MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

merge

pull/952/head
Delta-Sierra 2024-03-21 16:04:35 +01:00
parent 7e715b63e7 a297d1fd1c
commit f7eaa3d9d7
29 changed files with 7654 additions and 523 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

154
README.md
View File

@ -47,7 +47,7 @@ Category: *tool* - source: *Open Sources* - total: *433* elements
[Azure Threat Research Matrix](https://www.misp-project.org/galaxy.html#_azure_threat_research_matrix) - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.
Category: *atrm* - source: *https://github.com/microsoft/Azure-Threat-Research-Matrix* - total: *89* elements
Category: *atrm* - source: *https://github.com/microsoft/Azure-Threat-Research-Matrix* - total: *90* elements
[[HTML](https://www.misp-project.org/galaxy.html#_azure_threat_research_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/atrm.json)]
@ -63,7 +63,7 @@ Category: *guidelines* - source: *Open Sources* - total: *71* elements
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
Category: *tool* - source: *Open Sources* - total: *23* elements
Category: *tool* - source: *Open Sources* - total: *24* elements
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
@ -139,13 +139,37 @@ Category: *Cryptominers* - source: *Open Source Intelligence* - total: *5* eleme
[[HTML](https://www.misp-project.org/galaxy.html#_cryptominers)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cryptominers.json)]
## DISARM Techniques
## Actor Types
[DISARM Techniques](https://www.misp-project.org/galaxy.html#_disarm_techniques) - DISARM is a framework designed for describing and understanding disinformation incidents.
[Actor Types](https://www.misp-project.org/galaxy.html#_actor_types) - DISARM is a framework designed for describing and understanding disinformation incidents.
Category: *disarm* - source: *https://github.com/misinfosecproject/amitt_framework* - total: *294* elements
Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *33* elements
[[HTML](https://www.misp-project.org/galaxy.html#_disarm_techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-techniques.json)]
[[HTML](https://www.misp-project.org/galaxy.html#_actor_types)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-actortypes.json)]
## Countermeasures
[Countermeasures](https://www.misp-project.org/galaxy.html#_countermeasures) - DISARM is a framework designed for describing and understanding disinformation incidents.
Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *139* elements
[[HTML](https://www.misp-project.org/galaxy.html#_countermeasures)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-countermeasures.json)]
## Detections
[Detections](https://www.misp-project.org/galaxy.html#_detections) - DISARM is a framework designed for describing and understanding disinformation incidents.
Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *94* elements
[[HTML](https://www.misp-project.org/galaxy.html#_detections)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-detections.json)]
## Techniques
[Techniques](https://www.misp-project.org/galaxy.html#_techniques) - DISARM is a framework designed for describing and understanding disinformation incidents.
Category: *disarm* - source: *https://github.com/DISARMFoundation/DISARMframeworks* - total: *298* elements
[[HTML](https://www.misp-project.org/galaxy.html#_techniques)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/disarm-techniques.json)]
## Election guidelines
@ -179,11 +203,19 @@ Category: *first-dns* - source: *https://www.first.org/global/sigs/dns/* - total
[[HTML](https://www.misp-project.org/galaxy.html#_first_dns_abuse_techniques_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/first-dns.json)]
## Intelligence Agencies
[Intelligence Agencies](https://www.misp-project.org/galaxy.html#_intelligence_agencies) - List of intelligence agencies
Category: *Intelligence Agencies* - source: *https://en.wikipedia.org/wiki/List_of_intelligence_agencies* - total: *436* elements
[[HTML](https://www.misp-project.org/galaxy.html#_intelligence_agencies)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/intelligence-agencies.json)]
## Malpedia
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
Category: *tool* - source: *Malpedia* - total: *2972* elements
Category: *tool* - source: *Malpedia* - total: *3039* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
@ -235,6 +267,22 @@ Category: *course-of-action* - source: *https://github.com/mitre/cti* - total: *
[[HTML](https://www.misp-project.org/galaxy.html#_course_of_action)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-course-of-action.json)]
## mitre-data-component
[mitre-data-component](https://www.misp-project.org/galaxy.html#_mitre-data-component) - Data components are parts of data sources.
Category: *data-component* - source: *https://github.com/mitre/cti* - total: *116* elements
[[HTML](https://www.misp-project.org/galaxy.html#_mitre-data-component)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-component.json)]
## mitre-data-source
[mitre-data-source](https://www.misp-project.org/galaxy.html#_mitre-data-source) - Data sources represent the various subjects/topics of information that can be collected by sensors/logs.
Category: *data-source* - source: *https://github.com/mitre/cti* - total: *40* elements
[[HTML](https://www.misp-project.org/galaxy.html#_mitre-data-source)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-data-source.json)]
## Enterprise Attack - Attack Pattern
[Enterprise Attack - Attack Pattern](https://www.misp-project.org/galaxy.html#_enterprise_attack_-_attack_pattern) - ATT&CK tactic
@ -435,6 +483,14 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
[[HTML](https://www.misp-project.org/galaxy.html#_preventive_measure)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/preventive-measure.json)]
## Producer
[Producer](https://www.misp-project.org/galaxy.html#_producer) - List of threat intelligence producer from security vendors to CERTs including any producer of intelligence at large.
Category: *actor* - source: *MISP Project* - total: *15* elements
[[HTML](https://www.misp-project.org/galaxy.html#_producer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/producer.json)]
## Ransomware
[Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
@ -447,7 +503,7 @@ Category: *tool* - source: *Various* - total: *1705* elements
[RAT](https://www.misp-project.org/galaxy.html#_rat) - remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system.
Category: *tool* - source: *MISP Project* - total: *265* elements
Category: *tool* - source: *MISP Project* - total: *266* elements
[[HTML](https://www.misp-project.org/galaxy.html#_rat)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/rat.json)]
@ -479,7 +535,7 @@ Category: *sector* - source: *CERT-EU* - total: *118* elements
[Sigma-Rules](https://www.misp-project.org/galaxy.html#_sigma-rules) - MISP galaxy cluster based on Sigma Rules.
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2814* elements
Category: *rules* - source: *https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma* - total: *2840* elements
[[HTML](https://www.misp-project.org/galaxy.html#_sigma-rules)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/sigma-rules.json)]
@ -503,7 +559,7 @@ Category: *sod-matrix* - source: *https://github.com/cudeso/SoD-Matrix* - total:
[Stealer](https://www.misp-project.org/galaxy.html#_stealer) - A list of malware stealer.
Category: *tool* - source: *Open Sources* - total: *13* elements
Category: *tool* - source: *Open Sources* - total: *16* elements
[[HTML](https://www.misp-project.org/galaxy.html#_stealer)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/stealer.json)]
@ -511,7 +567,7 @@ Category: *tool* - source: *Open Sources* - total: *13* elements
[Surveillance Vendor](https://www.misp-project.org/galaxy.html#_surveillance_vendor) - List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services.
Category: *actor* - source: *MISP Project* - total: *49* elements
Category: *actor* - source: *MISP Project* - total: *50* elements
[[HTML](https://www.misp-project.org/galaxy.html#_surveillance_vendor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/surveillance-vendor.json)]
@ -543,15 +599,71 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *557* elements
Category: *actor* - source: *MISP Project* - total: *644* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
## Tidal Campaigns
[Tidal Campaigns](https://www.misp-project.org/galaxy.html#_tidal_campaigns) - Tidal Campaigns Cluster
Category: *Campaigns* - source: *https://app-api.tidalcyber.com/api/v1/campaigns/* - total: *41* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_campaigns)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-campaigns.json)]
## Tidal Groups
[Tidal Groups](https://www.misp-project.org/galaxy.html#_tidal_groups) - Tidal Groups Galaxy
Category: *Threat Groups* - source: *https://app-api.tidalcyber.com/api/v1/groups/* - total: *441* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_groups)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-groups.json)]
## Tidal References
[Tidal References](https://www.misp-project.org/galaxy.html#_tidal_references) - Tidal References Cluster
Category: *References* - source: *https://app-api.tidalcyber.com/api/v1/references/* - total: *3848* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_references)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-references.json)]
## Tidal Software
[Tidal Software](https://www.misp-project.org/galaxy.html#_tidal_software) - Tidal Software Cluster
Category: *Software* - source: *https://app-api.tidalcyber.com/api/v1/software/* - total: *1386* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_software)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-software.json)]
## Tidal Tactic
[Tidal Tactic](https://www.misp-project.org/galaxy.html#_tidal_tactic) - Tidal Tactic Cluster
Category: *Tactic* - source: *https://app-api.tidalcyber.com/api/v1/tactic/* - total: *14* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_tactic)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-tactic.json)]
## Tidal Technique
[Tidal Technique](https://www.misp-project.org/galaxy.html#_tidal_technique) - Tidal Technique Cluster
Category: *Technique* - source: *https://app-api.tidalcyber.com/api/v1/technique/* - total: *625* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tidal_technique)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tidal-technique.json)]
## Threat Matrix for storage services
[Threat Matrix for storage services](https://www.misp-project.org/galaxy.html#_threat_matrix_for_storage_services) - Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.
Category: *tmss* - source: *https://github.com/microsoft/Threat-matrix-for-storage-services* - total: *40* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_matrix_for_storage_services)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tmss.json)]
## Tool
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: *tool* - source: *MISP Project* - total: *588* elements
Category: *tool* - source: *MISP Project* - total: *596* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]
@ -563,8 +675,12 @@ Category: *military equipment* - source: *Popular Mechanics* - total: *36* eleme
[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)]
[[HTML](https://www.misp-project.org/galaxy.html#_uavs/ucavs)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/uavs.json)]
# Online documentation
The [misp-galaxy.org](https://misp-galaxy.org) website provides an easily navigable resource for all MISP galaxy clusters.
A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) or [HTML](https://www.misp.software/galaxy.html) and generated from the JSON.
