Merge pull request #98 from Delta-Sierra/master

Add CERT-EU-based vocabularies
Alexandre Dulaunoy 2017-10-20 15:50:26 +02:00 committed by GitHub
commit eaaa63a15d
5 changed files with 589 additions and 0 deletions


@ -41,9 +41,13 @@ A [readable PDF overview of the MISP galaxy is available](https://www.misp.softw
## Common
- [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.
- [vocabularies/common/threat-actor-type.json](vocabularies/common/threat-actor-type.json) - threat actor type vocab as defined by Cert EU.
- [vocabularies/common/ttp-category.json](vocabularies/common/ttp-category.json) - ttp category vocab as defined by Cert EU.
- [vocabularies/common/ttp-type.json](vocabularies/common/ttp-type.json) - ttp type vocab as defined by Cert EU.
## Threat Actor
- [vocabularies/threat-actor/cert-eu-motive.json](vocabularies/threat-actor/cert-eu-motive.json) - Motive vocab as defined by Cert EU.
- [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1
- [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1
- [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.


@ -2983,6 +2983,15 @@
"https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
]
}
},
{
"value": "IoT_reaper",
"description": "IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.",
"meta": {
"refs": [
"http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
]
}
}
]
}
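Review bot: The `description` of the new `IoT_reaper` entry is a point-in-time quote ("the most recently data (October 19)", "more than 10k per day") with no year and awkward grammar, so it will read as stale within weeks and the numbers will be wrong; the snapshot statistics belong in the linked reference, not in the cluster description. A neutral, durable wording grounded in the same text would be `"description": "IoT_reaper is a large, actively expanding IoT botnet with multiple C2s; its C2 system queues vulnerable device IPs for an automatic loader that injects code into the devices to grow the botnet."`. The single `refs` URL is plain `http://`; if the blog is served over TLS, prefer the `https://` form so the reference is not trivially tamperable in transit (the `rappid` spelling appears to be part of the real URL slug and should be kept). The enclosing `values` array and file start outside this hunk.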

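--- /dev/null
+++ b/vocabularies/common/threat-actor-type.json
@@ -0,0 +1,25 @@
+{
+"values": [
+{
+"value": "Independent Group"
+},
+{
+"value": "State or state-sponsored Group"
+},
+{
+"value": "Individual"
+},
+{
+"value": "Other"
+},
+{
+"value": "Unknown"
+}
+],
+"version" : 1,
+"description": "threat actor type vocab as defined by Cert EU.",
+"source": "Cert EU",
+"author": ["Cert EU"],
+"uuid": "549d040e-b017-11e7-b30c-2fa231749902",
+"type": "threat-actor-type"
+}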
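Review bot: The `"type"` value `threat-actor-type` does not follow the naming used by the two sibling files added in the same commit (`ttp-category-vocabulary`, `ttp-type-vocabulary`), so anything that selects vocabularies by type suffix will treat this one differently; pick one convention for all three, e.g. `"type": "threat-actor-type-vocabulary"`, or drop the `-vocabulary` suffix in the other two. The `"version" : 1` line also has stray whitespace before the colon, unlike every other key in the file, which is harmless to parsers but worth normalising to `"version": 1` for consistent diffs. None of the five values carries a `description`, so an analyst has no guidance on where, for example, a contractor working for a state fits between "State or state-sponsored Group" and "Independent Group"; a one-line description per value would make the vocabulary self-describing.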

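--- /dev/null
+++ b/vocabularies/common/ttp-category.json
@@ -0,0 +1,40 @@
+{
+"values": [
+{
+"value": "Exploits"
+},
+{
+"value": "Infrastructure"
+},
+{
+"value": "Malware"
+},
+{
+"value": "Tools"
+},
+{
+"value": "Other"
+},
+{
+"value": "Unknown"
+},
+{
+"value": "Attack Patterns (S)"
+},
+{
+"value": "Attack Patterns (G)"
+},
+{
+"value": "Tactic"
+},
+{
+"value": "Targeting"
+}
+],
+"version" : 1,
+"description": "ttp category vocab as defined by Cert EU.",
+"source": "Cert EU",
+"author": ["Cert EU"],
+"uuid": "54e405b6-b017-11e7-b2f7-df581d1a8587",
+"type": "ttp-category-vocabulary"
+}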
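Review bot: The values `Attack Patterns (S)` and `Attack Patterns (G)` carry single-letter qualifiers whose meaning is not recoverable from this file, so two analysts will apply them inconsistently and the split will be useless for correlation; each value should get a `"description"` explaining what the qualifier denotes (I cannot tell from the file whether S/G means specific/generic or something else, so the CERT-EU source definition should be quoted rather than guessed). `Targeting` also appears as a value in the sibling `ttp-type` vocabulary in this commit, which looks like the same concept placed at two levels; if that is intentional, a description on each should say how the category and type uses differ. As in the other new files, `"version" : 1` has stray whitespace before the colon and should read `"version": 1`.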

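--- /dev/null
+++ b/vocabularies/common/ttp-type.json
@@ -0,0 +1,511 @@
+{
+"values": [
+{
+"value": "Android Trojan"
+},
+{
+"value": "Backdoor"
+},
+{
+"value": "Banking Trojan"
+},
+{
+"value": "Bot"
+},
+{
+"value": "DDoS malware"
+},
+{
+"value": "Espionage malware"
+},
+{
+"value": "Exploit kit"
+},
+{
+"value": "Keylogger"
+},
+{
+"value": "Mac Backdoor"
+},
+{
+"value": "Mac Trojan"
+},
+{
+"value": "Malware site"
+},
+{
+"value": "RAT"
+},
+{
+"value": "Rootkit"
+},
+{
+"value": "SQLI malware"
+},
+{
+"value": "Toolkit"
+},
+{
+"value": "Trojan"
+},
+{
+"value": "Other"
+},
+{
+"value": "Unknown"
+},
+{
+"value": "Ransomware"
+},
+{
+"value": "Dark Net Market"
+},
+{
+"value": "Destructive"
+},
+{
+"value": "Forums"
+},
+{
+"value": "Domain Registration"
+},
+{
+"value": "POS malware"
+},
+{
+"value": "Hosting"
+},
+{
+"value": "ICS"
+},
+{
+"value": "Android app"
+},
+{
+"value": "Privacy"
+},
+{
+"value": "Safe browsing"
+},
+{
+"value": "Safe internet search"
+},
+{
+"value": "Peer-to-peer"
+},
+{
+"value": "Crypto"
+},
+{
+"value": "Social media"
+},
+{
+"value": "Identity Theft"
+},
+{
+"value": "VPN"
+},
+{
+"value": "Speech recognition software"
+},
+{
+"value": "Encrypted email"
+},
+{
+"value": "Messaging"
+},
+{
+"value": "ATM malware"
+},
+{
+"value": "Network mapper"
+},
+{
+"value": "Pentest tool"
+},
+{
+"value": "Authentication bypass"
+},
+{
+"value": "Phishing infra"
+},
+{
+"value": "Dox and ransom"
+},
+{
+"value": "Hot patching"
+},
+{
+"value": "Arsenal"
+},
+{
+"value": "CVE"
+},
+{
+"value": "Fake website"
+},
+{
+"value": "Information stealer"
+},
+{
+"value": "DoS"
+},
+{
+"value": "Worm"
+},
+{
+"value": "Downloader"
+},
+{
+"value": "Loader"
+},
+{
+"value": "Infostealer"
+},
+{
+"value": "RF Signals Intercepter"
+},
+{
+"value": "Wireless Keystroke Logger"
+},
+{
+"value": "Recon tool"
+},
+{
+"value": "Website"
+},
+{
+"value": "Website recon"
+},
+{
+"value": "Malware features"
+},
+{
+"value": "URL shortener service"
+},
+{
+"value": "Information Warfare"
+},
+{
+"value": "Programming language"
+},
+{
+"value": "Port scanner"
+},
+{
+"value": "Installer"
+},
+{
+"value": "CMS exploitation"
+},
+{
+"value": "Remote execution tool"
+},
+{
+"value": "Service"
+},
+{
+"value": "Money miner"
+},
+{
+"value": "Remote administration tool"
+},
+{
+"value": "First-stage"
+},
+{
+"value": "Dropper"
+},
+{
+"value": "Virtual server penetration"
+},
+{
+"value": "Scripting language"
+},
+{
+"value": "Adware"
+},
+{
+"value": "Obfuscation technique"
+},
+{
+"value": "Drive-by attack"
+},
+{
+"value": "PLC worm"
+},
+{
+"value": "Blog"
+},
+{
+"value": "Account checker"
+},
+{
+"value": "Internet Control"
+},
+{
+"value": "C2"
+},
+{
+"value": "Scanning routers"
+},
+{
+"value": "Take over"
+},
+{
+"value": "Credit Card Fraud"
+},
+{
+"value": "DDoS Tool"
+},
+{
+"value": "IoT bot"
+},
+{
+"value": "Targeting"
+},
+{
+"value": "cryptocurrency"
+},
+{
+"value": "Anti-analysis"
+},
+{
+"value": "persistence"
+},
+{
+"value": "Anti-detection"
+},
+{
+"value": "Phishing-theme"
+},
+{
+"value": "OpSec"
+},
+{
+"value": "Automatic phone calls"
+},
+{
+"value": "Selling"
+},
+{
+"value": "Extortion"
+},
+{
+"value": "Watering hole"
+},
+{
+"value": "Sharing platform"
+},
+{
+"value": "Sideloading"
+},
+{"value": "Operating System"
+},
+{"value": "Sample"
+},
+{"value": "Buffer overflow"
+},
+{
+"value": "Online magazine"
+},
+{
+"value": "Spoofing"
+},
+{
+"value": "Ransomware-as-a-Service"
+},
+{
+"value": "Spambot"
+},
+{
+"value": "HTTP bot"
+},
+{
+"value": "Shop"
+},
+{
+"value": "Password recovery"
+},
+{
+"value": "Password manager"
+},
+{
+"value": "Certificate exploit"
+},
+{
+"value": "Mailer"
+},
+{
+"value": "Card"
+},
+{
+"value": "Powershell agent"
+},
+{
+"value": "Skimmer"
+},
+{
+"value": "Exploit"
+},
+{
+"value": "Medical device tampering"
+},
+{
+"value": "App store"
+},
+{
+"value": "Scareware"
+},
+{
+"value": "Payment platform"
+},
+{
+"value": "Man-in-the-middle"
+},
+{
+"value": "Switch ttack"
+},
+{
+"value": "Switch attack"
+},
+{
+"value": "Browser hijacker"
+},
+{
+"value": "Supply chain attack"
+},
+{
+"value": "Powershell scripts"
+},
+{
+"value": "Malicious iFrame injects"
+},
+{
+"value": "Dumps grabber"
+},
+{
+"value": "Exfiltration tool"
+},
+{
+"value": "Code injection"
+},
+{
+"value": "Mobile malware"
+},
+{
+"value": "Zero-Day"
+},
+{
+"value": "Multi-stage implant framework"
+},
+{
+"value": "Second-stage"
+},
+{
+"value": "IRC"
+},
+{
+"value": "Administration"
+},
+{
+"value": "XSS tool"
+},
+{
+"value": "Tracking program"
+},
+{
+"value": "HTTP loader"
+},
+{
+"value": "Spyware"
+},
+{
+"value": "Bitcoin stealer"
+},
+{
+"value": "Phone bot"
+},
+{
+"value": "Video editor"
+},
+{
+"value": "URL shortening service"
+},
+{
+"value": "Fraud"
+},
+{
+"value": "Spreading mechanisms"
+},
+{
+"value": "Android bot"
+},
+{
+"value": "Disinformation"
+},
+{
+"value": "Mineware"
+},
+{
+"value": "CWE"
+},
+{
+"value": "SCADA malware"
+},
+{
+"value": "Crypter"
+},
+{
+"value": "Phishing"
+},
+{
+"value": "Template injection"
+},
+{
+"value": "Credential stealer"
+},
+{
+"value": "Crypto currency exchange and trading platform"
+},
+{
+"value": "cryptocurrency mining malware"
+},
+{
+"value": "Card shop"
+},
+{
+"value": "Evasion"
+},
+{
+"value": "Browser"
+},
+{
+"value": "Wiper"
+},
+{
+"value": "cryptocurrency cloud mining"
+},
+{
+"value": "Distribution vector"
+},
+{
+"value": "Postscript Abuse"
+},
+{
+"value": "Bolware"
+},
+{
+"value": "Software"
+},
+{
+"value": "Proxy malware"
+}
+],
+"version" : 1,
+"description": "ttp type vocab as defined by Cert EU.",
+"source": "Cert EU",
+"author": ["Cert EU"],
+"uuid": "55224678-b017-11e7-874d-971b517d8cba",
+"type": "ttp-type-vocabulary"
+}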
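Review bot: The value `"Switch ttack"` is a misspelled duplicate of `"Switch attack"`, which immediately follows it; because these values become selectable tags, the typo will be applied to real events and silently fragment any search or correlation on the correct spelling, so drop the three-line entry `{ "value": "Switch ttack" },` before the file ships. Several other pairs look like the same concept spelled twice and should be reconciled to one value each: `Information stealer` / `Infostealer`, `URL shortener service` / `URL shortening service`, and arguably `RAT` / `Remote administration tool`; if both spellings are genuinely distinct in the CERT-EU source, a `"description"` on each should say how. Casing is also inconsistent (`cryptocurrency`, `persistence` lower-case while every neighbour is capitalised), and three entries (`Operating System`, `Sample`, `Buffer overflow`) are written on a single line unlike the rest; normalising both makes future diffs of this 500-line list reviewable. As in the sibling files, `"version" : 1` should read `"version": 1`.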