MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

add uuid to every cluster

pull/162/head
Deborah Servili 2018-02-28 15:37:37 +01:00
parent 2eea951b71
commit d88a4a44dc
15 changed files with 25083 additions and 23061 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7974
clusters/android.json
View File

File diff suppressed because it is too large Load Diff

1116
clusters/banker.json
View File

File diff suppressed because it is too large Load Diff

1044
clusters/botnet.json
View File

File diff suppressed because it is too large Load Diff

293
clusters/branded_vulnerability.json
View File

@ -1,142 +1,153 @@
{
"values": [
{
"value": "Meltdown",
"description": "Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.",
"meta": {
"aliases": [
"CVE-2017-5754"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Meltdown_with_text.svg/300px-Meltdown_with_text.svg.png"
]
}
},
{
"value": "Spectre",
"description": "Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.",
"meta": {
"aliases": [
"CVE-2017-5753",
"CVE-2017-5715"
],
"logo": [
"https://en.wikipedia.org/wiki/File:Spectre_with_text.svg"
]
}
},
{
"value": "Heartbleed",
"description": "Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.",
"meta": {
"aliases": [
"CVE-20140160"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/d/dc/Heartbleed.svg/440px-Heartbleed.svg.png"
]
}
},
{
"value": "Shellshock",
"description": "Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.",
"meta": {
"aliases": [
"CVE-20146271"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/4/44/Shellshock-bug.png/440px-Shellshock-bug.png",
"https://upload.wikimedia.org/wikipedia/commons/8/86/Shellshock.png",
"https://cdn-images-1.medium.com/max/1600/1*bopQcJtKouPOJ_isSzanLw.png"
]
}
},
{
"value": "Ghost",
"description": "The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\nDuring a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.",
"meta": {
"aliases": [
"CVE-20150235"
],
"logo": [
"https://cdn-images-1.medium.com/max/1600/1*HnCEOo0RUT1fliJjRT02lA.png"
]
}
},
{
"value": "Stagefright",
"description": "Stagefright is the name given to a group of software bugs that affect versions 2.2 (\"Froyo\") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesnt have to do anything to accept the bug, it happens in the background. The phone number is the only target information.",
"meta": {
"aliases": [
"CVE-2015-1538",
"CVE-2015-1539",
"CVE-2015-3824",
"CVE-2015-3826",
"CVE-2015-3827",
"CVE-2015-3828",
"CVE-2015-3829",
"CVE-2015-3864"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/en/f/f2/Stagefright_bug_logo.png",
"https://cdn-images-1.medium.com/max/1600/1*-Ivm3lZHNaOUwmklT4Rb1g.png"
]
}
},
{
"value": "Badlock",
"description": "Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols[1] supported by Windows and Samba servers.",
"meta": {
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/4/4b/Badlock_logo.svg/440px-Badlock_logo.svg.png",
"https://cdn-images-1.medium.com/max/1600/1*EVbwwxEBOU83NKxgQrPG9w.png"
]
}
},
{
"value": "Dirty COW",
"description": "Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.",
"meta": {
"aliases": [
"CVE-2016-5195"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/DirtyCow.svg/440px-DirtyCow.svg.png"
]
}
},
{
"value": "POODLE",
"description": "The POODLE attack (which stands for \"Padding Oracle On Downgraded Legacy Encryptio\") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated \"September 2014\" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.",
"meta": {
"aliases": [
"CVE-2014-3566"
]
}
},
{
"value": "BadUSB",
"description": "The BadUSB vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent."
},
{
"value": "ImageTragick",
"meta": {
"aliases": [
"CVE-20163714"
],
"logo": [
"https://imagetragick.com/img/logo-medium.png"
]
}
}
],
"version": 1,
"uuid": "93715a12-f45b-11e7-bcf9-3767161e9ebd",
"description": "List of known vulnerabilities and attacks with a branding",
"authors": [
"Unknown"
],
"source": "Open Sources",
"type": "branded-vulnerability",
"name": "Branded Vulnerability"
}
"values": [
{
"value": "Meltdown",
"description": "Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.",
"meta": {
"aliases": [
"CVE-2017-5754"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Meltdown_with_text.svg/300px-Meltdown_with_text.svg.png"
]
},
"uuid": "70bee5b7-0fa3-4a4d-98ee-d8ab787c6db1"
},
{
"value": "Spectre",
"description": "Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.",
"meta": {
"aliases": [
"CVE-2017-5753",
"CVE-2017-5715"
],
"logo": [
"https://en.wikipedia.org/wiki/File:Spectre_with_text.svg"
]
},
"uuid": "36168188-6d14-463a-9713-f88764a83329"
},
{
"value": "Heartbleed",
"description": "Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug's name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.",
"meta": {
"aliases": [
"CVE-2014\u20130160"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/d/dc/Heartbleed.svg/440px-Heartbleed.svg.png"
]
},
"uuid": "d6d85947-e6ee-4d2e-bb48-437f31c7a270"
},
{
"value": "Shellshock",
"description": "Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.",
"meta": {
"aliases": [
"CVE-2014\u20136271"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/4/44/Shellshock-bug.png/440px-Shellshock-bug.png",
"https://upload.wikimedia.org/wikipedia/commons/8/86/Shellshock.png",
"https://cdn-images-1.medium.com/max/1600/1*bopQcJtKouPOJ_isSzanLw.png"
]
},
"uuid": "2102db77-5a51-40c1-bfc1-38fb7dcb7f05"
},
{
"value": "Ghost",
"description": "The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.\nDuring a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.",
"meta": {
"aliases": [
"CVE-2015\u20130235"
],
"logo": [
"https://cdn-images-1.medium.com/max/1600/1*HnCEOo0RUT1fliJjRT02lA.png"
]
},
"uuid": "a1640081-aa8d-4070-84b2-d23e2ae82799"
},
{
"value": "Stagefright",
"description": "Stagefright is the name given to a group of software bugs that affect versions 2.2 (\"Froyo\") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed\u2014the user doesn\u2019t have to do anything to \u2018accept\u2019 the bug, it happens in the background. The phone number is the only target information.",
"meta": {
"aliases": [
"CVE-2015-1538",
"CVE-2015-1539",
"CVE-2015-3824",
"CVE-2015-3826",
"CVE-2015-3827",
"CVE-2015-3828",
"CVE-2015-3829",
"CVE-2015-3864"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/en/f/f2/Stagefright_bug_logo.png",
"https://cdn-images-1.medium.com/max/1600/1*-Ivm3lZHNaOUwmklT4Rb1g.png"
]
},
"uuid": "352916e7-62bf-4b0c-bce7-da759d1a4f5f"
},
{
"value": "Badlock",
"description": "Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols[1] supported by Windows and Samba servers.",
"meta": {
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/4/4b/Badlock_logo.svg/440px-Badlock_logo.svg.png",
"https://cdn-images-1.medium.com/max/1600/1*EVbwwxEBOU83NKxgQrPG9w.png"
]
},
"uuid": "74f2bd2c-69f1-4d28-8d42-94b7ef89f31e"
},
{
"value": "Dirty COW",
"description": "Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.",
"meta": {
"aliases": [
"CVE-2016-5195"
],
"logo": [
"https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/DirtyCow.svg/440px-DirtyCow.svg.png"
]
},
"uuid": "54196537-cb0c-425c-83d6-437d41b4cc65"
},
{
"value": "POODLE",
"description": "The POODLE attack (which stands for \"Padding Oracle On Downgraded Legacy Encryptio\") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo M\u00f6ller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated \"September 2014\" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.",
"meta": {
"aliases": [
"CVE-2014-3566"
]
},
"uuid": "22b9af72-48c9-4da1-b13d-15667dbdd998"
},
{
"value": "BadUSB",
"description": "The \u2018BadUSB\u2019 vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.",
"uuid": "bc3a3299-1443-4390-8b25-4bb280c1abd7"
},
{
"value": "ImageTragick",
"meta": {
"aliases": [
"CVE-2016\u20133714"
],
"logo": [
"https://imagetragick.com/img/logo-medium.png"
]
},
"uuid": "e85e1270-eec5-4331-8004-a063125a54b4"
}
],
"version": 1,
"uuid": "93715a12-f45b-11e7-bcf9-3767161e9ebd",
"description": "List of known vulnerabilities and attacks with a branding",
"authors": [
"Unknown"
],
"source": "Open Sources",
"type": "branded-vulnerability",
"name": "Branded Vulnerability"
}

