MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' of github.com:MISP/misp-galaxy

pull/104/head
Raphaël Vinot 2017-10-25 12:28:01 -04:00
parent 196f0a7ac8 b7c612dc47
commit c6f9c5261c
28 changed files with 2167 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -25,13 +25,14 @@ to localized information (which is not shared) or additional information (that c
- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP
- [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
- [clusters/mitre_attack-pattern.json](clusters/mitre_attack-pattern.json) - Attack Pattern - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_course-of-action.json](clusters/mitre_course-of-action.json) - Course of Action - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_intrusion-set.json](clusters/mitre_intrusion-set.json) - Intrusion Test - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_malware.json](clusters/mitre_malware.json) - Malware - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/mitre_tool.json](clusters/mitre_tool.json) - Tool - MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK)
- [clusters/sectors.json](clusters/sectors.json) - Activity sectors
- [clusters/cert-eu-govsector,json](clusters/cert-eu-govsector,json) - Cert EU GovSector
# Available Vocabularies
@ -41,9 +42,13 @@ A [readable PDF overview of the MISP galaxy is available](https://www.misp.softw
## Common
- [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.
- [vocabularies/common/threat-actor-type.json](vocabularies/common/threat-actor-type.json) - threat actor type vocab as defined by Cert EU.
- [vocabularies/common/ttp-category.json](vocabularies/common/ttp-category.json) - ttp category vocab as defined by Cert EU.
- [vocabularies/common/ttp-type.json](vocabularies/common/ttp-type.json) - ttp type vocab as defined by Cert EU.
## Threat Actor
- [vocabularies/threat-actor/cert-eu-motive.json](vocabularies/threat-actor/cert-eu-motive.json) - Motive vocab as defined by Cert EU.
- [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1
- [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1
- [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.

31
clusters/cert-eu-govsector.json Normal file
View File

@ -0,0 +1,31 @@
{
"values": [
{
"value": "Constituency"
},
{
"value": "EU-Centric"
},
{
"value": "EU-nearby"
},
{
"value": "World-class"
},
{
"value": "Unknown"
},
{
"value": "Outside World"
}
],
"version": 1,
"uuid": "69351b20-b898-11e7-a2f1-c3e696a74a48",
"description": "Cert EU GovSector",
"authors": [
"Various"
],
"source": "CERT-EU",
"type": "cert-seu-gocsector",
"name": "Cert EU GovSector"
}

2
clusters/preventive-measure.json
View File

@ -128,7 +128,7 @@
"type": [
"Best Practice"
],
"possible_issues": "igher administrative costs"
"possible_issues": "Higher administrative costs"
},
"value": "Remove Admin Privileges",
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to."

53
clusters/ransomware.json
View File

@ -6482,7 +6482,8 @@
"([A-F0-9]{32}).thor",
"([A-F0-9]{32}).aesir",
"([A-F0-9]{32}).zzzzz",
"([A-F0-9]{32}).osiris"
"([A-F0-9]{32}).osiris",
".lukitus"
],
"encryption": "AES-128",
"ransomnotes": [
@ -6494,7 +6495,9 @@
"_WHAT_is.html",
"_INSTRUCTION.html",
"DesktopOSIRIS.(bmp|htm)",
"OSIRIS-[0-9]{4}.htm"
"OSIRIS-[0-9]{4}.htm",
"lukitus.htm",
"lukitus.bmp."
],
"refs": [
"http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/",
@ -8534,12 +8537,56 @@
"https://twitter.com/struppigel/status/900238572409823232"
]
}
},
{
"value": "SynAck",
"description": "The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user's desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt\n In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/"
],
"synonyms": [
"Syn Ack"
],
"ransomnotes": [
"RESTORE_INFO-[id].txt"
]
}
},
{
"value": "SyncCrypt",
"description": "A new ransomware called SyncCrypt was discovered by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed these attachments will encrypt a computer and append the .kk extension to encrypted files.",
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/"
],
"extension": [
".kk"
],
"ransomnotes": [
"readme.html",
"readme.png"
]
}
},
{
"value": "Bad Rabbit",
"description": "On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.",
"meta": {
"refs": [
"http://blog.talosintelligence.com/2017/10/bad-rabbit.html"
],
"synonyms": [
"BadRabbit",
"Bad-Rabbit"
]
}
}
],
"source": "Various",
"uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
"name": "Ransomware",
"version": 2,
"version": 3,
"type": "ransomware",
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar"
}