## How to contribute?
@ -580,12 +696,12 @@ The MISP galaxy (JSON files) are dual-licensed under:
or
~~~~
Copyright (c) 2015-2023 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2015-2023 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2015-2023 Andras Iklody
Copyright (c) 2015-2023 Raphael Vinot
Copyright (c) 2015-2023 Deborah Servili
Copyright (c) 2016-2023 Various contributors to MISP Project
Copyright (c) 2015-2024 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2015-2024 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2015-2024 Andras Iklody
Copyright (c) 2015-2024 Raphael Vinot
Copyright (c) 2015-2024 Deborah Servili
Copyright (c) 2016-2024 Various contributors to MISP Project
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

56
clusters/disarm-countermeasures.json
View File

@ -580,7 +580,7 @@
"meta": {
"external_id": "C00034",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Friction"
],
@ -606,7 +606,7 @@
"meta": {
"external_id": "C00036",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Targeting"
],
@ -632,7 +632,7 @@
"meta": {
"external_id": "C00040",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Verification"
],
@ -658,7 +658,7 @@
"meta": {
"external_id": "C00042",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Countermessaging"
],
@ -684,7 +684,7 @@
"meta": {
"external_id": "C00044",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Friction"
],
@ -710,7 +710,7 @@
"meta": {
"external_id": "C00046",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Targeting"
],
@ -736,7 +736,7 @@
"meta": {
"external_id": "C00047",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deceive",
"metatechniques:Data Pollution"
],
@ -762,7 +762,7 @@
"meta": {
"external_id": "C00048",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deter",
"metatechniques:Daylight"
],
@ -788,7 +788,7 @@
"meta": {
"external_id": "C00051",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Resilience"
],
@ -814,7 +814,7 @@
"meta": {
"external_id": "C00052",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Targeting"
],
@ -840,7 +840,7 @@
"meta": {
"external_id": "C00053",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Cleaning"
],
@ -874,7 +874,7 @@
"meta": {
"external_id": "C00056",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Friction"
],
@ -900,7 +900,7 @@
"meta": {
"external_id": "C00058",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Removal"
],
@ -926,7 +926,7 @@
"meta": {
"external_id": "C00059",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Verification"
],
@ -978,7 +978,7 @@
"meta": {
"external_id": "C00062",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Degrade",
"metatechniques:Countermessaging"
],
@ -1056,7 +1056,7 @@
"meta": {
"external_id": "C00067",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Targeting"
],
@ -1296,7 +1296,7 @@
"meta": {
"external_id": "C00077",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Targeting"
],
@ -1608,7 +1608,7 @@
"meta": {
"external_id": "C00093",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deter",
"metatechniques:Resilience"
],
@ -2448,7 +2448,7 @@
"meta": {
"external_id": "C00133",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Removal"
],
@ -2474,7 +2474,7 @@
"meta": {
"external_id": "C00135",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Removal"
],
@ -2816,7 +2816,7 @@
"meta": {
"external_id": "C00155",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Removal"
],
@ -2898,7 +2898,7 @@
"meta": {
"external_id": "C00160",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Resilience"
],
@ -2954,7 +2954,7 @@
"meta": {
"external_id": "C00162",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Targeting"
],
@ -3084,7 +3084,7 @@
"meta": {
"external_id": "C00172",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Removal"
],
@ -3270,7 +3270,7 @@
"meta": {
"external_id": "C00189",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Destroy",
"metatechniques:Daylight"
],
@ -3348,7 +3348,7 @@
"meta": {
"external_id": "C00197",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Deny",
"metatechniques:Removal"
],
@ -3430,7 +3430,7 @@
"meta": {
"external_id": "C00203",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Disrupt",
"metatechniques:Friction"
],
@ -3728,5 +3728,5 @@
"value": "Strengthen Trust in social media platforms"
}
],
"version": 1
"version": 2
}

44
clusters/disarm-detections.json
View File

@ -189,7 +189,7 @@
"meta": {
"external_id": "F00008",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -214,7 +214,7 @@
"meta": {
"external_id": "F00009",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -239,7 +239,7 @@
"meta": {
"external_id": "F00010",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -264,7 +264,7 @@
"meta": {
"external_id": "F00011",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -289,7 +289,7 @@
"meta": {
"external_id": "F00012",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -314,7 +314,7 @@
"meta": {
"external_id": "F00013",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -339,7 +339,7 @@
"meta": {
"external_id": "F00014",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -364,7 +364,7 @@
"meta": {
"external_id": "F00015",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -389,7 +389,7 @@
"meta": {
"external_id": "F00016",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -414,7 +414,7 @@
"meta": {
"external_id": "F00017",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -439,7 +439,7 @@
"meta": {
"external_id": "F00018",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -464,7 +464,7 @@
"meta": {
"external_id": "F00019",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -489,7 +489,7 @@
"meta": {
"external_id": "F00020",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -522,7 +522,7 @@
"meta": {
"external_id": "F00021",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -547,7 +547,7 @@
"meta": {
"external_id": "F00022",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -572,7 +572,7 @@
"meta": {
"external_id": "F00023",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -597,7 +597,7 @@
"meta": {
"external_id": "F00024",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -1916,7 +1916,7 @@
"meta": {
"external_id": "F00077",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -2066,7 +2066,7 @@
"meta": {
"external_id": "F00084",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -2186,7 +2186,7 @@
"meta": {
"external_id": "F00089",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -2290,7 +2290,7 @@
"meta": {
"external_id": "F00093",
"kill_chain": [
"tactics:Establish Social Assets",
"tactics:Establish Assets",
"responsetypes:Detect"
],
"refs": [
@ -2361,5 +2361,5 @@
"value": "Fact checking"
}
],
"version": 1
"version": 2
}

434
clusters/disarm-techniques.json
View File

@ -94,7 +94,7 @@
"meta": {
"external_id": "T0007",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0007.md"
@ -189,7 +189,7 @@
"meta": {
"external_id": "T0010",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0010.md"
@ -248,56 +248,12 @@
"uuid": "39baec3d-f2ce-5fee-ba7d-3db7d6469946",
"value": "Cultivate Ignorant Agents"
},
{
"description": "Hack or take over legimate accounts to distribute misinformation or damaging content.",
"meta": {
"external_id": "T0011",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0011.md"
]
},
"related": [
{
"dest-uuid": "5481cc36-5af8-5ddf-bcb7-638d3be3f583",
"type": "blocked-by"
},
{
"dest-uuid": "14b886aa-c023-5a84-9605-e4a9cb22e4f4",
"type": "blocked-by"
},
{
"dest-uuid": "f8cab1cc-c87e-5338-90bc-18d071a01601",
"type": "detected-by"
},
{
"dest-uuid": "187285bb-a282-5a6a-833e-01d9744165c4",
"type": "detected-by"
},
{
"dest-uuid": "5012f883-a0ae-5181-bc69-d74b55b44d38",
"type": "detected-by"
},
{
"dest-uuid": "65634c12-ec5f-5a3c-b329-94d3dd84b58e",
"type": "detected-by"
},
{
"dest-uuid": "382e6c32-fb02-5c41-aba1-8161ed8a815e",
"type": "detected-by"
}
],
"uuid": "d05396d6-9701-5ce3-a6cd-abff224310ae",
"value": "Compromise Legitimate Accounts"
},
{
"description": "Create media assets to support inauthentic organisations (e.g. think tank), people (e.g. experts) and/or serve as sites to distribute malware/launch phishing operations.",
"meta": {
"external_id": "T0013",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0013.md"
@ -321,7 +277,7 @@
"meta": {
"external_id": "T0014",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.md"
@ -349,7 +305,7 @@
"meta": {
"external_id": "T0014.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.001.md"
@ -364,7 +320,7 @@
"meta": {
"external_id": "T0014.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0014.002.md"
@ -489,64 +445,6 @@
"uuid": "87208979-6982-53d5-ad0f-49cef659555c",
"value": "Purchase Targeted Advertisements"
},
{
"description": "Flood social channels; drive traffic/engagement to all assets; create aura/sense/perception of pervasiveness/consensus (for or against or both simultaneously) of an issue or topic. \"Nothing is true, but everything is possible.\" Akin to astroturfing campaign.",
"meta": {
"external_id": "T0019",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0019.md"
]
},
"related": [
{
"dest-uuid": "731ffe0e-0225-583e-9ef0-f39851b725c7",
"type": "blocked-by"
},
{
"dest-uuid": "fe5266c1-0af6-59f3-8a0a-f4e5b3f67513",
"type": "blocked-by"
},
{
"dest-uuid": "dae93cbd-eb65-5fb0-9d4e-4571ff54b6ff",
"type": "blocked-by"
}
],
"uuid": "cb7d7a14-6e5c-503c-84b8-4a49e69b2627",
"value": "Generate Information Pollution"
},
{
"description": "Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx",
"meta": {
"external_id": "T0019.001",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0019.001.md"
]
},
"related": [],
"uuid": "b2d72f4b-fa1f-5798-b075-f3f31320ce4d",
"value": "Create Fake Research"
},
{
"description": "Hashtag hijacking occurs when users “[use] a trending hashtag to promote topics that are substantially different from its recent context” (VanDam and Tan, 2016) or “to promote ones own social media agenda” (Darius and Stephany, 2019).",
"meta": {
"external_id": "T0019.002",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0019.002.md"
]
},
"related": [],
"uuid": "7452c88a-f6ed-52b6-8fe4-25273bb5bc69",
"value": "Hijack Hashtags"
},
{
"description": "Iteratively test incident performance (messages, content etc), e.g. A/B test headline/content enagagement metrics; website and/or funding campaign conversion rates",
"meta": {
@ -727,11 +625,11 @@
"value": "Online Polls"
},
{
"description": "Credibility in a social media environment is often a function of the size of a user's network. \"Influencers\" are so-called because of their reach, typically understood as: 1) the size of their network (i.e. the number of followers, perhaps weighted by their own influence); and 2) The rate at which their comments are re-circulated (these two metrics are related). Add traditional media players at all levels of credibility and professionalism to this, and the number of potential influencial carriers available for unwitting amplification becomes substantial. By targeting high-influence people and organisations in all types of media with narratives and content engineered to appeal their emotional or ideological drivers, influence campaigns are able to add perceived credibility to their messaging via saturation and adoption by trusted agents such as celebrities, journalists and local leaders.",
"description": "Influencers are people on social media platforms who have large audiences. \n\nThreat Actors can try to trick Influencers such as celebrities, journalists, or local leaders who arent associated with their campaign into amplifying campaign content. This gives them access to the Influencers audience without having to go through the effort of building it themselves, and it helps legitimise their message by associating it with the Influencer, benefitting from their audiences trust in them.",
"meta": {
"external_id": "T0039",
"kill_chain": [
"tactics:Conduct Pump Priming"
"tactics:Maximise Exposure"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0039.md"
@ -760,7 +658,7 @@
}
],
"uuid": "53e8c51b-c178-5429-8cee-022c6741cc91",
"value": "Bait Legitimate Influencers"
"value": "Bait Influencer"
},
{
"description": "Campaigns often leverage tactical and informational asymmetries on the threat surface, as seen in the Distort and Deny strategies, and the \"firehose of misinformation\". Specifically, conspiracy theorists can be repeatedly wrong, but advocates of the truth need to be perfect. By constantly escalating demands for proof, propagandists can effectively leverage this asymmetry while also priming its future use, often with an even greater asymmetric advantage. The conspiracist is offered freer rein for a broader range of \"questions\" while the truth teller is burdened with higher and higher standards of proof.",
@ -1011,7 +909,7 @@
"value": "Dox"
},
{
"description": "Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.",
"description": "Flooding sources of information (e.g. Social Media feeds) with a high volume of inauthentic content.\n\nThis can be done to control/shape online conversations, drown out opposing points of view, or make it harder to find legitimate information. \n\nBots and/or patriotic trolls are effective tools to achieve this effect.\n\nThis Technique previously used the name Flooding the Information Space.",
"meta": {
"external_id": "T0049",
"kill_chain": [
@ -1044,7 +942,7 @@
}
],
"uuid": "ee7bc41a-9eb0-5732-924a-3885e1c3bee9",
"value": "Flooding the Information Space"
"value": "Flood Information Space"
},
{
"description": "Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operating to support individuals/narratives from the entire political spectrum (left/right binary). Operating with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it's easier to amplify existing content than create new/original content. Trolls operate where ever there's a socially divisive issue (issues that can/are be politicized).",
@ -1062,7 +960,7 @@
"value": "Trolls Amplify and Manipulate"
},
{
"description": "Take over an existing hashtag to drive exposure.",
"description": "Hashtags can be used by communities to collate information they post about particular topics (such as their interests, or current events) and users can find communities to join by exploring hashtags theyre interested in. \n\nThreat actors can flood an existing hashtag to try to ruin hashtag functionality, posting content unrelated to the hashtag alongside it, making it a less reliable source of relevant information. They may also try to flood existing hashtags with campaign content, with the intent of maximising exposure to users.\n\nThis Technique covers cases where threat actors flood existing hashtags with campaign content.\n\nThis Technique covers behaviours previously documented by T0019.002: Hijack Hashtags, which has since been deprecated. This Technique was previously called Hijack Existing Hashtag.",
"meta": {
