diff --git a/README.md b/README.md
index d8790e9..0bcd30e 100644
--- a/README.md
+++ b/README.md
@@ -41,9 +41,13 @@ A [readable PDF overview of the MISP galaxy is available](https://www.misp.softw
 ## Common
 - [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.
+- [vocabularies/common/threat-actor-type.json](vocabularies/common/threat-actor-type.json) - threat actor type vocab as defined by Cert EU.
+- [vocabularies/common/ttp-category.json](vocabularies/common/ttp-category.json) - ttp category vocab as defined by Cert EU.
+- [vocabularies/common/ttp-type.json](vocabularies/common/ttp-type.json) - ttp type vocab as defined by Cert EU.
 ## Threat Actor
+- [vocabularies/threat-actor/cert-eu-motive.json](vocabularies/threat-actor/cert-eu-motive.json) - Motive vocab as defined by Cert EU.
 - [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1
 - [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1
 - [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.
diff --git a/clusters/tool.json b/clusters/tool.json
index 6bd307a..b7949df 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2983,6 +2983,15 @@
 "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
 ]
 }
+ },
+ {
+ "value": "IoT_reaper",
+ "description": "IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.",
+ "meta": {
+ "refs": [
+ "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
+ ]
+ }
 }
 ]
 }
diff --git a/vocabularies/common/threat-actor-type.json b/vocabularies/common/threat-actor-type.json
new file mode 100644
index 0000000..27704b0
--- /dev/null
+++ b/vocabularies/common/threat-actor-type.json
@@ -0,0 +1,25 @@
+{
+ "values": [
+ {
+ "value": "Independent Group"
+ },
+ {
+ "value": "State or state-sponsored Group"
+ },
+ {
+ "value": "Individual"
+ },
+ {
+ "value": "Other"
+ },
+ {
+ "value": "Unknown"
+ }
+ ],
+ "version" : 1,
+ "description": "threat actor type vocab as defined by Cert EU.",
+ "source": "Cert EU",
+ "author": ["Cert EU"],
+ "uuid": "549d040e-b017-11e7-b30c-2fa231749902",
+ "type": "threat-actor-type"
+}
diff --git a/vocabularies/common/ttp-category.json b/vocabularies/common/ttp-category.json
new file mode 100644
index 0000000..438eef1
--- /dev/null
+++ b/vocabularies/common/ttp-category.json
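Review bot: The new IoT_reaper entry in clusters/tool.json carries only `value`, `description` and `meta.refs`; the hunk context shows just the tail of the preceding entry, so if sibling entries in this cluster carry a `uuid` (as the vocabulary files in this same commit do), this one should get one too so it can be referenced stably. The description is a verbatim point-in-time quote from the referenced blog ("the most recently data (October 19) ... more than 10k per day") with no year and no attribution, so it will read as a current fact long after it stops being one; attributing and dating it, e.g. `"description": "IoT botnet first described by Netlab 360 in October [YEAR — see ref]; at that time ..."`, keeps the figures in context. The reference is also served over `http://`; an `https://` link is preferable where the site supports it.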
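Review bot: The `"type"` identifier is inconsistent across the three vocabularies added in this commit: threat-actor-type.json uses `"type": "threat-actor-type"` while ttp-category.json and ttp-type.json use the `-vocabulary` suffix (`"ttp-category-vocabulary"`, `"ttp-type-vocabulary"`); anything that dispatches on this field will treat them differently. Pick one convention, e.g. `"type": "threat-actor-type-vocabulary"` here. All three files also write `"version" : 1` with a space before the colon while every other key has none; the same spacing fix applies to ttp-category.json and ttp-type.json.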
@@ -0,0 +1,40 @@
+{
+ "values": [
+ {
+ "value": "Exploits"
+ },
+ {
+ "value": "Infrastructure"
+ },
+ {
+ "value": "Malware"
+ },
+ {
+ "value": "Tools"
+ },
+ {
+ "value": "Other"
+ },
+ {
+ "value": "Unknown"
+ },
+ {
+ "value": "Attack Patterns (S)"
+ },
+ {
+ "value": "Attack Patterns (G)"
+ },
+ {
+ "value": "Tactic"
+ },
+ {
+ "value": "Targeting"
+ }
+ ],
+ "version" : 1,
+ "description": "ttp category vocab as defined by Cert EU.",
+ "source": "Cert EU",
+ "author": ["Cert EU"],
+ "uuid": "54e405b6-b017-11e7-b2f7-df581d1a8587",
+ "type": "ttp-category-vocabulary"
+}
diff --git a/vocabularies/common/ttp-type.json b/vocabularies/common/ttp-type.json
new file mode 100644
index 0000000..7c4ddb7
--- /dev/null
+++ b/vocabularies/common/ttp-type.json
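Review bot: The values `"Attack Patterns (S)"` and `"Attack Patterns (G)"` use suffixes that are explained nowhere in the file, so consumers tagging data cannot tell the two apart and the file-level description ("ttp category vocab as defined by Cert EU.") does not help. Either spell the suffixes out in the values themselves, or extend the description to define them, e.g. `"description": "ttp category vocab as defined by Cert EU. Attack Patterns (S) = [meaning of S]; Attack Patterns (G) = [meaning of G]."` with the bracketed placeholders replaced from the Cert EU source. Note also that the catch-all entries `"Other"` and `"Unknown"` sit in the middle of the list rather than at the end, which makes the list look as though it was appended to in stages.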
@@ -0,0 +1,511 @@
+{
+ "values": [
+ {
+ "value": "Android Trojan"
+ },
+ {
+ "value": "Backdoor"
+ },
+ {
+ "value": "Banking Trojan"
+ },
+ {
+ "value": "Bot"
+ },
+ {
+ "value": "DDoS malware"
+ },
+ {
+ "value": "Espionage malware"
+ },
+ {
+ "value": "Exploit kit"
+ },
+ {
+ "value": "Keylogger"
+ },
+ {
+ "value": "Mac Backdoor"
+ },
+ {
+ "value": "Mac Trojan"
+ },
+ {
+ "value": "Malware site"
+ },
+ {
+ "value": "RAT"
+ },
+ {
+ "value": "Rootkit"
+ },
+ {
+ "value": "SQLI malware"
+ },
+ {
+ "value": "Toolkit"
+ },
+ {
+ "value": "Trojan"
+ },
+ {
+ "value": "Other"
+ },
+ {
+ "value": "Unknown"
+ },
+ {
+ "value": "Ransomware"
+ },
+ {
+ "value": "Dark Net Market"
+ },
+ {
+ "value": "Destructive"
+ },
+ {
+ "value": "Forums"
+ },
+ {
+ "value": "Domain Registration"
+ },
+ {
+ "value": "POS malware"
+ },
+ {
+ "value": "Hosting"
+ },
+ {
+ "value": "ICS"
+ },
+ {
+ "value": "Android app"
+ },
+ {
+ "value": "Privacy"
+ },
+ {
+ "value": "Safe browsing"
+ },
+ {
+ "value": "Safe internet search"
+ },
+ {
+ "value": "Peer-to-peer"
+ },
+ {
+ "value": "Crypto"
+ },
+ {
+ "value": "Social media"
+ },
+ {
+ "value": "Identity Theft"
+ },
+ {
+ "value": "VPN"
+ },
+ {
+ "value": "Speech recognition software"
+ },
+ {
+ "value": "Encrypted email"
+ },
+ {
+ "value": "Messaging"
+ },
+ {
+ "value": "ATM malware"
+ },
+ {
+ "value": "Network mapper"
+ },
+ {
+ "value": "Pentest tool"
+ },
+ {
+ "value": "Authentication bypass"
+ },
+ {
+ "value": "Phishing infra"
+ },
+ {
+ "value": "Dox and ransom"
+ },
+ {
+ "value": "Hot patching"
+ },
+ {
+ "value": "Arsenal"
+ },
+ {
+ "value": "CVE"
+ },
+ {
+ "value": "Fake website"
+ },
+ {
+ "value": "Information stealer"
+ },
+ {
+ "value": "DoS"
+ },
+ {
+ "value": "Worm"
+ },
+ {
+ "value": "Downloader"
+ },
+ {
+ "value": "Loader"
+ },
+ {
+ "value": "Infostealer"
+ },
+ {
+ "value": "RF Signals Intercepter"
+ },
+ {
+ "value": "Wireless Keystroke Logger"
+ },
+ {
+ "value": "Recon tool"
+ },
+ {
+ "value": "Website"
+ },
+ {
+ "value": "Website recon"
+ },
+ {
+ "value": "Malware features"
+ },
+ {
+ "value": "URL shortener service"
+ },
+ {
+ "value": "Information Warfare"
+ },
+ {
+ "value": "Programming language"
+ },
+ {
+ "value": "Port scanner"
+ },
+ {
+ "value": "Installer"
+ },
+ {
+ "value": "CMS exploitation"
+ },
+ {
+ "value": "Remote execution tool"
+ },
+ {
+ "value": "Service"
+ },
+ {
+ "value": "Money miner"
+ },
+ {
+ "value": "Remote administration tool"
+ },
+ {
+ "value": "First-stage"
+ },
+ {
+ "value": "Dropper"
+ },
+ {
+ "value": "Virtual server penetration"
+ },
+ {
+ "value": "Scripting language"
+ },
+ {
+ "value": "Adware"
+ },
+ {
+ "value": "Obfuscation technique"
+ },
+ {
+ "value": "Drive-by attack"
+ },
+ {
+ "value": "PLC worm"
+ },
+ {
+ "value": "Blog"
+ },
+ {
+ "value": "Account checker"
+ },
+ {
+ "value": "Internet Control"
+ },
+ {
+ "value": "C2"
+ },
+ {
+ "value": "Scanning routers"
+ },
+ {
+ "value": "Take over"
+ },
+ {
+ "value": "Credit Card Fraud"
+ },
+ {
+ "value": "DDoS Tool"
+ },
+ {
+ "value": "IoT bot"
+ },
+ {
+ "value": "Targeting"
+ },
+ {
+ "value": "cryptocurrency"
+ },
+ {
+ "value": "Anti-analysis"
+ },
+ {
+ "value": "persistence"
+ },
+ {
+ "value": "Anti-detection"
+ },
+ {
+ "value": "Phishing-theme"
+ },
+ {
+ "value": "OpSec"
+ },
+ {
+ "value": "Automatic phone calls"
+ },
+ {
+ "value": "Selling"
+ },
+ {
+ "value": "Extortion"
+ },
+ {
+ "value": "Watering hole"
+ },
+ {
+ "value": "Sharing platform"
+ },
+ {
+ "value": "Sideloading"
+ },
+ {"value": "Operating System"
+ },
+ {"value": "Sample"
+ },
+ {"value": "Buffer overflow"
+ },
+ {
+ "value": "Online magazine"
+ },
+ {
+ "value": "Spoofing"
+ },
+ {
+ "value": "Ransomware-as-a-Service"
+ },
+ {
+ "value": "Spambot"
+ },
+ {
+ "value": "HTTP bot"
+ },
+ {
+ "value": "Shop"
+ },
+ {
+ "value": "Password recovery"
+ },
+ {
+ "value": "Password manager"
+ },
+ {
+ "value": "Certificate exploit"
+ },
+ {
+ "value": "Mailer"
+ },
+ {
+ "value": "Card"
+ },
+ {
+ "value": "Powershell agent"
+ },
+ {
+ "value": "Skimmer"
+ },
+ {
+ "value": "Exploit"
+ },
+ {
+ "value": "Medical device tampering"
+ },
+ {
+ "value": "App store"
+ },
+ {
+ "value": "Scareware"
+ },
+ {
+ "value": "Payment platform"
+ },
+ {
+ "value": "Man-in-the-middle"
+ },
+ {
+ "value": "Switch ttack"
+ },
+ {
+ "value": "Switch attack"
+ },
+ {
+ "value": "Browser hijacker"
+ },
+ {
+ "value": "Supply chain attack"
+ },
+ {
+ "value": "Powershell scripts"
+ },
+ {
+ "value": "Malicious iFrame injects"
+ },
+ {
+ "value": "Dumps grabber"
+ },
+ {
+ "value": "Exfiltration tool"
+ },
+ {
+ "value": "Code injection"
+ },
+ {
+ "value": "Mobile malware"
+ },
+ {
+ "value": "Zero-Day"
+ },
+ {
+ "value": "Multi-stage implant framework"
+ },
+ {
+ "value": "Second-stage"
+ },
+ {
+ "value": "IRC"
+ },
+ {
+ "value": "Administration"
+ },
+ {
+ "value": "XSS tool"
+ },
+ {
+ "value": "Tracking program"
+ },
+ {
+ "value": "HTTP loader"
+ },
+ {
+ "value": "Spyware"
+ },
+ {
+ "value": "Bitcoin stealer"
+ },
+ {
+ "value": "Phone bot"
+ },
+ {
+ "value": "Video editor"
+ },
+ {
+ "value": "URL shortening service"
+ },
+ {
+ "value": "Fraud"
+ },
+ {
+ "value": "Spreading mechanisms"
+ },
+ {
+ "value": "Android bot"
+ },
+ {
+ "value": "Disinformation"
+ },
+ {
+ "value": "Mineware"
+ },
+ {
+ "value": "CWE"
+ },
+ {
+ "value": "SCADA malware"
+ },
+ {
+ "value": "Crypter"
+ },
+ {
+ "value": "Phishing"
+ },
+ {
+ "value": "Template injection"
+ },
+ {
+ "value": "Credential stealer"
+ },
+ {
+ "value": "Crypto currency exchange and trading platform"
+ },
+ {
+ "value": "cryptocurrency mining malware"
+ },
+ {
+ "value": "Card shop"
+ },
+ {
+ "value": "Evasion"
+ },
+ {
+ "value": "Browser"
+ },
+ {
+ "value": "Wiper"
+ },
+ {
+ "value": "cryptocurrency cloud mining"
+ },
+ {
+ "value": "Distribution vector"
+ },
+ {
+ "value": "Postscript Abuse"
+ },
+ {
+ "value": "Bolware"
+ },
+ {
+ "value": "Software"
+ },
+ {
+ "value": "Proxy malware"
+ }
+ ],
+ "version" : 1,
+ "description": "ttp type vocab as defined by Cert EU.",
+ "source": "Cert EU",
+ "author": ["Cert EU"],
+ "uuid": "55224678-b017-11e7-874d-971b517d8cba",
+ "type": "ttp-type-vocabulary"
+}
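Review bot: The list contains `"Switch ttack"` immediately followed by `"Switch attack"`; the first is a typo of the second and should be dropped rather than shipped as a distinct vocabulary value, since anything tagged with it will not match searches for the correct term. Several other pairs are near-duplicates that a consumer has no way to reconcile — `"Information stealer"` / `"Infostealer"`, `"URL shortener service"` / `"URL shortening service"`, `"Crypto"` / `"cryptocurrency"` — and should be merged or at least given one canonical spelling. Capitalisation is also mixed (`"cryptocurrency"`, `"persistence"`, `"cryptocurrency mining malware"` alongside title-cased neighbours), and the three entries written as `{"value": "Operating System"` on one line break the one-key-per-line layout used everywhere else in the file. If the Cert EU source really lists these variants separately, a `description` on the file saying so would explain why they are kept.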