1074
clusters/rat.json Normal file → Executable file
View File

File diff suppressed because it is too large Load Diff

370
clusters/sector.json Normal file
View File

@ -0,0 +1,370 @@
{
"values": [
{
"value": "Unknown"
},
{
"value": "Other"
},
{
"value": "Academia - University"
},
{
"value": "Activists"
},
{
"value": "Aerospace"
},
{
"value": "Agriculture"
},
{
"value": "Arts"
},
{
"value": "Bank"
},
{
"value": "Chemical"
},
{
"value": "Citizens"
},
{
"value": "Civil Aviation"
},
{
"value": "Country"
},
{
"value": "Culture"
},
{
"value": "Data Broker"
},
{
"value": "Defense"
},
{
"value": "Development"
},
{
"value": "Diplomacy"
},
{
"value": "Education"
},
{
"value": "Electric"
},
{
"value": "Electronic"
},
{
"value": "Employment"
},
{
"value": "Energy"
},
{
"value": "Entertainment"
},
{
"value": "Environment"
},
{
"value": "Finance"
},
{
"value": "Food"
},
{
"value": "Game"
},
{
"value": "Gas"
},
{
"value": "Government, Administration"
},
{
"value": "Health"
},
{
"value": "Higher education"
},
{
"value": "Hotels"
},
{
"value": "Infrastructure"
},
{
"value": "Intelligence"
},
{
"value": "IT"
},
{
"value": "IT - Hacker"
},
{
"value": "IT - ISP"
},
{
"value": "IT - Security"
},
{
"value": "Justice"
},
{
"value": "Manufacturing"
},
{
"value": "Maritime"
},
{
"value": "Military"
},
{
"value": "Multi-sector"
},
{
"value": "News - Media"
},
{
"value": "NGO"
},
{
"value": "Oil"
},
{
"value": "Payment"
},
{
"value": "Pharmacy"
},
{
"value": "Police - Law enforcement"
},
{
"value": "Research - Innovation"
},
{
"value": "Satellite navigation"
},
{
"value": "Security systems"
},
{
"value": "Social networks"
},
{
"value": "Space"
},
{
"value": "Steel"
},
{
"value": "Telecoms"
},
{
"value": "Think Tanks"
},
{
"value": "Trade"
},
{
"value": "Transport"
},
{
"value": "Travel"
},
{
"value": "Turbine"
},
{
"value": "Tourism"
},
{
"value": "Life science"
},
{
"value": "Biomedical"
},
{
"value": "High tech"
},
{
"value": "Opposition"
},
{
"value": "Political party"
},
{
"value": "Hospitality"
},
{
"value": "Automotive"
},
{
"value": "Metal"
},
{
"value": "Railway"
},
{
"value": "Water"
},
{
"value": "Smart meter"
},
{
"value": "Retai"
},
{
"value": "Retail"
},
{
"value": "Technology"
},
{
"value": "engineering"
},
{
"value": "Mining"
},
{
"value": "Sport"
},
{
"value": "Restaurant"
},
{
"value": "Semi-conductors"
},
{
"value": "Insurance"
},
{
"value": "Legal"
},
{
"value": "Shipping"
},
{
"value": "Logistic"
},
{
"value": "Construction"
},
{
"value": "Industrial"
},
{
"value": "Communication equipment"
},
{
"value": "Security Service"
},
{
"value": "Tax firm"
},
{
"value": "Television broadcast"
},
{
"value": "Separatists"
},
{
"value": "Dissidents"
},
{
"value": "Digital services"
},
{
"value": "Digital infrastructure"
},
{
"value": "Security actors"
},
{
"value": "eCommerce"
},
{
"value": "Islamic forums"
},
{
"value": "Journalist"
},
{
"value": "Streaming service"
},
{
"value": "Puplishing industry"
},
{
"value": "Publishing industry"
},
{
"value": "Islamic organisation"
},
{
"value": "Casino"
},
{
"value": "Consulting"
},
{
"value": "Online marketplace"
},
{
"value": "DNS service provider"
},
{
"value": "Veterinary"
},
{
"value": "Marketing"
},
{
"value": "Video Sharing"
},
{
"value": "Advertising"
},
{
"value": "Investment"
},
{
"value": "Accounting"
},
{
"value": "Programming"
},
{
"value": "Managed Services Provider"
},
{
"value": "Lawyers"
},
{
"value": "Civil society"
},
{
"value": "Petrochemical"
},
{
"value": "Immigration"
}
],
"version": 1,
"uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8",
"description": "Activity sectors",
"authors": [
"Various"
],
"source": "CERT-EU",
"type": "sector",
"name": "Sector"
}