66
clusters/cert-eu-govsector.json
View File

@ -1,31 +1,37 @@
{
"values": [
{
"value": "Constituency"
},
{
"value": "EU-Centric"
},
{
"value": "EU-nearby"
},
{
"value": "World-class"
},
{
"value": "Unknown"
},
{
"value": "Outside World"
}
],
"version": 1,
"uuid": "69351b20-b898-11e7-a2f1-c3e696a74a48",
"description": "Cert EU GovSector",
"authors": [
"Various"
],
"source": "CERT-EU",
"type": "cert-seu-gocsector",
"name": "Cert EU GovSector"
}
"values": [
{
"value": "Constituency",
"uuid": "8ebd301f-067f-499d-8718-f63c8ced73ac"
},
{
"value": "EU-Centric",
"uuid": "bf3fd6a1-692e-4d77-b17d-496f71eebac9"
},
{
"value": "EU-nearby",
"uuid": "536dada1-30e5-453a-9611-33597ab5c373"
},
{
"value": "World-class",
"uuid": "8024aa5d-d0b0-4114-87c9-92e358c96850"
},
{
"value": "Unknown",
"uuid": "32f8b3dd-defc-47c8-a070-378f5e0e1be8"
},
{
"value": "Outside World",
"uuid": "adc80f46-86ef-4de8-95d1-15c45c15d002"
}
],
"version": 1,
"uuid": "69351b20-b898-11e7-a2f1-c3e696a74a48",
"description": "Cert EU GovSector",
"authors": [
"Various"
],
"source": "CERT-EU",
"type": "cert-seu-gocsector",
"name": "Cert EU GovSector"
}