"external_id": "T0049.002",
"kill_chain": [
@ -1074,7 +972,7 @@
},
"related": [],
"uuid": "885e8687-3598-5378-b0bf-f09b67c1696e",
"value": "Hijack Existing Hashtag"
"value": "Flood Existing Hashtag"
},
{
"description": "Automated forwarding and reposting refer to the proliferation of operation content using automated means, such as artificial intelligence or social media bots. An influence operation may use automated activity to increase content exposure without dedicating the resources, including personnel and time, traditionally required to forward and repost content. Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (ie: automatically retweet or like) and give appearance it's more \"popular\" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are an inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive.",
@ -1151,6 +1049,21 @@
"uuid": "d8a87575-9e25-5e93-8bf6-8489fe70b864",
"value": "Inauthentic Sites Amplify News and Narratives"
},
{
"description": "Information Pollution occurs when threat actors attempt to ruin a source of information by flooding it with lots of inauthentic or unreliable content, intending to make it harder for legitimate users to find the information theyre looking for. \n\nThis subtechnique's objective is to reduce exposure to target information, rather than promoting exposure to campaign content, for which the parent technique T0049 can be used. \n\nAnalysts will need to infer what the motive for flooding an information space was when deciding whether to use T0049 or T0049.008 to tag a case when an information space is flooded. If such inference is not possible, default to T0049.\n\nThis Technique previously used the ID T0019.",
"meta": {
"external_id": "T0049.008",
"kill_chain": [
"tactics:Maximise Exposure"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0049.008.md"
]
},
"related": [],
"uuid": "0bf3d2c3-db36-5175-99b0-6c82ad078937",
"value": "Generate Information Pollution"
},
{
"description": "Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives.",
"meta": {
@ -1268,7 +1181,7 @@
"meta": {
"external_id": "T0065",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0065.md"
@ -1938,21 +1851,6 @@
"uuid": "ed3754e6-bc15-5cf0-8a4b-8737b3814225",
"value": "Develop AI-Generated Text"
},
{
"description": "Develop False or Altered Documents",
"meta": {
"external_id": "T0085.002",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.002.md"
]
},
"related": [],
"uuid": "5b0d1b23-0b48-5f67-8fb4-fe4430f30990",
"value": "Develop False or Altered Documents"
},
{
"description": "An influence operation may develop false or misleading news articles aligned to their campaign goals or narratives.",
"meta": {
@ -1968,6 +1866,66 @@
"uuid": "7bbdfe14-8294-54f7-9842-449f2db17a90",
"value": "Develop Inauthentic News Articles"
},
{
"description": "Produce text in the form of a document.",
"meta": {
"external_id": "T0085.004",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.004.md"
]
},
"related": [],
"uuid": "5f8303e9-4956-589a-a4c6-6b929143f460",
"value": "Develop Document"
},
{
"description": "Produce text content in the form of a book. \n\nThis technique covers both e-books and physical books, however, the former is more easily deployed by threat actors given the lower cost to develop.",
"meta": {
"external_id": "T0085.005",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.005.md"
]
},
"related": [],
"uuid": "c363e714-6b46-5f44-8446-ab88fa5974e9",
"value": "Develop Book"
},
{
"description": "Opinion articles (aka “Op-Eds” or “Editorials”) are articles or regular columns flagged as “opinion” posted to news sources, and can be contributed by people outside the organisation. \n\nFlagging articles as opinions allow news organisations to distinguish them from the typical expectations of objective news reporting while distancing the presented opinion from the organisation or its employees.\n\nThe use of this technique is not by itself an indication of malicious or inauthentic content; Op-eds are a common format in media. However, threat actors exploit op-eds to, for example, submit opinion articles to local media to promote their narratives.\n\nExamples from the perspective of a news site involve publishing op-eds from perceived prestigious voices to give legitimacy to an inauthentic publication, or supporting causes by hosting op-eds from actors aligned with the organisations goals.",
"meta": {
"external_id": "T0085.006",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.006.md"
]
},
"related": [],
"uuid": "a3c5ef63-020b-5dd9-b8b1-303d6e0d2201",
"value": "Develop Opinion Article"
},
{
"description": "Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx.\n\nThis Technique previously used the ID T0019.001",
"meta": {
"external_id": "T0085.007",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0085.007.md"
]
},
"related": [],
"uuid": "130f70c4-5c39-5284-b604-b4711c6c41b8",
"value": "Create Fake Research"
},
{
"description": "Creating and editing false or misleading visual artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include photographing staged real-life situations, repurposing existing digital images, or using image creation and editing technologies.",
"meta": {
@ -2164,22 +2122,7 @@
"value": "Obtain Authentic Documents"
},
{
"description": "Create inauthentic documents intended to appear as if they are authentic non-public documents. These documents can be \"leaked\" during later stages in the operation.",
"meta": {
"external_id": "T0089.002",
"kill_chain": [
"tactics:Develop Content"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0089.002.md"
]
},
"related": [],
"uuid": "da4180d9-4829-5e8d-a0d0-c33bbd22fbc0",
"value": "Create Inauthentic Documents"
},
{
"description": "Alter authentic documents (public or non-public) to achieve campaign goals. The altered documents are intended to appear as if they are authentic can be \"leaked\" during later stages in the operation.",
"description": "Alter authentic documents (public or non-public) to achieve campaign goals. The altered documents are intended to appear as if they are authentic and can be \"leaked\" during later stages in the operation.",
"meta": {
"external_id": "T0089.003",
"kill_chain": [
@ -2198,7 +2141,7 @@
"meta": {
"external_id": "T0090",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.md"
@ -2213,7 +2156,7 @@
"meta": {
"external_id": "T0090.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.001.md"
@ -2228,7 +2171,7 @@
"meta": {
"external_id": "T0090.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.002.md"
@ -2243,7 +2186,7 @@
"meta": {
"external_id": "T0090.003",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.003.md"
@ -2258,7 +2201,7 @@
"meta": {
"external_id": "T0090.004",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0090.004.md"
@ -2273,7 +2216,7 @@
"meta": {
"external_id": "T0091",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.md"
@ -2288,7 +2231,7 @@
"meta": {
"external_id": "T0091.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.001.md"
@ -2303,7 +2246,7 @@
"meta": {
"external_id": "T0091.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.002.md"
@ -2318,7 +2261,7 @@
"meta": {
"external_id": "T0091.003",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0091.003.md"
@ -2333,7 +2276,7 @@
"meta": {
"external_id": "T0092",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.md"
@ -2348,7 +2291,7 @@
"meta": {
"external_id": "T0092.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.001.md"
@ -2363,7 +2306,7 @@
"meta": {
"external_id": "T0092.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.002.md"
@ -2378,7 +2321,7 @@
"meta": {
"external_id": "T0092.003",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0092.003.md"
@ -2393,7 +2336,7 @@
"meta": {
"external_id": "T0093",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.md"
@ -2408,7 +2351,7 @@
"meta": {
"external_id": "T0093.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.001.md"
@ -2423,7 +2366,7 @@
"meta": {
"external_id": "T0093.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0093.002.md"
@ -2438,7 +2381,7 @@
"meta": {
"external_id": "T0094",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.md"
@ -2453,7 +2396,7 @@
"meta": {
"external_id": "T0094.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.001.md"
@ -2468,7 +2411,7 @@
"meta": {
"external_id": "T0094.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0094.002.md"
@ -2483,7 +2426,7 @@
"meta": {
"external_id": "T0095",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0095.md"
@ -2498,7 +2441,7 @@
"meta": {
"external_id": "T0096",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.md"
@ -2513,7 +2456,7 @@
"meta": {
"external_id": "T0096.001",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.001.md"
@ -2528,7 +2471,7 @@
"meta": {
"external_id": "T0096.002",
"kill_chain": [
"tactics:Establish Social Assets"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0096.002.md"
@ -2554,7 +2497,7 @@
"value": "Create Personas"
},
{
"description": "Create other assets/dossier/cover/fake relationships and/or connections or documents, sites, bylines, attributions, to establish/augment/inflate crediblity/believability",
"description": "People may produce evidence which supports the persona they are deploying (T0097) (aka “backstopping” the persona).\n\nThis Technique covers situations where evidence is developed or produced as part of an influence operation to increase the perceived legitimacy of a persona used during IO, including creating accounts for the same persona on multiple platforms.\n\nThe use of personas (T0097), and providing evidence to improve peoples perception of ones persona (T0097.001), are not necessarily malicious or inauthentic. However, sometimes people use personas to increase the perceived legitimacy of narratives for malicious purposes.\n\nThis Technique was previously called Backstop Personas.",
"meta": {
"external_id": "T0097.001",
"kill_chain": [
@ -2566,7 +2509,7 @@
},
"related": [],
"uuid": "2341584c-3ca5-5d2e-85f8-2b9c4da81268",
"value": "Backstop Personas"
"value": "Produce Evidence for Persona"
},
{
"description": "Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda--for instance, click-based revenue--often have some superficial markers of authenticity, such as naming and site-design. But many can be quickly exposed with reference to their owenership, reporting history and adverstising details.",
@ -2614,7 +2557,7 @@
"value": "Leverage Existing Inauthentic News Sites"
},
{
"description": "An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities. An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entitys website or social media account. Typosquatting87 is the international registration of a domain name with purposeful variations of the impersonated domain name through intentional typos, top-level domain (TLD) manipulation, or punycode. Typosquatting facilitates the creation of falsified websites by creating similar domain names in the URL box, leaving it to the user to confirm that the URL is correct.",
"description": "An influence operation may prepare assets impersonating existing entities (both organisations and people) to further conceal its network identity and add a layer of legitimacy to its operation content. Existing entities may include authentic news outlets, public figures, organisations, or state entities. \n\nUsers will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. \n\nAn influence operation may use a wide variety of cyber techniques to impersonate a legitimate entitys website or social media account. \n\nThis Technique was previously called Prepare Assets Impersonating Legitimate Entities.",
"meta": {
"external_id": "T0099",
"kill_chain": [
@ -2626,22 +2569,7 @@
},
"related": [],
"uuid": "9758be4b-0f4d-5438-bc2a-567bffb8cd57",
"value": "Prepare Assets Impersonating Legitimate Entities"
},
{
"description": "Astroturfing occurs when an influence operation disguises itself as grassroots movement or organisation that supports operation narratives. Unlike butterfly attacks, astroturfing aims to increase the appearance of popular support for the operation cause and does not infiltrate existing groups to discredit their objectives.",
"meta": {
"external_id": "T0099.001",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.001.md"
]
},
"related": [],
"uuid": "2710c060-376c-5008-b7e8-791086382a2b",
"value": "Astroturfing"
"value": "Impersonate Existing Entity"
},
{
"description": "An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities.",
@ -2658,6 +2586,66 @@
"uuid": "8eab0457-f145-56f7-aac6-d46ec8225570",
"value": "Spoof/Parody Account/Site"
},
{
"description": "A situation where a threat actor styles their online assets or content to mimic an existing organisation.\n\nThis can be done to take advantage of peoples trust in the organisation to increase narrative believability, to smear the organisation, or to make the organisation less trustworthy.",
"meta": {
"external_id": "T0099.003",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.003.md"
]
},
"related": [],
"uuid": "87a87abc-4860-51e5-a3cb-527d763dd7b1",
"value": "Impersonate Existing Organisation"
},
{
"description": "A situation where a threat actor styles their online assets or content to mimic an existing media outlet.\n\nThis can be done to take advantage of peoples trust in the outlet to increase narrative believability, to smear the outlet, or to make the outlet less trustworthy.",
"meta": {
"external_id": "T0099.004",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.004.md"
]
},
"related": [],
"uuid": "6d757126-920d-5bd3-8eeb-c555e9f6482e",
"value": "Impersonate Existing Media Outlet"
},
{
"description": "A situation where a threat actor styles their online assets or content to impersonate an official (including government officials, organisation officials, etc).",
"meta": {
"external_id": "T0099.005",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.005.md"
]
},
"related": [],
"uuid": "90a440e1-5618-5406-9ce3-2e61cf6c5e77",
"value": "Impersonate Existing Official"
},
{
"description": "A situation where a threat actor styles their online assets or content to impersonate an influencer or celebrity, typically to exploit users existing faith in the impersonated target.",
"meta": {
"external_id": "T0099.006",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0099.006.md"
]
},
"related": [],
"uuid": "c2714def-dd7a-5091-818a-0c219af8135f",
"value": "Impersonate Existing Influencer"
},
{
"description": "An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include: - National or local new outlets - Research or academic publications - Online blogs or websites",
"meta": {
@ -2869,7 +2857,7 @@
"value": "Mainstream Social Networks"
},
{
"description": "Dating Apps",