11
clusters/threat-actor.json
View File

@ -663,6 +663,17 @@
"value": "Charming Kitten",
"description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors."
},
{
"meta": {
"country": "IR",
"synonyms": [],
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
]
},
"description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
"value": "APT33"
},
{
"meta": {
"country": "IR",

21
clusters/tool.json
View File

@ -2616,6 +2616,9 @@
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
],
"synonyms": [
"BlackOasis"
]
},
"description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.",
@ -2971,6 +2974,24 @@
"https://www.cylance.com/en_us/blog/threat-spotlight-is-fireball-adware-or-malware.html"
]
}
},
{
"value": "ShadowPad",
"description": "ShadowPad is a modular cyber-attack platform that attackers deploy in victim networks to gain flexible remote control capabilities. The platform is designed to run in two stages. The first stage is a shellcode that was embedded in a legitimate nssock2.dll used by Xshell, Xmanager and other software packages produced by NetSarang. This stage is responsible for connecting to “validation” command and control (C&C) servers and getting configuration information including the location of the real C&C server, which may be unique per victim. The second stage acts as an orchestrator for five main modules responsible for C&C communication, working with the DNS protocol, loading and injecting additional plugins into the memory of other processes.",
"meta": {
"refs": [
"https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
]
}
},
{
"value": "IoT_reaper",
"description": "IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.",
"meta": {
"refs": [
"http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
]
}
}
]
}

8
galaxies/cert-eu-govsector.json Normal file
View File

@ -0,0 +1,8 @@
{
"type": "cert-seu-gocsector",
"name": "Cert EU GovSector",
"description": "Cert EU GovSector",
"version": 1,
"icon": "globe",
"uuid": "68858a48-b898-11e7-91ce-bf424ef9b662"
}

3
galaxies/exploit-kit.json
View File

@ -2,6 +2,7 @@
"type": "exploit-kit",
"name": "Exploit-Kit",
"description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years",
"version": 2,
"version": 3,
"icon": "internet-explorer",
"uuid": "6ab240ec-bd79-11e6-a4a6-cec0c932ce01"
}

3
galaxies/microsoft-activity-group.json
View File

@ -2,6 +2,7 @@
"name": "Microsoft Activity Group actor",
"type": "microsoft-activity-group",
"description": "Activity groups as described by Microsoft",
"version": 1,
"version": 2,
"icon": "user-secret",
"uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505"
}

3
galaxies/mitre_attack-pattern.json
View File

@ -1,7 +1,8 @@
{
"version": 2,
"version": 3,
"uuid": "c4e851fa-775f-11e7-8163-b774922098cd",
"type": "mitre-attack-pattern",
"name": "Attack Pattern",
"icon": "map",
"description": "ATT&CK Tactic"
}

3
galaxies/mitre_course-of-action.json
View File

@ -3,5 +3,6 @@
"name": "Course of Action",
"description": "ATT&CK Mitigation",
"type": "mitre-course-of-action",
"version": 3
"icon": "chain",
"version": 4
}