1239
clusters/exploit-kit.json
View File

File diff suppressed because it is too large Load Diff

239
clusters/microsoft-activity-group.json
View File

@ -1,116 +1,125 @@
{
"version": 3,
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"description": "Activity groups as described by Microsoft",
"authors": [
"Various"
],
"source": "MISP Project",
"type": "microsoft-activity-group",
"name": "Microsoft Activity Group actor",
"values": [
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"value": "PROMETHIUM"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"value": "NEODYMIUM"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
},
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"value": "TERBIUM"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/"
],
"country": "RU",
"synonyms": [
"APT 28",
"APT28",
"Pawn Storm",
"Fancy Bear",
"Sednit",
"TsarTeam",
"TG-4127",
"Group-4127",
"Sofacy",
"Grey-Cloud"
]
},
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims computer. ",
"value": "STRONTIUM"
},
{
"description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.",
"value": "DUBNIUM",
"meta": {
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
"https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/",
"https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/"
],
"synonyms": [
"darkhotel"
]
}
},
{
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The groups persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"value": "PLATINUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
]
}
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"value": "BARIUM"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEADs victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEADs objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEADs attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"value": "LEAD"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/"
]
},
"description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ",
"value": "ZIRCONIUM"
}
]
}
"version": 3,
"uuid": "28b5e55d-acba-4748-a79d-0afa3512689a",
"description": "Activity groups as described by Microsoft",
"authors": [
"Various"
],
"source": "MISP Project",
"type": "microsoft-activity-group",
"name": "Microsoft Activity Group actor",
"values": [
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features\u2014this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"value": "PROMETHIUM",
"uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
},
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor\u2019s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"value": "NEODYMIUM",
"uuid": "47b5007a-3fb1-466a-9578-629e6e735493"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
},
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"value": "TERBIUM",
"uuid": "99784b80-6298-45ba-885c-0ed37bfd8324"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/",
"http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf",
"https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/"
],
"country": "RU",
"synonyms": [
"APT 28",
"APT28",
"Pawn Storm",
"Fancy Bear",
"Sednit",
"TsarTeam",
"TG-4127",
"Group-4127",
"Sofacy",
"Grey-Cloud"
]
},
"description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims\u2019 computer. ",
"value": "STRONTIUM",
"uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec"
},
{
"description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.",
"value": "DUBNIUM",
"meta": {
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
"https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/",
"https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/"
],
"synonyms": [
"darkhotel"
]
},
"uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a"
},
{
"description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group\u2019s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.",
"value": "PLATINUM",
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
]
},
"uuid": "154e97b5-47ef-415a-99a6-2157f1b50339"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups\u2014collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims\u2014particularly those working in Business Development or Human Resources\u2014on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant\u2014notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.",
"value": "BARIUM",
"uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/"
]
},
"description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD\u2019s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD\u2019s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD\u2019s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.",
"value": "LEAD",
"uuid": "f542442e-ba0f-425d-b386-6c10351a468e"
},
{
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/"
]
},
"description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ",
"value": "ZIRCONIUM",
"uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d"
}
]
}

558
clusters/preventive-measure.json
View File

@ -1,271 +1,289 @@
{
"values": [
{
"meta": {
"refs": [
"http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
],
"complexity": "Medium",
"effectiveness": "High",
"impact": "Low",
"type": [
"Recovery"
]
},
"value": "Backup and Restore Process",
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore"
},
{
"meta": {
"refs": [
"https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US",
"https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
],
"complexity": "Low",
"effectiveness": "High",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "Block Macros",
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros"
},
{
"meta": {
"refs": [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Administrative VBS scripts on Workstations"
},
"value": "Disable WSH",
"description": "Disable Windows Script Host"
},
{
"meta": {
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"Mail Gateway"
]
},
"value": "Filter Attachments Level 1",
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub"
},
{
"meta": {
"complexity": "Low",
"effectiveness": "High",
"impact": "High",
"type": [
"Mail Gateway"
],
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
},
"value": "Filter Attachments Level 2",
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm"
},
{
"meta": {
"refs": [
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
"http://www.thirdtier.net/ransomware-prevention-kit/"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Web embedded software installers"
},
"value": "Restrict program execution",
"description": "Block all program executions from the %LocalAppData% and %AppData% folder"
},
{
"meta": {
"refs": [
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
],
"complexity": "Low",
"effectiveness": "Low",
"impact": "Low",
"type": [
"User Assistence"
]
},
"value": "Show File Extensions",
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")"
},
{
"meta": {
"refs": [
"https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"GPO"
],
"possible_issues": "administrator resentment"
},
"value": "Enforce UAC Prompt",
"description": "Enforce administrative users to confirm an action that requires elevated rights"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"Best Practice"
],
"possible_issues": "Higher administrative costs"
},
"value": "Remove Admin Privileges",
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to."
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "Low",
"impact": "Low",
"type": [
"Best Practice"
]
},
"value": "Restrict Workstation Communication",
"description": "Activate the Windows Firewall to restrict workstation to workstation communication"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "High",
