MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge https://github.com/MISP/misp-galaxy

pull/610/head
Delta-Sierra 2020-11-27 12:47:20 +01:00
parent 7af75bb222 9a731470d3
commit e81d3c63d5
6 changed files with 11317 additions and 896 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3458
clusters/mitre-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

1216
clusters/mitre-course-of-action.json
View File

File diff suppressed because it is too large Load Diff

1263
clusters/mitre-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

5667
clusters/mitre-malware.json
View File

File diff suppressed because it is too large Load Diff

601
clusters/mitre-tool.json
View File

@ -66,348 +66,6 @@
"uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", "uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
"value": "Pass-The-Hash Toolkit - S0122" "value": "Pass-The-Hash Toolkit - S0122"
}, },
{
"description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strikes interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)",
"meta": {
"external_id": "S0154",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0154",
"https://cobaltstrike.com/downloads/csmanual38.pdf"
],
"synonyms": [
"Cobalt Strike"
]
},
"related": [
{
"dest-uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "1a1d3ea4-972e-4c48-8d85-08d9db8f1550",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"value": "Cobalt Strike - S0154"
},
{ {
"description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)", "description": "[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)",
"meta": { "meta": {
@ -779,6 +437,96 @@
"uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", "uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
"value": "HTRAN - S0040" "value": "HTRAN - S0040"
}, },
{
"description": "[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)",
"meta": {
"external_id": "S0500",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0500",
"https://www.secureworks.com/research/mcmd-malware-analysis"
],
"synonyms": [
"MCMD"
]
},
"related": [
{
"dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
}
],
"uuid": "975737f1-b10d-476f-8bda-3ec26ea57172",
"value": "MCMD - S0500"
},
{ {
"description": "[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)", "description": "[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)",
"meta": { "meta": {
@ -2969,13 +2717,6 @@
] ]
}, },
"related": [ "related": [
{
"dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{ {
"dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c",
"tags": [ "tags": [
@ -4653,7 +4394,167 @@
], ],
"uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4", "uuid": "5fc81b43-62b5-41b1-9113-c79ae5f030c4",
"value": "CARROTBALL - S0465" "value": "CARROTBALL - S0465"
},
{
"description": "[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)",
"meta": {
"external_id": "S0488",
"mitre_platforms": [
"Windows"
],
"refs": [
"https://attack.mitre.org/software/S0488",
"https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference"
],
"synonyms": [
"CrackMapExec"
]
},
"related": [
{
"dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
},
{
"dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "uses"
} }
], ],
"version": 18 "uuid": "c4810609-7da6-48ec-8057-1b70a7814db0",
"value": "CrackMapExec - S0488"
}
],
"version": 19
} }

8
clusters/threat-actor.json
View File

@ -3081,7 +3081,8 @@
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/", "https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
"https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html", "https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html",
"https://www.secureworks.com/research/threat-profiles/nickel-gladstone", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone",
"https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html" "https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html",
"https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/"
], ],
"synonyms": [ "synonyms": [
"Operation DarkSeoul", "Operation DarkSeoul",
@ -7019,7 +7020,8 @@
"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672",
"https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104", "https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104",
"https://www.secureworks.com/research/threat-profiles/gold-tahoe", "https://www.secureworks.com/research/threat-profiles/gold-tahoe",
"https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546" "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546",
"https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/"
], ],
"synonyms": [ "synonyms": [
"SectorJ04 Group", "SectorJ04 Group",
@ -8496,5 +8498,5 @@
"value": "Operation Skeleton Key" "value": "Operation Skeleton Key"
} }
], ],
"version": 188 "version": 190
} }