3
galaxies/mitre_intrusion-set.json
View File

@ -2,6 +2,7 @@
"type": "mitre-intrusion-set",
"uuid": "1023f364-7831-11e7-8318-43b5531983ab",
"description": "Name of ATT&CK Group",
"version": 3,
"version": 5,
"icon": "user-secret",
"name": "Intrusion Set"
}

3
galaxies/mitre_malware.json
View File

@ -1,7 +1,8 @@
{
"version": 2,
"version": 3,
"uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4",
"description": "Name of ATT&CK software",
"name": "Malware",
"icon": "optin-monster",
"type": "mitre-malware"
}

3
galaxies/mitre_tool.json
View File

@ -3,5 +3,6 @@
"type": "mitre-tool",
"description": "Name of ATT&CK software",
"uuid": "d5cbd1a2-78f6-11e7-a833-7b9bccca9649",
"version": 2
"icon": "gavel",
"version": 3
}

3
galaxies/preventive-measure.json
View File

@ -2,6 +2,7 @@
"name": "Preventive Measure",
"type": "preventive-measure",
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"version": 1,
"version": 2,
"icon": "shield",
"uuid": "8168995b-adcd-4684-9e37-206c5771505a"
}

3
galaxies/ransomware.json
View File

@ -1,7 +1,8 @@
{
"description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml",
"type": "ransomware",
"version": 1,
"version": 3,
"name": "Ransomware",
"icon": "btc",
"uuid": "3f44af2e-1480-4b6b-9aa8-f9bb21341078"
}

3
galaxies/rat.json
View File

@ -2,6 +2,7 @@
"type": "rat",
"name": "RAT",
"description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.",
"version": 1,
"version": 2,
"icon": "eye",
"uuid": "06825db6-4797-11e7-ac4d-af25fdcdd299"
}

8
galaxies/sector.json Normal file
View File

@ -0,0 +1,8 @@
{
"type": "sector",
"name": "Sector",
"description": "Activity sectors",
"version": 1,
"icon": "industry",
"uuid": "e1bb134c-ae4d-11e7-8aa9-f78a37325439"
}

3
galaxies/tds.json
View File

@ -2,6 +2,7 @@
"type": "tds",
"name": "TDS",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"version": 2,
"version": 3,
"icon": "cart-arrow-down",
"uuid": "1b9a7d8e-bd7a-11e6-a4a6-cec0c932ce01"
}

3
galaxies/threat-actor.json
View File

@ -2,6 +2,7 @@
"name": "Threat Actor",
"type": "threat-actor",
"description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
"version": 1,
"version": 2,
"icon": "user-secret",
"uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3"
}

3
galaxies/tool.json
View File

@ -2,6 +2,7 @@
"type": "tool",
"name": "Tool",
"description": "Threat actors tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"version": 1,
"version": 2,
"icon": "optin-monster",
"uuid": "9b8037f7-bc8f-4de1-a797-37266619bc0b"
}

3
schema_galaxies.json
View File

@ -17,6 +17,9 @@
"name": {
"type": "string"
},
"icon": {
"type": "string"
},
"uuid": {
"type": "string"
}

25
vocabularies/common/threat-actor-type.json Normal file
View File

@ -0,0 +1,25 @@
{
"values": [
{
"value": "Independent Group"
},
{
"value": "State or state-sponsored Group"
},
{
"value": "Individual"
},
{
"value": "Other"
},
{
"value": "Unknown"
}
],
"version" : 1,
"description": "threat actor type vocab as defined by Cert EU.",
"source": "Cert EU",
"author": ["Cert EU"],
"uuid": "549d040e-b017-11e7-b30c-2fa231749902",
"type": "threat-actor-type"
}