"type": [
"Advanced Malware Protection"
]
},
"value": "Sandboxing Email Input",
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"type": [
"3rd Party Tools"
]
},
"value": "Execution Prevention",
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor"
},
{
"meta": {
"refs": [
"https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
},
"value": "Change Default \"Open With\" to Notepad",
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer"
},
{
"meta": {
"refs": [
"http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"Monitoring"
]
},
"value": "File Screening",
"description": "Server-side file screening with the help of File Server Resource Manager"
},
{
"meta": {
"refs": [
"https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx",
"http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Configure & test extensively"
},
"value": "Restrict program execution #2",
"description": "Block program executions (AppLocker)"
},
{
"meta": {
"refs": [
"www.microsoft.com/emet",
"http://windowsitpro.com/security/control-emet-group-policy"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "EMET",
"description": "Detect and block exploitation techniques"
},
{
"meta": {
"refs": [
"https://twitter.com/JohnLaTwC/status/799792296883388416"
],
"complexity": "Medium",
"effectiveness": "Low",
"impact": "Low",
"type": [
"3rd Party Tools"
]
},
"value": "Sysmon",
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring"
},
{
"value": "Blacklist-phone-numbers",
"description": "Filter the numbers at phone routing level including PABX",
"meta": {
"refs": [
"https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat"
],
"effectiveness": "Medium",
"impact": "Medium",
"complexity": "Low"
}
}
],
"name": "Preventive Measure",
"type": "preventive-measure",
"source": "MISP Project",
"authors": [
"Various"
],
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
"version": 3
}
"values": [
{
"meta": {
"refs": [
"http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
],
"complexity": "Medium",
"effectiveness": "High",
"impact": "Low",
"type": [
"Recovery"
]
},
"value": "Backup and Restore Process",
"description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schr\u00f6dinger's backup - it is both existent and non-existent until you've tried a restore",
"uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4"
},
{
"meta": {
"refs": [
"https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US",
"https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
],
"complexity": "Low",
"effectiveness": "High",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "Block Macros",
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros",
"uuid": "79563662-8d92-4fd1-929a-9b8926a62685"
},
{
"meta": {
"refs": [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Administrative VBS scripts on Workstations"
},
"value": "Disable WSH",
"description": "Disable Windows Script Host",
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
},
{
"meta": {
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"Mail Gateway"
]
},
"value": "Filter Attachments Level 1",
"description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub",
"uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92"
},
{
"meta": {
"complexity": "Low",
"effectiveness": "High",
"impact": "High",
"type": [
"Mail Gateway"
],
"possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) "
},
"value": "Filter Attachments Level 2",
"description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm",
"uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687"
},
{
"meta": {
"refs": [
"http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
"http://www.thirdtier.net/ransomware-prevention-kit/"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Web embedded software installers"
},
"value": "Restrict program execution",
"description": "Block all program executions from the %LocalAppData% and %AppData% folder",
"uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74"
},
{
"meta": {
"refs": [
"http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
],
"complexity": "Low",
"effectiveness": "Low",
"impact": "Low",
"type": [
"User Assistence"
]
},
"value": "Show File Extensions",
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")",
"uuid": "5b911d46-66c8-4180-ab97-663a0868264e"
},
{
"meta": {
"refs": [
"https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"GPO"
],
"possible_issues": "administrator resentment"
},
"value": "Enforce UAC Prompt",
"description": "Enforce administrative users to confirm an action that requires elevated rights",
"uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"Best Practice"
],
"possible_issues": "Higher administrative costs"
},
"value": "Remove Admin Privileges",
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.",
"uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "Low",
"impact": "Low",
"type": [
"Best Practice"
]
},
"value": "Restrict Workstation Communication",
"description": "Activate the Windows Firewall to restrict workstation to workstation communication",
"uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "High",
"type": [
"Advanced Malware Protection"
]
},
"value": "Sandboxing Email Input",
"description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis",
"uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349"
},
{
"meta": {
"complexity": "Medium",
"effectiveness": "Medium",
"type": [
"3rd Party Tools"
]
},
"value": "Execution Prevention",
"description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor",
"uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c"
},
{
"meta": {
"refs": [
"https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts."
},
"value": "Change Default \"Open With\" to Notepad",
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer",
"uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b"
},
{
"meta": {
"refs": [
"http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"Monitoring"
]
},
"value": "File Screening",
"description": "Server-side file screening with the help of File Server Resource Manager",
"uuid": "79769940-7cd2-4aaa-80da-b90c0372b898"
},
{
"meta": {
"refs": [
"https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx",
"http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Configure & test extensively"
},
"value": "Restrict program execution #2",
"description": "Block program executions (AppLocker)",
"uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098"
},
{
"meta": {
"refs": [
"www.microsoft.com/emet",
"http://windowsitpro.com/security/control-emet-group-policy"
],
"complexity": "Medium",
"effectiveness": "Medium",
"impact": "Low",
"type": [
"GPO"
]
},
"value": "EMET",
"description": "Detect and block exploitation techniques",
"uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6"
},
{
"meta": {
"refs": [
"https://twitter.com/JohnLaTwC/status/799792296883388416"
],
"complexity": "Medium",
"effectiveness": "Low",
"impact": "Low",
"type": [
"3rd Party Tools"
]
},
"value": "Sysmon",
"description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring",
"uuid": "1b1e5664-4250-459b-adbb-f0b33f64bf7e"
},
{
"value": "Blacklist-phone-numbers",
"description": "Filter the numbers at phone routing level including PABX",
"meta": {
"refs": [
"https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat"
],
"effectiveness": "Medium",
"impact": "Medium",
"complexity": "Low"
},
"uuid": "123e20c5-8f44-4de5-a183-6890788e5a81"
}
],
"name": "Preventive Measure",
"type": "preventive-measure",
"source": "MISP Project",
"authors": [
"Various"
],
"description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.",
"uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
"version": 3
}