"description": "Dating App” refers to any platform (or platform feature) in which the ostensive purpose is for users to develop a physical/romantic relationship with other users.\n\nThreat Actors can exploit users quest for love to trick them into doing things like revealing sensitive information or giving them money.\n\nExamples include Tinder, Bumble, Grindr, Facebook Dating, Tantan, Badoo, Plenty of Fish, hinge, LOVOO, OkCupid, happn, and Mamba.",
"meta": {
"external_id": "T0104.002",
"kill_chain": [
@ -2881,7 +2869,7 @@
},
"related": [],
"uuid": "96b1a88b-ea2d-51ad-a473-1669e956d387",
"value": "Dating Apps"
"value": "Dating App"
},
{
"description": "Social networks that are not open to people outside of family, friends, neighbours, or co-workers. Non-work-related examples include Couple, FamilyWall, 23snaps, and Nextdoor. Some of the larger social network platforms enable closed communities: examples are Instagram Close Friends and Twitter (X) Circle. Work-related examples of private social networks include LinkedIn, Facebook Workplace, and enterprise communication platforms such as Slack or Microsoft Teams.",
@ -3173,7 +3161,7 @@
"meta": {
"external_id": "T0113",
"kill_chain": [
"tactics:Conduct Pump Priming"
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0113.md"
@ -4787,7 +4775,67 @@
"related": [],
"uuid": "823c3b54-8eac-5772-8e1c-b7fd55bbe518",
"value": "Spread Hate"
},
{
"description": "Threat Actors may take over existing assets not owned by them through nefarious means, such as using technical exploits, hacking, purchasing compromised accounts from the dark web, or social engineering.",
"meta": {
"external_id": "T0141",
"kill_chain": [
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.md"
]
},
"related": [],
"uuid": "c863835c-366c-58c1-b405-68f632632540",
"value": "Acquire Compromised Asset"
},
{
"description": "Threat Actors can take over existing users accounts to distribute campaign content. \n\nThe actor may maintain the assets previous identity to capitalise on the perceived legitimacy its previous owner had cultivated.\n\nThe actor may completely rebrand the account to exploit its existing reach, or relying on the accounts history to avoid more stringent automated content moderation rules applied to new accounts.\n\nSee also [Mitre ATT&CKs T1586 Compromise Accounts](https://attack.mitre.org/techniques/T1586/) for more technical information on how threat actors may achieve this objective.\n\nThis Technique was previously called Compromise Legitimate Accounts, and used the ID T0011.",
"meta": {
"external_id": "T0141.001",
"kill_chain": [
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.001.md"
]
},
"related": [],
"uuid": "6c78a4cc-99ff-5dda-9fd2-0ed060b478ad",
"value": "Acquire Compromised Account"
},
{
"description": "Threat Actors may take over existing websites to publish or amplify inauthentic narratives. This includes the defacement of websites, and cases where websites personas are maintained to add credence to threat actors narratives.\n\nSee also [Mitre ATT&CKs T1584 Compromise Infrastructure](https://attack.mitre.org/techniques/T1584/) for more technical information on how threat actors may achieve this objective.",
"meta": {
"external_id": "T0141.002",
"kill_chain": [
"tactics:Establish Assets"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0141.002.md"
]
},
"related": [],
"uuid": "66c253b1-d644-5dca-9954-805693489ed4",
"value": "Acquire Compromised Website"
},
{
"description": "This technique, sometimes known as \"astroturfing\", occurs when an influence operation disguises itself as a grassroots movement or organisation that supports operation narratives. \n\nAstroturfing aims to increase the appearance of popular support for an evolving grassroots movement in contrast to \"Utilise Butterfly Attacks\", which aims to discredit an existing grassroots movement. \n\nThis Technique was previously called Astroturfing, and used the ID T0099.001",
"meta": {
"external_id": "T0142",
"kill_chain": [
"tactics:Establish Legitimacy"
],
"refs": [
"https://github.com/DISARMFoundation/DISARMframeworks/blob/main/generated_pages/techniques/T0142.md"
]
},
"related": [],
"uuid": "c52f5e7a-5a13-5859-9bb0-1620dec4dde2",
"value": "Fabricate Grassroots Movement"
}
],
"version": 1
"version": 2
}

5736
clusters/intelligence-agencies.json Normal file
View File

File diff suppressed because it is too large Load Diff

79
clusters/threat-actor.json
View File

@ -2504,7 +2504,8 @@
"https://www.secureworks.com/research/threat-profiles/iron-hemlock",
"https://attack.mitre.org/groups/G0016",
"https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/",
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf"
"https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf",
"https://cip.gov.ua/services/cm/api/attachment/download?id=60068"
],
"synonyms": [
"Group 100",
@ -2522,7 +2523,8 @@
"Blue Kitsune",
"ITG11",
"BlueBravo",
"Nobelium"
"Nobelium",
"UAC-0029"
],
"targeted-sector": [
"Think Tanks",
@ -2632,7 +2634,8 @@
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://cip.gov.ua/services/cm/api/attachment/download?id=60068"
],
"synonyms": [
"Snake",
@ -2656,7 +2659,10 @@
"Blue Python",
"SUMMIT",
"UNC4210",
"Secret Blizzard"
"Secret Blizzard",
"UAC-0144",
"UAC-0024",
"UAC-0003"
],
"targeted-sector": [
"Government, Administration",
@ -2821,7 +2827,8 @@
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine",
"https://cert.gov.ua/article/405538"
"https://cert.gov.ua/article/405538",
"https://cip.gov.ua/services/cm/api/attachment/download?id=60068"
],
"synonyms": [
"Quedagh",
@ -2835,7 +2842,8 @@
"Blue Echidna",
"FROZENBARENTS",
"UAC-0113",
"Seashell Blizzard"
"Seashell Blizzard",
"UAC-0082"
],
"targeted-sector": [
"Electric",
@ -5372,7 +5380,6 @@
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"Hippo Team",
"JerseyMikes",
"TURBINE PANDA",
"BRONZE EXPRESS",
@ -6294,7 +6301,8 @@
"https://attack.mitre.org/groups/G0069/",
"http://www.secureworks.com/research/threat-profiles/cobalt-ulster",
"https://unit42.paloaltonetworks.com/atoms/boggyserpens/",
"https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/"
"https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/",
"https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
],
"synonyms": [
"TEMP.Zagros",
@ -6306,7 +6314,8 @@
"ATK51",
"Boggy Serpens",
"Mango Sandstorm",
"TA450"
"TA450",
"Earth Vetala"
]
},
"related": [
@ -13456,7 +13465,12 @@
"country": "RU",
"refs": [
"https://www.mandiant.com/resources/blog/gru-rise-telegram-minions",
"https://www.mandiant.com/resources/blog/gru-disruptive-playbook"
"https://www.mandiant.com/resources/blog/gru-disruptive-playbook",
"https://cip.gov.ua/services/cm/api/attachment/download?id=60068"
],
"synonyms": [
"UAC-0100",
"UAC-0106"
]
},
"uuid": "566752f5-a294-4430-b47e-8e705f9887ea",
@ -13471,7 +13485,11 @@
"https://www.cyfirma.com/?post_type=out-of-band&p=17397",
"https://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries",
"https://channellife.com.au/story/the-increasing-presence-of-pro-russia-hacktivists",
"https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/"
"https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/",
"https://cip.gov.ua/services/cm/api/attachment/download?id=60068"
],
"synonyms": [
"UAC-0109"
]
},
"uuid": "3689f0e2-6c39-4864-ae0b-cc03e4cb695a",
@ -15394,6 +15412,43 @@
"uuid": "69a944ef-4962-432e-a1b9-575b646ee2ed",
"value": "R00tK1T"
},
{
"description": "UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance's settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. Mandiant identified TTPs and malware code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware leveraged by UNC3886. Mandiant assesses with moderate confidence that UNC5325 is associated with UNC3886.",
"meta": {
"country": "CN",
"refs": [
"https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence"
]
},
"uuid": "ffb28c09-16a6-483a-817a-89c89751c9d4",
"value": "UNC5325"
},
{
"description": "Earth Kapre is an APT group specializing in cyberespionage. They target organizations in various countries through phishing campaigns using malicious attachments to infect machines. Earth Kapre employs techniques like abusing PowerShell, curl, and Program Compatibility Assistant to execute malicious commands and evade detection within targeted networks. The group has been active since at least 2018 and has been linked to multiple incidents involving data theft and espionage.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html"
],
"synonyms": [
"RedCurl",
"Red Wolf"
]
},
"uuid": "d4004926-bf12-4cfe-b141-563c8ffb304a",
"value": "Earth Kapre"
},
{
"description": "Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing servers, and custom backdoors like Cobalt Strike, RESHELL, and XDealer to conduct cyber espionage. The group creates VPN servers on infected systems, employs brute force attacks on email accounts, and exploits compromised government infrastructure to attack other governments. Earth Krahang has been linked to another China-linked actor, Earth Lusca, and is believed to be part of a specialized task force for cyber espionage against government institutions.",
"meta": {
"country": "CN",
"refs": [
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-china-linked-earth-krahang-apt-breached-70-organizations-in-23-nations-active-iocs",
"https://www.trendmicro.com/en_us/research/24/c/earth-krahang.html"
]
},
"uuid": "8cfc9653-51bc-40f1-a267-78a1b8c763f6",
"value": "Earth Krahang"
},
{
"meta": {
"cfr-suspected-victims": [
@ -15407,5 +15462,5 @@
"value": "Mirage Tiger"
}
],
"version": 303
"version": 305
}

630
clusters/tmss.json Normal file
View File

@ -0,0 +1,630 @@
{
"authors": [
"Microsoft",
"Evgeny Bogokovsky",
"Ram Pliskin"
],
"category": "tmss",
"description": "Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.",
"name": "Threat Matrix for storage services",
"source": "https://github.com/microsoft/Threat-matrix-for-storage-services",
"type": "tmss",
"uuid": "aaf033a6-7f1e-45ab-beef-20a52b75b641",
"values": [
{
"description": "Attackers may execute active reconnaissance scans to gather storage account names that becomes a potential target. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.",
"meta": {
"external_id": "MS-T801",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-account-discovery"
]
},
"related": [
{
"dest-uuid": "67073dde-d720-45ae-83da-b12d5e73ca3b",
"type": "related-to"
}
],
"uuid": "106eb589-71e3-58a1-a37e-916cdc902414",
"value": "MS-T801 - Storage account discovery"
},
{
"description": "Attackers may use search engines to collect information about victim storage accounts that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords such as storage accounts domain names (site:*.blob.core.windows.net)",
"meta": {
"external_id": "MS-T804",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/search-engines"
]
},
"uuid": "044be881-7476-5fbe-a760-bdf9cf949cab",
"value": "MS-T804 - Search engines"
},
{
"description": "Attackers may search public databases for publicly available storage accounts that can be used during targeting.",
"meta": {
"external_id": "MS-T803",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/databases-of-public-accounts"
]
},
"related": [
{
"dest-uuid": "55fc4df0-b42c-479a-b860-7a6761bcaad0",
"type": "related-to"
}
],
"uuid": "ef3d435e-8ca6-5864-a882-e7b092870719",
"value": "MS-T803 - Databases of publicly available storage accounts"
},
{
"description": "Attackers may search for DNS data for valid storage account names that can become potential targets. Threat actors can query nameservers using brute-force technique to enumerate existing storage accounts in the wild, or search through centralized repositories of logged DNS query responses (known as passive DNS).",
"meta": {
"external_id": "MS-T826",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/dns-passive-dns"
]
},
"uuid": "e5b2e210-fedb-5651-bb82-484e9f0dfde8",
"value": "MS-T826 - DNS/Passive DNS"
},
{
"description": "Attackers may look for storage accounts of a victim enterprise by searching its websites. Victim-owned website pages may be stored on a storage account or contain links to retrieve data stored in a storage account. The links contain the URL of the storage and provide an entry point into the account.",
"meta": {
"external_id": "MS-T805",
"kill_chain": [
"TMSS-tactics:Reconnaissance"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/victim-owned-websites"
]
},
"related": [
{
"dest-uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26",
"type": "related-to"
}
],
"uuid": "53e65db3-5177-56fc-ae07-088c9919463e",
"value": "MS-T805 - Victim-owned websites"
},
{
"description": "A shared access signature (SAS) is a token, that is appended to the a uniform resource identifier (URI) for a storage resource, that grants restricted access rights over the associated resource in your storage account. Attackers may get a SAS token using one of the Credential Access techniques or during the reconnaissance process through social engineering.",
"meta": {
"external_id": "MS-T814",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/valid-sas-token"
]
},
"uuid": "1900b9ba-0b3c-5ad7-bdd0-ac8c40a8da0a",
"value": "MS-T814 - Valid SAS token"
},
{
"description": "Attackers may get a shared key using one of Credential Access techniques or capture one earlier in their reconnaissance process through social engineering to gain initial access. Adversaries may leverage keys left in source code or configuration files. Sophisticated attackers may also obtain keys from hosts (virtual machines) that have mounted File Share on their system (SMB). Shared key provides unrestricted permissions over all data plane operations.",
"meta": {
"external_id": "MS-T815",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/valid-shared-key"
]
},
"uuid": "3348438e-9ed7-5aa3-b60b-8c97075c0550",
"value": "MS-T815 - Valid shared key"
},
{
"description": "Attackers may steal account credentials using one of the credential access techniques or capture an account earlier in their reconnaissance process through social engineering to gain initial access. An authorized principal account can result in full control of storage account resources.",
"meta": {
"external_id": "MS-T816",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/authorized-principal-account"
]
},
"uuid": "ad800a27-4d29-58f4-962e-f3b01acea800",
"value": "MS-T816 - Authorized principal account"
},
{
"description": "Attackers may leverage publicly exposed storage accounts to list containers/blobs and their properties. Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. When you configure a container's public access level setting to permit anonymous access, clients can read data in that container without authorizing the request.",
"meta": {
"external_id": "MS-T817",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/anonymous-public-read-access"
]
},
"uuid": "3e5fba42-41c6-54ff-8977-e9f861f9e039",
"value": "MS-T817 - Anonymous public read access"
},
{