40
vocabularies/common/ttp-category.json Normal file
View File

@ -0,0 +1,40 @@
{
"values": [
{
"value": "Exploits"
},
{
"value": "Infrastructure"
},
{
"value": "Malware"
},
{
"value": "Tools"
},
{
"value": "Other"
},
{
"value": "Unknown"
},
{
"value": "Attack Patterns (S)"
},
{
"value": "Attack Patterns (G)"
},
{
"value": "Tactic"
},
{
"value": "Targeting"
}
],
"version" : 1,
"description": "ttp category vocab as defined by Cert EU.",
"source": "Cert EU",
"author": ["Cert EU"],
"uuid": "54e405b6-b017-11e7-b2f7-df581d1a8587",
"type": "ttp-category-vocabulary"
}

511
vocabularies/common/ttp-type.json Normal file
View File

@ -0,0 +1,511 @@
{
"values": [
{
"value": "Android Trojan"
},
{
"value": "Backdoor"
},
{
"value": "Banking Trojan"
},
{
"value": "Bot"
},
{
"value": "DDoS malware"
},
{
"value": "Espionage malware"
},
{
"value": "Exploit kit"
},
{
"value": "Keylogger"
},
{
"value": "Mac Backdoor"
},
{
"value": "Mac Trojan"
},
{
"value": "Malware site"
},
{
"value": "RAT"
},
{
"value": "Rootkit"
},
{
"value": "SQLI malware"
},
{
"value": "Toolkit"
},
{
"value": "Trojan"
},
{
"value": "Other"
},
{
"value": "Unknown"
},
{
"value": "Ransomware"
},
{
"value": "Dark Net Market"
},
{
"value": "Destructive"
},
{
"value": "Forums"
},
{
"value": "Domain Registration"
},
{
"value": "POS malware"
},
{
"value": "Hosting"
},
{
"value": "ICS"
},
{
"value": "Android app"
},
{
"value": "Privacy"
},
{
"value": "Safe browsing"
},
{
"value": "Safe internet search"
},
{
"value": "Peer-to-peer"
},
{
"value": "Crypto"
},
{
"value": "Social media"
},
{
"value": "Identity Theft"
},
{
"value": "VPN"
},
{
"value": "Speech recognition software"
},
{
"value": "Encrypted email"
},
{
"value": "Messaging"
},
{
"value": "ATM malware"
},
{
"value": "Network mapper"
},
{
"value": "Pentest tool"
},
{
"value": "Authentication bypass"
},
{
"value": "Phishing infra"
},
{
"value": "Dox and ransom"
},
{
"value": "Hot patching"
},
{
"value": "Arsenal"
},
{
"value": "CVE"
},
{
"value": "Fake website"
},
{
"value": "Information stealer"
},
{
"value": "DoS"
},
{
"value": "Worm"
},
{
"value": "Downloader"
},
{
"value": "Loader"
},
{
"value": "Infostealer"
},
{
"value": "RF Signals Intercepter"
},
{
"value": "Wireless Keystroke Logger"
},
{
"value": "Recon tool"
},
{
"value": "Website"
},
{
"value": "Website recon"
},
{
"value": "Malware features"
},
{
"value": "URL shortener service"
},
{
"value": "Information Warfare"
},
{
"value": "Programming language"
},
{
"value": "Port scanner"
},
{
"value": "Installer"
},
{
"value": "CMS exploitation"
},
{
"value": "Remote execution tool"
},
{
"value": "Service"
},
{
"value": "Money miner"
},
{
"value": "Remote administration tool"
},
{
"value": "First-stage"
},
{
"value": "Dropper"
},
{
"value": "Virtual server penetration"
},
{
"value": "Scripting language"
},
{
"value": "Adware"
},
{
"value": "Obfuscation technique"
},
{
"value": "Drive-by attack"
},
{
"value": "PLC worm"
},
{
"value": "Blog"
},
{
"value": "Account checker"
},
{
"value": "Internet Control"
},
{
"value": "C2"
},
{
"value": "Scanning routers"
},
{
"value": "Take over"
},
{
"value": "Credit Card Fraud"
},
{
"value": "DDoS Tool"
},
{
"value": "IoT bot"
},
{
"value": "Targeting"