18073
clusters/ransomware.json
View File

File diff suppressed because it is too large Load Diff

4580
clusters/rat.json
View File

File diff suppressed because it is too large Load Diff

857
clusters/sector.json
View File

@ -1,370 +1,489 @@
{
"values": [
{
"value": "Unknown"
},
{
"value": "Other"
},
{
"value": "Academia - University"
},
{
"value": "Activists"
},
{
"value": "Aerospace"
},
{
"value": "Agriculture"
},
{
"value": "Arts"
},
{
"value": "Bank"
},
{
"value": "Chemical"
},
{
"value": "Citizens"
},
{
"value": "Civil Aviation"
},
{
"value": "Country"
},
{
"value": "Culture"
},
{
"value": "Data Broker"
},
{
"value": "Defense"
},
{
"value": "Development"
},
{
"value": "Diplomacy"
},
{
"value": "Education"
},
{
"value": "Electric"
},
{
"value": "Electronic"
},
{
"value": "Employment"
},
{
"value": "Energy"
},
{
"value": "Entertainment"
},
{
"value": "Environment"
},
{
"value": "Finance"
},
{
"value": "Food"
},
{
"value": "Game"
},
{
"value": "Gas"
},
{
"value": "Government, Administration"
},
{
"value": "Health"
},
{
"value": "Higher education"
},
{
"value": "Hotels"
},
{
"value": "Infrastructure"
},
{
"value": "Intelligence"
},
{
"value": "IT"
},
{
"value": "IT - Hacker"
},
{
"value": "IT - ISP"
},
{
"value": "IT - Security"
},
{
"value": "Justice"
},
{
"value": "Manufacturing"
},
{
"value": "Maritime"
},
{
"value": "Military"
},
{
"value": "Multi-sector"
},
{
"value": "News - Media"
},
{
"value": "NGO"
},
{
"value": "Oil"
},
{
"value": "Payment"
},
{
"value": "Pharmacy"
},
{
"value": "Police - Law enforcement"
},
{
"value": "Research - Innovation"
},
{
"value": "Satellite navigation"
},
{
"value": "Security systems"
},
{
"value": "Social networks"
},
{
"value": "Space"
},
{
"value": "Steel"
},
{
"value": "Telecoms"
},
{
"value": "Think Tanks"
},
{
"value": "Trade"
},
{
"value": "Transport"
},
{
"value": "Travel"
},
{
"value": "Turbine"
},
{
"value": "Tourism"
},
{
"value": "Life science"
},
{
"value": "Biomedical"
},
{
"value": "High tech"
},
{
"value": "Opposition"
},
{
"value": "Political party"
},
{
"value": "Hospitality"
},
{
"value": "Automotive"
},
{
"value": "Metal"
},
{
"value": "Railway"
},
{
"value": "Water"
},
{
"value": "Smart meter"
},
{
"value": "Retai"
},
{
"value": "Retail"
},
{
"value": "Technology"
},
{
"value": "engineering"
},
{
"value": "Mining"
},
{
"value": "Sport"
},
{
"value": "Restaurant"
},
{
"value": "Semi-conductors"
},
{
"value": "Insurance"
},
{
"value": "Legal"
},
{
"value": "Shipping"
},
{
"value": "Logistic"
},
{
"value": "Construction"
},
{
"value": "Industrial"
},
{
"value": "Communication equipment"
},
{
"value": "Security Service"
},
{
"value": "Tax firm"
},
{
"value": "Television broadcast"
},
{
"value": "Separatists"
},
{
"value": "Dissidents"
},
{
"value": "Digital services"
},
{
"value": "Digital infrastructure"
},
{
"value": "Security actors"
},
{
"value": "eCommerce"
},
{
"value": "Islamic forums"
},
{
"value": "Journalist"
},
{
"value": "Streaming service"
},
{
"value": "Puplishing industry"
},
{
"value": "Publishing industry"
},
{
"value": "Islamic organisation"
},
{
"value": "Casino"
},
{
"value": "Consulting"
},
{
"value": "Online marketplace"
},
{
"value": "DNS service provider"
},
{
"value": "Veterinary"
},
{
"value": "Marketing"
},
{
"value": "Video Sharing"
},
{
"value": "Advertising"
},
{
"value": "Investment"
},
{
"value": "Accounting"
},
{
"value": "Programming"
},
{
"value": "Managed Services Provider"
},
{
"value": "Lawyers"
},
{
"value": "Civil society"
},
{
"value": "Petrochemical"
},
{
"value": "Immigration"
}
],
"version": 1,
"uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8",
"description": "Activity sectors",
"authors": [
"Various"
],
"source": "CERT-EU",
"type": "sector",
"name": "Sector"
}
"values": [
{
"value": "Unknown",
"uuid": "3ff4e243-7e26-4535-b911-fdda2f724aa2"
},
{
"value": "Other",
"uuid": "03655488-3d11-4fbf-8fe6-6148aaa01b83"
},
{
"value": "Academia - University",
"uuid": "98821a86-3c11-474b-afab-3c84af061407"
},
{
"value": "Activists",
"uuid": "0a62f502-0a51-44ac-82a3-0a965b98c7a9"
},
{
"value": "Aerospace",
"uuid": "12f90076-f03d-4a2d-9f33-7a274dc462bb"
},
{
"value": "Agriculture",
"uuid": "e2214f48-0cdd-4110-ba59-e703282adf2c"
},
{
"value": "Arts",
"uuid": "b5283132-9245-4a5f-b4bc-1937fd80d80a"
},
{
"value": "Bank",
"uuid": "19cc9f22-e682-4808-a96c-82e573703dff"