"description": "Attackers may obtain and abuse credentials of an SFTP account as a means of gaining initial access. SFTP is a prevalent file transfer protocol between a client and a remote service. Once the user connects to the cloud storage service, the user can upload and download blobs and perform other operations that are supported by the protocol. SFTP connection requires SFTP accounts which are managed locally in the storage service instance, including credentials in a form of passwords or key-pairs.",
"meta": {
"external_id": "MS-T825",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/sftp-credentials"
]
},
"uuid": "abc4f207-7149-54cb-baa8-685506759e03",
"value": "MS-T825 - SFTP credentials"
},
{
"description": "Attackers may perform initial access to a storage account using NFS protocol where enabled. While access is restricted to a list of allowed virtual networks that are configured on the storage account firewall, connection via NFS protocol does not require authentication and can be performed by any source on the specified networks.",
"meta": {
"external_id": "MS-T827",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/nfs-access"
]
},
"uuid": "6b17039c-ec8b-54af-8363-232d5acef0e3",
"value": "MS-T827 - NFS access"
},
{
"description": "Attackers may perform initial access to a storage account file shares using Server Message Block (SMB) protocol.",
"meta": {
"external_id": "MS-T828",
"kill_chain": [
"TMSS-tactics:Initial Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/smb-access"
]
},
"uuid": "2ede6cb7-2d42-577d-814d-a767b0dccf83",
"value": "MS-T828 - SMB access"
},
{
"description": "Attackers may set a replication policy between source and destination containers that asynchronously copies objects from source to destination. This feature can be maliciously misused in both directions. Outbound replication can serve as an exfiltration channel of customer data from the victim's container to an adversary's container. Inbound replication can be used to deliver malware from an adversary's container to a victim's container. After the policy is set, the attacker can operate on their container without accessing the victim container.",
"meta": {
"external_id": "MS-T840",
"kill_chain": [
"TMSS-tactics:Initial Access",
"TMSS-tactics:Exfiltration"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/object-replication"
]
},
"related": [
{
"dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
"type": "related-to"
}
],
"uuid": "8fdc8739-5b51-51c8-b290-f94a3bd07271",
"value": "MS-T840 - Object replication"
},
{
"description": "Attackers may disable firewall protection or set additional firewall rules to masquerade their access channel. Azure Storage offers a set of built-in network access features. Administrators can leverage these capabilities to restrict access to storage resources. Restriction rules can operate at the IP level or VNet IDs. When network rules are configured, only requests originated from authorized subnets will be served.",
"meta": {
"external_id": "MS-T813",
"kill_chain": [
"TMSS-tactics:Persistence",
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/firewall-configuration-changes"
]
},
"uuid": "a608566b-99bc-523c-9e7c-0e220fe2c972",
"value": "MS-T813 - Firewall and virtual networks configuratioin changes"
},
{
"description": "Storage services offer built-in RBAC roles that encompass sets of permissions used to access different data types. Definition of custom roles is also supported. Upon assignment of an RBAC role to an identity object (like Azure AD security principal) the storage provider grants access to that security principal. Attackers may leverage the RBAC mechanism to ensure persistent access to their owned identity objects.",
"meta": {
"external_id": "MS-T808",
"kill_chain": [
"TMSS-tactics:Persistence",
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/rbac-permission"
]
},
"uuid": "bf27614e-18ca-5ab0-add4-610777067754",
"value": "MS-T808 - Role-based access control permission"
},
{
"description": "Attackers may create a high-privileged SAS token with long expiry to preserve valid credentials for a long period. The tokens are not monitored by storage accounts thus they cannot be revoked (except Service SAS) and it's not easy to determine whether there are valid tokens in the wild until they are used.",
"meta": {
"external_id": "MS-T806",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/create-sas-token"
]
},
"uuid": "5eefa8fc-0ae5-57f1-9a65-389186e25ca4",
"value": "MS-T806 - Create SAS token"
},
{
"description": "Attackers may adjust the container access level property at the granularity of a blob or container, to permit anonymous read access to data in the storage account. This configuration secures a channel to exfiltrate data even if the initial access technique is no longer valid.",
"meta": {
"external_id": "MS-T807",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/container-access-level-property"
]
},
"uuid": "17061b42-9706-5594-9ac2-2b9dd2150649",
"value": "MS-T807 - Container access level property"
},
{
"description": "Attackers may create an SFTP account to maintain access to a target storage account. The SFTP account is local on the storage instance and is not subject to Azure RBAC permissions. The account is also unaffected in case of storage account access keys rotation.",
"meta": {
"external_id": "MS-T809",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/sftp-account"
]
},
"uuid": "a31f49b0-5c72-577a-9f73-198daa685f17",
"value": "MS-T809 - SFTP account"
},
{
"description": "Attackers may configure the storage account firewall to allow access by trusted Azure services. Azure Storage provides a predefined list of trusted services. Any resource from that list that belongs to the same subscription as the storage account is allowed by the firewall even if there is no firewall rule that explicitly permits the source address of the resource.",
"meta": {
"external_id": "MS-T830",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trusted-azure-services"
]
},
"uuid": "c78756dd-1bb7-5145-bb82-8268b55d1996",
"value": "MS-T830 - Trusted Azure services"
},
{
"description": "Attackers may configure the storage account firewall to allow access by specific resource instances based on their system-assigned managed identity, regardless of their source address. The resource type can be chosen from a predefined list provided by Azure Storage, and the resource instance must be in the same tenant as the storage account. The RBAC permissions of the resource instance determine the types of operations that a resource instance can perform on storage account data.",
"meta": {
"external_id": "MS-T829",
"kill_chain": [
"TMSS-tactics:Persistence"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trusted-access-managed-identity"
]
},
"uuid": "0f60104b-65bd-5ca4-8286-d83c6310d5b0",
"value": "MS-T829 - Trusted access based on a managed identity"
},
{
"description": "Attackers may set private endpoints for a storage account to establish a separate communication channel from a target virtual network. The new endpoint is assigned with a private IP address within the virtual network's address range. All the requests sent to the private endpoint bypass the storage account firewall by design.",
"meta": {
"external_id": "MS-T812",
"kill_chain": [
"TMSS-tactics:Persistence",
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/private-endpoint"
]
},
"uuid": "b57fb931-e898-59f2-b456-fefce5e19e99",
"value": "MS-T812 - Private endpoint"
},
{
"description": "Storage services offer different types of cloning or backup data stored on them. Attackers may abuse these built-in capabilities to steal sensitive documents, source code, credentials, and other business crucial information.",
"meta": {
"external_id": "MS-T841",
"kill_chain": [
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-data-clone"
]
},
"uuid": "1581f347-b5bf-5237-b4cf-9005fbe0fcf6",
"value": "MS-T841 - Storage data clone"
},
{
"description": "Attackers may fragment stolen information and exfiltrate it on different size chunks to avoid being detected by triggering potentially predefined transfer threshold alerts.",
"meta": {
"external_id": "MS-T831",
"kill_chain": [
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Exfiltration"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-transfer-size-limits"
]
},
"related": [
{
"dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd",
"type": "related-to"
}
],
"uuid": "30de37bf-a416-5f25-8396-a2af42ff437a",
"value": "MS-T831 - Data transfer size limits"
},
{
"description": "Attackers may exploit legitimate automation processes, predefined by the compromised organization, with the goal of having their logging traces blend in normally within the companys typical activities. Assimilating or disguising malicious intentions will keep adversary actions, such as data theft, stealthier.",
"meta": {
"external_id": "MS-T832",
"kill_chain": [
"TMSS-tactics:Defense Evasion",
"TMSS-tactics:Exfiltration"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/automated-exfiltration"
]
},
"related": [
{
"dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
"type": "related-to"
}
],
"uuid": "f4a35b50-b56b-5663-8a84-e2235cee712f",
"value": "MS-T832 - Automated exfiltration"
},
{
"description": "Attackers may disable storage account audit logs to prevent event tracking and avoid detection. Audit logs provide a detailed record of operations performed on a target storage account and may be used to detect malicious activities. Thus, disabling these logs can leave a resource vulnerable to attacks without being detected.",
"meta": {
"external_id": "MS-T810",
"kill_chain": [
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/disable-audit-logs"
]
},
"uuid": "ef893695-23f7-5f90-9135-9c50a259abe1",
"value": "MS-T810 - Disable audit logs"
},
{
"description": "Attackers may disable the cloud workload protection service which raises security alerts upon detection of malicious activities in cloud storage services.",
"meta": {
"external_id": "MS-T811",
"kill_chain": [
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/disable-protection-service"
]
},
"uuid": "14af4a95-e84c-52fb-80ac-0f3aeb13a643",
"value": "MS-T811 - Disable cloud workload protection"
},
{
"description": "Attackers may split their requests across geo replicas to reduce the footprint in each region and avoid being detected by various rules and heuristics.",
"meta": {
"external_id": "MS-T833",
"kill_chain": [
"TMSS-tactics:Defense Evasion"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/operations-across-geo-replicas"
]
},
"uuid": "7853ec1a-6440-5119-a719-0cee735f3034",
"value": "MS-T833 - Operations across geo replicas"
},
{
"description": "Attackers may leverage subscription/account-level access to gather storage account keys and use these keys to authenticate at the resource level. This technique exhibits cloud resource pivoting in combination with control management and data planes. Adversaries can query management APIs to fetch primary and secondary storage account keys.",
"meta": {
"external_id": "MS-T818",
"kill_chain": [
"TMSS-tactics:Credential Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/access-key-query"
]
},
"related": [
{
"dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
"type": "related-to"
}
],
"uuid": "06735c35-4f9d-5ba4-9f05-7d087eac2e84",
"value": "MS-T818 - Access key query"
},
{
"description": "Cloud Shell is an interactive, authenticated, browser-accessible shell for managing cloud resources. It provides the flexibility of shell experience, either Bash or PowerShell. To support the Cloud Shell promise of being accessible from everywhere, Cloud Shell profiles and session history are saved on storage account. Attackers may leverage the legitimate use of Cloud Shell to impersonate account owners and potentially obtain additional secrets logged as part of session history.",
"meta": {
"external_id": "MS-T834",
"kill_chain": [
"TMSS-tactics:Credential Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/cloud-shell-profiles"
]
},
"uuid": "cf858945-94ff-5d2d-ab02-bfe15626d8b3",
"value": "MS-T834 - Cloud shell profiles"
},
{
"description": "Attackers may sniff network traffic and capture credentials sent over an insecure protocol. When Storage account is configured to support unencrypted protocol such as HTTP, credentials are passed over the wire unprotected and are susceptible to leakage. The attacker can use the compromised credentials to gain initial access to the storage account.",
"meta": {
"external_id": "MS-T819",
"kill_chain": [
"TMSS-tactics:Credential Access"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/unsecured-communication-channel"
]
},
"related": [
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"type": "related-to"
}
],
"uuid": "37baec71-2c4e-5904-94c4-5bf1c88623b6",
"value": "MS-T819 - Unsecured communication channel"
},
{
"description": "Attackers may leverage access permission to explore the stored objects in the storage account. Tools witnessed, at the reconnaissance phase, are oftentimes used toward this post-compromise information-gathering objective, now with authorization to access storage APIs, such as the List Blobs call.",
"meta": {
"external_id": "MS-T820",
"kill_chain": [
"TMSS-tactics:Discovery"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/storage-service-discovery"
]
},
"uuid": "559ab713-b18f-5649-ab34-608a1f00a663",
"value": "MS-T820 - Storage service discovery"
},
{
"description": "Attackers may leverage control plane access permission to retrieve the storage account configuration. The configuration contains various technical details that may assist the attacker in implementing a variety of tactics. For example, firewall configuration provides network access information. Other parameters may reveal whether access operations are logged. The configuation may also contain the backup policy that may assist the attacker in performing data destruction.",
"meta": {
"external_id": "MS-T835",
"kill_chain": [
"TMSS-tactics:Discovery"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/account-configuration-discovery"
]
},
"uuid": "a58c9198-8b41-5d88-b856-ee48801b3a79",
"value": "MS-T835 - Account configuration discovery"
},
{
"description": "Attackers may use storage services to store a malicious program or toolset that will be executed at later times during their operation. In addition, adversaries may exploit the trust between users and their organizations Storage services by storing phishing content. Furthermore, storage services can be leveraged to park gathered intelligence that will be exfiltrated when terms suit the actor group.",
"meta": {
"external_id": "MS-T821",
"kill_chain": [
"TMSS-tactics:Lateral Movement"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/malicious-content-upload"
]
},
"uuid": "23539a72-5e00-5775-8f7d-24f364dd5bb7",
"value": "MS-T821 - Malicious content upload"
},
{
