -1204,6 +1260,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"tags": [
@ -1463,13 +1526,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
"tags": [
@ -1532,6 +1588,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "987988f0-cf86-4680-a875-2f6456ab2448",
@ -3340,6 +3403,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "b9f0c069-abbe-4a07-a245-2481219a1463",
@ -4064,30 +4134,6 @@
"uuid": "245075bc-f992-4d89-af8c-834c53d403f4",
"value": "Transmitted Data Manipulation Mitigation - T1493"
},
{
"description": "Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as Bloodhound (version 1.5.1 and later)(Citation: GitHub Bloodhound).\n\nConsider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.(Citation: Wald0 Guide to GPOs)(Citation: Microsoft WMI Filters)(Citation: Microsoft GPO Security Filtering)",
"meta": {
"external_id": "T1484",
"refs": [
"https://attack.mitre.org/mitigations/T1484",
"https://github.com/BloodHoundAD/BloodHound",
"https://wald0.com/?p=179",
"https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/",
"https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo"
]
},
"related": [
{
"dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "2108b914-eee1-45cc-8840-36272b19596a",
"value": "Group Policy Modification Mitigation - T1484"
},
{
"description": "Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)",
"meta": {
@ -4904,6 +4950,20 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3",
"tags": [
@ -5415,6 +5475,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "12241367-a8b7-49b4-b86e-2236901ba50c",
@ -5784,6 +5851,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "e3388c78-2a8d-47c2-8422-c1398b324462",
@ -6170,6 +6244,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"tags": [
@ -6547,6 +6628,48 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1126cab1-c700-412f-a510-61f4937bb096",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "93e7968a-9074-4eac-8ae9-9f5200ec3317",
@ -6872,6 +6995,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "a2c36a5d-4058-475e-8e77-fff75e50d3b9",
@ -7855,6 +7985,76 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "24769ab5-14bd-4f4e-a752-cfb185da53ee",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1126cab1-c700-412f-a510-61f4937bb096",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "800f9819-7007-4540-a520-40e655876800",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "9bb9e696-bff8-4ae1-9454-961fc7d91d5f",
@ -8210,6 +8410,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "2f316f6c-ae42-44fe-adf8-150989e0f6d3",
@ -8352,6 +8559,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e0232cb0-ded5-4c2e-9dc7-2893142a5c11",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b",
"tags": [
@ -11014,13 +11228,41 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "800f9819-7007-4540-a520-40e655876800",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "86598de0-b347-4928-9eb0-0acbfc21908c",
"value": "Network Segmentation - M1030"
},
{
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Detect App Analysis Environment](https://attack.mitre.org/techniques/T1440) exist that can enable adversaries to bypass vetting.",
"description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.",
"meta": {
"external_id": "M1005",
"refs": [
@ -11356,6 +11598,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "1553b156-6767-47f7-9eb4-2a692505666d",
@ -11592,6 +11841,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1",
@ -11986,6 +12242,20 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "e5d930e9-775a-40ad-9bdb-b941d8dfe86b",
@ -12354,6 +12624,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
@ -12806,6 +13083,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "90c218c3-fbf8-4830-98a7-e8cfb7eaa485",
@ -13452,6 +13736,34 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
@ -13598,6 +13910,69 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "8982a661-d84c-48c0-b4ec-1db29c6cf3bc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067",
@ -13772,6 +14147,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "590777b3-b475-4c7c-aaf8-f4a73b140312",
@ -13869,6 +14251,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "7da0387c-ba92-4553-b291-b636ee42b2eb",
@ -14728,6 +15117,48 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "506f6f49-7045-4156-9007-7474cb44ad6d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "c071d8c1-3b3a-4f22-9407-ca4e96921069",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "84ae8255-b4f4-4237-b5c5-e717405a9701",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "78bb71be-92b4-46de-acd6-5f998fedf1cc",
@ -14873,6 +15304,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "e083305c-49e7-4c87-aae8-9689213bffbe",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c",
@ -15251,13 +15689,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a",
"tags": [
@ -15348,11 +15779,53 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "94cb00a4-b295-4d06-aa2b-5653b9c1be9c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "861b8fd2-57f3-4ee1-ab5d-c19c3b8c7a4a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "1f9c2bae-b441-4f66-a8af-b65946ee72f2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "800f9819-7007-4540-a520-40e655876800",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
"value": "Audit - M1047"
}
],
"version": 18
"version": 19
}