},
{
"value": "Chemical",
"uuid": "306f828d-8eb8-4adb-bee9-3211bf2a4ff7"
},
{
"value": "Citizens",
"uuid": "f50c1d4d-9d7c-4076-b5d4-e86dd5de4628"
},
{
"value": "Civil Aviation",
"uuid": "ed13b6c9-c32c-4a58-82a7-ce64dc7fa086"
},
{
"value": "Country",
"uuid": "89e7e93a-394f-48e3-ba70-501df2f010c0"
},
{
"value": "Culture",
"uuid": "8c645d4e-8fcc-48a8-9656-5135cfbc10a6"
},
{
"value": "Data Broker",
"uuid": "0a2c80eb-ae5d-4d5e-b6fd-2703bc6a750d"
},
{
"value": "Defense",
"uuid": "9df5fb28-2298-4030-9db3-8cdef35bee14"
},
{
"value": "Development",
"uuid": "96b329b2-2f04-4ce7-8ef2-bf3d898028c9"
},
{
"value": "Diplomacy",
"uuid": "33cbaf17-7600-47f7-87c7-39640874a1b4"
},
{
"value": "Education",
"uuid": "19eca562-123d-449b-af33-5a36e5279b12"
},
{
"value": "Electric",
"uuid": "ac2dad84-5194-41bb-9edd-aad8d42f828f"
},
{
"value": "Electronic",
"uuid": "04e0eef9-d7e8-4280-86bb-cc9897be8e08"
},
{
"value": "Employment",
"uuid": "474e6647-ff06-4a9b-8061-a1a43baf8b15"
},
{
"value": "Energy",
"uuid": "3a94474b-7e23-4e06-9129-faea7ef55af8"
},
{
"value": "Entertainment",
"uuid": "beb9d5d6-53df-4e99-8fa8-e52880fbe740"
},
{
"value": "Environment",
"uuid": "8291a998-e888-4351-87ec-c6da6b06bff6"
},
{
"value": "Finance",
"uuid": "75597b7f-54e8-4f14-88c9-e81485ece483"
},
{
"value": "Food",
"uuid": "9ade7eff-e2ce-4f05-85de-bb6b70444db4"
},
{
"value": "Game",
"uuid": "64493b1b-04eb-4f4d-94c7-65c3713131de"
},
{
"value": "Gas",
"uuid": "851c28c6-2e80-4d63-959b-44037931175b"
},
{
"value": "Government, Administration",
"uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f"
},
{
"value": "Health",
"uuid": "4649fe79-cb8f-4aa3-b3e0-e67d4161fcb0"
},
{
"value": "Higher education",
"uuid": "b822d660-fad3-40da-b4db-9bbf8fe23b27"
},
{
"value": "Hotels",
"uuid": "909f4de6-91ea-44b6-9c8f-5983fd4877c2"
},
{
"value": "Infrastructure",
"uuid": "641af156-12d0-4fb4-b89d-971cd454914f"
},
{
"value": "Intelligence",
"uuid": "7aeb79bf-cc1a-49b5-b2ec-5b1fe4a7e295"
},
{
"value": "IT",
"uuid": "3f18e5e7-c77d-4890-9d09-412a39a822e5"
},
{
"value": "IT - Hacker",
"uuid": "342d0a71-584c-4e3f-9b2d-1dc5b5e53e97"
},
{
"value": "IT - ISP",
"uuid": "872de996-e069-4cd9-b227-d5ca01dc020c"
},
{
"value": "IT - Security",
"uuid": "6d9dbde3-25de-48b9-ab98-361c4211e6be"
},
{
"value": "Justice",
"uuid": "784e59ae-89bb-4bc8-82c8-7fab6ca5fb8a"
},
{
"value": "Manufacturing",
"uuid": "5cacd8fb-a3d4-4ed7-84b5-d69378038591"
},
{
"value": "Maritime",
"uuid": "82ac6245-8691-4216-a6dd-8c99ebb8ce51"
},
{
"value": "Military",
"uuid": "5aec0d78-53b2-4fcf-b165-537494b866e4"
},
{
"value": "Multi-sector",
"uuid": "e10093ef-ccbf-4c24-9093-61e856c05ccd"
},
{
"value": "News - Media",
"uuid": "a0499041-2b4e-43aa-8fe3-04c2de23abdd"
},
{
"value": "NGO",
"uuid": "d2f31b1f-a9b1-4f5b-b2b3-1aa2732a0608"
},
{
"value": "Oil",
"uuid": "5875cc3f-d0a5-445e-abb2-08411fc82522"
},
{
"value": "Payment",
"uuid": "0d688425-afb5-4f71-8b5a-f9be7d2d1551"
},
{
"value": "Pharmacy",
"uuid": "8d7aa230-d07f-46e8-a099-6f1753793b84"
},
{
"value": "Police - Law enforcement",
"uuid": "36432a96-225a-4c90-b0f5-44eaee45e306"
},
{
"value": "Research - Innovation",
"uuid": "738939b4-c93f-4972-938a-7eb1f60188b9"
},
{
"value": "Satellite navigation",
"uuid": "40082760-ed9e-4fcb-8bfa-2341d81d5e22"
},
{
"value": "Security systems",
"uuid": "23429f36-298a-4ac6-8db9-87223bef9cbf"
},
{
"value": "Social networks",
"uuid": "61809257-9f13-4910-b824-f483c4334bb5"
},
{
"value": "Space",
"uuid": "595be3ad-bfb3-4bea-b81a-2fef618a1075"
},
{
"value": "Steel",
"uuid": "cdc8b76f-a8df-4d30-81c1-bdb4935c718d"
},
{
"value": "Telecoms",
"uuid": "0de938bd-4efa-4c7a-9244-71a79317d142"
},
{
"value": "Think Tanks",
"uuid": "3c70895b-573b-450c-ad0a-98b0e1a9741e"
},
{
"value": "Trade",
"uuid": "4fef12b1-0bee-4855-81fb-9b7d2c5a1dec"
},
{
"value": "Transport",
"uuid": "e93eb8db-72b1-4407-be3e-8cfea8f9efee"
},
{
"value": "Travel",
"uuid": "33a4f4fe-9bc3-4d43-b5ab-64fcc35882cf"
},
{
"value": "Turbine",
"uuid": "69b8bfcd-600e-45d8-962a-ce09ed0914ab"
},
{
"value": "Tourism",
"uuid": "bf0753fd-cb62-440d-a2c5-1adfb037676e"
},
{
"value": "Life science",
"uuid": "87eae00d-b973-46db-83a2-1f520aebcd44"
},
{
"value": "Biomedical",
"uuid": "58282b0e-10d4-4294-8845-6f41a1e79730"
},
{
"value": "High tech",
"uuid": "cd4dfa11-5f4a-4d02-a2cc-35603261e631"
},
{
"value": "Opposition",