"description": "Storage services offer different types of mechanisms to support auto-synchronization between various resources and the storage account. Attackers may leverage access to the storage account to upload malware and benefit from the auto-sync built-in capabilities to have their payload being populated and potentially weaponize multiple systems.",
"meta": {
"external_id": "MS-T822",
"kill_chain": [
"TMSS-tactics:Lateral Movement"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/malware-distribution"
]
},
"uuid": "a7100316-2a71-5b74-a2f2-a2529c08598c",
"value": "MS-T822 - Malware distribution"
},
{
"description": "Attackers may manipulate storage services to trigger a compute service, like Azure Functions, where an attacker already has a foothold on a storage container and can inject a blob that will initiate a chain of a compute process. This may allow an attacker to infiltrate another resource and cause harm.",
"meta": {
"external_id": "MS-T823",
"kill_chain": [
"TMSS-tactics:Lateral Movement"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/trigger-cross-service-interaction"
]
},
"uuid": "f9d6b919-6fe3-59ea-81a3-cbac0daacfa5",
"value": "MS-T823 - Trigger cross-service interaction"
},
{
"description": "Same is applicable for data blobs or files which may be eventually processed on a host by a legitimate application with software vulnerabilities. Attackers may tamper benign data with a payload that exploits a vulnerability on a user's end and execute a malicious code.",
"meta": {
"external_id": "MS-T824",
"kill_chain": [
"TMSS-tactics:Lateral Movement"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/code-injection"
]
},
"uuid": "ac060220-18b4-5757-9f5c-2fd43f2d2f61",
"value": "MS-T824 - Code injection"
},
{
"description": "Attackers may use the \"static website\" feature to exfiltrate collected data outside of the storage account. Static website is a cloud storage provider hosting capability that enables serving static web content directly from the storage account. The website can be reached via an alternative web endpoint which might be overlooked when restricting access to the storage account.",
"meta": {
"external_id": "MS-T836",
"kill_chain": [
"TMSS-tactics:Exfiltration"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/static-website"
]
},
"uuid": "ae3a9c3e-3316-5165-bc98-a1df76acdee2",
"value": "MS-T836 - Static website"
},
{
"description": "Attackers may corrupt or delete data stored on storage services to disrupt the availability of systems or other lines of business.",
"meta": {
"external_id": "MS-T839",
"kill_chain": [
"TMSS-tactics:Impact"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-corruption"
]
},
"uuid": "561d0cdd-ded3-5f52-b542-afd43ca5ca09",
"value": "MS-T839 - Data corruption"
},
{
"description": "Attackers may encrypt data stored on storage services to disrupt the availability of systems or other lines of business. Making resources inaccessible by encrypting files or blobs and withholding access to a decryption key. This may be done to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware).",
"meta": {
"external_id": "MS-T838",
"kill_chain": [
"TMSS-tactics:Impact"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-encryption-for-impact"
]
},
"uuid": "7e243d46-1e08-51ff-af85-cb80f02c7e41",
"value": "MS-T838 - Data encryption for impact (Ransomware)"
},
{
"description": "Attackers may insert or modify data in order to influence external outcomes, thus threatening the integrity of the data. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary.",
"meta": {
"external_id": "MS-T837",
"kill_chain": [
"TMSS-tactics:Impact"
],
"refs": [
"https://microsoft.github.io/Threat-matrix-for-storage-services/techniques/data-manipulation"
]
},
"uuid": "f0556667-5e4e-51f9-a92c-9e92193d141a",
"value": "MS-T837 - Data manipulation"
}
],
"version": 1
}

4
galaxies/atrm.json
View File

@ -13,8 +13,8 @@
]
},
"name": "Azure Threat Research Matrix",
"namespace": "atrm",
"namespace": "microsoft",
"type": "atrm",
"uuid": "b541a056-154c-41e7-8a56-41db3f871c00",
"version": 2
"version": 3
}

4
galaxies/disarm-countermeasures.json
View File

@ -40,7 +40,7 @@
"Assess Effectiveness",
"Target Audience Analysis",
"Develop Narratives",
"Establish Social Assets",
"Establish Assets",
"Establish Legitimacy",
"Maximise Exposure",
"Drive Online Harms"
@ -50,5 +50,5 @@
"namespace": "disarm",
"type": "disarm-countermeasures",
"uuid": "9a3ac024-7c65-5ac0-87c4-eaed2238eec8",
"version": 1
"version": 2
}

4
galaxies/disarm-detections.json
View File

@ -24,7 +24,7 @@
"Assess Effectiveness",
"Target Audience Analysis",
"Develop Narratives",
"Establish Social Assets",
"Establish Assets",
"Establish Legitimacy",
"Maximise Exposure",
"Drive Online Harms"
@ -34,5 +34,5 @@
"namespace": "disarm",
"type": "disarm-detections",
"uuid": "bb61e6f3-b2bd-5c7d-929c-b6f292ccc56a",
"version": 1
"version": 2
}

4
galaxies/disarm-techniques.json
View File

@ -15,7 +15,7 @@
"Assess Effectiveness",
"Target Audience Analysis",
"Develop Narratives",
"Establish Social Assets",
"Establish Assets",
"Establish Legitimacy",
"Maximise Exposure",
"Drive Online Harms"
@ -25,5 +25,5 @@
"namespace": "disarm",
"type": "disarm-techniques",
"uuid": "a90f2bb6-11e1-58a7-9962-ba37886720ec",
"version": 1
"version": 2
}

9
galaxies/intelligence-agencies.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "List of intelligence agencies",
"icon": "ninja",
"name": "Intelligence Agencies",
"namespace": "intelligence-agency",
"type": "intelligence-agency",
"uuid": "3ef969e7-96cd-4048-aa83-191ac457d0db",
"version": 1
}

22
galaxies/tmss.json Normal file
View File

@ -0,0 +1,22 @@
{
"description": "Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.",
"icon": "map",
"kill_chain_order": {
"TMSS-tactics": [
"Reconnaissance",
"Initial Access",
"Persistence",
"Defense Evasion",
"Credential Access",
"Discovery",
"Lateral Movement",
"Exfiltration",
"Impact"
]
},
"name": "Threat Matrix for storage services",
"namespace": "microsoft",
"type": "tmss",
"uuid": "d6532b58-99e0-44a9-93c8-affe055e4443",
"version": 1
}

1
tools/IntelAgencies/REQUIREMENTS Normal file
View File

@ -0,0 +1 @@
pycountry

157
tools/IntelAgencies/main.py Normal file
View File

@ -0,0 +1,157 @@
from modules.api import WikipediaAPI
from modules.intel import IntelAgency, Meta, Galaxy, Cluster
import os
import uuid
import json
from bs4 import BeautifulSoup
import pycountry
CLUSTER_PATH = '../../clusters'
GALAXY_PATH = '../../galaxies'
GALAXY_NAME = 'intelligence-agencies'
UUID = "3ef969e7-96cd-4048-aa83-191ac457d0db"
WIKIPEDIA_URL = "https://en.wikipedia.org"
COUNTRY_CODES = {
"Brunei": "BN",
"People's Republic of China": "CN",
"Democratic Republic of the Congo": "CD", # Note: This is for the Democratic Republic of the Congo, not to be confused with the Republic of the Congo (CG)
"Czech Republic": "CZ",
"Iran": "IR",
"Moldova": "MD", # Officially known as the Republic of Moldova
"North Korea": "KP", # Officially the Democratic People's Republic of Korea (DPRK)
"Palestine": "PS",
"Russia": "RU", # Officially the Russian Federation
"South Korea": "KR", # Officially the Republic of Korea (ROK)
"Syria": "SY", # Officially the Syrian Arab Republic
"Taiwan": "TW", # ISO code is assigned as "Taiwan, Province of China"
"Tanzania": "TZ", # Officially the United Republic of Tanzania
"Trinidad & Tobago": "TT",
"Turkey": "TR",
"Venezuela": "VE", # Officially the Bolivarian Republic of Venezuela
"Vietnam": "VN", # Officially the Socialist Republic of Vietnam
"European Union": None, # Not a country, no ISO code
"Shanghai Cooperation Organisation": None # Not a country, no ISO code
}
def compute_uuid(value, namespace=UUID):
return str(uuid.uuid5(uuid.UUID(namespace), value))
def get_notes_on_lower_level(content):
notes = []
for li in content.find_all('li', recursive=False):
if li.find('ul'):
notes.extend(get_notes_on_lower_level(li.find('ul')))
else:
a_tag = li.find('a')
title = li.text
link_href = None
description = li.text
i_tag = li.find_all('i')
synonyms = [i.text for i in i_tag]
if a_tag:
title = a_tag.get('title', description)
if a_tag.has_attr('href'):
link_href = f'{WIKIPEDIA_URL}{a_tag["href"]}'
if len(synonyms) == 0 or synonyms[0] == title:
synonyms = None
notes.append((title, link_href, description, synonyms))
return notes
def get_agencies_from_country(heading, current_country):
agencies = []
contents = []
contents.append(heading.find_next('ul'))
current_content = contents[0]
while True:
next_sibling = current_content.find_next_sibling()
if next_sibling is None or next_sibling.name == 'h2':
break
if next_sibling.name == 'ul':
contents.append(next_sibling)
current_content = next_sibling
for content in contents:
agency_names = get_notes_on_lower_level(content)
for name, links, description, synonyms in agency_names:
country_code = pycountry.countries.get(name=current_country)
# Set country
country_name = current_country
if country_code:
country_code = country_code.alpha_2
else:
country_code = COUNTRY_CODES.get(current_country)
if current_country in ["European Union", "Shanghai Cooperation Organisation"]: # Not a country
country_name = None
# Set names for duplicates
if name in ['Special Branch', 'Financial Intelligence Unit']:
name = f'{name} ({current_country})'
agencies.append(IntelAgency(value=name, uuid=compute_uuid(name), meta=Meta(country=country_code, country_name=country_name, refs=[links], synonyms=synonyms), description=description))
return agencies
def extract_info(content):
IGNORE = ["See also", "References", "External links", "Further reading"]
soup = BeautifulSoup(content, 'html.parser')
agencies = []
current_country = None
for h2 in soup.find_all('h2'):
span = h2.find('span', {'class': 'mw-headline'})
if span and span.text not in IGNORE:
current_country = span.text.strip()
agencies.extend(get_agencies_from_country(h2, current_country))
else:
continue
return agencies
if __name__ == '__main__':
wiki = WikipediaAPI()
page_title = 'List of intelligence agencies'
content = wiki.get_page_html(page_title)
if content:
agencies = extract_info(content)
else:
raise ValueError("Error: No content found: ", content)
authors = [x['name'] for x in wiki.get_authors(page_title)]
# Write to files
galaxy = Galaxy(
description="List of intelligence agencies",
icon="ninja",
name="Intelligence Agencies",
namespace="intelligence-agency",
type="intelligence-agency",
uuid=UUID,
version=1,
)
galaxy.save_to_file(os.path.join(GALAXY_PATH, f'{GALAXY_NAME}.json'))
cluster = Cluster(
authors=authors,
category="Intelligence Agencies",
description="List of intelligence agencies",
name="Intelligence Agencies",
source="https://en.wikipedia.org/wiki/List_of_intelligence_agencies",
type="intelligence-agency",
uuid=UUID,
version=1,
)
for agency in agencies:
cluster.add_value(agency)
cluster.save_to_file(os.path.join(CLUSTER_PATH, f'{GALAXY_NAME}.json'))

0
tools/IntelAgencies/modules/__init__.py Normal file
View File

72
tools/IntelAgencies/modules/api.py Normal file
View File

@ -0,0 +1,72 @@
import requests
class WikipediaAPI():
def __init__(self):
self.base_url = 'https://en.wikipedia.org/w/api.php'
def get_page_summary(self, page_title):
params = {
'action': 'query',
'format': 'json',
'titles': page_title,
'prop': 'extracts',
'explaintext': True,
}
try:
response = requests.get(self.base_url, params=params)
data = response.json()
page_id = next(iter(data['query']['pages']))
return data['query']['pages'][page_id]['extract']
except Exception as e:
print(f'Error: {e}')
return None
def get_page_content(self, page_title):
params = {
'action': 'query',
'format': 'json',
'titles': page_title,
'prop': 'revisions',
'rvprop': 'content',
}
try:
response = requests.get(self.base_url, params=params)
data = response.json()
page_id = next(iter(data['query']['pages']))
return data['query']['pages'][page_id]['revisions'][0]['*']
except Exception as e:
print(f'Error: {e}')
return None
def get_page_html(self, page_title):
params = {
'action': 'parse',
'format': 'json',
'page': page_title,
'prop': 'text',
'disableeditsection': True,
}
try:
response = requests.get(self.base_url, params=params)
data = response.json()
return data['parse']['text']['*']
except Exception as e:
print(f'Error: {e}')
return None
def get_authors(self, page_title):
params = {
'action': 'query',
'format': 'json',
'titles': page_title,
'prop': 'contributors',
}
try:
response = requests.get(self.base_url, params=params)
data = response.json()
page_id = next(iter(data['query']['pages']))
return data['query']['pages'][page_id]['contributors']
except Exception as e:
print(f'Error: {e}')
return None

76
tools/IntelAgencies/modules/intel.py Normal file
View File

@ -0,0 +1,76 @@
from dataclasses import dataclass, field, asdict, is_dataclass
import json
@dataclass
class Meta:
country: str = None
country_name: str = None
refs: list = field(default_factory=list)
synonyms: list = field(default_factory=list)
def custom_asdict(obj):
if is_dataclass(obj):
result = {}
for field_name, field_def in obj.__dataclass_fields__.items():
value = getattr(obj, field_name)
if field_name == 'meta':
meta_value = custom_asdict(value)
meta_value = {k: v for k, v in meta_value.items() if v is not None and not (k in ['refs', 'synonyms'] and (not v or all(e is None for e in v)))}
value = meta_value
elif isinstance(value, (list, tuple)) and all(is_dataclass(i) for i in value):
value = [custom_asdict(i) for i in value]
elif isinstance(value, list) and all(e is None for e in value):
continue
if value is None and field_name in ['country', 'country_name']:
continue
result[field_name] = value
return result
else:
return obj
@dataclass
class IntelAgency:
description: str = ""
meta: Meta = field(default_factory=Meta)
related: list = field(default_factory=list)
uuid: str = None
value: str = None
def __post_init__(self):
if not self.value:
raise ValueError("IntelAgency 'value' cannot be empty.")
if not self.uuid:
raise ValueError("IntelAgency 'uuid' cannot be empty.")
@dataclass
class Galaxy:
description: str
icon: str
name: str
namespace: str
type: str
uuid: str
version: int
def save_to_file(self, path: str):
with open(path, "w") as file:
file.write(json.dumps(asdict(self), indent=4))
@dataclass
class Cluster:
authors: str
category: str
description: str
name: str
source: str
type: str
uuid: str
version: int
values: list = field(default_factory=list)
def add_value(self, value: IntelAgency):
self.values.append(value)
def save_to_file(self, path: str):
with open(path, "w") as file:
file.write(json.dumps(custom_asdict(self), indent=4, ensure_ascii=False))

2
tools/gen_atrm.py → tools/gen_ms_atrm.py
View File

@ -84,7 +84,7 @@ json_galaxy = {
},
'name': "Azure Threat Research Matrix",
'description': "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
'namespace': "atrm",
'namespace': "microsoft",
'type': "atrm",
'uuid': "b541a056-154c-41e7-8a56-41db3f871c00",
'version': 1

149
tools/gen_ms_tmss.py Executable file
View File

@ -0,0 +1,149 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# A simple convertor of the Threat Matrix for storage services to a MISP Galaxy datastructure.