6468
clusters/mitre-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

9671
clusters/mitre-malware.json
View File

File diff suppressed because it is too large Load Diff

585
clusters/mitre-tool.json
View File

@ -66,6 +66,110 @@
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
"value": "Pass-The-Hash Toolkit - S0122"
},
{
"description": "[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)",
"meta": {
"external_id": "S0527",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0527",
"https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite"
],
"synonyms": [
"CSPY Downloader"
]
},
"related": [
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94",
"value": "CSPY Downloader - S0527"
},
{
"description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)",
"meta": {
@ -381,6 +485,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
@ -397,7 +508,7 @@
"refs": [
"https://attack.mitre.org/software/S0040",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools"
],
"synonyms": [
"HTRAN",
@ -1232,7 +1343,7 @@
"value": "PsExec - S0029"
},
{
"description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.",
"description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.",
"meta": {
"external_id": "S0039",
"mitre_platforms": [
@ -1639,6 +1750,66 @@
"uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"value": "Tasklist - S0057"
},
{
"description": "[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)",
"meta": {
"external_id": "S0590",
"mitre_platforms": [
"Windows",
"Linux",
"macOS"
],
"refs": [
"https://attack.mitre.org/software/S0590",
"https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html",
"https://sectools.org/tool/nbtscan/",
"https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments",
"https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html"
],
"synonyms": [
"NBTscan"
]
},
"related": [
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8",
"value": "NBTscan - S0590"
},
{
"description": "[FTP](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)",
"meta": {
@ -1942,6 +2113,105 @@
"uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
"value": "xCmd - S0123"
},
{
"description": "[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)",
"meta": {
"external_id": "S0521",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0521",
"https://github.com/BloodHoundAD/BloodHound",
"https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/",
"https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf"
],
"synonyms": [
"BloodHound"
]
},
"related": [
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "066b057c-944e-4cfc-b654-e3dfba04b926",
"value": "BloodHound - S0521"
},
{
"description": "[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)",
"meta": {
@ -2414,6 +2684,61 @@
"uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2",
"value": "Forfiles - S0193"
},
{
"description": "[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)",
"meta": {
"external_id": "S0594",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0594",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"Out1"
]
},
"related": [
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d",
"value": "Out1 - S0594"
},
{
"description": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)",
"meta": {
@ -2449,7 +2774,7 @@
"value": "Responder - S0174"
},
{
"description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1086) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)",
"description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)",
"meta": {
"external_id": "S0194",
"mitre_platforms": [
@ -2663,7 +2988,7 @@
"type": "uses"
},
{
"dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0",
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -2701,6 +3026,125 @@
"uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
"value": "meek - S0175"
},
{
"description": "[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit 42 IronNetInjector February 2021 )",
"meta": {
"external_id": "S0581",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0581",
" https://unit42.paloaltonetworks.com/ironnetinjector/"
],
"synonyms": [
"IronNetInjector"
]
},
"related": [
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e",
"value": "IronNetInjector - S0581"
},
{
"description": "[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)",
"meta": {
"external_id": "S0591",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0591",
"https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"ConnectWise",
"ScreenConnect"
]
},
"related": [
{
"dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261",
"value": "ConnectWise - S0591"
},
{
"description": "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)",
"meta": {
@ -2950,7 +3394,7 @@
],
"refs": [
"https://attack.mitre.org/software/S0227",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
"https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
],
"synonyms": [
"spwebmember"
@ -3103,7 +3547,7 @@
"value": "Remcos - S0332"
},
{
"description": "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1086). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)",
"description": "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1059/001). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)",
"meta": {
"external_id": "S0378",
"mitre_platforms": [
@ -3341,6 +3785,111 @@
"uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc",
"value": "PoshC2 - S0378"
},
{
"description": "[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)",
"meta": {
"external_id": "S0552",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0552",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ ",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
],
"synonyms": [
"AdFind"
]
},
"related": [
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "f59508a6-3615-47c3-b493-6676e1a39a87",
"value": "AdFind - S0552"
},
{
"description": "[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)",
"meta": {
"external_id": "S0592",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0592",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"RemoteUtilities"
]
},
"related": [
{
"dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b",
"value": "RemoteUtilities - S0592"
},
{
"description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)",
"meta": {
@ -3411,7 +3960,7 @@
"value": "Xbot - S0298"
},
{
"description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1086) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)",
"description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)",
"meta": {
"external_id": "S0363",
"mitre_platforms": [
@ -3421,8 +3970,8 @@
],
"refs": [
"https://attack.mitre.org/software/S0363",
"https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
"https://github.com/PowerShellEmpire/Empire",
"https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools",
"https://github.com/EmpireProject/Empire",
"https://github.com/dstepanic/attck_empire"
],
"synonyms": [
@ -3818,7 +4367,7 @@
"type": "uses"
},
{
"dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
"dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -3907,6 +4456,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "fc742192-19e3-466c-9eb5-964a97b29490",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3",
@ -4034,6 +4590,13 @@
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b",
@ -4556,5 +5119,5 @@
"value": "CrackMapExec - S0488"
}
],
"version": 19
"version": 20
}