"uuid": "18daafae-a923-4cf5-bf87-d8b35dd297e2"
},
{
"value": "Political party",
"uuid": "a93f281c-1fb4-471d-88ba-dfe5f3af13ff"
},
{
"value": "Hospitality",
"uuid": "d1aa1165-981a-4d9f-aece-c130c5034e1b"
},
{
"value": "Automotive",
"uuid": "79e7755d-d7fa-4bbc-b956-e296c614745e"
},
{
"value": "Metal",
"uuid": "3a7dae7d-2590-4e80-9c13-c22048a09f8a"
},
{
"value": "Railway",
"uuid": "02847338-fe03-4073-9f5b-c6fedc244b04"
},
{
"value": "Water",
"uuid": "26282f7e-8db4-4369-8af1-3981f6a93350"
},
{
"value": "Smart meter",
"uuid": "62487559-c0e5-4250-af48-d43fa2e61b82"
},
{
"value": "Retai",
"uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d"
},
{
"value": "Retail",
"uuid": "6ce2374c-2c81-4298-a941-666bf4258c00"
},
{
"value": "Technology",
"uuid": "ff403f0f-67d0-494c-aff9-1d748b7e7d8d"
},
{
"value": "engineering",
"uuid": "e07cd84c-1d66-4de3-8b93-15fa93f119cc"
},
{
"value": "Mining",
"uuid": "7508db07-ffd1-4137-9941-718f18370c4c"
},
{
"value": "Sport",
"uuid": "e8355f07-48c7-497b-9a14-3c2a6325ef3d"
},
{
"value": "Restaurant",
"uuid": "5eee85f4-f8dc-4dea-9ba2-af1e9f957097"
},
{
"value": "Semi-conductors",
"uuid": "5b9bb2f4-3e03-46b9-ab65-a7f99b726a32"
},
{
"value": "Insurance",
"uuid": "c4f35266-0f80-4948-9c0a-f4681ed0d507"
},
{
"value": "Legal",
"uuid": "94a7ffd4-d2e4-4324-be71-f274e84de089"
},
{
"value": "Shipping",
"uuid": "64483d7b-71a4-4130-803e-2c614a098d8b"
},
{
"value": "Logistic",
"uuid": "934bc859-ebc4-48d7-adb7-5accd4f0f965"
},
{
"value": "Construction",
"uuid": "4b5c230d-70b8-4748-a27c-bec121c436d8"
},
{
"value": "Industrial",
"uuid": "3153215a-784d-478e-a147-3410a5b43b39"
},
{
"value": "Communication equipment",
"uuid": "f4e11fd2-f2a2-4d09-8ed4-7ef978ccc03b"
},
{
"value": "Security Service",
"uuid": "886e517c-0331-445e-9c4b-ebe08aeb01cd"
},
{
"value": "Tax firm",
"uuid": "138159c5-0b29-46a5-91e2-fe01f7e7111d"
},
{
"value": "Television broadcast",
"uuid": "13fe4a5d-8d86-4875-b763-02bc5705810f"
},
{
"value": "Separatists",
"uuid": "d6335a0a-dfa2-4150-804b-86d06139e38a"
},
{
"value": "Dissidents",
"uuid": "c2f32e7c-6162-4999-ac3b-356007446d18"
},
{
"value": "Digital services",
"uuid": "5a9da7ef-57b8-4a22-88be-b8b6556fd447"
},
{
"value": "Digital infrastructure",
"uuid": "a10c2362-3ee9-4741-b5a5-c2fd1c7c730f"
},
{
"value": "Security actors",
"uuid": "0904672b-c18a-450e-88d6-6a94dd0eb25a"
},
{
"value": "eCommerce",
"uuid": "7e1ec8ba-24c4-4ad4-a596-7532ecbd0fbd"
},
{
"value": "Islamic forums",
"uuid": "c529331a-e2a9-4ba9-bb92-d4f88ae3704b"
},
{
"value": "Journalist",
"uuid": "ea95dce2-c2fc-48cb-95c7-d9200811f030"
},
{
"value": "Streaming service",
"uuid": "2287c024-9643-43ef-8776-858d3994b9ac"
},
{
"value": "Puplishing industry",
"uuid": "97e018e8-e03b-48ff-8add-1059f035069a"
},
{
"value": "Publishing industry",
"uuid": "867cbcb3-8baa-476f-bec5-ceb36e9b1e09"
},
{
"value": "Islamic organisation",
"uuid": "3929f589-ac94-4a6a-8360-122e06484db8"
},
{
"value": "Casino",
"uuid": "2e7ad54f-7637-4268-a9b9-cb2975d6bab9"
},
{
"value": "Consulting",
"uuid": "87ad7866-bdfa-4a22-a4f3-c411fecb1d0d"
},
{
"value": "Online marketplace",
"uuid": "737a196b-7bab-460b-b199-d6626fca1af1"
},
{
"value": "DNS service provider",
"uuid": "e48c0afc-afab-4ced-9a8b-a28d4a2efa08"
},
{
"value": "Veterinary",
"uuid": "4bc73e7c-d174-4faf-9176-d0ccc8ccfbbf"
},
{
"value": "Marketing",
"uuid": "ee5720bb-c638-46f8-bdf2-55579bf37eb2"
},
{
"value": "Video Sharing",
"uuid": "55d12d41-c558-4cdf-b2c5-f246403ca68f"
},
{
"value": "Advertising",
"uuid": "b018010e-272e-4ca9-8551-073618d7f2ad"
},
{
"value": "Investment",
"uuid": "40d66f31-36c2-42ff-97c6-97b34b5ce04e"
},
{
"value": "Accounting",
"uuid": "6edffd60-443c-4238-b368-362b47340d8b"
},
{
"value": "Programming",
"uuid": "855f40e1-074e-4818-8082-696a54adf13f"
},
{
"value": "Managed Services Provider",
"uuid": "f9260307-f792-4e60-8aa5-e2b4f84adadb"
},
{
"value": "Lawyers",
"uuid": "56eee132-fc01-410c-ada0-44d713443bf2"
},
{
"value": "Civil society",
"uuid": "9c1f6a5b-d9de-4cce-a024-7437cb20e24e"
},
{
"value": "Petrochemical",
"uuid": "1f1c762b-1e39-4989-8679-cc1f9cb08349"
},
{
"value": "Immigration",
"uuid": "bfd171a5-33f5-4c79-81c5-3dda99dae559"
}
],
"version": 1,
"uuid": "141deecc-ae4e-11e7-8dfe-f3397ba8cc8",
"description": "Activity sectors",
"authors": [
"Various"
],
"source": "CERT-EU",
"type": "sector",
"name": "Sector"
}

