From 65995bbe93389a14d0fdedc8cac812ae10a02dd6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 20 Oct 2017 11:13:26 +0200
Subject: [PATCH 1/4] add cert-eu based vocabularies
---
 README.md | 4 +
 vocabularies/common/threat-actor-type.json | 25 +
 vocabularies/common/ttp-category.json | 40 ++
 vocabularies/common/ttp-type.json | 514 +++++++++++++++++++++
 4 files changed, 583 insertions(+)
 create mode 100644 vocabularies/common/threat-actor-type.json
 create mode 100644 vocabularies/common/ttp-category.json
 create mode 100644 vocabularies/common/ttp-type.json
diff --git a/README.md b/README.md
index d8790e98..0bcd30e1 100644
--- a/README.md
+++ b/README.md
@@ -41,9 +41,13 @@ A [readable PDF overview of the MISP galaxy is available](https://www.misp.softw
 ## Common
 - [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster.
+- [vocabularies/common/threat-actor-type.json](vocabularies/common/threat-actor-type.json) - threat actor type vocab as defined by Cert EU.
+- [vocabularies/common/ttp-category.json](vocabularies/common/ttp-category.json) - ttp category vocab as defined by Cert EU.
+- [vocabularies/common/ttp-type.json](vocabularies/common/ttp-type.json) - ttp type vocab as defined by Cert EU.
 ## Threat Actor
+- [vocabularies/threat-actor/cert-eu-motive.json](vocabularies/threat-actor/cert-eu-motive.json) - Motive vocab as defined by Cert EU.
 - [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1
 - [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1
 - [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor.
diff --git a/vocabularies/common/threat-actor-type.json b/vocabularies/common/threat-actor-type.json
new file mode 100644
index 00000000..27704b06
--- /dev/null
+++ b/vocabularies/common/threat-actor-type.json
@@ -0,0 +1,25 @@
+{
+ "values": [
+ {
+ "value": "Independent Group"
+ },
+ {
+ "value": "State or state-sponsored Group"
+ },
+ {
+ "value": "Individual"
+ },
+ {
+ "value": "Other"
+ },
+ {
+ "value": "Unknown"
+ }
+ ],
+ "version" : 1,
+ "description": "threat actor type vocab as defined by Cert EU.",
+ "source": "Cert EU",
+ "author": ["Cert EU"],
+ "uuid": "549d040e-b017-11e7-b30c-2fa231749902",
+ "type": "threat-actor-type"
+}
diff --git a/vocabularies/common/ttp-category.json b/vocabularies/common/ttp-category.json
new file mode 100644
index 00000000..438eef13
--- /dev/null
+++ b/vocabularies/common/ttp-category.json
@@ -0,0 +1,40 @@
+{
+ "values": [
+ {
+ "value": "Exploits"
+ },
+ {
+ "value": "Infrastructure"
+ },
+ {
+ "value": "Malware"
+ },
+ {
+ "value": "Tools"
+ },
+ {
+ "value": "Other"
+ },
+ {
+ "value": "Unknown"
+ },
+ {
+ "value": "Attack Patterns (S)"
+ },
+ {
+ "value": "Attack Patterns (G)"
+ },
+ {
+ "value": "Tactic"
+ },
+ {
+ "value": "Targeting"
+ }
+ ],
+ "version" : 1,
+ "description": "ttp category vocab as defined by Cert EU.",
+ "source": "Cert EU",
+ "author": ["Cert EU"],
+ "uuid": "54e405b6-b017-11e7-b2f7-df581d1a8587",
+ "type": "ttp-category-vocabulary"
+}
diff --git a/vocabularies/common/ttp-type.json b/vocabularies/common/ttp-type.json
new file mode 100644
index 00000000..83aa3c8e
--- /dev/null
+++ b/vocabularies/common/ttp-type.json
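Review bot: The `type` value on the last added line, `"threat-actor-type"`, does not follow the `-vocabulary` suffix the two sibling files in this patch use (`"ttp-category-vocabulary"`, `"ttp-type-vocabulary"`), so anything that keys on `type` will treat the three new vocabularies inconsistently; pick one convention, e.g. `"type": "threat-actor-type-vocabulary"`. The `"version" : 1` line in all three new files has a space before the colon that no other key has, and the series later normalises exactly this in clusters/tool.json (patch 4) but not here. The README entry added in the same patch also links `vocabularies/threat-actor/cert-eu-motive.json`, which no file in this series creates, so that link dangles until that vocabulary lands.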
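Review bot: The values `"Attack Patterns (S)"` and `"Attack Patterns (G)"` in ttp-category.json carry single-letter suffixes that nothing in the file explains, so a consumer choosing a category cannot tell the two apart and is likely to use them interchangeably, which defeats having both. Either spell the qualifier out in the value itself or, if the vocabulary format admits it, add a `description` next to each `value` stating what the S and G variants mean. The remaining values are self-explanatory.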
@@ -0,0 +1,514 @@ +{ + "values": [ + { + "value": "Android Trojan" + }, + { + "value": "Backdoor" + }, + { + "value": "Banking Trojan" + }, + { + "value": "Bot" + }, + { + "value": "DDoS malware" + }, + { + "value": "Espionage malware" + }, + { + "value": "Exploit kit" + }, + { + "value": "Keylogger" + }, + { + "value": "Mac Backdoor" + }, + { + "value": "Mac Trojan" + }, + { + "value": "Malware site" + }, + { + "value": "RAT" + }, + { + "value": "Rootkit" + }, + { + "value": "SQLI malware" + }, + { + "value": "Toolkit" + }, + { + "value": "Trojan" + }, + { + "value": "Other" + }, + { + "value": "Unknown" + }, + { + "value": "Ransomware" + }, + { + "value": "Dark Net Market" + }, + { + "value": "Destructive" + }, + { + "value": "Forums" + }, + { + "value": "Domain Registration" + }, + { + "value": "POS malware" + }, + { + "value": "Hosting" + }, + { + "value": "ICS" + }, + { + "value": "Android app" + }, + { + "value": "Privacy" + }, + { + "value": "Safe browsing" + }, + { + "value": "Safe internet search" + }, + { + "value": "Peer-to-peer" + }, + { + "value": "Crypto" + }, + { + "value": "Social media" + }, + { + "value": "Identity Theft" + }, + { + "value": "VPN" + }, + { + "value": "Speech recognition software" + }, + { + "value": "Encrypted email" + }, + { + "value": "Messaging" + }, + { + "value": "ATM malware" + }, + { + "value": "Network mapper" + }, + { + "value": "Pentest tool" + }, + { + "value": "Authentication bypass" + }, + { + "value": "Phishing infra" + }, + { + "value": "Dox and ransom" + }, + { + "value": "Hot patching" + }, + { + "value": "Arsenal" + }, + { + "value": "CVE" + }, + { + "value": "Fake website" + }, + { + "value": "Information stealer" + }, + { + "value": "DoS" + }, + { + "value": "Worm" + }, + { + "value": "Downloader" + }, + { + "value": "Loader" + }, + { + "value": "Infostealer" + }, + { + "value": "RF Signals Intercepter" + }, + { + "value": "Wireless Keystroke Logger" + }, + { + "value": "Recon tool" + }, + { + "value": 
"Website" + }, + { + "value": "Website recon" + }, + { + "value": "Malware features" + }, + { + "value": "URL shortener service" + }, + { + "value": "Information Warfare" + }, + { + "value": "Programming language" + }, + { + "value": "Port scanner" + }, + { + "value": "Installer" + }, + { + "value": "CMS exploitation" + }, + { + "value": "Remote execution tool" + }, + { + "value": "Service" + }, + { + "value": "Money miner" + }, + { + "value": "Remote administration tool" + }, + { + "value": "First-stage" + }, + { + "value": "Dropper" + }, + { + "value": "Virtual server penetration" + }, + { + "value": "Scripting language" + }, + { + "value": "Adware" + }, + { + "value": "Obfuscation technique" + }, + { + "value": "Drive-by attack" + }, + { + "value": "PLC worm" + }, + { + "value": "Blog" + }, + { + "value": "Account checker" + }, + { + "value": "Internet Control" + }, + { + "value": "C2" + }, + { + "value": "Scanning routers" + }, + { + "value": "Take over" + }, + { + "value": "Credit Card Fraud" + }, + { + "value": "DDoS Tool" + }, + { + "value": "IoT bot" + }, + { + "value": "Targeting" + }, + { + "value": "cryptocurrency" + }, + { + "value": "Anti-analysis" + }, + { + "value": "persistence" + }, + { + "value": "Anti-detection" + }, + { + "value": "Phishing-theme" + }, + { + "value": "OpSec" + }, + { + "value": "Automatic phone calls" + }, + { + "value": "Selling" + }, + { + "value": "Extortion" + }, + { + "value": "Watering hole" + }, + { + "value": "Sharing platform" + }, + { + "value": "Sideloading" + }, + {"value": "Operating System" + }, + {"value": "Sample" + }, + {"value": "Buffer overflow" + }, + { + "value": "Online magazine" + }, + { + "value": "Spoofing" + }, + { + "value": "Ransomware-as-a-Service" + }, + { + "value": "Spambot" + }, + { + "value": "HTTP bot" + }, + { + "value": "Shop" + }, + { + "value": "Password recovery" + }, + { + "value": "Password manager" + }, + { + "value": "Certificate exploit" + }, + { + "value": "Mailer" + }, + { + 
"value": "Card" + }, + { + "value": "Powershell agent" + }, + { + "value": "Skimmer" + }, + { + "value": "Exploit" + }, + { + "value": "Medical device tampering" + }, + { + "value": "App store" + }, + { + "value": "Scareware" + }, + { + "value": "Payment platform" + }, + { + "value": "Man-in-the-middle" + }, + { + "value": "Switch ttack" + }, + { + "value": "Switch attack" + }, + { + "value": "Browser hijacker" + }, + { + "value": "Supply chain attack" + }, + { + "value": "Powershell scripts" + }, + { + "value": "Malicious iFrame injects" + }, + { + "value": "Dumps grabber" + }, + { + "value": "Exfiltration tool" + }, + { + "value": "Code injection" + }, + { + "value": "Mobile malware" + }, + { + "value": "Zero-Day" + }, + { + "value": "Multi-stage implant framework" + }, + { + "value": "Second-stage" + }, + { + "value": "IRC" + }, + { + "value": "Administration" + }, + { + "value": "XSS tool" + }, + { + "value": "Tracking program" + }, + { + "value": "HTTP loader" + }, + { + "value": "Spyware" + }, + { + "value": "Bitcoin stealer" + }, + { + "value": "Phone bot" + }, + { + "value": "Video editor" + }, + { + "value": "URL shortening service" + }, + { + "value": "Fraud" + }, + { + "value": "Spreading mechanisms" + }, + { + "value": "Android bot" + }, + { + "value": "Disinformation" + }, + { + "value": "Mineware" + }, + { + "value": "Adware" + }, + { + "value": "CWE" + }, + { + "value": "SCADA malware" + }, + { + "value": "Crypter" + }, + { + "value": "Phishing" + }, + { + "value": "Template injection" + }, + { + "value": "Credential stealer" + }, + { + "value": "Crypto currency exchange and trading platform" + }, + { + "value": "cryptocurrency mining malware" + }, + { + "value": "Card shop" + }, + { + "value": "Evasion" + }, + { + "value": "Browser" + }, + { + "value": "Wiper" + }, + { + "value": "cryptocurrency cloud mining" + }, + { + "value": "Distribution vector" + }, + { + "value": "Postscript Abuse" + }, + { + "value": "Bolware" + }, + { + "value": "Software" 
+ },
+ {
+ "value": "Proxy malware"
+ }
+ ],
+ "version" : 1,
+ "description": "ttp type vocab as defined by Cert EU.",
+ "source": "Cert EU",
+ "author": ["Cert EU"],
+ "uuid": "55224678-b017-11e7-874d-971b517d8cba",
+ "type": "ttp-type-vocabulary"
+}
From 3a4d73ffafcd713fa1a723c3585616ace356ce7f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 20 Oct 2017 11:47:21 +0200
Subject: [PATCH 2/4] delete duplicate
---
 vocabularies/common/ttp-type.json | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/vocabularies/common/ttp-type.json b/vocabularies/common/ttp-type.json
index 83aa3c8e..7c4ddb79 100644
--- a/vocabularies/common/ttp-type.json
+++ b/vocabularies/common/ttp-type.json
@@ -447,9 +447,6 @@
 {
 "value": "Mineware"
 },
- {
- "value": "Adware"
- },
 {
 "value": "CWE"
 },
From 2fd3d3221d3dade8d7d661d8bbc2cf1fa08a6e28 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 20 Oct 2017 15:09:20 +0200
Subject: [PATCH 3/4] add IoT_reaper
---
 clusters/tool.json | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 0416b747..0d443980 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2983,6 +2983,15 @@
 "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
 ]
 }
+ },
+ {
+ "value": "IoT_reaper",
+ "description": "IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.",
+ "meta": {
+ "refs" : [
+ "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
+ ]
+ }
 }
 ]
 }
From 814c19841f80fe485f9b393f5b35f8c4b65a7f29 Mon Sep 17 00:00:00 2001
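Review bot: The added ttp-type values include a typo entry `"Switch ttack"` immediately before `"Switch attack"`, plus several near-duplicates that will split tagging across spellings: `"Information stealer"`/`"Infostealer"`, `"URL shortener service"`/`"URL shortening service"`, `"RAT"`/`"Remote administration tool"`, `"Crypto"`/`"cryptocurrency"`. Drop the typo line and merge each pair onto one canonical value, since a vocabulary like this is consumed as an exact-match enum. Casing is mixed for the same reason (`"cryptocurrency"`, `"persistence"` in lowercase among Title Case values). The later "delete duplicate" commit in this series removes only the repeated `"Adware"` and leaves these in place.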
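Review bot: The `description` on the new IoT_reaper entry is a time-bound quotation from the referenced post ("fairly large now", "the most recently data (October 19)", "more than 10k per day") rather than a description of the tool, so it reads as stale as soon as those numbers move and carries the source's grammar slip verbatim. Suggest a neutral summary such as `"description": "IoT_reaper is an IoT botnet that grows by having an automatic loader push malicious code onto vulnerable devices queued by its C2 infrastructure; see refs for the discovering researchers' size estimates."` and leaving the quantified observations to the ref. If the source names aliases for the botnet, tool.json already carries them in a `synonyms` list under `meta` (as the FINSPY entry touched in patch 4 does), and that is where they belong rather than in the description.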
From: Deborah Servili
Date: Fri, 20 Oct 2017 15:32:01 +0200
Subject: [PATCH 4/4] jq
---
 clusters/tool.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 0d443980..b7949df3 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -2618,7 +2618,7 @@
 "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html"
 ],
 "synonyms": [
- "BlackOasis"
+ "BlackOasis"
 ]
 },
 "description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.",
@@ -2988,7 +2988,7 @@
 "value": "IoT_reaper",
 "description": "IoT_reaper is fairly large now and is actively expanding. For example, there are multiple C2s we are tracking, the most recently data (October 19) from just one C2 shows the number of unique active bot IP address is more than 10k per day. While at the same time, there are millions of potential vulnerable device IPs being queued into the c2 system waiting to be processed by an automatic loader that injects malicious code to the devices to expand the size of the botnet.",
 "meta": {
- "refs" : [
+ "refs": [
 "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/"
 ]
 }