# Copyright (C) 2022 Christophe Vandeplas
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import yaml
import os
import uuid
import re
import json
import argparse
parser = argparse.ArgumentParser(description='Create/update the Threat Matrix for storage services based on Markdown files.')
parser.add_argument("-p", "--path", required=True, help="Path of the 'Threat Matrix for storage services' git clone folder")
args = parser.parse_args()
if not os.path.exists(args.path):
exit("ERROR: Threat Matrix for storage services folder incorrect")
with open(os.path.join(args.path, 'mkdocs.yml'), 'r') as f:
mkdocs_data = yaml.load(f, Loader=yaml.BaseLoader)
tactics = []
clusters = {}
def find_mitre_uuid_from_technique_id(technique_id):
with open('../clusters/mitre-attack-pattern.json', 'r') as mitre_f:
mitre = json.load(mitre_f)
for item in mitre['values']:
if item['meta']['external_id'] == technique_id:
return item['uuid']
return None
for nav_item in mkdocs_data['nav']:
try:
for tact_item in nav_item['Tactics']:
try:
tactic = next(iter(tact_item.keys()))
tactics.append(tactic)
for techn_items in tact_item[tactic]:
try:
# for techn_fname in techn_items['Techniques']:
for technique_name, fname in techn_items.items():
description_lst = []
with open(os.path.join(args.path, 'docs', fname), 'r') as technique_f:
# find the short description, residing between the main title (#) and next title (!!!) or table (|)
technique_f_lines = technique_f.read()
description = technique_f_lines.split('\n')[-2].strip()
technique_id = re.search(r'ID: (MS-T[0-9]+)', technique_f_lines).group(1)
try:
# make relationship to MITRE ATT&CK
mitre_technique_id = re.search(r'MITRE technique: \[(T[0-9]+)\]', technique_f_lines).group(1)
mitre_technique_uuid = find_mitre_uuid_from_technique_id(mitre_technique_id)
related = [
{
"dest-uuid": mitre_technique_uuid,
"type": "related-to"
}
]
except AttributeError:
mitre_technique_uuid = None
pass
# print(f"{tactic} / {technique} / {description}")
technique = f'{technique_id} - {technique_name}'
if technique not in clusters:
clusters[technique] = {
'value': technique,
'description': description,
'uuid': str(uuid.uuid5(uuid.UUID("9319371e-2504-4128-8410-3741cebbcfd3"), technique)),
'meta': {
'kill_chain': [],
'refs': [f"https://microsoft.github.io/Threat-matrix-for-storage-services/{fname[:-3]}"],
'external_id': technique_id
}
}
if mitre_technique_uuid:
clusters[technique]['related'] = related
clusters[technique]['meta']['kill_chain'].append(f"TMSS-tactics:{tactic}")
except KeyError:
continue
except AttributeError:
continue
except AttributeError: # skip lines that have no field/value
continue
break
except KeyError:
continue
galaxy_type = "tmss"
galaxy_name = "Threat Matrix for storage services"
galaxy_description = 'Microsoft Defender for Cloud threat matrix for storage services contains attack tactics, techniques and mitigations relevant storage services delivered by cloud providers.'
galaxy_source = 'https://github.com/microsoft/Threat-matrix-for-storage-services'
json_galaxy = {
'icon': "map",
'kill_chain_order': {
'TMSS-tactics': tactics
},
'name': galaxy_name,
'description': galaxy_description,
'namespace': "microsoft",
'type': galaxy_type,
'uuid': "d6532b58-99e0-44a9-93c8-affe055e4443",
'version': 1
}
json_cluster = {
'authors': ["Microsoft"],
'category': 'tmss',
'name': galaxy_name,
'description': galaxy_description,
'source': galaxy_source,
'type': galaxy_type,
'uuid': "aaf033a6-7f1e-45ab-beef-20a52b75b641",
'values': list(clusters.values()),
'version': 1
}
# add authors based on the Acknowledgements page
authors = ('Evgeny Bogokovsky', 'Ram Pliskin')
for author in authors:
json_cluster['authors'].append(author)
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', 'tmss.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
with open(os.path.join('..', 'clusters', 'tmss.json'), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")

4
tools/mkdocs/modules/galaxy.py
View File

@ -51,6 +51,10 @@ class Galaxy:
def _create_title_entry(self):
entry = ""
entry += f"[Hide Navigation](#){{ .md-button #toggle-navigation }}\n"
entry += f"[Hide TOC](#){{ .md-button #toggle-toc }}\n"
entry += f"<div class=\"clearfix\"></div>\n"
entry += f"[Edit :material-pencil:](https://github.com/MISP/misp-galaxy/edit/main/clusters/{self.json_file_name}){{ .md-button }}\n"
entry += f"# {self.galaxy_name}\n"
return entry

2
tools/mkdocs/modules/site.py
View File

@ -7,7 +7,7 @@ class Site:
def __init__(self, path, name) -> None:
self.path = path
self.name = name
self.content = ""
self.content = '[Hide Navigation](#){ .md-button #toggle-navigation }\n[Hide TOC](#){ .md-button #toggle-toc }\n<div class="clearfix"></div> \n\n'
def add_content(self, content):
self.content += content

421
tools/mkdocs/site/docs/01_attachements/javascripts/graph.js
View File

@ -76,16 +76,15 @@ document$.subscribe(function () {
simulation.update({ newNodes: newNodes, newLinks: newLinks });
}
function createForceDirectedGraph(data, elementId) {
var nodePaths = {};
data.forEach(d => {
nodePaths[d.source] = d.sourcePath || null;
nodePaths[d.target] = d.targetPath || null;
});
// Extract unique galaxy names from data
const galaxies = Array.from(new Set(data.flatMap(d => [d.sourceGalaxy, d.targetGalaxy])));
function extractNodePaths(data) {
return data.reduce((acc, d) => ({
...acc,
[d.source]: d.sourcePath || null,
[d.target]: d.targetPath || null,
}), {});
}
function defineColorScale(galaxies) {
const colorScheme = [
'#E63946', // Red
'#F1FAEE', // Off White
@ -108,8 +107,171 @@ document$.subscribe(function () {
'#FFBA08', // Selective Yellow
'#FFD60A' // Naples Yellow
];
const colorScale = d3.scaleOrdinal(colorScheme)
return d3.scaleOrdinal(colorScheme)
.domain(galaxies);
}
function initializeNodeInteractions(node, link, tooltip, simulation, links, Parent_Node, NODE_RADIUS) {
// Mouseover event handler
node.on("mouseover", function (event, d) {
tooltip.transition()
.duration(200)
.style("opacity", .9);
tooltip.html(d.id)
.style("left", (event.pageX) + "px")
.style("top", (event.pageY - 28) + "px");
node.style("opacity", 0.1);
link.style("opacity", 0.1);
d3.select(this)
.attr("r", parseFloat(d3.select(this).attr("r")) + 5)
.style("opacity", 1);
d3.selectAll(".legend-text.galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.style("font-weight", "bold")
.style("font-size", "14px");
link.filter(l => l.source.id === d.id || l.target.id === d.id)
.attr("stroke-width", 3)
.style("opacity", 1);
node.filter(n => n.id === d.id || links.some(l => (l.source.id === d.id && l.target.id === n.id) || (l.target.id === d.id && l.source.id === n.id)))
.style("opacity", 1);
})
.on("mousemove", function (event) {
tooltip.style("left", (event.pageX) + "px")
.style("top", (event.pageY - 28) + "px");
})
.on("mouseout", function (event, d) {
tooltip.transition()
.duration(500)
.style("opacity", 0);
node.style("opacity", 1);
link.style("opacity", 1);
d3.select(this).attr("r", d => d.id === Parent_Node.id ? NODE_RADIUS + 5 : NODE_RADIUS);
d3.selectAll(".legend-text.galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.style("font-weight", "normal")
.style("font-size", "12px");
link.filter(l => l.source.id === d.id || l.target.id === d.id)
.attr("stroke-width", 1);
node.filter(n => n.id === d.id || links.some(l => (l.source.id === d.id && l.target.id === n.id) || (l.target.id === d.id && l.source.id === n.id)));
})
.on("dblclick", function (event, d) {
location.href = d.path;
});
// Define drag behavior
var drag = d3.drag()
.on("start", dragstarted)
.on("drag", dragged)
.on("end", dragended);
// Apply drag behavior to nodes
node.call(drag);
function dragstarted(event, d) {
if (!event.active) simulation.alphaTarget(0.3).restart();
d.fx = d.x;
d.fy = d.y;
}
function dragged(event, d) {
d.fx = event.x;
d.fy = event.y;
}
function dragended(event, d) {
if (!event.active) simulation.alphaTarget(0);
}
}
function createGalaxyColorLegend(svg, width, galaxies, colorScale, node, link, tooltip) {
// Prepare legend data
const legendData = galaxies.map(galaxy => ({
name: galaxy,
color: colorScale(galaxy)
}));
const maxCharLength = 10; // Maximum number of characters to display in legend
// Create legend
const legend = svg.append("g")
.attr("class", "legend")
.attr("transform", "translate(" + (width - 100) + ",20)"); // Adjust position as needed
// Add legend title
legend.append("text")
.attr("x", 0)
.attr("y", -10)
.style("font-size", "13px")
.style("text-anchor", "start")
.style("fill", "grey")
.text("Galaxy Colors");
// Add colored rectangles and text labels for each galaxy
const legendItem = legend.selectAll(".legend-item")
.data(legendData)
.enter().append("g")
.attr("class", "legend-item")
.attr("transform", (d, i) => `translate(0, ${i * 20})`);
legendItem.append("rect")
.attr("width", 12)
.attr("height", 12)
.style("fill", d => d.color)
.on("mouseover", mouseoverEffect)
.on("mouseout", mouseoutEffect);
legendItem.append("text")
.attr("x", 24)
.attr("y", 9)
.attr("dy", "0.35em")
.style("text-anchor", "start")
.style("fill", "grey")
.style("font-size", "12px")
.attr("class", d => "legend-text galaxy-" + d.name.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.text(d => d.name.length > maxCharLength ? d.name.substring(0, maxCharLength) + "..." : d.name)
.on("mouseover", mouseoverEffect)
.on("mouseout", mouseoutEffect);
function mouseoverEffect(event, d) {
// Dim the opacity of all nodes and links
node.style("opacity", 0.1);
link.style("opacity", 0.1);
// Highlight elements associated with the hovered galaxy
svg.selectAll(".galaxy-" + d.name.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.each(function () {
d3.select(this).style("opacity", 1); // Increase opacity for related elements
});
// Show tooltip
tooltip.transition()
.duration(200)
.style("opacity", .9);
tooltip.html(d.name)
.style("left", (event.pageX) + "px")
.style("top", (event.pageY - 28) + "px");
}
function mouseoutEffect(event, d) {
// Restore the opacity of nodes and links
node.style("opacity", 1);
link.style("opacity", 1);
// Hide tooltip
tooltip.transition()
.duration(500)
.style("opacity", 0);
}
}
function createForceDirectedGraph(data, elementId) {
const nodePaths = extractNodePaths(data);
// // Extract unique galaxy names from data
const galaxies = Array.from(new Set(data.flatMap(d => [d.sourceGalaxy, d.targetGalaxy])));
const colorScale = defineColorScale(data);
var nodes = Array.from(new Set(data.flatMap(d => [d.source, d.target])))
.map(id => ({
@ -119,8 +281,6 @@ document$.subscribe(function () {
}));
let header = document.querySelector('h1').textContent;
// const parentUUID = header.replace(/\s+/g, '-').charAt(0).toLowerCase() + header.replace(/\s+/g, '-').slice(1);
// console.log("Parent UUID: " + parentUUID);
const Parent_Node = nodes.find(node => node.id.includes(header));
var links = data.map(d => ({ source: d.source, target: d.target }));
@ -130,15 +290,17 @@ document$.subscribe(function () {
.style("opacity", 0);
// Set up the dimensions of the graph
var width = 800, height = 1000;
var width = document.querySelector('.md-content__inner').offsetWidth;
var height = width;
var svg = d3.select(elementId).append("svg")
.attr("width", width)
.attr("height", height);
var svg = d3.select("div#container")
.append("svg")
.attr("preserveAspectRatio", "xMinYMin meet")
.attr("viewBox", "0 0 " + width + " " + height)
.classed("svg-content", true);
// Create a force simulation
linkDistance = Math.sqrt((width * height) / nodes.length);
var simulation = d3.forceSimulation(nodes)
.force("link", d3.forceLink(links).id(d => d.id).distance(linkDistance))
.force("charge", d3.forceManyBody().strength(-70))
@ -169,166 +331,8 @@ document$.subscribe(function () {
})
.attr("class", d => "node galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'));
// Apply tooltip on nodes