},
{
"value": "cryptocurrency"
},
{
"value": "Anti-analysis"
},
{
"value": "persistence"
},
{
"value": "Anti-detection"
},
{
"value": "Phishing-theme"
},
{
"value": "OpSec"
},
{
"value": "Automatic phone calls"
},
{
"value": "Selling"
},
{
"value": "Extortion"
},
{
"value": "Watering hole"
},
{
"value": "Sharing platform"
},
{
"value": "Sideloading"
},
{"value": "Operating System"
},
{"value": "Sample"
},
{"value": "Buffer overflow"
},
{
"value": "Online magazine"
},
{
"value": "Spoofing"
},
{
"value": "Ransomware-as-a-Service"
},
{
"value": "Spambot"
},
{
"value": "HTTP bot"
},
{
"value": "Shop"
},
{
"value": "Password recovery"
},
{
"value": "Password manager"
},
{
"value": "Certificate exploit"
},
{
"value": "Mailer"
},
{
"value": "Card"
},
{
"value": "Powershell agent"
},
{
"value": "Skimmer"
},
{
"value": "Exploit"
},
{
"value": "Medical device tampering"
},
{
"value": "App store"
},
{
"value": "Scareware"
},
{
"value": "Payment platform"
},
{
"value": "Man-in-the-middle"
},
{
"value": "Switch ttack"
},
{
"value": "Switch attack"
},
{
"value": "Browser hijacker"
},
{
"value": "Supply chain attack"
},
{
"value": "Powershell scripts"
},
{
"value": "Malicious iFrame injects"
},
{
"value": "Dumps grabber"
},
{
"value": "Exfiltration tool"
},
{
"value": "Code injection"
},
{
"value": "Mobile malware"
},
{
"value": "Zero-Day"
},
{
"value": "Multi-stage implant framework"
},
{
"value": "Second-stage"
},
{
"value": "IRC"
},
{
"value": "Administration"
},
{
"value": "XSS tool"
},
{
"value": "Tracking program"
},
{
"value": "HTTP loader"
},
{
"value": "Spyware"
},
{
"value": "Bitcoin stealer"
},
{
"value": "Phone bot"
},
{
"value": "Video editor"
},
{
"value": "URL shortening service"
},
{
"value": "Fraud"
},
{
"value": "Spreading mechanisms"
},
{
"value": "Android bot"
},
{
"value": "Disinformation"
},
{
"value": "Mineware"
},
{
"value": "CWE"
},
{
"value": "SCADA malware"
},
{
"value": "Crypter"
},
{
"value": "Phishing"
},
{
"value": "Template injection"
},
{
"value": "Credential stealer"
},
{
"value": "Crypto currency exchange and trading platform"
},
{
"value": "cryptocurrency mining malware"
},
{
"value": "Card shop"
},
{
"value": "Evasion"
},
{
"value": "Browser"
},
{
"value": "Wiper"
},
{
"value": "cryptocurrency cloud mining"
},
{
"value": "Distribution vector"
},
{
"value": "Postscript Abuse"
},
{
"value": "Bolware"
},
{
"value": "Software"
},
{
"value": "Proxy malware"
}
],
"version" : 1,
"description": "ttp type vocab as defined by Cert EU.",
"source": "Cert EU",
"author": ["Cert EU"],
"uuid": "55224678-b017-11e7-874d-971b517d8cba",
"type": "ttp-type-vocabulary"
}

37
vocabularies/threat-actor/cert-eu-motive.json Normal file
View File

@ -0,0 +1,37 @@
{
"values": [
{
"value": "Cybercrime"
},
{
"value": "Cyberwar"
},
{
"value": "Espionage"
},
{
"value": "Hacktivists"
},
{
"value": "Hacktivists-Nationalists"
},
{
"value": "Other"
},
{
"value": "Unknown"
},
{
"value": "Jihadism"
},
{
"value": "Censorhip"
}
],
"version" : 1,
"description": "Motive vocab as defined by Cert EU.",
"source": "Cert EU",
"author": ["Cert EU"],
"uuid": "fe16ec3e-aff4-11e7-80d0-13582aacbd16",
"type": "threat-actor-cert-eu-motives-vocabulary"
}