MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [mitre] bump to v13.

pull/848/head
Thomas Dupuy 2023-05-08 14:04:50 +00:00
parent 2d7b7137bf
commit bbbd006215
5 changed files with 5902 additions and 5987 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

981
clusters/mitre-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

4068
clusters/mitre-course-of-action.json
View File

File diff suppressed because it is too large Load Diff

2383
clusters/mitre-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

4081
clusters/mitre-malware.json
View File

File diff suppressed because it is too large Load Diff

376
clusters/mitre-tool.json
View File

@ -37,6 +37,262 @@
"uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"value": "Windows Credential Editor - S0005"
},
{
"description": "[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)",
"meta": {
"external_id": "S1063",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1063",
"https://bruteratel.com/",
"https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/",
"https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/",
"https://www.sans.org/blog/cracked-brute-ratel-c4-framework-proliferates-across-the-cybercriminal-underground/",
"https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html"
],
"synonyms": [
"Brute Ratel C4",
"BRc4"
]
},
"related": [
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "74d2a63f-3c7b-4852-92da-02d8fbab16da",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "75d8b521-6b6a-42ff-8af3-d97e20ce12a5",
"value": "Brute Ratel C4 - S1063"
},
{
"description": "[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to \"pass\" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)",
"meta": {
@ -1117,6 +1373,13 @@
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
@ -1211,6 +1474,13 @@
]
},
"related": [
{
"dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
"tags": [
@ -2292,6 +2562,64 @@
"uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
"value": "UACMe - S0116"
},
{
"description": "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)",
"meta": {
"external_id": "S1071",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S1071",
"https://github.com/GhostPack/Rubeus",
"https://thedfirreport.com/2020/10/08/ryuks-return/",
"https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
],
"synonyms": [
"Rubeus"
]
},
"related": [
{
"dest-uuid": "3986e7fd-a8e9-4ecb-bfc6-55920855912b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d273434a-448e-4598-8e14-607f4a0d5e27",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "e33267fe-099f-4af2-8730-63d49f8813b2",
"value": "Rubeus - S1071"
},
{
"description": "[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a systems registry. (Citation: Mandiant APT1)",
"meta": {
@ -3003,6 +3331,9 @@
"refs": [
"https://attack.mitre.org/software/S0174",
"https://github.com/SpiderLabs/Responder"
],
"synonyms": [
"Responder"
]
},
"related": [
@ -3189,13 +3520,6 @@
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "bf96a5a3-3bce-43b7-8597-88545984c07b",
"tags": [
@ -3211,14 +3535,14 @@
"type": "uses"
},
{
"dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02",
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447",
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
@ -3728,8 +4052,8 @@
"refs": [
"https://attack.mitre.org/software/S0332",
"https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html",
"https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html",
"https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/"
"https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/",
"https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html"
],
"synonyms": [
"Remcos"
@ -5009,13 +5333,6 @@
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
"tags": [
@ -5079,6 +5396,13 @@
],
"type": "uses"
},
{
"dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
@ -6393,6 +6717,13 @@
],
"type": "uses"
},
{
"dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b4409cd8-0da9-46e1-a401-a241afd4d1cc",
"tags": [
@ -6407,6 +6738,13 @@
],
"type": "uses"
},
{
"dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db",
"tags": [
@ -6542,5 +6880,5 @@
"value": "Mythic - S0699"
}
],
"version": 27
"version": 28
}