node.on("mouseover", function (event, d) {
tooltip.transition()
.duration(200)
.style("opacity", .9);
tooltip.html(d.id)
.style("left", (event.pageX) + "px")
.style("top", (event.pageY - 28) + "px");
node.style("opacity", 0.1);
link.style("opacity", 0.1);
d3.select(this)
.attr("r", parseFloat(d3.select(this).attr("r")) + 5)
.style("opacity", 1);
svg.selectAll(".legend-text.galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.style("font-weight", "bold")
.style("font-size", "14px");
link.filter(l => l.source.id === d.id || l.target.id === d.id)
.attr("stroke-width", 3)
.style("opacity", 1);
node.filter(n => n.id === d.id || links.some(l => (l.source.id === d.id && l.target.id === n.id) || (l.target.id === d.id && l.source.id === n.id)))
.style("opacity", 1);
})
.on("mousemove", function (event) {
tooltip.style("left", (event.pageX) + "px")
.style("top", (event.pageY - 28) + "px");
})
.on("mouseout", function (event, d) {
tooltip.transition()
.duration(500)
.style("opacity", 0);
node.style("opacity", 1);
link.style("opacity", 1);
d3.select(this).attr("r", function (d, i) {
return d.id === Parent_Node.id ? NODE_RADIUS + 5 : NODE_RADIUS;
});
svg.selectAll(".legend-text.galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.style("font-weight", "normal")
.style("font-size", "12px");
link.filter(l => l.source.id === d.id || l.target.id === d.id)
.attr("stroke-width", 1);
node.filter(n => n.id === d.id || links.some(l => (l.source.id === d.id && l.target.id === n.id) || (l.target.id === d.id && l.source.id === n.id)))
});
// Apply links on nodes
node.on("dblclick", function (event, d) {
location.href = d.path;
});
// Define drag behavior
var drag = d3.drag()
.on("start", dragstarted)
.on("drag", dragged)
.on("end", dragended);
// Apply drag behavior to nodes
node.call(drag);
function dragstarted(event, d) {
if (!event.active) simulation.alphaTarget(0.3).restart();
d.fx = d.x;
d.fy = d.y;
}
function dragged(event, d) {
d.fx = event.x;
d.fy = event.y;
}
function dragended(event, d) {
// Do not reset the fixed positions
if (!event.active) simulation.alphaTarget(0);
}
// Prepare legend data
const legendData = galaxies.map(galaxy => ({
name: galaxy,
color: colorScale(galaxy)
}));
const maxCharLength = 10; // Maximum number of characters to display in legend
// Create legend
const legend = svg.append("g")
.attr("class", "legend")
.attr("transform", "translate(" + (width - 100) + ",20)"); // Adjust position as needed
// Add legend title
legend.append("text")
.attr("x", 0)
.attr("y", -10)
.style("font-size", "13px")
.style("text-anchor", "start")
.style("fill", "grey")
.text("Galaxy Colors");
// Add colored rectangles and text labels for each galaxy
const legendItem = legend.selectAll(".legend-item")
.data(legendData)
.enter().append("g")
.attr("class", "legend-item")
.attr("transform", (d, i) => `translate(0, ${i * 20})`);
legendItem.append("rect")
.attr("width", 12)
.attr("height", 12)
.style("fill", d => d.color)
.on("mouseover", function (event, d) {
node.style("opacity", 0.1);
link.style("opacity", 0.1);
svg.selectAll(".galaxy-" + d.name.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.each(function () {
var currentRadius = d3.select(this).attr("r");
d3.select(this).style("opacity", 1);
});
tooltip.transition()
.duration(200)
.style("opacity", .9);
tooltip.html(d.name)
.style("left", (event.pageX) + "px")
.style("top", (event.pageY - 28) + "px");
})
.on("mouseout", function (event, d) {
node.style("opacity", 1);
link.style("opacity", 1);
tooltip.transition()
.duration(500)
.style("opacity", 0);
});
legendItem.append("text")
.attr("x", 24)
.attr("y", 9)
.attr("dy", "0.35em")
.style("text-anchor", "start")
.style("fill", "grey")
.style("font-size", "12px")
.attr("class", d => "legend-text galaxy-" + d.name.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.text(d => d.name.length > maxCharLength ? d.name.substring(0, maxCharLength) + "..." : d.name)
.on("mouseover", function (event, d) {
node.style("opacity", 0.1);
link.style("opacity", 0.1);
svg.selectAll(".galaxy-" + d.name.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.each(function () {
d3.select(this).style("opacity", 1);
});
tooltip.transition()
.duration(200)
.style("opacity", .9);
tooltip.html(d.name)
.style("left", (event.pageX) + "px")
.style("top", (event.pageY - 28) + "px");
})
.on("mouseout", function (event, d) {
node.style("opacity", 1);
link.style("opacity", 1);
tooltip.transition()
.duration(500)
.style("opacity", 0);
});
initializeNodeInteractions(node, link, tooltip, simulation, links, Parent_Node, NODE_RADIUS);
createGalaxyColorLegend(svg, width, galaxies, colorScale, node, link, tooltip);
// Update positions on each simulation 'tick'
simulation.on("tick", () => {
@ -367,59 +371,6 @@ document$.subscribe(function () {
exit => exit.remove()
);
node.call(drag);
// Apply tooltip on nodes
node.on("mouseover", function (event, d) {
tooltip.transition()
.duration(200)
.style("opacity", .9);
tooltip.html(d.id)
.style("left", (event.pageX) + "px")
.style("top", (event.pageY - 28) + "px");
node.style("opacity", 0.1);
link.style("opacity", 0.1);
d3.select(this)
.attr("r", parseFloat(d3.select(this).attr("r")) + 5)
.style("opacity", 1);
svg.selectAll(".legend-text.galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.style("font-weight", "bold")
.style("font-size", "14px");
link.filter(l => l.source.id === d.id || l.target.id === d.id)
.attr("stroke-width", 3)
.style("opacity", 1);
node.filter(n => n.id === d.id || links.some(l => (l.source.id === d.id && l.target.id === n.id) || (l.target.id === d.id && l.source.id === n.id)))
.style("opacity", 1);
})
.on("mousemove", function (event) {
tooltip.style("left", (event.pageX) + "px")
.style("top", (event.pageY - 28) + "px");
})
.on("mouseout", function (event, d) {
tooltip.transition()
.duration(500)
.style("opacity", 0);
node.style("opacity", 1);
link.style("opacity", 1);
d3.select(this).attr("r", function (d, i) {
return d.id === Parent_Node.id ? NODE_RADIUS + 5 : NODE_RADIUS;
});
svg.selectAll(".legend-text.galaxy-" + d.galaxy.replace(/\s+/g, '-').replace(/[\s.]/g, '-'))
.style("font-weight", "normal")
.style("font-size", "12px");
link.filter(l => l.source.id === d.id || l.target.id === d.id)
.attr("stroke-width", 1);
node.filter(n => n.id === d.id || links.some(l => (l.source.id === d.id && l.target.id === n.id) || (l.target.id === d.id && l.source.id === n.id)))
});
// Apply links on nodes
node.on("dblclick", function (event, d) {
console.log("Node: " + d.id);
console.log(d);
console.log("Source Path: " + d.sourcePath);
location.href = d.path;
});
// Process new links
const oldLinksMap = new Map(link.data().map(d => [`${d.source.id},${d.target.id}`, d]));
links = newLinks.map(d => Object.assign(oldLinksMap.get(`${d.source.id},${d.target.id}`) || {}, d));
@ -433,6 +384,9 @@ document$.subscribe(function () {
exit => exit.remove()
);
initializeNodeInteractions(node, link, tooltip, simulation, links, Parent_Node, NODE_RADIUS);
createGalaxyColorLegend(svg, width, galaxies, colorScale, node, link, tooltip);
// Restart the simulation with new data
simulation.nodes(nodes);
simulation.force("link").links(links);
@ -453,10 +407,9 @@ document$.subscribe(function () {
col_1: "checklist",
col_3: "checklist",
col_4: "checklist",
col_widths: ["180px", "180px", "180px", "180px", "100px"],
col_types: ["string", "string", "string", "string", "number"],
grid_layout: false,
responsive: false,
responsive: true,
watermark: ["Filter table ...", "Filter table ...", "Filter table ...", "Filter table ..."],
auto_filter: {
delay: 100 //milliseconds
@ -491,9 +444,11 @@ document$.subscribe(function () {
} else {
data = allData;
}
var graphId = "graph" + index;
var graphId = "container";
var div = document.createElement("div");
// div.id = graphId;
div.id = graphId;
div.className = "svg-container";
table.parentNode.insertBefore(div, table);
var simulation = createForceDirectedGraph(data, "#" + graphId);

22
tools/mkdocs/site/docs/01_attachements/javascripts/navigation.js Normal file
View File

@ -0,0 +1,22 @@
document.addEventListener('DOMContentLoaded', function () {
const body = document.body;
const toggleNavigationBtn = document.getElementById('toggle-navigation');
const toggleTocBtn = document.getElementById('toggle-toc');
function updateButtonText() {
toggleNavigationBtn.textContent = body.classList.contains('hide-navigation') ? '>>> Show Navigation' : '<<< Hide Navigation';
toggleTocBtn.textContent = body.classList.contains('hide-toc') ? 'Show TOC <<<' : 'Hide TOC >>>';
}
toggleNavigationBtn.addEventListener('click', function () {
body.classList.toggle('hide-navigation');
updateButtonText();
});
toggleTocBtn.addEventListener('click', function () {
body.classList.toggle('hide-toc');
updateButtonText();
});
updateButtonText(); // Initialize button text based on current state
});

6
tools/mkdocs/site/docs/01_attachements/stylesheets/buttons.css Normal file
View File

@ -0,0 +1,6 @@
.md-button {
font-size: 16px;
position: relative;
padding: 10px 20px;
float: right;
}

20
tools/mkdocs/site/docs/01_attachements/stylesheets/graph.css
View File

@ -7,4 +7,24 @@
border-radius: 4px;
pointer-events: none;
color: black;
}
.svg-container {
display: inline-block;
position: relative;
width: 100%;
padding-bottom: 100%;
vertical-align: top;
overflow: hidden;
}
.svg-content {
display: inline-block;
position: absolute;
top: 0;
left: 0;
}
.md-typeset__table {
width: 100%;
}

49
tools/mkdocs/site/docs/01_attachements/stylesheets/navigation.css Normal file
View File

@ -0,0 +1,49 @@
.hide-navigation .md-sidebar--primary {
display: none;
}
.hide-toc .md-sidebar--secondary {
display: none;
}
#toggle-toc {
margin: 10px 5px;
padding: 5px 10px;
color: grey;
outline: none;
background-color: initial;
border-color: grey;
/* border: none; */
cursor: pointer;
float: right;
}
#toggle-toc:hover {
color: #5C6BC0;
border-color: #5C6BC0;
}
/* Additional styling for positioning the buttons next to each other */
#toggle-navigation {
margin: 10px 5px;
padding: 5px 10px;
color: grey;
outline: none;
background-color: initial;
border-color: grey;
/* border: none; */
cursor: pointer;
float: left;
}
#toggle-navigation:hover {
color: #5C6BC0;
border-color: #5C6BC0;
}
.clearfix::after {
content: "";
display: table;
clear: both;
}

10
tools/mkdocs/site/mkdocs.yml
View File

@ -24,6 +24,8 @@ theme:
- search.highlight
- search.share
- navigation.instant.preview
- navigation.instant.prefetch
- navigation.top
palette:
# Palette toggle for automatic mode
@ -66,18 +68,16 @@ extra:
generator: false
extra_javascript:
# - javascripts/tablefilter.js
# - "https://unpkg.com/tablefilter@0.7.3/dist/tablefilter/tablefilter.js"
# - "https://d3js.org/d3.v6.min.js"
- 01_attachements/javascripts/graph.js
- 01_attachements/javascripts/statistics.js
# - node_modules/tablefilter/dist/tablefilter/tablefilter.js
# - node_modules/d3/dist/d3.min.js
- 01_attachements/modules/d3.min.js
- 01_attachements/modules/tablefilter/tablefilter.js
- 01_attachements/javascripts/navigation.js
extra_css:
- 01_attachements/stylesheets/graph.css
- 01_attachements/stylesheets/buttons.css
- 01_attachements/stylesheets/navigation.css
plugins:
- search

6
tools/mkdocs/utils/helper.py
View File

@ -69,7 +69,11 @@ def galaxy_transform_to_link(galaxy):
def generate_relations_table(cluster):
relationships = cluster.relationships
markdown = f"# {cluster.value} \n\n"
markdown = ""
markdown += f"[Hide Navigation](#){{ .md-button #toggle-navigation }}\n"
markdown += f"[Hide TOC](#){{ .md-button #toggle-toc }}\n"
markdown += f"<div class=\"clearfix\"></div>\n"
markdown += f"# {cluster.value} ({cluster.uuid}) \n\n"
markdown += f"{cluster.description} \n\n"
markdown += "|Cluster A | Galaxy A | Cluster B | Galaxy B | Level { .graph } |\n"
markdown += "| --- | --- | --- | --- | --- |\n"