51
clusters/ransomware.json
View File

@ -2249,6 +2249,9 @@
"refs": [
"https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html",
"https://twitter.com/JakubKroustek/status/825790584971472902"
],
"synonyns": [
"XCrypt"
]
},
"uuid": "fd5bb71f-80dc-4a6d-ba8e-ed74999700d3",
@ -3231,17 +3234,17 @@
"https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html",
"https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/",
"https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/"
],
"related": [
{
"dest-uuid": "7c5a1e93-7ab2-4b08-ada9-e82c4feaed0a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
]
},
"related": [
{
"dest-uuid": "7c5a1e93-7ab2-4b08-ada9-e82c4feaed0a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ac7affb8-971d-4c05-84f0-172b61d007d7",
"value": "GoldenEye Ransomware"
},
@ -14181,6 +14184,8 @@
{
"description": "Mespinoza ransomware is used at least since october 2018. First versions used the common extension \".locked\". SInce december 2019 a new version in open sourced and documented, this new version uses the \".pyza\" extension.",
"meta": {
"colt-average": "70d",
"colt-median": "66d",
"extensions": [
".pyza",
".locked",
@ -14365,6 +14370,8 @@
{
"description": "Darkside, the latest ransomware operation to emerge has been attacking organizations beginning earlier this month. Darksides customized attacks on companies have already garnered them million-dollar payouts.\nThrough their “press release”, these threat actors have claimed to be affiliated with prior ransomware operations making millions of dollars. They stated that they created this new product to match their needs, as prior products didnt.\n Darkside explains that they only target companies they know that can pay the specified ransom. They have allegedly promised that they will not attack the following sectors. They include medicine, education, non-profit organizations, and the government sector.",
"meta": {
"colt-average": "11d",
"colt-median": "7d",
"refs": [
"https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/",
"https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/",
@ -22914,16 +22921,6 @@
"uuid": "911e63bc-ab09-4da1-8db7-2ad9354eafee",
"value": "UltraCrypter"
},
{
"description": "ransomware",
"uuid": "90fa20b3-425c-4361-9f7f-e1c89f972158",
"value": "UmbreCrypt"
},
{
"description": "ransomware",
"uuid": "bed135ea-0b1b-4928-88eb-f5d78d2ef7ec",
"value": "UnblockUPC"
},
{
"description": "ransomware",
"uuid": "a9695d8a-9d83-4ae0-9460-f4f56c41ed90",
@ -24198,6 +24195,22 @@
},
"uuid": "f84b92bb-d8e8-4ddd-848c-1a91df504e8e",
"value": "DEcovid19"
},
{
"description": "Ragnarok is is a ransomware that targetscorporate networks in Big Game Huntingtargeted attacks. The ransomware is associated with 'double-extortion' tactic, stealing and publishing files on a data leak site (DLS).",
"meta": {
"encryption": "AES",
"extensions": [
".ragnarok",
".ragnarok_cry"
],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnaro",
"https://borncity.com/win/2021/03/27/tu-darmstadt-opfer-der-ragnarok-ransomware/"
]
},
"uuid": "fe7e4df0-97b9-4dd2-b3f8-79404fc8272d",
"value": "Ragnarok"
}
],
"version": 98

714
clusters/threat-actor.json
View File

File diff suppressed because it is too large Load Diff