237
clusters/tds.json
View File

@ -1,115 +1,124 @@
{
"values": [
{
"value": "Keitaro",
"description": "Keitaro TDS is among the mostly used TDS in drive by infection chains",
"meta": {
"refs": [
"https://keitarotds.com/"
],
"type": [
"Commercial"
]
}
},
{
"value": "BlackTDS",
"description": "BlackTDS is mutualised TDS advertised underground since end of December 2017",
"meta": {
"refs": [
"https://blacktds[.com/"
],
"type": [
"Underground"
]
}
},
{
"value": "ShadowTDS",
"description": "ShadowTDS is advertised underground since 2016-02. It's in fact more like a Social Engineering kit focused on Android and embedding a TDS",
"meta": {
"type": [
"Underground"
]
}
},
{
"value": "Sutra",
"description": "Sutra TDS was dominant from 2012 till 2015",
"meta": {
"refs": [
"http://kytoon.com/sutra-tds.html"
],
"type": [
"Commercial"
]
}
},
{
"value": "SimpleTDS",
"description": "SimpleTDS is a basic open source TDS",
"meta": {
"refs": [
"https://sourceforge.net/projects/simpletds/"
],
"synonyms": [
"Stds"
],
"type": [
"OpenSource"
]
}
},
{
"value": "BossTDS",
"description": "BossTDS",
"meta": {
"refs": [
"http://bosstds.com/"
],
"type": [
"Commercial"
]
}
},
{
"value": "BlackHat TDS",
"description": "BlackHat TDS is sold underground.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
],
"type": [
"Underground"
]
}
},
{
"value": "Futuristic TDS",
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
"meta": {
"type": [
"Underground"
]
}
},
{
"value": "Orchid TDS",
"description": "Orchid TDS was sold underground. Rare usage",
"meta": {
"type": [
"Underground"
]
}
}
],
"version": 3,
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"authors": [
"Kafeine"
],
"source": "MISP Project",
"type": "tds",
"name": "TDS"
}
"values": [
{
"value": "Keitaro",
"description": "Keitaro TDS is among the mostly used TDS in drive by infection chains",
"meta": {
"refs": [
"https://keitarotds.com/"
],
"type": [
"Commercial"
]
},
"uuid": "94c57fc0-4477-4643-b539-55ba8c455df6"
},
{
"value": "BlackTDS",
"description": "BlackTDS is mutualised TDS advertised underground since end of December 2017",
"meta": {
"refs": [
"https://blacktds[.com/"
],
"type": [
"Underground"
]
},
"uuid": "d5c0cf8d-8ed0-4fa2-a2e6-7274516ea1c8"
},
{
"value": "ShadowTDS",
"description": "ShadowTDS is advertised underground since 2016-02. It's in fact more like a Social Engineering kit focused on Android and embedding a TDS",
"meta": {
"type": [
"Underground"
]
},
"uuid": "2680a4b1-84d1-4af0-8126-4429a90f8ef8"
},
{
"value": "Sutra",
"description": "Sutra TDS was dominant from 2012 till 2015",
"meta": {
"refs": [
"http://kytoon.com/sutra-tds.html"
],
"type": [
"Commercial"
]
},
"uuid": "67f21003-bbc8-4993-b615-f990e539929f"
},
{
"value": "SimpleTDS",
"description": "SimpleTDS is a basic open source TDS",
"meta": {
"refs": [
"https://sourceforge.net/projects/simpletds/"
],
"synonyms": [
"Stds"
],
"type": [
"OpenSource"
]
},
"uuid": "aa179c37-1a8a-4761-841a-cc940e19d7be"
},
{
"value": "BossTDS",
"description": "BossTDS",
"meta": {
"refs": [
"http://bosstds.com/"
],
"type": [
"Commercial"
]
},
"uuid": "5a483b4b-671a-4113-9b99-a115d2d2d644"
},
{
"value": "BlackHat TDS",
"description": "BlackHat TDS is sold underground.",
"meta": {
"refs": [
"http://malware.dontneedcoffee.com/2014/04/meet-blackhat-tds.html"
],
"type": [
"Underground"
]
},
"uuid": "36aa3b2d-4927-45e5-be08-f30144fd1909"
},
{
"value": "Futuristic TDS",
"description": "Futuristic TDS is the TDS component of BlackOS/CookieBomb/NorthTale Iframer",
"meta": {
"type": [
"Underground"
]
},
"uuid": "19d8eab9-72d5-4f22-affb-c0d6aed66346"
},
{
"value": "Orchid TDS",
"description": "Orchid TDS was sold underground. Rare usage",
"meta": {
"type": [
"Underground"
]
},
"uuid": "ec0048f2-a7b2-4a71-83de-6e8fe4fef252"
}
],
"version": 3,
"uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01",
"description": "TDS is a list of Traffic Direction System used by adversaries",
"authors": [
"Kafeine"
],
"source": "MISP Project",
"type": "tds",
"name": "TDS"
}

4763
clusters/threat-actor.json
View File

File diff suppressed because it is too large Load Diff

7084
clusters/tool.json
View File

File diff suppressed because it is too large Load Diff

21
tools/add_missing_uuid.py Normal file
View File

@ -0,0 +1,21 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import argparse
import uuid
parser = argparse.ArgumentParser(description='Add missing uuids in clusters')
parser.add_argument("-f", "--filename", required=True, help="nameof the cluster (without .json)")
args = parser.parse_args()
with open(args.filename+'.json') as json_file:
data = json.load(json_file)
json_file.close()
for value in data['values']:
if 'uuid' not in value:
value['uuid'] = str(uuid.uuid4())
with open(args.filename+'.json', 'w') as json_file:
json.dump(data, json_file, indent=4)